Vaadin and SpringSecurity - access configuration

Hello,
I have two pages: login page and registration page. (Before authorization) I want to go to the registration page (and i can do it with SpringSecurity + SpringMVC ), but always redirected to the registration form. Can anyone help me with SecurityConfiguration file configure? Or maybe the problem is something else?
Thanks!

My security-configuration file:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

private static final String LOGIN_PROCESSING_URL = "/login";
private static final String LOGIN_FAILURE_URL = "/login";
private static final String LOGIN_URL = "/login";
private static final String LOGOUT_SUCCESS_URL = "/login";

@Bean
public CustomRequestCache requestCache() { //
    return new CustomRequestCache();
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/VAADIN/**", "/HEARTBEAT/**", "/UIDL/**", "/resources/**"
                    , "/login", "/login**", "/login/**", "/manifest.json", "/icons/**", "/images/**", "/registration", "/registration/**", "/grid")
            .permitAll()
            .requestMatchers(SecurityUtils::isFrameworkInternalRequest)
            .permitAll()
            .antMatchers("/user/**").hasAnyAuthority("USER")
            .antMatchers("/admin/**").hasAnyAuthority("ADMIN")
            .anyRequest()
            .authenticated()
            .and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
            .defaultSuccessUrl("/registration", true)
            .failureUrl(LOGIN_FAILURE_URL)
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl(LOGOUT_SUCCESS_URL)
            .and()
            .csrf().disable()
            .requestCache().requestCache(new CustomRequestCache());
}

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(
            "/VAADIN/**",
            "/favicon.ico",
            "/robots.txt",
            "/manifest.webmanifest",
            "/sw.js",
            "/offline-page.html",
            "/icons/**",
            "/images/**",
            "/frontend/**",
            "/webjars/**",
            "/h2-console/**",
            "/frontend-es5/**", "/frontend-es6/**");
}

Hi Rostislav, I know nothing about Vaadin, but came across your post as I’m trying to find out how to add a Vaadin UI to my Spring Boot app. Here is my security config I hope it helps you:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    CustomUserDetailsService customUserDetailsService;

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Bean
    public JwtAuthenticationFilter jwtAuthenticationFilter() {
        return new JwtAuthenticationFilter();
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(customUserDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    @Bean(BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .cors()
                    .and()
                .csrf()
                    .disable()
                .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .antMatchers("/",
                        "/favicon.ico",
                        "/**/*.png",
                        "/**/*.gif",
                        "/**/*.svg",
                        "/**/*.jpg",
                        "/**/*.html",
                        "/**/*.css",
                        "/**/*.js")
                        .permitAll()
                    .antMatchers("/api/auth/**")
                        .permitAll()
                    .antMatchers("/api/user/checkUsernameAvailability", "/api/user/checkEmailAvailability")
                        .permitAll()
                    .antMatchers(HttpMethod.GET, "/api/campaign/**", "/api/users/**")
                        .permitAll()
                    .anyRequest()
                        .authenticated();

        // Add our custom JWT security filter
        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

    }
}

The problem is probably not with this part of your security configuration. If you followed the [turtorial]
(https://vaadin.com/learn/tutorials/modern-web-apps-with-spring-boot-and-vaadin/adding-a-login-screen-to-a-vaadin-app-with-spring-security) on login and wiring up Vaadin to spring security, you likely used their advice for the security configuration and have essentially eliminated the possibility of making a register route available…

In the tutorial’s ConfigureUIServiceEventListener.class They offer this code to make things “secure.”

private void authenticateNavigation(BeforeEnterEvent event) {
		if (!LoginView.class.equals(event.getNavigationTarget())
		    && !SecurityUtils.isUserLoggedIn()) { 
			event.rerouteTo(LoginView.class);
		}

So unless you’re logged in, the only route that will answer for an anonymous user is the LoginView and any other url will redirect to login, even if you code your websecurity and httpsecurity to allow those requests to be served to anonymous users.

What you have to to is modify this little bit of code to include the view you’ve allowed elsewhere. You still have to include your registration url in http security but unless you add it here, it will never be served and the user will always be redirected to the login view. I found this while creating a register view and noticing that I could never get a successful display of this view unless I was logged in. (Chicken or Egg…)

    private void beforeEnter(BeforeEnterEvent event) {
        if (!LoginView.class.equals(event.getNavigationTarget()) **&& !RegisterView.class.equals(event.getNavigationTarget())**//
                && !SecurityUtils.isUserLoggedIn()) { //
            event.rerouteTo(LoginView.class); // 
        }
    }

Really this is quite ugly because it means that if you ever want some other view to be available to non-authenticated users, you have to remember to add it here. I plan on modifying this so that I can just add anonymous views to a list and have the beforeEnter() method iterate through it.

I have come back to vaadin after pitching them out of my project because I kept running into issues with their tutorials being:
1. focused on creating brand new sites from scratch where there are no real-world problems and legacy code to deal with. (You already perhaps created your model and services and are trying figure out the patterns to wire up the Vaadin front end.)
2. Outdated: Sometimes years old and based on older versions of Vaadin so that many code snippets would be deprecated already.
3. Based on the assumption - especially in the listing of users, that the data has magically populated itself, and where it hasn’t, there is a java class that populates test users into the database. Sure, they offer the caveat in those cases that this isn’t how that data would get populated. However, in the real world, users register themselves and this requires a form and a page for doing so, which I can find no examples of from hours of search. And their login tutorial essentially prevents you from whipping up a Register View that would facilitate this. Kind of funny if I hadn’t spent a few hours trying to figure out what was up. Not very nice vaadin tutorial guys.

I ripped out vaadin and then started building rest controllers for an Angular front end. You can find lots of articles about how to do registration and login and I was able to do that. However, I have branched and come back to Vaadin because coding up rest controllers and the like, plus the complexity of then having to basically replicate the routing that is already provided in spring inside the Angular client is just too much. It was this tutorial that brought me back actually:

https://www.youtube.com/watch?v=v8SwUUWSWG8&feature=youtu.be