51 changes: 50 additions & 1 deletion articles/flow/security/vaadin-security-configurer.adoc
@@ -298,6 +298,19 @@

===== Custom Authorization Rules

In Spring Security, *Custom Authorization Rules* are developer-defined rules that control who can access certain HTTP routes or resources. In Vaadin, they complement the access control already applied to views through annotations like `@PermitAll` or `@RolesAllowed`.

====== Use Cases

- Protect REST endpoints that are not part of Vaadin navigation.
- Define public routes that don’t require authentication (`/public/**`).
- Restrict specific areas based on roles (`/admin-only/**`).
- Allow access to error pages without authentication (`/error`).

====== How It Works With Vaadin

Vaadin uses annotations to control access to views at the navigation level, while Spring Security applies these *Custom Authorization Rules* at the HTTP request level. Both layers work together to ensure a secure application.

[source,java]
----
@Configuration
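Review bot: the "How It Works With Vaadin" paragraph says the two layers "work together" but not that they are independent, which is the point a reader needs: a request-level rule such as `permitAll()` on `/public/**` does not relax a `@RolesAllowed` on a view reached under that path, and view annotations do nothing for the REST endpoints named in the first use case, so each path needs the rule that belongs to its own layer. Suggest adding one sentence to that effect. Minor: `*Custom Authorization Rules*` is emphasised in both paragraphs; once, on first use, is enough. The hunk stops at `@Configuration`, so also confirm the listing that follows actually shows the `/public/**`, `/admin-only/**` and `/error` rules the use-case list promises.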
@@ -327,6 +340,42 @@

===== Disabling Features

The `VaadinSecurityConfigurer` provides some security features enabled by
default to ensure smooth integration between Vaadin and Spring Security.
In certain scenarios, you may disable these defaults to apply your own
custom security configuration.

====== Features That Can Be Disabled

- **CSRF Configuration** (`enableCsrfConfiguration(false)`):
By default, the configurer automatically sets up Spring Security’s CSRF
filter so that Vaadin internal framework requests (such as UIDL, heartbeat,
and push) are processed without issues.
Disabling this means you will need to handle CSRF configuration yourself,
ensuring that internal Vaadin requests are not blocked.

- **Navigation Access Control** (`enableNavigationAccessControl(false)`):
Vaadin enables `NavigationAccessControl` by default to check access
annotations (such as `@PermitAll` or `@RolesAllowed`) when navigating
between views.
Disabling this means Vaadin will no longer enforce annotation-based
navigation security, and you will need to implement your own access control
logic for view navigation.

====== When To Disable

You should only disable these features if:

- You have a clear, secure, and tested replacement for the default behavior.

- You understand the implications of removing these protections.

- Your application has special requirements that conflict with the defaults.

In most applications, keeping these features enabled is the recommended and
safest option.


[source,java]
----
@Configuration
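Review bot: the CSRF bullet tells readers that disabling the default means they "need to handle CSRF configuration yourself" but not what that entails, and the only concrete guidance is "ensuring that internal Vaadin requests are not blocked". State that the replacement has to keep CSRF protection on the application's own form and login endpoints while exempting only the internal Vaadin request types the bullet names (UIDL, heartbeat, push), so that `enableCsrfConfiguration(false)` is not read as licence to switch CSRF protection off altogether. The "When To Disable" list would also benefit from naming the concrete risk per feature: with navigation access control off, `@PermitAll` and `@RolesAllowed` on views are silently ignored, which the bullet says but the checklist does not repeat. Style: expand the abbreviation on first use ("Cross-Site Request Forgery (CSRF)"), drop the three uses of "will" ("Disabling this means you need to handle...", "Vaadin no longer enforces..."), retitle the heading "When to Disable", use the single-asterisk `*...*` bold already used in the previous section instead of `**...**`, and remove the double blank line before `[source,java]`.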
@@ -343,4 +392,4 @@
}).build();
}
}
----
----
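Review bot: the only change in this hunk is the closing `----` listing delimiter removed and re-added, which, together with the "1 deletion" in the file summary, looks like a trailing-newline change at end of file rather than a content change; confirm the file ends with exactly one newline so the delimiter stops showing up as modified in future diffs.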