User can access unauthorized pages in vaddin- springboot app










0















I created a spring-boot application with vaadin flow and spring security. I configured two roles ROLE_USER and ROLE_ADMIN and granted access to the pages as follows



.antMatchers("/user/mainmenu").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
.antMatchers("/admin/trades").access("hasRole('ROLE_ADMIN')")


Then I created buttons and put it in the main menu so that the user can navigate to the trades view clicking the button as follows (Only admin users should be able to view the page)



tradesButton.addClickListener(buttonClickEvent -> 
getUI().ifPresent(ui -> ui.navigate("/admin/trades"));
);


But even a user only with user role can view the page when clicked. What is the reason for this??



(I've noticed that the app blocks when I put admin view url http://127.0.0.1:8080/admin/trades on address-bar and try to access it.)










share|improve this question

















  • 1





    I have found a sample application from vaadin at: vaadin.com/start/lts/full-stack-spring and it has implemented the spring security in it.

    – user3717646
    Nov 20 '18 at 5:05















0















I created a spring-boot application with vaadin flow and spring security. I configured two roles ROLE_USER and ROLE_ADMIN and granted access to the pages as follows



.antMatchers("/user/mainmenu").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
.antMatchers("/admin/trades").access("hasRole('ROLE_ADMIN')")


Then I created buttons and put it in the main menu so that the user can navigate to the trades view clicking the button as follows (Only admin users should be able to view the page)



tradesButton.addClickListener(buttonClickEvent -> 
getUI().ifPresent(ui -> ui.navigate("/admin/trades"));
);


But even a user only with user role can view the page when clicked. What is the reason for this??



(I've noticed that the app blocks when I put admin view url http://127.0.0.1:8080/admin/trades on address-bar and try to access it.)










share|improve this question

















  • 1





    I have found a sample application from vaadin at: vaadin.com/start/lts/full-stack-spring and it has implemented the spring security in it.

    – user3717646
    Nov 20 '18 at 5:05













0












0








0








I created a spring-boot application with vaadin flow and spring security. I configured two roles ROLE_USER and ROLE_ADMIN and granted access to the pages as follows



.antMatchers("/user/mainmenu").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
.antMatchers("/admin/trades").access("hasRole('ROLE_ADMIN')")


Then I created buttons and put it in the main menu so that the user can navigate to the trades view clicking the button as follows (Only admin users should be able to view the page)



tradesButton.addClickListener(buttonClickEvent -> 
getUI().ifPresent(ui -> ui.navigate("/admin/trades"));
);


But even a user only with user role can view the page when clicked. What is the reason for this??



(I've noticed that the app blocks when I put admin view url http://127.0.0.1:8080/admin/trades on address-bar and try to access it.)










share|improve this question














I created a spring-boot application with vaadin flow and spring security. I configured two roles ROLE_USER and ROLE_ADMIN and granted access to the pages as follows



.antMatchers("/user/mainmenu").access("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
.antMatchers("/admin/trades").access("hasRole('ROLE_ADMIN')")


Then I created buttons and put it in the main menu so that the user can navigate to the trades view clicking the button as follows (Only admin users should be able to view the page)



tradesButton.addClickListener(buttonClickEvent -> 
getUI().ifPresent(ui -> ui.navigate("/admin/trades"));
);


But even a user only with user role can view the page when clicked. What is the reason for this??



(I've noticed that the app blocks when I put admin view url http://127.0.0.1:8080/admin/trades on address-bar and try to access it.)







spring-boot spring-security vaadin10






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 14 '18 at 2:38









user3717646user3717646

411210




411210







  • 1





    I have found a sample application from vaadin at: vaadin.com/start/lts/full-stack-spring and it has implemented the spring security in it.

    – user3717646
    Nov 20 '18 at 5:05












  • 1





    I have found a sample application from vaadin at: vaadin.com/start/lts/full-stack-spring and it has implemented the spring security in it.

    – user3717646
    Nov 20 '18 at 5:05







1




1





I have found a sample application from vaadin at: vaadin.com/start/lts/full-stack-spring and it has implemented the spring security in it.

– user3717646
Nov 20 '18 at 5:05





I have found a sample application from vaadin at: vaadin.com/start/lts/full-stack-spring and it has implemented the spring security in it.

– user3717646
Nov 20 '18 at 5:05












0






active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53292407%2fuser-can-access-unauthorized-pages-in-vaddin-springboot-app%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53292407%2fuser-can-access-unauthorized-pages-in-vaddin-springboot-app%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Top Tejano songwriter Luis Silva dead of heart attack at 64

政党

天津地下鉄3号線