By Paul Römer

Part of tutorial series Securing your app with Spring Security

Setting up Spring Security for Vaadin applications

Warning

There was a security issue in the first version of the tutorial: The navigation listener that checks permissions for router navigation was missing. This will allow attackers to manipulate your login view to trigger router navigation and access secured pages! Please, check your code if an UI listener is registered as explained here.

After discussing the goals and setting up the project base, we can finally start with the actual work!

Enable Spring Security

First, we have to add the needed Spring Security dependencies to our POM:

pom.xml

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>

Second, we have to disable Spring’s MVC error handler. Since Vaadin 14 it causes strange reload behavior. Check this forum thread for details. Thank you all, for fighting this bug down!

Application.java

@SpringBootApplication(exclude = ErrorMvcAutoConfiguration.class)
public class Application {

Third, we will add a Vaadin aware Spring Security configuration via the SecurityConfiguration class that uses some helpers you can check in the sources.

SecurityConfiguration.java

/**
 * Require login to access internal pages and configure login form.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Not using Spring CSRF here to be able to use plain HTML for the login page
    http.csrf().disable() // (1)

            // Register our CustomRequestCache that saves unauthorized access attempts, so
            // the user is redirected after login.
            .requestCache().requestCache(new CustomRequestCache()) // (2)

            // Restrict access to our application.
            .and().authorizeRequests()

            // Allow all flow internal requests.
            .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll() // (3)

            // Allow all requests by logged in users.
            .anyRequest().authenticated() // (4)

            // Configure the login page.
            .and().formLogin().loginPage(LOGIN_URL).permitAll() // (5)
            .loginProcessingUrl(LOGIN_PROCESSING_URL) // (6)
            .failureUrl(LOGIN_FAILURE_URL)

            // Configure logout
            .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
}

Vaadin has built-in Cross-Site Request Forgery already.
We add a customized request cache to filter out framework internal request. Check CustomRequestCache implementation for details.
Permits a set of Vaadin related request types (check SecurityUtils for details).
Force authentication for all views.
Configure the URL to the login page for redirects and permit access to everyone.
Configure the login URL Spring Security is expecting POST requests to (form submit).

Next, we have to make sure that resources Vaadin needs are bypassed and not affected by our security configuration above:

SecurityConfiguration.java

/**
 * Allows access to static resources, bypassing Spring security.
 */
@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers(
            // Vaadin Flow static resources // (1)
            "/VAADIN/**",

            // the standard favicon URI
            "/favicon.ico",

            // the robots exclusion standard
            "/robots.txt",

            // web application manifest // (2)
            "/manifest.webmanifest",
            "/sw.js",
            "/offline-page.html",

            // (development mode) static resources // (3)
            "/frontend/**",

            // (development mode) webjars // (3)
            "/webjars/**",

            // (production mode) static resources // (4)
            "/frontend-es5/**", "/frontend-es6/**");
}

Mandatory.
Needed only when developing a Progressive Web Application.
Allows access to frontend resources in development mode.
Grants access to all bundled resources. This is important for your login view (if a Polymer template needs to be accessed) or for every other public page.

Secure Router Navigation

Finally, we have to secure router navigation by registerring a before navigation listener that checks for permissions. This is very important as Spring Security is not aware of the single page application behavior of a Vaadin application. That means AJAX requests as they are done during navigation via router links are not protected by the default Spring Security filters.

ConfigureUIServiceInitListener.java

@Component // (1)
public class ConfigureUIServiceInitListener implements VaadinServiceInitListener { // (1)

    @Override
    public void serviceInit(ServiceInitEvent event) {
        event.getSource().addUIInitListener(uiEvent -> {
        final UI ui = uiEvent.getUI();
        ui.addBeforeEnterListener(this::beforeEnter); // (2)
        });
    }

    /**
     * Reroutes the user if (s)he is not authorized to access the view.
     *
     * @param event
     *            before navigation event with event details
     */
    private void beforeEnter(BeforeEnterEvent event) {
        if (!LoginView.class.equals(event.getNavigationTarget()) // (3)
            && !SecurityUtils.isUserLoggedIn()) { // (4)
            event.rerouteTo(LoginView.class); // (5)
        }
    }
}

Allows adding the navigation listener globally to all UI instances by using a service init listener. Spring takes care of registering it.
Adds the before enter listener.
Ignores the login view itself.
Only redirects if user is not logged in. See below.
Actual rerouting the login view if needed.

