feat: Introduced component-based security configuration for Spring

Open MarcinVaadin opened this issue 1 year ago • 6 comments

Description

Introduced component-based security configuration for Spring

Fixes #13910

Type of change

  • [ ] Bugfix
  • [x] Feature

Checklist

  • [x] I have read the contribution guide: https://vaadin.com/docs/latest/guide/contributing/overview/
  • [x] I have added a description following the guideline.
  • [x] The issue is created in the corresponding repository and I have referenced it.
  • [ ] I have added tests to ensure my change is effective and works as intended. - Spring security configuration already covered by test-spring-security-flow tests.
  • [x] New and existing tests are passing locally with my change.
  • [x] I have performed self-review and corrected misspellings.

Additional for Feature type of change

  • [x] Enhancement / new feature was discussed in a corresponding GitHub issue and Acceptance Criteria were created.

MarcinVaadin • Aug 09 '22 13:08

Unit Test Results

917 files ±0
917 suites ±0
54m 58s :stopwatch: +5m 12s
6 008 tests ±0: 5 955 :heavy_check_mark: +1, 53 :zzz: ±0, 0 :x: ±0
6 221 runs +13: 6 161 :heavy_check_mark: +14, 60 :zzz: ±0, 0 :x: ±0

Results for commit e12b0b30. ± Comparison against base commit b350740e.

:recycle: This comment has been updated with latest results.

github-actions[bot] • Aug 09 '22 14:08

This also fixes the first WARN mentioned in #13868. The pattern='/images/*.png' is in the starter application, so it should be fixed there after this is merged. Also, starters should be updated to use the new way.

Changed the approach of registering public resources (from ignoring to permitAll) to fix the mentioned issues.

MarcinVaadin • Aug 12 '22 11:08

Same thought about the old configure(WebSecurity web). Should we maybe expose a WebSecurityCustomizer bean with the logic previously in configure(WebSecurity web)? If we adopt the same pattern, the migration would likely be just changing the superclass.

mcollovati • Aug 12 '22 12:08

> Same thought about the old configure(WebSecurity web). Should we maybe expose a WebSecurityCustomizer bean with the logic previously in configure(WebSecurity web)? If we adopt the same pattern, the migration would likely be just changing the superclass.

The functionality of configure(WebSecurity web) has been moved into filterChain(HttpSecurity http) and TBH I don't see a point in leaving an empty bean.

Yes, it should be described in migration docs.

MarcinVaadin • Aug 12 '22 12:08
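
The move discussed above, from ignoring public resources in configure(WebSecurity web) to permitting them inside a filterChain(HttpSecurity http) bean, sketched as an added example in plain Spring Security. It is not code from this PR or from Vaadin; it assumes the Spring Security 5.7 API, and the class name and the form-login setup are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Before (deprecated adapter style, kept as a comment for comparison):
//
//   @EnableWebSecurity
//   public class OldSecurityConfig extends WebSecurityConfigurerAdapter {
//       @Override
//       public void configure(WebSecurity web) {
//           // Matching requests bypass the security filter chain entirely:
//           // no security response headers, no SecurityContext.
//           web.ignoring().antMatchers("/images/*.png");
//       }
//
//       @Override
//       protected void configure(HttpSecurity http) throws Exception {
//           http.authorizeRequests().anyRequest().authenticated()
//               .and().formLogin();
//       }
//   }

// After: component-based configuration, no superclass required.
@Configuration
@EnableWebSecurity
public class ExampleSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Public resources remain inside the filter chain, so the
                // chain's other filters still apply, but no authentication
                // is required to fetch them.
                .antMatchers("/images/*.png").permitAll()
                // Everything else requires an authenticated user.
                .anyRequest().authenticated()
            .and()
            .formLogin();
        return http.build();
    }
}
```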

After this feature is applied, we also need to update the following article to not mention the deprecated adapter, but describe the new approach: https://vaadin.com/docs/latest/security/enabling-security

mshabarov • Aug 12 '22 12:08

Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (rating A)
  • 0 Vulnerabilities (rating A)
  • 0 Security Hotspots (rating A)
  • 11 Code Smells (rating A)

No Coverage information
0.0% Duplication

sonarcloud[bot] • Aug 16 '22 12:08

This ticket/PR has been released with Vaadin 23.2.0.beta2 and is also targeting the upcoming stable 23.2.0 version.

vaadin-bot • Aug 18 '22 08:08