ILAY - authorization for Vaadin
ILAY - Authorization for Vaadin
abstract
Ilay is a simple-to-use authentication-framework for Vaadin. It does not incorporate frameworks like Spring-Security or Apache Shiro, but brings it's own api which is custom-tailored for the use with Vaadin. Ilay deals with navigation ( 'is the user allowed to see this view' ) and visibility ( 'should this component be visible to the user' ).
installation
add this maven-dependency to your pom.xml
<dependency>
<groupId>org.ilay</groupId>
<artifactId>ilay</artifactId>
<version>3.0.0</version>
</dependency>
usage
Please note that thanks to the new API's in Vaadin 10+, no bootstrapping-code is necessary.
Let's assume the case that a certain route-target is only to be accessed by users that have the role 'administrator'. Now the first step would be to define an AccessEvaluator, that determines whether or not the current user has that role or not.
class IsAdminAccessEvaluator implements AccessEvaluator {
/*
* instances of this class will be created by VaadinService,
* which will delegate construction to the configured
* DI-provider (CDI, Spring, Guice), if one is configured.
* This is why @Autowired will work here, assuming
* the Spring-Addon for Vaadin is being used.
*/
@Autowired
Supplier<UserRole> userRoleProvider;
@Override
public Access evaluate(Location location, Class<?> navigationTarget, Annotation annotation) {
return UserRole.ADMIN.equals(userRoleProvider.get())
? Access.granted()
: Access.restricted(UserNotInRoleException.class);
}
}
Note that an Access-instance is returned, not a boolean. Access has one granted()-method and a lot of restricted()-methods, which reflect the different reroute-methods in BeforeEnterEvent, to which they eventually delegate.
Now we need to connect the IsAdminAccessEvaluator to our view, the glue for this is an annotation with a nice speaking name and an @NavigationAnnotation on it, that specifies the AccessEvaluator:
@NavigationAnnotation(IsAdminAccessEvaluator.class)
@Retention(RetentionPolicy.RUNTIME)
public interface OnlyForAdmins {
}
OnlyForAdmins can then be used to prevent users that are not admins from entering the protected views
@OnlyForAdmins
@Route("admin-view")
public class AdminView extends Div {
}
And that's it. Now users without Admin-permission will be redirected to an error-view.
Some readers may have noticed that the AccessEvaluator has a generic type-parameter for the annotation it is attached to. So if we like to have additional information in there, like:
@NavigationAnnotation(IsAdminAccessEvaluator.class)
@Retention(RetentionPolicy.RUNTIME)
public interface OnlyForAdmins {
String someAdditionalInfo();
}
We could change IsAdminAccessEvaluator to
class IsAdminAccessEvaluator implements AccessEvaluator<OnlyForAdmins> {
Supplier<UserRole> userRoleProvider;
@Override
public Access evaluate(Location location, Class<?> navigationTarget, OnlyForAdmins annotation) {
Log.info(annotation.someAdditionalInformation());
return UserRole.ADMIN.equals(userRoleProvider.get())
? Access.granted()
: Access.restricted(UserNotInRoleException.class);
}
}
notes
We hope you enjoy working with ilay, if you have any suggestion, feel free to open a github-issue or PR.
Sample code
@WebServlet(urlPatterns = "/*", name = "MyUIServlet", asyncSupported = true) @VaadinServletConfiguration(ui = IlayUI.class, productionMode = false) public class MyUIServlet extends VaadinServlet { }
@Route(value = "messages", layout = MainLayout.class) @Restricted(LoggedInUsers.class) public class MessagesView extends FlexLayout{ ... }
public class LoggedInUsers implements AccessEvaluator { @Inject private UserHolder userHolder; @Override public Access evaluate(Location location, Class<?> navigationTarget) { return userHolder.isPresent() ? Access.granted() : Access.restricted("login"); } }
Links
Compatibility
Was this helpful? Need more help?
Leave a comment or a question below. You can also join
the chat on Discord or
ask questions on StackOverflow.
Version
stable LTS version of Ilay, see Readme for details
- Released
- 2019-02-07
- Maturity
- STABLE
- License
- Apache License 2.0
Compatibility
- Framework
- Vaadin 10+
- Vaadin 11+
- Vaadin 12+
- Vaadin 7.0+ in 1.0.0-vaadin-7-alpha-1
- Vaadin 7.6+ in 1.0.0-vaadin-7
- Vaadin 8.0+ in 1.0.0
- Browser
- Browser Independent
ILAY - authorization for Vaadin - Vaadin Add-on Directory
ILAY - Authorization for VaadinOnline Demo
Example Source Code
Source Code
ILAY - authorization for Vaadin version 1.0.0-alpha-1
null
ILAY - authorization for Vaadin version 1.0.0
null
ILAY - authorization for Vaadin version 1.0.0-vaadin-7
null
ILAY - authorization for Vaadin version 1.0.0-vaadin-7-alpha-1
compiled for vaadin 7, restrictData not supported
ILAY - authorization for Vaadin version 3.0-Final
stable LTS version of Ilay, see Readme for details