Package com.vaadin.flow.spring.security

Class VaadinWebSecurity

  • public abstract class VaadinWebSecurity
extends Object
    Provides basic Vaadin component-based security configuration for the project.

    Sets up security rules for a Vaadin application and restricts all URLs except for public resources and internal Vaadin URLs to authenticated user.

    The default behavior can be altered by extending the public/protected methods in the class.

    Provides default bean implementations for SecurityFilterChain and WebSecurityCustomizer.

    To use this, create your own web security class by extending this class and annotate it with @EnableWebSecurity and @Configuration.

    For example: 

     
 @EnableWebSecurity
 @Configuration
 public class MyWebSecurity extends VaadinWebSecurity {
 }

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      protected void addLogoutHandlers​(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)
      Sets additional LogoutHandlers that will participate in logout process.
      protected String applyUrlMapping​(String path)
      Helper method to prepend configured servlet path to the given path.
      protected void configure​(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
      Applies Vaadin default configuration to HttpSecurity.
      protected void configure​(org.springframework.security.config.annotation.web.builders.WebSecurity web)  
      org.springframework.security.web.SecurityFilterChain filterChain​(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
      Registers default SecurityFilterChain bean.
      AuthenticationContext getAuthenticationContext()
      Gets the default authentication-context bean.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()
      Matcher for framework internal requests.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher​(String urlMapping)
      Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()
      Matcher for Vaadin static (public) resources.
      static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher​(String urlMapping)
      Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path.
      protected ViewAccessChecker getViewAccessChecker()
      Vaadin views access checker bean.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView)
      Sets up login for the application using the given Flow login view.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl)
      Sets up login for the application using the given Flow login view.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath)
      Sets up login for the application using form login with the given path for the login view.
      protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl)
      Sets up login for the application using form login with the given path for the login view.
      protected void setOAuth2LoginPage​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage)
      Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.
      protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer)
      Sets up stateless JWT authentication using cookies.
      protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn)
      Sets up stateless JWT authentication using cookies.
      org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer webSecurityCustomizer()
      Registers default WebSecurityCustomizer bean.

    • Constructor Detail

      • VaadinWebSecurity

        public VaadinWebSecurity()

    • Method Detail

      • filterChain

        @Bean(name="VaadinSecurityFilterChainBean")
public org.springframework.security.web.SecurityFilterChain filterChain​(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                                                                 throws Exception
        Registers default SecurityFilterChain bean.

        Defines a filter chain which is capable of being matched against an HttpServletRequest. in order to decide whether it applies to that request.

        HttpSecurity configuration can be customized by overriding configure(HttpSecurity).

        Throws:
        Exception

      • getAuthenticationContext

        @Bean(name="VaadinAuthenticationContext")
public AuthenticationContext getAuthenticationContext()
        Gets the default authentication-context bean.
        Returns:
        the authentication-context bean

      • configure

        protected void configure​(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                  throws Exception
        Applies Vaadin default configuration to HttpSecurity. Typically, subclasses should call super to apply default Vaadin configuration in addition to custom rules.
        Parameters:
        http - the HttpSecurity to modify
        Throws:
        Exception - if an error occurs

      • webSecurityCustomizer

        @Bean(name="VaadinWebSecurityCustomizerBean")
public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer webSecurityCustomizer()
        Registers default WebSecurityCustomizer bean.

        Beans of this type will automatically be used by WebSecurityConfiguration to customize WebSecurity.

        WebSecurity configuration can be customized by overriding configure(WebSecurity)

        Default no WebSecurity customization is performed.

