fix: make sure request principal is available (#22368) (#22399)

When Spring Security request matchers are executed within SpringPathAccessChecker
the request object is a stub instance that throw UnsupportedOperationException
for many methods. This can cause failure when the path access checker is used
in combination with request matchers that, for example, try to access the
request user principal. An example is the pre-configured 'isAllowedHillaView'
matcher.
This change wraps the request matchers configured by Vaadin so that the
request principal is taken from the Spring Security context, if not available
on the request.

In addition provides documentation and helper to set a global HttpServletRequestTransformer
to augment all requests handled by WebInvocationPrivilegeEvaluator with the
proper getUserPrincipal method override.

Fixes #22284

Author: mcollovati

flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/pom.xml

@@ -182,6 +182,9 @@
 				<groupId>com.vaadin</groupId>
 				<artifactId>flow-maven-plugin</artifactId>
 				<version>${project.version}</version>
+				<configuration>
+					<frontendHotdeploy>false</frontendHotdeploy>
+				</configuration>
 				<executions>
 					<execution>
 						<goals>

flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -1,35 +1,39 @@
 package com.vaadin.flow.spring.flowsecurity;
 
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.internal.UrlUtil;
+import com.vaadin.flow.internal.hilla.FileRouterRequestUtil;
+import com.vaadin.flow.spring.RootMappedCondition;
+import com.vaadin.flow.spring.VaadinConfigurationProperties;
+import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
+import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
+import com.vaadin.flow.spring.flowsecurity.views.LoginView;
+import com.vaadin.flow.spring.security.NavigationAccessControlConfigurer;
+import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
+import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
 import jakarta.servlet.ServletContext;
-
-import java.util.stream.Collectors;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
-import com.vaadin.flow.component.UI;
-import com.vaadin.flow.internal.UrlUtil;
-import com.vaadin.flow.spring.RootMappedCondition;
-import com.vaadin.flow.spring.VaadinConfigurationProperties;
-import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
-import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
-import com.vaadin.flow.spring.flowsecurity.views.LoginView;
-import com.vaadin.flow.spring.security.NavigationAccessControlConfigurer;
-import com.vaadin.flow.spring.security.VaadinWebSecurity;
+import java.util.stream.Collectors;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
+import static com.vaadin.flow.spring.security.RequestUtil.antMatchers;
 
 @EnableWebSecurity
 @Configuration
-public class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+public class SecurityConfig {
 
     @Autowired
     private UserInfoService userInfoService;
@@ -46,6 +50,21 @@ static NavigationAccessControlConfigurer navigationAccessControlConfigurer() {
                 .withRoutePathAccessChecker();
     }
 
+    /*
+     * Simulates Hilla implementation that accesses request principal.
+     */
+    @Bean
+    FileRouterRequestUtil sutbFileRouterRequestUtil() {
+        return request -> {
+            var principal = request.getUserPrincipal();
+            if (principal != null) {
+                // do nothing, just prevent IDE from complaining about unused
+                // variable
+            }
+            return false;
+        };
+    }
+
     public String getLogoutSuccessUrl() {
         String logoutSuccessUrl;
         String mapping = vaadinConfigurationProperties.getUrlMapping();
@@ -61,40 +80,38 @@ public String getLogoutSuccessUrl() {
         return logoutSuccessUrl;
     }
 
