vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0

Allow adding authorization request matcher after Vaadin rules in VaadinWebSecurity #19283

Open mcollovati opened 5 months ago

mcollovati commented 5 months ago

Describe your motivation

When using VaadinWebSecurity as a base class to configure Spring Security, you can only add request matchers before calling super.configure() because that method sets a final anyRequest().authenticated() rule.

It could be helpful in some situations (e.g. request matcher with heavy logic) to specify application security rules after the ones defined by Vaadin, but before the anyRequest().

See also related discussion on Vaadin forum

Describe the solution you'd like

Provide two hooks in VaadinWebSecurity to prepend and append custom request matchers. The methods will be invoked by VaadinWebSecurity.configure() before and after Vaadin matchers.

class VaadinWebSecurity {
    protected void prependRequestAuthorization(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        // no-op by default
    }

    protected void appendRequestAuthorization(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        // no-op by default
    }

    protected void configure(HttpSecurity http) throws Exception {
        ....
        http.authorizeHttpRequests(urlRegistry -> {

            prependRequestAuthorization(urlRegistry);

            // Vaadin request matchers

            appendRequestAuthorization(urlRegistry);

            // all other requests require authentication
            urlRegistry.anyRequest().authenticated();
        });

        ....
    }
}

Describe alternatives you've considered

Currently, it seems there is no way to add request matchers after Vaadin ones.

Additional context
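
How an application would use the proposed appendRequestAuthorization hook, as an added illustration that is not code from the issue or from Vaadin: the hook does not exist in released Vaadin and is assumed to behave as sketched above, and the PARTNER_API matcher and its header name are constructed for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.web.util.matcher.RequestMatcher;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import jakarta.servlet.http.HttpServletRequest;

@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends VaadinWebSecurity {

    // Constructed example of a matcher with non-trivial logic. Here it only
    // inspects the path and a header; a real one might consult a database or
    // an external service, which is exactly why it should not be evaluated for
    // Vaadin-internal traffic (/VAADIN/**, UIDL, heartbeat, push requests).
    private static final RequestMatcher PARTNER_API = (HttpServletRequest request) ->
            request.getServletPath().startsWith("/partner/")
            && "v2".equals(request.getHeader("X-Partner-Api-Version"));

    // Assumed hook from the proposal: VaadinWebSecurity.configure() would call it
    // after its own request matchers and before anyRequest().authenticated().
    // Rule order is what makes this safe and cheap:
    //   1. Vaadin matchers (added by super.configure) handle framework requests
    //   2. PARTNER_API is consulted only for what is left over
    //   3. anyRequest().authenticated() still closes the chain as the default
    @Override
    protected void appendRequestAuthorization(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.requestMatchers(PARTNER_API).hasRole("PARTNER");
    }

    // configure(HttpSecurity) is intentionally not overridden: the inherited
    // implementation installs the Vaadin rules and the final anyRequest() rule,
    // so no request can slip through unauthenticated if PARTNER_API does not match.
}
```

Because the matcher sits after Vaadin's own rules, a request to the Vaadin servlet never triggers the partner check, while a non-matching /partner/ request still falls through to anyRequest().authenticated().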

knoobie commented 5 months ago

Quick comment: Make Vaadin's security configuration less intrusive, e.g. no overwriting or anything, by using the proper "FilterChain" level, allowing people to register their own filter in front of or after Vaadin (more easily).

Why? Allowing developers to apply their Spring Security knowledge without all the protected Vaadin methods they could have overridden, which makes it quite hard for them to grasp all the possible things with Spring Security and another layer of Vaadin on top.

mcollovati commented 5 months ago

@knoobie do you mean, for example, defining specific securityMatchers() in VaadinWebSecurity, or something else/in addition?

knoobie commented 5 months ago

I was thinking about something like this (not technically perfect; just an idea)

@Bean
@Order
@DefaultBeanThatCanBeExcludedOrOverwritten
public SecurityFilterChain vaadinDefaultFilterChain(VaadinSecurityConfig config, HttpSecurity http) throws Exception {
    // only vaadin internal communication / VAADIN/**
    // do stuff based on config.. e.g. config.isViewSecurityEnabled()
    return http.build();
}

@Bean
@Order
@DefaultBeanThatCanBeExcludedOrOverwritten
public SecurityFilterChain hillaDefaultFilterChain(HttpSecurity http) throws Exception {
    // only hilla internal communication
    return http.build();
}

@Bean
@Order
public SecurityFilterChain userCustomStuff(HttpSecurity http) throws Exception {
    // user stuff
    return http.build();
}