Class VaadinSecurityConfigurer

java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<VaadinSecurityConfigurer,org.springframework.security.config.annotation.web.builders.HttpSecurity>
com.vaadin.flow.spring.security.VaadinSecurityConfigurer
All Implemented Interfaces:
org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,org.springframework.security.config.annotation.web.builders.HttpSecurity>

public final class VaadinSecurityConfigurer extends org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<VaadinSecurityConfigurer,org.springframework.security.config.annotation.web.builders.HttpSecurity>
A SecurityConfigurer specifically designed for Vaadin applications.

Provides built-in customizers to configure the security settings for Flow and Hilla by integrating with Spring Security and specialized methods to handle view access control and default security workflows in Vaadin applications.

Usage example:

 
 @Configuration
 @EnableWebSecurity
 public class MyWebSecurity {

     @Bean
     SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         return http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
             configurer.loginView(MyLoginView.class);
         }).build();
     }
 }
 
 

Configurers

This configurer applies other configurers to set up the security filter chain properly for Vaadin applications. The following configurers may be applied:

Shared Objects

The following beans are shared by this configurer (if not already shared):

  • Method Details

    • vaadin

      public static VaadinSecurityConfigurer vaadin()
      Creates a new instance of the VaadinSecurityConfigurer that can be used to configure security settings for Vaadin applications.
      Returns:
      a new instance of VaadinSecurityConfigurer
    • loginView

      public VaadinSecurityConfigurer loginView(Class<? extends Component> loginView)
      Configures the login view for use in a Flow application.

      This method ensures that the provided login view class is annotated with @Route, retrieves the route path for the login view, and sets up the necessary configurations for login and logout paths.

      Parameters:
      loginView - the component class to be used as the login view
      Returns:
      the current configurer instance for method chaining
      Throws:
      IllegalArgumentException - if the provided class is not annotated with @Route
    • loginView

      public VaadinSecurityConfigurer loginView(Class<? extends Component> loginView, String logoutSuccessUrl)
      Configures the login view for use in a Flow application and the logout success URL.

      This method ensures that the provided login view class is annotated with @Route, retrieves the route path for the login view, and sets up the necessary configurations for login and logout paths.

      Parameters:
      loginView - the component class to be used as the login view
      logoutSuccessUrl - the URL to redirect to upon a successful logout
      Returns:
      the current configurer instance for method chaining
      Throws:
      IllegalArgumentException - if the provided class is not annotated with @Route
    • loginView

      public VaadinSecurityConfigurer loginView(String loginView)
      Configures the login view for use in a Hilla application.

      This is used when your application uses a Hilla-based login view that is available at the given path.

      If the path points to a Flow view, the corresponding Java class must be annotated with AnonymousAllowed to ensure that the view is always accessible.

      Parameters:
      loginView - the path to the login view
      Returns:
      the current configurer instance for method chaining
    • loginView

      public VaadinSecurityConfigurer loginView(String loginView, String logoutSuccessUrl)
      Configures the login view for use in a Hilla application and the logout success URL.

      This is used when your application uses a Hilla-based login view that is available at the given path.

      If the path points to a Flow view, the corresponding Java class must be annotated with AnonymousAllowed to ensure that the view is always accessible.

      Parameters:
      loginView - the path to the login view
      logoutSuccessUrl - the URL to redirect to upon a successful logout
      Returns:
      the current configurer instance for method chaining
    • oauth2LoginPage

      public VaadinSecurityConfigurer oauth2LoginPage(String oauth2LoginPage)
      Configures the login page for OAuth2 authentication.

      If using Spring's OAuth2 client, this should be set to Spring's internal redirect endpoint /oauth2/authorization/{registrationId} where registrationId is the ID of the OAuth2 client registration.

      This method also configures a logout success handler that redirects to the application base URL after logout.

      Parameters:
      oauth2LoginPage - the login page for OAuth2 authentication
      Returns:
      the current configurer instance for method chaining
    • oauth2LoginPage

      public VaadinSecurityConfigurer oauth2LoginPage(String oauth2LoginPage, String postLogoutRedirectUri)
      Configures the login page for OAuth2 authentication and the post-logout redirect URI.

      If using Spring's OAuth2 client, this should be set to Spring's internal redirect endpoint /oauth2/authorization/{registrationId} where registrationId is the ID of the OAuth2 client registration.

      The {baseUrl} placeholder is also supported, which is the same as {baseScheme}://{baseHost}{basePort}{basePath}.

      Parameters:
      oauth2LoginPage - the login page for OAuth2 authentication
      postLogoutRedirectUri - the URI to redirect to after the user logs out
      Returns:
      the current configurer instance for method chaining
    • logoutSuccessHandler

      public VaadinSecurityConfigurer logoutSuccessHandler(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler)
      Configures the handler for a successful logout.

      This overrides the default handler configured automatically with either loginView(Class) or oauth2LoginPage(String) (and their overloads).

      Parameters:
      logoutSuccessHandler - the logout success handler
      Returns:
      the current configurer instance for method chaining
    • addLogoutHandler

      public VaadinSecurityConfigurer addLogoutHandler(org.springframework.security.web.authentication.logout.LogoutHandler logoutHandler)
      Adds a LogoutHandler to the list of logout handlers.
      Parameters:
      logoutHandler - the logout handler to be added
      Returns:
      the current configurer instance for method chaining
    • enableCsrfConfiguration

      public VaadinSecurityConfigurer enableCsrfConfiguration(boolean enableCsrfConfiguration)
      Enables or disables automatic CSRF configuration (enabled by default).

      This configurer will automatically configure Spring's CSRF filter to allow Vaadin internal framework requests to be properly processed.

      Parameters:
      enableCsrfConfiguration - whether CSRF configuration should be enabled
      Returns:
      the current configurer instance for method chaining
    • enableLogoutConfiguration

      public VaadinSecurityConfigurer enableLogoutConfiguration(boolean enableLogoutConfiguration)
      Enables or disables automatic logout configuration (enabled by default).

      This configurer will automatically configure logout behavior to work properly with Flow and Hilla.

      Parameters:
      enableLogoutConfiguration - whether logout configuration should be enabled
      Returns:
      the current configurer instance for method chaining
    • enableRequestCacheConfiguration

      public VaadinSecurityConfigurer enableRequestCacheConfiguration(boolean enableRequestCacheConfiguration)
      Enables or disables automatic configuration of the request cache (enabled by default).

      This configurer will automatically configure the request cache to work properly with Vaadin's internal framework requests.

      Parameters:
      enableRequestCacheConfiguration - whether configuration of the request cache should be enabled
      Returns:
      the current configurer instance for method chaining
    • enableExceptionHandlingConfiguration

      public VaadinSecurityConfigurer enableExceptionHandlingConfiguration(boolean enableExceptionHandlingConfiguration)
      Enables or disables automatic configuration of exception handling (enabled by default).

      This configurer will automatically configure exception handling to work properly with Flow and Hilla.

      Parameters:
      enableExceptionHandlingConfiguration - whether configuration of exception handling should be enabled
      Returns:
      the current configurer instance for method chaining
    • enableAuthorizedRequestsConfiguration

      public VaadinSecurityConfigurer enableAuthorizedRequestsConfiguration(boolean enableAuthorizedRequestsConfiguration)
      Enables or disables automatic configuration of authorized requests (enabled by default).

      This configurer will automatically configure authorized requests to permit requests to anonymous Flow and Hilla views, and static assets.

      Parameters:
      enableAuthorizedRequestsConfiguration - whether configuration of authorized requests should be enabled
      Returns:
      the current configurer instance for method chaining
    • anyRequest

      public VaadinSecurityConfigurer anyRequest(Consumer<org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>.AuthorizedUrl> anyRequestAuthorizeRule)
      Configures the access rule for any request not matching other configured rules.

      The default rule is to require authentication, which is the equivalent of passing AuthorizeHttpRequestsConfigurer.AuthorizedUrl.authenticated() to this method.

      Parameters:
      anyRequestAuthorizeRule - the access rule for any request not matching other rules, or null to disable automatic configuration
      Returns:
      the current configurer instance for method chaining
    • enableNavigationAccessControl

      public VaadinSecurityConfigurer enableNavigationAccessControl(boolean enableNavigationAccessControl)
      Enables or disables configuration of NavigationAccessControl.

      NavigationAccessControl is enabled by default.

      Parameters:
      enableNavigationAccessControl - a boolean flag indicating whether NavigationAccessControl should be enabled or disabled
      Returns:
      the current configurer instance for method chaining
    • defaultPermitMatcher

      public org.springframework.security.web.util.matcher.RequestMatcher defaultPermitMatcher()
      Creates and returns a composite RequestMatcher for identifying requests that should be permitted without authentication within a Vaadin application.

      This matcher combines multiple specific matchers, including those for framework internal requests, anonymous endpoints, allowed Hilla views, anonymous routes, custom web icons, and default security configurations.

      Returns:
      a RequestMatcher that matches requests to be allowed without authentication
    • init

      public void init(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Specified by:
      init in interface org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,org.springframework.security.config.annotation.web.builders.HttpSecurity>
      Overrides:
      init in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,org.springframework.security.config.annotation.web.builders.HttpSecurity>
      Throws:
      Exception
    • configure

      public void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
      Specified by:
      configure in interface org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,org.springframework.security.config.annotation.web.builders.HttpSecurity>
      Overrides:
      configure in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,org.springframework.security.config.annotation.web.builders.HttpSecurity>
      Throws:
      Exception
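
Added example (not part of the Vaadin Javadoc or project code): a filter chain that combines loginView(String, String), addLogoutHandler and anyRequest, with the weak catch-all rule shown next to the default one. The class name, paths, role and cookie name are hypothetical, and the example assumes application-specific rules are declared on HttpSecurity before the configurer is applied so that they precede its catch-all rule.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;

import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;

@Configuration
@EnableWebSecurity
public class HardenedWebSecurity {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Application-specific rule (hypothetical path and role). Assumption:
        // declaring it before the configurer is applied keeps it ahead of the
        // catch-all rule that the configurer registers.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN"));

        return http.with(VaadinSecurityConfigurer.vaadin(), configurer -> configurer
                // Login view addressed by path; if "/login" is a Flow view,
                // its class must be annotated with AnonymousAllowed.
                // "/" is the logout success URL.
                .loginView("/login", "/")

                // Extra cleanup on logout (hypothetical cookie name).
                .addLogoutHandler(new CookieClearingLogoutHandler("app-pref"))

                // WEAK: every request not matched by another rule becomes
                // reachable without authentication at the HTTP layer.
                //   .anyRequest(url -> url.permitAll())

                // DEFAULT, stated explicitly: unmatched requests require an
                // authenticated user. Omitting anyRequest(...) has the same effect.
                .anyRequest(url -> url.authenticated())

                // The enable*Configuration(boolean) switches are left at their
                // defaults (enabled), so CSRF, logout, request cache, exception
                // handling and authorized requests stay configured for Vaadin.
        ).build();
    }
}
```

Passing null to anyRequest disables the automatic catch-all rule, so the application must then register its own final rule for unmatched requests.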