Vaadin url-mapping static content & spring security filters

Hi,

Currently testing deploying CIA, using mod_proxy with Apache as frontend.

Having some problems serving static content and determining which Vaadin requests I want to pass through security filters.

Demo of application at http://www.riksdagsmonitor.com:8080/cia/.

Current situation: want to set the Vaadin application to context root “/”.

Have static images in webapp/images.

Have an image/rss web service serving dynamic content.

web.xml


	<servlet>
		<servlet-name>CitizenIntelligenceAgency</servlet-name>
		<servlet-class>com.vaadin.terminal.gwt.server.ApplicationServlet</servlet-class>
		<init-param>
			<param-name>application</param-name>
			<param-value>com.hack23.cia.web.views.navigationview.CitizenIntelligenceAgency</param-value>
		</init-param>
	</servlet>
	<servlet-mapping>
		<servlet-name>CitizenIntelligenceAgency</servlet-name>
		<url-pattern>/cia/*</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
		<servlet-name>CitizenIntelligenceAgency</servlet-name>
		<url-pattern>/VAADIN/*</url-pattern>
	</servlet-mapping>

	<servlet>
		<servlet-name>cia-webservices</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	<servlet-mapping>
		<servlet-name>cia-webservices</servlet-name>
		<url-pattern>/services/*</url-pattern>
	</servlet-mapping>

	<listener>
		<listener-class>com.hack23.cia.web.common.StaticContextLoaderListener</listener-class>
	</listener>
	
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>classpath*:META-INF/cia-application-context-service.xml classpath*:META-INF/cia-application-context-web-actionhandlers.xml classpath*:META-INF/cia-application-context-web-viewfactories.xml classpath*:META-INF/cia-application-context-web-security.xml classpath*:META-INF/sessionFactory.xml</param-value>
	</context-param>

	<context-param>
		<param-name>productionMode</param-name>
		<param-value>true</param-value>
	</context-param>

	<session-config>
		<session-timeout>30</session-timeout>
	</session-config>

	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

cia-application-context-web-security.xml


		<!-- 
	<http auto-config='true'>
		<intercept-url pattern="/images/**" filters="none"/>
		<intercept-url pattern="/cia/**" filters="none" />
		<intercept-url pattern="/VAADIN/**" filters="none" />
		<intercept-url pattern="/UIDL/**" filters="none" />
		<intercept-url pattern="/cia/VAADIN/**" filters="none" />
		<intercept-url pattern="/cia/UIDL/**" filters="none" />				
		
		<intercept-url pattern="/cia/VAADIN/**" filters="none" />		
    	<intercept-url pattern="/*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
		<intercept-url pattern="/cia/UIDL/**" filters="none" /> 	
    	<intercept-url pattern="/cia/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/images/**" filters="none"/>
		<intercept-url pattern="/UIDL/**" filters="none" /> 	
  	</http>
    	 -->   	
  	
  	<http auto-config='true'>            
        <intercept-url pattern="/*" access="ROLE_ANONYMOUS" />                
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>        
    </http> 

So any recommendations on the url-pattern for the Vaadin application to get it to ignore serving images with context root ""?

Realised I need security for some of the posts to /UIDL/, but which patterns are action clicks and repaints etc.?

All the best,
Pether
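
Added example, not part of the original post: Spring Security uses the first `intercept-url` whose pattern matches, so the order and depth of the patterns above decide which requests get an access rule at all. The sketch below replays both rule lists from the post against constructed request paths. The matcher is a simplified, case-sensitive stand-in for Ant-style matching (an assumption, not Spring's own code), and duplicate rules from the commented-out block are omitted.

```python
import re

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '*' stays in one segment, '**' spans any depth."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?"); i += 3      # trailing /** also matches the bare prefix
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1         # never crosses a '/'
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))

def decide(rules, path):
    """Return the first (pattern, attribute) that matches, or None if no rule applies."""
    for pattern, attr in rules:
        if ant_to_regex(pattern).fullmatch(path):
            return pattern, attr
    return None

def shadowed(rules, paths):
    """Patterns that match a sample path but never win because an earlier rule matches first."""
    matched, winners = set(), set()
    for path in paths:
        hit = decide(rules, path)
        if hit:
            winners.add(hit[0])
        matched.update(p for p, _ in rules if ant_to_regex(p).fullmatch(path))
    return [p for p, _ in rules if p in matched and p not in winners]

# Active <http> block from the post.
ACTIVE = [("/*", "access=ROLE_ANONYMOUS")]
# Commented-out block from the post, order of first appearance, duplicates omitted.
COMMENTED = [("/images/**", "filters=none"), ("/cia/**", "filters=none"),
             ("/VAADIN/**", "filters=none"), ("/UIDL/**", "filters=none"),
             ("/cia/VAADIN/**", "filters=none"), ("/cia/UIDL/**", "filters=none"),
             ("/*", "access=IS_AUTHENTICATED_ANONYMOUSLY"),
             ("/cia/*", "access=IS_AUTHENTICATED_ANONYMOUSLY")]
# Constructed sample request paths (not taken from real traffic).
PATHS = ["/images/logo.png", "/cia/", "/cia/UIDL/", "/cia/VAADIN/themes/a.css",
         "/VAADIN/themes/a.css", "/index.html"]

if __name__ == "__main__":
    for path in PATHS:
        print(path, "| active:", decide(ACTIVE, path), "| commented:", decide(COMMENTED, path))
    print("never reached in commented block:", shadowed(COMMENTED, PATHS))
```

With the active block, only single-segment paths such as `/index.html` hit the `/*` rule; `/cia/UIDL/` and `/images/logo.png` match no `intercept-url` at all. In the commented-out block, `/cia/**` with `filters="none"` wins before any later `/cia/...` rule is consulted.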

Not actually answering your question, but have you tried mod_jk?

You should put the security checks on the Vaadin application level - not try to filter UIDL requests.

Thanks, will give it a try later on again.

Normally used mod_jk for deployments before, but switched to use mod_proxy since it's included in Apache.

Pether