Class SpringAccessPathChecker

java.lang.Object
com.vaadin.flow.spring.security.SpringAccessPathChecker
All Implemented Interfaces:
AccessPathChecker, Serializable

public class SpringAccessPathChecker extends Object implements AccessPathChecker
A Spring-specific route path access checker that delegates the check to Spring Security.

It is used in combination with RoutePathAccessChecker to provide path-based security to Flow NavigationAccessControl.

To enable it, define a NavigationAccessControlConfigurer bean, configured using the NavigationAccessControlConfigurer.withRoutePathAccessChecker() method.
 
 @Bean
 NavigationAccessControlConfigurer navigationAccessControlConfigurer() {
     return new NavigationAccessControlConfigurer()
             .withRoutePathAccessChecker().withLoginView(LoginView.class);
 }
 
 

Custom Request Transformer

When using SpringAccessPathChecker with Spring Security request matchers that need to access HttpServletRequest.getUserPrincipal(), you may need to create a custom AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer bean using principalAwareRequestTransformer(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer). This prevents UnsupportedOperationExceptions that can occur when Spring Security request matchers attempt to access user principal information.

 
 @Bean
 @Primary
 HttpServletRequestTransformer customRequestTransformer() {
     return SpringAccessPathChecker.principalAwareRequestTransformer(
             new PathPatternRequestTransformer());
 }
 
 
An alternative is to wrap the individual request matchers using RequestUtil.principalAwareRequestMatcher(RequestMatcher).
 
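 @Bean
 public SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
     http.authorizeRequests(cfg -> cfg.requestMatchers(RequestUtil.principalAwareRequestMatcher(
          request -> {
              // ...
              if (request.getUserPrincipal() == null) {
                  // ...
              }
              // ...
              return true;
          }
     // A matcher must be followed by an access rule; authenticated() is
     // used here for illustration, pick the rule the application needs.
     )).authenticated());
     return http.build();
 }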
 
 
See Also:
  • Constructor Summary

    Constructors
    Constructor
    Description
    SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator)
    Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions.
    SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator, String urlMapping)
    Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions.
  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    hasAccess(String path, Principal principal, Predicate<String> roleChecker)
     
    static org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer
    principalAwareRequestTransformer(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer transformer)
    Provides a security-aware HTTP request transformer that applies additional processing to the transformed request using RequestUtil.PrincipalAwareRequestWrapper.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SpringAccessPathChecker

      public SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator)
      Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions.
      Parameters:
      evaluator - evaluator to check path permissions.
    • SpringAccessPathChecker

      public SpringAccessPathChecker(org.springframework.security.web.access.WebInvocationPrivilegeEvaluator evaluator, String urlMapping)
      Creates a new instance that uses the given WebInvocationPrivilegeEvaluator to check path permissions. It applies the given Vaadin servlet url mapping to the input path before delegating the check to the evaluator.
      Parameters:
      evaluator - evaluator to check path permissions.
      urlMapping - Vaadin servlet url mapping
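
The following added example, which is not part of the Vaadin documentation or code base, uses a recording stub to show which path reaches the evaluator after the servlet url mapping is applied, so that Spring Security rules can be checked against the path actually evaluated. The names UrlMappingProbe and RecordingEvaluator, the /ui/* mapping and the route names are hypothetical; Vaadin and Spring Security are assumed to be on the classpath.

```java
import com.vaadin.flow.spring.security.SpringAccessPathChecker;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Added example: prints the paths SpringAccessPathChecker hands to the evaluator. */
public class UrlMappingProbe {

    /** Hypothetical stub: records every URI it is asked about, denies by default. */
    static class RecordingEvaluator implements WebInvocationPrivilegeEvaluator {
        final List<String> seen = new ArrayList<>();
        final Set<String> allowed;

        RecordingEvaluator(Set<String> allowed) {
            this.allowed = allowed;
        }

        @Override
        public boolean isAllowed(String uri, Authentication authentication) {
            seen.add(uri);
            return allowed.contains(uri); // anything not listed is denied
        }

        @Override
        public boolean isAllowed(String contextPath, String uri, String method,
                Authentication authentication) {
            return isAllowed(uri, authentication);
        }
    }

    public static void main(String[] args) {
        // Constructed input: a stand-in rule set that permits exactly one URI.
        RecordingEvaluator evaluator = new RecordingEvaluator(Set.of("/ui/reports"));
        // Same evaluator behind two Vaadin servlet url mappings (assumed values).
        SpringAccessPathChecker rootMapped = new SpringAccessPathChecker(evaluator, "/*");
        SpringAccessPathChecker uiMapped = new SpringAccessPathChecker(evaluator, "/ui/*");

        for (String route : List.of("reports", "admin/users")) {
            // No principal and no roles are supplied to the checker.
            boolean root = rootMapped.hasAccess(route, null, role -> false);
            boolean ui = uiMapped.hasAccess(route, null, role -> false);
            System.out.printf("route=%s rootMapped=%b uiMapped=%b%n", route, root, ui);
        }
        // These are the paths the Spring Security rules are matched against.
        evaluator.seen.forEach(uri -> System.out.println("evaluated: " + uri));
    }
}
```

A rule written without the servlet mapping prefix will not match the evaluated path, and the decision then falls to whichever rule does match it.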
  • Method Details

    • hasAccess

      public boolean hasAccess(String path, Principal principal, Predicate<String> roleChecker)
      Specified by:
      hasAccess in interface AccessPathChecker
    • principalAwareRequestTransformer

      public static org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer principalAwareRequestTransformer(org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer transformer)
      Provides a security-aware HTTP request transformer that applies additional processing to the transformed request using RequestUtil.PrincipalAwareRequestWrapper.

      A custom AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer bean that handles the HttpServletRequest.getUserPrincipal() method should be exposed by the application when SpringAccessPathChecker is used in conjunction with Spring Security request matchers that need to access that information, to prevent UnsupportedOperationExceptions.

      Parameters:
      transformer - the original HTTP request transformer to be wrapped
      Returns:
      a new HTTP request transformer that wraps the transformed request with enhanced security awareness