VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request #19075

mcollovati · 2024-04-02T07:00:23Z

Description of the bug

Given a Vaadin 24.3 application with security configured through VaadinWebSecurity, the PUSH connections fail right after login with a 403 error after login, because of Spring Security complaining about an invalid CSRF token.
However, when the protected page is reloaded the PUSH connections are correctly established

2024-04-02T08:47:06.190+02:00 DEBUG 65418 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing POST /VAADIN/push?v-r=push&debug_window&token=bbcccf73-3299-443e-a767-066584ca8495&X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=44c5fba3-a76a-4c86-a56c-50c17dcc887f
2024-04-02T08:47:06.190+02:00 DEBUG 65418 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=2949F5403A070331A08F02896D9BD6D9], Granted Authorities=[ROLE_USER]]]
2024-04-02T08:47:06.190+02:00 DEBUG 65418 --- [nio-8080-exec-3] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/VAADIN/push?v-r=push&debug_window&token=bbcccf73-3299-443e-a767-066584ca8495&X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=44c5fba3-a76a-4c86-a56c-50c17dcc887f

The issue seems to be that the Flow PUSH connections requests (/VAADIN/push) are no more identified as Framework requests by HandlerHelper.isFrameworkInternalRequest().
To be noted For Hilla PUSH connections, there is a specific method (HandlerHelper.isHillaPush()) that checks for /HILLA/push

Expected behavior

Spring CSRF check should be skipped for Vaadin PUSH connection, since they have their own built-in protection mechanism.

Minimal reproducible example

Use start.vaadin.com to create an application with protected views and login page
Try to navigate to a protected page, the login view should be shown
Enter credential and verify that Vaadin PUSH connection requests fail with a 403 status code

Versions

Vaadin / Flow version: 24.3
Java version: 17

The text was updated successfully, but these errors were encountered:

mcollovati · 2024-04-03T07:08:35Z

It looks like only ping requests are failing, since they are doing a POST.
The connection is established through a GET request, so CSRF is not checked

HandlerHelper is currently not considering Flow PUSH requests (/VAADIN/push) as internal, preventing VaadinWebSecurity to ignore CSRF checks. The issues happen only for ping requests; the connection request is not affected because it is a GET request. Fixes #19075

mcollovati · 2024-04-03T07:16:41Z

It might be related to the PUSH request error reported in vaadin/kubernetes-kit#111

HandlerHelper is currently not considering Flow PUSH requests (/VAADIN/push) as internal, preventing VaadinWebSecurity to ignore CSRF checks. The issues happen only for ping requests; the connection request is not affected because it is a GET request. Fixes #19075

#19110) HandlerHelper is currently not considering Flow PUSH requests (/VAADIN/push) as internal, preventing VaadinWebSecurity to ignore CSRF checks. The issues happen only for ping requests; the connection request is not affected because it is a GET request. Fixes #19075 Co-authored-by: Marco Collovati <[email protected]>

vaadin-bot · 2024-04-10T09:58:59Z

This ticket/PR has been released with Vaadin 24.4.0.alpha21 and is also targeting the upcoming stable 24.4.0 version.

vaadin-bot · 2024-04-23T13:14:42Z

This ticket/PR has been released with Vaadin 24.3.10.

mcollovati added this to Vaadin Flow bugs & maintenance (Vaadin 10+) Apr 2, 2024

mcollovati moved this to 🆕 Needs triage in Vaadin Flow bugs & maintenance (Vaadin 10+) Apr 2, 2024

mcollovati added bug Impact: High Severity: Minor labels Apr 3, 2024

mcollovati moved this from 🆕 Needs triage to 🔖 Normal Priority (P2) in Vaadin Flow bugs & maintenance (Vaadin 10+) Apr 3, 2024

mcollovati mentioned this issue Apr 3, 2024

fix: detect Flow PUSH requests as internal framework requests #19085

Merged

9 tasks

tepi closed this as completed in #19085 Apr 4, 2024

github-project-automation bot moved this from 🔖 Normal Priority (P2) to ✅ Closed in Vaadin Flow bugs & maintenance (Vaadin 10+) Apr 4, 2024

vaadin-bot added prerelease version for Vaadin 24.4.0 Released with Vaadin 24.4.0.alpha21 labels Apr 10, 2024

vaadin-bot added the Released with Vaadin 24.3.10 label Apr 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request #19075

VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request #19075

mcollovati commented Apr 2, 2024

mcollovati commented Apr 3, 2024

mcollovati commented Apr 3, 2024

vaadin-bot commented Apr 10, 2024

vaadin-bot commented Apr 23, 2024

VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request #19075

VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request #19075

Comments

mcollovati commented Apr 2, 2024

Description of the bug

Expected behavior

Minimal reproducible example

Versions

mcollovati commented Apr 3, 2024

mcollovati commented Apr 3, 2024

vaadin-bot commented Apr 10, 2024

vaadin-bot commented Apr 23, 2024