Isolated Spring Security for REST API endpoint and Vaadin UI

Hi,

my Spring Boot based App should basically provide 2 major use cases:

  • A REST API with everything located under “/api/**” path
  • A Vaadin based UI located under “/”

So far everything seems to work fine, apart from one detail: if the authentication for an API endpoint fails, the REST client is redirected via HTTP 302 to the /login page instead of simply receiving HTTP 401.

I am using a Spring Security configuration based on this GitHub sample for multiple authentication entry points (basic auth for the API and Vaadin form login for the UI) and the Vaadin4Spring shared security sample from Petter Holmström.

Hello,

I won’t exactly answer your question, but perhaps you can split the REST API and the Vaadin UI into 2 projects instead of putting everything inside 1 project.
It’s easier to configure (and you can put these 2 projects on 2 servers …).

With multiple security configurations, I think the 1st one is used, and if it’s not OK the second one is used … (so you will be redirected to /login).
But I don’t know enough about Spring Security to help you :).

Hi Jean-Christophe,

thanks for your reply. Splitting up the project was also my first thought, since distributed systems are everywhere nowadays. But since our customers often deploy on premise on their own hardware, my goal was to keep things simple and provide a single monolithic deployment unit.

Maybe some Spring Security guru can help me out, and if not, there’s still the ‘2 projects’ option available.

Thanks,
Michael

Hey, I’ve managed to do this!

On your “configure(HttpSecurity http)” do:

http.authorizeRequests().antMatchers("/api/**").anonymous()

And on your “configure(WebSecurity web)” do:

// the "**" in the patterns was eaten by the forum's markdown rendering
web.ignoring().antMatchers("/api/**").antMatchers("/h2-console/**");

Both on your
@Configuration
@EnableVaadin
@EnableWebSecurity

class.

:wink:

Lucas Carvalhaes:
Hey, I’ve managed to do this! […]

You are a crack, you helped me a lot, thank you.
Although this way it only allows requests without authorization; if you had any response on how to do it with JWT authorization, that would be wonderful.
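For readers landing on this thread: the 302 that the original poster describes is what you get when `httpBasic()` and `formLogin()` live in one `HttpSecurity`, because the form login’s `LoginUrlAuthenticationEntryPoint` becomes the default entry point for every unauthenticated request, API calls included. `web.ignoring()` on `/api/**` makes the redirect disappear only because it removes those paths from the security filter chain altogether, which is the “allows requests without authorization” effect noted in the last reply. The usual fix is two separate filter chains: one scoped to `/api/**` that answers with a plain 401, ordered before the catch-all UI chain. The following configuration is an added example written for this page, not the original poster’s code and not the Vaadin4Spring or GitHub sample code. It assumes Spring Boot with Spring Security 5.x (`WebSecurityConfigurerAdapter`, `{noop}` password prefix); the package name, role names, the in-memory users and the `/VAADIN/**` resource path are placeholders you would replace with your own.

```java
// Added example, not code from the original thread or from the Vaadin4Spring sample.
// Assumes Spring Security 5.x; package, roles and users below are placeholders.
package com.example.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
public class SplitSecurityConfig {

    // One user store shared by both chains. In-memory users are placeholders;
    // a real deployment wires its own UserDetailsService here instead.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("api-client").password("{noop}api-secret").roles("API")
            .and()
            .withUser("ui-user").password("{noop}ui-secret").roles("USER");
    }

    // Chain 1: only requests matching /api/** enter this chain. It must be
    // ordered first, because the UI chain below matches every request.
    @Configuration
    @Order(1)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests()
                    .anyRequest().hasRole("API")
                .and()
                .httpBasic()
                .and()
                // Missing or bad credentials produce a bare 401, never a redirect.
                // (Use BasicAuthenticationEntryPoint instead if clients need the
                // WWW-Authenticate challenge header.)
                .exceptionHandling()
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
                // No HTTP session for API clients; with no session cookie to ride,
                // CSRF protection is not needed on this chain.
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf().disable();
        }
    }

    // Chain 2: everything else, i.e. the Vaadin UI. Form login and the
    // 302-to-/login behaviour are kept here, where they are right for a browser.
    @Configuration
    @Order(2)
    public static class UiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // "/VAADIN/**" is the assumed static-resource path of the UI.
                    .antMatchers("/login", "/VAADIN/**").permitAll()
                    .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutSuccessUrl("/login")
                .and()
                // Vaadin carries its own CSRF token on UIDL requests; disabling
                // Spring's check on the UI chain is assumed here, as in the
                // Vaadin4Spring sample. Keep it enabled if your UI setup needs it.
                .csrf().disable();
        }
    }
}
```

To check the behaviour after wiring this in: `curl -i http://localhost:8080/api/anything` should return `HTTP/1.1 401` with no `Location` header, `curl -i -u api-client:api-secret http://localhost:8080/api/anything` should reach the controller (200, or 404 if no such endpoint exists), and opening `/` in a browser without a session should still redirect to `/login`. If you swap the order annotations you will see the original symptom again, because the UI chain then claims `/api/**` first. The JWT variant asked about in the last reply fits the same structure: a token-validating filter goes into the `ApiSecurity` chain via `http.addFilterBefore(...)` in place of `httpBasic()`, and the 401 entry point stays as shown.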