Vaadin and Spring boot with REST endpoints

I just realized that there is no security configuration for api/v2

You must add this as well

is this config not enough?

http.authorizeHttpRequests(authz -> authz.requestMatchers("/api/v2/**").anonymous());

I am not deeply familiar with security. Can you explain to me what the config looks like?

This looks good

IMO this should work

Could you provide a reproducible example?

I did a simple test and this works for me

http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();

I even didn’t need to exclude the URL

I have rebuilt a small project where the same problem occurs. Can it be that something has changed with Vaadin 24?
rest-example.zip (356 KB)

There was the AntPathRequestMatcher missing

http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

Plus if you want to use POST you will have to disable csrf

https://github.com/vaadin/docs/issues/2504 created to hopefully get an example we can always link to :sweat_smile:

The week starts well :exploding_head:. I doubt myself. No matter what I try, nothing changes the result.

http.csrf(AbstractHttpConfigurer::disable)
    .authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

does not work. Likewise, I created a simple GetMapping method, but it also returns the same result.

this works with the GET request
rest-example.zip (380 KB)

Now it works. Thank you very much. You are a great community.:+1:

hi all,

I hope it is ok to (re-)open this post after a couple of months have passed.
Thanks to the examples from @SimonMartinelli and @outstanding-bear provided in this post, I got it up and running to have Vaadin UI and REST services with GET methods in the same application. I was not able to implement a POST request, which in my case is needed. I added a csrf disable

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

   @Bean
   public PasswordEncoder passwordEncoder() {
      return new BCryptPasswordEncoder();
   }

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      // Allow unauthenticated access to the REST endpoints (AntPathRequestMatcher is
      // required here because both the Vaadin servlet and the DispatcherServlet are registered)
      http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
      //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
      // CSRF is disabled here, before super.configure(http) (see the reply below)
      http.csrf((csrf) -> csrf.disable());
      super.configure(http);
      // LoginView is the project's own Vaadin login view
      setLoginView(http, LoginView.class);
   }

   @Override
   public void configure(WebSecurity web) throws Exception {
      super.configure(web);
   }

   @Bean
   public UserDetailsService users() {
      // Two in-memory users sharing the same BCrypt hash
      UserDetails user = User.builder()
            .username("user")
            .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
            .roles("USER")
            .build();
      UserDetails admin = User.builder()
            .username("admin")
            .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
            .roles("USER", "ADMIN")
            .build();
      return new InMemoryUserDetailsManager(user, admin);
   }

}

in the security config and also

vaadin.exclude-urls=/api/v2/**

in the application.properties. When using the POST method I am always redirected to the Vaadin page (see screenshot).

Is there anyone who has an example or could please update the attached example in order to combine the use of the Vaadin UI and REST service calls (GET, PUT, POST, DELETE) in one application?

Thanks a lot in advance for your help.

Best regards, Michael

You are too early with your csrf customizing. It has to be after the call to super.

Thanks a lot for your fast response, @knoobie . I checked it out, but unfortunately the result for REST calls using Postman is still the same, and when calling the web page it returns "lost connection" when trying to retrieve the login page (see screenshot below).
My security config is the same except the csrf disable (see code below)

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
      //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
      super.configure(http);
      http.csrf((csrf) -> csrf.disable());
      setLoginView(http, LoginView.class);
   }

Is there any way to combine using Vaadin for the UI, but also enable REST endpoints in the same application? Maybe with separate security configs?
Unfortunately I am not skilled enough to find a proper solution here. Thanks in advance to anyone who may provide a short help.

Best regards, Michael

I don’t have a copy-paste ready open source solution on hand, sorry. The gist would be: create a second security chain only for the API.

You can also upvote this, so that hopefully it gets documented in the future: Create a Spring + Vaadin + REST example · Issue #2504 · vaadin/docs · GitHub
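One way to build the "second security chain only for the API" suggested above, and to cover the earlier point that POST calls need CSRF handled, as an added example written for this thread (not code from any poster or from the Vaadin project). It assumes Vaadin 24 on Spring Boot 3 / Spring Security 6, reuses the LoginView class and the in-memory users from the posts above, and leaves Vaadin's own filter chain at its default (lowest) order so that an @Order(1) chain is consulted first. Requiring HTTP Basic credentials for the write methods is a design choice of this example, not something the thread specifies.

```java
package com.example.application.security; // hypothetical package; use the project's own

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    // Chain 1: REST API only. securityMatcher() restricts the whole chain to /api/v2/**,
    // so requests to any other path never enter it. AntPathRequestMatcher is used because,
    // with both the Vaadin servlet and the DispatcherServlet registered, the String overload
    // of requestMatchers() cannot decide between MVC and Ant matching (the fix from this thread).
    @Bean
    @Order(1) // assumed: Vaadin's own chain keeps its default order, so this one runs first
    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher(AntPathRequestMatcher.antMatcher("/api/v2/**"))
            // Stateless API: no HTTP session is created, so there is no session cookie for a
            // cross-site request to ride on. CSRF is dropped only here; the UI chain keeps it.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authz -> authz
                // Reads are open, matching the thread's goal of anonymous GET access ...
                .requestMatchers(AntPathRequestMatcher.antMatcher(HttpMethod.GET, "/api/v2/**")).permitAll()
                // ... while POST/PUT/DELETE require credentials (design choice of this example)
                .anyRequest().authenticated())
            // HTTP Basic against the UserDetailsService below; REST clients send an Authorization header
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: the Vaadin UI. VaadinWebSecurity registers the remaining SecurityFilterChain bean
    // itself; super.configure() installs CSRF handling, static-resource rules and the login flow.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        setLoginView(http, LoginView.class); // LoginView: the project's own Vaadin login view
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService users() {
        // Same two users and BCrypt hash as in the post above; replace with a real user store
        String hash = "$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2";
        UserDetails user = User.builder().username("user").password(hash).roles("USER").build();
        UserDetails admin = User.builder().username("admin").password(hash).roles("USER", "ADMIN").build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

With this in place a GET to /api/v2/... from Postman needs no credentials, a POST to the same path needs the Basic credentials of one of the in-memory users, and a POST without them gets a 401 instead of a redirect to the Vaadin login page, because the request is fully handled by the API chain. Spring Security refuses to start if a chain that matches every request is ordered before a narrower one, so the @Order(1) on the API chain is what makes the split work; a quick check is to send the same POST with and without an Authorization header and confirm the two different status codes.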