Integrate spring-boot-starter-security with Vaadin 7

1
votes

I'm trying to integrating Spring Security with Vaadin Spring (https://vaadin.com/wiki/-/wiki/Main/Vaadin+Spring).

My application class just starts up the Spring Application

https://gist.github.com/anonymous/c047030c61b90c02d1ef

I created a class that extends WebSecurityConfigurerAdapter

https://gist.github.com/anonymous/0e905d0627adf5e2dc39

pom.xml includes the dependency spring-boot-starter-security

When I type in localhost:8080 it redirects me to the login url (http://localhost:8080/login) provided by Spring Security. I enter in the username/password (user/password) and I get this error.

java.lang.NullPointerException: null at com.vaadin.server.LegacyCommunicationManager.getClientCache(LegacyCommunicationManager.java:194)

(full log output at https://gist.github.com/anonymous/b4be702762b5bc744c66).

I tried adding to the ApplicationSecurity the overridden method "configuration(HttpSecurity http)" based off examples I found on the web but that gives me more errors as that doesn't take me to the /login page at all.

1
javaspring-bootspring-securityvaadinvaadin7
I have simplified the ApplicationSecurity class and I still get the same error. gist.github.com/anonymous/9bbf2991ffdca7f002c9 - caritos

1 Answers

2
votes

I suppose it may have something to do with the fact that not all features are supported in the current beta version as stated by Henri Sara:

Vaadin Spring is an official add-on (moving from alpha to beta at the moment, with some API changes) that includes the core functionality of Vaadin4Spring.

The parts of Vaadin4Spring that are not covered by the current version of Vaadin Spring (event bus, Spring Security support, ...) will be converted to use Vaadin Spring sometime after the beta release. More functionality might migrate to the official add-on in future versions.

Anyway, out of curiosity regarding Spring Security (haven't used it so far) I've done a bit of research with Vaadin 7.4.3. I set the root logger on debug, added a few breakpoints (UIInitHandler:148) and noticed the following:

  • the initial request is correctly handled by the UIInitHandler and an instance of the appropriate UI is created
  • immediately after the same breakpoint @ UIInitHandler:148 is triggered for the /error path and the handler is unable to resolve the UI because most likely you don't have one defined. This also made me think that an exception may be thrown but hidden somewhere in there
  • looking at the logs I saw a lot of Invalid CSRF token found for http://localhost:8080/login?v-1429092013868

So I changed a bit the ApplicationSecurity.configure(HttpSecurity http) method to http.csrf().disable().authorizeRequests().anyRequest().permitAll(); and I was able to proceed to the second screen. Now this may not be that safe from what I gathered, but it should give you a starting point.

Note: You may already know this but if you don't and it saves you some time I'm glad to share this as well, because it took me a while to figure it out. Depending on how you will setup your app security you may end up changing that method to something like below.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().
            exceptionHandling().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")).accessDeniedPage("/accessDenied")
            .and().authorizeRequests()
            .antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**","/login", "/login/**", "/error/**", "/accessDenied/**").permitAll()
            .antMatchers("/authorized", "/**").fullyAuthenticated();
}