Issue with POST requests on Spring Boot 3/Spring Security 6 Vaadin 24 application


I have a Vaadin application and I am trying to upgrade it from Vaadin 14 to 24, and that brings along an upgrade from Spring Security 5/Spring Boot 2 to Spring Security 6 and Spring Boot 3.

I am having a problem with a route that has an @AnonymousAllowed annotation and accepts an x-www-urlencoded parameter that contains a JSON structure.

I added CommonsRequestLoggingFilter to dump out the request to the log file and I can see that it is arriving into the application.

The parameter arrives into the application and the logger logs the payload = payRequest = JSON structure. That all looks good.

The next line in the logs says

    FilterChainProxy.doFilterInternal - Securing GET /?v-r=init&location=payments-list%2Fexternal-api&query=

And it looks like the parameter (payRequest) has disappeared. When the request routes to the Vaadin view which it does correctly, there are no parameters in the request. It looks like it has been converted to a GET with no parameters.

I am getting to the right place in my application but I appear to have lost the parameters in my POST request on the way.

Appreciate if anyone has any suggestion as to what might be going on. All this works perfectly in Vaadin 14.

    27-11:58:47.616 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.f.CommonsRequestLoggingFilter.beforeRequest - Before request [POST /wbcarpv24sb-2.0.0/payments-list/external-api, client=x.x.x.x]
    27-11:58:47.616 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.s.DispatcherServlet.traceDebug - POST "/wbcarpv24sb-2.0.0/payments-list/external-api", parameters={masked}
    27-11:58:47.617 [https-jsse-nio-8443-exec-24] DEBUG c.v.f.s.VaadinServletConfiguration$RootExcludeHandler.getHandler - Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@2a4e714f
    27-11:58:47.637 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.s.DispatcherServlet.logResult - Completed 200 OK
    27-11:58:47.637 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.f.CommonsRequestLoggingFilter.afterRequest - After request [POST /wbcarpv24sb-2.0.0/payments-list/external-api, client=192.x.x.x, session=FFBDDCFBFE7D5EDD3AE3EBECC9654604, payload=payRequest=%7B%22sid%22%3A%22000000%22%2C%22bu%22%3A%22MKCC%22%2C%22agentId%22%3A%22TestAgent%22%2C%22rurl%22%3A%22digest%22%3A%2266b09ea9e4bc8279a752db5b089e457f3a68a9ae50f776b38a6d842d314b4d4016bc83d734888c1318b9170aa061bbbd70654a1c67c9c42d47ad2a8d5f7f9940%22%7D]
    27-11:58:47.703 [https-jsse-nio-8443-exec-27] DEBUG o.s.s.w.FilterChainProxy.doFilterInternal - Securing GET /?v-r=init&location=payments-list%2Fexternal-api&query=
    ........

    c.S.a.u.c.u.v.x.l.MainLayout.afterNavigation - MainLayout - afterNavigation()payments-list/external-api
    27-11:58:47.821 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - In Set Parameter method of payment list
    27-11:58:47.821 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Context Path/wbcarpv24sb-2.0.0
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Heartbeat = 300
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Production Mode  = true
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Close Idle Sessions = false
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Original Location = payments-list/external-api
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - queryParameters is NOT null ....
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Query String =
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - parametersMap is NOT null .... 0
    27-11:58:47.822 [https-jsse-nio-8443-exec-28] WARN  c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - payRequest IS null

There are 1 best solutions below


I was having a similar problem with my Spring Boot app earlier today and it turns out Spring CSRF protection may cause problems with POST requests. You need to disable it with the HttpSecurity.csrf(Customizer) pattern. Example code for SecurityFilterChain in the SecurityConfig.java file:

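    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    import static org.springframework.security.config.Customizer.withDefaults;

    @Configuration
    public class SecurityConfig {

        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            return http
                    // Turns off CSRF token checking for every request in the application
                    .csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable())
                    .authorizeHttpRequests(auth -> {
                        // Endpoints reachable without authentication
                        auth.requestMatchers("/").permitAll();
                        auth.requestMatchers("/your_endpoint1").permitAll();
                        auth.requestMatchers("/your_endpoint2").permitAll();
                        // Everything else requires a logged-in user
                        auth.anyRequest().authenticated();
                    })
                    .httpBasic(withDefaults())
                    .build();
        }
    }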
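
A narrower variant of the configuration above, added here as an example and not part of the original answer: it exempts only the externally posted route from the CSRF token check and leaves the check on for every other state-changing request. The class name `ScopedCsrfSecurityConfig` and the constant are hypothetical; the path is the one shown in the question's log lines, relative to the context path, and it is an assumption that this is the only route receiving POSTs from outside the application.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class ScopedCsrfSecurityConfig {

    // Assumption: path taken from the question's logs, without the context path.
    private static final String EXTERNAL_POST_PATH = "/payments-list/external-api";

    // Matches only POST requests to the external entry point.
    private static final RequestMatcher EXTERNAL_POST =
            AntPathRequestMatcher.antMatcher(HttpMethod.POST, EXTERNAL_POST_PATH);

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Weak setting, for comparison: csrf(csrf -> csrf.disable())
                // removes the token check from every endpoint.
                // Scoped setting: skip the check only where an external system
                // posts a form and cannot hold a CSRF token for this session.
                .csrf(csrf -> csrf.ignoringRequestMatchers(EXTERNAL_POST))
                .authorizeHttpRequests(auth -> {
                    // The exempt route is anonymous, so the handler has to
                    // validate the posted payload itself before acting on it.
                    auth.requestMatchers(EXTERNAL_POST).permitAll();
                    auth.anyRequest().authenticated();
                })
                .httpBasic(withDefaults())
                .build();
    }
}
```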