Controlling Endpoint Access
- Securing Server-Side Endpoints
- Security Options
- Defining User Permissions
- Accessing User Information in an Endpoint Method
- Client Side Authentication
- CSRF Protection of Hilla Endpoints
When developing server-side views, endpoint access control is implemented using regular Java approaches: servlet-container-based security, third-party libraries, or session-based solutions.
You can create a project with the basic security configuration added to it using the --auth
option:
This article describes all the pieces needed for securing client-centric applications.
Securing Server-Side Endpoints
The first step is to configure authorization of each endpoint that the application exposes.
Consider the simple Hilla endpoint defined in the following class:
@Endpoint
@PermitAll
public class CounterEndpoint {
public int addOne(int number) {
return number + 1;
}
}
Hilla access-control features are enabled by default for any endpoint method.
If not specified in Java code explicitly, a Principal
object must be present in the request before invoking an endpoint method.
The HttpServletRequest.getUserPrincipal()
Java API is used for the check.
At this point, the servlet container or the application needs to be configured appropriately to handle user authentication.
Security Options
By default, all anonymous and authenticated requests are denied. To change the default behavior, place a security Java annotation on either the endpoint class or the endpoint method. The following annotations are available:
-
@PermitAll
Allows any authenticated user to call a method via the request. -
@RolesAllowed
Grants access to users having the roles specified in the annotation value. Roles are covered in the next section. -
@DenyAll
Disallows anyone from calling the method via the request. The default. -
@AnonymousAllowed
Permits anyone to call the method via the request without authorization.
A security annotation that’s placed on a class is applied to any public method of this class that has no security annotations. If the method has security annotations, any class-level annotation is discarded and only method-level ones are applied.
If there are multiple annotations specified on some entity, the following rules are applied:
-
DenyAll
overrides other annotations -
AnonymousAllowed
overridesRolesAllowed
andPermitAll
-
RolesAllowed
overridesPermitAll
Example:
@Endpoint
@PermitAll
public class MyEndpoint {
@DenyAll
public void deniedMethod() {
// Not possible to call by any request. Since there
// is a `@PermitAll` annotation on the
// class, we specify this one on a method to override
// the class one.
}
@AnonymousAllowed
public void anonymousMethod() {
// Possible to call by any request (even without
// authorization) since method level annotation
// overrides class-level one
}
public void permittedToAllMethod() {
// Permitted to all authenticated users as per the
// class annotation.
}
@RolesAllowed("ROLE_ADMIN")
public void permittedToRoleMethod() {
// Permitted to all authenticated users having the
// role ROLE_ADMIN.
}
}
Defining User Permissions
As mentioned in the previous section, every user can have roles and this may affect their ability to access some endpoint methods. This section explains how to specify these for each user.
Hilla endpoints check the existence of roles by using the HttpServletRequest.isUserInRole(String)
Java API.
After the servlet container has been configured to handle user authentication, when the server receives a request for the secured endpoint, the user and its roles are checked. If everything is OK, the method is executed.
Accessing User Information in an Endpoint Method
When access to the UserPrincipal
is required in an endpoint, call the VaadinRequest.getCurrent()
method to access the HttpServletRequest
API.
@Endpoint
public class EchoEndpoint {
public String saySomething(String message) {
return VaadinRequest.getCurrent().getUserPrincipal().getName() + " says: " + message;
}
}
import { EchoEndpoint } from 'Frontend/generated/EchoEndpoint';
EchoEndpoint
.saySomething("It's snowing in Turku")
.then(response => console.log(response));
Client Side Authentication
If it’s required to know, on the client side, whether a user is authenticated, please read Checking Authentication.
CSRF Protection of Hilla Endpoints
Hilla endpoints are protected from Cross-Site Request Forgery (CSRF) attacks using the same approach as Vaadin. See Cross-Site Request Forgery in the Vaadin Flow security guide for more details.