Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

Spring security & vaadin push

Peter Streef
5 years ago May 15, 2017 11:34am

I'm using OAuth2 to secure my vaadin app and have implemented this using spring security. However as stated in Petters tutorial on filter based security. You should manually redirect back in case a push or heartbeat request is the first to go through. 

The first one is the URL the user is redirected to after logging in. By default, Spring will save the URL the user originally tried to access and redirect the user back to that URL after authentication. In a Vaadin application, this URL might be a heartbeat or push URL on some occasions. If this happens, the user would only see a blank page and would have to manually change the URL in the browser to get back to the application.

An easy fix is to just permit all on both PUSH and HEARTBEAT urls like this:

@Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.authorizeRequests()
                .antMatchers("/login**").permitAll()
                .antMatchers("/vaadinServlet/PUSH/**").permitAll() 
                .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .logout()
                .logoutSuccessUrl("/")
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .and()
                .csrf().disable();
    }

So I wonder if this is in any way a security threat when using WEBSOCKET_XHR and if so, what is the best way to fix this. Note that since I use OAuth with an external server I cannot just change the redirect url.
 

Peter Streef
5 years ago Jun 02, 2017 9:19am
Sanyi Juhos
5 years ago Jan 15, 2018 6:54am
Christophe Vandenberghe
4 years ago Oct 23, 2018 6:43pm
Adam Klemanovits
4 years ago Mar 01, 2019 12:35pm
Roasty Cocky
3 years ago Dec 19, 2019 4:14pm