peholmst/vaadin4spring

Vaadin Shared Security -- default logout URL is hardcoded and undocumented

Opened this issue · 0 comments

I've been having a great deal of trouble incorporating Shared Security into my application, so I decided to restart by directly copying the configuration from the sample application. The only substantive changes I made were to make the login and logout URLs dependent on public constant Strings included on LoginUI and LoginFormView -- for example:

```java
@SpringView(LoginFormView.NAME)
public class LoginFormView extends LoginForm implements View {
    // View name used as the fragment after "#!" in the login UI.
    public static final String NAME = "login";
    // Intended to drive the Spring Security logout URL as well.
    public static final String LOGOUT_NAME = "logout";
    ...
}
```

```java
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout()
                // Closes the Vaadin session in addition to Spring Security's own handling.
                .addLogoutHandler(new VaadinSessionClosingLogoutHandler())
                // Constant referenced here is the one declared above on LoginFormView.
                .logoutUrl(LoginFormView.LOGOUT_NAME)
                .logoutSuccessUrl(LoginUI.PATH + "#!" + LoginFormView.NAME)
                .permitAll()
                .and()
    ....
```

My logout-button simply calls VaadinSharedSecurity.logout():

```java
@Autowired private VaadinSharedSecurity security;
....
logInOutButton.addClickListener((ce) -> security.logout());
```

Tracing out why this didn't work uncovered the fact that the default VaadinLogoutHandler (VaadinRedirectLogoutHandler) has a default logout URL of "/logout". VaadinRedirectLogoutHandler simply tries to redirect to that URL (to hook into Spring Security's logout handling). Unfortunately, this default is not documented.

I can't think of any way to easily autodetect a configured logout-URL -- the associated LogoutFilter that's ordinarily constructed using the HttpSecurity builder isn't registered as a bean, I think. (And besides, LogoutFilter doesn't expose its configured URL as a property.)

At present, the only thing I can think of is to enhance the README.md documentation:

  • call out the assumed default logout-URL
  • specify that you should override the bean-definition for VaadinRedirectLogoutHandler (name = VaadinSharedSecurityConfiguration.VAADIN_LOGOUT_HANDLER_BEAN) to handle custom logout-URLs
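Added example (not code from the issue author or from the vaadin4spring project) of the second bullet: one constant drives both Spring Security's logout filter and the Vaadin-side redirect handler, so the two cannot silently drift apart and leave a "logged out" user with a still-authenticated session. It assumes, as labelled in the comments, that VaadinRedirectLogoutHandler is constructed from a VaadinRedirectStrategy and exposes a setLogoutUrl(String) setter, and that the package names shown are those of vaadin4spring; VaadinSharedSecurityConfiguration.VAADIN_LOGOUT_HANDLER_BEAN, VaadinSessionClosingLogoutHandler, LoginUI.PATH and LoginFormView.NAME are taken from the issue text. The value "/app/logout" is a constructed one.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
// Package names below are assumed to be vaadin4spring's; verify against the version in use.
import org.vaadin.spring.security.shared.VaadinLogoutHandler;
import org.vaadin.spring.security.shared.VaadinRedirectLogoutHandler;
import org.vaadin.spring.security.shared.VaadinSessionClosingLogoutHandler;
import org.vaadin.spring.security.shared.VaadinSharedSecurityConfiguration;
import org.vaadin.spring.security.web.VaadinRedirectStrategy;

@Configuration
@EnableWebSecurity
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Single source of truth for the logout endpoint (constructed value, chosen to differ
     * from the undocumented "/logout" default so a mismatch would be visible).
     * Must be an absolute servlet path, hence the leading slash.
     */
    public static final String LOGOUT_URL = "/app/logout";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout()
                // Also invalidates the Vaadin session, not only the Spring Security context.
                .addLogoutHandler(new VaadinSessionClosingLogoutHandler())
                // Spring Security's LogoutFilter listens on exactly this path.
                .logoutUrl(LOGOUT_URL)
                .logoutSuccessUrl(LoginUI.PATH + "#!" + LoginFormView.NAME)
                .permitAll();
    }

    /**
     * Replaces the auto-configured logout handler (bean name taken from the issue) so that
     * VaadinSharedSecurity.logout() redirects to LOGOUT_URL instead of the built-in "/logout".
     * Assumption: VaadinRedirectLogoutHandler(VaadinRedirectStrategy) and setLogoutUrl(String)
     * exist with these signatures.
     */
    @Bean(name = VaadinSharedSecurityConfiguration.VAADIN_LOGOUT_HANDLER_BEAN)
    VaadinLogoutHandler vaadinLogoutHandler(VaadinRedirectStrategy redirectStrategy) {
        VaadinRedirectLogoutHandler handler = new VaadinRedirectLogoutHandler(redirectStrategy);
        handler.setLogoutUrl(LOGOUT_URL);
        return handler;
    }
}
```

A quick way to confirm the wiring after startup is to click the logout button and watch the network trace: the browser should issue a request to the path in LOGOUT_URL and receive the redirect to the login UI. If the request goes to "/logout" instead, the override bean was not picked up and the user's HTTP session is still authenticated even though the Vaadin UI looks logged out.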