Issue
I recently upgraded my project from Vaadin 23.1 to 23.2 and also upgraded my Spring Security configuration class to extend VaadinWebSecurity.
My project also has a custom WebSocket endpoint that is exposed at a certain URL.
Before the change to VaadinWebSecurity it was working fine. However, after upgrading, it is not reachable any more.
Instead, it seems I am getting connected to a Vaadin WebSocket.
Probably the new SecurityFilterChain is overwriting my config.
Message received after connecting:
for(;;);[{"meta":{"async":true,"sessionExpired":true}}]
Security Config
    @EnableWebSecurity
    @Configuration
    public class SecurityConfiguration extends VaadinWebSecurity {
        public static final String LOGOUT_URL = "/";
        public static final String WEBSOCKET_URl = "/websocket";
        //...

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers(WEBSOCKET_URl)
                .permitAll();
            super.configure(http);
            setLoginView(http, LoginView.class, LOGOUT_URL);
        }
    }
Sample WebSocket Handler
    @Configuration
    @EnableWebSocket
    public class Websocket implements WebSocketConfigurer {
        @Override
        public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
            registry
                .addHandler(new WebSocketHandler() {
                    @Override
                    public void afterConnectionEstablished(WebSocketSession session) throws Exception {
                        session.sendMessage(new TextMessage("this is a response"));
                    }
                    // ...
                }, SecurityConfiguration.WEBSOCKET_URl)
                .setAllowedOriginPatterns("*");
        }
    }
I created a minimal example project based on start.vaadin.com. It contains a sample WebSocket Handler.
- sample-webscoket-vaadin.zip
- Vaadin / Flow version: 23.2.1
- Java version: 17
Can someone give me some advice on how to get the WebSocket running again?
Solution
The Atmosphere handler is intercepting the request. I did some tests and the security config is fine, since the connection is established. After excluding the Atmosphere dependency, the Spring WS handler works as expected.
It seems to be a bug in Flow; I've created https://github.com/vaadin/flow/issues/14602
Exclusion workaround:
    <dependency>
        <groupId>com.vaadin</groupId>
        <!-- Replace artifactId with vaadin-core to use only free components -->
        <artifactId>vaadin</artifactId>
        <exclusions>
            <exclusion>
                <groupId>com.vaadin.external.atmosphere</groupId>
                <artifactId>atmosphere-runtime</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
Answered By - Marcin
Answer Checked By - David Goodson (JavaFixing Volunteer)
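A way to confirm which handler answers on the endpoint, before and after applying the exclusion (an added example, not code from the question or the answer): this client uses the JDK's java.net.http.WebSocket API, connects to the question's /websocket path, and reports whether the first message is the Vaadin push frame quoted in the question. The class name and the ws://localhost:8080 default are assumptions.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.WebSocket;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

public class WebSocketEndpointCheck { // hypothetical class name
    // Marker of the Vaadin push frame quoted in the question.
    static final String VAADIN_MARKER = "for(;;);";

    static String classify(String firstMessage) {
        // contains() rather than startsWith(), so anything in front of the marker does not matter.
        return firstMessage.contains(VAADIN_MARKER)
                ? "INTERCEPTED: Vaadin push (Atmosphere) answered"
                : "OK: custom handler answered";
    }

    public static void main(String[] args) throws Exception {
        // Assumed default host and port; the path is WEBSOCKET_URl from the question.
        URI uri = URI.create(args.length > 0 ? args[0] : "ws://localhost:8080/websocket");
        CompletableFuture<String> first = new CompletableFuture<>();
        WebSocket.Listener listener = new WebSocket.Listener() {
            private final StringBuilder buffer = new StringBuilder();
            @Override
            public CompletionStage<?> onText(WebSocket ws, CharSequence data, boolean last) {
                buffer.append(data);                 // a message may arrive in several parts
                if (last) first.complete(buffer.toString());
                ws.request(1);                       // ask for the next frame
                return null;                         // data may be reclaimed immediately
            }
            @Override
            public void onError(WebSocket ws, Throwable error) {
                first.completeExceptionally(error);
            }
        };
        try {
            WebSocket ws = HttpClient.newHttpClient().newWebSocketBuilder()
                    .buildAsync(uri, listener).get(5, TimeUnit.SECONDS);
            String message = first.get(5, TimeUnit.SECONDS);
            System.out.println(classify(message) + " -> " + message);
            ws.sendClose(WebSocket.NORMAL_CLOSURE, "done").get(5, TimeUnit.SECONDS);
        } catch (ExecutionException e) {
            // A rejected handshake (for example by the security filter chain) ends up here.
            System.out.println("FAILED: " + e.getCause());
        }
    }
}
```

With the sample handler from the question in place, the expected first message is "this is a response"; the sessionExpired frame means the request is still being intercepted.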