vaadin
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-contextpath/pom.xml
Lines changed: 1 addition & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-contextpath/pom.xml
Lines changed: 1 addition & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-methodsecurity/src/main/java/com/vaadin/flow/spring/flowsecurity/LegacySecurityConfig.java
Lines changed: 114 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-methodsecurity/src/main/java/com/vaadin/flow/spring/flowsecurity/LegacySecurityConfig.java
Lines changed: 114 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-methodsecurity/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 37 additions & 25 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-methodsecurity/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 37 additions & 25 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 16 additions & 44 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow-standalone-routepathaccesschecker/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 16 additions & 44 deletions
@@ -47,6 +47,7 @@
             <groupId>com.vaadin</groupId>
             <artifactId>test-spring-security-flow</artifactId>
             <version>${project.version}</version>
+            <classifier>tests</classifier>
             <type>test-jar</type>
             <scope>test</scope>
         </dependency>
 
@@ -0,0 +1,114 @@
+package com.vaadin.flow.spring.flowsecurity;
+
+import jakarta.servlet.ServletContext;
+
+import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
+import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.internal.UrlUtil;
+import com.vaadin.flow.spring.RootMappedCondition;
+import com.vaadin.flow.spring.VaadinConfigurationProperties;
+import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
+import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
+import com.vaadin.flow.spring.flowsecurity.views.LoginView;
+import com.vaadin.flow.spring.security.VaadinWebSecurity;
+
+import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
+
+@EnableWebSecurity
+@EnableMethodSecurity(prePostEnabled = false, jsr250Enabled = true, securedEnabled = true)
+@Configuration
+@Profile("legacy-vaadin-web-security")
+public class LegacySecurityConfig extends VaadinWebSecurity {
+
+    @Autowired
+    private UserInfoService userInfoService;
+
+    @Autowired
+    private ServletContext servletContext;
+
+    @Autowired
+    private VaadinConfigurationProperties vaadinConfigurationProperties;
+
+    public String getLogoutSuccessUrl() {
+        String logoutSuccessUrl;
+        String mapping = vaadinConfigurationProperties.getUrlMapping();
+        if (RootMappedCondition.isRootMapping(mapping)) {
+            logoutSuccessUrl = "/";
+        } else {
+            logoutSuccessUrl = mapping.replaceFirst("/\\*$", "/");
+        }
+        String contextPath = servletContext.getContextPath();
+        if (!"".equals(contextPath)) {
+            logoutSuccessUrl = contextPath + logoutSuccessUrl;
+        }
+        return logoutSuccessUrl;
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        http.authorizeHttpRequests(auth -> auth
+                .requestMatchers(new AntPathRequestMatcher("/admin-only/**"))
+                .hasAnyRole(ROLE_ADMIN)
+                .requestMatchers(new AntPathRequestMatcher("/public/**"))
+                .permitAll());
+        super.configure(http);
+        if (getLogoutSuccessUrl().equals("/")) {
+            // Test the default url with empty context path
+            setLoginView(http, LoginView.class);
+        } else {
+            setLoginView(http, LoginView.class, getLogoutSuccessUrl());
+        }
+        http.logout(cfg -> cfg
+                .addLogoutHandler((request, response, authentication) -> {
+                    UI ui = UI.getCurrent();
+                    ui.accessSynchronously(() -> ui.getPage()
+                            .setLocation(UrlUtil.getServletPathRelative(
+                                    getLogoutSuccessUrl(), request)));
+                }));
+    }
+
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService() {
+        return new InMemoryUserDetailsManager() {
+            @Override
+            public UserDetails loadUserByUsername(String username)
+                    throws UsernameNotFoundException {
+                UserInfo userInfo = userInfoService.findByUsername(username);
+                if (userInfo == null) {
+                    throw new UsernameNotFoundException(
+                            "No user present with username: " + username);
+                } else {
+                    return new User(userInfo.getUsername(),
+                            userInfo.getEncodedPassword(),
+                            userInfo.getRoles().stream()
+                                    .map(role -> new SimpleGrantedAuthority(
+                                            "ROLE_" + role))
+                                    .collect(Collectors.toList()));
+                }
+            }
+        };
+    }
+
+    @Bean
+    protected MethodSecurityExpressionHandler createExpressionHandler() {
+        return new DefaultMethodSecurityExpressionHandler();
+    }
+
+}
@@ -4,9 +4,10 @@
 
 import java.util.stream.Collectors;
 
