vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0

Enable VaadinWebSecurity to use JWT coming from a Filter #14936

Open simasch opened 2 years ago

simasch commented 2 years ago

In some scenarios, a Vaadin application may be called with a valid JWT in the header.

For that a Filter is used that populates the SecurityContext like in this example: https://github.com/simasch/spring-jwt

Now when using VaadinWebSecurity this approach may not work because the JWT must be used in the browser code and sent back to the server with every request.

Currently, we have to create our own security configuration in this scenario, but then we cannot use annotation-based security.

Please add support for such a scenario.

ollin commented 2 years ago

+1

gsustek commented 1 year ago

+1

To populate Spring SecurityContext this kind of configuration should be used... https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html and then build HTTP Session and Vaadin Session

@simasch are you referring to this scenario? https://discord.com/channels/732335336448852018/1050088058239864842/1050132746804146176

instead of the default one:

simasch commented 1 year ago

@gsustek Exactly this is a very common scenario.

gsustek commented 1 year ago

@simasch Can you please explain a little bit more with examples why

"Currently, we have to create our own security configuration in this scenario, but then we cannot use annotation-based security." because "Vaadin has a Spring Security integration and is able to use the Spring Security annotations."

Does this influence the resource server Spring Security configuration case only?

Regards, Goran.


simasch commented 1 year ago

@gsustek I think my initial statement is wrong. We CAN use annotation-based security, but we still need our own filter because we must add some roles. But I definitely have to check the resource server configuration.