Problem with permitAll in Vaadin and WebSecurity - not working

Submitted by 人盡茶涼 on 2021-02-10 18:39:52

Question


I have a few views made in Vaadin by @Route and now I want to add Security and some Login. In my SecurityConfiguration class I'm setting antMatchers.permitAll() only for 2 views and for the rest with Role ADMIN. But it is not working as I think it should. It demands login to access every view, and after login I have access to all views no matter what role the user has.

I hoped this tutorial would help me, but in it there are no views accessible without login.

Securing Your App With Spring Security

My configuration class:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Application's own UserDetailsService implementation (same package).
    private UserService userService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public SecurityConfiguration(UserService userService) {
        this.userService = userService;
    }

    @Autowired
    private void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        // Two authentication sources: the application's UserService and an
        // in-memory account "user"/"user" that only carries ROLE_USER.
        auth.userDetailsService(userService);
        auth.inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder().encode("user"))
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // URL-based rules: "/" and "/login" open to everyone, the two manager
        // paths restricted to ROLE_ADMIN; everything else is left unmatched.
        http.httpBasic().and()
                .anonymous()
                .and()
                .authorizeRequests()
                .antMatchers("/", "/login").permitAll()
                .antMatchers("/recipe-manager", "/ingredient-manager").hasAnyRole("ADMIN")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .csrf().disable().cors().disable().headers().disable();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // These paths bypass the security filter chain entirely (static
        // resources, service worker, H2 console, Vaadin client bundles).
        web.ignoring().antMatchers(
                "/VAADIN/**",
                "/favicon.ico",
                "/robots.txt",
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",
                "/icons/**",
                "/images/**",
                "/frontend/**",
                "/webjars/**",
                "/h2-console/**",
                "/frontend-es5/**", "/frontend-es6/**");
    }
}

My Views have annotations like:

@Route("recipe-manager")
public class RecipeManagerView extends VerticalLayout
@Route("")
public class RecipeBrowserView extends VerticalLayout 
@Route("login")
public class LoginView extends VerticalLayout 
@Route("ingredient-manager")
public class IngredientManagerView extends VerticalLayout 

I would expect that anyone can have access to RecipeBrowserView and LoginView, but only a logged-in user can have access to RecipeManagerView and IngredientManagerView.


Answer 1:


You cannot use path based matching from Spring Security for Vaadin routes. Spring Security does the matching based on request paths whereas navigation from one view to another inside Vaadin is sent as metadata inside an internal request that always goes to the same hardcoded path.

Instead, you can implement your access control logic in an interceptor provided by Vaadin. You can have a look at https://vaadin.com/tutorials/securing-your-app-with-spring-security to find out more about this.
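A sketch of the view-level check that this answer describes, added here as an illustration; it is not code from the question, the answers or the linked tutorial. It assumes the four view classes from the question, a hypothetical listener class name RouteAccessControlInitListener, the Vaadin Flow VaadinServiceInitListener/BeforeEnterListener API, and that the Spring Security context is populated by the HttpSecurity form-login setup the question already has. The check keys on the target view class, which is exactly the information Spring's URL matchers never see for an in-app navigation.

```java
import java.util.Map;
import java.util.Set;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

/**
 * Hypothetical listener (not from the question or answers): runs the
 * per-view access check inside Vaadin's navigation lifecycle, where the
 * target view class is known, instead of in Spring Security's URL matchers.
 */
@Component
public class RouteAccessControlInitListener implements VaadinServiceInitListener {

    // Which views need which Spring Security authority. Views absent from this
    // map (RecipeBrowserView, LoginView) are reachable by anyone, mirroring the
    // permitAll()/hasAnyRole("ADMIN") split the question's config tried to express.
    // Note that .roles("ADMIN") in Spring yields the authority "ROLE_ADMIN".
    private static final Map<Class<?>, Set<String>> REQUIRED_AUTHORITIES = Map.of(
            RecipeManagerView.class, Set.of("ROLE_ADMIN"),
            IngredientManagerView.class, Set.of("ROLE_ADMIN"));

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Hook every new UI so the check runs before each navigation target is entered.
        event.getSource().addUIInitListener(uiEvent ->
                uiEvent.getUI().addBeforeEnterListener(this::beforeEnter));
    }

    private void beforeEnter(BeforeEnterEvent event) {
        Class<?> target = event.getNavigationTarget();
        Set<String> required = REQUIRED_AUTHORITIES.get(target);
        if (required == null) {
            return; // public view, nothing to check
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!isLoggedIn(auth)) {
            // Not authenticated: show the login view instead of the requested one.
            event.rerouteTo(LoginView.class);
            return;
        }
        if (!hasAnyAuthority(auth, required)) {
            // Authenticated but lacking the role: reroute to Vaadin's default
            // not-found error view so the protected view is never rendered.
            event.rerouteToError(NotFoundException.class);
        }
    }

    // With .anonymous() enabled, an unauthenticated browser still carries an
    // AnonymousAuthenticationToken, so a null check alone is not enough.
    static boolean isLoggedIn(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    static boolean hasAnyAuthority(Authentication auth, Set<String> required) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.contains(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

The HttpSecurity configuration from the question still does its job for the HTTP-level pieces (the form login at /login, logout, the ignored static paths); what moves is only the per-view authorization decision. Registering the listener as a Spring bean relies on the Vaadin Spring integration discovering VaadinServiceInitListener beans; without that integration it would instead be listed in META-INF/services/com.vaadin.flow.server.VaadinServiceInitListener.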




Answer 2:


To my understanding antMatchers only accept single arguments. You should change your configuration class like:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Application's own UserDetailsService implementation (same package).
    private UserService userService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public SecurityConfiguration(UserService userService) {
        this.userService = userService;
    }

    @Autowired
    private void configureAuth(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
        auth.inMemoryAuthentication()
                .withUser("user")
                .password(passwordEncoder().encode("user"))
                .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and()
                .anonymous()
                .and()
                .authorizeRequests()
                // The only change from the question: one path per antMatchers call.
                .antMatchers("/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/recipe-manager", "/ingredient-manager").hasAnyRole("ADMIN")
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().logoutSuccessUrl("/")
                .and()
                .csrf().disable().cors().disable().headers().disable();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                "/VAADIN/**",
                "/favicon.ico",
                "/robots.txt",
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",
                "/icons/**",
                "/images/**",
                "/frontend/**",
                "/webjars/**",
                "/h2-console/**",
                "/frontend-es5/**", "/frontend-es6/**");
    }
}


Source: https://stackoverflow.com/questions/57554363/problem-with-permitall-in-vaadin-and-websecurity-not-working
