Allow adding authorization request matcher after Vaadin rules in VaadinWebSecurity

Open mcollovati opened this issue 1 year ago • 4 comments

Describe your motivation

When using VaadinWebSecurity as a base class to configure Spring Security, you can only add request matchers before calling super.configure() because that method sets a final anyRequest().authenticated() rule.

It could be helpful in some situations (e.g. request matcher with heavy logic) to specify application security rules after the ones defined by Vaadin, but before the anyRequest().

See also related discussion on Vaadin forum

Describe the solution you'd like

Provide two hooks in VaadinWebSecurity to prepend and append custom request matchers. The methods will be invoked by VaadinWebSecurity.configure() before and after Vaadin matchers.

```java
class VaadinWebSecurity {
    protected void prependRequestAuthorization(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        // no-op by default
    }

    protected void appendRequestAuthorization(AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        // no-op by default
    }

    protected void configure(HttpSecurity http) throws Exception {
        ....
        http.authorizeHttpRequests(urlRegistry -> {

            prependRequestAuthorization(urlRegistry);

            // Vaadin request matchers

            appendRequestAuthorization(urlRegistry);

            // all other requests require authentication
            urlRegistry.anyRequest().authenticated();
        });

        ....
    }
}
```

Describe alternatives you've considered

Currently, it seems there is no way to add request matchers after Vaadin ones.

Additional context

mcollovati avatar Apr 30 '24 07:04 mcollovati
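As an added example (not code from the issue or from Vaadin itself): how an application subclass would use the two proposed hooks, assuming VaadinWebSecurity gains `prependRequestAuthorization` and `appendRequestAuthorization` as sketched above. The `/public/**` and `/reports/**` paths, `ROLE_ANALYST` and the `AppSecurityConfig` class name are constructed for the illustration.

```java
// Added example: uses the hooks PROPOSED in this issue (assumed to exist on
// VaadinWebSecurity); everything else is standard Spring Security 6 API.
import java.util.function.Supplier;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class AppSecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Installs Vaadin's matchers and the final anyRequest().authenticated();
        // the two hooks below are called from inside this method.
        super.configure(http);
        setLoginView(http, "/login");
    }

    // Evaluated BEFORE the Vaadin matchers: keep this to cheap, static rules.
    @Override
    protected void prependRequestAuthorization(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.requestMatchers("/public/**").permitAll();
    }

    // Evaluated AFTER the Vaadin matchers but BEFORE anyRequest(): Vaadin's own
    // internal requests never reach this heavier, per-request check.
    @Override
    protected void appendRequestAuthorization(
            AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry registry) {
        registry.requestMatchers("/reports/**").access(reportAccess());
    }

    // Custom AuthorizationManager: deny unless the caller is authenticated and
    // holds ROLE_ANALYST (constructed role name). Deny-by-default on any doubt.
    private AuthorizationManager<RequestAuthorizationContext> reportAccess() {
        return (Supplier<Authentication> auth, RequestAuthorizationContext ctx) -> {
            Authentication a = auth.get();
            boolean allowed = a != null && a.isAuthenticated()
                    && a.getAuthorities().stream()
                       .anyMatch(g -> "ROLE_ANALYST".equals(g.getAuthority()));
            return new AuthorizationDecision(allowed);
        };
    }
}
```

Because Spring Security evaluates `authorizeHttpRequests` rules first-match in registration order, the `/reports/**` rule only applies to requests that none of Vaadin's matchers already claimed, which is exactly the ordering the issue asks for.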

Quick comment: Make Vaadin's security configuration less intrusive, e.g. no overwriting or anything, by using the proper "FilterChain" level, allowing people to register their own filter in front of or after Vaadin (more easily).

Why? Allowing developers to apply their Spring Security knowledge without all the protected Vaadin methods they could have overridden, which makes it quite hard for them to grasp all the possible things with Spring Security and another layer of Vaadin on top.

knoobie avatar Apr 30 '24 07:04 knoobie

@knoobie do you mean, for example, define specific securityMatchers() in VaadinWebSecurity, or something else/in addition?

mcollovati avatar Apr 30 '24 07:04 mcollovati

I was thinking about something like this (not technically perfect; just an idea):

```java
@Bean
@Order
@DefaultBeanThatCanBeExcludedOrOverwritten
public SecurityFilterChain vaadinDefaultFilterChain(VaadinSecurityConfig config, HttpSecurity http) {
    // only vaadin internal communication / VAADIN/**
    // do stuff based on config.. e.g. config.isViewSecurityEnabled()
    return http.build();
}

@Bean
@Order
@DefaultBeanThatCanBeExcludedOrOverwritten
public SecurityFilterChain hillaDefaultFilterChain(HttpSecurity http) {
    // only hilla internal communication
    return http.build();
}

@Bean
@Order
public SecurityFilterChain userCustomStuff(HttpSecurity http) {
    // user stuff
    return http.build();
}
```

knoobie avatar Apr 30 '24 09:04 knoobie