LOGOUT_URL does not consider server.servlet.context-path #68

Closed
simasch opened this issue Jul 28, 2022 · 3 comments
Labels
enhancement New feature or request

Comments


simasch commented Jul 28, 2022

When setting the server.servlet.context-path the logout URL will be wrong.

One way could be to use it in the code

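```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;
// The import for the application's own LoginView is omitted; its package is not shown in the issue.

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {

    private final String logoutUrl;

    // Injects server.servlet.context-path (defaulting to "/") for use as the logout URL.
    public SecurityConfiguration(@Value("${server.servlet.context-path:/}") String logoutUrl) {
        this.logoutUrl = logoutUrl;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        super.configure(http);
        // Pass the context path as the logout URL instead of a hard-coded value.
        setLoginView(http, LoginView.class, logoutUrl);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        web.ignoring().antMatchers("/images/*.png");
    }
}
```

```java
import java.util.Optional;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Component;

import com.vaadin.flow.component.UI;
import com.vaadin.flow.server.VaadinServletRequest;
// Imports for the application's own User and UserRepository are omitted; their packages are not shown in the issue.

@Component
public class AuthenticatedUser {

    private final UserRepository userRepository;
    private final String logoutUrl;

    // Injects server.servlet.context-path (defaulting to "/") for use as the logout URL.
    @Autowired
    public AuthenticatedUser(UserRepository userRepository, @Value("${server.servlet.context-path:/}") String logoutUrl) {
        this.userRepository = userRepository;
        this.logoutUrl = logoutUrl;
    }

    // Returns the current authentication unless it is the anonymous token.
    private Optional<Authentication> getAuthentication() {
        SecurityContext context = SecurityContextHolder.getContext();
        return Optional.ofNullable(context.getAuthentication())
                .filter(authentication -> !(authentication instanceof AnonymousAuthenticationToken));
    }

    public Optional<User> get() {
        return getAuthentication().map(authentication -> userRepository.findByUsername(authentication.getName()));
    }

    public void logout() {
        // Send the browser to the logout URL, then invalidate the session and clear the security context.
        UI.getCurrent().getPage().setLocation(logoutUrl);
        SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
        logoutHandler.logout(VaadinServletRequest.getCurrent().getHttpServletRequest(), null, null);
    }

}
```
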
simasch added the enhancement label Jul 28, 2022

Artur- (Member) commented Aug 16, 2022

I think this should be moved to the Flow repository and handled automatically by the default security config. There is nothing here that is app specific, right?

With the new component-based security config added in vaadin/flow#14303 it should also be possible to inject it into AuthenticatedUser and reuse the logout URL defined there.

Artur- (Member) commented Dec 21, 2022

start.vaadin.com now uses the default logout URL and once vaadin/flow#15532 is in a release, it will use the context path correctly

Artur- closed this as completed Dec 21, 2022

ghe-bm commented Sep 1, 2023

Could you please backport this fix to Vaadin 23?
