blank login page for non-empty context root / url mapping

[mvysny]

I'm trying to run this example Vaadin app in the /app context root. Steps I've taken:

1. Checked out the login-overlay-form branch
2. I set vaadin.url-mapping=/app/* in application.properties.
3. Then I modified SecurityConfiguration.java and set the login URLs as follows:

	private static final String LOGIN_PROCESSING_URL = "/app/login";
	private static final String LOGIN_FAILURE_URL = "/app/login?error";
	private static final String LOGIN_URL = "/app/login";
	private static final String LOGOUT_SUCCESS_URL = "/app/login";

However, the login page comes in blank. There are the following errors in the JS console:

The script from “http://localhost:8080/VAADIN/static/client/client-C001A087E3ACCAA1E16BBD9F71FBD6EA.cache.js/” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
login
Loading module from “http://localhost:8080/app/login” was blocked because of a disallowed MIME type (“text/html”).
login
The resource from “http://localhost:8080/app/login” was blocked due to MIME type (“text/html”) mismatch (X-Content-Type-Options: nosniff).
login
Loading failed for the <script> with source “http://localhost:8080/app/VAADIN/build/webcomponentsjs/webcomponents-loader.js”. login:1:1
Uncaught SyntaxError: expected expression, got '<'
client-C001A087E3ACCAA1E16BBD9F71FBD6EA.cache.js:1
Uncaught (in promise) DOMException: The operation is insecure.

[mvysny]

The response to GET http://localhost:8080/VAADIN/static/client/client-C001A087E3ACCAA1E16BBD9F71FBD6EA.cache.js/ is also incorrect - even though it's 200 OK, it's a html page instead of a JavaScript script.

Looks like according to this guide, certain requests will always be made from the root context root, regardless of the mapping? vaadin/flow-and-components-documentation#1273

[mvysny]

A workaround would be to set server.servlet.context-path=/app. Unfortunately that doesn't solve the case when you'd like to have two servlets, Vaadin one mapped to /app/* and the other mapped to /something.

[mvysny]

I've checked out https://vaadin.com/docs/v14/flow/spring/tutorial-spring-configuration.html#using-spring-boot-properties and added the following to Application.java, did not help:

    @Bean
    public ServletRegistrationBean frontendServletBean() {
        ServletRegistrationBean bean = new ServletRegistrationBean<>(new VaadinServlet() {
            @Override
            protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
                if (!serveStaticOrWebJarRequest(req, resp)) {
                    resp.sendError(404);
                }
            }
        }, "/frontend/*");
        bean.setLoadOnStartup(1);
        return bean;
    }

[tarekoraby]

I asked @paulroemer about this, and he thinks that getting this setting to work is indeed tricky. He thus suggests using a different SpringBoot app instead of having different servlets in one app.

[mvysny]

@tarekoraby could you please post Paul's answer on why exactly is this tricky? Perhaps that could provide some info for some Spring user which might be able to dwell deeper...

[tarekoraby]

I don't have the reasoning behind Paul's suggestion I'm afraid.

[simasch]

@tarekoraby @mvysny I can't create two applications because we are using Camnuda Java API from Vaadin. So this is not a valid solution.

[mvysny]

@paulroemer ?

[Frettman]

You need to use vaadin.urlMapping in your application properties. vaadin.url-mapping will currently not work, even though your IDE suggests it.

[simasch]

I use vaadin.urlMapping and it doesn't work either.

[Frettman]

I can just say, that vaadin.url-mapping in application.properties does not (yet) work. Or rather, it only works partially in a way that breaks things. From what has been stated here by @mvysny, using vaadin.urlMapping should fix the most immediate issue.
I'd generally recommend to use a URL mapping for Vaadin, because having Vaadin in the root will conflict/break loading of some static resources like WebJars.

[simasch]

I'm the originator of this issue and discussed this with @mvysny in the expert chat.

We use vaadin.urlMapping=/app/* and this causes the described problem with Spring Security and a Vaadin Login view.

[Frettman]

Add the following line to SecurityConfiguration:
.antMatchers("/app/VAADIN/**").permitAll()

[simasch]

@Frettman That helped!

Thank you very much.