chore: security helper with list of should-be-public urls (#10134)

* chore: security helper with list of should-be-public urls * Removed VAADIN/** from public urls * Cleanup
vaadin · Mar 2, 2021 · ef84e6c · ef84e6c
1 parent f116492
commit ef84e6c
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 2 deletions.
diff --git a/flow-server/src/main/java/com/vaadin/flow/internal/SecurityHelper.java b/flow-server/src/main/java/com/vaadin/flow/internal/SecurityHelper.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2000-2021 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.internal;
+
+import java.io.Serializable;
+
+import com.vaadin.flow.server.PwaConfiguration;
+import com.vaadin.flow.server.communication.PwaHandler;
+import com.vaadin.flow.server.frontend.FrontendUtils;
+
+/**
+ * Helper methods for settigng up security contexts in Vaadin applications.
+ *
+ * @author Vaadin Ltd
+ *
+ */
+public final class SecurityHelper implements Serializable {
+
+    /**
+     * URLs matching these patterns should be publicly available for application
+     * to work. Used for defining bypass rules in e.g. Spring Security.
+     */
+    public static final String[] PUBLIC_VAADIN_URLS = {
+            "/favicon.ico",
+            "/images/**",
+            "/icons/**",
+            "/" + PwaConfiguration.DEFAULT_PATH,
+            "/" + FrontendUtils.SERVICE_WORKER_SRC_JS,
+            PwaHandler.SW_RUNTIME_PRECACHE_PATH,
+            "/" + PwaConfiguration.DEFAULT_OFFLINE_PATH
+    };
+
+    private SecurityHelper() {
+    }
+}
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/communication/PwaHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/communication/PwaHandler.java
@@ -42,6 +42,8 @@
  * @since 1.2
  */
 public class PwaHandler implements RequestHandler {
+    public static final String SW_RUNTIME_PRECACHE_PATH = "/sw-runtime-resources-precache.js";
+
     private final Map<String, RequestHandler> requestHandlerMap = new HashMap<>();
     private final SerializableSupplier<PwaRegistry> pwaRegistryGetter;
 
@@ -104,8 +106,7 @@ private void init(PwaRegistry pwaRegistry) {
         // sw-runtime.js handling (service worker import for precaching runtime
         // generated assets)
         requestHandlerMap.put(
-                // pwaRegistry.getPwaConfiguration().relServiceWorkerPath(),
-                "/sw-runtime-resources-precache.js",
+                SW_RUNTIME_PRECACHE_PATH,
                 (session, request, response) -> {
                     response.setContentType("application/javascript");
                     try (PrintWriter writer = response.getWriter()) {