Package com.vaadin.flow.spring.security

Class VaadinWebSecurity

java.lang.Object
com.vaadin.flow.spring.security.VaadinWebSecurity
@Deprecated(since="24.9", forRemoval=true) @Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) public abstract class VaadinWebSecurity extends Object
Deprecated, for removal: This API element is subject to removal in a future version.
Use VaadinSecurityConfigurer instead. It follows the Spring's SecurityConfigurer pattern and we recommend use it to configure Spring Security with Vaadin: 
 @Configuration
 @EnableWebSecurity
 @Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
     @Bean
     SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         return http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {}).build();
     }
 }
Read more details in Security Configurer documentation.
Provides basic Vaadin component-based security configuration for the project.

Sets up security rules for a Vaadin application and restricts all URLs except for public resources and internal Vaadin URLs to authenticated user.

The default behavior can be altered by extending the public/protected methods in the class.

Provides default bean implementations for SecurityFilterChain and WebSecurityCustomizer.

To use this, create your own web security class by extending this class and annotate it with @EnableWebSecurity and @Configuration.

For example: 

 
 @EnableWebSecurity
 @Configuration
 public class MyWebSecurity extends VaadinWebSecurity {
 }

  • Constructor Summary

    Constructors
    Constructor
    Description
    VaadinWebSecurity()
    Deprecated, for removal: This API element is subject to removal in a future version.
     

  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    addLogoutHandlers(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets additional LogoutHandlers that will participate in logout process.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    antMatchers(String... patterns)
    Deprecated, for removal: This API element is subject to removal in a future version.
    AntPathRequestMatcher is deprecated and will be removed, use pathMatchers(String...) instead.
    protected String
    applyUrlMapping(String path)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Helper method to prepend configured servlet path to the given path.
    protected void
    configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Applies Vaadin default configuration to HttpSecurity.
    protected void
    configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)
    Deprecated, for removal: This API element is subject to removal in a future version.
     
    protected boolean
    enableNavigationAccessControl()
    Deprecated, for removal: This API element is subject to removal in a future version.
    Gets if navigation access control should be enabled.
    org.springframework.security.web.SecurityFilterChain
    filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Registers default SecurityFilterChain bean.
    AuthenticationContext
    getAuthenticationContext()
    Deprecated, for removal: This API element is subject to removal in a future version.
    Gets the default authentication-context bean.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultHttpSecurityPermitMatcher()
    Deprecated, for removal: This API element is subject to removal in a future version.
    Matcher for framework internal requests.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultHttpSecurityPermitMatcher(String urlMapping)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultWebSecurityIgnoreMatcher()
    Deprecated, for removal: This API element is subject to removal in a future version.
    Matcher for Vaadin static (public) resources.
    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultWebSecurityIgnoreMatcher(String urlMapping)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path.
    protected NavigationAccessControl
    getNavigationAccessControl()
    Deprecated, for removal: This API element is subject to removal in a future version.
    Vaadin navigation access control bean.
    protected ViewAccessChecker
    getViewAccessChecker()
    Deprecated, for removal: This API element is subject to removal in a future version.
    ViewAccessChecker is not used anymore by VaadinWebSecurity, and has been replaced by NavigationAccessControl.
    protected org.springframework.security.web.authentication.logout.LogoutSuccessHandler
    oidcLogoutSuccessHandler(String postLogoutRedirectUri)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Gets a OidcClientInitiatedLogoutSuccessHandler instance that redirects to the given URL after logout.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    pathMatchers(String... patterns)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Utility to create RequestMatchers from path patterns.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    routeMatchers(String... patterns)
    Deprecated, for removal: This API element is subject to removal in a future version.
    AntPathRequestMatcher is deprecated and will be removed, use routePathMatchers(String...) instead.
    org.springframework.security.web.util.matcher.RequestMatcher[]
    routePathMatchers(String... patterns)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Utility to create RequestMatchers for a Vaadin routes, using ant patterns and HTTP get method.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up login for the application using the given Flow login view.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up login for the application using the given Flow login view.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up login for the application using form login with the given path for the login view.
    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up login for the application using form login with the given path for the login view.
    protected void
    setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.
    protected void
    setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage, String postLogoutRedirectUri)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up the login page URI of the OAuth2 provider and the post logout URI on the specified HttpSecurity instance.
    protected void
    setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up stateless JWT authentication using cookies.
    protected void
    setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Sets up stateless JWT authentication using cookies.
    org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer
    webSecurityCustomizer()
    Deprecated, for removal: This API element is subject to removal in a future version.
    Registers default WebSecurityCustomizer bean.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • VaadinWebSecurity

      public VaadinWebSecurity()
      Deprecated, for removal: This API element is subject to removal in a future version.