SecurityUtils.java

static boolean isUserLoggedIn() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); // (1)
    return authentication != null // (2)
            && !(authentication instanceof AnonymousAuthenticationToken) // (3)
            && authentication.isAuthenticated(); // (4)
}

Gets the authentication token from the security context.
Fail if no authentication is available.
Fail for anonymous authentication tokens. Spring Security will add this type of token if all other authentication mechanism failed by default.
Fail if the authentication token is available but is not authenticated.

Once again, run mvn spring-boot:run to build and start the web application and notice the redirection to /login. So far, so good.

Introduction to using Spring Security in Vaadin applications

Adding form-based login views to a Vaadin application using Spring Security

Comments (48)

Michael Prankl

Hi,

great tutorial series! We recently bumped into an issue with StreamResoure (for file downloads), which serves the file at /VAADIN/dynamic/resource/**.

This tutorial however completely disables the Spring Security chain for everything under /VAADIN/**.

Could you please update the tutorials and example code? See also a great answer on Stackoverflow regarding this issue: https://stackoverflow.com/a/55333581/2054206

Cheers, Michael

Nico Michael

I have a Tab and route the User with tab.add(new RouterLink(text, navigationTarget));

But i get an error: JavaScriptNavigationStateRenderer : BeforeEvent.rerouteTo() with a client side route is not supported

And my user can access the restricted area

Enzo Acosta

hello:

Vaadin 8.11.2 vaadin-spring 3.1.1

i have problem making work vaadin-spring secutrity

in my case works OK the security -> @Secured views + ROLE_XXX only if i have 1 (one) rol in the user.

when i have more than 1 rol the security can not find the match.

i see in com.vaadin.spring.access -> isAccessGranted the list of rols of the users OK and the view give the @Secured OK.

68 return Stream.of(securityConfigAttributes).anyMatch(authorities::contains);

ex1 -> OK:

view = @Secured({"**ROLE_TRASLLATS**","ROLE_PISTER"}) 
user rol = "**ROLE_TRASLLATS**"

securityConfigAttributes=["ROLE_TRASLLATS","ROLE_PISTER"]
authorities=["ROLE_TRASLLATS"]
return = true

ex1 -> NO OK:

view = @Secured({"**ROLE_TRASLLATS**","ROLE_PISTER"}) 
user rol = "**ROLE_TRASLLATS**","ROLE_PISTER","ROLE_MAGATZEM"

securityConfigAttributes=["ROLE_TRASLLATS","ROLE_PISTER"]
authorities=["ROLE_TRASLLATS","ROLE_PISTER","ROLE_MAGATZEM"]
return = false

??????? is any other way to get the seurity.

any idea.... thanks

Ml LL

If I don't want to use a login view. What shoud I do in the UI listener ?

If I arrive in the application and I'm not logged in, I want to start the OAUTH flow immediatly.

Otherwise I would have to add a login with Azure AD button and it's not clear how I can do that with Vaadin (staying in java).

Tatu Lund

Have you checked this OAuth tutorial https://vaadin.com/learn/tutorials/google-login

Ml LL

Yes I finally did it this way. Now I'm trying to add a Remember Me feature as describe here:https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/speciale#_remember_me

But I keep receiving:

UserDetailsService is required. java.lang.IllegalStateException: UserDetailsService is required. at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$UserDetailsServiceDelegator.loadUserByUsername(WebSecurityConfigurerAdapter.java:474) at org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.onLoginSuccess(TokenBasedRememberMeServices.java:187)

Ahmet Eroglu

Hi, I'm following the tutorial, and on my development env. I cant reach to "new CustomRequestCache()", this clas doesn't seem to belong any package. How can I retrieve it?

Tarek Oraby

You need to add the class: https://github.com/vaadin-learning-center/spring-secured-vaadin/blob/master/src/main/java/org/vaadin/paul/spring/app/security/CustomRequestCache.java

Gustavo Madruga

Hey, greate article, Implemented and using per tutorial, thank you!

But now I would like to use the Impersonate feature (SwitchUser) from Spring Security, any hints on how to make this work?

