I am developing my spring boot app which is protected by spring security. Here is part of secured config:
@Override
public void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
// .csrf().ignoringAntMatchers("/dashboard")
// .and()
.httpBasic()
.and()
.headers().frameOptions().disable()
.and()
.antMatcher("/**").authorizeRequests()
.antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority(Authority.Type.ROLE_ADMIN.getName())
.antMatchers("/", "/login**", "/index.html", "/home.html").permitAll()
.and()
.logout().logoutSuccessUrl("/").permitAll()
.and()
.csrf().csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
.addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
// @formatter:on
}
I am going to implement some admin dashboard to manage my app using VAADIN. I have read that "Disable CSRF-protection in either Spring or Vaadin. If you have both turned on, your application will not work.".
In my case I need to disable CSRF-protection in Vaadin, but I could not find how can I do it using Java config.
For this moment I am getting: https://127.0.0.1:8443/vaadinServlet/UIDL/?v-wsver=7.5.5&v-uiId=0 "Communication error: UIDL could not be read from server. Check servlets mappings. Error code: 403", during navigation from the main view to other views. (e.g: /dashboard#!myview). This because AccessDeniedHandlerImpl handle method is invoked. I have try to fix this using following statements but it doesn't help:
.antMatchers("/vaadinServlet/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
So, please help me to solve this two issues:
- Disable CSRF in VAADIN using java config.
- Solve problem with view navigation.
Thanks
