3 changes: 0 additions & 3 deletions articles/building-apps/integration/rest-api.adoc
Expand Up @@ -132,10 +132,8 @@ Open the `SecurityConfiguration.java` file and add two additional security confi
----
import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;

import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
Expand All @@ -148,7 +146,6 @@ import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfiguration {

@Bean
5 changes: 0 additions & 5 deletions articles/building-apps/security/add-login/flow.adoc
Expand Up @@ -75,7 +75,6 @@ To instruct Spring Security to use your login view, modify your security configu
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
Expand Down Expand Up @@ -141,12 +140,10 @@ Inside this package, create a [classname]`SecurityConfig` class:
.`SecurityConfig.java`
[source,java]
----
import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
Expand All @@ -156,7 +153,6 @@ import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
Expand Down Expand Up @@ -253,7 +249,6 @@ Modify [classname]`SecurityConfig` to reference the `LoginView`:
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
1 change: 0 additions & 1 deletion articles/building-apps/security/add-login/hilla.adoc
Expand Up @@ -160,7 +160,6 @@ To instruct Spring Security to use your login view, modify your security configu
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
10 changes: 4 additions & 6 deletions articles/building-apps/security/add-login/index.adoc
Expand Up @@ -61,13 +61,12 @@ This is a minimal implementation of a security configuration class:
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) // <1>
class SecurityConfig {

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// Configure Vaadin's security using VaadinSecurityConfigurer
http.with(VaadinSecurityConfigurer.vaadin(), configurer -> { // <2>
http.with(VaadinSecurityConfigurer.vaadin(), configurer -> { // <1>
// TODO Configure the login view
});
return http.build();
Expand All @@ -76,7 +75,7 @@ class SecurityConfig {
@Bean
public UserDetailsManager userDetailsManager() {
LoggerFactory.getLogger(SecurityConfig.class)
.warn("NOT FOR PRODUCTION: Using in-memory user details manager!"); // <3>
.warn("NOT FOR PRODUCTION: Using in-memory user details manager!"); // <2>
var user = User.withUsername("user")
.password("{noop}user")
.roles("USER")
Expand All @@ -89,9 +88,8 @@ class SecurityConfig {
}
}
----
<1> Imports `VaadinAwareSecurityContextHolderStrategyConfiguration`, required for Vaadin security to work with Spring Security.
<2> Always call with `VaadinSecurityConfigurer.vaadin()` -- this ensures that the application is properly configured.
<3> *Tip:* Log a warning message whenever using a configuration that shouldn't end up in production.
<1> Always call with `VaadinSecurityConfigurer.vaadin()` -- this ensures that the application is properly configured.
<2> *Tip:* Log a warning message whenever using a configuration that shouldn't end up in production.

The [classname]`VaadinSecurityConfigurer` class provides essential security configurations out of the box, including:

1 change: 0 additions & 1 deletion articles/building-apps/security/add-logout/flow.adoc
Expand Up @@ -45,7 +45,6 @@ By default, users are redirected to the root URL (`/`) after logging out. To cha
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
1 change: 0 additions & 1 deletion articles/building-apps/security/add-logout/hilla.adoc
Expand Up @@ -46,7 +46,6 @@ By default, users are redirected to the root URL (`/`) after logging out. To cha
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
2 changes: 0 additions & 2 deletions articles/building-apps/security/protect-services/flow.adoc
Expand Up @@ -37,7 +37,6 @@ To enable method security, add [annotationname]`@EnableMethodSecurity` to your s
@EnableMethodSecurity
// end::snippet[]
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
Expand Down Expand Up @@ -113,7 +112,6 @@ Add [annotationname]`@EnableMethodSecurity` to [classname]`SecurityConfig`:
@EnableMethodSecurity
// end::snippet[]
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {
...
}
2 changes: 0 additions & 2 deletions articles/building-apps/security/protect-views/flow.adoc
Expand Up @@ -145,7 +145,6 @@ To enable a custom [interfacename]`NavigationAccessChecker`, create a new [class
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {

@Bean
Expand Down Expand Up @@ -292,7 +291,6 @@ Then update the [methodname]`userDetailsManager()` method of the [classname]`Sec
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfig {
...

1 change: 0 additions & 1 deletion articles/flow/integrations/spring/oauth2.adoc
Expand Up @@ -94,7 +94,6 @@ The post logout redirect URI can be expressed as a relative or absolute URI, or
----
<source-info group="VaadinSecurityConfigurer"></source-info>
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
class SecurityConfiguration {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,6 @@ public class HomeView extends Div { }

@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
8 changes: 2 additions & 6 deletions articles/flow/security/enabling-security.adoc
Expand Up @@ -213,7 +213,6 @@ This is a minimal implementation of such a class:
<source-info group="VaadinSecurityConfigurer"></source-info>
@EnableWebSecurity // <1>
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) // <2>
public class SecurityConfiguration {

@Bean
Expand Down Expand Up @@ -258,7 +257,7 @@ public class SecurityConfiguration {
}
----

Notice the including of [annotationname]`@EnableWebSecurity`, [annotationname]`@Configuration`, and [annotationname]`@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)` annotations on top of the above class. As their names imply, they instruct Spring to enable its security features and configure the Vaadin-aware security context holder strategy.
Notice the including of [annotationname]`@EnableWebSecurity` and [annotationname]`@Configuration` annotations on top of the above class. As their names imply, they instruct Spring to enable its security features.

