Access control

In this tutorial we will look into access control.

Basic access control

The application we’ve been building will inevitably need some administrative tools. Creation and deletion of users, for example, is generally something that we’d like to do during runtime. Let’s create a simple View for creating a new user:

Java

  1. package com.vaadin.cdi.tutorial;
  3. import java.util.concurrent.atomic.AtomicLong;
  5. import javax.inject.Inject;
  7. import com.vaadin.cdi.CDIView;
  8. import com.vaadin.data.Validator;
  9. import com.vaadin.data.fieldgroup.BeanFieldGroup;
  10. import com.vaadin.data.fieldgroup.FieldGroup.CommitEvent;
  11. import com.vaadin.data.fieldgroup.FieldGroup.CommitException;
  12. import com.vaadin.data.fieldgroup.FieldGroup.CommitHandler;
  13. import com.vaadin.navigator.View;
  14. import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
  15. import com.vaadin.ui.Button;
  16. import com.vaadin.ui.Button.ClickEvent;
  17. import com.vaadin.ui.Button.ClickListener;
  18. import com.vaadin.ui.CustomComponent;
  19. import com.vaadin.ui.Label;
  20. import com.vaadin.ui.VerticalLayout;
  22. @CDIView
  23. public class CreateUserView extends CustomComponent implements View {
  25.   @Inject
  26.   UserDAO userDAO;
  28.   private static final AtomicLong ID_FACTORY = new AtomicLong(3);
  30.   @Override
  31.   public void enter(ViewChangeEvent event) {
  32.     final VerticalLayout layout = new VerticalLayout();
  33.     layout.setMargin(true);
  34.     layout.setSpacing(true);
  35.     layout.addComponent(new Label("Create new user"));
  37.     final BeanFieldGroup<User> fieldGroup = new BeanFieldGroup<User>(
  38.         User.class);
  39.     layout.addComponent(fieldGroup.buildAndBind("firstName"));
  40.     layout.addComponent(fieldGroup.buildAndBind("lastName"));
  41.     layout.addComponent(fieldGroup.buildAndBind("username"));
  42.     layout.addComponent(fieldGroup.buildAndBind("password"));
  43.     layout.addComponent(fieldGroup.buildAndBind("email"));
  45.     fieldGroup.getField("username").addValidator(new Validator() {
  46.       @Override
  47.       public void validate(Object value) throws InvalidValueException {
  48.         String username = (String) value;
  49.         if (username.isEmpty()) {
  50.           throw new InvalidValueException("Username cannot be empty");
  51.         }
  53.         if (userDAO.getUserBy(username) != null) {
  54.           throw new InvalidValueException("Username is taken");
  55.         }
  56.       }
  57.     });
  59.     fieldGroup.setItemDataSource(new User(ID_FACTORY.incrementAndGet(), "",
  60.         "", "", "", "", false));
  62.     final Label messageLabel = new Label();
  63.     layout.addComponent(messageLabel);
  65.     fieldGroup.addCommitHandler(new CommitHandler() {
  66.       @Override
  67.       public void preCommit(CommitEvent commitEvent) throws CommitException {
  68.       }
  70.       @Override
  71.       public void postCommit(CommitEvent commitEvent) throws CommitException {
  72.         userDAO.saveUser(fieldGroup.getItemDataSource().getBean());
  73.         fieldGroup.setItemDataSource(new User(ID_FACTORY
  74.             .incrementAndGet(), "", "", "", "", "", false));
  75.       }
  76.     });
  77.     Button commitButton = new Button("Create");
  78.     commitButton.addClickListener(new ClickListener() {
  79.       @Override
  80.       public void buttonClick(ClickEvent event) {
  81.         try {
  82.           fieldGroup.commit();
  83.           messageLabel.setValue("User created");
  84.         } catch (CommitException e) {
  85.           messageLabel.setValue(e.getMessage());
  86.         }
  87.       }
  88.     });
  90.     layout.addComponent(commitButton);
  91.     setCompositionRoot(layout);
  92.   }
  93. }

CDIViewProvider checks the Views for a specific annotation, javax.annotation.security.RolesAllowed. You can get access to it by adding the following dependency to your pom.xml:

XML

  1. <dependency>
  2.   <groupId>javax.annotation</groupId>
  3.   <artifactId>javax.annotation-api</artifactId>
  4.   <version>1.2-b01</version>
  5. </dependency>

Java

  1. @CDIView
  2. @RolesAllowed({ "admin" })
  3. public class CreateUserView extends CustomComponent implements View {

To add access control to our application we’ll need to have a concrete implementation of the AccessControl abstract class. Vaadin CDI comes bundled with a simple JAAS implementation, but configuring a JAAS security domain is outside the scope of this tutorial. Instead we’ll opt for a simpler implementation.

