Vaadin 10 Spring Security

Are there any plans to have a Spring Security integration in Vaadin 10 like we have seen for Vaadin 8?
What would be the best approach? I could think of using BeforeEnter… but that would be needed on every view. Do you have any ideas for a more generic approach?

Hi Thomas,

If you have a pro subscription, you can see Spring Security integration in the Spring Starter pack:

https://vaadin.com/start/v10-full-stack-spring

In short - what the starter app is doing is having a beforeEnter on the MainView.

   // MainView implements BeforeEnterObserver, so every route that uses it as layout passes through here
   @Override
   public void beforeEnter(BeforeEnterEvent event) {
      if (!SecurityUtils.isAccessGranted(event.getNavigationTarget())) {
         event.rerouteToError(AccessDeniedException.class);
      }
   }

All the other views that use the MainView for layout will automatically be checked.

@HtmlImport("frontend://src/views/development/list-editor.html")
@Route(value = "listeditor", layout = MainView.class)
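As an added example (not the starter's own code), one way the SecurityUtils.isAccessGranted(...) helper called in the snippet above could be written, assuming the view classes are annotated with Spring Security's @Secured to declare the roles they require:

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Assumed helper behind the SecurityUtils.isAccessGranted(...) call.
 * Authorization is decided from a @Secured annotation on the view class,
 * e.g. @Secured("ROLE_ADMIN") on an AdminView.
 */
public final class SecurityUtils {

    private SecurityUtils() {
    }

    /** True when a real (non-anonymous) user is authenticated in this request. */
    public static boolean isUserLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && !(auth instanceof AnonymousAuthenticationToken)
                && auth.isAuthenticated();
    }

    /**
     * Decides whether the current user may navigate to the given view class.
     * Views without @Secured are treated as public (return false here instead
     * if you prefer deny-by-default); secured views require at least one of
     * the listed roles among the user's granted authorities.
     */
    public static boolean isAccessGranted(Class<?> navigationTarget) {
        Secured secured = navigationTarget.getAnnotation(Secured.class);
        if (secured == null) {
            return true;
        }
        if (!isUserLoggedIn()) {
            return false;
        }
        List<String> allowed = Arrays.asList(secured.value());
        Collection<? extends GrantedAuthority> authorities =
                SecurityContextHolder.getContext().getAuthentication().getAuthorities();
        return authorities.stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(allowed::contains);
    }
}
```

The rerouteToError(AccessDeniedException.class) call in the MainView snippet needs a matching error view that implements HasErrorParameter<AccessDeniedException>, otherwise Vaadin falls back to its default error page.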

Thanks Martin,
sometimes the solution is so near, but one doesn’t see it.

Yeah, been there too :slight_smile:

BTW - I was trying out different deployment options this weekend and ran into issues when trying to deploy as a stand-alone spring-boot jar. I was looking through the forum and noticed that you had a question along the same lines about 2 months ago.

Did you ever find a solution to it?

(I wanted to reply to your original post, but the forum search is rather useless, so I wasn’t able to find it again).

No, I did not find a solution. As far as I could see, Vaadin is loading the resources using the ServletContext, which doesn’t play nice with Spring Boot packaging. Do you think we should file a ticket on this?

There is an open ticket: https://github.com/vaadin/spring/issues/265

(I didn’t try this solution or the blog post)

Just for sharing knowledge. Security is working for me with the org.springframework.security.web.access.WebInvocationPrivilegeEvaluator:

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;

import com.vaadin.flow.component.Component;
import com.vaadin.flow.component.UI;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.server.VaadinRequest;
import com.vaadin.flow.server.VaadinService;
import com.vaadin.flow.server.VaadinServletRequest;

	private final Logger log = LoggerFactory.getLogger(getClass());

	// Spring Security's evaluator for the URL rules configured in HttpSecurity (injected, e.g. via the constructor)
	private final WebInvocationPrivilegeEvaluator webPrivs;

	@Override
	public void beforeEnter(BeforeEnterEvent event) {
		log.debug("BeforeEnterEvent: navigate to {}", event.getNavigationTarget().getCanonicalName());
		VaadinRequest currentRequest = VaadinService.getCurrentRequest();
		HttpServletRequest httpServletRequest = ((VaadinServletRequest) currentRequest).getHttpServletRequest();
		String requestUrl = httpServletRequest.getRequestURL().toString();
		String pathInfo = currentRequest.getPathInfo();

		// base URI: strip the current path info from the request URL
		// (pathInfo may be null, and it is a literal path, not a regex, so it is quoted)
		String baseUrl = Optional.ofNullable(pathInfo)
				.map(p -> requestUrl.replaceAll(Pattern.quote(p) + "$", "/"))
				.orElse(requestUrl);
		URI uri;
		try {
			uri = new URI(baseUrl);
		} catch (URISyntaxException e) {
			// fail closed: if the URL cannot be parsed, do not let the navigation through unchecked
			log.error("Cannot parse base URL {}", baseUrl, e);
			event.rerouteTo(AccessDeniedView.class);
			return;
		}

		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

		@SuppressWarnings("unchecked")
		Class<? extends Component> target = (Class<? extends Component>) event.getNavigationTarget();
		String destination = UI.getCurrent().getRouter().getUrl(target);
		log.debug("Destination is {}", uri.getRawPath() + destination);

		// now that we have the URL path, ask Spring Security whether this user has access to it
		boolean access = webPrivs.isAllowed(uri.getRawPath() + destination, authentication);
		log.debug("Allowed: {}", access);

		if (!access) {
			event.rerouteTo(AccessDeniedView.class);
		}
	}

Hey guys,

we added a new tutorial about the integration of Spring Security into Vaadin: https://vaadin.com/tutorials/securing-your-app-with-spring-security. It is still a work in progress, but I would like to collect feedback for future improvements.

Cheers,
Paul