I've added the bellow Bean on SecurityConfiguration.java

@Bean
public SwitchUserFilter switchUserFilter() {
    SwitchUserFilter filter = new SwitchUserFilter();
    filter.setUserDetailsService(userDetailsService);
    filter.setUsernameParameter("email");
    filter.setSuccessHandler(myAuthenticationSuccessHandler());
    return filter;
}

The following to the configure() method

  ...
  // Only Admin can impersonate
  .antMatchers("/login/impersonate*").hasRole("ADMIN")
  .antMatchers("/logout/impersonate*").authenticated()
  ...
  // Configure SwitchUser filter
  .and().addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class)

And on my MainView. java I have the following, to give to the admin the option to impersonate

if(SecurityUtils.isAdmin()) {
  // if not impersonating, give user email options to select
  if(! SecurityUtils.isImpersonating()) {
    ComboBox<String> cbbEmails = new ComboBox<>();
    cbbEmails.setItems(personRepository.listAllEmails());
    topMenu.add(cbbEmails);
    Button btnImpersonate = new Button("Impersonate");
    btnImpersonate.addClickListener(e -> {
      if(! cbbEmails.getValue().isEmpty()) {
        // redirect to impersonating link
        // /login/impersonate?username=loginIdOfTheNewUser
        HashMap<String, String> map = new HashMap<>();
        map.put("username", cbbEmails.getValue());
        QueryParameters qps = QueryParameters.simple(map);
        UI.getCurrent().navigate("login/impersonate", qps);
      }
    });
    topMenu.add(btnImpersonate);
  // if is impersonating, give option to logout from impersonating and get back to admin
  } else {
    Button btnUnimpersonate = new Button("Logout from Impersonating");
    btnUnimpersonate.addClickListener(e -> UI.getCurrent().navigate("logout/impersonate"));
    topMenu.add(btnUnimpersonate);
  }
}

Now I'm getting: Could not navigate to 'login/impersonate' Reason: Couldn't find route for 'login/impersonate'

Thanks for the help!

Folayan Olalekan

Hi paul, Thanks for your article. i have a new route- signup that i would love to be accessible by all . i added

 .antMatchers("/signup").permitAll()

it still shows the login page only this time there is no redirection as with other requests. how do i allow this route while maintaining this config

Thanks alot.

update found a solution here: https://vaadin.com/forum/thread/18091137/spring-security-allowing-register-page

Mark HM

Hi Paul,

Thanks again for your article. I now have a working Spring-secured Vaadin application that authenticates vs a database. 👍🏻

One question though:

How would I modify the security configuration so my application has a context root ("/") that is unsecured...? I have a generic introduction page here and would like to avoid request to the context root to be directly intercepted by the login form.

For a few other views, I have successfully added their route to the web.ignoring().antMatchers(..)., but when I do so with context root "/**", it messes up child routes, in particular by a NPR in SecurityUtils.isAccessGranted(..) where userAuthentication is null. Of course, I could foresee problems with adding "/**", but is there any other way to achieve this? I tried with a redirect controller that would intercept calls to the context root and would redirect to "/frontpage" (which had been added to antMatchers), but the login-interceptor would have prevalence over the redirect controller.

I note that this application is deployed at vaadin.urlMapping=/*.

Much appreciated. 🙏🏻

Best, Mark

Mark HM

The correct way to do this was to add .antMatchers("/").permitAll() here:

protected void configure(HttpSecurity http) throws Exception
{
                ..
                
                .antMatchers("/").permitAll() // <--- here

                .antMatchers("/VAADIN/**").permitAll()
                .anyRequest().authenticated()
                .and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
                .failureUrl(LOGIN_FAILURE_URL).successForwardUrl(LOGOUT_SUCCESS_FORWARD_URL)
				
                ..
}

This opens the context root for anonymous access, while maintaining the enforced authentication for the deeper routes.

Walid Haider

Hi Mark,

I am a newbie to Vaadin and have been searching on how to authenticate against a PostgreSQL database, but with no success. Could you please share how you were able to authenticate against a database?

Thanks and regards.

Mark HM

Hi Walid,

My application is based on Spring Boot, so I used a simple DaoAuthenticationProvider as follows:

import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.core.userdetails.UserDetailsService;

...

public DaoAuthenticationProvider authenticationProvider(){
	DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
	provider.setPasswordEncoder(passwordEncoder);
	provider.setUserDetailsService(userDetailsService);
	return provider;
}

Where are you stuck...?

Best, Mark

Walid Haider

Hi Mark,

Thank you for the quick response.

