Vaadin security enhancements (#1003)
* Removed VaadinManagedSecurity configuration from MgmtUiAutoConfiguration
* added SessionFixationProtectionStrategy for additional protection of UI session authentication
* added VaadinSessionClosingLogoutHandler to logout from all UI sessions
* added AccessDecisionManager to UI security configuration in order to support method security in UI in context of VaadinSharedSecurity
* Changed UI push transport from WEBSOCKET to WEBSOCKET_XHR to solve problems with Spring Security Context
* Suppressed atmosphere IOUtils false-positive warning
* Removed obsolete AsyncVaadinServletConfiguration
* Defined Vaadin4SpringServlet bean instead of plain SpringVaadinServlet for configuration flexibility
* Removed obsolete SpringSecurityAtmosphereInterceptor because the client does not communicate with the server using websocket protocol anymore
* Removed unit test for SpringSecurityAtmosphereInterceptor
* Removed obsolete AuthenticationManagerConfigurer coming from Vaadin Managed Security in InMemoryUserManagementAutoConfiguration
* Removed SessionFixationProtectionStrategy and VaadinSessionClosingLogoutHandler because all wrapper sessions are invalidated when the session managed by Spring gets invalidated together with configured HttpSessionEventPublisher events
* Added call to close the current session before logout redirect
* added comment why we used WEBSOCKET_XHR instead of WEBSOCKET

Signed-off-by: Bogdan Bondar <Bogdan.Bondar@bosch.io>
@@ -19,6 +19,11 @@
<!-- Security Log with hints on potential attacks -->
<logger name="server-security" level="INFO" />
<!-- Suppressing "More than one Servlet Mapping defined. WebSocket may not work"
error due to the way VaadinServletConfiguration configures the endpoints mapping ("/UI" and "/UI/*").
At the end only the first "/UI" is taken for websocket communication. -->
<logger name="org.atmosphere.util.IOUtils" level="OFF" />
<Root level="INFO">
<appender-ref ref="CONSOLE" />
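Review bot: level="OFF" on the org.atmosphere.util.IOUtils logger discards every message that class emits, not only the "More than one Servlet Mapping defined. WebSocket may not work" message the comment names, so a genuine IOUtils failure would also go unlogged. The comment calls the message an "error" while the commit message calls it a "false-positive warning"; please state the level it is actually logged at, and if it is below ERROR, raise the threshold just above that level instead of using OFF, or filter on the message text so the rest of the class's output survives. Since this file also carries the "server-security" log, it is worth keeping the suppression as narrow as possible.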