Vaadin and Spring boot with REST endpoints

Good. Now you need this Configuration | Spring | Integrations | Vaadin Docs

Thanks Simon for helping me!
I have added this to the application.yml:
vaadin:
  exclude-urls: /api/v2/**
But there is no difference, something must still be missing.

I just realized that there is no security configuration for api/v2

You must add this as well

Is this config not enough?

http.authorizeHttpRequests(authz -> authz.requestMatchers("/api/v2/**").anonymous());

I am not deeply familiar with security. Can you explain to me what the config looks like?

This looks good

IMO this should work

Could you provide a reproducible example?

I did a simple test and this works for me

http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();

I didn't even need to exclude the URL

I have rebuilt a small project where the same problem occurs. Can it be that something has changed with Vaadin 24?
rest-example.zip (356 KB)

There was the AntPathRequestMatcher missing

http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

Plus if you want to use POST you will have to disable csrf

https://github.com/vaadin/docs/issues/2504 created to hopefully get an example we can always link to :sweat_smile:

The week starts well :exploding_head:. I doubt myself. No matter what I try, nothing changes the result.

http.csrf(AbstractHttpConfigurer::disable)
    .authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

does not work. Likewise, I created a simple GetMapping method, but it also returns the same result.

this works with the GET request
rest-example.zip (380 KB)

Now it works. Thank you very much. You are a great community.:+1:

hi all,

I hope it is OK to (re-)open this post after a couple of months have passed.
Thanks to the example from @SimonMartinelli and @outstanding-bear provided in this post, I got it up and running to have in the same application Vaadin UI and REST services with GET methods. I was not able to implement a POST request, which in my case is needed. I added a csrf disable

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

   @Bean
   public PasswordEncoder passwordEncoder() {
      return new BCryptPasswordEncoder();
   }

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
      //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
      http.csrf((csrf) -> csrf.disable());
      super.configure(http);
      setLoginView(http, LoginView.class);
   }

   @Override
   public void configure(WebSecurity web) throws Exception {
      super.configure(web);
   }

   @Bean
   public UserDetailsService users() {
      UserDetails user = User.builder()
            .username("user")
            .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
            .roles("USER")
            .build();
      UserDetails admin = User.builder()
            .username("admin")
            .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
            .roles("USER", "ADMIN")
            .build();
      return new InMemoryUserDetailsManager(user, admin);
   }

}

in the security config and also

vaadin.exclude-urls=/api/v2/**

in the application.properties. When using the POST method I am always redirected to the Vaadin page (see screenshot).

Is there anyone who has an example or could please update the attached example in order to combine the use of Vaadin UI and REST service calls (GET, PUT, POST, DELETE) in one application?

Thanks a lot in advance for your help.

Best regards, Michael

You are too early with your csrf customizing. It has to be after the call to super.
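
The ordering described in the last reply, as an added example that is not code from any poster or from the Vaadin project: the REST matcher goes before super.configure(http), the csrf customization after it. It assumes Vaadin 24 with Spring Security 6 on the classpath and `vaadin.exclude-urls=/api/v2/**` still set; `LoginView` is the login view from the post above, and `EchoController` with its `/api/v2/echo` path is a hypothetical endpoint used only to exercise POST.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 1. Register the REST matcher BEFORE super.configure(http), as in the
        //    posts above, so it is in place before Vaadin's own rules are added.
        //    Note: anonymous() admits only callers that are NOT logged in.
        http.authorizeHttpRequests(authz -> authz
                .requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());

        // 2. Let Vaadin apply its own security rules, including its csrf setup.
        super.configure(http);

        // 3. Customize csrf AFTER super.configure(http), as the last reply says;
        //    a csrf setting made before that call does not take effect.
        http.csrf(csrf -> csrf.disable());
        // Narrower alternative (editor's suggestion, not from the thread): keep
        // CSRF protection on and exempt only the REST prefix:
        // http.csrf(csrf -> csrf.ignoringRequestMatchers(
        //         new AntPathRequestMatcher("/api/v2/**")));

        setLoginView(http, LoginView.class);
    }
}

// Hypothetical endpoint: a POST to /api/v2/echo should now return the body
// instead of redirecting to the Vaadin login page.
@RestController
@RequestMapping("/api/v2")
class EchoController {

    @PostMapping("/echo")
    String echo(@RequestBody String body) {
        return body;
    }
}
```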