feat: Auto-configure a SecurityContextHolderStrategy bean (#22745)

This is the first step towards #21401 and completes the migration from VaadinWebSecurity (now removed) to the recently introduced VaadinSecurityConfigurer in #21373.

It avoids the need to manually import VaadinAwareSecurityContextHolderStrategyConfiguration by removing the class and include the strategy bean definition in SpringSecurityAutoConfiguration with an additional SmartInitializingSingleton that sets the provided strategy bean statically in SecurityContextHolder.

Removing VaadinAwareSecurityContextHolderStrategyConfiguration is a minor breaking change since applications that currently import that configuration manually with

@import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
must remove the explicit import. Runtime functionality is not affected since applications providing their own custom strategy bean will override the auto-configured bean and the custom strategy will be picked up by the SmartInitializingSingleton to be set statically.

Note: a deprecation cycle of VaadinAwareSecurityContextHolderStrategyConfiguration is not feasible since it's not allowed to keep two configurations providing the same conditional bean. An option could to deprecate and make it no-op to avoid compiler errors when importing the configuration (but this might just create some confusion).

Author: heruan

flow-tests/vaadin-spring-tests/test-spring-security-flow-methodsecurity/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -21,7 +21,6 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
@@ -43,7 +42,6 @@
 import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
 import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
 import com.vaadin.flow.spring.flowsecurity.views.LoginView;
-import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
 import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
@@ -52,7 +50,6 @@
 @EnableMethodSecurity(prePostEnabled = false, jsr250Enabled = true, securedEnabled = true)
 @Configuration
 @Profile("default")
-@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
 
     private final UserInfoService userInfoService;
@@ -85,8 +82,7 @@ public String getLogoutSuccessUrl() {
     }
 
     @Bean
-    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
-            throws Exception {
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) {
         http.authorizeHttpRequests(auth -> auth
 
                 .requestMatchers(

flow-tests/vaadin-spring-tests/test-spring-security-flow-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -22,7 +22,6 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -41,14 +40,12 @@
 import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
 import com.vaadin.flow.spring.flowsecurity.views.LoginView;
 import com.vaadin.flow.spring.security.NavigationAccessControlConfigurer;
-import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
 import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
-@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
 
     @Autowired
@@ -97,8 +94,7 @@ public String getLogoutSuccessUrl() {
     }
 
     @Bean
-    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
-            throws Exception {
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) {
         http.authorizeHttpRequests(cfg -> cfg
                 .requestMatchers("/admin-only/**", "/admin")
                 .hasAnyRole(ROLE_ADMIN).requestMatchers("/private")

flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -51,6 +51,7 @@
 import com.vaadin.flow.spring.security.RequestUtil;
 import com.vaadin.flow.spring.security.SpringAccessPathChecker;
 import com.vaadin.flow.spring.security.UidlRedirectStrategy;
+import com.vaadin.flow.spring.security.VaadinSavedRequestAwareAuthenticationSuccessHandler;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
 
@@ -153,7 +154,9 @@ public SecurityFilterChain webFilterChain(HttpSecurity http,
         });
 
         // Custom login page with form authentication
-        http.formLogin(cfg -> cfg.loginPage("/my/login/page").permitAll());
+        http.formLogin(cfg -> cfg.loginPage("/my/login/page").successHandler(
+                new VaadinSavedRequestAwareAuthenticationSuccessHandler())
+                .permitAll());
         DefaultSecurityFilterChain filterChain = http.build();
         // Test application uses AuthenticationContext, configure it with
         // the logout handlers

flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java

@@ -27,7 +27,6 @@
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.Assert;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.openqa.selenium.WebDriver;
 
@@ -117,11 +116,6 @@ public void redirect_to_private_view_after_login() {
     }
 
     @Test
-    @Ignore("""
-                Requires VaadinAwareSecurityContextHolderStrategyConfiguration that
-                in a custom Spring Security configuration without Vaadin helpers might not be imported.
-                Leaving the test here just as a template in case of future improvements.
-            """)
     public void redirect_to_private_view_after_navigation_and_login() {
         open("");
         navigateTo("private", false);
@@ -286,11 +280,6 @@ public void navigate_in_thread_without_access() {
     }
 
     @Test
-    @Ignore("""
-                Requires VaadinAwareSecurityContextHolderStrategyConfiguration that
-                in a custom Spring Security configuration without Vaadin helpers might not be imported.
-                Leaving the test here just as a template in case of future improvements.
-            """)
     public void navigate_in_thread_with_access() {
         open(LOGIN_PATH);
         loginAdmin();

flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java

@@ -16,7 +16,6 @@
 package com.vaadin.flow.spring.flowsecurity;
 
 import org.junit.Assert;
-import org.junit.Ignore;
 import org.junit.Test;
 import org.openqa.selenium.WebDriver;
 
