Vaadin 25 Reusable Theme and Security

SimonMartinelli · January 13, 2026, 2:43pm

I’m working on the migration of a parent theme from Vaadin 24 to Vaadin 25.

And to make it work I had to add a few paths in the Security config:

http.authorizeHttpRequests(
  c -> c.requestMatchers("/theme/*.*", "/theme/*/*.*", "/fonts/*.*", "/icons/*.*", "/images/*.*")
                    .permitAll()
                    .requestMatchers(EndpointRequest.to(HealthEndpoint.class))
                    .permitAll());

This is very inconvenient! Shouldn’t this be handled by the VaadinSecurityConfigurer?
IMO everything that is imported with @StyleSheet should be automatically accessible.

marcoc_753 · January 13, 2026, 2:51pm

Releated discussion Make it easier to include custom stylesheets when using Spring Security · Issue #22476 · vaadin/flow · GitHub

SimonMartinelli · January 13, 2026, 2:58pm

@marcoc_753 Thanks for sharing the issue.

There we have

Vaadin, however, makes styles.css automatically public to simplify theme imports and cover simple cases where styles can be embedded into one single file.

IMO this should also work with Parent Themes.
I really liked the Parent theme functionality before 25. It’s a lot of work to migrate that to Vaadin 25.

marcoc_753 · January 13, 2026, 3:13pm

To better understand, you have a styles.css in the application and other stylesheets packaged into JAR file under src/main/resources/META-INF/resources/themes/my-theme.
To import the parent theme, you use @Stylesheet annotation or @import directive in the CSS.
Is this correct?

SimonMartinelli · January 13, 2026, 3:15pm

I use @StyleSheet like described in

marcoc_753 · January 13, 2026, 3:19pm

I see. I guess a potential workaround to make security work out of the box is to put the theme in src/main/resources/META-INF/resources/themes/. The /themes/* path is allowed by default by VaadinSecurityConfigurator.
But I did not test it, to be honest