Develop Reference

Upgrading to VaadinWebSecurity is breaking custom WebSocket

I recently upgraded my project from Vaadin 23.1 to 23.2 and also upgraded my Spring Security configuration class to extend VaadinWebSecurity.
My project also has a custom WebSocket endpoint that is exposed at a certain URL.
Before the change to VaadinWebSecurity it was working fine. However after upgrading, it is not reachable any more.
Instead, it seems I am getting connected to a Vaadin WebSocket.
Probably the new SecurityFilterChain is overwriting my config.
Message received after connecting:
for(;;);[{"meta":{"async":true,"sessionExpired":true}}]
Security Config
#EnableWebSecurity
#Configuration
public class SecurityConfiguration extends VaadinWebSecurity {
public static final String LOGOUT_URL = "/";
public static final String WEBSOCKET_URl = "/websocket";
//...
#Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(WEBSOCKET_URl)
.permitAll();
super.configure(http);
setLoginView(http, LoginView.class, LOGOUT_URL);
}
}
Sample WebSocket Handler
#Configuration
#EnableWebSocket
public class Websocket implements WebSocketConfigurer {
#Override
public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
registry
.addHandler(new WebSocketHandler() {
#Override
public void afterConnectionEstablished(WebSocketSession session) throws Exception {
session.sendMessage(new TextMessage("this is a response"));
}
// ...
}, SecurityConfiguration.WEBSOCKET_URl)
.setAllowedOriginPatterns("*");
}
}
I created a minimal example project based on start.vaadin.com.
It contains a sample WebSocket Handler.
sample-webscoket-vaadin.zip
Vaadin / Flow version: 23.2.1
Java version: 17
Can someone give me some advice how to get the WebSocket running again?

Atmosphere handler is intercepting the request. I've did some tests and security config is fine since the connection is established. After excluding Atmosphere dependency Spring WS handler works as expected.
It seems to be a bug in the Flow, I've created https://github.com/vaadin/flow/issues/14602
Exclusion workaround:
<dependency>
<groupId>com.vaadin</groupId>
<!-- Replace artifactId with vaadin-core to use only free components -->
<artifactId>vaadin</artifactId>
<exclusions>
<exclusion>
<groupId>com.vaadin.external.atmosphere</groupId>
<artifactId>atmosphere-runtime</artifactId>
</exclusion>
</exclusions>
</dependency>

Spring security doest not restrict access

I have Spring MVC project and try to add security. My problem is that spring doesn't deny access to pages. I mean if I go to /product page, it will open. I have the following security config:
#Configuration
#EnableWebSecurity
public class SecureConfig extends WebSecurityConfigurerAdapter {
#Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication().withUser("a").password("1")
.roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated();
http.csrf().disable();
}
}
At first, I thought, these methods are not executed by spring context, but then I found that they are executed.
if I understand correctly, this configuration should deny access to all pages, but the opposite happens, I can go to any page (/, /product, /test pages)
My security dependencies:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.4.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.4.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>5.4.0</version>
</dependency>
Application class:
public class Application implements WebApplicationInitializer {
Logger logger = LoggerFactory.getLogger(Application.class);
#Override
public void onStartup(ServletContext servletContext) throws ServletException {
AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
context.register(WebConf.class, SecureConfig.class);
ServletRegistration.Dynamic dispatcher = servletContext.addServlet("dispatcher", new DispatcherServlet(context));
dispatcher.addMapping("/*");
dispatcher.setLoadOnStartup(1);
}
}

I solved this problem by adding the following class:
public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {
}
SpringSecurityFilterChain did not work without this class, that's why security didn't work.

In Spring Boot Security Basic Authentication, why the default password is not getting overridden by custom ones

Even when I extend WebSecurityConfigurerAdapter class and override its methods: configure(HttpSecurity http) and configure(AuthenticationManagerBuilder auth) with custom users and roles and either add or remove #EnableWebSecurity annotation from this configuration concrete class, the default password is still getting generated and I cannot use http basic authentication with the custom credentials I declared inside configure() method.
I am always getting like below in the console:
Using generated security password: a2b4b374-65d2-4d20-a965-b34c00d44de9
turning off Spring Security by excluding SecurityAutoConfiguration.class is disabling the whole security which I don't want.
pom.xml
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.5.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
</dependencies>
Security Configuration
#Configuration
#EnableWebSecurity
public class BookStoreSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("{noop}password").roles("USER");
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().antMatcher("/**").authorizeRequests().anyRequest().hasRole("USER").and().csrf().disable();
}
}
App Entry Point
#SpringBootApplication(scanBasePackages={"com.example.springbootsecurity.bookstore"})
public class BookStoreApp {
public static void main(String[] args) {
SpringApplication.run(BookStoreApp.class, args);
}
}
I expected that from postman I would be able to login through basic authentication of my custom credential: admin/password.
But I always get the default password at console and my declared user credentials don't ever work and always give 401 unauthorized http status
Please help me with the solution!

javax.servlet.ServletException: Circular view path [login]

I am new to Spring Boot and want to add the Spring Security module to my previous project. I followed this link. My Spring Boot version is 1.5.6.RELEASE.
Here is the security configuration
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
#Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
}
Here is the MVC configuration:
#Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
#Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/home").setViewName("home");
registry.addViewController("/").setViewName("home");
registry.addViewController("/hello").setViewName("hello");
registry.addViewController("/login").setViewName("login");
}
I can ensure that home.html, hello.html and login.html are located in resources/templates/. As I added the Spring Security part to a previous project, I also has an controller that handles jpa request
#Controller
#RequestMapping("/test/pgsql")
public class TestPostgreSQLController {
#Autowired
private CustomerRepository customerRepository;
#RequestMapping("/save")
public #ResponseBody
String process() {
customerRepository.save(new Customer("Neo", "Chan"));
customerRepository.save(new Customer("Luke", "Liu"));
customerRepository.save(new Customer("Ran", "Guo"));
customerRepository.save(new Customer("Joey", "Chen"));
customerRepository.save(new Customer("Larry", "Huang"));
return "Done";
}
#RequestMapping("/findbyid")
public #ResponseBody String findById(#RequestParam("id") long id) {
String result = "";
result = customerRepository.findOne(id).toString();
return result;
}
#RequestMapping("/find")
public #ResponseBody String find(#RequestParam("lastname") String lastName) {
String results = "";
for (Customer bauer : customerRepository.findCustomersByLastName(lastName)) {
System.out.println(bauer.toString());
results = results + bauer.toString() + "<br>";
}
return results;
}
}
the pom.xml is like this
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
I build the project as jar package. When I visit the localhost:8080/home or localhost:8080/login address. It throws the following exception:
javax.servlet.ServletException: Circular view path [login]: would dispatch back to the current handler URL [/login] again. Check your ViewResolver setup! (Hint: This may be the result of an unspecified view, due to default view name generation.)
Any suggestion? Thanks in advance.

I had the same problem. Problem is related with pom file, you should add Thymeleaf dependency and code will start works.
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>

It's long time after this question been asked but I found the answer here]
try to add registry.addViewController("/login").setViewName("login.html");
that work for me hope it helps1

Spring security permitAll() does not work

<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.0.5.RELEASE</version>
</dependency>
I have created a spring-boot application purely severed as resource server.
#Configuration
#EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
#Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().permitAll();
}
}
In my configuration class, I did the above (allow everything, just for experiment purpose). However, it still seems that all requests come to this server got 401 unauthorised error. PermitAll() does not seem to work.
Am I missing something here?
Thanks.