We’ll go ahead and alter our UserInfo class to include hold roles.

Java

  1. private List<String> roles = new LinkedList<String>();
  2. public void setUser(User user) {
  3.   this.user = user;
  4.   roles.clear();
  5.   if (user != null) {
  6.     roles.add("user");
  7.     if (user.isAdmin()) {
  8.       roles.add("admin");
  9.     }
  10.   }
  11. }
  13. public List<String> getRoles() {
  14.   return roles;
  15. }

Let’s extend AccessControl and use our freshly modified UserInfo in it.

Java

  1. package com.vaadin.cdi.tutorial;
  3. import javax.enterprise.inject.Alternative;
  4. import javax.inject.Inject;
  6. import com.vaadin.cdi.access.AccessControl;
  8. @Alternative
  9. public class CustomAccessControl extends AccessControl {
  11.   @Inject
  12.   private UserInfo userInfo;
  14.   @Override
  15.   public boolean isUserSignedIn() {
  16.     return userInfo.getUser() != null;
  17.   }
  19.   @Override
  20.   public boolean isUserInRole(String role) {
  21.     if (isUserSignedIn()) {
  22.       for (String userRole : userInfo.getRoles()) {
  23.         if (role.equals(userRole)) {
  24.           return true;
  25.         }
  26.       }
  27.     }
  28.     return false;
  29.   }
  31.   @Override
  32.   public String getPrincipalName() {
  33.     if (isUserSignedIn()) {
  34.       return userInfo.getUser().getUsername();
  35.     }
  36.     return null;
  37.   }
  38. }

Note the @Alternative annotation. The JAAS implementation is set as the default, and we can’t have multiple default implementations. We’ll have to add our custom implementation to the beans.xml:

XML

  1. <beans>
  2.   <alternatives>
  3.     <class>com.vaadin.cdi.tutorial.UserGreetingImpl</class>
  4.     <class>com.vaadin.cdi.tutorial.CustomAccessControl</class>
  5.   </alternatives>
  6.   <decorators>
  7.     <class>com.vaadin.cdi.tutorial.NavigationLogDecorator</class>
  8.   </decorators>
  9. </beans>

Now let’s add a button to navigate to this view.

ChatView:

Java

  1. private Layout buildUserSelectionLayout() {
  2.   VerticalLayout layout = new VerticalLayout();
  3.   layout.setWidth("100%");
  4.   layout.setMargin(true);
  5.   layout.setSpacing(true);
  6.   layout.addComponent(new Label("Select user to talk to:"));
  7.   for (User user : userDAO.getUsers()) {
  8.     if (user.equals(userInfo.getUser())) {
  9.       continue;
  10.     }
  11.     layout.addComponent(generateUserSelectionButton(user));
  12.   }
  13.   layout.addComponent(new Label("Admin:"));
  14.   Button createUserButton = new Button("Create user");
  15.   createUserButton.addClickListener(new ClickListener() {
  16.     @Override
  17.     public void buttonClick(ClickEvent event) {
  18.       navigationEvent.fire(new NavigationEvent("create-user"));
  19.     }
  20.   });
  21.   layout.addComponent(createUserButton);
  22.   return layout;
  23. }

Everything seems to work fine, the admin is able to use this new feature to create a new user and the view is inaccessible to non-admins. An attempt to access the view without the proper authorization will currently cause an IllegalArgumentException. A better approach would be to create an error view and display that instead.

