Tested using the newest bakery app. Spring SecurityContext disappears and becomes Null authentication in StreamResource callback method. Below is an example that reproduces the issue.
```java
@Route("test")
public class TestView extends VerticalLayout {
}
```
Basically I created a simple view that contains only an Anchor element. When I click on the anchor createInputStream method is executed but Spring SecurityContext changes to null authentication.
Expected behaviour: Spring SecurityContext should be the same during user session and not disappear like in createInputStream method.
Actual behaviour: Spring SecurityContext disappears and changes to Null authentication.
Versions:
Vaadin 13.0.1
Spring boot 2.1.0.RELEASE
Java 11
Windows 10
Thank you @heruan for pointing out the problem. So bakery app comes with following WebSecurityConfiguration:
```java
@Override
public void configure(WebSecurity web) throws Exception {
    // Requests matching these patterns bypass the Spring Security filter chain
    web.ignoring().antMatchers(
            // Vaadin Flow static resources
            "/VAADIN/**", // This is the problematic spot
            // the standard favicon URI
            "/favicon.ico"
            // Rest of configuration omitted for simplicity...
    );
}
```
We can see that all "/VAADIN/" requests are ignored and won't have SpringSecurityContext. Dynamically created files are mapped to "VAADIN/dynamic/resource" url. When a request to dynamic resource is sent SpringSecurityContext is lost due to "/VAADIN/" configuration since the request url maps to it. To fix this remove "/VAADIN/" configuration or change it to "/VAADIN/static/**". This issue should be moved to bakery app since it contains this problematic configuration.
@Julius95 commented on Thu Mar 21 2019
Tested using the newest bakery app. Spring SecurityContext disappears and becomes Null authentication in StreamResource callback method. Below is an example that reproduces the issue.
```java
@Route("test")
public class TestView extends VerticalLayout {
}
```
Basically I created a simple view that contains only an Anchor element. When I click on the anchor `createInputStream` method is executed but Spring SecurityContext changes to null authentication.
Expected behaviour: Spring SecurityContext should be the same during user session and not disappear like in `createInputStream` method.
Actual behaviour: Spring SecurityContext disappears and changes to Null authentication.
As a side note I believe the Upload component's callback method `addSucceededListener` suffers from the same problem.
@ZheSun88 commented on Fri Mar 22 2019
Hi @Julius95, can you verify the same project with JDK 1.8 for us? You can also fork this repository to make the sample project: https://github.com/vaadin/skeleton-starter-flow-spring
@Julius95 commented on Fri Mar 22 2019
Just tested with JDK 1.8.0_201 and problem still seems to exist. Tested on the newest bakery app.
@Julius95 commented on Fri Mar 22 2019
Okay I just tested with the skeleton project which you suggested and weirdly enough I can't reproduce the issue. It seemed that the skeleton project didn't have Spring Security as dependency but once I added it and tested it I got the expected behaviour. The issue can still be reproduced in bakery app though.
Versions used in skeleton app:
@ZheSun88 commented on Fri Mar 22 2019
Hi @Julius95, if I understand correctly, even if you add the Spring Security dependency, the app still works in an expected way (no bugs), right?
If that is the case, I should move this ticket to bakery instead.
@Julius95 commented on Fri Mar 22 2019
Yeah, StreamResource callback method works as expected (no bugs) on skeleton project but the issue can be reproduced in the latest bakery app. Which implies something is wrong with Bakery app imo.
@heruan commented on Fri Mar 22 2019
I had the same issue: just remove `/VAADIN` from the exclusion list in your `WebSecurityConfigurerAdapter`, e.g.:
@Julius95 commented on Mon Mar 25 2019
Thank you @heruan for pointing out the problem. So bakery app comes with following WebSecurityConfiguration:
We can see that all "/VAADIN/" requests are ignored and won't have SpringSecurityContext. Dynamically created files are mapped to "VAADIN/dynamic/resource" url. When a request to dynamic resource is sent SpringSecurityContext is lost due to "/VAADIN/" configuration since the request url maps to it. To fix this remove "/VAADIN/" configuration or change it to "/VAADIN/static/**". This issue should be moved to bakery app since it contains this problematic configuration.
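The effect of the ignore pattern discussed in this thread, as an added example that is not part of the original issue or of the bakery code: it reports which ignored patterns cover a path whose server-side callback needs the SecurityContext, so the check can run as a unit test against an ignore list. It uses Spring's `AntPathMatcher` as an approximation of the matching Spring Security applies to `antMatchers`; the class name, the `findBypasses` helper and the sample resource path are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Added example: checks a Spring Security ignore list against the dynamic
// resource path named in this thread. Class and helper names are hypothetical.
public class IgnoreListCheck {

    // Ignore list as shipped in the bakery configuration quoted above.
    static final List<String> BEFORE = List.of("/VAADIN/**", "/favicon.ico");

    // Ignore list after the fix proposed in the thread.
    static final List<String> AFTER = List.of("/VAADIN/static/**", "/favicon.ico");

    // Paths that trigger server-side callbacks (StreamResource) and therefore
    // need the SecurityContext. Constructed sample URL under the
    // VAADIN/dynamic/resource prefix mentioned in the thread.
    static final List<String> NEEDS_CONTEXT =
            List.of("/VAADIN/dynamic/resource/1/abc123/report.txt");

    // Returns one entry per (pattern, path) pair where an ignored pattern
    // would take a context-dependent path out of the security filter chain.
    static List<String> findBypasses(List<String> ignored, List<String> paths) {
        AntPathMatcher matcher = new AntPathMatcher();
        List<String> hits = new ArrayList<>();
        for (String pattern : ignored) {
            for (String path : paths) {
                if (matcher.match(pattern, path)) {
                    hits.add(pattern + " covers " + path);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // A non-empty list means the callback will run without authentication data.
        System.out.println("before: " + findBypasses(BEFORE, NEEDS_CONTEXT));
        System.out.println("after:  " + findBypasses(AFTER, NEEDS_CONTEXT));
    }
}
```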