Perhaps I am over-complicating the implementation, but I attempted to follow the steps at https://www.baeldung.com/spring-security-authentication-with-a-database but when I debug the application, I am getting the following error:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [org/springframework/security/core/userdetails/jdbc/users.ddl]: create table users(username varchar_ignorecase(50) not null primary key,password varchar_ignorecase(500) not null,enabled boolean not null); nested exception is org.postgresql.util.PSQLException: ERROR: type "varchar_ignorecase" does not exist
  Position: 29
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:645) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:475) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1338) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1177) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:557) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:517) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:323) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:321) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:310) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:879) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:878) ~[spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:550) ~[spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.2.0.RELEASE.jar:2.2.0.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747) ~[spring-boot-2.2.0.RELEASE.jar:2.2.0.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) ~[spring-boot-2.2.0.RELEASE.jar:2.2.0.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-2.2.0.RELEASE.jar:2.2.0.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.2.0.RELEASE.jar:2.2.0.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) ~[spring-boot-2.2.0.RELEASE.jar:2.2.0.RELEASE]
	at com.tacticamz.javaflux.Application.main(Application.java:21) ~[classes/:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:564) ~[na:na]
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) ~[spring-boot-devtools-2.2.0.RELEASE.jar:2.2.0.RELEASE]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [org/springframework/security/core/userdetails/jdbc/users.ddl]: create table users(username varchar_ignorecase(50) not null primary key,password varchar_ignorecase(500) not null,enabled boolean not null); nested exception is org.postgresql.util.PSQLException: ERROR: type "varchar_ignorecase" does not exist
  Position: 29
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:640) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	... 26 common frames omitted
Caused by: org.springframework.jdbc.datasource.init.ScriptStatementFailedException: Failed to execute SQL script statement #1 of class path resource [org/springframework/security/core/userdetails/jdbc/users.ddl]: create table users(username varchar_ignorecase(50) not null primary key,password varchar_ignorecase(500) not null,enabled boolean not null); nested exception is org.postgresql.util.PSQLException: ERROR: type "varchar_ignorecase" does not exist
  Position: 29
	at org.springframework.jdbc.datasource.init.ScriptUtils.executeSqlScript(ScriptUtils.java:626) ~[spring-jdbc-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.jdbc.datasource.init.ResourceDatabasePopulator.populate(ResourceDatabasePopulator.java:254) ~[spring-jdbc-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.jdbc.datasource.init.DatabasePopulatorUtils.execute(DatabasePopulatorUtils.java:49) ~[spring-jdbc-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.jdbc.datasource.init.DataSourceInitializer.execute(DataSourceInitializer.java:111) ~[spring-jdbc-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.jdbc.datasource.init.DataSourceInitializer.afterPropertiesSet(DataSourceInitializer.java:96) ~[spring-jdbc-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.authentication.configurers.provisioning.JdbcUserDetailsManagerConfigurer.initUserDetailsService(JdbcUserDetailsManagerConfigurer.java:158) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.authentication.configurers.userdetails.UserDetailsServiceConfigurer.configure(UserDetailsServiceConfigurer.java:47) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.authentication.configurers.userdetails.UserDetailsServiceConfigurer.configure(UserDetailsServiceConfigurer.java:34) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:383) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:329) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration.getAuthenticationManager(AuthenticationConfiguration.java:118) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.authenticationManager(WebSecurityConfigurerAdapter.java:269) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:201) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:322) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:92) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at com.tacticamz.javaflux.security.SecurityConfiguration$$EnhancerBySpringCGLIB$$7c10f633.init(<generated>) ~[classes/:na]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:370) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:324) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:104) ~[spring-security-config-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:564) ~[na:na]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	... 27 common frames omitted
Caused by: org.postgresql.util.PSQLException: ERROR: type "varchar_ignorecase" does not exist
  Position: 29
	at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2497) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2233) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:310) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:446) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:370) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java:311) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.jdbc.PgStatement.executeCachedSql(PgStatement.java:297) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java:274) ~[postgresql-42.2.8.jar:42.2.8]
	at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:269) ~[postgresql-42.2.8.jar:42.2.8]
	at com.zaxxer.hikari.pool.ProxyStatement.execute(ProxyStatement.java:95) ~[HikariCP-3.4.1.jar:na]
	at com.zaxxer.hikari.pool.HikariProxyStatement.execute(HikariProxyStatement.java) ~[HikariCP-3.4.1.jar:na]
	at org.springframework.jdbc.datasource.init.ScriptUtils.executeSqlScript(ScriptUtils.java:605) ~[spring-jdbc-5.2.0.RELEASE.jar:5.2.0.RELEASE]
	... 52 common frames omitted

Please see repository: https://github.com/walid-haider/vaadin-authentication/tree/master

Thanking you in anticipation

Regards, Walid

Mark HM

Did you see this one: https://stackoverflow.com/questions/24174884/spring-security-jdbc-authentication-default-schema-error-when-using-postgresql/24199925#24199925...?