Java

  1. package com.vaadin.cdi.tutorial;
  3. import javax.inject.Inject;
  5. import com.vaadin.cdi.access.AccessControl;
  6. import com.vaadin.navigator.View;
  7. import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
  8. import com.vaadin.ui.Button;
  9. import com.vaadin.ui.Button.ClickEvent;
  10. import com.vaadin.ui.Button.ClickListener;
  11. import com.vaadin.ui.CustomComponent;
  12. import com.vaadin.ui.Label;
  13. import com.vaadin.ui.VerticalLayout;
  15. public class ErrorView extends CustomComponent implements View {
  17.   @Inject
  18.   private AccessControl accessControl;
  20.   @Inject
  21.   private javax.enterprise.event.Event<NavigationEvent> navigationEvent;
  23.   @Override
  24.   public void enter(ViewChangeEvent event) {
  25.     VerticalLayout layout = new VerticalLayout();
  26.     layout.setSizeFull();
  27.     layout.setMargin(true);
  28.     layout.setSpacing(true);
  30.     layout.addComponent(new Label(
  31.         "Unfortunately, the page you've requested does not exists."));
  32.     if (accessControl.isUserSignedIn()) {
  33.       layout.addComponent(createChatButton());
  34.     } else {
  35.       layout.addComponent(createLoginButton());
  36.     }
  37.     setCompositionRoot(layout);
  38.   }
  40.   private Button createLoginButton() {
  41.     Button button = new Button("To login page");
  42.     button.addClickListener(new ClickListener() {
  43.       @Override
  44.       public void buttonClick(ClickEvent event) {
  45.         navigationEvent.fire(new NavigationEvent("login"));
  46.       }
  47.     });
  48.     return button;
  49.   }
  51.   private Button createChatButton() {
  52.     Button button = new Button("Back to the main page");
  53.     button.addClickListener(new ClickListener() {
  54.       @Override
  55.       public void buttonClick(ClickEvent event) {
  56.         navigationEvent.fire(new NavigationEvent("chat"));
  57.       }
  58.     });
  59.     return button;
  60.   }
  61. }

To use this we’ll modify our NavigationService to add the error view to the Navigator.

NavigationServiceImpl:

Java

  1. @Inject
  2. private ErrorView errorView;
  4. @PostConstruct
  5. public void initialize() {
  6.   if (ui.getNavigator() == null) {
  7.     Navigator navigator = new Navigator(ui, ui);
  8.     navigator.addProvider(viewProvider);
  9.     navigator.setErrorView(errorView);
  10.   }
  11. }

We don’t really want the admin-only buttons to be visible to non-admin users. To programmatically hide them we can inject AccessControl to our view.

ChatView:

Java

  1. @Inject
  2. private AccessControl accessControl;
  4. private Layout buildUserSelectionLayout() {
  5.   VerticalLayout layout = new VerticalLayout();
  6.   layout.setWidth("100%");
  7.   layout.setMargin(true);
  8.   layout.setSpacing(true);
  9.   layout.addComponent(new Label("Select user to talk to:"));
  10.   for (User user : userDAO.getUsers()) {
  11.     if (user.equals(userInfo.getUser())) {
  12.       continue;
  13.     }
  14.     layout.addComponent(generateUserSelectionButton(user));
  15.   }
  16.   if(accessControl.isUserInRole("admin")) {
  17.     layout.addComponent(new Label("Admin:"));
  18.     Button createUserButton = new Button("Create user");
  19.     createUserButton.addClickListener(new ClickListener() {
  20.       @Override
  21.       public void buttonClick(ClickEvent event) {
  22.         navigationEvent.fire(new NavigationEvent("create-user"));
  23.       }
  24.     });
  25.     layout.addComponent(createUserButton);
  26.   }
  27.   return layout;
  28. }

Some further topics

In the previous section we pruned the layout programmatically to prevent non-admins from even seeing the admin buttons. That was one way to do it. Another would be to create a custom component representing the layout, then create a producer for that component which would determine at runtime which version to create.

Sometimes there’s a need for a more complex custom access control implementations. You may need to use something more than Java Strings to indicate user roles, you may want to alter access rights during runtime. For those purposes we could extend the CDIViewProvider (with either the @Specializes annotation or @Alternative with a beans.xml entry) and override isUserHavingAccessToView(Bean<?> viewBean).