For Vaadin 14, there is documentation which clearly states which Vaadin resources should be added to the config to bypass Spring Security: https://vaadin.com/docs/v14/flow/tutorial/login-and-authentication

    /**
     * Allows access to static resources, bypassing Spring Security.
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(
                // Client-side JS
                "/VAADIN/**",

                // the standard favicon URI
                "/favicon.ico",

                // the robots exclusion standard
                "/robots.txt",

                // web application manifest
                "/manifest.webmanifest",
                "/sw.js",
                "/offline.html",

                // icons and images
                "/icons/**",
                "/images/**",
                "/styles/**",

                // (development mode) H2 debugging console
                "/h2-console/**");
    }

I'm unable to find the same information for Vaadin 24.

This is my current config:

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);

        web.ignoring().requestMatchers(
                "/session-expired",
                "/images/*",
                "/login",
                "/favicon.ico",
                "/favicon-notification.ico",
                "/offline.html",
                "/offline-stub.html",
                "/sw-runtime-resources-precache.js",
                "/robots.txt");
    }

What else should be added for the proper functioning of Vaadin 24? Do I need to add anything else there, like for example:

    "/VAADIN/**",
    "/sw.js",

or something else?

alexanoid

2 Answers

You can extend the VaadinWebSecurity class that sets the required rules for a Vaadin application.

https://vaadin.com/docs/latest/security/enabling-security/#security-configuration-class

If you for some reason can't extend it, take a look at the code to see what is configured.

Marco C

You should wrap your paths in AntPathRequestMatcher objects. This is my working configuration for Vaadin 24 Flow:

    /**
     * @see VaadinWebSecurity#configure(HttpSecurity)
     */
    @Override
    protected void configure(@NotNull final HttpSecurity http) throws Exception {
        http.authorizeHttpRequests().requestMatchers(
                // Client-side JS
                new AntPathRequestMatcher("/VAADIN/**"),

                // the standard favicon URI
                new AntPathRequestMatcher("/favicon.ico"),

                // the robots exclusion standard
                new AntPathRequestMatcher("/robots.txt"),

                // web application manifest
                new AntPathRequestMatcher("/manifest.webmanifest"),
                new AntPathRequestMatcher("/sw.js"),
                new AntPathRequestMatcher("/offline.html"),

                // icons and images
                new AntPathRequestMatcher("/icons/**"),
                new AntPathRequestMatcher("/images/**"),
                new AntPathRequestMatcher("/styles/**"),

                // (development mode) H2 debugging console
                new AntPathRequestMatcher("/h2-console/**")
        ).permitAll();

        super.configure(http);

        setLoginView(http, LoginView.class, LOGOUT_URL);
    }

McPringle

Thank you! Please also pay attention to the following document: https://vaadin.com/docs/v23/upgrading/essential-steps/#update-spring-security The Vaadin team mentioned that 2 other resources should be added there: "/offline-stub.html", "/sw-runtime-resources-precache.js". – alexanoid Apr 30 '23 at 07:49
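Putting the two answers together, the following is a complete `VaadinWebSecurity` subclass for Vaadin 24 that permits only the application-specific public paths from the question and leaves the framework's own resources to the superclass. This is an added example, not code from the question, either answer or the Vaadin documentation; `SecurityConfig` is an assumed class name and `LoginView` is assumed to be the application's Flow login route.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only paths that belong to this application are listed here.
        // Vaadin's own resources (/VAADIN/**, service worker, offline pages,
        // manifest, favicon, ...) are already permitted by super.configure(),
        // so repeating them only creates a second list that has to be kept
        // in sync with every Vaadin upgrade.
        //
        // AntPathRequestMatcher is used explicitly (as in McPringle's answer)
        // because both the Vaadin servlet and Spring's DispatcherServlet are
        // registered, which makes plain String patterns ambiguous to
        // Spring Security 6.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(
                        new AntPathRequestMatcher("/images/*"),
                        new AntPathRequestMatcher("/session-expired"),
                        new AntPathRequestMatcher("/favicon-notification.ico"))
                .permitAll());

        // Matchers are evaluated in registration order, so the rules above
        // come first and the superclass then appends Vaadin's defaults,
        // ending with anyRequest().authenticated() as the deny-by-default
        // fallback for everything not explicitly permitted.
        super.configure(http);

        // Registers LoginView (assumed: a @Route Flow view) as the login page,
        // permits unauthenticated access to it and wires up logout handling.
        setLoginView(http, LoginView.class);
    }
}
```

Prefer `permitAll()` over `web.ignoring()` for anything that is not a pure static file: an ignored path skips the whole security filter chain, so it receives no security headers and no session handling, whereas a permitted path stays inside the chain and is merely exempt from authentication.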