Cause the default schema is not suitable for PostgreSQL, you need to create your own schema and implement own query for user and authority query.

Best, Mark

Walid Haider

Hi Mark,

Thanks for the tip - much appreciated!

I am not getting the error anymore, but I am still at a loss with regards to completing the implementation. Could you please have a look at my repository so as to point me in the right direction.

Regards, Walid

Mark HM

It seems there are quite a few other steps you need to take before you are ready for PostgreSQL integration.

The files in your repository are not organised according to Maven directory convention, which means the project will not run from the command line.

I suggest:

Study the proper Maven setup and organise your project accordingly;
Ensure your project works without security from the command line;
Implement an example with In-Memory Authentication;
When this works, extend your project to include PostgreSQL integration.

Good luck. 👍🏻

Walid Haider

Hi Mark,

Once again, thanks for the swift response.

I have managed to get to the In-Memory Authentication example (please see repository).

From this point what would I need to do, in order to include PostgreSQL integration?

After logging in:

Thanks and regards, Walid

51E51BEF-CAB1-46E9-8050-5FBC06545849_4_5005_c.jpeg (13.9 kB)

Mark HM

Hi Walid,

I don't understand why you made your last changes in a separate branch. Does it not make more sense to consolidate everything in the main branch...?

It seems there are really many examples available around what you're trying to achieve: https://www.google.com/search?q=spring+security+postgresql+example&oq=spring+security+postgresql+example&aqs=chrome..69i57.10316j0j1&sourceid=chrome&ie=UTF-8

I recommend you to be very specific regarding your problem and the steps you have already taken to address. I do not have the time to guess what your current problem is and to fix it for you. I suggest that you use stackoverflow.com to find help.

This document provides valuable guidance on formulating your question when asking for help: http://www.catb.org/~esr/faqs/smart-questions.html.

Good luck...!

Best, Mark

Håkan Arvidsson

Hi Paul,

and thank you for this tutorial focusing on the important aspect of security.

Though I haven't been able to find out how to accomplish a logout. I see, that the logout url is configured in SecurityConfiguration.configure(HttpSecurity http), but how can a logout be invoked?

I think i've found the solution adding a method in SecureUtils:

public static void logout() {
	Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
	authentication.setAuthenticated(false);
}

In the Bakery App navigating back to the login/logout page is accomplished with: UI.getCurrent().getPage().executeJavaScript("location.assign('logout')");

I am new to Vaadin 10+ and ask myself if this is the proper way to navigate.

Paul Römer

Hi Håkan,

honestly I always prefer using a simple link to /logout instead of using the UI object to navigate:

Element logoutLink = ElementFactory.createAnchor("logout", "Logout");
// use Element API to add the link
getElement().appendChild(logoutLink);

The problem is that the logout view is unknown to Vaadin as it is an endpoint provided by Spring Security. As Vaadin does not know the view it prevents you from using the typical UI.navigate() methods. And that is why the Bakery is using this ugly hack and executes some JS function to load the logout page.

So, yes. If you want to use the UI to navigate because you want to handle a click event of some button, use the method Bakery uses. If you want to simplify things, use the simple link. It also avoids additional roundtrips.

Cheers, Paul

Lars

Hi Hakan,

thanks for this little hack. It seem the anchor solution doesn't work on v15.

