Vaadin and Spring boot with REST endpoints

Now it works. Thank you very much. You are a great community. :+1:

hi all,

I hope it is OK to (re-)open this post after a couple of months have passed.
Thanks to the example from @SimonMartinelli and @outstanding-bear provided in this post, I got it up and running to have in the same application Vaadin UI and REST services with GET methods. I was not able to implement a POST request, which in my case is needed. I added a csrf disable

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

   @Bean
   public PasswordEncoder passwordEncoder() {
      return new BCryptPasswordEncoder();
   }

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
      //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
      http.csrf((csrf) -> csrf.disable());
      super.configure(http);
      setLoginView(http, LoginView.class);
   }

   @Override
   public void configure(WebSecurity web) throws Exception {
      super.configure(web);
   }

   @Bean
   public UserDetailsService users() {
      UserDetails user = User.builder()
            .username("user")
            .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
            .roles("USER")
            .build();
      UserDetails admin = User.builder()
            .username("admin")
            .password("$2a$12$/HlKbjS1GnfgeCxG5jUXlOxFrwwTRJzZavt9a9eMiHT2njn61RwU2")
            .roles("USER", "ADMIN")
            .build();
      return new InMemoryUserDetailsManager(user, admin);
   }

}

in the security config and also

vaadin.exclude-urls=/api/v2/**

in the application.properties. When using the POST method I am always redirected to the Vaadin page (see screenshot).

Is there anyone who has an example or could please update the attached example in order to combine the use of Vaadin UI and REST service calls (GET, PUT, POST, DELETE) in one application?

Thanks a lot in advance for your help.

Best regards, Michael

You are too early with your csrf customizing. It has to be after the call to super.

Thanks a lot for your fast response, @knoobie. I checked it out, but unfortunately the result for REST calls using Postman is still the same, but when calling the web page it returns lost connection when trying to retrieve the login page (see screenshot below).
My security config is the same except for the csrf disable (see code below):

   @Override
   protected void configure(HttpSecurity http) throws Exception {
      http.authorizeHttpRequests(authz -> authz.requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous());
      //http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/api/v2/**")).anonymous();
      super.configure(http);
      http.csrf((csrf) -> csrf.disable());
      setLoginView(http, LoginView.class);
   }

Is there any way to combine using Vaadin for the UI but also enable REST endpoints in the same application? Maybe with separate security configs?
Unfortunately I am not skilled enough to find a proper solution here. Thanks in advance to anyone who may provide some short help.

Best regards, Michael

I don’t have a copy-paste ready open source solution on hand, sorry. The gist would be: create a second security chain only for the API.

You can also upvote this, so that hopefully it gets documented in the future: Create a Spring + Vaadin + REST example · Issue #2504 · vaadin/docs · GitHub
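
A sketch of the "second security chain only for the API" suggested above, as an added example that is not code from the thread or from Vaadin. It scopes the CSRF exemption to `/api/v2/**` so the Vaadin chain in `SecurityConfiguration` keeps its defaults (there, only `super.configure(http)` and `setLoginView(...)` would remain in `configure(HttpSecurity)`). Assumptions: Spring Security 6 as used in the thread's code, the hypothetical class and bean names below, and that the Vaadin chain has lower precedence than `@Order(1)`.

```java
// ApiSecurityConfiguration.java -- added example; class and method names are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class ApiSecurityConfiguration {

   // Evaluated before the Vaadin chain (assumed to have lower precedence),
   // so REST requests never reach the login-view redirect logic.
   @Bean
   @Order(1)
   public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
      http
         // This chain handles ONLY the REST paths from the thread.
         .securityMatcher(new AntPathRequestMatcher("/api/v2/**"))
         // Mirrors the anonymous access in the thread. For endpoints that are
         // not meant to be public, require authentication here instead.
         .authorizeHttpRequests(authz -> authz.anyRequest().permitAll())
         // CSRF tokens protect cookie/session-authenticated browsers. The
         // exemption is limited to this chain, not applied to the Vaadin UI.
         .csrf(csrf -> csrf.disable())
         // No HTTP session for API calls, so there is no session cookie for
         // a cross-site request to ride on.
         .sessionManagement(sm ->
               sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
         // If rules are tightened later, answer with 401 rather than
         // redirecting REST clients to the Vaadin login page.
         .exceptionHandling(ex -> ex.authenticationEntryPoint(
               new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
      return http.build();
   }
}
```

The `vaadin.exclude-urls=/api/v2/**` property from the question stays in application.properties so the Vaadin servlet does not handle those paths.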