Access control

    The application we’ve been building will inevitably need some administrative tools. Creation and deletion of users, for example, is generally something that we’d like to do during runtime. Let’s create a simple View for creating a new user:

    Java

    checks the Views for a specific annotation, javax.annotation.security.RolesAllowed. You can get access to it by adding the following dependency to your pom.xml:

    XML

    1. <dependency>
    2.   <groupId>javax.annotation</groupId>
    3.   <artifactId>javax.annotation-api</artifactId>
    4.   <version>1.2-b01</version>
    5. </dependency>

    Java

    1. @CDIView
    2. @RolesAllowed({ "admin" })
    3. public class CreateUserView extends CustomComponent implements View {

    To add access control to our application we’ll need to have a concrete implementation of the AccessControl abstract class. Vaadin CDI comes bundled with a simple JAAS implementation, but configuring a JAAS security domain is outside the scope of this tutorial. Instead we’ll opt for a simpler implementation.

    We’ll go ahead and alter our UserInfo class to include hold roles.

    Let’s extend AccessControl and use our freshly modified UserInfo in it.

    Java

    1. package com.vaadin.cdi.tutorial;
    3. import javax.enterprise.inject.Alternative;
    4. import javax.inject.Inject;
    6. import com.vaadin.cdi.access.AccessControl;
    8. @Alternative
    9. public class CustomAccessControl extends AccessControl {
    11.   @Inject
    12.   private UserInfo userInfo;
    14.   @Override
    15.   public boolean isUserSignedIn() {
    16.     return userInfo.getUser() != null;
    17.   }
    19.   @Override
    20.   public boolean isUserInRole(String role) {
    21.     if (isUserSignedIn()) {
    22.       for (String userRole : userInfo.getRoles()) {
    23.         if (role.equals(userRole)) {
    24.           return true;
    25.         }
    26.       }
    27.     }
    28.     return false;
    29.   }
    31.   @Override
    32.   public String getPrincipalName() {
    33.       return userInfo.getUser().getUsername();
    35.     return null;
    36.   }
    37. }

    Note the @Alternative annotation. The JAAS implementation is set as the default, and we can’t have multiple default implementations. We’ll have to add our custom implementation to the beans.xml:

    XML

    1. <beans>
    2.   <alternatives>
    3.     <class>com.vaadin.cdi.tutorial.UserGreetingImpl</class>
    4.     <class>com.vaadin.cdi.tutorial.CustomAccessControl</class>
    5.   </alternatives>
    6.   <decorators>
    7.     <class>com.vaadin.cdi.tutorial.NavigationLogDecorator</class>
    8.   </decorators>
    9. </beans>

    Now let’s add a button to navigate to this view.

    ChatView:

    Java

    Java

    1. package com.vaadin.cdi.tutorial;
    3. import javax.inject.Inject;
    5. import com.vaadin.cdi.access.AccessControl;
    6. import com.vaadin.navigator.View;
    7. import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
    8. import com.vaadin.ui.Button;
    9. import com.vaadin.ui.Button.ClickEvent;
    10. import com.vaadin.ui.Button.ClickListener;
    11. import com.vaadin.ui.CustomComponent;
    12. import com.vaadin.ui.Label;
    13. import com.vaadin.ui.VerticalLayout;
    15. public class ErrorView extends CustomComponent implements View {
    17.   @Inject
    18.   private AccessControl accessControl;
    20.   @Inject
    21.   private javax.enterprise.event.Event<NavigationEvent> navigationEvent;
    23.   @Override
    24.   public void enter(ViewChangeEvent event) {
    25.     VerticalLayout layout = new VerticalLayout();
    26.     layout.setSizeFull();
    27.     layout.setMargin(true);
    28.     layout.setSpacing(true);
    29.     layout.addComponent(new Label(
    30.         "Unfortunately, the page you've requested does not exists."));
    32.       layout.addComponent(createChatButton());
    33.     } else {
    34.       layout.addComponent(createLoginButton());
    35.     }
    36.     setCompositionRoot(layout);
    37.   }
    39.   private Button createLoginButton() {
    40.     Button button = new Button("To login page");
    41.     button.addClickListener(new ClickListener() {
    42.       @Override
    43.       public void buttonClick(ClickEvent event) {
    44.         navigationEvent.fire(new NavigationEvent("login"));
    45.       }
    46.     });
    47.     return button;
    48.   }
    50.   private Button createChatButton() {
    51.     Button button = new Button("Back to the main page");
    52.     button.addClickListener(new ClickListener() {
    53.       @Override
    54.       public void buttonClick(ClickEvent event) {
    55.         navigationEvent.fire(new NavigationEvent("chat"));
    56.       }
    57.     });
    58.     return button;
    59.   }
    60. }

    To use this we’ll modify our NavigationService to add the error view to the Navigator.

    NavigationServiceImpl:

    Java

    1. @Inject
    2. private ErrorView errorView;
    4. @PostConstruct
    5. public void initialize() {
    6.   if (ui.getNavigator() == null) {
    7.     Navigator navigator = new Navigator(ui, ui);
    8.     navigator.addProvider(viewProvider);
    9.     navigator.setErrorView(errorView);
    10.   }

    We don’t really want the admin-only buttons to be visible to non-admin users. To programmatically hide them we can inject AccessControl to our view.

    ChatView:

    Java

    Some further topics

    Sometimes there’s a need for a more complex custom access control implementations. You may need to use something more than Java Strings to indicate user roles, you may want to alter access rights during runtime. For those purposes we could extend the CDIViewProvider (with either the @Specializes annotation or with a beans.xml entry) and override isUserHavingAccessToView(Bean<?> viewBean).