Vaadin 7 + Spring security configuration #78

Closed
Artgit opened this issue Sep 20, 2014 · 23 comments

@Artgit

Artgit commented Sep 20, 2014

Hello,

first of all - thank you so much for the awesome vaadin4spring add-on! I used it to configure spring with my existing vaadin application.

But right now I've run into a problem while trying to configure Spring Security with Vaadin.

Also, I'm unable to correctly launch spring-boot-sample-security and am continuously getting a white screen in my browser without any errors.

Could someone please take a look into my issue described here http://stackoverflow.com/questions/25952514/vaadin-7-spring-security-configuration

What am I doing wrong?

@peholmst
Owner

I haven't had time to look at the security integration yet. It is coming up, but I can't say when. I currently have very limited time to spend on this project, so it might take a while. :-(

@fastnsilver
Contributor

I can take a look at this. I've had some recent experience implementing Spring Security with Spring Boot and Vaadin. I will roll in some updates to the mvp-sample that prove out securing tree items, controls, tab selection and grid content.

@Artgit
Author

Artgit commented Sep 24, 2014

@fastnsilver, thank you! I'm really stuck with it :(

@fastnsilver
Contributor

I may have gotten as far as you did. This is my work-in-progress fork branch: https://github.com/fastnsilver/vaadin4spring/tree/mvp-sample-with-secuirty. The project you will be interested in will be mvp-sample. I will keep banging on it until I have it working. You'll have to clone the entirety of my vaadin4spring fork and build as I have some additional version updates to bring things more current with Spring Boot. Stay tuned!

@Artgit
Author

Artgit commented Sep 26, 2014

Thanks! Waiting for updates.

@fastnsilver
Contributor

So, I have it working. See fastnsilver@8a93a1d.

It's kinda buggy on logout; but it ultimately does the right thing by redirecting user to login form.

Going to initiate a pull request so Petter can merge.

@fastnsilver
Contributor

@Artgit have a look and see if this solves your particular problem; we'll close this issue if it does.

@Artgit
Author

Artgit commented Sep 26, 2014

@fastnsilver, thank you so much! I got it working!!!

@Artgit
Author

Artgit commented Sep 27, 2014

@fastnsilver, do you have an example of how to replace the default Spring Security login page with a custom one in this bundle of Vaadin+Spring? Thanks.

@fastnsilver
Contributor

Did you look here: http://docs.spring.io/autorepo/docs/spring-security/3.2.x/guides/form.html. There's an example of how to build your own form. As for doing it w/ Vaadin, you could set up a dedicated UI for the form and then redirect to your app on success.

@Artgit
Author

Artgit commented Sep 27, 2014

@fastnsilver, thanks, will look into it.

One more question - how to secure Vaadin view's URLs like site.com/#!home or site.com/#!blog?

How to secure this path '#!home' or '#!blog'?

@Artgit
Author

Artgit commented Sep 27, 2014

@fastnsilver finally I got it working - custom Spring MVC template for login form and Vaadin application after a successful login. But right now this combination doesn't look very attractive to me.. Strange mix.. Is it possible to authenticate using Vaadin UI/View/Modal for login form view and Spring Security as an underlying logic in this form for authentication ?

@fastnsilver
Contributor

@Artgit re: your question on securing bookmarks, I would figure that if all paths (including context) are secured then the bookmarked additions would be too.

re: using Vaadin for the login form, have you tried to create another UI entry point annotated w/ @VaadinUI("/login")? Take care to abide by Spring Security conventions for the login form's inputs.

@Artgit
Author

Artgit commented Sep 27, 2014

@fastnsilver,

yep, I have implemented the following code:

    @SuppressWarnings("serial")
    @VaadinUI(path = "/login")
    public class LoginUI extends UI {

        @Override
        protected void init(VaadinRequest request) {
            VerticalLayout content = new VerticalLayout();
            TextField name = new TextField("username");
            content.addComponent(name);
            TextField password = new TextField("password");
            content.addComponent(password);
            Button button = new Button("Login");
            button.addClickListener(new ClickListener() {

                @Override
                public void buttonClick(ClickEvent event) {
                    // ?????
                }
            });
            content.addComponent(button);
            setContent(content);
        }

    }

but I don't understand what kind of logic (code) should be placed inside the buttonClick function in order to authenticate via Spring Security.

Also, when I try to access the "/login" URL I receive the following error:

Publishing payload [org.springframework.security.access.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /VAADIN/widgetsets/com.vaadin.DefaultWidgetSet/com.vaadin.DefaultWidgetSet.nocache.js?1411848418632]] from sender [FilterInvocation: URL: /VAADIN/widgetsets/com.vaadin.DefaultWidgetSet/com.vaadin.DefaultWidgetSet.nocache.js?1411848418632] on event bus [ScopedEventBus[id=1800389329, eventScope=APPLICATION, parentEventBus=null]]
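
One way the `buttonClick` logic asked about above can be written, as an added example that is not part of the original thread or of the vaadin4spring code base. It hands the credentials to Spring Security's `AuthenticationManager`, renews the session id and stores the result in the security context. Assumptions: the class name `SpringSecurityLoginListener` is hypothetical, an `AuthenticationManager` bean is exposed by the security configuration and passed in, the password input is a `PasswordField`, the click arrives as an HTTP request that passes through the Spring Security filter chain, and `/` is the URL of the secured UI.

```java
import com.vaadin.server.Page;
import com.vaadin.server.VaadinService;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.Notification;
import com.vaadin.ui.PasswordField;
import com.vaadin.ui.TextField;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical click listener for the "Login" button of a Vaadin login UI.
@SuppressWarnings("serial")
public class SpringSecurityLoginListener implements ClickListener {

    private final AuthenticationManager authenticationManager; // assumed: exposed as a bean
    private final TextField username;
    private final PasswordField password;

    public SpringSecurityLoginListener(AuthenticationManager authenticationManager,
            TextField username, PasswordField password) {
        this.authenticationManager = authenticationManager;
        this.username = username;
        this.password = password;
    }

    @Override
    public void buttonClick(ClickEvent event) {
        try {
            // Spring Security checks the credentials; throws on any failure.
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(
                            username.getValue(), password.getValue()));
            // New session id after login, so a pre-login id cannot be reused (session fixation).
            VaadinService.reinitializeSession(VaadinService.getCurrentRequest());
            // Saved to the HTTP session by the filter chain when this request completes.
            SecurityContextHolder.getContext().setAuthentication(result);
            Page.getCurrent().setLocation("/"); // assumed URL of the secured UI
        } catch (AuthenticationException e) {
            // One generic message: does not reveal whether the user name or the password was wrong.
            Notification.show("Login failed", Notification.Type.ERROR_MESSAGE);
        } finally {
            password.setValue(""); // do not keep the password in the component state
        }
    }
}
```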

@fastnsilver
Contributor

If I have some cycles this week I'll add a custom login form implementation to mvp-sample. Shouldn't be too difficult.

@tonymande

I got spring security working with the Dashboard Vaadin Demo following this example:
spring-boot-sample-security does not work yet?

That's how I overrode the configure method to permit access to /login /registration and /environment without authentication.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/VAADIN/**", "/PUSH/**", "/UIDL/**", "/login", "/login/**", "/register", "/environment").permitAll()
                .antMatchers("/**").fullyAuthenticated()
                .and()
                .csrf().disable()
                .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
    }

Works like a charm for me.

@Artgit
Author

Artgit commented Sep 28, 2014

@tonymande, thank you! Based on the example above I finally got all stuff working.

@fastnsilver, thank you very much for your patience and help!

Also, I was wondering if it would be possible to combine Vaadin and Spring Social framework?

@umeshhansla

Hi @Artgit,

I am trying to do something similar to what you have done. Is it possible for you to share your sample code? I keep getting stuck in a redirect loop.

Thanks!

@enyachoke

Hi, I am also facing a similar issue. I found the project https://github.com/markoradinovic/Vaadin4Spring-MVP-Sample-SpringSecurity but it requires some package org.vaadin.spring.mvp which I can't find.

@gjrtimmer
Collaborator

@enyachoke the artifact which you are missing is here: https://github.com/markoradinovic/Vaadin4Spring-MVP

@enyachoke

@gjrtimmer Thanks, it solved it.

@gjrtimmer
Collaborator

Spring boot based security sample is now available. Located within the samples directory.

Note: This is a multi UI security sample with a fully working springSecurityFilterChain.

Next update of the security-sample will be the implementation of 'remember-me' through the use of the official RememberMeAuthenticationFilter within the springSecurityFilterChain.

When this is completed the creation of a security-sample 'single-UI' will be started.

Anyone interested in helping out?

@gjrtimmer
Collaborator

Basic implementation of Spring-Security is done. See samples/security-sample
