I am trying to use the Vaadin login component, from the provided Bakery example. In a real application some pages do not need authentication, so I modified your example to allow "other" pages (/o/**) as anonymous by adding the following line to SecurityConfiguration:
...
// Restrict access to our application.
.and().authorizeRequests()
.antMatchers("/o/**").permitAll() // <-----------------< ADDED THIS LINE
// Allow all flow internal requests.
.requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
...
But I still get the login page. Can anybody explain why, and how can I avoid login to certain pages?
Debugging the security configuration I see a heartbeat POST that could have triggered the login request:
Request received for POST '/?v-r=heartbeat&v-uiId=34':
org.apache.catalina.connector.RequestFacade@68ce37bb
servletPath:/
pathInfo:null
headers:
host: localhost:8080
connection: keep-alive
content-length: 0
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
content-type: text/plain; charset=utf-8
accept: */*
origin: http://localhost:8080
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: http://localhost:8080/o/mypizza
accept-encoding: gzip, deflate, br
accept-language: en,it;q=0.9,pt;q=0.8,en-US;q=0.7
cookie: JSESSIONID=7E7B1F5DA0C84D5ACB8E4A386BDED907
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
P.S. The login page is activated ONLY if I access a view (route) managed by Vaadin. I tested a plain page (tiny servlet):
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Plain servlet under the /o/** prefix, outside Vaadin's routing.
@WebServlet(urlPatterns = "/o/hello", name = "Hello")
public class HelloServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello");
        resp.getWriter().close();
    }
}
and it can be accessed without login when pointing the browser to /o/hello.
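The path Spring Security matches is the one in the HTTP request line. Once a Vaadin UI is open, navigation, UIDL and heartbeat traffic all go to the servlet root (`/?v-r=uidl`, `/?v-r=heartbeat`, as in the dump above), not to the route's own path, so an `antMatcher` on `/o/**` only covers the initial page load and plain servlets such as `/o/hello`. The Bakery starter additionally decides which views require a login in a `BeforeEnterListener` registered from a `VaadinServiceInitListener`, and that check runs no matter what `authorizeRequests()` permits. The class below is an added example of such a per-route check; it is not code from the original post or from the Bakery project. It assumes Vaadin 14 with Spring Security 5, a `LoginView` route class as in Bakery, and that views whose `@Route` value starts with `o/` are the anonymous ones; the package, class name and prefix list are hypothetical.

```java
package com.example.security; // hypothetical package, not from the Bakery starter

import java.util.stream.Stream;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

/**
 * Registers a BeforeEnter check on every UI. Navigation between Vaadin routes
 * never produces an HTTP request to the route's path, so per-view access has to
 * be decided here; Spring Security's antMatchers only see the initial page load
 * and the POSTs to "/?v-r=...".
 */
@Component
public class AnonymousRoutesInitListener implements VaadinServiceInitListener {

    /** @Route values (no leading slash) that may be opened without a login. Hypothetical list. */
    private static final String[] ANONYMOUS_ROUTE_PREFIXES = { "o/" };

    @Override
    public void serviceInit(ServiceInitEvent event) {
        event.getSource().addUIInitListener(uiEvent ->
                uiEvent.getUI().addBeforeEnterListener(AnonymousRoutesInitListener::beforeEnter));
    }

    private static void beforeEnter(BeforeEnterEvent event) {
        Class<?> target = event.getNavigationTarget();
        if (LoginView.class.equals(target) || isAnonymousRoute(target) || isUserLoggedIn()) {
            return; // allowed: the login view itself, a whitelisted route, or an authenticated user
        }
        // Everything else behaves as in the Bakery starter: send the user to the login view.
        event.rerouteTo(LoginView.class);
    }

    /** True when the target's @Route value starts with one of the anonymous prefixes. */
    static boolean isAnonymousRoute(Class<?> target) {
        Route route = target.getAnnotation(Route.class);
        if (route == null) {
            return false; // not a routed view: fall through to the login check
        }
        String path = route.value();
        return Stream.of(ANONYMOUS_ROUTE_PREFIXES).anyMatch(path::startsWith);
    }

    /** Same test as SecurityUtils.isUserLoggedIn in the Bakery starter. */
    static boolean isUserLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && !(auth instanceof AnonymousAuthenticationToken)
                && auth.isAuthenticated();
    }
}
```

This listener only inspects the `@Route` value, so a view reachable through an `@RouteAlias` or a path built from `HasUrlParameter` values must be whitelisted by its annotation value, not by the URL the browser shows. The `/o/**` `antMatcher` in the Spring configuration remains useful for resources that never go through Vaadin's router, like the `/o/hello` servlet above.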