Spring Security and VAADIN


I am developing my Spring Boot app, which is protected by Spring Security. Here is part of the security config:

```java
@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
       // .csrf().ignoringAntMatchers("/dashboard")
       // .and()
        .httpBasic()
        .and()
            .headers().frameOptions().disable()
        .and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**").permitAll()
            .antMatchers("/vaadinServlet/UIDL/**").permitAll()
            .antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
            .antMatchers("/actuator/health").permitAll()
            .antMatchers("/actuator/**").hasAuthority(Authority.Type.ROLE_ADMIN.getName())
            .antMatchers("/", "/login**", "/index.html", "/home.html").permitAll()
        .and()
            .logout().logoutSuccessUrl("/").permitAll()
        .and()
            .csrf().csrfTokenRepository(csrfTokenRepository())
        .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
    // @formatter:on
}
```

I am going to implement an admin dashboard to manage my app using VAADIN. I have read that "Disable CSRF-protection in either Spring or Vaadin. If you have both turned on, your application will not work."

In my case I need to disable CSRF-protection in Vaadin, but I could not find how to do it using Java config.

At the moment I am getting: https://127.0.0.1:8443/vaadinServlet/UIDL/?v-wsver=7.5.5&v-uiId=0 "Communication error: UIDL could not be read from server. Check servlets mappings. Error code: 403" during navigation from the main view to other views (e.g. /dashboard#!myview). This is because the AccessDeniedHandlerImpl handle method is invoked. I have tried to fix this using the following statements, but it doesn't help:

```java
.antMatchers("/vaadinServlet/UIDL/**").permitAll()
.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
```

So, please help me to solve these two issues:

  1. Disable CSRF in VAADIN using Java config.
  2. Solve the problem with view navigation.

Thanks

1
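The 403 described in the question is delivered through the `AccessDeniedHandler`, which is exactly how Spring Security's `CsrfFilter` rejects a POST that carries no Spring CSRF token; Vaadin's UIDL and heartbeat calls are POSTs that carry Vaadin's own XSRF token instead. `permitAll()` does not help there, because it is an authorization decision made in `FilterSecurityInterceptor`, which runs after `CsrfFilter`. The following is an added example, not the asker's code or anything from the Vaadin4Spring sample: instead of switching either CSRF mechanism off globally, it keeps Spring's CSRF filter for the rest of the application and exempts only Vaadin's own request paths from it. It assumes Spring Security 4.x (`WebSecurityConfigurerAdapter`, `ignoringAntMatchers`) and the Vaadin servlet mapped at `/vaadinServlet/*`; the class name `DashboardSecurityConfig` is made up for the example.

```java
// Added example, not the question's own configuration. Assumes Spring Security 4.x and
// a Vaadin 7 servlet mapped at /vaadinServlet/* (both assumptions of this example).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class DashboardSecurityConfig extends WebSecurityConfigurerAdapter {

    // Paths the Vaadin servlet uses for its own client/server traffic. These requests are
    // POSTs protected by Vaadin's own XSRF token, so Spring's CsrfFilter would otherwise
    // reject them with 403 through the AccessDeniedHandler.
    private static final String[] VAADIN_INTERNAL = {
        "/vaadinServlet/UIDL/**",
        "/vaadinServlet/HEARTBEAT/**",
        "/vaadinServlet/PUSH/**"
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Exempt only Vaadin's own endpoints from Spring's CSRF check. Every other
                // state-changing request (REST endpoints, logout, actuator) still needs
                // Spring's token, so the rest of the app keeps its protection.
                .ignoringAntMatchers(VAADIN_INTERNAL)
            .and()
            .authorizeRequests()
                // Static Vaadin resources (widgetset, themes) may be served anonymously.
                .antMatchers("/VAADIN/**").permitAll()
                // Note: permitAll() is evaluated in FilterSecurityInterceptor, after
                // CsrfFilter has already run; it never bypasses the CSRF check on its own.
                .antMatchers("/actuator/health").permitAll()
                // The dashboard's UIDL/heartbeat traffic rides on the authenticated session:
                // a CSRF exemption is not the same as allowing anonymous access.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

With this configuration Vaadin's own XSRF check stays enabled, so UIDL requests are still validated, just by Vaadin rather than by Spring. The opposite choice (turning off Vaadin's check via its servlet init parameter and keeping Spring's filter on every path) is what the quoted advice describes; whichever side is chosen, only one of the two checks should be removed for the Vaadin paths, never both.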

There is 1 answer

0
Hutsul (BEST ANSWER)

To fix the above issues, I have decided to divide my project into two modules. The first is the API app, which has its own security configuration. The second is the Dashboard, which has Spring Security integrated with Vaadin4Spring based on this sample.