feat: Document VaadinSecurityConfigurer

articles/building-apps/security/add-login/flow.adoc

@@ -31,7 +31,7 @@ public class LoginView extends Main implements BeforeEnterObserver {
     private final LoginForm login;
 
     public LoginView() {
-        addClassNames(LumoUtility.Display.FLEX, LumoUtility.JustifyContent.CENTER, 
+        addClassNames(LumoUtility.Display.FLEX, LumoUtility.JustifyContent.CENTER,
             LumoUtility.AlignItems.CENTER);
         setSizeFull();
         login = new LoginForm();
@@ -70,14 +70,19 @@ To instruct Spring Security to use your login view, modify your security configu
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
 // tag::snippet[]
-        setLoginView(http, LoginView.class);
+            configurer.loginView(LoginView.class);
 // end::snippet[]
+        });
+
+        return http.build();
     }
     ...
 }
@@ -133,23 +138,32 @@ Inside this package, create a [classname]`SecurityConfig` class:
 .SecurityConfig.class
 [source,java]
 ----
-import com.vaadin.flow.spring.security.VaadinWebSecurity;
+import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.provisioning.UserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
 
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
+            configurer.loginView(LoginView.class);
+        });
+
+        return http.build();
     }
 
     @Bean
@@ -198,8 +212,8 @@ public class LoginView extends Main implements BeforeEnterObserver {
     private final LoginForm login;
 
     public LoginView() {
-        addClassNames(LumoUtility.Display.FLEX, 
-            LumoUtility.JustifyContent.CENTER, 
+        addClassNames(LumoUtility.Display.FLEX,
+            LumoUtility.JustifyContent.CENTER,
             LumoUtility.AlignItems.CENTER);
         setSizeFull();
         login = new LoginForm();
@@ -231,14 +245,19 @@ Modify [classname]`SecurityConfig` to reference the `LoginView`:
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
 // tag::snippet[]
-        setLoginView(http, LoginView.class);
+            configurer.loginView(LoginView.class);
 // end::snippet[]
+        });
+
+        return http.build();
     }
     ...
 }

articles/building-apps/security/add-login/hilla.adoc

@@ -56,7 +56,7 @@ Vaadin does not provide a built-in user information type, so you need to define
 [source,java]
 ----
 public record UserInfo(
-    @NonNull String name, 
+    @NonNull String name,
     @NonNull Collection<String> authorities
 ) {
 }
@@ -160,14 +160,19 @@ To instruct Spring Security to use your login view, modify your security configu
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
 // tag::snippet[]
-        setLoginView(http, "/login");
+            configurer.loginView("/login");
 // end::snippet[]
+        });
+
+        return http.build();
     }
     ...
 }
@@ -223,23 +228,32 @@ Inside this package, create a [classname]`SecurityConfig` class:
 .SecurityConfig.class
 [source,java]
 ----
-import com.vaadin.flow.spring.security.VaadinWebSecurity;
+import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
+import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.provisioning.UserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
+
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
+            configurer.loginView("/login");
+        });
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+        return http.build();
     }
 
     @Bean
@@ -274,7 +288,7 @@ Inside this package, create a [recordname]`UserInfo` record:
 import org.jspecify.annotations.NonNull;
 import java.util.Collection;
 
-public record UserInfo(@NonNull String name, 
+public record UserInfo(@NonNull String name,
                        @NonNull Collection<String> authorities) {
 }
 
@@ -395,14 +409,19 @@ Modify [classname]`SecurityConfig` to reference the new login view:
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
 // tag::snippet[]
-        setLoginView(http, "/login");
+            configurer.loginView("/login");
 // end::snippet[]
+        });
+
+        return http.build();
     }
     ...
 }

articles/building-apps/security/add-login/index.adoc

@@ -61,18 +61,22 @@ This is a minimal implementation of a security configuration class:
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http); // <1>
-        // TODO Configure the login view
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
+            configurer.loginView("/login");
+        });
+        return http.build();
     }
 
     @Bean
     public UserDetailsManager userDetailsManager() {
         LoggerFactory.getLogger(SecurityConfig.class)
-            .warn("NOT FOR PRODUCITON: Using in-memory user details manager!"); // <2>
+            .warn("NOT FOR PRODUCTION: Using in-memory user details manager!"); // <1>
         var user = User.withUsername("user")
                 .password("{noop}user")
                 .roles("USER")
@@ -85,17 +89,16 @@ class SecurityConfig extends VaadinWebSecurity {
     }
 }
 ----
-<1> Always call `super.configure()` -- this ensures that the application is properly configured.
-<2> *Tip:* Log a warning message whenever using a configuration that shouldn't end up in production.
+<1> *Tip:* Log a warning message whenever using a configuration that shouldn't end up in production.
 
