Java Config for Spring Security with Vaadin

Question

Im new to these frameworks (Vaadin:7.6.1, Spring Security:4.0.3) and I'm asking myself how to configure the authorized requests if I want to build a Vaadin application.

I looked up a few examples where something like this is written:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{

    [...]

    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
            .authorizeRequests()
                .antMatchers("/login**").permitAll()
                .antMatchers("/UIDL/**").permitAll()
                .antMatchers("/HEARTBEAT/**").authenticated()
                .antMatchers("/VAADIN/**").permitAll()
                .antMatchers("/resources/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .logout().permitAll()
                .and()
            .csrf().disable();
    }
}

Because I want to design the login page I use the Thymeleaf engine. Therefore I'm using this Controller class:

@Controller
public class LoginController
{
    @RequestMapping("/login")
    String login(Model model)
    {
        return "login";
    }
}

Which .antMatchers() should I define if I want to block every request of my application if the user isn't logged in? I know that I have to define antMatchers("/resources/**").permitAll() for the login page to get the css and images. But what are these patterns like "/UIDL/**" and what do I need them for?

Answer 1

Which .antMatchers() should I define if I want to block every request of my application if the user isn't logged in?

If you just want to block every request if the user isn't logged in:

@Override
protected void configure(HttpSecurity http) throws Exception
{
    http
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            .loginPage("/login").permitAll()
            .and()
        .logout().permitAll()
            .and()
        .csrf().disable();
}

You don't really need any antMatcher, not even for the login page, as in the .formLogin() part, you already include .permitAll() for that page.

Now for static resources (css, js, images) and with VAADIN in mind, you can do this overriding another method:

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring()
        .antMatchers("/resources/**", "/VAADIN/**");
}

With a Spring Boot project, i also found issues if i didn't allow requests to "/vaadinServlet/**"in the web.ignoring().antMatchers(...).

what are these patterns like "/UIDL/**" and what do I need them for?

When the server receives a request, Spring Security uses these patterns to determine if it should allow or deny access to the request.

They represent the part of the URI after the context root of your application, e.g. in the case of your context root being /, then a request like http://server.com/UIDL/hello the part of the URI that Spring Security will use to determine wether to give acces or not will be /UIDL/hello

The ** represents anything including any sub level, e.g. for the /UIDL/** pattern, the request /UIDL/hello/world/and/any/more/levels will match.

There's also the single * which represents, anything but not including the sub levels, e.g. for the /UIDL/* pattern, the request /UIDL/hello will match, but not /UIDL/hello/world.

As for VAADIN views and UIs, i'm not sure that it is possible to use the antMatchers to grant or deny access, but instead you can annotate the configuration class with @EnableGlobalMethodSecurity(prePost = enabled) and then be able to use the @PreAuthorize( /* spel expression */) annotation on the views to grant or deny access.

UPDATE : Answering to comment questions:

1. Why do you use the configure(WebSecurity web) method with ignoring the resources instead of the configure(HttpSecurity http) with allowing access? Are there significant differences?

The difference is that WebSecurity#ignoring() makes the request being skipped from the Spring Security filter chain, and it is the recommended way for static resources, anything else than static resources should be processed inside configure(HttpSecurity http).

source

2. Why do you ignore the "/VAADIN/**" path?

Because that path is used to serve themes, widget sets, and customizations, which is static content, the path is used to serve it dinamycally from the Vaadin jar, but as suggested in the Vaadin documentation, in production environments should be served statically, as it is faster.

source

3. I could imagine the meaning of "/*" and "/**", but what does "UIDL" and "HEARTBEAT" actually mean? Why are they permitted?

UIDL:

User Interface Definition Language (UIDL) is a language for serializing user interface contents and changes in responses from web server to a browser. The idea is that the server-side components "paint" themselves to the screen (a web page) with the language. The UIDL messages are parsed in the browser and translated to GWT widgets.

source

Heartbeat requests are performed periodically to verify that the connection is still alive between server and client, or the session haven't expired.

source - see sections 4.8.5, 4.8.6, 4.8.7 and 4.8.8