vaadin4spring
Investigate conflicts between Vaadin and Spring Security
There are a few things such as CSRF protection and session management that both Vaadin and Spring Security try to handle. This can lead to conflicts and strange errors. We have to investigate what features are duplicated and how to handle them.
For CSRF, I've opted in all samples to disable its use within Spring Security. What kind of strange errors are you getting?
I believe only one should be enabled.
My experience is also that you should just disable Spring Security CSRF protection when using Vaadin4Spring. Since I did, everything seems to work pretty well in my current project.
We've experienced push stability problems with Spring Security. Sometimes, the UI freezes and you have to do a hard refresh to get a new UI. We don't know what's causing this, but one possibility is that Spring Security does something with the session that is not compatible with Vaadin push.
Do you have some reproduction steps for me?
No we don't, this problem is completely random. We have not been able to reproduce it, but still it happens every now and then. However, sometimes, we've seen this message in the logs: "Session expired before push was disconnected. This should never happen."
The FileDownloader extension is not working with "frameOptions" enabled. I've also experienced some problems with push months ago; I figured out that web filters were completely ignored by push requests. That's maybe a clue.
@monp What transport protocol were you using for push? Websockets, long polling or streaming?
It was Websockets... that's probably why ^^.
@monp OK. The problems we're experiencing show up when using long polling.
Doesn't Vaadin have CSRF protection built-in? If so, would there be any need to enable CSRF on the Spring WebSecurityConfigurerAdapter?
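The advice earlier in the thread is to disable Spring Security's CSRF protection and rely on Vaadin's built-in token, and the last question asks whether enabling it in the Spring WebSecurityConfigurerAdapter is ever needed. The configuration below is an added example, not code from the vaadin4spring project or from any commenter, showing both the global disable the thread recommends and a narrower alternative that exempts only Vaadin's own request types (UIDL, heartbeat and push), so any non-Vaadin endpoint served by the same application keeps Spring's check. The request paths assume the Vaadin servlet is mapped at the context root; adjust them if your servlet uses a different mapping. The `RequestMatcher` classes used are the standard ones from Spring Security 3.2+.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class VaadinCsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption (constructed for this example): the Vaadin servlet is mapped at the
    // context root, so its internal requests arrive under these paths.
    private static final RequestMatcher VAADIN_INTERNAL_REQUESTS = new OrRequestMatcher(
            new AntPathRequestMatcher("/UIDL/**"),      // UI state updates, carry Vaadin's own CSRF token
            new AntPathRequestMatcher("/HEARTBEAT/**"), // keep-alive pings
            new AntPathRequestMatcher("/PUSH/**"));     // server push transport

    // Spring Security's default CSRF matcher only covers state-changing methods;
    // keep that behaviour for everything that is not a Vaadin-internal request.
    private static final RequestMatcher NON_SAFE_METHOD = request -> {
        String m = request.getMethod();
        return !("GET".equals(m) || "HEAD".equals(m) || "TRACE".equals(m) || "OPTIONS".equals(m));
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Option A (what the thread recommends): switch Spring Security CSRF off
            // entirely and rely on Vaadin's built-in token. Every other endpoint in the
            // application then loses Spring's CSRF protection too:
            //     .csrf().disable()
            //
            // Option B: exempt only Vaadin's own request types, so REST controllers or
            // plain form posts served by the same application keep Spring's check.
            .csrf()
                .requireCsrfProtectionMatcher(new AndRequestMatcher(
                        NON_SAFE_METHOD,
                        new NegatedRequestMatcher(VAADIN_INTERNAL_REQUESTS)))
                .and()
            .authorizeRequests()
                .antMatchers("/VAADIN/**").permitAll() // static client resources and themes
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

With option B, a forged cross-site POST to a Vaadin UIDL path is still rejected by Vaadin's own token check, while a forged POST to, say, a Spring MVC controller in the same deployment is rejected by Spring Security. If the application exposes nothing but the Vaadin UI, the two options are equivalent in practice and option A is the simpler configuration.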