com.vaadin.flow.spring.security

Class VaadinWebSecurityConfigurerAdapter

java.lang.Object

org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter

All Implemented Interfaces:

org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>

public abstract class VaadinWebSecurityConfigurerAdapter
extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Provides basic Vaadin security configuration for the project.

Sets up security rules for a Vaadin application and restricts all URLs except for public resources and internal Vaadin URLs to authenticated user.

The default behavior can be altered by extending the public/protected methods in the class.

To use this, create your own web security configurer adapter class by extending this class instead of WebSecurityConfigurerAdapter and annotate it with @EnableWebSecurity and @Configuration.

For example @EnableWebSecurity @Configuration public class MySecurityConfigurerAdapter extends VaadinWebSecurityConfigurerAdapter { }

Constructor Summary

Constructors

Constructor and Description
VaadinWebSecurityConfigurerAdapter()

Method Summary

Modifier and Type	Method and Description
protected void	configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
void	configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) The paths listed as "ignoring" in this method are handled without any Spring Security involvement.
static org.springframework.security.web.util.matcher.RequestMatcher	getDefaultHttpSecurityPermitMatcher() Matcher for framework internal requests.
static org.springframework.security.web.util.matcher.RequestMatcher	getDefaultWebSecurityIgnoreMatcher() Matcher for Vaadin static (public) resources.
protected void	setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends com.vaadin.flow.component.Component> flowLoginView) Sets up login for the application using the given Flow login view.
protected void	setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends com.vaadin.flow.component.Component> flowLoginView, String logoutUrl) Sets up login for the application using the given Flow login view.
protected void	setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String fusionLoginViewPath) Sets up login for the application using form login with the given path for the login view.
protected void	setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String fusionLoginViewPath, String logoutUrl) Sets up login for the application using form login with the given path for the login view.
protected void	setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer) Sets up stateless JWT authentication using cookies.
protected void	setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn) Sets up stateless JWT authentication using cookies.

Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

authenticationManager, authenticationManagerBean, configure, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

VaadinWebSecurityConfigurerAdapter

public VaadinWebSecurityConfigurerAdapter()

Method Detail

configure

public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
               throws Exception

The paths listed as "ignoring" in this method are handled without any Spring Security involvement. They have no access to any security context etc.

Specified by:

configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,org.springframework.security.config.annotation.web.builders.WebSecurity>

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

configure

protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                  throws Exception

Overrides:

configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

Throws:

Exception

getDefaultHttpSecurityPermitMatcher

public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()

Matcher for framework internal requests.

Returns:

default HttpSecurity bypass matcher

getDefaultWebSecurityIgnoreMatcher

public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()

Matcher for Vaadin static (public) resources.

Returns:

default WebSecurity ignore matcher

setLoginView

protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            String fusionLoginViewPath)
                     throws Exception

Sets up login for the application using form login with the given path for the login view.

This is used when your application uses a Fusion based login view available at the given path.

Parameters:

http - the http security from configure(HttpSecurity)

fusionLoginViewPath - the path to the login view

Throws:

Exception - if something goes wrong

setLoginView

protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            String fusionLoginViewPath,
                            String logoutUrl)
                     throws Exception

Sets up login for the application using form login with the given path for the login view.

This is used when your application uses a Fusion based login view available at the given path.

Parameters:

http - the http security from configure(HttpSecurity)

fusionLoginViewPath - the path to the login view

logoutUrl - the URL to redirect the user to after logging out

Throws:

Exception - if something goes wrong

setLoginView

protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            Class<? extends com.vaadin.flow.component.Component> flowLoginView)
                     throws Exception

Sets up login for the application using the given Flow login view.

Parameters:

http - the http security from configure(HttpSecurity)

flowLoginView - the login view to use

Throws:

Exception - if something goes wrong

setLoginView

protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            Class<? extends com.vaadin.flow.component.Component> flowLoginView,
                            String logoutUrl)
                     throws Exception

Sets up login for the application using the given Flow login view.

Parameters:

http - the http security from configure(HttpSecurity)

flowLoginView - the login view to use

logoutUrl - the URL to redirect the user to after logging out

Throws:

Exception - if something goes wrong

setStatelessAuthentication

protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                          SecretKey secretKey,
                                          String issuer)
                                   throws Exception

Sets up stateless JWT authentication using cookies.

Parameters:

http - the http security from configure(HttpSecurity)

secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name

issuer - the issuer JWT claim

Throws:

Exception - if something goes wrong

setStatelessAuthentication

protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                          SecretKey secretKey,
                                          String issuer,
                                          long expiresIn)
                                   throws Exception

Sets up stateless JWT authentication using cookies.

Parameters:

http - the http security from configure(HttpSecurity)

secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name

issuer - the issuer JWT claim

expiresIn - lifetime of the JWT and cookies, in seconds

Throws:

Exception - if something goes wrong