Package com.vaadin.flow.spring.security

Class SpringAccessPathChecker

java.lang.Object

com.vaadin.flow.spring.security.SpringAccessPathChecker

All Implemented Interfaces:

AccessPathChecker, Serializable

public class SpringAccessPathChecker
extends Object
implements AccessPathChecker

A Spring specific route path access checker that delegates the check to Spring Security.

It is used in combination with RoutePathAccessChecker to provide path-based security to Flow NavigationAccessControl.

To enable it, define a NavigationAccessControlConfigurer bean, configured using NavigationAccessControlConfigurer.withRoutePathAccessChecker() method.

 
 @Bean
 NavigationAccessControlConfigurer navigationAccessControlConfigurer() {
     return new NavigationAccessControlConfigurer()
             .withRoutePathAccessChecker().withLoginView(LoginView.class);
 }
 
 

Custom Request Transformer

When using SpringAccessPathChecker with Spring Security request matchers that need to access HttpServletRequest.getUserPrincipal(), you may need to create a custom AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer bean using principalAwareRequestTransformer(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer). This prevents UnsupportedOperationExceptions that can occur when Spring Security request matchers attempt to access user principal information.

 
 @Bean
 @Primary
 HttpServletRequestTransformer customRequestTransformer() {
     return SpringAccessPathChecker.principalAwareRequestTransformer(
             new PathPatternRequestTransformer());
 }
 
 

An alternative is to use wrap the single request matchers using RequestUtil.principalAwareRequestMatcher(RequestMatcher).

 
 @Bean
 public SecurityFilterChain webFilterChain(HttpSecurity http) {
     http.authorizeRequests(cfg -> cfg.requestMatchers(RequestUtil.principalAwareRequestMatcher(
          request -> {
              ...
              if (request.getUserPrincipal() == null) {
                  ....;
              }
              ...
              return true;
          }
     ));
 }
 
 

See Also:

• Serialized Form

Constructor Summary

Constructors

Constructor	Description
SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator)	Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions.
SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator, String urlMapping)	Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions.

Method Summary

Modifier and Type	Method	Description
boolean	hasAccess(String path, Principal principal, Predicate<String> roleChecker)	Checks if the user defined by the given Principal and role checker has access to the given path.
static org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer	principalAwareRequestTransformer(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer transformer)	Provides a security-aware HTTP request transformer that applies additional processing to the transformed request using RequestUtil.PrincipalAwareRequestWrapper.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

SpringAccessPathChecker

public SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator)

Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions.

Parameters:

evaluator - evaluator to check path permissions.

SpringAccessPathChecker

public SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator,
 String urlMapping)

Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions. It applies the given Vaadin servlet url mapping to the input path before delegating the check to the evaluator.

Parameters:

evaluator - evaluator to check path permissions.

urlMapping - Vaadin servlet url mapping

Method Details

hasAccess

public boolean hasAccess(String path,
 Principal principal,
 Predicate<String> roleChecker)

Description copied from interface: AccessPathChecker

Checks if the user defined by the given Principal and role checker has access to the given path.

The path is relative to the Vaadin application and does not contain any container specific details such as context or servlet path.

The path is never null and never starts with a "/" character.

Specified by:

hasAccess in interface AccessPathChecker

Parameters:

path - the path to check access to

principal - the principal of the user

roleChecker - a function that can answer if a user has a given role

Returns:

true if the user has access to the given path, false otherwise.

principalAwareRequestTransformer

public static org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer principalAwareRequestTransformer(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer transformer)

Provides a security-aware HTTP request transformer that applies additional processing to the transformed request using RequestUtil.PrincipalAwareRequestWrapper.

A custom AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer bean handling HttpServletRequest.getUserPrincipal() method should be exposed by the application when SpringAccessPathChecker is used in conjunction with Spring Security request matchers that requires to access that information to prevent UnsupportedOperationExceptions.

Parameters:

transformer - the original HTTP request transformer to be wrapped

Returns:

a new HTTP request transformer that wraps the transformed request with enhanced security awareness