Vaadin 24 + Spring Security problems with navigation

Izaquiel.2 · July 25, 2024, 3:08am

I implemented one application with Vaadin 24 + Spring Boot + Spring JPA + Spring Security. The users of application are stored in database MySQL. The entity Users implements UserDetails from Spring Security. The same for UsersService that implements UserDetailsService. All methods are override.

Login page and form works, logout button too.

When starter the application, login page are show and if authentication are ok, the application show home page of app. The problem ocurrs when I click in menu item for navigate for a another view. In this case, the application return to login page.

The Spring Security configuration is:

@Configuration
@EnableWebSecurity
public class ConfigSpringSecurity extends VaadinWebSecurity {

	@Autowired
	private UserDetailsService user;
	private BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		super.configure(http);
		
		setLoginView(http, Login.class);
	}
	
    @Override
    public void configure(WebSecurity web) throws Exception {
    	web.ignoring().requestMatchers("/resources/static/**", "Orbit/login");
    	super.configure(web);
    }

    @Bean
    public AuthenticationManager authManager(HttpSecurity http) throws Exception {
    	var authManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
    	authManagerBuilder.authenticationProvider(authProvider());
    	return authManagerBuilder.build();
    }
    
    @Bean
    public DaoAuthenticationProvider authProvider() {
    	var provider = new DaoAuthenticationProvider();
    	provider.setUserDetailsService(user);
    	provider.setPasswordEncoder(encoder);
    	
    	return provider;
    }
}

The views class are annoted with @PermitAll, and all users logged can access, but, this access don’t ocurrs.

marcoc_753 · July 25, 2024, 5:34am

Please enable TRACE logging level for com.vaadin.flow.server.auth and check (and post here) the relevant messages.

Also, double check that the annotation is @jakarta.annotation.security.PermitAll and not accidentally @javax.annotation.security.PermitAll

Izaquiel.2 · July 27, 2024, 2:56pm

I checked, the annotation is import jakarta.annotation.security.PermitAll;. The log, don’t have WARNINGS, just INFOS.

I make one test with one class annotation @com.vaadin.flow.server.auth.AnonymousAllowed, after make login, the page are load, but, if I navegate to another class with annotation @PermitAll, the login page are load again. If I try return to page with @AnonymousAllowed, the follow error are presented:

2024-07-27T11:55:33.312-03:00e[0;39m e[31mERRORe[0;39m e[35m17220e[0;39m e[2m---e[0;39m e[2m[Orbit] [io-10001-exec-7]e[0;39m e[2me[0;39me[36mc.v.flow.router.InternalServerError     e[0;39m e[2m:e[0;39m There was an exception while trying to navigate to 'Orbit/browser-clientes'

