Open mcollovati opened 5 months ago
Quick comment: Make Vaadin's security configuration less intrusive, e.g. no overwriting or anything, by using the proper "FilterChain" level, allowing people to register their own filter in front of or after Vaadin (more easily).
Why? Allowing developers to apply their Spring Security knowledge without all the protected Vaadin methods they could have overwritten, making it quite hard for them to grasp all the possible things with Spring Security and another layer of Vaadin on top.
@knoobie do you mean, for example, define specific `securityMatchers()` in `VaadinWebSecurity`, or something else/in addition?
I was thinking about something like this (not technically perfect; just an idea):

```java
@Bean
@Order
@DefaultBeanThatCanBeExcludedOrOverwritten // hypothetical annotation, see idea above
public SecurityFilterChain vaadinDefaultFilterChain(VaadinSecurityConfig config, HttpSecurity http) {
    // only Vaadin internal communication / VAADIN/**
    // do stuff based on config, e.g. config.isViewSecurityEnabled()
    return http.build();
}

@Bean
@Order
@DefaultBeanThatCanBeExcludedOrOverwritten
public SecurityFilterChain hillaDefaultFilterChain(HttpSecurity http) {
    // only Hilla internal communication
    return http.build();
}

@Bean
@Order
public SecurityFilterChain userCustomStuff(HttpSecurity http) {
    // user stuff
    return http.build();
}
```
Describe your motivation
When using `VaadinWebSecurity` as a base class to configure Spring Security, you can only add request matchers before calling `super.configure()`, because that method sets a final `anyRequest().authenticated()` rule. It could be helpful in some situations (e.g. a request matcher with heavy logic) to specify application security rules after the ones defined by Vaadin, but before the `anyRequest()`. See also the related discussion on the Vaadin forum.
Describe the solution you'd like
Provide two hooks in `VaadinWebSecurity` to prepend and append custom request matchers. The methods will be invoked by `VaadinWebSecurity.configure()` before and after the Vaadin matchers.
Describe alternatives you've considered
Currently, it seems there is no way to add request matchers after Vaadin ones.
Additional context
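To make the ordering constraint behind this request concrete, here is an added example (not code from the issue or from Vaadin) of the only arrangement that works today: a custom `RequestMatcher` with non-trivial logic registered before `super.configure()`, since Spring Security 6 rejects any matcher added after `anyRequest()`. The `/reports/**` path, the `ANALYST` role and the restricted-id set are constructed for illustration.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import jakarta.servlet.http.HttpServletRequest;
import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // Constructed "heavy logic" matcher: matches report downloads whose id is in a
    // restricted set. A real matcher might consult a database or a remote service,
    // which is exactly the kind of rule one would rather evaluate after Vaadin's
    // cheap framework matchers than before them.
    static final class RestrictedReportMatcher implements RequestMatcher {
        private static final Set<String> RESTRICTED = Set.of("payroll", "audit"); // constructed
        private final RequestMatcher path = new AntPathRequestMatcher("/reports/*");

        @Override
        public boolean matches(HttpServletRequest request) {
            if (!path.matches(request)) {
                return false;
            }
            String uri = request.getRequestURI();
            String id = uri.substring(uri.lastIndexOf('/') + 1);
            return RESTRICTED.contains(id);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Application rules must be registered here, before super.configure(),
        // because that call terminates the registry with anyRequest().authenticated().
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/public/**")).permitAll()
                .requestMatchers(new RestrictedReportMatcher()).hasRole("ANALYST"));

        super.configure(http); // adds Vaadin's matchers and anyRequest().authenticated()

        // Any requestMatchers(...) call placed after this point fails at startup with
        // IllegalStateException("Can't configure requestMatchers after anyRequest"),
        // which is the limitation this issue asks to lift with prepend/append hooks.
    }
}
```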