Tim Cassidy

A few things

Is this updated for the latest Spring Boot versions?
What are the overrides in SecurityConfiguration? Please include the entire class. I found that SecurityConfiguration extends WebSecurityConfigurerAdapter here: https://github.com/vaadin-learning-center/spring-secured-vaadin/blob/login-overlay-form-custom-servlet-context/src/main/java/org/vaadin/paul/spring/app/security/SecurityConfiguration.java

Paul Römer

Hi Tim,

sometimes the tutorial introduction desyncs with the corresponding repository. But the source of truth is the repo: https://github.com/vaadin-learning-center/spring-secured-vaadin

The master branch contains the Spring Security configuration all examples in the repository branches share. And right now, it is

Vaadin 14.1.1 and Spring Boot 2.2.0

I disagree with putting whole class into the tutorial. You would loose the overview quite fast. But I will add a note that we are extending from WebSecurityConfigurerAdapter

Cheers, Paul

Michel Riondel

Hi Paul

I looked at the GitHub Code and wondered about the maven dependencies. There are some entries pointing to prerelease features. Is that necessary? Or can I assume that just the released versions are required?

Thank you for the clarification. Cheers Michel

Paul Römer

Hey Michel,

looks like some updates are needed, indeed. It's from the base project I started my tutorial series with. But we are not using any pre-release stuff. Just stable Vaadin and Spring versions. No need to worry!

Cheers, Paul

Mark HM

Hi Paul, thank you for this tutorial.

Could you explain which modifications are necessary in case of a custom url mapping...?

vaadin.urlMapping=/app/*

Best, Mark

Paul Römer

Hey Mark,

I played around with the URL mapping and I came to the conclusion that using server.servlet.context-path=/app makes much more sense and works :)

But, I am also puzzled why we suggest using vaadin.urlMapping in our documentation especially in the Spring part. If you set it, Spring is confused because it does not know anything about the context change of the Vaadin webapp and the redirect to /login fails. If you use both, it also fails for the same reason. Spring only knows about /app but Vaadin knows about both and ends up with /app/app.

I made an example: https://github.com/vaadin-learning-center/spring-secured-vaadin/tree/login-overlay-form-custom-servlet-context

Cheers, Paul

Mark HM

Hi Paul,

Thank you for looking into this.

It has become less important for me to deploy my application on a separate context, since I've noticed that self-defined controllers (e.g. for preparing JSON data) have priority over the main Vaadin servlet. But still, this is a valuable addition to your Spring Security tutorial.

Best, Mark

Marat Kazgozhin

Hello, thanks for good explanation!

I'd like to ask a question, about isFrameworkInternalRequest.

While using @Push through web-app, would it better to use the RequestMatcher with isFrameworkInternalRequest within the configure(web: WebSecurity) instead configure(http: HttpSecurity), to make sure that framework internal requests will not be handled by security filters?

Paul Römer

Hmm... Marat,

I have to think about it. Push wasn't on my list, yet, but it feels like I have to think about it.

Thanks for the hint. I will ping you back,

Paul

Paul Römer

Hey Marat,

sorry for the late response. Let's call this comment a Santa Claus present.

I investigated a bit and it was quite easy to get server side push to work without the need to alter the security configuration at all. Check this example: https://github.com/vaadin-learning-center/spring-secured-vaadin/tree/server-push

So, to other your question: It is not needed to exclude the internal requests from the security filter chain. It likely would kill the application as you would have to handle requests with non-initalized security context.

Cheers, Paul

Ted Pricer

Great article - serves as the basis for my products config.

I noticed that ignoring "/VAADIN/**" Has the side effect of making the security context unavailable to requests triggered by Upload event (and I would suspect others too). I found that moving it to configure(HttpSecurity) with .antMatchers("/VAADIN/**").permitAll() works.

uros kristan

Ted Pricer: configure(HttpSecurity) with .antMatchers("/VAADIN/**").permitAll()

I have exactly the same problem. And I am using spring 5.

Paul Römer

True, you both are right.

If you need the security context available in the upload listeners then you will have to adjust the security configuration as you have done. Of course, the side-effect is that all requests to /VAADIN are handled by the filter chain now.

I added an example: https://github.com/vaadin-learning-center/spring-secured-vaadin/tree/login-overlay-form-authenticated-upload

Abel Haman

Hello,

I like your tutorial but I'm also desperating :-). I'm migrating an existing Vaadin 8 application with Spring Security to Vaadin 14. Each click on a button causes the lost of connection to the server (Server connection lost, trying to reconnect...). What else do I miss in the configuration? I have followed the instructions of this tutorial. In the background, the post-request is sent every second resulting in the following aoutput:

POST http://localhost:8080/app/?v-r=uidl&v-uiId=4 405
POST http://localhost:8080/app/?v-r=uidl&v-uiId=4 405

I hope you can help me solving this problem.