[classname]`VaadinSecurityConfigurer` is a helper class that configures the common Vaadin-related Spring Security settings. By using it, the view-based access control mechanism is enabled automatically, and no further configuration is needed.

Expand Down Expand Up @@ -565,7 +564,7 @@ To add impersonation for a Vaadin application, create the [classname]`SwitchUser
[source,java]
----
@Bean
public SwitchUserFilter switchUserFilter(VaadinAwareSecurityContextHolderStrategy strategy) {
public SwitchUserFilter switchUserFilter(SecurityContextHolderStrategy strategy) {
SwitchUserFilter filter = new SwitchUserFilter();
filter.setSecurityContextHolderStrategy(strategy);
filter.setUserDetailsService(userDetailsService());
Expand All @@ -576,9 +575,6 @@ To add impersonation for a Vaadin application, create the [classname]`SwitchUser
}
----

[NOTE]
The bean should use `VaadinSecurityContextHolderStrategy` bean to work properly. If the [classname]`SwitchUserFilter` is initialized differently, the wrong security holder is used and the feature won't work. Make sure to add `@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)` on top of your security configuration class.

To secure the impersonation endpoints, configure the HttpSecurity object with the appropriate matchers like so:

[source,java]
11 changes: 3 additions & 8 deletions articles/flow/security/vaadin-security-configurer.adoc
Expand Up @@ -23,7 +23,6 @@ The `VaadinSecurityConfigurer` can be used in a Spring Security configuration cl
----
@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Expand All @@ -35,8 +34,6 @@ public class SecurityConfig {
}
----

The `VaadinAwareSecurityContextHolderStrategyConfiguration` is imported manually to ensure that the [classname]`VaadinSession`-based security context holder is initialized.

==== Applied Configurers

The `VaadinSecurityConfigurer` applies several other Spring Security configurers to set up the security filter chain:
Expand Down Expand Up @@ -194,7 +191,6 @@ Creates and returns a composite `RequestMatcher` for identifying requests that s
----
@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Expand All @@ -216,7 +212,6 @@ To configure multiple filter chains, use `@Order` annotation to specify the orde
----
@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Order(1)
Expand Down Expand Up @@ -283,7 +278,6 @@ public class SecurityConfigurationAPI {

@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Order(1)
Expand Down Expand Up @@ -315,7 +309,6 @@ Vaadin uses annotations to control access to views at the navigation level, whil
----
@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Expand Down Expand Up @@ -380,7 +373,6 @@ safest option.
----
@Configuration
@EnableWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Expand All @@ -393,3 +385,6 @@ public class SecurityConfig {
}
}
----


[discussion-id]`164DDBB1-3DC0-4E30-B8B9-D280BB83341F`
3 changes: 0 additions & 3 deletions articles/hilla/lit/guides/security/spring-login.adoc
Expand Up @@ -43,7 +43,6 @@ To implement your own security configuration, create a new configuration class t
----
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Expand Down Expand Up @@ -509,7 +508,6 @@ The following example demonstrates how to access an SQL database with tables for
<source-info group="VaadinSecurityConfigurer"></source-info>
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {
//...

Expand Down Expand Up @@ -541,7 +539,6 @@ This next example shows how to configure authentication by using an LDAP reposit
<source-info group="VaadinSecurityConfigurer"></source-info>
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {
//...

1 change: 0 additions & 1 deletion articles/hilla/lit/guides/security/spring-stateless.adoc
Expand Up @@ -120,7 +120,6 @@ By default, the JWT and cookies expire thirty minutes after the last server requ
<source-info group="VaadinSecurityConfigurer"></source-info>
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
2 changes: 0 additions & 2 deletions articles/upgrading/index.adoc
Expand Up @@ -739,7 +739,6 @@ The deprecated [classname]`VaadinWebSecurity` class has been removed from Vaadin
<source-info group="VaadinWebSecurity (deprecated since V24.9)"></source-info>
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Expand Down Expand Up @@ -924,7 +923,6 @@ public SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) throws E
----
@EnableWebSecurity // should be already present
@Configuration // should be already present
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfiguration {
}
----
4 changes: 0 additions & 4 deletions src/main/java/com/vaadin/demo/SecurityConfig.java
@@ -1,18 +1,14 @@
package com.vaadin.demo;

import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfig {

@Bean
Original file line number Diff line number Diff line change
@@ -1,11 +1,9 @@
package com.vaadin.demo.fusion.security.authentication;

import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
Expand All @@ -19,7 +17,6 @@
*/
//@EnableWebSecurity
//@Configuration
//@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
public class SecurityConfigDemo {

@Bean
Original file line number Diff line number Diff line change
Expand Up @@ -6,22 +6,19 @@
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.security.web.SecurityFilterChain;

import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
import com.vaadin.flow.spring.security.stateless.VaadinStatelessSecurityConfigurer;

// tag::stateless-configure[]
@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
@Profile("this-is-just-a-demo-class") // hidden-source-line
public class SecurityConfigurer {
