Package com.vaadin.flow.spring.security

Class VaadinWebSecurity

java.lang.Object
com.vaadin.flow.spring.security.VaadinWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) public abstract class VaadinWebSecurity extends Object
Provides basic Vaadin component-based security configuration for the project.

Sets up security rules for a Vaadin application and restricts all URLs except for public resources and internal Vaadin URLs to authenticated user.

The default behavior can be altered by extending the public/protected methods in the class.

Provides default bean implementations for SecurityFilterChain and WebSecurityCustomizer.

To use this, create your own web security class by extending this class and annotate it with @EnableWebSecurity and @Configuration.

For example: 

 
 @EnableWebSecurity
 @Configuration
 public class MyWebSecurity extends VaadinWebSecurity {
 }

  • Constructor Summary

    Constructors
    Constructor
    Description
    VaadinWebSecurity()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    addLogoutHandlers(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)
    Sets additional LogoutHandlers that will participate in logout process.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    antMatchers(String... patterns)
    Deprecated, for removal: This API element is subject to removal in a future version.
    AntPathRequestMatcher is deprecated and will be removed, use pathMatchers(String...) instead.
    protected String
    applyUrlMapping(String path)
    Helper method to prepend configured servlet path to the given path.
    protected void
    configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Applies Vaadin default configuration to HttpSecurity.
    protected void
    configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
     
    protected boolean
    enableNavigationAccessControl()
    Gets if navigation access control should be enabled.
    org.springframework.security.web.SecurityFilterChain
    filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Registers default SecurityFilterChain bean.
    AuthenticationContext
    getAuthenticationContext()
    Gets the default authentication-context bean.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultHttpSecurityPermitMatcher()
    Matcher for framework internal requests.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultHttpSecurityPermitMatcher(String urlMapping)
    Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultWebSecurityIgnoreMatcher()
    Matcher for Vaadin static (public) resources.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultWebSecurityIgnoreMatcher(String urlMapping)
    Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path.
    protected NavigationAccessControl
    getNavigationAccessControl()
    Vaadin navigation access control bean.
    protected ViewAccessChecker
    getViewAccessChecker()
    Deprecated, for removal: This API element is subject to removal in a future version.
    ViewAccessChecker is not used anymore by VaadinWebSecurity, and has been replaced by NavigationAccessControl.
    protected org.springframework.security.web.authentication.logout.LogoutSuccessHandler
    oidcLogoutSuccessHandler(String postLogoutRedirectUri)
    Gets a OidcClientInitiatedLogoutSuccessHandler instance that redirects to the given URL after logout.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    pathMatchers(String... patterns)
    Utility to create RequestMatchers from path patterns.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    routeMatchers(String... patterns)
    Deprecated, for removal: This API element is subject to removal in a future version.
    AntPathRequestMatcher is deprecated and will be removed, use routePathMatchers(String...) instead.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    routePathMatchers(String... patterns)
    Utility to create RequestMatchers for a Vaadin routes, using ant patterns and HTTP get method.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView)
    Sets up login for the application using the given Flow login view.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl)
    Sets up login for the application using the given Flow login view.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath)
    Sets up login for the application using form login with the given path for the login view.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl)
    Sets up login for the application using form login with the given path for the login view.
    protected void
    setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage)
    Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.
    protected void
    setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage, String postLogoutRedirectUri)
    Sets up the login page URI of the OAuth2 provider and the post logout URI on the specified HttpSecurity instance.
    protected void
    setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer)
    Sets up stateless JWT authentication using cookies.
    protected void
    setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn)
    Sets up stateless JWT authentication using cookies.
    org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer
    webSecurityCustomizer()
    Registers default WebSecurityCustomizer bean.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • VaadinWebSecurity

      public VaadinWebSecurity()

  • Method Details

    • filterChain

      @Bean(name="VaadinSecurityFilterChainBean") public org.springframework.security.web.SecurityFilterChain filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Registers default SecurityFilterChain bean.

      Defines a filter chain which is capable of being matched against an HttpServletRequest. in order to decide whether it applies to that request.

      HttpSecurity configuration can be customized by overriding configure(HttpSecurity).