-The [classname]`VaadinWebSecurity` class provides essential security configurations out of the box, including:
+The [classname]`VaadinSecurityConfigurer` class provides essential security configurations out of the box, including:
 
 * CSRF protection
 * Default request caching
 * Access restriction to Vaadin views and services
 
 [NOTE]
-If you need to customize security rules, such as allowing anonymous access to static resources, do so  _before_ calling `super.configure()`. This is because [classname]`VaadinWebSecurity` applies a *catch-all rule* that requires authentication for _all_ requests.
+If you need to customize security rules, such as allowing anonymous access to static resources, do so in the configuration in [method]`securityFilterChain`. This is because [classname]`VaadinSecurityConfigurer` applies a *catch-all rule* that requires authentication for _all_ requests.
 
 
 == Create a Login View

articles/building-apps/security/add-logout/flow.adoc

@@ -44,14 +44,18 @@ By default, users are redirected to the root URL (`/`) after logging out. To cha
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
 // tag::snippet[]
-        setLoginView(http, LoginView.class, "/logged-out.html"); // <1>
+            configurer.loginView(LoginView.class, "/logged-out.html"); // <1>
 // end::snippet[]
+        });
+        return http.build();
     }
     ...
 }
@@ -141,7 +145,7 @@ public final class MainLayout extends AppLayout {
         userMenuItem.getSubMenu().addItem("View Profile");
         userMenuItem.getSubMenu().addItem("Manage Settings");
 // tag::snippet[]
-        userMenuItem.getSubMenu().addItem("Logout", 
+        userMenuItem.getSubMenu().addItem("Logout",
             event -> authenticationContext.logout()); // <1>
 // end::snippet[]
 

articles/building-apps/security/add-logout/hilla.adoc

@@ -45,14 +45,18 @@ By default, users are redirected to the root URL (`/`) after logging out. To cha
 ----
 @EnableWebSecurity
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        // Configure Vaadin's security using VaadinSecurityConfigurer
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
 // tag::snippet[]
-        setLoginView(http, "/login", "/logged-out.html"); // <1>
+            configurer.loginView(LoginView.class, "/logged-out.html"); // <1>
 // end::snippet[]
+        });
+        return http.build();
     }
     ...
 }

articles/building-apps/security/protect-services/flow.adoc

@@ -37,12 +37,15 @@ To enable method security, add [annotationname]`@EnableMethodSecurity` to your s
 @EnableMethodSecurity
 // end::snippet[]
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
-
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        super.configure(http);
-        setLoginView(http, LoginView.class);
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
+
+    @Bean
+    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
+            configurer.loginView(LoginView.class);
+        });
+        return http.build();
     }
     ...
 }
@@ -113,7 +116,8 @@ Add [annotationname]`@EnableMethodSecurity` to [classname]`SecurityConfig`:
 @EnableMethodSecurity
 // end::snippet[]
 @Configuration
-class SecurityConfig extends VaadinWebSecurity {
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+class SecurityConfig {
     ...
 }
 ----
@@ -180,10 +184,10 @@ public class TaskListView extends Main {
         //if (authenticationContext.hasRole(Roles.ADMIN)) {
 // end::snippet[]
             add(new ViewToolbar("Task List",
-                ViewToolbar.group(description, dueDate, createBtn))); 
+                ViewToolbar.group(description, dueDate, createBtn)));
 // tag::snippet[]
         //} else {
-        //    add(new ViewToolbar("Task List")); 
+        //    add(new ViewToolbar("Task List"));
         //}
 // end::snippet[]
         add(taskGrid);