Hello, all,
I have a Java project that uses Vaadin 24.0.3, Spring Boot 3.0.5 and Java 17; you can see the full project at this link.
This is the error that I am getting when trying to implement SecurityConfig class:
Invalid JSON response from server: <!doctype html> window.Vaadin = window.Vaadin || {};window.Vaadin.VaadinLicenseChecker = { maybeCheck: (productInfo) => { }};window.Vaadin.devTools = window.Vaadin.devTools || {};window.Vaadin.devTools.createdCvdlElements = window.Vaadin.devTools.createdCvdlElements || [];window.Vaadin.originalCustomElementDefineFn = window.Vaadin.originalCustomElementDefineFn || window.customElements.define;window.customElements.define = function (tagName, constructor, ...args) {const { cvdlName, version } = constructor;if (cvdlName && version) { const { connectedCallback } = constructor.prototype; constructor.prototype.connectedCallback = function () { window.Vaadin.devTools.createdCvdlElements.push(this); if (connectedCallback) { connectedCallback.call(this); } }}window.Vaadin.originalCustomElementDefineFn.call(this, tagName, constructor, ...args);}; window.Vaadin = window.Vaadin || {};window.Vaadin.ConsoleErrors = window.Vaadin.ConsoleErrors || [];const browserConsoleError = window.console.error.bind(window.console);console.error = (...args) => { browserConsoleError(...args); window.Vaadin.ConsoleErrors.push(args);};window.onerror = (message, source, lineno, colno, error) => {const location=source+':'+lineno+':'+colno;window.Vaadin.ConsoleErrors.push([message, '('+location+')']);};window.addEventListener('unhandledrejection', e => { window.Vaadin.ConsoleErrors.push([e.reason]);}); window.Vaadin = window.Vaadin || {}; window.Vaadin.developmentMode = true; if (!('CSSLayerBlockRule' in window)) { window.location.search='v-r=oldbrowser'; } window.Vaadin = window.Vaadin || {};window.Vaadin.TypeScript= {}; window.JSCompiler_renameProperty = function(a) { return a;} body, #outlet { height: 100vh; width: 100%; margin: 0; } .v-reconnect-dialog,.v-system-error {position: absolute;color: black;background: white;top: 1em;right: 1em;border: 1px solid black;padding: 1em;z-index: 10000;max-width: calc(100vw - 4em);max-height: calc(100vh - 4em);overflow: 
auto;} .v-system-error {color: indianred;pointer-events: auto;} .v-system-error h3, .v-system-error b {color: red;} [hidden] { display: none !important; } window.Vaadin = window.Vaadin || {}; window.Vaadin.registrations = window.Vaadin.registrations || []; window.Vaadin.registrations.push({"is":"flow/SpringInstantiator","version":"24.0.3"},{"is":"routing/server","version":"24.0.3"},{"is":"flow/app-dev-bundle","version":"24.0.3"},{"is":"java","version":"17.0.5"});
If I comment out the call "setLoginView(http, LoginView.class)", I am able to get to my login view page, but none of my routes work as expected: clicking on them doesn't work and I am greeted with the following error message each time:
Could not navigate to 'main'
Available routes:
admin_panel
cinemas
confirmation/:___url_parameter (requires parameter)
main
projections
registration
tickets
This detailed message is only shown when running in development mode.
This is the SecurityConfig class:

package com.finals.cinema.security;

import com.finals.cinema.view.LoginView;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Delegating the responsibility of general configurations
        // of http security to the super class. It's configuring
        // the followings: Vaadin's CSRF protection by ignoring
        // framework's internal requests, default request cache,
        // ignoring public views annotated with @AnonymousAllowed,
        // restricting access to other views/endpoints, and enabling
        // ViewAccessChecker authorization.
        // You can add any possible extra configurations of your own
        // here (the following is just an example):
        // http.rememberMe().alwaysRemember(false);

        // Configure your static resources with public access before calling
        // super.configure(HttpSecurity) as it adds final anyRequest matcher
        // http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/*"))
        //         .permitAll();
        super.configure(http);

        // This is important to register your login view to the
        // view access checker mechanism:
        // setLoginView(http, LoginView.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Customize your WebSecurity configuration.
        super.configure(web);
    }

    /**
     * Demo UserDetailsManager which only provides two hardcoded
     * in memory users and their roles.
     * NOTE: This shouldn't be used in real world applications.
     */
    @Bean
    public UserDetailsManager userDetailsService() {
        UserDetails user =
                User.withUsername("user")
                        .password("{noop}user")
                        .roles("USER")
                        .build();
        UserDetails admin =
                User.withUsername("admin")
                        .password("{noop}admin")
                        .roles("ADMIN")
                        .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
What I have tried so far:
setLoginView(http, LoginView.class);
setLoginView(http, "");
setLoginView(http, "/");
setLoginView(http, MainView.class) - the application works as if there is no security configured and all routes are available publicly, without being logged in.
EDIT: This is the debug log from Spring Security.
2023-06-20T22:53:26.208+03:00 DEBUG 18424 --- [nio-8888-exec-1] o.s.security.web.FilterChainProxy : Secured GET /VAADIN/dev-bundle/VAADIN/build/FlowClient-e0ae8105.js
2023-06-20T22:53:26.289+03:00 DEBUG 18424 --- [nio-8888-exec-2] o.s.security.web.FilterChainProxy : Securing GET /VAADIN/themes/flowcrmtutorial/styles.css
2023-06-20T22:53:26.289+03:00 DEBUG 18424 --- [nio-8888-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-06-20T22:53:26.290+03:00 DEBUG 18424 --- [nio-8888-exec-2] o.s.security.web.FilterChainProxy : Secured GET /VAADIN/themes/flowcrmtutorial/styles.css
2023-06-20T22:53:26.297+03:00 DEBUG 18424 --- [nio-8888-exec-4] o.s.security.web.FilterChainProxy : Securing POST /?v-r=uidl&v-uiId=3
2023-06-20T22:53:26.444+03:00 DEBUG 18424 --- [nio-8888-exec-4] o.s.s.a.dao.DaoAuthenticationProvider : Failed to find user ''
2023-06-20T22:53:26.446+03:00 DEBUG 18424 --- [nio-8888-exec-4] o.s.s.web.DefaultRedirectStrategy : Redirecting to /?error
2023-06-20T22:53:26.450+03:00 DEBUG 18424 --- [nio-8888-exec-5] o.s.security.web.FilterChainProxy : Securing GET /?error
2023-06-20T22:53:26.450+03:00 DEBUG 18424 --- [nio-8888-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-06-20T22:53:26.450+03:00 DEBUG 18424 --- [nio-8888-exec-5] o.s.security.web.FilterChainProxy : Secured GET /?error
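One way to read the debug log above mechanically, as an added example that is not part of the original post: the script groups Spring Security debug lines by worker thread and reports Vaadin framework requests (those with a `v-r` query parameter) for which an AuthenticationProvider ran. The function names are hypothetical; the log lines are copied from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Debug lines copied from the log in the post above.
LOG = """
2023-06-20T22:53:26.289+03:00 DEBUG 18424 --- [nio-8888-exec-2] o.s.security.web.FilterChainProxy : Securing GET /VAADIN/themes/flowcrmtutorial/styles.css
2023-06-20T22:53:26.289+03:00 DEBUG 18424 --- [nio-8888-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-06-20T22:53:26.290+03:00 DEBUG 18424 --- [nio-8888-exec-2] o.s.security.web.FilterChainProxy : Secured GET /VAADIN/themes/flowcrmtutorial/styles.css
2023-06-20T22:53:26.297+03:00 DEBUG 18424 --- [nio-8888-exec-4] o.s.security.web.FilterChainProxy : Securing POST /?v-r=uidl&v-uiId=3
2023-06-20T22:53:26.444+03:00 DEBUG 18424 --- [nio-8888-exec-4] o.s.s.a.dao.DaoAuthenticationProvider : Failed to find user ''
2023-06-20T22:53:26.446+03:00 DEBUG 18424 --- [nio-8888-exec-4] o.s.s.web.DefaultRedirectStrategy : Redirecting to /?error
2023-06-20T22:53:26.450+03:00 DEBUG 18424 --- [nio-8888-exec-5] o.s.security.web.FilterChainProxy : Securing GET /?error
2023-06-20T22:53:26.450+03:00 DEBUG 18424 --- [nio-8888-exec-5] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2023-06-20T22:53:26.450+03:00 DEBUG 18424 --- [nio-8888-exec-5] o.s.security.web.FilterChainProxy : Secured GET /?error
"""

LINE = re.compile(r"^\S+\s+\w+\s+\d+\s+---\s+\[([^\]]+)\]\s+(\S+)\s+:\s+(.*)$")
START = re.compile(r"^Securing (\w+) (\S+)$")

def trace_requests(log_text):
    """Group lines by worker thread into one trace per 'Securing ...' request."""
    current, traces = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, logger, msg = m.groups()
        start = START.match(msg)
        if start:
            current[thread] = {"method": start[1], "url": start[2],
                               "auth_attempt": False, "redirect": None}
            traces.append(current[thread])
        elif thread in current:
            trace = current[thread]
            if logger.endswith("AuthenticationProvider"):
                trace["auth_attempt"] = True   # a credential check ran for this request
            elif msg.startswith("Redirecting to "):
                trace["redirect"] = msg[len("Redirecting to "):]
            elif msg.startswith("Secured "):
                del current[thread]            # request passed the filter chain
    return traces

def framework_requests_treated_as_login(traces):
    """Vaadin's own requests carry a v-r parameter; flag any that hit a credential check."""
    return [t for t in traces
            if "v-r" in parse_qs(urlsplit(t["url"]).query) and t["auth_attempt"]]

if __name__ == "__main__":
    for hit in framework_requests_treated_as_login(trace_requests(LOG)):
        print(f"{hit['method']} {hit['url']} -> login attempt, redirect {hit['redirect']}")
```

On this log the script reports the single `POST /?v-r=uidl&v-uiId=3` request: the credential check and the redirect to `/?error` were logged on the same worker thread as that UIDL request.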