Spring Security Allowing Register Page

Hi to all,

I don't know if I opened this in the right place, but I need to implement a register page, so I permitted it in the security config. But even though Spring Security allows the “/register” page, I still see the login page.

How can I just disable security for certain URLs?

This setup does not work:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Not using Spring CSRF here to be able to use plain HTML for the login page
        http.csrf().disable()
                // Register our CustomRequestCache, that saves unauthorized access attempts, so
                // the user is redirected after login.
                //.requestCache().requestCache(new CustomRequestCache())
                // Restrict access to our application.
                .authorizeRequests().antMatchers("/register").permitAll()
                // Allow all flow internal requests.
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                // Allow all requests by logged in users.
                //.anyRequest().hasAnyAuthority(Role.getAllRoles())
                .anyRequest().authenticated()
                // Configure the login page.
                .and().formLogin().loginPage(LOGIN_URL).successHandler(authenticationSuccessHandler).loginProcessingUrl(LOGIN_PROCESSING_URL).permitAll()
                .failureUrl(LOGIN_FAILURE_URL)

                // Configure logout
                .and().logout().logoutSuccessHandler(myLogoutSuccessHandler).logoutSuccessUrl(LOGOUT_SUCCESS_URL).permitAll();
    }

And this is the register view:


    @Route(value = "register")
    public class RegisterView extends VerticalLayout implements BeforeEnterObserver {

        public RegisterView() {
            add(new H1("REGISTER"));
        }

        @PostConstruct
        public void init() {
        }

        @Override
        public void beforeEnter(BeforeEnterEvent beforeEnterEvent) {

        }
    }

And I am adding how the “register” URL looks.

[Screenshot attachment: 18091141.png]

Do you maybe have your own implementation of VaadinServiceInitListener where you define a global BeforeEnterListener?
This was recommended in the [vaadin with spring security](https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/setting-up-spring-security#_secure_router_navigation) trainings.

I could imagine that this global BeforeEnterListener redirects you to the login page. If that’s the case, you can change the code inside the global listener to “allow” the registration view as well as the login view.

    @Component
    public class ConfigureUIServiceInitListener implements VaadinServiceInitListener {

        @Override
        public void serviceInit(ServiceInitEvent event) {
            event.getSource().addUIInitListener(uiEvent -> {
                final UI ui = uiEvent.getUI();
                ui.addBeforeEnterListener(this::beforeEnter);
            });
        }

        /**
         * Reroutes the user if (s)he is not authorized to access the view.
         *
         * @param event
         *            before navigation event with event details
         */
        private void beforeEnter(BeforeEnterEvent event) {
            // Both checks must be joined with &&: a target can never be both views,
            // so "!login || !register" would be true for every navigation target.
            if (!LoginView.class.equals(event.getNavigationTarget())
                    && !RegisterView.class.equals(event.getNavigationTarget()) // ADDED THIS LINE
                    && !SecurityUtils.isUserLoggedIn()) {
                event.rerouteTo(LoginView.class);
            }
        }
    }

That’s exactly the case. Thank you very much, Kaspar.

I changed that before-enter event as below. I am not going to delete my question and your answer, so maybe someone else could benefit.

    private void beforeEnter(BeforeEnterEvent event) {
        final boolean accessGranted = SecurityUtils.isAccessGranted(event.getNavigationTarget());
        if (!accessGranted) {
            if (SecurityUtils.isUserLoggedIn()) {
                event.rerouteToError(AccessDeniedException.class);
            } else {
                if (!event.getLocation().getPath().equals("register")) {
                    event.rerouteTo(LoginView.class);
                }
            }
        }
    }
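
The allow-list decision discussed in this thread, as an added example that is not part of the original posts or of the Vaadin tutorial code: a pure function a global `BeforeEnterListener` could delegate to, keyed on view classes rather than on the path string, with the always-true `||` form of the check alongside for comparison. `LoginView`, `RegisterView` and `DashboardView` are empty stand-ins here, and `decide`, `orFormReroutes` and `ANONYMOUS_VIEWS` are hypothetical names.

```java
import java.util.Set;

public class NavigationGuardDemo {
    // Stand-in view classes (hypothetical; the real ones are Vaadin @Route components).
    static class LoginView {}
    static class RegisterView {}
    static class DashboardView {}

    enum Decision { ALLOW, REROUTE_TO_LOGIN, ACCESS_DENIED }

    // Views an anonymous visitor may open. Keyed on the class, not the URL string,
    // so a renamed route or an added alias cannot silently change the allow list.
    static final Set<Class<?>> ANONYMOUS_VIEWS = Set.of(LoginView.class, RegisterView.class);

    // Deny by default: only listed views are open to anonymous visitors.
    // accessGranted stands for the result of the role check on the target view.
    static Decision decide(Class<?> target, boolean loggedIn, boolean accessGranted) {
        if (ANONYMOUS_VIEWS.contains(target)) {
            return Decision.ALLOW;
        }
        if (!loggedIn) {
            return Decision.REROUTE_TO_LOGIN;
        }
        return accessGranted ? Decision.ALLOW : Decision.ACCESS_DENIED;
    }

    // The "not login OR not register" form: the first operand is true for every
    // target, because no class equals both views, so anonymous users are always rerouted.
    static boolean orFormReroutes(Class<?> target, boolean loggedIn) {
        return (!LoginView.class.equals(target) || !RegisterView.class.equals(target))
                && !loggedIn;
    }

    public static void main(String[] args) {
        Class<?>[] views = {LoginView.class, RegisterView.class, DashboardView.class};
        for (Class<?> view : views) {
            System.out.printf("%-13s anonymous=%s, loggedInNoRole=%s, orFormReroutes=%b%n",
                    view.getSimpleName(),
                    decide(view, false, false),
                    decide(view, true, false),
                    orFormReroutes(view, false));
        }
    }
}
```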

Thanks a lot for this