VaadinSecurityConfigurer + CAS authentication: best practice when using RouterLi

Hi everyone,

I’m integrating Vaadin (Flow 24/25) with Spring Security + CAS authentication, and I’m trying to understand the recommended way to configure VaadinSecurityConfigurer when authentication is delegated to an external CAS server.

Context

  • Authentication is handled entirely by CAS (via Spring Security).

  • CAS configuration (entry point, filters, success handler, etc.) is already working correctly.

  • When accessing protected URLs via a browser refresh or direct URL, the flow works perfectly:

    /viewExample → redirected to CAS → authenticated → redirected back to /viewExample

    (Spring Security SavedRequest works as expected.)

  • Views are secured using Vaadin annotations:

    • @AnonymousAllowed for public views
    • @PermitAll / @RolesAllowed for protected views

  • I am using VaadinSecurityConfigurer mainly to support Vaadin navigation (RouterLink) and internal Vaadin requests.

Current configuration

http.with(vaadin(), v -> {
    v.loginView(LoginView.class, "/");
});

And a very simple LoginView:

import com.vaadin.flow.component.UI;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterObserver;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.auth.AnonymousAllowed;

@Route("login")
@AnonymousAllowed
public class LoginView extends VerticalLayout
        implements BeforeEnterObserver {

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        // Leave the Vaadin UI with a full page load of a protected plain URL,
        // so that the Spring Security CAS entry point redirects to the CAS login page
        UI.getCurrent().getPage().setLocation("/unauthorized"); // to trigger the redirect to cas
    }
}

Problem

When navigating to a protected view via RouterLink:

new RouterLink("View example", ViewExample.class);

(where ViewExample is @PermitAll)

The flow is:

  1. Vaadin detects unauthenticated access
  2. Vaadin navigates to LoginView
  3. LoginView redirects to /unauthorized
  4. CAS login is shown
  5. After successful login, the user is not redirected back to the original Vaadin view, but instead ends up at /unauthorized

I understand that this is expected, but is there a simple way to configure this to work?

So:

  • Direct URL access works
  • RouterLink access does not restore the target

Questions

  1. Is vaadin.loginView(...) intended to be used when authentication is handled by an external IdP like CAS?
  2. Is there a recommended pattern for CAS / external SSO when using RouterLink navigation?
    ms / CAS service parameter)?

Any guidance, patterns, or references would be greatly appreciated.
Thanks in advance!