Flow: Spring SecurityContext disappears in StreamResource callback method

Created on 21 Mar 2019 · 8Comments · Source: vaadin/flow

Tested using the newest bakery app. Spring SecurityContext disappears and becomes Null authentication in StreamResource callback method. Below an example that reproduces the issue.

`@Route("test")
public class TestView extends VerticalLayout {

public TestView() {
    Anchor anchor = new Anchor();
    anchor.add("DOWNLOAD");
    anchor.setHref(new StreamResource("file", () -> createInputStream()));
    add(anchor);
    // SecurityContext returns correct value UsernamePasswordAuthenticationToken.
    System.err.println(SecurityContextHolder.getContext());
}

private InputStream createInputStream() {
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    try {
        outputStream.write("text".getBytes());
    } catch (IOException e) {
        e.printStackTrace();
    }
    // SecurityContextHolder.getContext() returns Null authentication here.
    System.err.println(SecurityContextHolder.getContext());
    return new ByteArrayInputStream(outputStream.toByteArray());
}

Basically I created a simple view that contains only an Anchor element. When I click on the anchor createInputStream method is executed but Spring SecurityContext changes to null authentication.

Expected behaviour: Spring SecurityContext should be the same during user session and not disappear like in createInputStream method.

Actual behaviour: Spring SecurityContext disappears and changes to Null authentication.

Versions:
- Vaadin 13.0.1
- Spring boot 2.1.0.RELEASE
- Java 11
- Windows 10

As a side note I believe the Upload component's callback method addSucceededListener suffers from the same problem.

bug spring

Source

Julius95

All 8 comments

Hi @Julius95 , Can you verify the same project with JDK 1.8 for us? you can also fork this repository to make the sample project. https://github.com/vaadin/skeleton-starter-flow-spring

ZheSun88 on 22 Mar 2019

Just tested with JDK 1.8.0_201 and problem still seems to exist. Tested on the newest bakery app.

Julius95 on 22 Mar 2019

Okay I just tested with the skeleton project which you suggested and weirdly enough I can't reproduce the issue. It seemed that the skeleton project didn't have Spring Security as dependency but once I added it and tested it I got the expected behaviour. The issue can still be reproduced in bakery app though.

Versions used in skeleton app:

JDK 11.0.1
Spring Boot 2.1.3.RELEASE

Julius95 on 22 Mar 2019

Hi @Julius95 , if i understand correctly, even you add the Spring Security dependency, the app still works in an expected way (no bugs), right?
if in this case, i should move this ticket to bakery instead.

ZheSun88 on 22 Mar 2019

Yeah, StreamResource callback method works as expected (no bugs) on skeleton project but the issue can be reproduced in the latest bakery app. Which implies something is wrong with Bakery app imo.

Julius95 on 22 Mar 2019

I had the same issue: just remove /VAADIN from the exclusion list in your WebSecurityConfigurerAdapter, e.g.:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                // the standard favicon URI
                "/favicon.ico",
                // development-mode static resources
                "/bower_components/**", "/icons/**", "/images/**", "/src/**",
                "/manifest.json",
                // webjars and frontend
                "/webjars/**", "/frontend/**",
                // production-mode static resources
                "/build/**", "/frontend-es5/**", "/frontend-es6/**");
    }

heruan on 22 Mar 2019

Thank you @heruan for pointing out the problem. So bakery app comes with following WebSecurityConfiguration:

@Override
public void configure(WebSecurity web) throws Exception 

web.ignoring().antMatchers(
// Vaadin Flow static resources
 "/VAADIN/**", //This is the problematic spot
// the standard favicon URI
"/favicon.ico",
// Rest of configuration omitted for simplicity...
}

We can see that all "/VAADIN/" requests are ignored and won't have SpringSecurityContext. Dynamically created files are mapped to "VAADIN/dynamic/resource" url. When a request to dynamic resource is sent SpringSecurityContext is lost due to "/VAADIN/" configuration since the request url maps to it. To fix this remove "/VAADIN/" configuration or change it to "/VAADIN/static/**". This issue should be moved to bakery app since it contains this problematic configuration.

Julius95 on 25 Mar 2019

👀1 👍1

Issue moved to vaadin/bakery-app-starter-flow-spring #755 via ZenHub

ZheSun88 on 25 Mar 2019

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Regression: `hidden` attribute is set to false when server instantiates the component

manolo · 3Comments

When opening an application based on Hummingbird I want a subtle but noticeable notification telling me that the application is not in production mode so that I can take needed steps before going into production

Artur- · 4Comments

Vaadin flow 14.0.13 compile error with openjdk 13

rucko24 · 3Comments

Imprve Binder API for read-only properties

mstahv · 3Comments

Automatically detect the node and npm binaries or download them, if not detected

SomeoneToIgnore · 4Comments