0

In my Vaadin application, I'd like to secure some pages using spring security. Logging in and out functionalities do work all fine but what I want is that when the vaadin application starts, he should still be able to access to "registration view class". For this, I use the following Security Configuration class.

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

private static final String LOGIN_PROCESSING_URL = "/login";
private static final String LOGIN_FAILURE_URL = "/login?error";
private static final String LOGOUT_SUCCESS_URL = "/login";

/**
 * Require login to access internal pages and configure login form.
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Not using Spring CSRF here to be able to use plain HTML for the login page
            http.csrf().disable()

                    // Register our CustomRequestCache, that saves unauthorized access attempts, so
                    // the user is redirected after login.
                    .requestCache().requestCache(new CustomRequestCache())

                    // Restrict access to our application.
                    .and().authorizeRequests()
                    .antMatchers("/", "/VAADIN/**", "/HEARTBEAT/**", "/UIDL/**", "/resources/**"
                            , "/registration", "registration", "/login/**", "/manifest.json", "/icons/**", "/images/**",
                            // (development mode) static resources
                            "/frontend/**",
                            // (production mode) static resources
                            "/frontend-es5/**", "/frontend-es6/**").anonymous()

                    // Allow all flow internal requests.
                    .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()

                    // Allow all requests by logged in users.
                    .anyRequest().authenticated()
                                
                    // Configure the login page.
                    .and().formLogin().loginPage(LOGIN_PROCESSING_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
                    .failureUrl(LOGIN_FAILURE_URL)

                    // Configure logout
                    .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
}

And my RegistrationView class looks as follows

@Route(value = "registration", layout = MainView.class)
@RouteAlias(value = "registration", layout = MainView.class)
@CssImport("./styles/views/login/registration.css")
public class Registration extends Div {

private static final long serialVersionUID = -1223086666624645746L;

private TextField username;

private TextField email;

private PasswordField password;

private PasswordField password2;

private Button userRegistrationSubmitButton;

With the current schema, whatever I do, I'm just redirected to login page as soon as I start my application. How could I solve this? Thanks in advance..

Ahmet Eroğlu
  • 594
  • 1
  • 7
  • 23
  • I'm not that familiar with Vaadin, so I'm not sure how Registration maps to a URL. What URL do you request that triggers the redirect? – Rob Winch Oct 20 '20 at 14:49
  • @RobWinch Hi Rob, thx a lot for the answer, can you pls eleborate on that ? I didn't quite get what you mean :/ Thx in advance! – Ahmet Eroğlu Oct 20 '20 at 14:53

2 Answers2

2

This is not exactly a duplicate, but it has the same answer as https://stackoverflow.com/a/57557321/2376954.

The core of it is that you cannot use the path based checks used by Spring Security to secure Vaadin views that are loaded as single-page application.

Leif Åstrand
  • 7,820
  • 13
  • 19
1

For those of you, who will come here in some future time. Don't worry I got your back bro. I found a solution to this(lol). Basically,whoever is dealing with this vaadin and spring security applications, will know that in addition to these Security Configuration and Custom Request Cache classes, you will have ConfigureUIServerInitListener class as well, based on the tutorial you follow. There with a small trick we can restrict the access using an authentication check. So please add the following class if you still dont have it.

@Component
public class ConfigureUIServiceInitListener implements VaadinServiceInitListener {

/**
 * 
 */
private static final long serialVersionUID = 1L;

@Override
public void serviceInit(ServiceInitEvent event) {
    event.getSource().addUIInitListener(uiEvent -> {
        final UI ui = uiEvent.getUI();
        ui.addBeforeEnterListener(this::beforeEnter);
    });
}

/**
 * Reroutes the user if (s)he is not authorized to access the view.
 *
 * @param event
 *            before navigation event with event details
 */
private void beforeEnter(BeforeEnterEvent event) {
    if (AboutView.class.equals(event.getNavigationTarget())
        && !SecurityUtils.isUserLoggedIn()) {
        event.rerouteTo(Login.class);
    }
}
}

As can be see from the before Enter method, I want AboutView class to be protected by spring security. Then I make the corresponding check. Based on this, you can add other view classes. This way it'll stop you from accessing to certain views without being logged in.

Ahmet Eroğlu
  • 594
  • 1
  • 7
  • 23