Vaadin and Spring boot with REST endpoints

Hello Community, I am working on an app for the first time with the latest versions of Vaadin 24 and Spring-Boot 3. It seems that Vaadin has control over all REST endpoints and of course it does not know the path /api/v2/ of spring-boot.
How do I achieve this separation Vaadin for UI and spring-boot for REST?
For the REST endpoints it does not need authentication.
The user authenticates against LDAP.

public class VaadinWithLdapConfiguration extends VaadinWebSecurity {

public void configure(AuthenticationManagerBuilder auth) throws Exception {
.url(String.format(“%s/%s”, url, contextRoot))

protected void configure(HttpSecurity http) throws Exception {

  http.authorizeHttpRequests(authz ->

  setLoginView(http, LoginView.class);


public void configure(WebSecurity web) throws Exception {

Now an “agent” is to communicate with this app via Spring Boot REST

public class AgentRegistrationRestController {
private static final Logger LOGGER = LoggerFactory.getLogger(AgentRegistrationRestController.class);

@PostMapping(value = “/agentregistration”, produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity registerAgent(@RequestBody AgentRegistration agentRegistration) {"REST Endpoint 'RegisterAgent' called");
  // more stuff

  return ResponseEntity.status(HttpStatus.OK).body("Agent successfully registered");


I am grateful for any tip.

You must use anonymous() instead of permitAll java - Understanding the difference of permitAll() and anonymous() in Spring Security - Stack Overflow.

I have changed the line like this:
http.authorizeHttpRequests(authz →

now I get this message
Could not navigate to ‘api/v2/agentregistration’
Available routes:

Good. Now you need this Configuration | Spring | Integrations | Vaadin Docs

Thanks Simon for helping me!
I have added this to the application.yml:
exclude-urls: /api/v2/**
But there is no difference, something must still be missing.

I just realized that there is no security configuration for api/v2

You must add this as well

is this config not enough?

http.authorizeHttpRequests(authz → authz.requestMatchers(“/api/v2/**”).anonymous());

I am not deeply familiar with security. Can you explain me how the config looks like?

This looks good

IMO this should work

Could you provide a reproducible example?

I did a simple test and this works for me

http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher(“/api/v2/**”)).anonymous();

I even didn’t need to exclude the URL

I have rebuilt a small project where the same problem occurs. Can it be that something has changed with Vaadin 24? (356 KB)

There was the AntPathRequestMatcher missing

http.authorizeHttpRequests(authz → authz.requestMatchers(new AntPathRequestMatcher(“/api/v2/**”)).anonymous());

Plus if you want to use POST you will have to disable csrf created to hopefully get an example we can always link to :sweat_smile:

The week starts well :exploding_head:. I doubt myself. No matter what I try, nothing changes the result.

.authorizeHttpRequests(authz → authz.requestMatchers(new AntPathRequestMatcher(“/api/v2/**”)).anonymous());

does not work. Likewise, I created a simple GetMapping method, but it also returns the same result.

this works with the GET request (380 KB)