Getting Access Denied for all routes (with PermitAll() ) in Vaadin 24 and Azure SSO


I'm trying to get Azure SSO working with a Vaadin app. I have been reading the docs, but I'm still doing something wrong, as I'm getting the Access Denied page with the message:

Could not navigate to '' Reason: Access is denied by annotations on the view.

Available routes:

  • ... All my pages are the same.

I have configured my application.properties with the relevant data:

spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/[TENANT ID]/v2.0
spring.security.oauth2.client.registration.[MY APP].provider=azure
spring.security.oauth2.client.registration.[MY APP].client-id=[CLIENT ID]
spring.security.oauth2.client.registration.[MY APP].client-secret=4[CLIENT SECRET]
spring.security.oauth2.client.registration.[MY APP].scope=profile,openid,email

I have got to my SSO page and logged in and then when the redirect happens I get the error.

I have also got the dependency in my build.gradle file:

implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'

I have defined the Security Config as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Let every HTTP request through Spring Security's filter chain;
        // no login mechanism (oauth2Login) is configured here.
        http.authorizeHttpRequests(auth ->
            auth.requestMatchers(
                AntPathRequestMatcher.antMatcher("/**")).permitAll());
        super.configure(http);
    }
}

And at the top of my views I have, for example, the default route:

@Route(value = "", layout = MainLayout.class)
@PageTitle("Home")
@PermitAll

Any idea what I'm missing here?


There are 3 best solutions below

deadl0ck On BEST ANSWER

So all I needed was actually:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Enable the OAuth2/OIDC login flow using the client registration(s)
        // from application.properties; the view annotations then see an
        // authenticated user after the redirect back from Azure.
        http.oauth2Login(Customizer.withDefaults());
        super.configure(http);
    }
}
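As an added example (not code from the question or from any of the answers), the accepted answer's configuration extended with the two pieces a production Azure SSO setup usually needs next: an RP-initiated logout so that signing out also ends the Azure session, and a mapping of the ID token's roles claim to Spring authorities so that @RolesAllowed works on views. The package name, the AdminView class and the presence of Azure app roles in the "roles" claim are assumptions; the Spring Security and Vaadin APIs used are the standard ones.

```java
package com.example.security; // placeholder package (assumption)

import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

import com.vaadin.flow.component.html.H1;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.spring.security.VaadinWebSecurity;

import jakarta.annotation.security.RolesAllowed;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    private final ClientRegistrationRepository clientRegistrations;

    public SecurityConfig(ClientRegistrationRepository clientRegistrations) {
        this.clientRegistrations = clientRegistrations;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Vaadin defaults: CSRF handling for Vaadin requests, static resources,
        // and the annotation-based view access checker.
        super.configure(http);

        // Authorization Code flow against the registration(s) in application.properties.
        http.oauth2Login(Customizer.withDefaults());

        // RP-initiated logout: invalidate the local session, then send the browser to
        // Azure's end_session endpoint so the IdP session ends as well. Without this,
        // "logout" only clears the app session and the next visit silently signs in again.
        OidcClientInitiatedLogoutSuccessHandler logoutHandler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrations);
        logoutHandler.setPostLogoutRedirectUri("{baseUrl}");
        http.logout(logout -> logout.logoutSuccessHandler(logoutHandler));
    }

    // Maps the ID token's "roles" claim to ROLE_* authorities so that
    // @RolesAllowed("ADMIN") on a view is enforced. Spring picks up a
    // GrantedAuthoritiesMapper bean for oauth2Login automatically.
    // Assumption: Azure app roles are assigned to the user; if the claim is
    // absent, no role is granted and role-restricted views stay closed.
    @Bean
    public GrantedAuthoritiesMapper azureRolesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidc) {
                    List<String> roles = oidc.getIdToken().getClaimAsStringList("roles");
                    if (roles != null) {
                        roles.forEach(role -> mapped.add(new SimpleGrantedAuthority("ROLE_" + role)));
                    }
                }
            }
            return mapped;
        };
    }
}

// Vaadin view access annotations, for comparison with the question's @PermitAll:
//   @AnonymousAllowed - reachable without logging in
//   @PermitAll        - any authenticated user (this is what the question's views use)
//   @RolesAllowed     - only users holding the named role(s)
// AdminView is a hypothetical view added for this example.
@Route(value = "admin")
@RolesAllowed("ADMIN")
class AdminView extends VerticalLayout {
    AdminView() {
        add(new H1("Admin area: only users with the ADMIN app role get here"));
    }
}
```

Note that @PermitAll in Vaadin means "any authenticated user", not "anyone", which is why the question's views were denied: with no oauth2Login configured, nothing ever created an authenticated session, so every @PermitAll view failed the check. Views that must be reachable before login need @AnonymousAllowed instead.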
James On

I had a similar problem because the Spring Boot security documentation is not easy to navigate.

Try with the solution that worked for me:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Let every HTTP request through Spring Security's filter chain;
        // the Vaadin view annotations are still enforced by super.configure(http).
        http.authorizeHttpRequests(authorize ->
                authorize
                        .requestMatchers(new AntPathRequestMatcher("/**"))
                        .permitAll());

        // Exempt the OAuth2 authorization endpoints from Spring's CSRF check.
        http.csrf(csrf ->
                csrf.ignoringRequestMatchers(
                        new AntPathRequestMatcher("/oauth2/authorization/**")));

        super.configure(http);
        // LoginView is the application's own Vaadin login view class.
        setLoginView(http, LoginView.class);
    }
}

The documentation for 5.8.8 shows what the replacement of the hasIpAddress method is (they confusingly also gave the IpAddressMatcher the name hasIpAddress), so follow that instruction.
Construct an authorizeHttpRequests as shown in the documentation, and also consider the note below that code, which basically says it is a bad idea to do this.

Ricardo Gellman On

Why did you set the views with @PermitAll if you already did so in the security config? Also, I would extend OAuth2UserRequestAwareWebSecurityConfigurerAdapter instead of VaadinWebSecurity for pre-defined attributes of your case.

@EnableWebSecurity
@Configuration
public class SecurityConfig extends OAuth2UserRequestAwareWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/**").access("@myUserDetailsService.hasAuthority('ROLE_USER')")
            .and()
            .oauth2Login()
                .loginPage("/login")
                .defaultSuccessUrl("/", true);
    }
}