Spring Security with Vaadin

I use Spring Security with Vaadin.

I have the following SecurityConfig:

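import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
// EnableVaadin comes from the Vaadin Spring add-on; UserDetailService and
// JwtTokenFilter are classes from the poster's own project.

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableVaadin
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailService userDetailService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
            .antMatchers("/").permitAll()
//          .antMatchers("/**").permitAll()
            .antMatchers("/VAADIN/**", "/META-INF/**", "/static/**", "/error/**", "/accessDenied/**", "/vaadinServlet/**").permitAll()
            .anyRequest().authenticated();

        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(new JwtTokenFilter(userDetailService), UsernamePasswordAuthenticationFilter.class);
    }
}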

All is OK when I give permission to all URIs with:

.antMatchers("/**").permitAll()

But I only want to give permission to /, not to everything under /.

When I delete this line (.antMatchers("/*…), then the application cannot read the CSS for Vaadin.

Which Vaadin-specific URIs must I open up so that Vaadin can read all Vaadin-specific resources? Something like:

.antMatchers("/VAADIN/**", "/META-INF/**", "/static/**", "/vaadinServlet/**").permitAll()

Your code looks like a copy-paste from a typical Vaadin 8 project. The folder names in Flow apps have changed a bit. For a Flow app I would start with the template below, e.g. in your case the styles are probably under the “frontend” directory. The part under “web application manifest” can be left out if you are not using the @PWA annotation.

@Override
public void configure(WebSecurity web) throws Exception {
	web.ignoring().antMatchers(
			// Vaadin Flow static resources
			"/VAADIN/**",

			// the standard favicon URI
			"/favicon.ico",

			// the robots exclusion standard
			"/robots.txt",

			// web application manifest
			"/manifest.webmanifest",
			"/sw.js",
			"/offline-page.html",

			// icons and images
			"/icons/**",
			"/images/**",

			// (development mode) static resources
			"/frontend/**",

			// (development mode) webjars
			"/webjars/**",

			// (development mode) H2 debugging console
			"/h2-console/**",

			// (production mode) static resources
			"/frontend-es5/**", "/frontend-es6/**");
}
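
An added example, not part of the original thread and not Vaadin's own code: it checks which request paths the ignore list above leaves unauthenticated, and shows why "/" covers only the root while "/**" covers everything. Spring's AntPathMatcher stands in for Spring Security's request matcher, which uses the same Ant-style pattern syntax; the class name, the sample paths and the /admin/users route are constructed for illustration, and spring-core is assumed to be on the classpath.

```java
import java.util.List;
import java.util.Optional;
import org.springframework.util.AntPathMatcher;

public class VaadinAllowListCheck {

    // Patterns copied from the web.ignoring() template in the answer above.
    static final List<String> IGNORED = List.of(
            "/VAADIN/**", "/favicon.ico", "/robots.txt",
            "/manifest.webmanifest", "/sw.js", "/offline-page.html",
            "/icons/**", "/images/**", "/frontend/**", "/webjars/**",
            "/h2-console/**", "/frontend-es5/**", "/frontend-es6/**");

    static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Returns the first pattern that opens the path, or empty if the request
    // would fall through to anyRequest().authenticated().
    static Optional<String> openedBy(List<String> patterns, String path) {
        return patterns.stream().filter(p -> MATCHER.match(p, path)).findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample paths; /admin/users is a hypothetical view route.
        List<String> samples = List.of(
                "/", "/VAADIN/build/bundle.js",
                "/frontend/styles/shared-styles.css",
                "/frontend-es6/app.js", "/h2-console/login.do", "/admin/users");

        for (String path : samples) {
            System.out.printf("%-36s ignored by: %-16s \"/\": %-5b \"/**\": %b%n",
                    path,
                    openedBy(IGNORED, path).orElse("-"),
                    MATCHER.match("/", path),     // true for the root only
                    MATCHER.match("/**", path));  // true for every path
        }

        // An application route must never be reachable through the ignore list.
        if (openedBy(IGNORED, "/admin/users").isPresent()) {
            throw new IllegalStateException("ignore list exposes /admin/users");
        }
        // The development-only H2 console entry is open to anyone while listed.
        if (openedBy(IGNORED, "/h2-console/login.do").isPresent()) {
            System.out.println("note: /h2-console/** is unauthenticated; "
                    + "drop it from production builds");
        }
    }
}
```

Paths matched by web.ignoring() bypass the Spring Security filter chain entirely, so the list should contain static resources only.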

Thanks, now it works.

I copied the code from here:

https://examples.javacodegeeks.com/enterprise-java/vaadin/vaadin-spring-security-example/

But this demo was for Vaadin 8.

Hey,

we added a new tutorial about Spring Security: https://vaadin.com/tutorials/securing-your-app-with-spring-security

Even if you have solved your issue already, I would like to collect some more feedback to push the tutorial in the right direction.

Cheers,
Paul