Vaadin Web Security and Extra Login Parameter

Open ARCHERS opened this issue 2 years ago • 0 comments

Description

In order to set up two-factor authentication in Vaadin, we need to add a verification code (soft token) to the standard login form and configure Spring Security (see https://www.baeldung.com/spring-security-two-factor-authentication-with-soft-token). I create a custom Vaadin login form which includes fields for username, password and verification code. Rather than use Spring's default UserDetailsService, I create a custom AuthenticationProvider, WebAuthenticationDetails and AuthenticationDetailsSource. Previously I registered these in the Spring Security configuration as follows:

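```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private final TOTPWebAuthenticationDetailsSource webAuthenticationDetailsSource;
    private final TOTPAuthenticationProvider authenticationProvider;

    public SecurityConfiguration(TOTPWebAuthenticationDetailsSource webAuthenticationDetailsSource,
                                 TOTPAuthenticationProvider authenticationProvider) {
        this.webAuthenticationDetailsSource = webAuthenticationDetailsSource;
        this.authenticationProvider = authenticationProvider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Register the custom provider that checks the verification code.
        auth.authenticationProvider(authenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Build the custom details object (with the verification code) from each login request.
        http.formLogin().authenticationDetailsSource(webAuthenticationDetailsSource);
    }
}
```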

In moving to the VaadinWebSecurity helper, I think the custom AuthenticationProvider can be registered as a Bean (see https://vaadin.com/docs/latest/security/enabling-security), but I can't see a way to register WebAuthenticationDetailsSource with my custom LoginView.class. So the code below doesn't work (and I don't think mixing the two is recommended anyway):

```java
public class SecurityConfiguration extends VaadinWebSecurity {

    public SecurityConfiguration(TOTPWebAuthenticationDetailsSource webAuthenticationDetailsSource,
                                 TOTPAuthenticationProvider authenticationProvider) {
        this.webAuthenticationDetailsSource = webAuthenticationDetailsSource;
        this.authenticationProvider = authenticationProvider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().authenticationDetailsSource(webAuthenticationDetailsSource);
        super.configure(http);
        setLoginView(http, LoginView.class);
    }

    @Bean
    AuthenticationProvider authenticationProvider;

}
```

Use cases

As a developer I want to be able to use the VaadinWebSecurity helper to pass custom Authentication Details. I suppose the other option is to set up a separate verification form which opens after successful login, but I'm not sure whether the second step can be registered with Spring Security.

Acceptance criteria

Adding a method in VaadinWebSecurity to allow passing Authentication Details

General criteria

Currently using Vaadin 23.3.5

ARCHERS, Aug 17 '23 03:08
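
For reference, an added sketch (not ARCHERS's code, and not part of Vaadin or Spring) of the three custom classes the issue names, written against Spring Security 5 with the `javax.servlet` namespace. The `code` parameter name, the `TotpVerifier` interface and the delegating `passwordProvider` are assumptions; the provider rejects the login when the custom details object is absent, so a details source that never reached the login filter cannot silently skip the second factor.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/** Carries the extra login field next to the remote address and session id. */
class TOTPWebAuthenticationDetails extends WebAuthenticationDetails {
    private final String verificationCode;
    TOTPWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        // "code" is an assumed parameter name; it must match the login form field.
        this.verificationCode = request.getParameter("code");
    }
    String getVerificationCode() { return verificationCode; }
}

/** Called by the form-login filter for each login request to build the details object. */
class TOTPWebAuthenticationDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
        return new TOTPWebAuthenticationDetails(request);
    }
}

// Hypothetical seam for the soft-token check; not a Spring or Vaadin type.
interface TotpVerifier { boolean isValid(String username, String code); }

class TOTPAuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationProvider passwordProvider; // assumed: checks username + password
    private final TotpVerifier verifier;
    TOTPAuthenticationProvider(AuthenticationProvider passwordProvider, TotpVerifier verifier) {
        this.passwordProvider = passwordProvider;
        this.verifier = verifier;
    }
    @Override
    public Authentication authenticate(Authentication auth) {
        Authentication result = passwordProvider.authenticate(auth); // throws on a bad password
        if (result == null) return null; // delegate did not handle this token type
        // Fail closed: a plain WebAuthenticationDetails means no code was ever captured.
        Object details = auth.getDetails();
        String code = details instanceof TOTPWebAuthenticationDetails
                ? ((TOTPWebAuthenticationDetails) details).getVerificationCode() : null;
        if (code == null || !verifier.isValid(result.getName(), code)) {
            throw new BadCredentialsException("Invalid credentials"); // same message for any failure
        }
        return result;
    }
    @Override
    public boolean supports(Class<?> type) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
    }
}
```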