Reputation: 3211
I have an application with Vaadin 8 and Spring Boot. Currently, I'm in the process of adding authentication to this app. So, I enabled Spring Security and started tinkering with it. Basically, I followed this tutorial: https://vaadin.com/tutorials/securing-your-app-with-spring-security/setting-up-spring-security
The approach described there works fine; however, I'm slightly disturbed by the fact that the /VAADIN/** path needs to be publicly available (otherwise, Vaadin doesn't work). I mean, of course, I have protected particular pages by their paths (e.g. /admin) and unauthenticated users won't be able to open them, but isn't exposure of the /VAADIN/** path dangerous? What if some hijacker tries to send some request to the Vaadin servlet outside of the UI (by simply curling it) with some specific headers/parameters? Is it possible that by formatting such a request in some malicious way, the data will actually be returned to this hacker, bypassing Spring Security?
Upvotes: 0
Views: 170
Reputation: 10643
but isn't exposure of /VAADIN/** path dangerous
It is not dangerous per se. The framework itself has just some generic parts there, such as static resources for the client, like the widgetset and theme. Having said that, it is of course something to be noted in application design. For example, you should not put something that includes confidential info in your app as a ThemeResource, but use a ClassResource instead, and things like that.
Upvotes: 1
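The following is an added example, not code from the question, the answer or the linked Vaadin tutorial. It shows the two points of the thread together: a Spring Security configuration that leaves only /VAADIN/** (static client files) public while everything the Vaadin servlet serves dynamically stays behind authentication, and a UI that puts a public logo in a ThemeResource but a confidential file in a ClassResource. It assumes Vaadin 8 on Spring Boot with the Spring Security WebSecurityConfigurerAdapter API, a UI mapped to /admin, a login page at /login, and the hypothetical files img/logo.png (in the theme) and /reports/q1.pdf (on the classpath); the two classes belong in separate source files.

```java
// --- SecurityConfig.java (added example, not the tutorial's own code) ---
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Vaadin 8 sends its own CSRF token with every UIDL request,
            // so Spring's CSRF filter is switched off for this application.
            .csrf().disable()
            .authorizeRequests()
                // Only static client files live here: bootstrap JS,
                // the widgetset and the theme (CSS, images). Nothing under
                // this prefix is rendered from application data.
                .antMatchers("/VAADIN/**").permitAll()
                // Assumed login page path.
                .antMatchers("/login").permitAll()
                // The UI's own path. UIDL (?v-r=uidl) and heartbeat requests
                // for this UI go to this same path, so they inherit the rule.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Everything else the Vaadin servlet serves dynamically,
                // including connector resources under /APP/connector/**
                // (ClassResource, StreamResource), requires a logged-in user.
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll();
    }
}

// --- AdminUI.java (added example, not the tutorial's own code) ---
import com.vaadin.server.ClassResource;
import com.vaadin.server.ThemeResource;
import com.vaadin.server.VaadinRequest;
import com.vaadin.spring.annotation.SpringUI;
import com.vaadin.ui.Image;
import com.vaadin.ui.Link;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

@SpringUI(path = "/admin")
public class AdminUI extends UI {

    @Override
    protected void init(VaadinRequest request) {
        VerticalLayout layout = new VerticalLayout();

        // Public by design: resolves to /VAADIN/themes/<theme>/img/logo.png,
        // a static file anyone can fetch with curl. Fine for a logo,
        // wrong for anything confidential. (Hypothetical file name.)
        layout.addComponent(new Image("Logo", new ThemeResource("img/logo.png")));

        // Served through the Vaadin servlet as a connector resource
        // (/APP/connector/<uiId>/<connectorId>/source/q1.pdf): the URL is
        // bound to this UI instance and its HTTP session, and the request
        // is covered by anyRequest().authenticated() above. A curl without
        // the session cookie gets no file. (Hypothetical classpath file.)
        layout.addComponent(new Link("Quarterly report",
                new ClassResource(AdminUI.class, "/reports/q1.pdf")));

        setContent(layout);
    }
}
```

A quick check of the distinction: after deploying, fetch the theme file and the connector-resource URL shown in the rendered page with curl and no cookies. The first returns the image; the second is redirected to the login page, because the Vaadin servlet only resolves connector resources through the session's UI and Spring Security only lets authenticated requests reach the servlet for that path.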