Class VaadinStatelessSecurityConfigurer<H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>

java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<VaadinStatelessSecurityConfigurer<H>,H>
com.vaadin.flow.spring.security.stateless.VaadinStatelessSecurityConfigurer<H>
Type Parameters:
H - the concrete HttpSecurityBuilder subclass
All Implemented Interfaces:
org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public final class VaadinStatelessSecurityConfigurer<H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>> extends org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<VaadinStatelessSecurityConfigurer<H>,H>
Enables authentication that relies on JWT instead of sessions.

Shared Objects Created

The following shared objects are populated:
  • SecurityContextRepository is populated with a JwtSecurityContextRepository
  • CsrfConfigurer.csrfTokenRepository(CsrfTokenRepository) is used to set a LazyCsrfTokenRepository that delegates to a CookieCsrfTokenRepository

Shared Objects Used

The following shared objects are used:
  • Constructor Details

    • VaadinStatelessSecurityConfigurer

      public VaadinStatelessSecurityConfigurer()
  • Method Details

    • setSharedObjects

      @Deprecated(since="24.4", forRemoval=true) public void setSharedObjects(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
      Deprecated, for removal: This API element is subject to removal in a future version.
      To be removed. There is no direct replacement for this method. Shared object setup must be done along with the other required configuration by calling apply(HttpSecurity, Customizer).
      Sets JwtSecurityContextRepository as a shared object to be used by multiple SecurityConfigurer instances.
      Parameters:
      http - the http security builder to store the shared object.
      See Also:
    • apply

      public static void apply(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.config.Customizer<VaadinStatelessSecurityConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>> customizer) throws Exception
      Applies configuration required to enable stateless security for a Vaadin application.

      Use customizer to tune VaadinStatelessSecurityConfigurer, or Customizer.withDefaults() to accept the default values.
      Parameters:
      http - the http security builder
      customizer - the Customizer to provide more options for the VaadinStatelessSecurityConfigurer
      Throws:
      Exception
    • init

      public void init(H http)
      Specified by:
      init in interface org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>
      Overrides:
      init in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>
    • configure

      public void configure(H http)
      Specified by:
      configure in interface org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>
      Overrides:
      configure in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>
    • expiresIn

      public VaadinStatelessSecurityConfigurer<H> expiresIn(long expiresIn)
      Sets the lifetime of the JWT. The default is 1800 seconds.
      Parameters:
      expiresIn - the lifetime in seconds
      Returns:
      the VaadinStatelessSecurityConfigurer for further customization
    • issuer

      public VaadinStatelessSecurityConfigurer<H> issuer(String issuer)
      Sets the issuer claim to use when issuing and verifying the JWT.
      Parameters:
      issuer - string identifier or URL of the issuer
      Returns:
      the VaadinStatelessSecurityConfigurer for further customization
    • withSecretKey

      Specifies using a secret key for signing and verification.
      Returns:
      the VaadinStatelessSecurityConfigurer<H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>.SecretKeyConfigurer
    • withSecretKey

      public VaadinStatelessSecurityConfigurer<H> withSecretKey(org.springframework.security.config.Customizer<VaadinStatelessSecurityConfigurer<H>.SecretKeyConfigurer> customizer)
      Specifies using a secret key for signing and verification.
      Parameters:
      customizer - the Customizer to provide configuration for the VaadinStatelessSecurityConfigurer<H extends org.springframework.security.config.annotation.web.HttpSecurityBuilder<H>>.SecretKeyConfigurer
      Returns:
      the VaadinStatelessSecurityConfigurer for further customization
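
Example (added here, not part of the Vaadin documentation): one way to call apply(HttpSecurity, Customizer) with issuer, expiresIn and withSecretKey(Customizer) while rejecting a missing or short signing key at startup. The class name StatelessJwtSetup, the issuer URL, the 900-second lifetime and the 32-byte minimum are assumptions; secretKey(SecretKey) and algorithm(MacAlgorithm) belong to the nested SecretKeyConfigurer, whose methods are not listed on this page.

```java
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;

import com.vaadin.flow.spring.security.stateless.VaadinStatelessSecurityConfigurer;

// Hypothetical helper class; call enable(http, secret) from the application's
// own security configuration before building the filter chain.
public final class StatelessJwtSetup {

    private static final int MIN_KEY_BYTES = 32; // 256 bits for HS256 (RFC 7518)

    private StatelessJwtSetup() {
    }

    // Decodes the Base64 secret and fails closed on a missing or short key,
    // so a misconfigured deployment cannot start with a guessable HMAC key.
    static SecretKey loadKey(String base64Secret) {
        if (base64Secret == null || base64Secret.isBlank()) {
            throw new IllegalStateException("JWT signing secret is not set");
        }
        byte[] raw = Base64.getDecoder().decode(base64Secret);
        if (raw.length < MIN_KEY_BYTES) {
            throw new IllegalStateException(
                    "JWT signing secret must be at least " + MIN_KEY_BYTES + " bytes");
        }
        return new SecretKeySpec(raw, JwsAlgorithms.HS256);
    }

    static void enable(HttpSecurity http, String base64Secret) throws Exception {
        SecretKey key = loadKey(base64Secret);
        VaadinStatelessSecurityConfigurer.apply(http, cfg -> cfg
                // Constructed issuer value; the same string is checked on verification.
                .issuer("https://app.example.com")
                // 900 s instead of the 1800 s default: a stolen token expires sooner.
                .expiresIn(900)
                // Same key signs and verifies, so it must stay server-side only.
                .withSecretKey(k -> k.secretKey(key).algorithm(MacAlgorithm.HS256)));
    }
}
```

Supply the Base64 secret from the environment or a secret store rather than from source control; because the key is symmetric, anyone who obtains it can mint tokens the application will accept.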