On the OAuth 2.0 login page, it seems the bootstrap css stylesheets are not used.

Spring Security OAuth login page fetching unnecessary bootstrap stylesheets

Expected behavior: If these resources are not used to style the page, they could be cleared, thus decreasing the time needed to fetch those files.

Comment From: klopfdreh

This ticket was created as a followup of: https://github.com/spring-cloud/spring-cloud-dataflow-ui/issues/1887

As mentioned in there I configured custom CSP settings and found out that bootstrap is still being used of Spring Cloud Data Flow Server. When those CSP settings are not used, the page is rendered correctly as implemented in LoginPageGeneratingWebFilter.

So this issue might be not a bug, but a feature request to not use bootstrap for those rather simple layouts in the LoginPageGeneratingWebFilter. If the user wishes to define a more fancy layout, he can do so by following the guide in the Spring Security documentation pages.

Comment From: sjohnr

@claudiahub @klopfdreh thanks for reaching out! I looked through your linked issue but I may be missing some of the context for this issue. Apologies if I'm not understanding fully.

The normal Spring Security login page with Spring WebFlux and OAuth2 looks like this:

[Screenshot: Screen Shot 2022-10-06 at 5 00 46 PM]

> As mentioned in there I configured custom CSP settings and found out that bootstrap is still being used of Spring Cloud Data Flow Server.

Do you have a sample or configuration you're referring to here that can be reviewed?

> When those CSP settings are not used, the page is rendered correctly as implemented in LoginPageGeneratingWebFilter.

As in the above screenshot?

> So this issue might be not a bug, but a feature request to not use bootstrap for those rather simple layouts in the LoginPageGeneratingWebFilter.

I'm not sure I am fully understanding the use case here. It seems you should be providing a custom login page. Are you requesting that the built-in login page be more customizable? If so, please see this comment.

Comment From: klopfdreh

Thanks for the answer @sjohnr!

> Do you have a sample or configuration you're referring to here that can be reviewed?

We are talking about the standard configuration of Spring Security - if you don’t configure a custom login page.

> As in the above screenshot?

The above screenshot (my one) was used to show that bootstrap is still used. To show this I configured CSP which leads to this error in the developer console. If I don't configure CSP then the page is displayed correctly (your screenshot).

> I'm not sure I am fully understanding the use case here. It seems you should be providing a custom login page. Are you requesting that the built-in login page be more customizable? If so, please see https://github.com/spring-projects/spring-security/issues/7165#issuecomment-518372449.

This is the exact answer I gave in the login page ticket of Spring Cloud Data Flow UI: https://github.com/spring-cloud/spring-cloud-dataflow-ui/issues/1887#issuecomment-1270284017 - I guess the only thing that could be considered is if it is required to use bootstrap for that simple layout in case of the default login page - or it could be removed in favor of some easier styling.

Comment From: sjohnr

Hi @klopfdreh!

> The above screenshot (my one) was used to show that bootstrap is still used.

I'm still not sure I understand why you expect bootstrap not to be used in this case?

> To show this I configured CSP

This seems to imply that you are not actually using the default configuration, correct?

> I guess the only thing that could be considered is if it is required to use bootstrap for that simple layout in case of the default login page - or it could be removed in favor of some easier styling.

As mentioned in the comment linked above, the default login page (including styling) is a reasonable default provided by Spring Security, and custom styling is straightforward to configure through a custom login page. I'm not clear on what would be easier than this, or why you're requesting that we don't use bootstrap for the default login page? I don't currently see a reason to make a change to Spring Security. However, it's possible I'm still misunderstanding something.

Given the discussion so far, I am going to close this issue as answered. If I've misunderstood anything, or you would like to discuss it more and elaborate on any of the points above, feel free to add additional comments. We can always re-open if needed.

Comment From: klopfdreh

Hey @sjohnr - if you want to keep bootstrap because it makes the styling easier for you, this PR can indeed be closed and the customization should be implemented on the SCDF side.