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Profile;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
@@ -17,6 +18,7 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import com.vaadin.flow.component.UI;
@@ -26,23 +28,31 @@
 import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
 import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
 import com.vaadin.flow.spring.flowsecurity.views.LoginView;
-import com.vaadin.flow.spring.security.VaadinWebSecurity;
+import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
+import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @EnableMethodSecurity(prePostEnabled = false, jsr250Enabled = true, securedEnabled = true)
 @Configuration
-public class SecurityConfig extends VaadinWebSecurity {
+@Profile("default")
+@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class)
+public class SecurityConfig {
 
-    @Autowired
-    private UserInfoService userInfoService;
+    private final UserInfoService userInfoService;
 
-    @Autowired
-    private ServletContext servletContext;
+    private final ServletContext servletContext;
 
-    @Autowired
-    private VaadinConfigurationProperties vaadinConfigurationProperties;
+    private final VaadinConfigurationProperties vaadinConfigurationProperties;
+
+    public SecurityConfig(UserInfoService userInfoService,
+            ServletContext servletContext,
+            VaadinConfigurationProperties vaadinConfigurationProperties) {
+        this.userInfoService = userInfoService;
+        this.servletContext = servletContext;
+        this.vaadinConfigurationProperties = vaadinConfigurationProperties;
+    }
 
     public String getLogoutSuccessUrl() {
         String logoutSuccessUrl;
@@ -59,27 +69,29 @@ public String getLogoutSuccessUrl() {
         return logoutSuccessUrl;
     }
 
-    @Override
-    public void configure(HttpSecurity http) throws Exception {
+    @Bean
+    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http)
+            throws Exception {
         http.authorizeHttpRequests(auth -> auth
                 .requestMatchers(new AntPathRequestMatcher("/admin-only/**"))
                 .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(new AntPathRequestMatcher("/public/**"))
                 .permitAll());
-        super.configure(http);
-        if (getLogoutSuccessUrl().equals("/")) {
-            // Test the default url with empty context path
-            setLoginView(http, LoginView.class);
-        } else {
-            setLoginView(http, LoginView.class, getLogoutSuccessUrl());
-        }
-        http.logout(cfg -> cfg
-                .addLogoutHandler((request, response, authentication) -> {
-                    UI ui = UI.getCurrent();
-                    ui.accessSynchronously(() -> ui.getPage()
-                            .setLocation(UrlUtil.getServletPathRelative(
-                                    getLogoutSuccessUrl(), request)));
-                }));
+        http.with(vaadin(), cfg -> {
+            String logoutSuccessUrl = getLogoutSuccessUrl();
+            if (logoutSuccessUrl.equals("/")) {
+                cfg.loginView(LoginView.class);
+            } else {
+                cfg.loginView(LoginView.class, logoutSuccessUrl);
+            }
+            cfg.addLogoutHandler((request, response, authentication) -> {
+                UI ui = UI.getCurrent();
+                ui.accessSynchronously(() -> ui.getPage().setLocation(
+                        UrlUtil.getServletPathRelative(getLogoutSuccessUrl(),
+                                request)));
+            });
+        });
+        return http.build();
     }
 
