
I've been trying to set up a project with Vaadin 23 and Spring Boot, but I have trouble setting up the security and authentication. I can provide more of the code if needed. There are 3 types of users: Admin, Client, Chef, but I don't know what is missing.

There is an AuthService in charge of getting a user by mail. Project in: https://github.com/NachoEstevo/homecooking/tree/master/src

The main issue is that since the securityConfig class and SecurityUtils class have been created, the app has issues talking to the frontend.

import javax.annotation.Resource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurityConfigurerAdapter {

    // AuthService implements UserDetailsService and loads users by mail.
    @Resource(name = "authService")
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Vaadin's default rules (static resources, internal requests, CSRF handling).
        super.configure(http);
        // Unauthenticated users are redirected to this view.
        setLoginView(http, PreLoginView.class);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Images are served without going through the security filter chain.
        web.ignoring().antMatchers("/images/**");
        super.configure(web);
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Test user with a plain-text ({noop}) password and the CLIENT role.
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}userpass").roles("CLIENT");
    }

    @Bean
    public DaoAuthenticationProvider createDaoAuthenticationProvider() {
        // Authenticates against users loaded by AuthService, comparing BCrypt hashes.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }
}
import java.util.Arrays;
import java.util.List;
import java.util.stream.Stream;

import javax.servlet.http.HttpServletRequest;

import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

import com.vaadin.flow.server.HandlerHelper;
import com.vaadin.flow.shared.ApplicationConstants;

public class SecurityUtils {

    private static final String LOGOUT_SUCCESS_URL = "/";

    // True only for a real, non-anonymous, authenticated principal.
    static boolean isUserLoggedIn() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null
                && !(authentication instanceof AnonymousAuthenticationToken)
                && authentication.isAuthenticated();
    }

    // Vaadin's own client-server traffic carries a request-type parameter;
    // such requests must not be redirected to the login view.
    static boolean isFrameworkInternalRequest(HttpServletRequest request) {
        final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
        return parameterValue != null
                && Stream.of(HandlerHelper.RequestType.values())
                         .anyMatch(r -> r.getIdentifier().equals(parameterValue));
    }

    // Checks the view class for Spring's @Secured annotation.
    public static boolean isAccessGranted(Class<?> securedClass) {
        // Allow if no roles are required.
        Secured secured = AnnotationUtils.findAnnotation(securedClass, Secured.class);
        if (secured == null) {
            return true;
        }

        // Deny when there is no authentication at all (avoids a NullPointerException).
        Authentication userAuthentication = SecurityContextHolder.getContext().getAuthentication();
        if (userAuthentication == null) {
            return false;
        }

        // Look up the required roles among the user's granted authorities.
        List<String> allowedRoles = Arrays.asList(secured.value());
        return userAuthentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(allowedRoles::contains);
    }

    public static UserDetails getAuthenticatedUser() {
        SecurityContext context = SecurityContextHolder.getContext();
        Authentication authentication = context.getAuthentication();
        if (authentication != null && authentication.getPrincipal() instanceof UserDetails) {
            return (UserDetails) authentication.getPrincipal();
        }
        // Anonymous or no authentication.
        return null;
    }
}

1 Answer

Judging from your provided code snippets, you are using Spring's @Secured annotation. Vaadin's (Spring) Security support only recognizes @com.vaadin.flow.server.auth.AnonymousAllowed, @javax.annotation.security.PermitAll, @javax.annotation.security.RolesAllowed and @javax.annotation.security.DenyAll. And without any recognized annotation, the default is to deny access to a view. See the official documentation.

Frettman
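To illustrate the annotations the answer lists, here is a set of Vaadin 23 views using the ones Vaadin's view access checker actually evaluates. This is example code written for this page, not code from the question's repository or from the answer; the package name, route paths, view bodies and role names (ADMIN, CHEF) are assumptions chosen to match the three user types in the question.

```java
// Added example: views annotated so that Vaadin's view-level access check
// (the one enabled by VaadinWebSecurityConfigurerAdapter) can evaluate them.
// Package, routes and view contents are hypothetical.
package com.example.security;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

import com.vaadin.flow.component.html.H1;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.auth.AnonymousAllowed;

// The login entry point must be reachable without a session; otherwise
// every unauthenticated visitor is redirected to a view they cannot open.
@Route("login")
@AnonymousAllowed
public class PreLoginView extends VerticalLayout {
    public PreLoginView() {
        add(new H1("Please log in"));
    }
}

// Any authenticated user, whatever their role (Admin, Client or Chef).
@Route("home")
@PermitAll
class HomeView extends VerticalLayout {
    HomeView() {
        add(new H1("Welcome"));
    }
}

// Restricted to one role. The value is compared without the "ROLE_" prefix:
// a user created with .roles("ADMIN") (authority "ROLE_ADMIN") passes here.
@Route("admin")
@RolesAllowed("ADMIN")
class AdminView extends VerticalLayout {
    AdminView() {
        add(new H1("Administration"));
    }
}

// Several roles may be listed; any one of them grants access.
@Route("kitchen")
@RolesAllowed({"CHEF", "ADMIN"})
class ChefView extends VerticalLayout {
    ChefView() {
        add(new H1("Kitchen orders"));
    }
}

// Explicitly closed. A view with no recognized annotation at all behaves
// the same way: Vaadin denies access by default.
@Route("maintenance")
@DenyAll
class MaintenanceView extends VerticalLayout {
    MaintenanceView() {
        add(new H1("Not available"));
    }
}
```

A view that still carries only Spring's @Secured (as in the question's SecurityUtils.isAccessGranted) falls into the "no recognized annotation" case and is denied, which matches the symptom of the app no longer reaching its views. With @RolesAllowed in place, the in-memory user from the question, created with .roles("CLIENT"), would be admitted to a view annotated @RolesAllowed("CLIENT").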