
Default security configuration shows warnings

Open Artur- opened this issue 2 years ago • 1 comments

Description of the bug

When I start a 23.1 rc1 application I see

2022-05-26 14:40:04.103  WARN 67506 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Or [Ant [pattern='/favicon.ico'], Ant [pattern='/manifest.webmanifest'], Ant [pattern='/sw.js'], Ant [pattern='/sw-runtime-resources-precache.js'], Ant [pattern='/offline.html'], Ant [pattern='/offline-stub.html'], Ant [pattern='/icons/icon.png'], Ant [pattern='/themes/**'], Ant [pattern='/icons/icon-144x144.png'], Ant [pattern='/icons/icon-192x192.png'], Ant [pattern='/icons/icon-512x512.png'], Ant [pattern='/icons/icon-16x16.png'], Ant [pattern='/icons/icon-32x32.png'], Ant [pattern='/icons/icon-96x96.png'], Ant [pattern='/icons/icon-180x180.png'], Ant [pattern='/icons/icon-1125x2436.png'], Ant [pattern='/icons/icon-750x1334.png'], Ant [pattern='/icons/icon-1242x2208.png'], Ant [pattern='/icons/icon-640x1136.png']]. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-05-26 14:40:04.103  INFO 67506 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Will not secure Or [Ant [pattern='/favicon.ico'], Ant [pattern='/manifest.webmanifest'], Ant [pattern='/sw.js'], Ant [pattern='/sw-runtime-resources-precache.js'], Ant [pattern='/offline.html'], Ant [pattern='/offline-stub.html'], Ant [pattern='/icons/icon.png'], Ant [pattern='/themes/**'], Ant [pattern='/icons/icon-144x144.png'], Ant [pattern='/icons/icon-192x192.png'], Ant [pattern='/icons/icon-512x512.png'], Ant [pattern='/icons/icon-16x16.png'], Ant [pattern='/icons/icon-32x32.png'], Ant [pattern='/icons/icon-96x96.png'], Ant [pattern='/icons/icon-180x180.png'], Ant [pattern='/icons/icon-1125x2436.png'], Ant [pattern='/icons/icon-750x1334.png'], Ant [pattern='/icons/icon-1242x2208.png'], Ant [pattern='/icons/icon-640x1136.png']]
2022-05-26 14:40:04.103  WARN 67506 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/images/*.png']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.

Expected behavior

The default configuration shows no warnings

Minimal reproducible example

npx @vaadin/cli init --pre --auth test-auth
cd test-auth
mvn

Versions

Vaadin: 23.1.0.rc1
Flow: 23.1.0.rc2
Java: Homebrew 17.0.1
OS: aarch64 Mac OS X 12.3.1
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36

Artur- avatar May 26 '22 11:05 Artur-

Starter app should be updated after merging https://github.com/vaadin/flow/pull/14303

MarcinVaadin avatar Aug 12 '22 11:08 MarcinVaadin

Creating an application with --latest (currently 23.2.3), I can now see only a single warning:

022-10-06 17:08:53.082  WARN 80941 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/images/*.png']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.

It originates from SecurityConfiguration.configure(WebSecurity web) in the generated project:

    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        web.ignoring().antMatchers("/images/*.png");
    }

mcollovati avatar Oct 06 '22 15:10 mcollovati

What should it be replaced with?

Artur- avatar Oct 06 '22 15:10 Artur-

It should be moved into configure(HttpSecurity http), before the call to super:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/images/*.png").permitAll();
        super.configure(http);
        setLoginView(http, LoginView.class, LOGOUT_URL);
    }

mcollovati avatar Oct 06 '22 15:10 mcollovati
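The two snippets in the thread show the before and after of one method each. As an added example (not code from the Vaadin starter or from anyone in this thread), the class below puts both side by side in a complete security configuration so the difference is visible in one place: `web.ignoring()` removes the matching requests from the Spring Security filter chain altogether, so no CSRF, session or response-header filter ever sees them, which is what the WARN line is pointing at; `permitAll` keeps the request inside the chain and only relaxes the authorization decision for that pattern. It assumes a Vaadin 23 / Spring Security 5.x project whose configuration extends `com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter`, and the `LoginView` class, `LOGOUT_URL` constant and package names are placeholders standing in for whatever the generated project uses.

```java
// Added example, not the generated starter's own code.
// Assumptions (placeholders): the package names, the LoginView class and the
// LOGOUT_URL value. The base class is the Vaadin 23 adapter for Spring Security 5.x.
package com.example.application.security;

import com.example.application.views.login.LoginView; // placeholder location
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurityConfigurerAdapter {

    // Placeholder value; the generated project defines its own.
    private static final String LOGOUT_URL = "/";

    // BEFORE (the form the starter generated, shown here only for comparison;
    // delete it, do not keep both): the pattern is taken out of the security
    // filter chain entirely. Nothing Spring Security normally adds to a response
    // (Cache-Control, X-Content-Type-Options, X-Frame-Options, ...) is applied to
    // these files, and no session or CSRF handling runs for them either.
    // This is the behaviour the WARN log line is warning about.
    //
    // @Override
    // public void configure(WebSecurity web) throws Exception {
    //     super.configure(web);
    //     web.ignoring().antMatchers("/images/*.png");
    // }

    // AFTER: the request still passes through the whole filter chain; only the
    // authorization rule for this pattern is relaxed to "anyone may read it".
    // The rule is registered before super.configure(http) because authorization
    // matchers are evaluated in declaration order, first match wins, and the
    // framework's own rules (assumed here to end with a catch-all
    // anyRequest().authenticated()) have to come after any project-specific
    // permitAll patterns.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/images/*.png").permitAll();
        super.configure(http);
        setLoginView(http, LoginView.class, LOGOUT_URL);
    }
}
```

A quick way to confirm the change took effect: after restarting, the WARN line for `/images/*.png` should be gone from the startup log, and an unauthenticated request for a file under `/images/` should return 200 while still carrying the usual Spring Security response headers, which it did not while the path was ignored.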