-    @Override
-    public void configure(HttpSecurity http) throws Exception {
-        // @formatter:off
+    @Bean
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
+            throws Exception {
         http.authorizeHttpRequests(cfg -> cfg
                 .requestMatchers(antMatchers("/admin-only/**", "/admin"))
-                    .hasAnyRole(ROLE_ADMIN)
-                .requestMatchers(antMatchers("/private"))
-                    .authenticated()
-                .requestMatchers(antMatchers("/", "/public/**", "/another", "/menu-list"))
-                    .permitAll()
-                .requestMatchers(antMatchers("/error"))
-                    .permitAll()
+                .hasAnyRole(ROLE_ADMIN).requestMatchers(antMatchers("/private"))
+                .authenticated()
+                .requestMatchers(antMatchers("/", "/public/**", "/another",
+                        "/menu-list"))
+                .permitAll().requestMatchers(antMatchers("/error")).permitAll()
                 // routes aliases
                 .requestMatchers(antMatchers("/alias-for-admin"))
-                    .hasAnyRole(ROLE_ADMIN)
-                .requestMatchers(antMatchers("/home", "/hey/**"))
-                    .permitAll()
-        );
+                .hasAnyRole(ROLE_ADMIN)
+                .requestMatchers(antMatchers("/home", "/hey/**")).permitAll()
+                .requestMatchers(antMatchers("/all-logged-in/**"))
+                .authenticated());
         // @formatter:on
-
-        super.configure(http);
-        if (getLogoutSuccessUrl().equals("/")) {
-            // Test the default url with empty context path
-            setLoginView(http, LoginView.class);
-        } else {
-            setLoginView(http, LoginView.class, getLogoutSuccessUrl());
-        }
-        http.logout(cfg -> cfg
-                .addLogoutHandler((request, response, authentication) -> {
-                    UI ui = UI.getCurrent();
-                    ui.accessSynchronously(() -> ui.getPage()
-                            .setLocation(UrlUtil.getServletPathRelative(
-                                    getLogoutSuccessUrl(), request)));
-                }));
+        http.with(VaadinSecurityConfigurer.vaadin(), vaadin -> {
+            if (getLogoutSuccessUrl().equals("/")) {
+                // Test the default url with empty context path
+                vaadin.loginView(LoginView.class);
+            } else {
+                vaadin.loginView(LoginView.class, getLogoutSuccessUrl());
+            }
+            vaadin.addLogoutHandler((request, response, authentication) -> {
+                UI ui = UI.getCurrent();
+                ui.accessSynchronously(() -> ui.getPage().setLocation(
+                        UrlUtil.getServletPathRelative(getLogoutSuccessUrl(),
+                                request)));
+            });
+        });
+        return http.build();
     }
 
     @Bean

flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/hilla/EndpointController.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2000-2025 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ *
+ */
+
+package com.vaadin.hilla;
+
+// Stub class to simulate the presence of Hilla
+class EndpointController {
+}

flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -1,13 +1,24 @@
 package com.vaadin.flow.spring.flowsecurity;
 
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.internal.UrlUtil;
+import com.vaadin.flow.server.HandlerHelper;
+import com.vaadin.flow.spring.RootMappedCondition;
+import com.vaadin.flow.spring.VaadinConfigurationProperties;
+import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
+import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
+import com.vaadin.flow.spring.flowsecurity.views.LoginView;
+import com.vaadin.flow.spring.security.AuthenticationContext;
+import com.vaadin.flow.spring.security.NavigationAccessControlConfigurer;
+import com.vaadin.flow.spring.security.RequestUtil;
+import com.vaadin.flow.spring.security.SpringAccessPathChecker;
+import com.vaadin.flow.spring.security.UidlRedirectStrategy;
 import jakarta.servlet.ServletContext;
-
-import java.util.stream.Collectors;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -16,23 +27,17 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer;
+import org.springframework.security.web.access.PathPatternRequestTransformer;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 
-import com.vaadin.flow.component.UI;
-import com.vaadin.flow.internal.UrlUtil;
-import com.vaadin.flow.spring.RootMappedCondition;
-import com.vaadin.flow.spring.VaadinConfigurationProperties;
-import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
-import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
-import com.vaadin.flow.spring.flowsecurity.views.LoginView;
-import com.vaadin.flow.spring.security.AuthenticationContext;
-import com.vaadin.flow.spring.security.NavigationAccessControlConfigurer;
-import com.vaadin.flow.spring.security.RequestUtil;
+import java.security.Principal;
+import java.util.stream.Collectors;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
 import static com.vaadin.flow.spring.security.RequestUtil.antMatchers;
-import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
@@ -60,51 +65,88 @@ public AuthenticationContext authenticationContext() {
     @Bean
     static NavigationAccessControlConfigurer navigationAccessControlConfigurer() {
         return new NavigationAccessControlConfigurer()
-                .withRoutePathAccessChecker();
+                .withLoginView(LoginView.class).withRoutePathAccessChecker();
+    }
+
+    @Bean
+    @Primary
+    static HttpServletRequestTransformer customRequestTransformer() {
+        return SpringAccessPathChecker.principalAwareRequestTransformer(
+                new PathPatternRequestTransformer());
     }
 
