Skip to content

feat: Document VaadinSecurityConfigurer #4420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Aug 6, 2025
Merged

feat: Document VaadinSecurityConfigurer #4420

merged 24 commits into from
Aug 6, 2025

Conversation

mshabarov
Copy link
Contributor

@mshabarov mshabarov commented Jul 3, 2025
edited by tltv
Loading

Upgrades the Navigation Access Control docs to use VaadinSecurityConfigurer.
Adds API description for VaadinSecurityConfigurer and examples (perhaps deserves a separate chapter).
Upgrades Enable Security chapter to use VSC.
Upgrades other articles where VaadinWebSecurity was used.
Splits all related code examples into two tabs: one for VaadinSecurityConfigurer and other for deprecated VaadinWebSecurity.

Part-of #4298

tltv
tltv reviewed Jul 16, 2025
View reviewed changes
tltv added 5 commits July 21, 2025 17:39
@tltv
Update more code examples to use VaadinSecurityConfigurer
00d5f6e 
Updating more examples to use tabs to keep old VaadinWebSecurity examples.
@tltv
Update Upgrading from Vaadin 23 Guide
4186268 
Updated for VaadinSecurityConfigurer.
@tltv
Update hilla upgrade guide and rest of the examples
0105465 
Updated for VaadinSecurityConfigurer.
@tltv
Updated for VaadinSecurityConfigurer
e201e34 
Updated deprecated antMatchers.
@tltv
Merge branch 'latest' into security-configurer-example
3c0977b
@tltv
Copy link
Member

tltv commented Jul 22, 2025

I've updated all remaining pages for VaadinSecurityConfigurer. Code examples are split in two tabs, one for new VaadinSecurityConfigurer, other for deprecated VaadinWebSecurity.

This PR assumes that VaadinWebSecurity class will be deprecated starting from 24.8 to be removed in next major release.

@mcollovati mcollovati self-requested a review July 22, 2025 10:01
mcollovati
mcollovati requested changes Jul 22, 2025
View reviewed changes
fredpena
fredpena suggested changes Jul 25, 2025
View reviewed changes
Copy link
Contributor

@fredpena fredpena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Update for Spring 6.5+ compatibility

articles/flow/security/enabling-security.adoc Outdated
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// Configure your static resources with public access
http.authorizeHttpRequests(auth -> auth.requestMatchers(new AntPathRequestMatcher("/public/**"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Update for Spring 6.5+ compatibility

As of Spring Security 6.5, AntPathRequestMatcher is deprecated. It is recommended to use the new path matching mechanism based on PathPatternParser, which offers better integration with Spring’s routing system.

Instead of:

http.authorizeHttpRequests(auth -> auth
  .requestMatchers(new AntPathRequestMatcher("/public/**"))
  .permitAll());

It’s better to update to:

http.authorizeHttpRequests(auth -> auth
  .requestMatchers("/public/**")
  .permitAll());

Here’s a more advanced example using the recommended syntax:

http.authorizeHttpRequests(authorize -> authorize
        .requestMatchers("/images/*.png", "/icons/**")
        .permitAll()
        .requestMatchers("/public/**")
        .anonymous()
        .requestMatchers("/admin/**")
        .hasRole("ADMIN"));

This not only simplifies the code but also ensures future compatibility and removes deprecation warnings in newer Spring versions.

mcollovati
mcollovati reviewed Jul 28, 2025
View reviewed changes
mcollovati
mcollovati reviewed Jul 28, 2025
View reviewed changes
mcollovati
mcollovati reviewed Jul 28, 2025
View reviewed changes
articles/hilla/lit/guides/security/spring-login.adoc Outdated
.`SecurityConfig.java`
[source,java]
----
<source-info group="VaadinWebSecurity (deprecated since V24.8)"></source-info>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most likely the VaadinWebSecurity example should be updated in the same way

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We discussed this topic and concluded that AuthenticationManagerBuilder is still supported with newer Spring, but it's not recommended way anymore. Therefore using it in old examples is acceptable.

However, it may seem a bit weird that the two side-by-side example configure a non-Vaadin related bean in different ways.

But in other hand, keeping old example as is may work as a nicer transition to newer API for old users. New users probably just ignore deprecated example anyway. Deprecated example will be removed in Vaadin 25 docs.

tltv added 2 commits July 28, 2025 15:50
@tltv
Joined two notes
43c5693
@tltv
Remove deprecated ant matchers from examples
646d7d3 
This change leaves still all examples using VaadinWebSecurity class untouched.
@mshabarov mshabarov marked this pull request as ready for review August 6, 2025 11:30
@mshabarov mshabarov requested a review from mcollovati August 6, 2025 12:38
@mshabarov mshabarov merged commit 3497c1e into latest Aug 6, 2025
2 of 5 checks passed
@mshabarov mshabarov deleted the security-configurer-example branch August 6, 2025 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tltv tltv tltv left review comments

@fredpena fredpena fredpena requested changes

@mcollovati mcollovati mcollovati approved these changes

Assignees
No one assigned
Labels
flow
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mshabarov @tltv @mcollovati @fredpena