Add documentation for Custom Authorization Rules and Disabling Features in Vaadin Security (#4485) (#4519)

vaadin-bot · fredpena · peholmst · web-flow · commit f8ee90698a82 · 2025-08-20T15:39:34.000+03:00
Summary
This PR adds detailed for two key sections in Vaadin Security configuration:

Custom Authorization Rules – explains what they are, their use cases, and how they complement Vaadin's annotation-based view access control.
Disabling Features – explains the default behavior of CSRF configuration and Navigation Access Control in VaadinSecurityConfigurer, and when it is safe to disable them.

Co-authored-by: Fred Peña &lt;f.ant.pena@gmail.com&gt;
Co-authored-by: Petter Holmström &lt;petter@vaadin.com&gt;
diff --git a/articles/flow/security/vaadin-security-configurer.adoc b/articles/flow/security/vaadin-security-configurer.adoc
@@ -298,6 +298,19 @@ public class SecurityConfig {
 
 ===== Custom Authorization Rules
 
+In Spring Security, *Custom Authorization Rules* are developer-defined rules that control who can access certain HTTP routes or resources. In Vaadin, they complement the access control already applied to views through annotations like `@PermitAll` or `@RolesAllowed`.
+
+====== Use Cases
+
+- Protect REST endpoints that are not part of Vaadin navigation.
+- Define public routes that don’t require authentication (`/public/**`).
+- Restrict specific areas based on roles (`/admin-only/**`).
+- Allow access to error pages without authentication (`/error`).
+
+====== How It Works With Vaadin
+
+Vaadin uses annotations to control access to views at the navigation level, while Spring Security applies these *Custom Authorization Rules* at the HTTP request level. Both layers work together to ensure a secure application.
+
 [source,java]
 ----
 @Configuration
@@ -327,6 +340,42 @@ public class SecurityConfig {
 
 ===== Disabling Features
 
+The `VaadinSecurityConfigurer` provides some security features enabled by
+default to ensure smooth integration between Vaadin and Spring Security.
+In certain scenarios, you may disable these defaults to apply your own
+custom security configuration.
+
+====== Features That Can Be Disabled
+
+- **CSRF Configuration** (`enableCsrfConfiguration(false)`):  
+  By default, the configurer automatically sets up Spring Security’s CSRF
+  filter so that Vaadin internal framework requests (such as UIDL, heartbeat,
+  and push) are processed without issues.  
+  Disabling this means you will need to handle CSRF configuration yourself,
+  ensuring that internal Vaadin requests are not blocked.
+
+- **Navigation Access Control** (`enableNavigationAccessControl(false)`):  
+  Vaadin enables `NavigationAccessControl` by default to check access
+  annotations (such as `@PermitAll` or `@RolesAllowed`) when navigating
+  between views.  
+  Disabling this means Vaadin will no longer enforce annotation-based
+  navigation security, and you will need to implement your own access control
+  logic for view navigation.
+
+====== When To Disable
+
+You should only disable these features if:
+
+- You have a clear, secure, and tested replacement for the default behavior.
+
+- You understand the implications of removing these protections.
+
+- Your application has special requirements that conflict with the defaults.
+
+In most applications, keeping these features enabled is the recommended and
+safest option.
+
+
 [source,java]
 ----
 @Configuration
@@ -343,4 +392,4 @@ public class SecurityConfig {
         }).build();
     }
 }
-----
+----
