jmix-framework / jmix

Jmix framework
https://www.jmix.io
Apache License 2.0

Extending Jmix REST endpoints to implement custom business logic for web and mobile consumption #3606

Closed mik284 closed 2 months ago

mik284 commented 2 months ago

Environment

Jmix version: 2.2.3

Bug Description

I'm encountering an issue while trying to extend Jmix REST endpoints for web and mobile consumption. The application throws a BeanCreationException when creating the sec_UiSecurityFilterChain bean. The specific error message is as follows:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sec_UiSecurityFilterChain' defined in class path resource [io/jmix/autoconfigure/securityflowui/SecurityFlowuiAutoConfiguration$DefaultFlowuiSecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'securityFilterChain' threw exception with message: View 'LoginView' is not defined

This error occurs because the LoginView is not defined or registered in the application, causing the security filter chain to fail during instantiation. This is problematic because my REST endpoints require authentication, and this issue prevents the application from properly initializing.

Additionally, I need to allow certain APIs to bypass authentication. This is crucial for enabling public access to specific endpoints while keeping others secure.

Steps To Reproduce

  1. Extend Jmix REST endpoints to require authentication.
  2. Start the application.
  3. Observe the BeanCreationException related to sec_UiSecurityFilterChain.

Current Behavior

  1. The application fails to start due to the missing LoginView, leading to a BeanCreationException.
  2. Currently, all APIs are forced to be authenticated, without an easy way to exempt some from authentication.

Expected Behavior

  1. The application should initialize without errors, with the security filter chain correctly configured for REST endpoint authentication.
  2. Specific APIs should be configurable to bypass authentication.

gorbunkov commented 2 months ago

Hi, @mik284! It is not clear what you mean by "Extend Jmix REST endpoints to require authentication."

Please attach a sample project that demonstrates the problem.

mik284 commented 2 months ago

Hello, I've been working on customizing the default Jmix REST configuration to enforce authentication on most of my endpoints. During this process, I encountered an issue where the application failed to start, presenting the following error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sec_UiSecurityFilterChain' defined in class path resource [io/jmix/autoconfigure/securityflowui/SecurityFlowuiAutoConfiguration$DefaultFlowuiSecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'securityFilterChain' threw exception with message: View 'LoginView' is not defined

I managed to resolve this issue by upgrading from Jmix version 2.2.3 to 2.3.1 and utilizing @annotations like @RestMethod, as well as allowing anonymous resource roles which had failed before. While this solution has worked for me, I'm open to exploring new or alternative approaches that might be more efficient or align better with best practices.

I'm particularly curious about any solutions that might offer improved performance, enhanced security, or better integration with Jmix's ecosystem.

https://github.com/mik284/projectMGT

glebfox commented 2 months ago

If you have any concrete problem now, please let us know.