  • Method Details

    • filterChain

      @Bean(name="VaadinSecurityFilterChainBean") public org.springframework.security.web.SecurityFilterChain filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Registers default SecurityFilterChain bean.

      Defines a filter chain which is capable of being matched against an HttpServletRequest. in order to decide whether it applies to that request.

      HttpSecurity configuration can be customized by overriding configure(HttpSecurity).

      Throws:
      Exception

    • getAuthenticationContext

      @Bean(name="VaadinAuthenticationContext") public AuthenticationContext getAuthenticationContext()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Gets the default authentication-context bean.
      Returns:
      the authentication-context bean

    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Applies Vaadin default configuration to HttpSecurity. Typically, subclasses should call super to apply default Vaadin configuration in addition to custom rules.
      Parameters:
      http - the HttpSecurity to modify
      Throws:
      Exception - if an error occurs

    • webSecurityCustomizer

      @Bean(name="VaadinWebSecurityCustomizerBean") public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer webSecurityCustomizer()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Registers default WebSecurityCustomizer bean.

      Beans of this type will automatically be used by WebSecurityConfiguration to customize WebSecurity.

      WebSecurity configuration can be customized by overriding configure(WebSecurity)

      Default no WebSecurity customization is performed.

    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Throws:
      Exception

    • enableNavigationAccessControl

      protected boolean enableNavigationAccessControl()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Gets if navigation access control should be enabled. Navigation access control is enabled by default. This method can be overridden returning false to disable it.
      Returns:
      true if navigation access control should be enabled, false to disable it.

    • getDefaultHttpSecurityPermitMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Matcher for framework internal requests. Assumes Vaadin servlet to be mapped on root path (/*).
      Returns:
      default HttpSecurity bypass matcher

    • getDefaultHttpSecurityPermitMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher(String urlMapping)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Matcher for framework internal requests, with Vaadin servlet mapped on the given path.
      Parameters:
      urlMapping - url mapping for the Vaadin servlet.
      Returns:
      default HttpSecurity bypass matcher

    • getDefaultWebSecurityIgnoreMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Matcher for Vaadin static (public) resources. Assumes Vaadin servlet to be mapped on root path (/*).
      Returns:
      default WebSecurity ignore matcher

    • getDefaultWebSecurityIgnoreMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher(String urlMapping)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Matcher for Vaadin static (public) resources, with Vaadin servlet mapped on the given path. Assumes Vaadin servlet to be mapped on root path (/*).
      Parameters:
      urlMapping - the url mapping for the Vaadin servlet
      Returns:
      default WebSecurity ignore matcher

    • antMatchers

      @Deprecated(since="24.8", forRemoval=true) public org.springframework.security.web.util.matcher.RequestMatcher[] antMatchers(String... patterns)
      Deprecated, for removal: This API element is subject to removal in a future version.
      AntPathRequestMatcher is deprecated and will be removed, use pathMatchers(String...) instead.
      Utility to create RequestMatchers from ant patterns.
      Parameters:
      patterns - ant patterns
      Returns:
      an array or RequestMatcher instances for the given patterns.

    • routeMatchers

      @Deprecated(since="24.8", forRemoval=true) public org.springframework.security.web.util.matcher.RequestMatcher[] routeMatchers(String... patterns)
      Deprecated, for removal: This API element is subject to removal in a future version.
      AntPathRequestMatcher is deprecated and will be removed, use routePathMatchers(String...) instead.
      Utility to create RequestMatchers for a Vaadin routes, using ant patterns and HTTP get method.
      Parameters:
      patterns - ant patterns
      Returns:
      an array or RequestMatcher instances for the given patterns.

    • pathMatchers

      public org.springframework.security.web.util.matcher.RequestMatcher[] pathMatchers(String... patterns)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Utility to create RequestMatchers from path patterns.
      Parameters:
      patterns - path patterns, as described in PathPattern javadoc.
      Returns:
      an array or RequestMatcher instances for the given patterns.
      See Also:
      • PathPatternRequestMatcher.matcher(HttpServletRequest)
      • PathPattern

    • routePathMatchers

      public org.springframework.security.web.util.matcher.RequestMatcher[] routePathMatchers(String... patterns)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Utility to create RequestMatchers for a Vaadin routes, using ant patterns and HTTP get method.
      Parameters:
      patterns - path patterns, as described in PathPattern javadoc.
      Returns:
      an array or RequestMatcher instances for the given patterns.
      See Also:
      • PathPatternRequestMatcher.matcher(HttpServletRequest)
      • PathPattern

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up login for the application using form login with the given path for the login view.

