Ok, so I think my other issue can be broken down to two scenarios.
- my security configuration is not applied to my integration test, or
- vaadin's shared security csrf protection is also making use of the
org.springframework.security.web.csrf.CsrfFilter- (which is where the access denied exception eventually occurs, despite Csrf protection being turned off in the settings)
How do you turn off VAADIN's csrf protection, though?
The only thing I found was for Vaadin 7 (we're using 8) and with a web.xml (that we don't have with Spring Boot).