Secures Vaadin (Flow).
The overall goal is to
- give Spring Security full access control before any request is processed by Vaadin
- only create Vaadin sessions when they are really needed, as these are rather heavy (Vaadin stores the state of the UI in them)
- make Vaadin's `VaadinWebSecurity`/`VaadinSecurityConfigurer` better customizable

`com.vaadin:vaadin-spring` must be provided manually (it is only included with scope `provided` by default, to prevent versioning conflicts).
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;

// The remaining types (OAuth2CookieRememberMeServices, OAuth2RefreshFilter, CSPGenerator,
// CookieBasedRememberRedirectOAuth2LoginProvider, OAuth2LoginUrlStoreAdapter, HstsApplier)
// are provided by the application and the other security modules it uses; MainView is the
// application's own view. Their imports are omitted here.
@EnableWebSecurity
@Configuration
public class MainWebSecurity
{
	@Bean
	protected SecurityFilterChain mainSecurityFilterChain(
		final HttpSecurity http,
		final OAuth2CookieRememberMeServices cookieRememberMeServices,
		final OAuth2RefreshFilter oAuth2RefreshFilter,
		final CSPGenerator cspGenerator,
		final CookieBasedRememberRedirectOAuth2LoginProvider rememberLoginProvider,
		final OAuth2LoginUrlStoreAdapter oAuth2LoginUrlStoreAdapter,
		final HstsApplier hstsApplier)
		throws Exception
	{
		http
			// Security headers: HSTS, the pre-defined Vaadin CSP, X-Content-Type-Options, Referrer-Policy
			.headers(h -> hstsApplier.apply(h)
				.contentSecurityPolicy(p -> p.policyDirectives(cspGenerator.buildCSP()))
				.contentTypeOptions(Customizer.withDefaults())
				.referrerPolicy(p -> p.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN)))
			// OAuth2 login, with the cookie-based "remember login" provider and the login URL store hooked in
			.oauth2Login(c -> {
				c.defaultSuccessUrl("/" + MainView.NAV);
				rememberLoginProvider.configureOAuth2Login(c);
				oAuth2LoginUrlStoreAdapter.postProcess(c);
			})
			.logout(rememberLoginProvider::configureOAuth2Logout)
			// The refresh filter must run before AnonymousAuthenticationFilter
			.addFilterBefore(oAuth2RefreshFilter, AnonymousAuthenticationFilter.class);
		cookieRememberMeServices.install(http);
		// Applied last: Spring Security decides on access before any request reaches Vaadin
		return http
			.with(new TotalVaadinFlowSecurityConfigurer(), Customizer.withDefaults())
			.build();
	}
}
```

Additionally, this module
- contains a pre-defined Content Security Policy for Vaadin
- whitelists CSRF requests that should not be processed by Vaadin
- forces a page reload (for XHR requests) when the authentication expires (401)
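The last point is client-side behaviour: once the server-side authentication has expired, the UI's XHR requests are answered with 401, and the only sensible recovery is a full page load that sends the user through the login flow again. The following is an added example, not the module's own client code, of how such a reload can be triggered from a `fetch` wrapper while guarding against a reload loop (a server that keeps answering 401 after the reload must not reload forever) and ignoring 401s from other origins. The names `decideOn401`, `installAuthExpiryReload` and the `sessionStorage` key are assumptions of this example.

```javascript
// Added example (not the library's client code): reload the page when an XHR-style
// request comes back with 401 because the authentication has expired.

const RELOAD_FLAG = "auth-expired-reload"; // assumed sessionStorage key for the loop guard

// Pure decision function: "reload" only for a 401 from our own origin, and only if
// we have not already reloaded for this expiry (otherwise a server that keeps
// answering 401 would put the browser into a reload loop).
function decideOn401(status, requestUrl, pageOrigin, alreadyReloaded) {
  if (status !== 401) return "pass";
  let target;
  try {
    target = new URL(requestUrl, pageOrigin);
  } catch {
    return "pass"; // unparseable URL: do not act on it
  }
  if (target.origin !== pageOrigin) return "pass"; // a third-party API's 401 is not our session
  if (alreadyReloaded) return "pass";
  return "reload";
}

// Wraps win.fetch so every response is checked; a non-401 response clears the loop guard.
function installAuthExpiryReload(win) {
  const origFetch = win.fetch.bind(win);
  win.fetch = async (input, init) => {
    const res = await origFetch(input, init);
    const url = input && typeof input === "object" && "url" in input ? input.url : String(input);
    const already = win.sessionStorage.getItem(RELOAD_FLAG) === "1";
    if (decideOn401(res.status, url, win.location.origin, already) === "reload") {
      win.sessionStorage.setItem(RELOAD_FLAG, "1");
      win.location.reload();
    } else if (res.status !== 401) {
      win.sessionStorage.removeItem(RELOAD_FLAG);
    }
    return res;
  };
}

// In a browser, install once at page start-up; in Node (no window) nothing happens.
if (typeof window !== "undefined") {
  installAuthExpiryReload(window);
}
```

The decision is kept in a pure function so it can be unit-tested without a browser; the wrapper is the only part that touches `location` and `sessionStorage`.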