Class VaadinSecurityConfigurer
- All Implemented Interfaces:
  org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain, org.springframework.security.config.annotation.web.builders.HttpSecurity>

SecurityConfigurer specifically designed for Vaadin applications.
Provides built-in customizers to configure the security settings for Flow and Hilla by integrating with Spring Security and specialized methods to handle view access control and default security workflows in Vaadin applications.
Usage example:
@Configuration
@EnableWebSecurity
public class MyWebSecurity {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
            configurer.loginView(MyLoginView.class);
        }).build();
    }
}
Configurers
This configurer applies other configurers to set up the security filter chain properly for Vaadin applications. The following configurers may be applied:
- FormLoginConfigurer if a login view is set with loginView(Class) (or overloads)
- OAuth2LoginConfigurer if a login page for OAuth2 authentication is set with oauth2LoginPage(String) (or overloads)
- CsrfConfigurer to allow internal framework requests (can be disabled with enableCsrfConfiguration(boolean))
- LogoutConfigurer to configure logout handlers for Vaadin applications (can be disabled with enableLogoutConfiguration(boolean))
- RequestCacheConfigurer to set a request cache designed for Vaadin applications (can be disabled with enableRequestCacheConfiguration(boolean))
- ExceptionHandlingConfigurer to configure proper exception handling for Vaadin applications (can be disabled with enableExceptionHandlingConfiguration(boolean))
- AuthorizeHttpRequestsConfigurer to permit internal framework requests and other public endpoints (can be disabled with enableAuthorizedRequestsConfiguration(boolean))
Shared Objects
The following beans are shared by this configurer (if not already shared):
-
Method Summary
Modifier and Type / Method / Description
- addLogoutHandler(org.springframework.security.web.authentication.logout.LogoutHandler logoutHandler)
  Adds a LogoutHandler to the list of logout handlers.
- anyRequest(Consumer<org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>.org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizedUrl> anyRequestAuthorizeRule)
  Configures the access rule for any request not matching other configured rules.
- void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
- org.springframework.security.web.util.matcher.RequestMatcher defaultPermitMatcher()
  Creates and returns a composite RequestMatcher for identifying requests that should be permitted without authentication within a Vaadin application.
- enableAuthorizedRequestsConfiguration(boolean enableAuthorizedRequestsConfiguration)
  Enables or disables automatic configuration of authorized requests (enabled by default).
- enableCsrfConfiguration(boolean enableCsrfConfiguration)
  Enables or disables automatic CSRF configuration (enabled by default).
- enableExceptionHandlingConfiguration(boolean enableExceptionHandlingConfiguration)
  Enables or disables automatic configuration of exception handling (enabled by default).
- enableLogoutConfiguration(boolean enableLogoutConfiguration)
  Enables or disables automatic logout configuration (enabled by default).
- enableNavigationAccessControl(boolean enableNavigationAccessControl)
  Enables or disables configuration of NavigationAccessControl.
- enableRequestCacheConfiguration(boolean enableRequestCacheConfiguration)
  Enables or disables automatic configuration of the request cache (enabled by default).
- void init(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
- loginView
  Configures the login view for use in a Flow application.
- loginView
  Configures the login view for use in a Flow application and the logout success URL.
- loginView
  Configures the login view for use in a Hilla application.
- loginView
  Configures the login view for use in a Hilla application and the logout success URL.
- logoutSuccessHandler(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler)
  Configures the handler for a successful logout.
- oauth2LoginPage(String oauth2LoginPage)
  Configures the login page for OAuth2 authentication.
- oauth2LoginPage(String oauth2LoginPage, String postLogoutRedirectUri)
  Configures the login page for OAuth2 authentication and the post-logout redirect URI.
- static VaadinSecurityConfigurer vaadin()
  Creates a new instance of VaadinSecurityConfigurer that can be used to configure security settings for Vaadin applications.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor, withObjectPostProcessor
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
-
Method Details
-
vaadin
Creates a new instance of VaadinSecurityConfigurer that can be used to configure security settings for Vaadin applications.
- Returns:
  a new instance of VaadinSecurityConfigurer
-
loginView
Configures the login view for use in a Flow application.
This method ensures that the provided login view class is annotated with @Route, retrieves the route path for the login view, and sets up the necessary configurations for login and logout paths.
- Parameters:
  loginView - the component class to be used as the login view
- Returns:
  the current configurer instance for method chaining
- Throws:
  IllegalArgumentException - if the provided class is not annotated with @Route
-
loginView
public VaadinSecurityConfigurer loginView(Class<? extends Component> loginView, String logoutSuccessUrl)
Configures the login view for use in a Flow application and the logout success URL.
This method ensures that the provided login view class is annotated with @Route, retrieves the route path for the login view, and sets up the necessary configurations for login and logout paths.
- Parameters:
  loginView - the component class to be used as the login view
  logoutSuccessUrl - the URL to redirect to upon a successful logout
- Returns:
  the current configurer instance for method chaining
- Throws:
  IllegalArgumentException - if the provided class is not annotated with @Route
-
loginView
Configures the login view for use in a Hilla application.
This is used when your application uses a Hilla-based login view that is available at the given path.
If the path points to a Flow view, the corresponding Java class must be annotated with AnonymousAllowed to ensure that the view is always accessible.
- Parameters:
  loginView - the path to the login view
- Returns:
  the current configurer instance for method chaining
-
loginView
Configures the login view for use in a Hilla application and the logout success URL.
This is used when your application uses a Hilla-based login view that is available at the given path.
If the path points to a Flow view, the corresponding Java class must be annotated with AnonymousAllowed to ensure that the view is always accessible.
- Parameters:
  loginView - the path to the login view
  logoutSuccessUrl - the URL to redirect to upon a successful logout
- Returns:
  the current configurer instance for method chaining
-
oauth2LoginPage
Configures the login page for OAuth2 authentication.
If using Spring's OAuth2 client, this should be set to Spring's internal redirect endpoint /oauth2/authorization/{registrationId} where registrationId is the ID of the OAuth2 client registration.
This method also configures a logout success handler that redirects to the application base URL after logout.
- Parameters:
  oauth2LoginPage - the login page for OAuth2 authentication
- Returns:
  the current configurer instance for method chaining
-
oauth2LoginPage
public VaadinSecurityConfigurer oauth2LoginPage(String oauth2LoginPage, String postLogoutRedirectUri)
Configures the login page for OAuth2 authentication and the post-logout redirect URI.
If using Spring's OAuth2 client, this should be set to Spring's internal redirect endpoint /oauth2/authorization/{registrationId} where registrationId is the ID of the OAuth2 client registration.
The {baseUrl} placeholder is also supported, which is the same as {baseScheme}://{baseHost}{basePort}{basePath}.
- Parameters:
  oauth2LoginPage - the login page for OAuth2 authentication
  postLogoutRedirectUri - the URI to redirect to after the user logs out
- Returns:
  the current configurer instance for method chaining
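
The two-argument oauth2LoginPage overload described above, as an added example that is not part of the original Javadoc. The registration ID "example-idp" and the "/signed-out" path are hypothetical, and the package in the VaadinSecurityConfigurer import is an assumption because this page does not show it.

```java
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer; // package assumed, not shown on this page
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OAuth2WebSecurity {

    // Hypothetical registration ID. It has to equal the <id> used in the
    // spring.security.oauth2.client.registration.<id>.* properties,
    // otherwise the login page below points at a registration that
    // does not exist.
    private static final String REGISTRATION_ID = "example-idp";

    // Spring's internal redirect endpoint for that registration:
    // /oauth2/authorization/{registrationId}
    private static final String LOGIN_PAGE =
            "/oauth2/authorization/" + REGISTRATION_ID;

    // Hypothetical signed-out page. {baseUrl} stands for
    // {baseScheme}://{baseHost}{basePort}{basePath}, so no absolute
    // host name has to be hard-coded per environment.
    private static final String POST_LOGOUT_URI = "{baseUrl}/signed-out";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.with(VaadinSecurityConfigurer.vaadin(), configurer ->
                configurer.oauth2LoginPage(LOGIN_PAGE, POST_LOGOUT_URI))
                .build();
    }
}
```

The post-logout target should be reachable without authentication, otherwise a freshly logged-out user is sent straight back into the login flow.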
-
logoutSuccessHandler
public VaadinSecurityConfigurer logoutSuccessHandler(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler)
Configures the handler for a successful logout.
This overrides the default handler configured automatically with either loginView(Class) or oauth2LoginPage(String) (and their overloads).
- Parameters:
  logoutSuccessHandler - the logout success handler
- Returns:
  the current configurer instance for method chaining
-
addLogoutHandler
public VaadinSecurityConfigurer addLogoutHandler(org.springframework.security.web.authentication.logout.LogoutHandler logoutHandler)
Adds a LogoutHandler to the list of logout handlers.
- Parameters:
  logoutHandler - the logout handler to be added
- Returns:
  the current configurer instance for method chaining
-
enableCsrfConfiguration
Enables or disables automatic CSRF configuration (enabled by default).
This configurer will automatically configure Spring's CSRF filter to allow Vaadin internal framework requests to be properly processed.
- Parameters:
  enableCsrfConfiguration - whether CSRF configuration should be enabled
- Returns:
  the current configurer instance for method chaining
-
enableLogoutConfiguration
Enables or disables automatic logout configuration (enabled by default).
This configurer will automatically configure logout behavior to work properly with Flow and Hilla.
- Parameters:
  enableLogoutConfiguration - whether logout configuration should be enabled
- Returns:
  the current configurer instance for method chaining
-
enableRequestCacheConfiguration
public VaadinSecurityConfigurer enableRequestCacheConfiguration(boolean enableRequestCacheConfiguration)
Enables or disables automatic configuration of the request cache (enabled by default).
This configurer will automatically configure the request cache to work properly with Vaadin's internal framework requests.
- Parameters:
  enableRequestCacheConfiguration - whether configuration of the request cache should be enabled
- Returns:
  the current configurer instance for method chaining
-
enableExceptionHandlingConfiguration
public VaadinSecurityConfigurer enableExceptionHandlingConfiguration(boolean enableExceptionHandlingConfiguration)
Enables or disables automatic configuration of exception handling (enabled by default).
This configurer will automatically configure exception handling to work properly with Flow and Hilla.
- Parameters:
  enableExceptionHandlingConfiguration - whether configuration of exception handling should be enabled
- Returns:
  the current configurer instance for method chaining
-
enableAuthorizedRequestsConfiguration
public VaadinSecurityConfigurer enableAuthorizedRequestsConfiguration(boolean enableAuthorizedRequestsConfiguration)
Enables or disables automatic configuration of authorized requests (enabled by default).
This configurer will automatically configure authorized requests to permit requests to anonymous Flow and Hilla views, and static assets.
- Parameters:
  enableAuthorizedRequestsConfiguration - whether configuration of authorized requests should be enabled
- Returns:
  the current configurer instance for method chaining
- See Also:
-
anyRequest
public VaadinSecurityConfigurer anyRequest(Consumer<org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>.org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizedUrl> anyRequestAuthorizeRule)
Configures the access rule for any request not matching other configured rules.
The default rule is to require authentication, which is the equivalent of passing AuthorizeHttpRequestsConfigurer.AuthorizedUrl.authenticated() to this method.
- Parameters:
  anyRequestAuthorizeRule - the access rule for any request not matching other rules, or null to disable automatic configuration
- Returns:
  the current configurer instance for method chaining
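
A form-login configuration that tightens the fallback rule set by anyRequest and adds a logout handler through addLogoutHandler, as an added example that is not part of the original Javadoc. MyLoginView is the @Route-annotated view from the usage example; the "/api/health" path and the "APP_PREFS" cookie are hypothetical, the package in the VaadinSecurityConfigurer import is assumed, and the example assumes rules registered on HttpSecurity before the configurer is applied are matched ahead of the fallback rule.

```java
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer; // package assumed, not shown on this page
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;

@Configuration
@EnableWebSecurity
public class StrictWebSecurity {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Application-specific public endpoint (hypothetical path). Every
        // extra permitAll() widens the unauthenticated surface, so keep
        // this list short and explicit.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(PathPatternRequestMatcher.withDefaults()
                        .matcher("/api/health"))
                .permitAll());

        return http.with(VaadinSecurityConfigurer.vaadin(), configurer -> configurer
                // Throws IllegalArgumentException if MyLoginView lacks @Route.
                .loginView(MyLoginView.class, "/")
                // Runs in addition to the logout handling the configurer
                // sets up; clears a hypothetical per-user cookie.
                .addLogoutHandler(new CookieClearingLogoutHandler("APP_PREFS"))
                // Fallback for every request no other rule matched. Stricter
                // than the default authenticated(): a remember-me session
                // alone is not sufficient.
                .anyRequest(rule -> rule.fullyAuthenticated()))
                .build();
    }
}
```

Passing null to anyRequest instead leaves unmatched requests without an automatically configured rule, so the application has to supply its own fallback.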
-
defaultPermitMatcher
public org.springframework.security.web.util.matcher.RequestMatcher defaultPermitMatcher()
Creates and returns a composite RequestMatcher for identifying requests that should be permitted without authentication within a Vaadin application.
This matcher combines multiple specific matchers, including those for framework internal requests, anonymous endpoints, allowed Hilla views, anonymous routes, custom web icons, and default security configurations.
- Returns:
  a RequestMatcher that matches requests to be allowed without authentication
-
init
public void init(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
- Specified by:
  init in interface org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain, org.springframework.security.config.annotation.web.builders.HttpSecurity>
- Overrides:
  init in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain, org.springframework.security.config.annotation.web.builders.HttpSecurity>
- Throws:
  Exception
-
configure
public void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
- Specified by:
  configure in interface org.springframework.security.config.annotation.SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain, org.springframework.security.config.annotation.web.builders.HttpSecurity>
- Overrides:
  configure in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain, org.springframework.security.config.annotation.web.builders.HttpSecurity>
- Throws:
  Exception
-