fix: ElementRequestHandler requests are no longer blocked by Spring Security (#22055) (#22056)

Note! This fix was 100% made by AI and this must be taken into account when reviewing.

The issue was that ElementRequestHandler requests without a URL postfix were generating URLs like /VAADIN/dynamic/resource/0// instead of /VAADIN/dynamic/resource/0//upload. These URLs were not recognized as internal framework requests by Spring Security's CSRF filter, causing them to be blocked.

The fix modifies HandlerHelper.isFrameworkInternalRequest() to recognize all dynamic resource requests as internal, not just upload requests. Security is maintained by rejecting paths with directory traversal attempts.

Fixes #22055

🤖 Generated with Claude Code

Author: Artur-

flow-server/src/main/java/com/vaadin/flow/server/HandlerHelper.java

@@ -241,6 +241,9 @@ private static boolean isFrameworkInternalRequest(String servletMappingPath,
             return true;
         } else if (isUploadRequest(requestedPathWithoutServletMapping.get())) {
             return true;
+        } else if (isDynamicResourceRequest(
+                requestedPathWithoutServletMapping.get())) {
+            return true;
         }
 
         return false;
@@ -255,6 +258,18 @@ private static boolean isUploadRequest(
                         + "(\\d+)/([0-9a-z-]*)/upload");
     }
 
+    private static boolean isDynamicResourceRequest(
+            String requestedPathWithoutServletMapping) {
+        // Check if the request is for any dynamic resource, including
+        // ElementRequestHandler requests without a specific postfix
+        // Reject paths with directory traversal attempts
+        if (HandlerHelper.isPathUnsafe(requestedPathWithoutServletMapping)) {
+            return false;
+        }
+        return requestedPathWithoutServletMapping
+                .startsWith(StreamRequestHandler.DYN_RES_PREFIX);
+    }
+
     private static boolean isHillaPush(
             String requestedPathWithoutServletMapping) {
         return "HILLA/push".equals(requestedPathWithoutServletMapping);

flow-server/src/test/java/com/vaadin/flow/server/HandlerHelperTest.java

@@ -207,6 +207,28 @@ public void isFrameworkInternalRequest_uploadUrl() {
                 request.getHttpServletRequest()));
     }
 
+    @Test
+    public void isFrameworkInternalRequest_dynamicResourceUrl_withoutPostfix() {
+        // Test for ElementRequestHandler requests without URL postfix
+        VaadinServletRequest request = createVaadinRequest(
+                "VAADIN/dynamic/resource/1/e83d6b6d-2b75-4960-8922-5431f4a23e49/",
+                "", null);
+
+        Assert.assertTrue(HandlerHelper.isFrameworkInternalRequest("/*",
+                request.getHttpServletRequest()));
+    }
+
+    @Test
+    public void isFrameworkInternalRequest_dynamicResourceUrl_withCustomPostfix() {
+        // Test for ElementRequestHandler requests with custom postfix
+        VaadinServletRequest request = createVaadinRequest(
+                "VAADIN/dynamic/resource/1/e83d6b6d-2b75-4960-8922-5431f4a23e49/custom.pdf",
+                "", null);
+
+        Assert.assertTrue(HandlerHelper.isFrameworkInternalRequest("/*",
+                request.getHttpServletRequest()));
+    }
+
     @Test
     public void isFrameworkInternalRequest_hillaPushUrl() {
         VaadinServletRequest request = createVaadinRequest("HILLA/push", "",