Vaadin and Spring boot with REST endpoints

Hello Community, I am working on an app for the first time with the latest versions of Vaadin 24 and Spring Boot 3. It seems that Vaadin has control over all REST endpoints, and of course it does not know the path /api/v2/ of Spring Boot.
How do I achieve this separation: Vaadin for the UI and Spring Boot for REST?
The REST endpoints do not need authentication.
The user authenticates against LDAP.

public class VaadinWithLdapConfiguration extends VaadinWebSecurity {

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userSearchFilter(userSearchFilter)
            .userDnPatterns(userDnPattern)
            .contextSource()
                .url(String.format("%s/%s", url, contextRoot))
                .managerDn(managerDn)
                .managerPassword(managerPassword)
            .and()
            .userDetailsContextMapper(ldapMapper);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authz ->
            authz.requestMatchers("/public/**").permitAll()
        );

        super.configure(http);
        setLoginView(http, LoginView.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
    }
}

Now an “agent” is to communicate with this app via Spring Boot REST:

@RestController
@RequestMapping("/api/v2")
@ResponseBody
public class AgentRegistrationRestController {
    private static final Logger LOGGER = LoggerFactory.getLogger(AgentRegistrationRestController.class);

    @PostMapping(value = "/agentregistration", produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity registerAgent(@RequestBody AgentRegistration agentRegistration) {

        LOGGER.info("REST Endpoint 'RegisterAgent' called");
        // more stuff

        return ResponseEntity.status(HttpStatus.OK).body("Agent successfully registered");
    }
}

I am grateful for any tip.

You must use anonymous() instead of permitAll; see "Understanding the difference of permitAll() and anonymous() in Spring Security" on Stack Overflow.

I have changed the line like this:
http.authorizeHttpRequests(authz ->
    authz.requestMatchers("/api/v2/**").anonymous()
);

Now I get this message:
Could not navigate to ‘api/v2/agentregistration’
Available routes:

Good. Now you need this: Configuration | Spring | Integrations | Vaadin Docs

Thanks Simon for helping me!
I have added this to the application.yml:
vaadin:
  exclude-urls: /api/v2/**
But there is no difference, something must still be missing.

I just realized that there is no security configuration for api/v2

You must add this as well

Is this config not enough?

http.authorizeHttpRequests(authz -> authz.requestMatchers("/api/v2/**").anonymous());

I am not deeply familiar with security. Can you explain to me what the config looks like?

This looks good

IMO this should work

Could you provide a reproducible example?

I did a simple test and this works for me

http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();

I didn’t even need to exclude the URL

I have rebuilt a small project where the same problem occurs. Can it be that something has changed with Vaadin 24?
rest-example.zip (356 KB)

The AntPathRequestMatcher was missing

http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

Plus, if you want to use POST, you will have to disable CSRF

https://github.com/vaadin/docs/issues/2504 created to hopefully get an example we can always link to :sweat_smile:

The week starts well :exploding_head:. I doubt myself. No matter what I try, nothing changes the result.

http.csrf(AbstractHttpConfigurer::disable)
    .authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

does not work. Likewise, I created a simple GetMapping method, but it also returns the same result.

This works with the GET request
rest-example.zip (380 KB)
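
Added example, not part of any post in this thread and not Vaadin's own code: one way to apply the matcher and CSRF advice above so that CSRF protection is switched off only for /api/v2/** and stays on for the Vaadin UI. The class and bean names are hypothetical, and it assumes the filter chain contributed by VaadinWebSecurity has lower precedence than @Order(1).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical class name; lives next to VaadinWithLdapConfiguration.
@Configuration
public class AgentApiSecurityConfiguration {

    // Assumption: @Order(1) places this chain ahead of the Vaadin chain,
    // so requests under /api/v2/ are handled here and never reach the
    // Vaadin login view or Vaadin's router.
    @Bean
    @Order(1)
    public SecurityFilterChain agentApiFilterChain(HttpSecurity http) throws Exception {
        http
            // An explicit Ant matcher, as in the thread, avoids the MVC
            // matcher that String patterns resolve to when Spring MVC is
            // on the classpath.
            .securityMatcher(new AntPathRequestMatcher("/api/v2/**"))
            // CSRF is disabled for this chain only. The Vaadin chain is
            // untouched and keeps its CSRF protection for UI requests.
            .csrf(AbstractHttpConfigurer::disable)
            // Agents send no session cookie, so do not create sessions.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // The question states these endpoints need no authentication.
            // Only /api/v2/** is opened; everything else still goes
            // through the LDAP-backed Vaadin chain.
            .authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
        return http.build();
    }
}
```

With this in place, the `http.csrf(AbstractHttpConfigurer::disable)` call and the `/api/v2/**` matcher are no longer needed inside `VaadinWithLdapConfiguration.configure(HttpSecurity)`.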