flow
flow copied to clipboard
feat: Introduced component-based security configuration for Spring
Description
Introduced component-based security configuration for Spring
Fixes #13910
Type of change
- [ ] Bugfix
- [x] Feature
Checklist
- [x] I have read the contribution guide: https://vaadin.com/docs/latest/guide/contributing/overview/
- [x] I have added a description following the guideline.
- [x] The issue is created in the corresponding repository and I have referenced it.
- [ ] I have added tests to ensure my change is effective and works as intended. - Spring security configuration already covered by
test-spring-security-flow
tests. - [x] New and existing tests are passing locally with my change.
- [x] I have performed self-review and corrected misspellings.
Additional for Feature
type of change
- [x] Enhancement / new feature was discussed in a corresponding GitHub issue and Acceptance Criteria were created.
Unit Test Results
917 files ± 0 917 suites ±0 54m 58s :stopwatch: + 5m 12s 6 008 tests ± 0 5 955 :heavy_check_mark: + 1 53 :zzz: ±0 0 :x: ±0 6 221 runs +13 6 161 :heavy_check_mark: +14 60 :zzz: ±0 0 :x: ±0
Results for commit e12b0b30. ± Comparison against base commit b350740e.
:recycle: This comment has been updated with latest results.
This also fixes first WARN mentioned in #13868 The
pattern='/images/*.png'
is in the starter application so should be fixed there after this is merged. Also stareters should be updated to use the new way.
Changed approach of registering public resources (from ignoring to permitAll) to fix mentioned issues.
Same thought about the old configure(WebSecurity web)
Should we maybe expose a WebSecurityCustomizer
bean with logic previously from configure(WebSecurity web)
?
If we adopt the same pattern, the migration would be likely just change the super class
Same thought about the old
configure(WebSecurity web)
Should we maybe expose aWebSecurityCustomizer
bean with logic previously fromconfigure(WebSecurity web)
? If we adopt the same pattern, the migration would be likely just change the super class
The functionality of configure(WebSecurity web)
has been moved into filterChain(HttpSecurity http)
and TBH I don't see a point leaving empty bean.
Yes, it should be described in migration docs.
After this feature applied, we also need to update the following article to not mention the deprecated adapter, but describe a new approach https://vaadin.com/docs/latest/security/enabling-security
Kudos, SonarCloud Quality Gate passed!
0 Bugs
0 Vulnerabilities
0 Security Hotspots
11 Code Smells
No Coverage information
0.0% Duplication
This ticket/PR has been released with Vaadin 23.2.0.beta2 and is also targeting the upcoming stable 23.2.0 version.