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'br.com.b3s.sge.extras.orbit.views.MainView': Failed to instantiate [br.com.b3s.sge.extras.orbit.views.MainView]: Constructor threw exception
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:318) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:306) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1357) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1194) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:562) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:522) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:321) ~[spring-beans-6.1.10.jar:6.1.10]
	at com.vaadin.flow.spring.SpringInstantiator.getOrCreate(SpringInstantiator.java:126) ~[vaadin-spring-24.3.8.jar:na]
	at com.vaadin.flow.di.Instantiator.createRouteTarget(Instantiator.java:136) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.lambda$getRouteTarget$1(AbstractNavigationStateRenderer.java:132) ~[flow-server-24.3.8.jar:24.3.8]
	at java.base/java.util.Optional.orElseGet(Optional.java:364) ~[na:na]
	at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.getRouteTarget(AbstractNavigationStateRenderer.java:131) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.sendBeforeEnterEventAndPopulateChain(AbstractNavigationStateRenderer.java:480) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.createChainIfEmptyAndExecuteBeforeEnterNavigation(AbstractNavigationStateRenderer.java:461) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.router.internal.AbstractNavigationStateRenderer.handle(AbstractNavigationStateRenderer.java:211) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.component.internal.JavaScriptNavigationStateRenderer.handle(JavaScriptNavigationStateRenderer.java:78) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.component.UI.handleNavigation(UI.java:1853) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.component.UI.renderViewForRoute(UI.java:1816) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.component.UI.lambda$connectClient$83bb1bf7$1(UI.java:1724) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.component.UI.connectClient(UI.java:1734) ~[flow-server-24.3.8.jar:24.3.8]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:580) ~[na:na]
	at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.invokeMethod(PublishedServerEventHandlerRpcHandler.java:227) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.invokeMethod(PublishedServerEventHandlerRpcHandler.java:204) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.invokeMethod(PublishedServerEventHandlerRpcHandler.java:150) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.rpc.PublishedServerEventHandlerRpcHandler.handleNode(PublishedServerEventHandlerRpcHandler.java:133) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.rpc.AbstractRpcInvocationHandler.handle(AbstractRpcInvocationHandler.java:74) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.ServerRpcHandler.handleInvocationData(ServerRpcHandler.java:466) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.ServerRpcHandler.lambda$handleInvocations$4(ServerRpcHandler.java:447) ~[flow-server-24.3.8.jar:24.3.8]
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596) ~[na:na]
	at com.vaadin.flow.server.communication.ServerRpcHandler.handleInvocations(ServerRpcHandler.java:447) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.ServerRpcHandler.handleRpc(ServerRpcHandler.java:324) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.communication.UidlRequestHandler.synchronizedHandleRequest(UidlRequestHandler.java:114) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:40) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.VaadinService.handleRequest(VaadinService.java:1574) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.server.VaadinServlet.service(VaadinServlet.java:398) ~[flow-server-24.3.8.jar:24.3.8]
	at com.vaadin.flow.spring.SpringServlet.service(SpringServlet.java:106) ~[vaadin-spring-24.3.8.jar:na]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.25.jar:6.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:632) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:408) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:303) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:267) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.springframework.web.servlet.mvc.ServletForwardingController.handleRequestInternal(ServletForwardingController.java:142) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:178) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:51) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1089) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:979) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:914) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590) ~[tomcat-embed-core-10.1.25.jar:6.0]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.25.jar:6.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-embed-websocket-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195) ~[spring-webmvc-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230) ~[spring-security-config-6.2.5.jar:6.2.5]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.10.jar:6.1.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.10.jar:6.1.10]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar:6.1.10]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:904) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.25.jar:10.1.25]
	at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [br.com.b3s.sge.extras.orbit.views.MainView]: Constructor threw exception
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:221) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:111) ~[spring-beans-6.1.10.jar:6.1.10]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:315) ~[spring-beans-6.1.10.jar:6.1.10]
	... 136 common frames omitted
Caused by: java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143) ~[na:na]
	at br.com.b3s.sge.extras.orbit.views.MainView.<init>(MainView.java:93) ~[classes/:na]
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[na:na]
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[na:na]
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[na:na]
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:208) ~[spring-beans-6.1.10.jar:6.1.10]
	... 138 common frames omitted

Izaquiel.2 · July 27, 2024, 2:58pm

The page extends from Div component Vaadin. And your layout are the MainView, that extendes AppLayout Vaadin.

@Route(value = "Orbit/browser-clientes", layout = MainView.class)
@PageTitle("Orbit - Browser de Pedidos")
@AnonymousAllowed
public class BrowserClientes extends Div {...}

and

@Route(value = "Orbit")
@PageTitle(value = "Orbit")
@PermitAll
@VaadinSessionScope
@SessionScope
public class MainView extends AppLayout {...}

knoobie · July 27, 2024, 3:27pm

@VaadinSessionScope
@SessionScope

This can’t work

marcoc_753 · July 27, 2024, 4:08pm

The cause of the error is at line 93 of your MainView.

And if it is related to some injected service, I guess knoobie gave the correct answer

Izaquiel.2 · July 28, 2024, 7:54pm

I run without this annotations, but no resolve the question. The page that is loading in login method every time works, but when I try navigate to another page, only the login page are loading.

Izaquiel.2 · July 28, 2024, 7:57pm

This error just present in one test with annotation @AnonymousAllowed, when a return with navigation buttons of the browser navigator, When the page depends of login to build the MainView, that have UserDetails injected in your scope to permit logout fuction.

marcoc_753 · July 28, 2024, 8:14pm

I suggest you to set log levels to debug, or even better trace, for both spring security and com.vaadin.flow.server.auth, and then analyze why there is the redirect to login.

One option is that there’s an error rendering the view and spring redirects to the ‘/error’ page that is however not permitted by Spring Security, thus redirecting to login view

Izaquiel.2 · July 28, 2024, 10:18pm

I see in logging that the application set the SecurityContextHolder to anonymous SecurityConext, but the user already are authenticated.

