Vaadin Web Security permit all requests

I tried finding a solution to that problem a while ago, but it didn’t work out.

Essentially I’m using the VaadinWebSecurity adapter that does all the cool stuff for me. The only issue I have is this line of code:

// all other requests require authentication
urlRegistry.anyRequest().authenticated();

I have specific use cases where I want to be able to permit all requests, not just the authenticated ones. For example, for webhooks.
Is there any way to achieve that?

You can add exceptions.

What does your configuration look like?

http.authorizeRequests().requestMatchers(new AntPathRequestMatcher("/webhooks/**")).permitAll();

Like this:

        // Delegating the responsibility of general configurations
        // of http security to the super class. It's configuring
        // the followings: Vaadin's CSRF protection by ignoring
        // framework's internal requests, default request cache,
        // ignoring public views annotated with @AnonymousAllowed,
        // restricting access to other views/endpoints, and enabling
        // ViewAccessChecker authorization.
        super.configure(http);

        // Configures a login success handler and the login page URI of
        // the OAuth2 provider on the specified HttpSecurity instance
        http.oauth2Login()
                .loginPage(LOGIN_ROUTE)
                .successHandler(this.loginSuccessHandler(http))
                .permitAll();
        this.getViewAccessChecker().setLoginView(LOGIN_ROUTE);

The problem is that that would only solve one problem. I also have a “public” part of the website and I want to show users a 404 page if they enter a non-existing URL.

We solve this by having the Vaadin application not at the root but on a sub-path, e.g.: example.com/coolvaadinapp/

Sadly that’s not applicable in my case :frowning_with_open_mouth:

Then the security config is only done for /coolvaadinapp/ and everything else is free to configure differently.

I’ve tried that above the super#configure call, but calling the webhook still redirects me to the OAuth2 Provider’s login page :/

This works in my case

Did you configure any default authentication entry points for that AntPath?

No. I use Actuator

These are REST endpoints