Every other page load failing

I am using the tutorial [here](https://vaadin.com/tutorials/securing-your-app-with-spring-security/setting-up-spring-security) to use Vaadin with Spring Security. I have an issue when I load my page with a Vaadin LoginForm on it where every other page refresh fails to load. This is 100% consistent, so that if I refresh the page, it loads fine. If I refresh it again, it fails, etc.

I narrowed the problem down to this line in the tutorial:

```java
// Allow all flow internal requests.
.requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
```

The method SecurityUtils.isFrameworkInternalRequest is part of the tutorial code base, and I’ve just copied and pasted it, as-is:

```java
/**
 * Tests if the request is an internal framework request. The test consists of
 * checking if the request parameter is present and if its value is consistent
 * with any of the request types known.
 *
 * @param request
 *            {@link HttpServletRequest}
 * @return true if is an internal framework request. False otherwise.
 */
static boolean isFrameworkInternalRequest(HttpServletRequest request) {
	final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
	return parameterValue != null
		&& Stream.of(RequestType.values()).anyMatch(r -> r.getIdentifier().equals(parameterValue));
}
```

If I change the return in that method to always be true, then the page load always happens successfully.

When the page load fails, I can see certain things missing like custom-styles in the `<head>`, #shadow-roots in the Vaadin components, and the login form itself is just an empty set of `<vaadin-login-form></vaadin-login-form>` tags. Probably other things I’m not aware of. Other pages don’t have this issue. So far the only difference is the presence of the LoginForm on the page that fails, but I’m not sure how it’s related.

Here is some more info: The ApplicationConstants.REQUEST_TYPE_PARAMETER refers to the URL query parameter “v-r”. I see when the page load fails, that parameter is null, and I get some log output like this:

```
2019-09-23 22:58:27.759 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /error at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /error at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /error at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/error'; against '/actuator/**'
2019-09-23 22:58:27.759 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/error'; against '/public/**'
2019-09-23 22:58:27.760 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/error'; against '/login'
2019-09-23 22:58:27.760 INFO  c.m.p.s.SecurityUtils.isFrameworkInternalRequest():37 - RTP: null
```

When the page load succeeds, I get output like this:

```
2019-09-23 22:58:50.724 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /?v-r=uidl&v-uiId=1 at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /?v-r=uidl&v-uiId=1 at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter():328 - /?v-r=uidl&v-uiId=1 at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/'; against '/actuator/**'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/'; against '/public/**'
2019-09-23 22:58:50.724 DEBUG o.s.s.w.u.m.AntPathRequestMatcher.matches():176 - Checking match of request : '/'; against '/login'
2019-09-23 22:58:50.724 INFO  c.m.p.s.SecurityUtils.isFrameworkInternalRequest():37 - RTP: uidl
```

Any help is appreciated.

Hey Travis,

Wow. Nice report!

First of all, I would like to understand if you have configured both HttpSecurity and WebSecurity as described in the tutorial via

```java
//...
@Override
protected void configure(HttpSecurity http) throws Exception {

//...

@Override
public void configure(WebSecurity web) throws Exception {
```

Second, you might have hit some new and strange behavior caused by Spring’s MVC error handler. You will have to disable it for your application:

```java
@SpringBootApplication(exclude = ErrorMvcAutoConfiguration.class)
public class Application {
```

Thanks for pointing me to that. I only fixed it in my example app but not in the tutorial. Will do it right now.

Hope that helps!

Cheers,
Paul

Great! The exclusion fixes the problem I’m seeing. I see you also updated the tutorial. Thanks for such a quick response! For anyone who may come across this, you can also add the exclusion in application.properties with

```properties
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration
```
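
A plain-Java model of the rule order visible in the logs above, added here as an illustration; it is not code from the tutorial or from either poster. It shows why the `/error` dispatch (no `v-r` parameter) is rejected, and why making the matcher always return true opens every path instead of addressing the cause. Assumptions: the `Req` record, the `/admin` path, the request-type identifiers other than `uidl`, that the three path rules are `permitAll()`, and that the chain ends by denying an anonymous caller.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class InternalRequestMatcherDemo {
    // Minimal stand-in for HttpServletRequest: path plus query parameters (assumption).
    record Req(String path, Map<String, String> params) {}

    // "v-r" is the parameter named in the thread; "uidl" appears in its logs.
    // The other identifiers are assumed for illustration.
    static final String REQUEST_TYPE_PARAMETER = "v-r";
    static final List<String> REQUEST_TYPES = List.of("init", "uidl", "heartbeat", "push");

    // Same logic as the isFrameworkInternalRequest method quoted in the question.
    static boolean isFrameworkInternalRequest(Req r) {
        String value = r.params().get(REQUEST_TYPE_PARAMETER);
        return value != null && REQUEST_TYPES.contains(value);
    }

    // The debugging change from the question: the matcher accepts every request.
    static boolean alwaysTrue(Req r) {
        return true;
    }

    // Rule order as logged: /actuator/**, /public/**, /login, then the matcher.
    // Ant patterns are simplified to prefix checks; the final deny is assumed.
    static String decide(Req r, Predicate<Req> internalMatcher) {
        String p = r.path();
        if (p.startsWith("/actuator/") || p.startsWith("/public/") || p.equals("/login")) {
            return "permit";
        }
        return internalMatcher.test(r) ? "permit" : "deny";
    }

    public static void main(String[] args) {
        // Constructed requests: two taken from the logged URLs, one hypothetical.
        List<Req> constructed = List.of(
            new Req("/", Map.of("v-r", "uidl", "v-uiId", "1")), // success log
            new Req("/error", Map.of()),                         // failure log
            new Req("/admin", Map.of()));                        // hypothetical protected view
        for (Req r : constructed) {
            System.out.printf("%-8s tutorial=%-7s alwaysTrue=%s%n", r.path(),
                decide(r, InternalRequestMatcherDemo::isFrameworkInternalRequest),
                decide(r, InternalRequestMatcherDemo::alwaysTrue));
        }
    }
}
```

With the tutorial matcher, `/error` and `/admin` are both denied; with the always-true variant all three are permitted, including `/admin`.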