I'm trying to include a 'third-party' URL in a Vaadin 14 + Spring Boot application, namely the redirect URL of Spring Security for single sign-on, '/oauth2/authorization/github'. However, the Vaadin servlet seems to intercept this URL and shows an error message that the route is unknown:
Could not navigate to 'oauth2/authorization/github'
Reason: Couldn't find route for 'oauth2/authorization/github'
How can this be prevented so the OAuth2 URL can be reached? I checked the Vaadin documentation but found no information on how to exclude particular paths from the regular router navigation mechanism. The Spring Boot OAuth2 tutorial is from the official Spring site, https://spring.io/guides/tutorials/spring-boot-oauth2/, and the following dependencies were added:
<dependency>
    <groupId>com.vaadin</groupId>
    <artifactId>vaadin</artifactId>
</dependency>
<dependency>
    <groupId>com.vaadin</groupId>
    <artifactId>vaadin-spring-boot-starter</artifactId>
</dependency>
The WebSecurityConfigurerAdapter is properly in place, since the standard Spring Security shows the above-mentioned GitHub auth link on the root '/' of the page. Also, for the root page the unknown route error isn't shown.
I also tried the example in https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/setting-up-spring-security and it works for the regular login page, but again it prevents visiting the OAuth2 link.
Is it required to implement a request filter that dispatches this or can the exclusion be configured somewhere?
edit: As requested, here's the WebSecurityConfigurerAdapter:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Class name, URL constants, CustomRequestCache and SecurityUtils as in the Vaadin tutorial linked above
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String LOGIN_PROCESSING_URL = "/login";
    private static final String LOGIN_FAILURE_URL = "/login?error";
    private static final String LOGIN_URL = "/login";
    private static final String LOGOUT_SUCCESS_URL = "/login";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            // Register our CustomRequestCache, that saves unauthorized access attempts, so
            // the user is redirected after login.
            .requestCache().requestCache(new CustomRequestCache())
            // Restrict access to our application.
            .and().authorizeRequests()
            // Allow all flow internal requests.
            .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
            // Allow all requests by logged in users.
            .anyRequest().authenticated()
            // Configure the login page.
            .and().oauth2Login()
            .and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
            .failureUrl(LOGIN_FAILURE_URL)
            // Configure logout
            .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
    }

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(
            // Vaadin Flow static resources
            "/VAADIN/**",
            // the standard favicon URI
            "/favicon.ico",
            // the robots exclusion standard
            "/robots.txt",
            // web application manifest
            "/manifest.webmanifest",
            "/sw.js",
            "/offline-page.html",
            // icons and images
            "/icons/**",
            "/images/**",
            // (development mode) static resources
            "/frontend/**",
            // (development mode) webjars
            "/webjars/**",
            // (development mode) H2 debugging console
            "/h2-console/**",
            // (production mode) static resources
            "/frontend-es5/**", "/frontend-es6/**",
            // oauth2
            "/user/**",
            "/oauth2/**"
        );
    }
}
After checking the tutorial that @anasmi commented, it turned out that the WebSecurity configuration containing the OAuth2 antMatcher was wrong in the first place.
The effect that can now be observed is that the Spring Security OAuth2 filter forwards to /login, which does not display the page configured for the Vaadin route but a default page with the authorization link to GitHub.
Here's a debug log if it helps to understand what's going on:
You may have been bitten by the Vaadin tutorial, the example code of which, if you used it in your app, has basically removed your antMatchers and HTTP configuration properties from the overall equation.
The problem is in the class ConfigureUIServiceInitListener.java
private void beforeEnter(BeforeEnterEvent event) {
    if (!LoginView.class.equals(event.getNavigationTarget())
            && !SecurityUtils.isUserLoggedIn()) {
        event.rerouteTo(LoginView.class);
    }
}
I ran into a similar problem when trying to make a registration page work. All unauthorized requests are redirected to the login URL. Nothing you do can change this until you do something like this in that method of the class, if you've taken their advice and used it to secure the Vaadin login:
private void beforeEnter(BeforeEnterEvent event) {
    // RegisterView is the additional view that may be opened without being logged in
    if (!LoginView.class.equals(event.getNavigationTarget())
            && !RegisterView.class.equals(event.getNavigationTarget())
            && !SecurityUtils.isUserLoggedIn()) {
        event.rerouteTo(LoginView.class);
    }
}
Obviously, our use cases are slightly different. But this is where you'll have to create an exception case, because otherwise the beforeEnter method will only allow authenticated requests to access internal framework events. Anything other than LoginView will be redirected to /login. All of your attempts to hammer Spring Security into allowing your URL to be accessed by an as-of-yet authenticated user will be fruitless!
This is highly annoying in the sense that one has to configure HTTP security and then make sure they've added any new exceptions in this method.
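The two layers the answer says must be kept in sync, shown together as an added example (not the question's or the answer's code): on the Spring Security side the OAuth2 paths stay inside the filter chain via permitAll instead of web.ignoring(), and on the Vaadin side the listener keeps an explicit allow-list of views an anonymous user may open. LoginView, RegisterView, CustomRequestCache and SecurityUtils are assumed to exist as in the Vaadin tutorial; the login-URL constants and the loginPage() call on oauth2Login() are this example's own assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

// Added example, not the page's code. LoginView, RegisterView, CustomRequestCache and SecurityUtils
// are assumed to exist as in the Vaadin tutorial. Two source files in practice, shown as one here.
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Assumed values: the Vaadin LoginView is mapped at /login
    private static final String LOGIN_URL = "/login";
    private static final String LOGIN_PROCESSING_URL = "/login";
    private static final String LOGIN_FAILURE_URL = "/login?error";
    private static final String LOGOUT_SUCCESS_URL = "/login";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // Vaadin applies its own CSRF token to UIDL requests
            .requestCache().requestCache(new CustomRequestCache())
            .and().authorizeRequests()
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                // The OAuth2 start and callback URLs are served by Spring Security's own filters,
                // so they must stay INSIDE the filter chain: permitAll here, never web.ignoring().
                .antMatchers("/oauth2/**", "/login/oauth2/**").permitAll()
                .anyRequest().authenticated()
            // Naming the login page on oauth2Login() too stops Spring Security from serving its
            // generated page at /login in front of the Vaadin LoginView.
            .and().oauth2Login().loginPage(LOGIN_URL)
            .and().formLogin().loginPage(LOGIN_URL).permitAll()
                .loginProcessingUrl(LOGIN_PROCESSING_URL).failureUrl(LOGIN_FAILURE_URL)
            .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
    }

    @Override
    public void configure(WebSecurity web) {
        // Only static, public resources belong here: ignored paths bypass every security filter.
        web.ignoring().antMatchers("/VAADIN/**", "/favicon.ico", "/robots.txt",
                "/manifest.webmanifest", "/sw.js", "/offline-page.html", "/icons/**",
                "/images/**", "/frontend/**", "/webjars/**", "/frontend-es5/**", "/frontend-es6/**");
    }
}

@Component
class ConfigureUIServiceInitListener implements VaadinServiceInitListener {
    // Views an anonymous user may open; each needs a matching permitAll rule on the security side.
    private static final Set<Class<?>> PUBLIC_VIEWS =
            new HashSet<>(Arrays.asList(LoginView.class, RegisterView.class));

    @Override
    public void serviceInit(ServiceInitEvent event) {
        event.getSource().addUIInitListener(uiEvent ->
                uiEvent.getUI().addBeforeEnterListener(this::beforeEnter));
    }

    private void beforeEnter(BeforeEnterEvent event) {
        if (!PUBLIC_VIEWS.contains(event.getNavigationTarget()) && !isUserLoggedIn()) {
            event.rerouteTo(LoginView.class);
        }
    }

    private static boolean isUserLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && !(auth instanceof AnonymousAuthenticationToken) && auth.isAuthenticated();
    }
}
```

In Vaadin 14 the link that starts the flow must additionally be a plain Anchor carrying the router-ignore attribute rather than a RouterLink, so that the client-side router lets /oauth2/authorization/github reach the server instead of raising the "Couldn't find route" error quoted in the question.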