Changes since 24.8.8
Fixes
-
Make sure request principal is available (#22368)
Commit · Pull request · IssueWhen Spring Security request matchers are executed within SpringPathAccessChecker the request object is a stub instance that throw UnsupportedOperationException for many methods. This can cause failure when the path access checker is used in combination with request matchers that, for example, try to access the request user principal. An example is the pre-configured 'isAllowedHillaView' matcher. This change wraps the request matchers configured by Vaadin so that the request principal is taken from the Spring Security context, if not available on the request. In addition provides documentation and helper to set a global HttpServletRequestTransformer to augment all requests handled by WebInvocationPrivilegeEvaluator with the proper getUserPrincipal method override.