     @Bean
     public SecurityFilterChain webFilterChain(HttpSecurity http,
             AuthenticationContext authenticationContext) throws Exception {
         // Setup
         http.csrf(AbstractHttpConfigurer::disable); // simple for testing
-                                                    // purpose
+        // purpose
 
         // Homemade security for Vaadin application, not fully functional as the
         // configuration provided by VaadinWebSecurity
         // @formatter:off
         http.authorizeHttpRequests(auth -> auth
+                // Ensures that SpringPathAccessChecker does not fail when matchers get Principal from HTTP request
+                .requestMatchers(request -> {
+                    Principal principal = request.getUserPrincipal();
+                    if (principal == null) {
+                        // Do nothing, just avoid IDE complain about not used variable
+                    }
+                    return false; // no need to match rule, we just want to access principal.
+                }).denyAll()
                 // Permit access to static resources
                 .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
-                    .permitAll()
+                .permitAll()
+                // Permit access to vaadin's internal communication
+                .requestMatchers(request -> HandlerHelper
+                        .isFrameworkInternalRequest("/*", request))
+                .permitAll()
+                .requestMatchers(requestUtil::isAnonymousRoute)
+                .permitAll()
+                // Permit technical access to vaadin's static files
+                .requestMatchers(antMatchers("/VAADIN/**")).permitAll()
+                // custom request matchers. using 'routeAwareAntMatcher' to
+                // allow checking route and alias paths against patterns
                 .requestMatchers(antMatchers("/admin-only/**", "/admin"))
-                    .hasAnyRole(ROLE_ADMIN)
+                .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(antMatchers("/private"))
-                    .authenticated()
+                .authenticated()
                 .requestMatchers(antMatchers("/", "/public/**", "/another"))
-                    .permitAll()
-                .requestMatchers(new AntPathRequestMatcher("/error"))
-                    .permitAll()
+                .permitAll()
+
+                .requestMatchers(antMatchers("/error"))
+                .permitAll()
                 // routes aliases
                 .requestMatchers(antMatchers("/alias-for-admin"))
-                    .hasAnyRole(ROLE_ADMIN)
+                .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(antMatchers("/home", "/hey/**"))
-                    .permitAll()
-                );
+                .permitAll()
+                .requestMatchers(antMatchers("/all-logged-in/**", "/passthrough/**"))
+                .authenticated()
+        );
         // @formatter:on
-        http.with(vaadin(),
-                cfg -> cfg.loginView(LoginView.class, getLogoutSuccessUrl())
-                        .addLogoutHandler(
-                                (request, response, authentication) -> {
-                                    UI ui = UI.getCurrent();
-                                    ui.accessSynchronously(() -> ui.getPage()
-                                            .setLocation(UrlUtil
-                                                    .getServletPathRelative(
-                                                            getLogoutSuccessUrl(),
-                                                            request)));
-                                }));
-
-        return http.build();
+        http.logout(cfg -> {
+            SimpleUrlLogoutSuccessHandler logoutSuccessHandler = new SimpleUrlLogoutSuccessHandler();
+            logoutSuccessHandler.setDefaultTargetUrl(getLogoutSuccessUrl());
+            logoutSuccessHandler
+                    .setRedirectStrategy(new UidlRedirectStrategy());
+            cfg.logoutSuccessHandler(logoutSuccessHandler);
+            cfg.addLogoutHandler((request, response, authentication) -> {
+                UI ui = UI.getCurrent();
+                ui.accessSynchronously(() -> ui.getPage().setLocation(
+                        UrlUtil.getServletPathRelative(getLogoutSuccessUrl(),
+                                request)));
+            });
+        });
+        // Custom login page with form authentication
+        http.formLogin(cfg -> cfg.loginPage("/my/login/page").permitAll());
+        DefaultSecurityFilterChain filterChain = http.build();
+        // Test application uses AuthenticationContext, configure it with
+        // the logout handlers
+        AuthenticationContext.applySecurityConfiguration(http,
+                authenticationContext);
+
+        return filterChain;
     }
 
     public String getLogoutSuccessUrl() {