Spring Boot Security for Vaadin

Security for Vaadin applications based on Spring Boot Security

This add-on serves as glue between Vaadin and Spring Boot Security with the goal of bringing both worlds together as seamlessly as possible. The URL-based security of Spring is replaced with annotations directly on your Vaadin views and endpoint methods. Access rules can be defined using expressions, like hasRole('ADMIN') or any Java code.

Its features mainly focus on two areas:

• Authentication: You configure most parts of your Spring Security filter chain (AuthenticationManager, AuthenticationProviders, UserDetailsService, remember-be authentication, etc.) in your WebSecurityConfigurerAdapter as you would otherwise. This add-on will (by default) configure the form login and logout and wrap them in a simple Java (i.e. server-side) API. This API can be used in your login view to which the user will be automatically forwarded. This allows you to stay completely in Java and Vaadin; no HTML login page or URL redirection necessary. But authentication can also be completely customized to use Web SSO mechanisms instead. See the project page for links to examples like Keycloak and Kerberos.
• Access control: Access control works for views and endpoints using annotations. Access rules are defined using Spring Security expressions or custom Java code for more advanced requirements. There's also a Java API to facilitate fine-grained control within your views and endpoints, so it is e.g. possible to also have publicly accessible views with partially restricted content. Access rules for routes can also be changed at runtime.

For more details on how to use this add-on, please see the project page and/or take a look at the source code of the demo application.

Please let me know if you're successfully using this add-on. Otherwise let me know what doesn't work for you; there's always room for improvement.

Sample code

import com.vaadin.flow.component.Composite;
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.login.LoginForm;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;

import de.codecamp.vaadin.security.spring.authentication.VaadinAuthenticationService;


@Route("login")
public class LoginView
  extends Composite<VerticalLayout>
{

  @Override
  protected VerticalLayout initContent()
  {
    VerticalLayout layout = super.initContent();

    LoginForm loginForm = new LoginForm();
    layout.add(loginForm);
    loginForm.addLoginListener(event -> {
      VaadinAuthenticationService.get().login(this, event.getUsername(), event.getPassword(), false,
          result ->
          {
            loginForm.setEnabled(true);
            loginForm.setError(result.isFailure());
            return false;
          });
    });

    return layout;
  }

}

@Route("admin")
// Spring Security expressions
@SecuredAccess("hasRole('ADMIN')")
public class AdminView
{
  ...
}

@Route("admin")
// custom Java code to implement your rules
@SecuredAccess(evaluator = CustomRouteAccessEvaluator.class)
public class AdminView
{
  ...
}

@Route("admin")
// you can create your own set of custom reusable annotations
@RequiresAdminRole
public class AdminView
{
  ...
}

@Endpoint
@RequiresAuthentication
public class DemoEndpoint
{

  @PermitAll // Spring Security's definition of permitAll: allow annoymous
  public String methodOne(String name)
  {
    return "Hello " + name + "!";
  }

  // rule inherited from class
  public String methodTwo(String name)
  {
    return "Greetings, " + name + "!";
  }

  @RequiresAdminRole // a custom annotation
  public String methodThree(String name)
  {
    return "Good bye, " + name + "!";
  }

  @SecuredAccess("hasRole('SPECIAL')")
  public String methodFour(String name)
  {
    return "Good bye, " + name + "!";
  }

}

Links

• Source Code
• Demo Project
• Javadoc

Compatibility