I just realized that there is no security configuration for api/v2
You must add this as well
Is this config not enough?
http.authorizeHttpRequests(authz -> authz.requestMatchers("/api/v2/**").anonymous());
I am not deeply familiar with security. Can you explain to me what the config looks like?
This looks good
IMO this should work
Could you provide a reproducible example?
I did a simple test and this works for me
http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
I even didn't need to exclude the URL
I have rebuilt a small project where the same problem occurs. Can it be that something has changed with Vaadin 24?
rest-example.zip (356 KB)
The AntPathRequestMatcher was missing
http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
Plus if you want to use POST you will have to disable csrf
https://github.com/vaadin/docs/issues/2504 created to hopefully get an example we can always link to
The week starts well. I doubt myself. No matter what I try, nothing changes the result.
http.csrf(AbstractHttpConfigurer::disable)
    .authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
does not work. Likewise, I created a simple GetMapping method, but it also returns the same result.
Now it works. Thank you very much. You are a great community.
hi all,
I hope it is OK to (re-)open this post after a couple of months have passed.
Thanks to the example from @SimonMartinelli and @outstanding-bear provided in this post, I got it up and running to have in the same application Vaadin UI and REST services with GET-Methods. I was not able to implement a POST request, which in my case is needed. I added a csrf disabled
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
        //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
        http.csrf((csrf) -> csrf.disable());
        super.configure(http);
        setLoginView(http, LoginView.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
    }

    @Bean
    public UserDetailsService users() {
        UserDetails user = User.builder()
                .username("user")
                .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
                .roles("USER")
                .build();
        UserDetails admin = User.builder()
                .username("admin")
                .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
                .roles("USER", "ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
in the security config and also
vaadin.exclude-urls=/api/v2/**
in the application.properties. When using the POST method I am always redirected to the Vaadin page (see screenshot).
Is there anyone who has an example or could please update the attached example in order to combine the use of Vaadin UI and REST service calls (GET, PUT, POST, DELETE) in one application?
Thanks a lot in advance for your help.
Best regards, Michael
You are too early with your csrf customizing. It has to be after the call to super.
Thanks a lot for your fast response, @knoobie. I checked it out, but unfortunately the result for REST calls using Postman is still the same, but when calling the web page it returns lost connection when trying to retrieve the login page (see screenshot below).
My security config is the same except the csrf disable (see code below)
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
    //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
    super.configure(http);
    http.csrf((csrf) -> csrf.disable());
    setLoginView(http, LoginView.class);
}
Is there any way to combine using Vaadin for UI, but also enable REST endpoints in the same application? Maybe with separated security configs?
Unfortunately I am not that skilled to find a proper solution here. Thanks in advance to anyone who may provide a short help.
Best regards, Michael
I don't have a copy-paste ready open source solution on hand, sorry. The gist would be: create a second security chain only for the API.
You can also upvote this, so that hopefully it gets documented in the future: Create a Spring + Vaadin + REST example · Issue #2504 · vaadin/docs · GitHub
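
The "second security chain only for the API" suggested above could look like the following. This is an added example, not code from any participant in this thread or from the Vaadin project. It assumes Spring Security 6 (as used with Vaadin 24); the class name `ApiSecurityConfiguration` and bean name `apiFilterChain` are hypothetical, and it assumes the chain contributed by `VaadinWebSecurity` carries no explicit order.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical class that sits next to the thread's SecurityConfiguration.
// That VaadinWebSecurity subclass then keeps only super.configure(http) and
// setLoginView(http, LoginView.class); its /api/v2/** matcher and its
// http.csrf(...) call are removed.
@Configuration
public class ApiSecurityConfiguration {

    // Assumption: the Vaadin chain has no explicit order, so @Order(1)
    // makes Spring Security consult this chain first.
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain handles /api/v2/** and nothing else; every other
            // request falls through to the Vaadin chain.
            .securityMatcher(new AntPathRequestMatcher("/api/v2/**"))
            // Open API, as in the thread (which used anonymous()).
            // For a non-public API: authenticated() plus e.g. httpBasic().
            .authorizeHttpRequests(authz -> authz.anyRequest().permitAll())
            // CSRF protection is switched off for the API paths only, so
            // POST/PUT/DELETE work; the UI chain keeps Vaadin's defaults.
            .csrf(AbstractHttpConfigurer::disable)
            // No HTTP session is created or used for API calls.
            .sessionManagement(sm ->
                sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

The `vaadin.exclude-urls=/api/v2/**` entry from the post above stays in application.properties under this setup.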