I am using the tutorial [here](https://vaadin.com/tutorials/securing-your-app-with-spring-security/setting-up-spring-security) to use Vaadin with Spring Security. I have an issue when I load my page with a Vaadin LoginForm on it where every other page refresh fails to load. This is 100% consistent, so that if I refresh the page, it loads fine. If I refresh it again, it fails, etc.
I narrowed the problem down to this line in the tutorial:
```java
// Allow all flow internal requests.
.requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
```
The method SecurityUtils.isFrameworkInternalRequest is part of the tutorial code base, and I’ve just copied and pasted it, as-is:
```java
/**
 * Tests if the request is an internal framework request. The test consists of
 * checking if the request parameter is present and if its value is consistent
 * with any of the request types known.
 *
 * @param request
 *            {@link HttpServletRequest}
 * @return true if is an internal framework request. False otherwise.
 */
static boolean isFrameworkInternalRequest(HttpServletRequest request) {
    final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
    return parameterValue != null
            && Stream.of(RequestType.values()).anyMatch(r -> r.getIdentifier().equals(parameterValue));
}
```
If I change the return in that method to always be true, then the page load always happens successfully.
When the page load fails, I can see certain things missing like custom-styles in the `<head>`, `#shadow-roots` in the Vaadin components, and the login form itself is just an empty set of `<vaadin-login-form></vaadin-login-form>` tags. Probably other things I’m not aware of. Other pages don’t have this issue. So far the only difference is the presence of the LoginForm on the page that fails, but I’m not sure how it’s related.
Here is some more info: The ApplicationConstants.REQUEST_TYPE_PARAMETER refers to the URL query parameter “v-r”. I see when the page load fails, that parameter is null, and I get some log output like this:
```
2019-09-23 22:58:27.759 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /error at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /error at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /error at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/error'; against '/actuator/**'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/error'; against '/public/**'
2019-09-23 22:58:27.760 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/error'; against '/login'
2019-09-23 22:58:27.760 INFO c.m.p.s.SecurityUtils.isFrameworkInternalRequest():37 - RTP: null
```
When the page load succeeds, I get output like this:
```
2019-09-23 22:58:50.724 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /?v-r=uidl&v-uiId=1 at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /?v-r=uidl&v-uiId=1 at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /?v-r=uidl&v-uiId=1 at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/'; against '/actuator/**'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/'; against '/public/**'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/'; against '/login'
2019-09-23 22:58:50.724 INFO c.m.p.s.SecurityUtils.isFrameworkInternalRequest():37 - RTP: uidl
```
Any help is appreciated.
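
The following trace is an added example, not part of the original post or the tutorial's code. It replays the two request URIs from the log excerpts through the permit rules visible in those logs, in the order the log shows them being checked. Assumptions: the class name `PermitTrace`, the set of request-type identifiers (only `uidl` appears on the page), and Ant matching reduced to exact and `/**` prefix matches.

```java
import java.util.List;
import java.util.Set;

public class PermitTrace {
    // Assumption: identifiers of Vaadin's RequestType values; only "uidl" is shown in the post.
    static final Set<String> REQUEST_TYPES = Set.of("uidl", "heartbeat", "push");
    // Patterns taken from the AntPathRequestMatcher lines in the post's log.
    static final List<String> PERMITTED_PATHS = List.of("/actuator/**", "/public/**", "/login");

    /** First value of a query parameter, or null when absent (like getParameter). */
    static String param(String query, String name) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            if (kv[0].equals(name)) return kv.length > 1 ? kv[1] : "";
        }
        return null;
    }

    /** Same test as the post's isFrameworkInternalRequest, applied to a raw query string. */
    static boolean isFrameworkInternal(String query) {
        String value = param(query, "v-r");
        return value != null && REQUEST_TYPES.contains(value);
    }

    /** Simplified Ant matching: exact path, or prefix match for patterns ending in "/**". */
    static boolean antMatch(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String base = pattern.substring(0, pattern.length() - 3);
            return path.equals(base) || path.startsWith(base + "/");
        }
        return pattern.equals(path);
    }

    /** Names the first permit rule that matches the URI, in the order seen in the log. */
    static String decide(String uri) {
        int q = uri.indexOf('?');
        String path = q < 0 ? uri : uri.substring(0, q);
        String query = q < 0 ? null : uri.substring(q + 1);
        for (String p : PERMITTED_PATHS)
            if (antMatch(p, path)) return "permitAll via " + p;
        if (isFrameworkInternal(query)) return "permitAll via v-r=" + param(query, "v-r");
        return "no permitAll rule matched";
    }

    public static void main(String[] args) {
        // Request URIs copied from the two log excerpts in the post.
        for (String uri : List.of("/error", "/?v-r=uidl&v-uiId=1"))
            System.out.println(uri + " -> " + decide(uri));
    }
}
```

The failing excerpt is the filter chain evaluating `/error` with no query string, so none of these permit rules apply to it and the outcome depends on whichever rule follows them in the configuration, which the post does not show.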