Class VaadinWebSecurityConfigurerAdapter

  • All Implemented Interfaces:
    org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,​org.springframework.security.config.annotation.web.builders.WebSecurity>, org.springframework.security.config.annotation.web.WebSecurityConfigurer<org.springframework.security.config.annotation.web.builders.WebSecurity>

    public abstract class VaadinWebSecurityConfigurerAdapter
    extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    Provides basic Vaadin security configuration for the project.

    Sets up security rules for a Vaadin application and restricts all URLs, except for public resources and internal Vaadin URLs, to authenticated users.

    The default behavior can be altered by overriding the public/protected methods in the class.

    To use this, create your own web security configurer adapter class by extending this class instead of WebSecurityConfigurerAdapter and annotate it with @EnableWebSecurity and @Configuration.

    For example:

        @EnableWebSecurity
        @Configuration
        public class MySecurityConfigurerAdapter extends VaadinWebSecurityConfigurerAdapter {
        }

    • Method Summary

      Modifier and Type Method Description
      protected String applyUrlMapping​(String path)
      Helper method to prepend configured servlet path to the given path.
      protected void configure​(org.springframework.security.config.annotation.web.builders.HttpSecurity http)  
      void configure​(org.springframework.security.config.annotation.web.builders.WebSecurity web)
      The paths listed as "ignoring" in this method are handled without any Spring Security involvement.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()
      Matcher for framework internal requests.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher​(String urlMapping)
      Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()
      Matcher for Vaadin static (public) resources.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher​(String urlMapping)
      Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView)
      Sets up login for the application using the given Flow login view.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutUrl)
      Sets up login for the application using the given Flow login view.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String fusionLoginViewPath)
      Sets up login for the application using form login with the given path for the login view.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String fusionLoginViewPath, String logoutUrl)
      Sets up login for the application using form login with the given path for the login view.
      protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer)
      Sets up stateless JWT authentication using cookies.
      protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn)
      Sets up stateless JWT authentication using cookies.
      • Methods inherited from class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

        authenticationManager, authenticationManagerBean, configure, getApplicationContext, getHttp, init, setApplicationContext, setAuthenticationConfiguration, setContentNegotationStrategy, setObjectPostProcessor, setTrustResolver, userDetailsService, userDetailsServiceBean
    • Constructor Detail

      • VaadinWebSecurityConfigurerAdapter

        public VaadinWebSecurityConfigurerAdapter()
    • Method Detail

      • configure

        public void configure​(org.springframework.security.config.annotation.web.builders.WebSecurity web)
                       throws Exception
        The paths listed as "ignoring" in this method are handled without any Spring Security involvement. Requests to these paths have no access to any security context.

        Specified by:
        configure in interface org.springframework.security.config.annotation.SecurityConfigurer<javax.servlet.Filter,​org.springframework.security.config.annotation.web.builders.WebSecurity>
        Overrides:
        configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        Throws:
        Exception
      • configure

        protected void configure​(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                          throws Exception
        Overrides:
        configure in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
        Throws:
        Exception
      • getDefaultHttpSecurityPermitMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()
        Matcher for framework internal requests. Assumes Vaadin servlet to be mapped on root path (/*).
        Returns:
        default HttpSecurity bypass matcher
      • getDefaultHttpSecurityPermitMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher​(String urlMapping)
        Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
        Parameters:
        urlMapping - url mapping for the Vaadin servlet.
        Returns:
        default HttpSecurity bypass matcher
      • getDefaultWebSecurityIgnoreMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()
        Matcher for Vaadin static (public) resources. Assumes Vaadin servlet to be mapped on root path (/*).
        Returns:
        default WebSecurity ignore matcher
      • getDefaultWebSecurityIgnoreMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher​(String urlMapping)
        Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path. Assumes Vaadin servlet to be mapped on root path (/*).
        Parameters:
        urlMapping - the url mapping for the Vaadin servlet
        Returns:
        default WebSecurity ignore matcher
      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                    String fusionLoginViewPath)
                             throws Exception
        Sets up login for the application using form login with the given path for the login view.

        This is used when your application uses a Fusion based login view available at the given path.

        Parameters:
        http - the http security from configure(HttpSecurity)
        fusionLoginViewPath - the path to the login view
        Throws:
        Exception - if something goes wrong
      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                    String fusionLoginViewPath,
                                    String logoutUrl)
                             throws Exception
        Sets up login for the application using form login with the given path for the login view.

        This is used when your application uses a Fusion based login view available at the given path.

        Parameters:
        http - the http security from configure(HttpSecurity)
        fusionLoginViewPath - the path to the login view
        logoutUrl - the URL to redirect the user to after logging out
        Throws:
        Exception - if something goes wrong
      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                    Class<? extends Component> flowLoginView)
                             throws Exception
        Sets up login for the application using the given Flow login view.
        Parameters:
        http - the http security from configure(HttpSecurity)
        flowLoginView - the login view to use
        Throws:
        Exception - if something goes wrong
      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                    Class<? extends Component> flowLoginView,
                                    String logoutUrl)
                             throws Exception
        Sets up login for the application using the given Flow login view.
        Parameters:
        http - the http security from configure(HttpSecurity)
        flowLoginView - the login view to use
        logoutUrl - the URL to redirect the user to after logging out
        Throws:
        Exception - if something goes wrong
      • setStatelessAuthentication

        protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                                  SecretKey secretKey,
                                                  String issuer)
                                           throws Exception
        Sets up stateless JWT authentication using cookies.
        Parameters:
        http - the http security from configure(HttpSecurity)
        secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
        issuer - the issuer JWT claim
        Throws:
        Exception - if something goes wrong
      • setStatelessAuthentication

        protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                                  SecretKey secretKey,
                                                  String issuer,
                                                  long expiresIn)
                                           throws Exception
        Sets up stateless JWT authentication using cookies.
        Parameters:
        http - the http security from configure(HttpSecurity)
        secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
        issuer - the issuer JWT claim
        expiresIn - lifetime of the JWT and cookies, in seconds
        Throws:
        Exception - if something goes wrong
      • applyUrlMapping

        protected String applyUrlMapping​(String path)
        Helper method to prepend configured servlet path to the given path. Path will always be considered as relative to servlet path, even if it starts with a slash character.
        Parameters:
        path - path to be prefixed with servlet path
        Returns:
        the input path prepended by servlet path.
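
A configuration that combines the methods documented above, as an added example that is not part of the Vaadin Javadoc or code base: it keeps the default rules, registers a Fusion login view, and enables stateless JWT authentication after checking the key length. The property name `app.auth.jwt-secret`, the paths `/login` and `/images/**`, the issuer string and the 30-minute lifetime are assumptions; the import assumes the class lives in `com.vaadin.flow.spring.security`.

```java
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;

// Added example; class name, property name, paths and issuer are assumptions.
@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurityConfigurerAdapter {

    // Base64-encoded random key injected at deploy time, never hard-coded.
    @Value("${app.auth.jwt-secret}")
    private String jwtSecretBase64;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // keep the defaults: everything else requires authentication
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        setLoginView(http, "/login");

        byte[] keyBytes = Base64.getDecoder().decode(jwtSecretBase64);
        if (keyBytes.length < 32) { // HS256 needs a key of at least 256 bits
            throw new IllegalStateException("JWT secret must be at least 32 bytes");
        }
        // The key's algorithm name must be a MacAlgorithm name such as "HS256".
        SecretKey key = new SecretKeySpec(keyBytes, MacAlgorithm.HS256.getName());
        setStatelessAuthentication(http, key, "com.example.app", 1800L);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        // Ignored paths skip the Spring Security filter chain entirely, so list
        // only static files that never need a security context.
        web.ignoring().antMatchers("/images/**");
    }
}
```

Failing at startup on a short secret surfaces a weak key during deployment rather than when the first token is signed.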