Closed Peppe closed 3 years ago
As a workaround, I did a custom request handler to my Vaadin project, and handled /beacon/ in it, to avoid the problem.
The implementation is here: https://github.com/Peppe/vabber/blob/main/src/main/java/com/example/application/security/CustomRequestCache.java#L23-L30
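Added example, not part of the original thread and not the code in the linked repository: a Spring Security request cache that never stores a beacon request as the post-login redirect target. It assumes the stray download is the login redirect replaying a saved `/beacon/<id>` request, that the beacon path is `<context>/beacon/<id>` as in this issue, and Spring Security 5 with `javax.servlet`; the class name is hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

/**
 * Hypothetical request cache: skips saving beacon requests so that a denied
 * beacon call can never become the URL the user is sent to after login.
 * Access control is unchanged; the beacon request is still denied for
 * anonymous users, it is just not remembered.
 *
 * Wiring (Spring Security 5 style):
 *   http.requestCache().requestCache(new BeaconIgnoringRequestCache());
 */
public class BeaconIgnoringRequestCache extends HttpSessionRequestCache {

    // Assumption: beacon path as reported in this issue.
    private static final String BEACON_PREFIX = "/beacon/";

    @Override
    public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
        if (isBeaconRequest(request)) {
            return; // do not store as the saved request
        }
        super.saveRequest(request, response);
    }

    static boolean isBeaconRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        // getRequestURI() includes the context path; strip it before matching
        // so the check also works when the app is not deployed at the root.
        String path = (contextPath != null && uri.startsWith(contextPath))
                ? uri.substring(contextPath.length())
                : uri;
        return path.startsWith(BEACON_PREFIX);
    }
}
```

The match is a narrow prefix check on purpose: it only affects what is remembered for the redirect, so it does not open any URL to unauthenticated users.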
If we assume that applications use VaadinWebSecurityConfigurerAdapter or some other mechanism that uses helpers defined by HandlerHelper, then we would just have to change the beacon handler to use a URL that would be matched by one of those.
One obvious candidate would be to use the /VAADIN namespace which is covered by HandlerHelper.getPublicResourcesRequiringSecurityContext(), e.g. using /VAADIN/beacon/<id> as the URL.
For reference, my project is modeled based on the example found at https://github.com/vaadin/spring/tree/master/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity and the tutorial at https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/setting-up-spring-security.
This also causes problems with live reload. When you have collaboration engine in your app and do a change (with Spring Boot Dev Tools enabled) then the app will reload and you will be redirected to the login view, as expected. However, after logging in you will end up on /error showing
{"timestamp": sometime, "status":999,"error":"None","message":"No message available"}
@tulioag for me the beacon is still causing problems in combination with the spring-boot-keycloak-adapter.
We are using a pattern-based whitelisting approach which has been working with the /beacon url.
If I understand it correctly, the beacon url is now pointing to the servlet-root only using query parameters, which makes it impossible to whitelist.
Would it be possible to move the beacon url to the /VAADIN namespace as @Legioth suggested?
Hi @chrosim. I'm no longer working on this project. IIRC, the url was changed to the servlet-root so the beacon is now just another type of Flow request. I suggest that you open a new issue about that.
Describe the bug
Collaboration Engine adds beacon HTTP calls to your app. Adding Spring Security to your app denies access to many urls by default, including /beacon/*. When you press the login button in your app, maybe four times out of five it works correctly. But every now and then, it will instead download a zero byte file with a UUID name. The file is downloaded due to a request to, i.e., /beacon/ec3fff5a-2f77-4318-90c6-4104460637bd.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
You don't have to do anything extra about CE when using it in a Spring Security-secured Vaadin app and login works every time.
Versions