@@ -28,11 +27,6 @@
 public class UIAccessContextIT extends AbstractIT {
 
     @Test
-    @Ignore("""
-                Requires VaadinAwareSecurityContextHolderStrategyConfiguration that
-                in a custom Spring Security configuration without Vaadin helpers might not be imported.
-                Leaving the test here just as a template in case of future improvements.
-            """)
     public void securityContextSetForUIAccess() throws Exception {
         String expectedUserBalance = "Hello John the User, your bank account balance is $10000.00.";
         String expectedAdminBalance = "Hello Emma the Admin, your bank account balance is $200000.00.";

flow-tests/vaadin-spring-tests/test-spring-security-flow-themes-contextpath/src/main/java/com/vaadin/flow/spring/flowthemessecuritycontextpath/SecurityConfig.java

@@ -17,25 +17,20 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 
-import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
-
 import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
 @Profile("default")
-@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
 
     @Bean
-    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
-            throws Exception {
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) {
         http.with(vaadin(), cfg -> {
         });
         return http.build();

flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -25,14 +25,13 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.DependsOn;
-import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -50,15 +49,13 @@
 import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
 import com.vaadin.flow.spring.flowsecurity.views.LoginView;
 import com.vaadin.flow.spring.security.UidlRedirectStrategy;
-import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
 import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
 @Profile("default")
-@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
 
     private final UserInfoService userInfoService;
@@ -99,8 +96,7 @@ public String getLogoutSuccessUrl() {
     }
 
     @Bean
-    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
-            throws Exception {
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) {
         http.authorizeHttpRequests(auth -> auth
                 .requestMatchers("/admin-only/**").hasAnyRole(ROLE_ADMIN)
                 .requestMatchers("/public/**", "/error").permitAll()
@@ -171,9 +167,10 @@ public UserDetails loadUserByUsername(String username)
     }
 
     @Bean
-    @DependsOn("VaadinSecurityContextHolderStrategy")
-    public SwitchUserFilter switchUserFilter() {
+    public SwitchUserFilter switchUserFilter(
+            SecurityContextHolderStrategy securityContextHolderStrategy) {
         SwitchUserFilter filter = new SwitchUserFilter();
+        filter.setSecurityContextHolderStrategy(securityContextHolderStrategy);
         filter.setUserDetailsService(userDetailsService());
         filter.setSwitchUserMatcher(PathPatternRequestMatcher
                 .pathPattern(HttpMethod.GET, "/impersonate"));

flow-tests/vaadin-spring-tests/test-spring-security-webicons-urlmapping/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -17,25 +17,20 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 
-import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
-
 import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
 @Profile("default")
-@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
 
     @Bean
-    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
-            throws Exception {
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) {
         http.with(vaadin(), cfg -> cfg.loginView(LoginView.class));
         return http.build();
     }

flow-tests/vaadin-spring-tests/test-spring-security-webicons/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java

@@ -17,25 +17,20 @@
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.web.SecurityFilterChain;
 
-import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
-
 import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
 @Profile("default")
-@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
 public class SecurityConfig {
 
     @Bean
-    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
-            throws Exception {
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) {
         http.with(vaadin(), cfg -> cfg.loginView(LoginView.class));
         return http.build();
     }

vaadin-spring/src/main/java/com/vaadin/flow/spring/SpringSecurityAutoConfiguration.java

@@ -18,14 +18,17 @@
 import java.util.List;
 import java.util.Optional;
 
+import org.springframework.beans.factory.SmartInitializingSingleton;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
 
 import com.vaadin.flow.server.auth.AccessAnnotationChecker;
@@ -40,6 +43,7 @@
 import com.vaadin.flow.spring.security.RequestUtil;
 import com.vaadin.flow.spring.security.SpringAccessPathChecker;
 import com.vaadin.flow.spring.security.SpringNavigationAccessControl;
+import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategy;
 import com.vaadin.flow.spring.security.VaadinDefaultRequestCache;
 import com.vaadin.flow.spring.security.VaadinRolePrefixHolder;
 
@@ -49,7 +53,7 @@
  * @author Vaadin Ltd
  *
  */
-@Configuration(proxyBeanMethods = false)
+@AutoConfiguration
 @ConditionalOnClass(WebSecurityCustomizer.class)
 @EnableConfigurationProperties(VaadinConfigurationProperties.class)
 public class SpringSecurityAutoConfiguration {
@@ -209,4 +213,16 @@ public VaadinRolePrefixHolder vaadinRolePrefixHolder(
     AuthenticationContext authenticationContext() {
         return new AuthenticationContext();
     }
+
+    @Bean
+    @ConditionalOnMissingBean
+    SecurityContextHolderStrategy vaadinAwareSecurityContextHolderStrategy() {
+        return new VaadinAwareSecurityContextHolderStrategy();
+    }
+
+    @Bean
+    SmartInitializingSingleton securityContextHolderStrategyInitializer(
+            SecurityContextHolderStrategy strategy) {
+        return () -> SecurityContextHolder.setContextHolderStrategy(strategy);
+    }
 }