      This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

      Parameters:
      http - the http security from filterChain(HttpSecurity)
      hillaLoginViewPath - the path to the login view
      Throws:
      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up login for the application using form login with the given path for the login view.

      This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

      Parameters:
      http - the http security from filterChain(HttpSecurity)
      hillaLoginViewPath - the path to the login view
      logoutSuccessUrl - the URL to redirect the user to after logging out
      Throws:
      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up login for the application using the given Flow login view.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      flowLoginView - the login view to use
      Throws:
      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up login for the application using the given Flow login view.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      flowLoginView - the login view to use
      logoutSuccessUrl - the URL to redirect the user to after logging out
      Throws:
      Exception - if something goes wrong

    • setOAuth2LoginPage

      protected void setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.

      This method also configures a logout success handler that redirects to the application base URL after logout.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      oauth2LoginPage - the login page of the OAuth2 provider. This Specifies the URL to send users to if login is required.
      Throws:
      Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

    • setOAuth2LoginPage

      protected void setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage, String postLogoutRedirectUri) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up the login page URI of the OAuth2 provider and the post logout URI on the specified HttpSecurity instance.

      The post logout redirect uri can be relative or absolute URI or a template. The supported uri template variables are: {baseScheme}, {baseHost}, {basePort} and {basePath}.

      NOTE: "{baseUrl}" is also supported, which is the same as "{baseScheme}://{baseHost}{basePort}{basePath}" handler. setPostLogoutRedirectUri("{baseUrl}");
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      oauth2LoginPage - the login page of the OAuth2 provider. This Specifies the URL to send users to if login is required.
      postLogoutRedirectUri - the post logout redirect uri. Can be a template.
      Throws:
      Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

    • oidcLogoutSuccessHandler

      protected org.springframework.security.web.authentication.logout.LogoutSuccessHandler oidcLogoutSuccessHandler(String postLogoutRedirectUri)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Gets a OidcClientInitiatedLogoutSuccessHandler instance that redirects to the given URL after logout.

      If a ClientRegistrationRepository bean is not registered in the application context, the method returns null.
      Parameters:
      postLogoutRedirectUri - the post logout redirect uri
      Returns:
      a OidcClientInitiatedLogoutSuccessHandler, or null if a ClientRegistrationRepository bean is not registered in the application context.

    • setStatelessAuthentication

      protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up stateless JWT authentication using cookies.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
      issuer - the issuer JWT claim
      Throws:
      Exception - if something goes wrong

    • setStatelessAuthentication

      protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets up stateless JWT authentication using cookies.
      Parameters:
      http - the http security from filterChain(HttpSecurity)
      secretKey - the secret key for encoding and decoding JWTs, must use a MacAlgorithm algorithm name
      issuer - the issuer JWT claim
      expiresIn - lifetime of the JWT and cookies, in seconds
      Throws:
      Exception - if something goes wrong

    • applyUrlMapping

      protected String applyUrlMapping(String path)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Helper method to prepend configured servlet path to the given path. Path will always be considered as relative to servlet path, even if it starts with a slash character.
      Parameters:
      path - path to be prefixed with servlet path
      Returns:
      the input path prepended by servlet path.

    • getViewAccessChecker

      @Deprecated(forRemoval=true, since="24.3") protected ViewAccessChecker getViewAccessChecker()
      Deprecated, for removal: This API element is subject to removal in a future version.
      ViewAccessChecker is not used anymore by VaadinWebSecurity, and has been replaced by NavigationAccessControl. Calling this method will get a stub implementation that delegates to the NavigationAccessControl instance.
      Vaadin views access checker bean.

      This getter can be used in implementing class to override logic of VaadinWebSecurity.setLoginView methods and call ViewAccessChecker methods explicitly.

      Note that this bean is a field-autowired, thus this getter returns null when called from the constructor of implementing class.

      Returns:
      ViewAccessChecker bean used by this VaadinWebSecurity configuration.

    • getNavigationAccessControl

      protected NavigationAccessControl getNavigationAccessControl()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Vaadin navigation access control bean.

      This getter can be used in implementing class to override logic of VaadinWebSecurity.setLoginView methods and call NavigationAccessControl methods explicitly.

      Note that this bean is a field-autowired, thus this getter returns null when called from the constructor of implementing class.

      Returns:
      NavigationAccessControl bean used by this VaadinWebSecurity configuration.

    • addLogoutHandlers

      protected void addLogoutHandlers(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets additional LogoutHandlers that will participate in logout process.
      Parameters:
      registry - used to add custom handlers.