I’m trying to understand how I should be configuring Spring Security. I did read the docs, but they just show a basic permit for the public folder only.
I’m unable to get a 404 error since every page other than defined views is 403 forbidden. This is what I have now.
Should I be doing this and just manually permitting as needed? I thought the intent was to have the request reach Vaadin so it can authorize by permissions defined on the view hit.
It seems to be a bit hidden on that page, but the key part is
```java
http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
    // This is important to register your login view to the
    // navigation access control mechanism:
    configurer.loginView(LoginView.class);
    // You can add any possible extra configurations of your own
    // here (the following is just an example):
    // configurer.enableCsrfConfiguration(false);
});
```
The VaadinSecurityConfigurer will set up most things you need: allow needed internal requests, allow access and redirect to the login page you specify, etc.
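For context, an added example (not part of the posts above and not Vaadin's own code) showing where the snippet from the answer sits in a configuration class, next to a view that declares its own access rule. `SecurityConfig`, `AdminView`, the `admin` route and the `ADMIN` role are assumptions; `LoginView` is the login view class named in the snippet and is assumed to exist in the project.

```java
// ---- SecurityConfig.java (hypothetical class name) ----
import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // No hand-written permit rule per view here: the configurer
        // registers the login view with navigation access control.
        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
            configurer.loginView(LoginView.class);
        });
        return http.build();
    }
}

// ---- AdminView.java (hypothetical view, separate file) ----
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import jakarta.annotation.security.RolesAllowed;

@Route("admin")          // assumed route name
@RolesAllowed("ADMIN")   // assumed role; the rule lives on the view itself
public class AdminView extends VerticalLayout {
    // Navigation access control evaluates the annotation above when this
    // view is navigated to. Views meant for everyone would use
    // com.vaadin.flow.server.auth.AnonymousAllowed instead.
}
```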