Closed vlipovetskii closed 1 year ago
Hi, hmmm, that's interesting. Perhaps you're running the tests in production mode and the access is rejected to given route? In such case Vaadin responds with NotFoundException, in order to not to reveal to the potential attacker that the route in fact exists.
Could you also provide an example project please?
Yes, the tests are run in the production mode. I have investigated, how Vaadin checks the access to views.
Several classes participate in the check process: SpringViewAccessChecker extends ViewAccessChecker and uses AccessAnnotationChecker to check the access.
As a workaround, I have created my own custom implementation of AccessAnnotationChecker, which bypasses annotation checks if setting isProdEnvironment=false. So, the issue can be closed.
` open class KVdAccessAnnotationChecker( env: Environment, prefix: String = defaultPrefix, ) : AccessAnnotationChecker(), KServiceHasLoggingEnabledA by KServiceHasLoggingEnabled(env, prefix) {
companion object : KLoggerA {
const val defaultPrefix = "KAccessAnnotationChecker"
private val log by lazy { classLogger }
}
@Suppress("MemberVisibilityCanBePrivate")
protected val isProdEnvironment = env.getRequiredProperty<Boolean>("$prefix.isProdEnvironment", log)
override fun hasAccess(method: Method?, principal: Principal?, roleChecker: Function<String, Boolean>?): Boolean {
if (isServiceLoggingEnabled) log.info("hasAccess($method, $principal, roleChecker)")
return if (isProdEnvironment) {
super.hasAccess(method, principal, roleChecker).also {
if (isServiceLoggingEnabled) log.info("super.hasAccess(method, principal, roleChecker) -> $it")
}
} else {
true.also {
if (isServiceLoggingEnabled) log.info("true")
}
}
}
override fun hasAccess(cls: Class<*>?, principal: Principal?, roleChecker: Function<String, Boolean>?): Boolean {
if (isServiceLoggingEnabled) log.info("hasAccess($cls, $principal, roleChecker)")
return if (isProdEnvironment) {
super.hasAccess(cls, principal, roleChecker).also {
if (isServiceLoggingEnabled) log.info("super.hasAccess(cls, principal, roleChecker) -> $it")
}
}else {
true.also {
if (isServiceLoggingEnabled) log.info("true")
}
}
}
} `
Thank you for letting me know; closing as fixed then. However, perhaps Karibu should offer some support out-of-the-box for this? If yes, we can brainstorm on the best way.
naviagteTo doesn't work (Vaadin UI uncaught exception com.vaadin.flow.router.NotFoundException), if to put @PermiAll on a class with @Route annotation.
Removing @PermiAll doesn't help.
To allow naviagteTo to work, I need to replace @PermiAll with @AnonymousAllowed temporarily.
spring-boot: 2.7.7 Vaadin: 23.3.2 karibu: 1.1.3 karibu-tools: 0.13 karibu-testing: 1.3.23