I'm currently developing a Vaadin 8 app with Spring Boot and, as I've read in many posts, the correct way of securing a view is to annotate the class with @PreAuthorize. I'm doing that to protect views like this:
import com.vaadin.spring.annotation.SpringView;
import org.springframework.security.access.prepost.PreAuthorize;

@SpringView(name="arinteractions")
@PreAuthorize("hasAuthority('OWNER') or hasAuthority('ADMIN')")
public class ARInteractionsView extends SideMenuViewBase {
    // view body not shown in the question
}
The first problem I encountered was that my roles didn't have the ROLE_ prefix, so I added that.
Still, Spring was allowing the user to enter any view just by typing its URL (which in Vaadin is a hashbang like #!interactionview).
Adding this allows the user with access to enter the view, but also users without access. When a user without the roles tries to enter the views, they open. The logs show:
Found view ARStorageBanksView annotated with @PreAuthorize but no access decision manager. Granting access.
And also an exception is thrown:
org.springframework.security.access.AccessDeniedException
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.4.RELEASE.jar:5.0.4.RELEASE]
I tried adding an access decision manager by adding a bean-creating method in the security config, but I didn't find any documentation on how to implement this correctly.
Also, adding the access decision manager only made it worse. All views became blocked and the logs showed that the views 'didn't exist'.
What I did to solve it was to use the old @Secured annotation, which for some reason is working flawlessly.
Spring Security roles and authorities are very confusing. Some of its objects are strings, some are plain objects, the auth scripts are hard to debug, and the conventions that are required aren't obvious.
So the question is: what is the correct way of setting up security so that I can use the newer @PreAuthorize?
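As an added example (not code from the question or the answer), one way to expose the AccessDecisionManager bean that the "no access decision manager" warning refers to, built from Spring Security 5.0's own voters. It assumes the Vaadin view access control passes the @PreAuthorize expression to that bean as a PreInvocationAttribute; the class name ViewSecurityConfig is invented.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

// Added example, not from the question: class name is made up.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ViewSecurityConfig {

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        // This voter evaluates the SpEL inside @PreAuthorize
        // (hasAuthority(...), hasRole(...), ...) against the current Authentication.
        ExpressionBasedPreInvocationAdvice advice = new ExpressionBasedPreInvocationAdvice();
        advice.setExpressionHandler(new DefaultMethodSecurityExpressionHandler());
        PreInvocationAuthorizationAdviceVoter preAuthorizeVoter =
                new PreInvocationAuthorizationAdviceVoter(advice);

        // RoleVoter handles plain ROLE_* attributes (the ones @Secured produces);
        // AuthenticatedVoter handles IS_AUTHENTICATED_* attributes.
        List<AccessDecisionVoter<?>> voters = Arrays.<AccessDecisionVoter<?>>asList(
                preAuthorizeVoter, new RoleVoter(), new AuthenticatedVoter());

        // AffirmativeBased grants on the first ACCESS_GRANTED vote; with no grant
        // it throws AccessDeniedException (the AffirmativeBased.decide frame seen
        // in the question). By default it also denies when every voter abstains.
        return new AffirmativeBased(voters);
    }
}
```

A manager whose voters all abstain on the attributes they are handed denies everything, so if views go missing after adding a manager, check that at least one voter actually supports the attribute type the view access control passes in.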
I think there is nothing wrong with using @Secured, especially if it works. The Vaadin reference application (Bakery) has been implemented using that as well. See more at: https://vaadin.com/start/v8-full-stack-spring