      • configure

        protected void configure​(org.springframework.security.config.annotation.web.builders.WebSecurity web)
                  throws Exception
        Throws:
        Exception

      • getDefaultHttpSecurityPermitMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()
        Matcher for framework internal requests. Assumes Vaadin servlet to be mapped on root path (/*).
        Returns:
        default HttpSecurity bypass matcher

      • getDefaultHttpSecurityPermitMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher​(String urlMapping)
        Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
        Parameters:
        urlMapping - url mapping for the Vaadin servlet.
        Returns:
        default HttpSecurity bypass matcher

      • getDefaultWebSecurityIgnoreMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()
        Matcher for Vaadin static (public) resources. Assumes Vaadin servlet to be mapped on root path (/*).
        Returns:
        default WebSecurity ignore matcher

      • getDefaultWebSecurityIgnoreMatcher

        public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher​(String urlMapping)
        Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path. Assumes Vaadin servlet to be mapped on root path (/*).
        Parameters:
        urlMapping - the url mapping for the Vaadin servlet
        Returns:
        default WebSecurity ignore matcher

      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            String hillaLoginViewPath)
                     throws Exception
        Sets up login for the application using form login with the given path for the login view.

        This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

        Parameters:
        http - the http security from filterChain(HttpSecurity)
        hillaLoginViewPath - the path to the login view
        Throws:
        Exception - if something goes wrong

      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            String hillaLoginViewPath,
                            String logoutSuccessUrl)
                     throws Exception
        Sets up login for the application using form login with the given path for the login view.

        This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

        Parameters:
        http - the http security from filterChain(HttpSecurity)
        hillaLoginViewPath - the path to the login view
        logoutSuccessUrl - the URL to redirect the user to after logging out
        Throws:
        Exception - if something goes wrong

      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            Class<? extends Component> flowLoginView)
                     throws Exception
        Sets up login for the application using the given Flow login view.
        Parameters:
        http - the http security from filterChain(HttpSecurity)
        flowLoginView - the login view to use
        Throws:
        Exception - if something goes wrong

      • setLoginView

        protected void setLoginView​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                            Class<? extends Component> flowLoginView,
                            String logoutSuccessUrl)
                     throws Exception
        Sets up login for the application using the given Flow login view.
        Parameters:
        http - the http security from filterChain(HttpSecurity)
        flowLoginView - the login view to use
        logoutSuccessUrl - the URL to redirect the user to after logging out
        Throws:
        Exception - if something goes wrong

      • setOAuth2LoginPage

        protected void setOAuth2LoginPage​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                  String oauth2LoginPage)
                           throws Exception
        Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.
        Parameters:
        http - the http security from filterChain(HttpSecurity)
        oauth2LoginPage - the login page of the OAuth2 provider. This Specifies the URL to send users to if login is required.
        Throws:
        Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

      • setStatelessAuthentication

        protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                          SecretKey secretKey,
                                          String issuer)
                                   throws Exception
        Sets up stateless JWT authentication using cookies.
        Parameters:
        http - the http security from filterChain(HttpSecurity)
        secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
        issuer - the issuer JWT claim
        Throws:
        Exception - if something goes wrong

      • setStatelessAuthentication

        protected void setStatelessAuthentication​(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
                                          SecretKey secretKey,
                                          String issuer,
                                          long expiresIn)
                                   throws Exception
        Sets up stateless JWT authentication using cookies.
        Parameters:
        http - the http security from filterChain(HttpSecurity)
        secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
        issuer - the issuer JWT claim
        expiresIn - lifetime of the JWT and cookies, in seconds
        Throws:
        Exception - if something goes wrong

      • applyUrlMapping

        protected String applyUrlMapping​(String path)
        Helper method to prepend configured servlet path to the given path. Path will always be considered as relative to servlet path, even if it starts with a slash character.
        Parameters:
        path - path to be prefixed with servlet path
        Returns:
        the input path prepended by servlet path.

      • getViewAccessChecker

        protected ViewAccessChecker getViewAccessChecker()
        Vaadin views access checker bean.

        This getter can be used in implementing class to override logic of VaadinWebSecurity.setLoginView methods and call ViewAccessChecker methods explicitly.

        Note that this bean is a field-autowired, thus this getter returns null when called from the constructor of implementing class.

        Returns:
        ViewAccessChecker bean used by this VaadinWebSecurity configuration.

      • addLogoutHandlers

        protected void addLogoutHandlers​(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)
        Sets additional LogoutHandlers that will participate in logout process.
        Parameters:
        registry - used to add custom handlers.