Vaadin 7 beta 10 + spring security

Maybe someone can give me a hand. I’m using Spring Integration (https://vaadin.com/directory#addon/springvaadinintegration) addon, and followed this blog (http://morevaadin.com/content/spring-security-integration/) to set spring security.
My app does the following:

  • “login view” is shown
  • shows the login screen: that’s fine.
  • user inputs login info and gets authenticated: that’s fine
  • the security context is set with the authentication data
  • the “main view” is shown: that’s fine

However, if I do something as simple as add a button to the main view and show

Notification.show("auth " + SecurityContextHolder.getContext().getAuthentication());

The authentication is null. But the same Notification in the “enter(ViewChangeEvent)” of the same view is working fine.

I’m guessing something is wrong with my web.xml config or my spring-security.xml but I’ve been reading everywhere and I can’t find the problem.

Here’s my web.xml:


	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/root-context.xml
			/WEB-INF/security.xml
		</param-value>
	</context-param>
	<servlet>
		<servlet-name>Vaadin Sample Application</servlet-name>
		<servlet-class>com..MyServlet</servlet-class>
		<init-param>
			<param-name>beanName</param-name>
			<param-value>vaadinUI</param-value>
		</init-param>
		<init-param>
			<param-name>systemMessagesBeanName</param-name>
			<param-value>DEFAULT</param-value>
		</init-param>
		<load-on-startup>10</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>Vaadin Sample Application</servlet-name>
		<url-pattern>/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>Vaadin Sample Application</servlet-name>
		<url-pattern>/VAADIN/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>default</servlet-name>
		<url-pattern>/static/*</url-pattern>
	</servlet-mapping>
	<context-param>
		<description>Vaadin production mode</description>
		<param-name>productionMode</param-name>
		<param-value>true</param-value>
	</context-param>
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

and my security.xml


	<global-method-security secured-annotations="enabled" />

	<http pattern="/VAADIN/**" security="none" />
	<http pattern="/static/**" security="none" />

	<http auto-config='true'>
		<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
	</http>

	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="admin" authorities="ROLE_USER, ROLE_ADMIN"
					password="admin" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

I’m guessing it has something to do with the interceptors that populate the security context but I don’t know how to fix it.
I’d appreciate any help! Thanks in advance!!

Hi, I’m stuck with the same problem! Could someone help us?

Hi,

Your SecurityContext needs to be stored somewhere between each request; in fact, that’s what is lacking in the morevaadin example. If you have a look at the Spring Security documentation here, the SecurityContextPersistenceFilter can do this job for you.

On the other hand, you can also write some code in your application servlet to store and retrieve the SecurityContext from the HttpSession, but I don’t think it’s a good approach.

You already have declared your DelegatingFilterProxy in your web.xml, so just add the following in your security.xml :

	<beans:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
		<filter-chain-map path-type="ant">
			<filter-chain pattern="/**" filters="securityContextPersistenceFilter"/>
		</filter-chain-map>
	</beans:bean>

	<beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>

Hope this helps.
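
Added example (not part of the thread and not Spring Security's own code): a JDK-only model of the mechanism the answer above describes, showing why a context kept only in per-thread storage is gone on the next request and what a persistence filter does about it. All names are hypothetical; it assumes, as the question suggests, that the login and enter() run in one request and the button click is a later request on another thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Model only: HOLDER stands in for SecurityContextHolder's default
// thread-local storage, the map stands in for the HttpSession.
public class ContextPersistenceModel {
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    static final String KEY = "SECURITY_CONTEXT"; // constructed attribute name

    // Serves one "request" on its own worker thread and returns the handler's result.
    static String serve(boolean persist, Map<String, String> session,
                        Supplier<String> handler) throws InterruptedException {
        String[] result = new String[1];
        Thread worker = new Thread(() -> {
            if (persist) HOLDER.set(session.get(KEY)); // restore before the handler runs
            try {
                result[0] = handler.get();
            } finally {
                // Save whatever the handler left in the holder, then clear the
                // thread so a reused worker cannot expose another user's context.
                if (persist && HOLDER.get() != null) session.put(KEY, HOLDER.get());
                HOLDER.remove();
            }
        });
        worker.start();
        worker.join();
        return result[0];
    }

    static String scenario(boolean persist) throws InterruptedException {
        Map<String, String> session = new ConcurrentHashMap<>();
        // Request 1: the login sets the context, then enter() reads it.
        String enter = serve(persist, session, () -> {
            HOLDER.set("admin");
            return String.valueOf(HOLDER.get());
        });
        // Request 2: the button click, handled later on a different thread.
        String click = serve(persist, session, () -> String.valueOf(HOLDER.get()));
        return "enter=" + enter + ", click=" + click;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("no persistence:   " + scenario(false));
        System.out.println("with persistence: " + scenario(true));
    }
}
```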

I just uploaded the same Alexander Federov’s Spring Security project example, with the only change that I put all the dependencies in the pom.xml. I’m running it in Tomcat 7 and I use the STS IDE.

The login page loads fine.
When I complete the username and the password and click the login button, the following error shows up:

Estado HTTP 404 - /j_spring_security_check

and the URL in the browser shows like this:

http://localhost:8092/j_spring_security_check

I think that error shows up because in that URL I don’t see the context path of my project (“vaadin-spring-security”).

This is the project:

https://github.com/rgaaray/vaadin-spring-security/

Any idea??