So, I want to have the following:
User joins Site.
User gets redirected to /login.
On login, this call happens:
    POST /?v-r=uidl&v-uiId=1 HTTP/1.1
    Host: localhost:8080
    Connection: keep-alive
    Content-Length: 157
    Origin: http://localhost:8080
    User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Mobile Safari/537.36
    Content-type: application/json; charset=UTF-8
    Accept: */*
    Referer: http://localhost:8080/login
    Accept-Encoding: gzip, deflate, br
    Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: JSESSIONID=5B5C4BAE7627F53EAA5C099284329E1A
Because I block / by default via Spring Security, this request won't be successful and I end up getting an "Invalid JSON Response Error".
But if I end up allowing /, authentication seems kinda pointless 😄 ....
What can I do to avoid this?
OK, I looked at the source of the bakery app and used that method:

    import java.util.stream.Stream;
    import javax.servlet.http.HttpServletRequest;
    import com.vaadin.flow.server.ServletHelper;
    import com.vaadin.flow.shared.ApplicationConstants;

    public final class SecurityUtils {
        /**
         * Tests if the request is an internal framework request. The test consists of
         * checking if the request parameter is present and if its value is consistent
         * with any of the request types known.
         *
         * @param request
         *            {@link HttpServletRequest}
         * @return true if is an internal framework request. False otherwise.
         */
        static boolean isFrameworkInternalRequest(HttpServletRequest request) {
            final String parameterValue = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
            return parameterValue != null
                    && Stream.of(ServletHelper.RequestType.values()).anyMatch(r -> r.getIdentifier().equals(parameterValue));
        }
    }

and in the SecurityConfig add this line to HttpSecurity:

    requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()

I leave this here for other people having this issue, if it's OK.
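
How that line can sit in a complete configuration, as an added example that is not code from the bakery app or from the author of this thread. The matcher above keys only on the `v-r` parameter, so the hypothetical `isFrameworkRequestAtRoot` here also checks the path; it assumes the Vaadin servlet is mapped to the application root (as in the `POST /?v-r=uidl` request above) and the `WebSecurityConfigurerAdapter` API with Spring Security 5.1 or later.

```java
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import com.vaadin.flow.server.ServletHelper;
import com.vaadin.flow.shared.ApplicationConstants;

// Added example, not the bakery app's configuration. Assumption: the Vaadin
// servlet is mapped to the application root. Rules for static resources
// (e.g. /VAADIN/**) are omitted here.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                // Vaadin's internal requests carry Vaadin's own CSRF token.
                .ignoringRequestMatchers(SecurityConfig::isFrameworkRequestAtRoot)
            .and().authorizeRequests()
                // Must come before anyRequest(): the first matching rule wins.
                .requestMatchers(SecurityConfig::isFrameworkRequestAtRoot).permitAll()
                .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll();
    }

    // Same parameter test as isFrameworkInternalRequest above, plus a path test,
    // so a "v-r" parameter on any other URL still requires authentication.
    static boolean isFrameworkRequestAtRoot(HttpServletRequest request) {
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (!path.isEmpty() && !"/".equals(path)) {
            return false;
        }
        String type = request.getParameter(ApplicationConstants.REQUEST_TYPE_PARAMETER);
        return type != null && Stream.of(ServletHelper.RequestType.values())
                .anyMatch(r -> r.getIdentifier().equals(type));
    }
}
```

If the Vaadin servlet is mapped somewhere other than the root, the path test has to be adjusted to that mapping.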