     @Bean
 
@@ -16,15 +16,11 @@
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import com.vaadin.flow.component.UI;
 import com.vaadin.flow.internal.UrlUtil;
-import com.vaadin.flow.server.HandlerHelper;
-import com.vaadin.flow.server.auth.NavigationAccessControl;
 import com.vaadin.flow.spring.RootMappedCondition;
 import com.vaadin.flow.spring.VaadinConfigurationProperties;
 import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
@@ -33,10 +29,10 @@
 import com.vaadin.flow.spring.security.AuthenticationContext;
 import com.vaadin.flow.spring.security.NavigationAccessControlConfigurer;
 import com.vaadin.flow.spring.security.RequestUtil;
-import com.vaadin.flow.spring.security.UidlRedirectStrategy;
 
 import static com.vaadin.flow.spring.flowsecurity.service.UserInfoService.ROLE_ADMIN;
 import static com.vaadin.flow.spring.security.RequestUtil.antMatchers;
+import static com.vaadin.flow.spring.security.VaadinSecurityConfigurer.vaadin;
 
 @EnableWebSecurity
 @Configuration
@@ -64,7 +60,7 @@ public AuthenticationContext authenticationContext() {
     @Bean
     static NavigationAccessControlConfigurer navigationAccessControlConfigurer() {
         return new NavigationAccessControlConfigurer()
-                .withRoutePathAccessChecker().withLoginView(LoginView.class);
+                .withRoutePathAccessChecker();
     }
 
     @Bean
@@ -81,17 +77,6 @@ public SecurityFilterChain webFilterChain(HttpSecurity http,
                 // Permit access to static resources
                 .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                     .permitAll()
-                // Permit access to vaadin's internal communication
-                .requestMatchers(request -> HandlerHelper
-                        .isFrameworkInternalRequest("/*", request))
-                    .permitAll()
-                .requestMatchers(requestUtil::isAnonymousRoute)
-                    .permitAll()
-                // Permit technical access to vaadin's static files
-                .requestMatchers(new AntPathRequestMatcher("/VAADIN/**"))
-                    .permitAll()
-                // custom request matchers. using 'routeAwareAntMatcher' to
-                // allow checking route and alias paths against patterns
                 .requestMatchers(antMatchers("/admin-only/**", "/admin"))
                     .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(antMatchers("/private"))
@@ -105,34 +90,21 @@ public SecurityFilterChain webFilterChain(HttpSecurity http,
                     .hasAnyRole(ROLE_ADMIN)
                 .requestMatchers(antMatchers("/home", "/hey/**"))
                     .permitAll()
-                // Secure everything else
-                .anyRequest().authenticated()
-        );
+                );
         // @formatter:on
-
-        http.logout(cfg -> {
-            SimpleUrlLogoutSuccessHandler logoutSuccessHandler = new SimpleUrlLogoutSuccessHandler();
-            logoutSuccessHandler.setDefaultTargetUrl(getLogoutSuccessUrl());
-            logoutSuccessHandler
-                    .setRedirectStrategy(new UidlRedirectStrategy());
-            cfg.logoutSuccessHandler(logoutSuccessHandler);
-            cfg.addLogoutHandler((request, response, authentication) -> {
-                UI ui = UI.getCurrent();
-                ui.accessSynchronously(() -> ui.getPage().setLocation(
-                        UrlUtil.getServletPathRelative(getLogoutSuccessUrl(),
-                                request)));
-            });
-        });
-        // Custom login page with form authentication
-        http.formLogin(cfg -> cfg.loginPage("/my/login/page").permitAll());
-        DefaultSecurityFilterChain filterChain = http.build();
-
-        // Test application uses AuthenticationContext, configure it with
-        // the logout handlers
-        AuthenticationContext.applySecurityConfiguration(http,
-                authenticationContext);
-
-        return filterChain;
+        http.with(vaadin(),
+                cfg -> cfg.loginView(LoginView.class, getLogoutSuccessUrl())
+                        .addLogoutHandler(
+                                (request, response, authentication) -> {
+                                    UI ui = UI.getCurrent();
+                                    ui.accessSynchronously(() -> ui.getPage()
+                                            .setLocation(UrlUtil
+                                                    .getServletPathRelative(
+                                                            getLogoutSuccessUrl(),
+                                                            request)));
+                                }));
+
+        return http.build();
     }
 
     public String getLogoutSuccessUrl() {