[2m2024-07-28T19:11:33.824-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:33.824-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:33.824-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.016-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-3][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.016-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-3][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:34.016-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-3][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.141-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [o-10001-exec-10][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.141-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [o-10001-exec-10][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:34.141-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [o-10001-exec-10][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.345-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-5][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.345-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-5][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:34.345-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-5][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.726-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-6][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:34.726-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-6][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:34.726-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-6][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:35.460-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-6][0;39m [2m[0;39m[36mo.s.s.a.dao.DaoAuthenticationProvider   [0;39m [2m:[0;39m Authenticated user
[2m2024-07-28T19:11:35.535-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-7][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing GET /VAADIN/dynamic/resource/9/8728f544-8bf2-4efd-8173-884a6aca554e/B3S.png
[2m2024-07-28T19:11:35.535-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-7][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:35.535-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-7][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured GET /VAADIN/dynamic/resource/9/8728f544-8bf2-4efd-8173-884a6aca554e/B3S.png
[2m2024-07-28T19:11:35.541-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-2][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing GET /VAADIN/dynamic/resource/9/49158d71-5697-42a4-ae90-d3014d91637b/toggle.png
[2m2024-07-28T19:11:35.541-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-2][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:35.541-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-2][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured GET /VAADIN/dynamic/resource/9/49158d71-5697-42a4-ae90-d3014d91637b/toggle.png
[2m2024-07-28T19:11:35.572-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-4][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:35.572-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-4][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:35.572-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-4][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:35.617-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-8][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:35.618-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-8][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:35.618-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-8][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:38.960-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-9][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:38.961-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-9][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:38.961-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-9][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:39.000-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing GET /VAADIN/dynamic/resource/9/716f020a-e7f6-4917-bba1-1f6f7b8328bf/backgroud.jpg
[2m2024-07-28T19:11:39.000-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:39.000-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured GET /VAADIN/dynamic/resource/9/716f020a-e7f6-4917-bba1-1f6f7b8328bf/backgroud.jpg
[2m2024-07-28T19:11:39.036-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-3][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /?v-r=uidl&v-uiId=9
[2m2024-07-28T19:11:39.037-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-3][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to anonymous SecurityContext
[2m2024-07-28T19:11:39.037-03:00[0;39m [32mDEBUG[0;39m [35m14568[0;39m [2m---[0;39m [2m[Orbit] [io-10001-exec-3][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Secured POST /?v-r=uidl&v-uiId=9

marcoc_753 · July 28, 2024, 11:36pm

The published logs are missing most of the info about the spring security filter chain processing. Try with trace log level

Izaquiel.2 · July 30, 2024, 12:49am

I finally can solution this question.

I make the modifications in my SpringSecurity Configuration class, that extends from VaadinWebSecurity and modifications in login method.

In SpringSecurityConfig Class:

@Configuration
@EnableWebSecurity
public class ConfigSpringSecurity extends VaadinWebSecurity {

	@Autowired
	private UserDetailsService user;
	@Autowired
	private ConfigSpringSecurityEncoder encoder;
	
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.authenticationManager(authManager(http))
			.authenticationProvider(authProvider())
			;
		
		super.configure(http);
		setLoginView(http, Login.class);
	}
	
    @Override
    public void configure(WebSecurity web) throws Exception {
    	super.configure(web);
    }

    @Bean(name = "configAuthenticationManager")
    public AuthenticationManager authManager(HttpSecurity http) throws Exception {
    	AuthenticationManagerBuilder authManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
    	authManagerBuilder.authenticationProvider(authProvider());

    	return authManagerBuilder.build();
    }
    
    @Bean(name = "configAuthenticationProvider")
    public DaoAuthenticationProvider authProvider() {
    	DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    	provider.setUserDetailsService(user);
    	provider.setPasswordEncoder(encoder.getEncoder());

    	return provider;
    }

	@Override
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
		return super.filterChain(http);
	}
}

the login method:

private void login() {
			try {
				UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username.getValue(), password.getValue());
				Authentication auth = daoAuthProvider.authenticate(token);
				
				SecurityContext sc = SecurityContextHolder.getContext();
				sc.setAuthentication(auth);
				HttpSession session = request.getSession(true);
				session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, sc);
				
				if (SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
					Notification notification = Notification.show("Credenciais validadas. Acessando aplicação.");
					notification.addThemeVariants(NotificationVariant.LUMO_SUCCESS);
					notification.setPosition(Position.BOTTOM_CENTER);
				}
				
				login.getUI().ifPresent(ui -> ui.navigate("orbit/"));
			} catch (org.springframework.security.core.AuthenticationException e) {
				Notification notification = Notification.show("Credenciais de acesso inválidas!");
				notification.addThemeVariants(NotificationVariant.LUMO_ERROR);
				notification.setPosition(Position.BOTTOM_CENTER);
			}
		}

with this modifications I can finally that SpringSecurity works with jakarta annotations like @PermitAll, @RolesAllowed et al.

But, in Spring Security logs I styll have DEBUGS logs like this:

o.s.security.web.FilterChainProxy        Secured POST /?v-r=uidl&v-uiId=10
o.s.s.a.dao.DaoAuthenticationProvider    Authenticated user
...
o.s.security.web.FilterChainProxy       Securing GET /VAADIN/dynamic/resource/10/45d6128a-4acb-4c41-892e-334c3d65a14f/B3S.png
o.s.s.w.a.AnonymousAuthenticationFilter Set SecurityContextHolder to anonymous SecurityContext

The application, keep set SecurityContextHolder to anonymous in SecurityContext. But, now works.

Have any suggestion for resolve this AnonymousAuthenticationFilter?