      Throws:
      Exception

    • getAuthenticationContext

      @Bean(name="VaadinAuthenticationContext") public AuthenticationContext getAuthenticationContext()
      Gets the default authentication-context bean.
      Returns:
      the authentication-context bean

    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Applies Vaadin default configuration to HttpSecurity. Typically, subclasses should call super to apply default Vaadin configuration in addition to custom rules.
      Parameters:
      http - the HttpSecurity to modify
      Throws:
      Exception - if an error occurs

    • webSecurityCustomizer

      @Bean(name="VaadinWebSecurityCustomizerBean") public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer webSecurityCustomizer()
      Registers default WebSecurityCustomizer bean.

      Beans of this type will automatically be used by WebSecurityConfiguration to customize WebSecurity.

      WebSecurity configuration can be customized by overriding configure(WebSecurity)

      Default no WebSecurity customization is performed.

    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) throws Exception
      Throws:
      Exception

    • enableNavigationAccessControl

      protected boolean enableNavigationAccessControl()
      Gets if navigation access control should be enabled. Navigation access control is enabled by default. This method can be overridden returning false to disable it.
      Returns:
      true if navigation access control should be enabled, false to disable it.

    • getDefaultHttpSecurityPermitMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()
      Matcher for framework internal requests. Assumes Vaadin servlet to be mapped on root path (/*).
      Returns:
      default HttpSecurity bypass matcher

    • getDefaultHttpSecurityPermitMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher(String urlMapping)
      Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
      Parameters:
      urlMapping - url mapping for the Vaadin servlet.
      Returns:
      default HttpSecurity bypass matcher

    • getDefaultWebSecurityIgnoreMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()
      Matcher for Vaadin static (public) resources. Assumes Vaadin servlet to be mapped on root path (/*).
      Returns:
      default WebSecurity ignore matcher

    • getDefaultWebSecurityIgnoreMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher(String urlMapping)
      Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path. Assumes Vaadin servlet to be mapped on root path (/*).
      Parameters:
      urlMapping - the url mapping for the Vaadin servlet
      Returns:
      default WebSecurity ignore matcher

    • antMatchers

      @Deprecated(since="24.8", forRemoval=true) public org.springframework.security.web.util.matcher.RequestMatcher[] antMatchers(String... patterns)
      Deprecated, for removal: This API element is subject to removal in a future version.
      AntPathRequestMatcher is deprecated and will be removed, use pathMatchers(String...) instead.
      Utility to create RequestMatchers from ant patterns.
      Parameters:
      patterns - ant patterns
      Returns:
      an array or RequestMatcher instances for the given patterns.

    • routeMatchers

      @Deprecated(since="24.8", forRemoval=true) public org.springframework.security.web.util.matcher.RequestMatcher[] routeMatchers(String... patterns)
      Deprecated, for removal: This API element is subject to removal in a future version.
      AntPathRequestMatcher is deprecated and will be removed, use routePathMatchers(String...) instead.
      Utility to create RequestMatchers for a Vaadin routes, using ant patterns and HTTP get method.
      Parameters:
      patterns - ant patterns
      Returns:
      an array or RequestMatcher instances for the given patterns.

    • pathMatchers

      public org.springframework.security.web.util.matcher.RequestMatcher[] pathMatchers(String... patterns)
      Utility to create RequestMatchers from path patterns.
      Parameters:
      patterns - path patterns, as described in PathPattern javadoc.
      Returns:
      an array or RequestMatcher instances for the given patterns.
      See Also:
      • PathPatternRequestMatcher.matcher(HttpServletRequest)
      • PathPattern

    • routePathMatchers

      public org.springframework.security.web.util.matcher.RequestMatcher[] routePathMatchers(String... patterns)
      Utility to create RequestMatchers for a Vaadin routes, using ant patterns and HTTP get method.
      Parameters:
      patterns - path patterns, as described in PathPattern javadoc.
      Returns:
      an array or RequestMatcher instances for the given patterns.
      See Also:
      • PathPatternRequestMatcher.matcher(HttpServletRequest)
      • PathPattern

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath) throws Exception
      Sets up login for the application using form login with the given path for the login view.

      This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

      Parameters:
      http - the http security from filterChain(HttpSecurity)
      hillaLoginViewPath - the path to the login view
      Throws:
      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl) throws Exception
      Sets up login for the application using form login with the given path for the login view.

