Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spring SecurityContext disappears in StreamResource callback method #5323

Closed
Julius95 opened this issue Mar 21, 2019 · 8 comments
Closed

Spring SecurityContext disappears in StreamResource callback method #5323

Julius95 opened this issue Mar 21, 2019 · 8 comments
Labels
bug spring
Milestone
Abandoned

Comments

@Julius95
Copy link

Julius95 commented Mar 21, 2019
edited
Loading

Tested using the newest bakery app. Spring SecurityContext disappears and becomes Null authentication in StreamResource callback method. Below an example that reproduces the issue.

`@Route("test")
public class TestView extends VerticalLayout {

public TestView() {
    Anchor anchor = new Anchor();
    anchor.add("DOWNLOAD");
    anchor.setHref(new StreamResource("file", () -> createInputStream()));
    add(anchor);
    // SecurityContext returns correct value UsernamePasswordAuthenticationToken.
    System.err.println(SecurityContextHolder.getContext());
}

private InputStream createInputStream() {
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    try {
        outputStream.write("text".getBytes());
    } catch (IOException e) {
        e.printStackTrace();
    }
    // SecurityContextHolder.getContext() returns Null authentication here.
    System.err.println(SecurityContextHolder.getContext());
    return new ByteArrayInputStream(outputStream.toByteArray());
}

}`

Basically I created a simple view that contains only an Anchor element. When I click on the anchor createInputStream method is executed but Spring SecurityContext changes to null authentication.

Expected behaviour: Spring SecurityContext should be the same during user session and not disappear like in createInputStream method.

Actual behaviour: Spring SecurityContext disappears and changes to Null authentication.

  • Versions:
  • Vaadin 13.0.1
  • Spring boot 2.1.0.RELEASE
  • Java 11
  • Windows 10

As a side note I believe the Upload component's callback method addSucceededListener suffers from the same problem.
@ZheSun88
Copy link
Contributor

Hi @Julius95 , Can you verify the same project with JDK 1.8 for us? you can also fork this repository to make the sample project. https://github.com/vaadin/skeleton-starter-flow-spring

@Julius95
Copy link
Author

Julius95 commented Mar 22, 2019
edited
Loading

Just tested with JDK 1.8.0_201 and problem still seems to exist. Tested on the newest bakery app.

@Julius95
Copy link
Author

Okay I just tested with the skeleton project which you suggested and weirdly enough I can't reproduce the issue. It seemed that the skeleton project didn't have Spring Security as dependency but once I added it and tested it I got the expected behaviour. The issue can still be reproduced in bakery app though.

Versions used in skeleton app:

  • JDK 11.0.1
  • Spring Boot 2.1.3.RELEASE

@ZheSun88
Copy link
Contributor

Hi @Julius95 , if i understand correctly, even you add the Spring Security dependency, the app still works in an expected way (no bugs), right?
if in this case, i should move this ticket to bakery instead.

@Julius95
Copy link
Author

Julius95 commented Mar 22, 2019
edited
Loading

Yeah, StreamResource callback method works as expected (no bugs) on skeleton project but the issue can be reproduced in the latest bakery app. Which implies something is wrong with Bakery app imo.

@heruan
Copy link
Member

heruan commented Mar 22, 2019

I had the same issue: just remove /VAADIN from the exclusion list in your WebSecurityConfigurerAdapter, e.g.:

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(
                // the standard favicon URI
                "/favicon.ico",
                // development-mode static resources
                "/bower_components/**", "/icons/**", "/images/**", "/src/**",
                "/manifest.json",
                // webjars and frontend
                "/webjars/**", "/frontend/**",
                // production-mode static resources
                "/build/**", "/frontend-es5/**", "/frontend-es6/**");
    }

@Julius95
Copy link
Author

Julius95 commented Mar 25, 2019
edited
Loading

Thank you @heruan for pointing out the problem. So bakery app comes with following WebSecurityConfiguration:

@Override
public void configure(WebSecurity web) throws Exception 

web.ignoring().antMatchers(
// Vaadin Flow static resources
 "/VAADIN/**", //This is the problematic spot
// the standard favicon URI
"/favicon.ico",
// Rest of configuration omitted for simplicity...
}

We can see that all "/VAADIN/" requests are ignored and won't have SpringSecurityContext. Dynamically created files are mapped to "VAADIN/dynamic/resource" url. When a request to dynamic resource is sent SpringSecurityContext is lost due to "/VAADIN/" configuration since the request url maps to it. To fix this remove "/VAADIN/" configuration or change it to "/VAADIN/static/**". This issue should be moved to bakery app since it contains this problematic configuration.

@ZheSun88 ZheSun88 mentioned this issue Mar 25, 2019
Open
@ZheSun88
Copy link
Contributor

Issue moved to vaadin/bakery-app-starter-flow-spring #755 via ZenHub

@ZheSun88 ZheSun88 added this to the Abandoned milestone Mar 25, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug spring
Projects
None yet
Milestone
Abandoned
Development

No branches or pull requests
3 participants
@heruan @Julius95 @ZheSun88