Vaadin security enhancements (#1003)

* Removed VaadinManagedSecurity configuration from MgmtUiAutoConfiguration
* Added SessionFixationProtectionStrategy for additional protection of UI session authentication
* Added VaadinSessionClosingLogoutHandler to log out from all UI sessions
* Added AccessDecisionManager to UI security configuration in order to support method security in UI in the context of VaadinSharedSecurity
* Changed UI push transport from WEBSOCKET to WEBSOCKET_XHR to solve problems with Spring Security Context
* Suppressed atmosphere IOUtils false-positive warning
* Removed obsolete AsyncVaadinServletConfiguration
* Defined Vaadin4SpringServlet bean instead of plain SpringVaadinServlet for configuration flexibility
* Removed obsolete SpringSecurityAtmosphereInterceptor because the client does not communicate with the server using websocket protocol anymore
* Removed unit test for SpringSecurityAtmosphereInterceptor
* Removed obsolete AuthenticationManagerConfigurer coming from Vaadin Managed Security in InMemoryUserManagementAutoConfiguration
* Removed SessionFixationProtectionStrategy and VaadinSessionClosingLogoutHandler because all wrapper sessions are invalidated when the session managed by Spring gets invalidated together with configured HttpSessionEventPublisher events
* Added call to close the current session before logout redirect
* Added comment on why we used WEBSOCKET_XHR instead of WEBSOCKET

Signed-off-by: Bogdan Bondar <Bogdan.Bondar@bosch.io>
Bondar Bogdan
2020-09-03 10:35:22 +02:00
committed by GitHub
parent fe8569593e
commit 0e4b67895e
11 changed files with 84 additions and 224 deletions


@@ -32,11 +32,13 @@ import com.vaadin.spring.navigator.SpringViewProvider;
* A {@link SpringUI} annotated class must be present in the classpath. The
* easiest way to get an hawkBit UI running is to extend the
* {@link AbstractHawkbitUI} and to annotated it with {@link SpringUI} as in
* this example.
* this example. WEBSOCKET_XHR transport is used instead of WEBSOCKET in order
* to preserve Spring Security Context, that does not work using websocket
* communication with Vaadin Shared Security.
*
*/
@SpringUI
@Push(value = PushMode.AUTOMATIC, transport = Transport.WEBSOCKET)
@Push(value = PushMode.AUTOMATIC, transport = Transport.WEBSOCKET_XHR)
// Exception squid:MaximumInheritanceDepth - Most of the inheritance comes from
// Vaadin.
@SuppressWarnings({ "squid:MaximumInheritanceDepth" })
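Review bot: The added javadoc sentence "WEBSOCKET_XHR transport is used instead of WEBSOCKET in order to preserve Spring Security Context, that does not work using websocket communication" states the symptom but not the mechanism, which is what the next maintainer tempted to switch back to WEBSOCKET needs. With pure WEBSOCKET transport, client-to-server messages travel over the upgraded socket and therefore bypass the servlet filter chain, so Spring Security's filters never populate the SecurityContextHolder for those requests; WEBSOCKET_XHR keeps the websocket for server-to-client push only and sends client-to-server traffic as XHR requests that do pass through the filter chain. Suggest rewording along the lines of "WEBSOCKET_XHR is used instead of WEBSOCKET because client-to-server messages must pass through the Spring Security filter chain, which pure websocket traffic bypasses". While touching this block, the pre-existing typo "to annotated it with" in the sentence above should read "to annotate it with".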


@@ -19,6 +19,11 @@
<!-- Security Log with hints on potential attacks -->
<logger name="server-security" level="INFO" />
<!-- Suppressing "More than one Servlet Mapping defined. WebSocket may not work"
error due to the way VaadinServletConfiguration configures the endpoints mapping ("/UI" and "/UI/*").
At the end only the first "/UI" is taken for websocket communication. -->
<logger name="org.atmosphere.util.IOUtils" level="OFF" />
<Root level="INFO">
<appender-ref ref="CONSOLE" />
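Review bot: Setting `<logger name="org.atmosphere.util.IOUtils" level="OFF" />` silences every message from that class, not only the "More than one Servlet Mapping defined" warning the comment justifies, so any future genuine Atmosphere error logged from IOUtils will disappear as well. Since the message is emitted at a level that a plain level change cannot distinguish from real problems, a narrower option in Log4j2 is to keep the logger at its normal level and attach a message-matching filter, e.g. a RegexFilter with onMatch="DENY" on that logger, so only the known false positive is dropped. Separately, the comment calls the suppressed message an "error" while the commit message calls it a "warning"; pick one so the rationale matches what actually appears in the log.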