      This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

      Parameters:
      http - the http security from filterChain(HttpSecurity)
      hillaLoginViewPath - the path to the login view
      logoutSuccessUrl - the URL to redirect the user to after logging out
      Throws:
      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView) throws Exception
      Sets up login for the application using the given Flow login view.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      flowLoginView - the login view to use
      Throws:
      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl) throws Exception
      Sets up login for the application using the given Flow login view.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      flowLoginView - the login view to use
      logoutSuccessUrl - the URL to redirect the user to after logging out
      Throws:
      Exception - if something goes wrong

    • setOAuth2LoginPage

      protected void setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage) throws Exception
      Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.

      This method also configures a logout success handler that redirects to the application base URL after logout.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      oauth2LoginPage - the login page of the OAuth2 provider. This Specifies the URL to send users to if login is required.
      Throws:
      Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

    • setOAuth2LoginPage

      protected void setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage, String postLogoutRedirectUri) throws Exception
      Sets up the login page URI of the OAuth2 provider and the post logout URI on the specified HttpSecurity instance.

      The post logout redirect uri can be relative or absolute URI or a template. The supported uri template variables are: {baseScheme}, {baseHost}, {basePort} and {basePath}.

      NOTE: "{baseUrl}" is also supported, which is the same as "{baseScheme}://{baseHost}{basePort}{basePath}" handler. setPostLogoutRedirectUri("{baseUrl}");
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      oauth2LoginPage - the login page of the OAuth2 provider. This Specifies the URL to send users to if login is required.
      postLogoutRedirectUri - the post logout redirect uri. Can be a template.
      Throws:
      Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

    • oidcLogoutSuccessHandler

      protected org.springframework.security.web.authentication.logout.LogoutSuccessHandler oidcLogoutSuccessHandler(String postLogoutRedirectUri)
      Gets a OidcClientInitiatedLogoutSuccessHandler instance that redirects to the given URL after logout.

      If a ClientRegistrationRepository bean is not registered in the application context, the method returns null.
      Parameters:
      postLogoutRedirectUri - the post logout redirect uri
      Returns:
      a OidcClientInitiatedLogoutSuccessHandler, or null if a ClientRegistrationRepository bean is not registered in the application context.

    • setStatelessAuthentication

      protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer) throws Exception
      Sets up stateless JWT authentication using cookies.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
      issuer - the issuer JWT claim
      Throws:
      Exception - if something goes wrong

    • setStatelessAuthentication

      protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn) throws Exception
      Sets up stateless JWT authentication using cookies.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
      issuer - the issuer JWT claim
      expiresIn - lifetime of the JWT and cookies, in seconds
      Throws:
      Exception - if something goes wrong

    • applyUrlMapping

      protected String applyUrlMapping(String path)
      Helper method to prepend configured servlet path to the given path. Path will always be considered as relative to servlet path, even if it starts with a slash character.
      Parameters:
      path - path to be prefixed with servlet path
      Returns:
      the input path prepended by servlet path.

    • getViewAccessChecker

      @Deprecated(forRemoval=true, since="24.3") protected ViewAccessChecker getViewAccessChecker()
      Deprecated, for removal: This API element is subject to removal in a future version.
      ViewAccessChecker is not used anymore by VaadinWebSecurity, and has been replaced by NavigationAccessControl. Calling this method will get a stub implementation that delegates to the NavigationAccessControl instance.
      Vaadin views access checker bean.

      This getter can be used in implementing class to override logic of VaadinWebSecurity.setLoginView methods and call ViewAccessChecker methods explicitly.

      Note that this bean is a field-autowired, thus this getter returns null when called from the constructor of implementing class.

      Returns:
      ViewAccessChecker bean used by this VaadinWebSecurity configuration.

    • getNavigationAccessControl

      protected NavigationAccessControl getNavigationAccessControl()
      Vaadin navigation access control bean.

      This getter can be used in implementing class to override logic of VaadinWebSecurity.setLoginView methods and call NavigationAccessControl methods explicitly.

      Note that this bean is a field-autowired, thus this getter returns null when called from the constructor of implementing class.

      Returns:
      NavigationAccessControl bean used by this VaadinWebSecurity configuration.

    • addLogoutHandlers

      protected void addLogoutHandlers(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)
      Sets additional LogoutHandlers that will participate in logout process.
      Parameters:
      registry - used to add custom handlers.