chore: Unify VaadinWebSecurityConfigurerAdapter and VaadinWebSecurity (…

…#14577)

vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurity.java

@@ -15,22 +15,22 @@
  */
 package com.vaadin.flow.spring.security;
 
-import javax.crypto.SecretKey;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.LinkedHashMap;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import javax.crypto.SecretKey;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
@@ -39,7 +39,6 @@
 import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
@@ -231,12 +230,6 @@ public static RequestMatcher getDefaultHttpSecurityPermitMatcher(
                 .map(path -> RequestUtil.applyUrlMapping(urlMapping, path))
                 .forEach(paths::add);
 
-        String mappedRoot = RequestUtil.applyUrlMapping(urlMapping, "");
-        if (!"/".equals(mappedRoot)) {
-            // When using an url path, static resources are still fetched from
-            // /VAADIN/ in the context root
-            paths.add("/VAADIN/**");
-        }
         return new OrRequestMatcher(paths.build()
                 .map(AntPathRequestMatcher::new).collect(Collectors.toList()));
     }
@@ -302,19 +295,19 @@ protected void setLoginView(HttpSecurity http, String hillaLoginViewPath)
      *            the http security from {@link #filterChain(HttpSecurity)}
      * @param hillaLoginViewPath
      *            the path to the login view
-     * @param logoutUrl
+     * @param logoutSuccessUrl
      *            the URL to redirect the user to after logging out
      * @throws Exception
      *             if something goes wrong
      */
     protected void setLoginView(HttpSecurity http, String hillaLoginViewPath,
-            String logoutUrl) throws Exception {
+            String logoutSuccessUrl) throws Exception {
         hillaLoginViewPath = applyUrlMapping(hillaLoginViewPath);
         FormLoginConfigurer<HttpSecurity> formLogin = http.formLogin();
         formLogin.loginPage(hillaLoginViewPath).permitAll();
         formLogin.successHandler(
                 getVaadinSavedRequestAwareAuthenticationSuccessHandler(http));
-        http.logout().logoutSuccessUrl(logoutUrl);
+        http.logout().logoutSuccessUrl(logoutSuccessUrl);
         http.exceptionHandling().defaultAuthenticationEntryPointFor(
                 new LoginUrlAuthenticationEntryPoint(hillaLoginViewPath),
                 AnyRequestMatcher.INSTANCE);
@@ -343,14 +336,14 @@ protected void setLoginView(HttpSecurity http,
      *            the http security from {@link #filterChain(HttpSecurity)}
      * @param flowLoginView
      *            the login view to use
-     * @param logoutUrl
+     * @param logoutSuccessUrl
      *            the URL to redirect the user to after logging out
      *
      * @throws Exception
      *             if something goes wrong
      */
     protected void setLoginView(HttpSecurity http,
-            Class<? extends Component> flowLoginView, String logoutUrl)
+            Class<? extends Component> flowLoginView, String logoutSuccessUrl)
             throws Exception {
         Optional<Route> route = AnnotationReader.getAnnotationFor(flowLoginView,
                 Route.class);
@@ -373,7 +366,7 @@ protected void setLoginView(HttpSecurity http,
         formLogin.successHandler(
                 getVaadinSavedRequestAwareAuthenticationSuccessHandler(http));
         http.csrf().ignoringAntMatchers(loginPath);
-        http.logout().logoutSuccessUrl(logoutUrl);
+        http.logout().logoutSuccessUrl(logoutSuccessUrl);
         http.exceptionHandling().defaultAuthenticationEntryPointFor(
                 new LoginUrlAuthenticationEntryPoint(loginPath),
                 AnyRequestMatcher.INSTANCE);

vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurityConfigurerAdapter.java

@@ -15,17 +15,18 @@
  */
 package com.vaadin.flow.spring.security;
 
-import javax.crypto.SecretKey;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.LinkedHashMap;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import javax.crypto.SecretKey;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;