This is how my Web Security configuration looks like:

@EnableWebSecurity
  @Configuration  
  public static class StaffConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {      
      http.csrf().disable();
      http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
      .accessDeniedPage("/403");
      http.requestCache().requestCache(new CustomRequestCache())
      .and().authorizeRequests()
      .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()

      // Allow all requests by logged in users.
      .antMatchers("/vaadinServlet/UIDL/**").permitAll()
      .antMatchers("/vaadinServlet/VAADIN/**").permitAll()
      .antMatchers("/VAADIN/**").permitAll()
      .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
      .antMatchers("/cmws/**").permitAll()
      .antMatchers("/uuid/**").permitAll()
      .antMatchers("/authenticate/**").permitAll()
      .antMatchers("/mui/**").permitAll()
      .and().authorizeRequests()
      .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()      
      .anyRequest().authenticated();      
      http.httpBasic().disable();
      http.formLogin().disable();
      http.logout().invalidateHttpSession(true);
      http.addFilterAfter(developmentCasMockFilter(), LogoutFilter.class);
      http.addFilterBefore(singleLogoutFilter(), CasAuthenticationFilter.class);      
      http.addFilter(casAuthenticationFilter());
      http.addFilterBefore(requestLogoutFilter(), LogoutFilter.class);
      http.sessionManagement().sessionAuthenticationStrategy(sessionAuthenticationStrategy());   
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
      web.ignoring().antMatchers(
          // Vaadin Flow static resources //
          "/VAADIN/**");
      /*
       * ,
       *
       * // the standard favicon URI "/favicon.ico",
       *
       * // web application manifest // "/manifest.webmanifest", "/sw.js", // "/offline-page.html",
       *
       * // (development mode) static resources // "/frontend/**",
       *
       * // (development mode) webjars // "/webjars/**",
       *
       * // (production mode) static resources // "/frontend-es5/**", "/frontend-es6/**");
       */
    }


 // beans definitions ...
}

Thank you and kind regards!

Centurion Dobrius

Because of various problems, I decided to start from scratch with mz Vaadin 7 project..

Sara Fabris

Hello, i'm Sara. In our web-application we use Vaadin 7. This point of discussion Third, we will add a Vaadin aware Spring Security configuration via the SecurityConfiguration class that uses some helpers you can check in the sources. is a problem that occurs only with VAADIN 14 or even in VAADIN 7-8?

Thank you and kind regards!

Paul Römer

Hey Sara,

this tutorial series is only about Vaadin 14 and not Vaadin 7. Parts of it might be valid for Vaadin 7, but I never tried it.

What might help you is a blog post created by Petter: https://vaadin.com/blog/filter-based-spring-security-in-vaadin-applications in 2016.

Cheers, Paul

Paul Römer

I got some feedback pointing me to the lack of an explanation of the actual authentication providers / user details providers.

Will be added soonish :)

Thanks to Kaspar

Daniel Schumacher

Hi Paul!

This kind of explanation is exactly what I am looking for. Can you please tell me if there is already an article about that topic?

The whole tutorial is very good so far!

Thanks an kind regards Daniel

Paul Römer

Hi Daniel,

thanks for the positive feedback!

Unfortunately, I prioritized other articles over that one. But if there is some time left I will spend the Friday to create a new tutorial about the providers.

Cheers, Paul

Marcin Jankiewicz

Great and very helpful article, thank you for that! One question thought, how can I add access to few Views to all(anonymous) users?

Paul Römer

Hi Marcin,

there is an upcoming article about fine grained access control to the views. Right now the example is about to differ between "normal" users and administrators. But I can add a section about making the webapp partially accessible to all users and just secure parts of it.

Paul Römer

Hey guys,

I noticed a security issue in this tutorial. You might have noticed the warning in the beginning. Please check the Secure Router Navigation section if you are affected.

My apologies!

sudipta roy

Hello, Thanks for the tutorial. I have done the steps mentioned in the article. But now it says "http://localhost:8080 is requesting your username and password. The site says: “Realm".

Paul Römer

Hey Roy,

sounds like Spring Security's auto configuration jumps in. Can you check if you have some output on the command line about temporary credentials?

But that means that your security configuration wasn't found/ignored for some reason. Did you use the code from the repository or did you create a project from scratch?

Cheers, Paul

Setting up Spring Security for Vaadin applications

Enable Spring Security

Secure Router Navigation

Comments (48)

Download Modern Web App Development Guide