Beacon is causing problems when using Spring Security and Collaboration Engine together

[Peppe]

Describe the bug
Collaboration Engine adds beacon HTTP calls to your app. Adding Spring Security to your app denies access to many urls by default, including /beacon/*. When you press the login button in your app, maybe four times out of five it works correctly. But every now and then, it will instead download a zero byte file with a UUID name. The file is downloaded due to a request to ie /beacon/ec3fff5a-2f77-4318-90c6-4104460637bd.

To Reproduce
Steps to reproduce the behavior:

1. Download a new Vaadin app from start
2. Secure your app with Spring Security and add a login page that posts
3. Add CE components to your application
4. Login multiple times
5. Notice that every now and again you do not get logged in, but instead you get a file download

Expected behavior
You don't have to do anything extra about CE when using it in a Spring Security -secured Vaadin app and login works every time.

Versions
- Vaadin version: V20
- Collaboration Engine version: V3.1
- Java version: 11
- OS version: Mac OS

[Peppe]

As a workaround, I did a custom request handler to my Vaadin project, and handled /beacon/ in it, to avoid the problem.

The implementation is here: https://github.com/Peppe/vabber/blob/main/src/main/java/com/example/application/security/CustomRequestCache.java#L23-L30

[Legioth]

If we assume that applications use VaadinWebSecurityConfigurerAdapter or some other mechanism that uses helpers defined by HandlerHelper, then we would just have to change the beacon handler to use a URL that would be matched by one of those.

One obvious candidate would be to use the /VAADIN namespace which is covered by HandlerHelper.getPublicResourcesRequiringSecurityContext(), e.g. using /VAADIN/beacon/<id> as the URL.

[Peppe]

For reference, my project is modeled based on the example found at https://github.com/vaadin/spring/tree/master/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity and the tutorial at https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/setting-up-spring-security.

[Artur-]

This also causes problems with live reload. When you have collaboration engine in your app and do a change (with Spring Boot Dev Tools enabled) then the app will reload and you will be redirected to the login view, as expected. However, after logging in you will end up on /error showing

{"timestamp": sometime, "status":999,"error":"None","message":"No message available"}

[chrosim]

@tulioag for me the beacon is still causing problems in combination with the spring-boot-keycloak-adapter.
We are using a pattern based whitelisting approach which has been working with the /beacon url.
If i understand it correctly the beacon url is now pointing to the servlet-root only using query parameters which makes it impossible to whitelist.
Would it be possible to move the beacon url to the /VAADIN namespace as @Legioth suggested?

[tulioag]

Hi @chrosim. I'm no longer working on this project. IIRC, the url was changed to the servlet-root so the beacon is now just another type of Flow request. I suggest that you open a new issue about that.