Access control

In this tutorial we will look into access control.

Basic access control

The application we’ve been building will inevitably need some administrative tools. Creation and deletion of users, for example, is generally something that we’d like to do during runtime. Let’s create a simple View for creating a new user:

package com.vaadin.cdi.tutorial;

import java.util.concurrent.atomic.AtomicLong;

import javax.inject.Inject;

import com.vaadin.cdi.CDIView;
import com.vaadin.data.Validator;
import com.vaadin.data.fieldgroup.BeanFieldGroup;
import com.vaadin.data.fieldgroup.FieldGroup.CommitEvent;
import com.vaadin.data.fieldgroup.FieldGroup.CommitException;
import com.vaadin.data.fieldgroup.FieldGroup.CommitHandler;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.CustomComponent;
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;

@CDIView
public class CreateUserView extends CustomComponent implements View {

  @Inject
  UserDAO userDAO;

  private static final AtomicLong ID_FACTORY = new AtomicLong(3);

  @Override
  public void enter(ViewChangeEvent event) {
    final VerticalLayout layout = new VerticalLayout();
    layout.setMargin(true);
    layout.setSpacing(true);
    layout.addComponent(new Label("Create new user"));

    final BeanFieldGroup<User> fieldGroup = new BeanFieldGroup<User>(
        User.class);
    layout.addComponent(fieldGroup.buildAndBind("firstName"));
    layout.addComponent(fieldGroup.buildAndBind("lastName"));
    layout.addComponent(fieldGroup.buildAndBind("username"));
    layout.addComponent(fieldGroup.buildAndBind("password"));
    layout.addComponent(fieldGroup.buildAndBind("email"));

    fieldGroup.getField("username").addValidator(new Validator() {
      @Override
      public void validate(Object value) throws InvalidValueException {
        String username = (String) value;
        if (username.isEmpty()) {
          throw new InvalidValueException("Username cannot be empty");
        }

        if (userDAO.getUserBy(username) != null) {
          throw new InvalidValueException("Username is taken");
        }
      }
    });

    fieldGroup.setItemDataSource(new User(ID_FACTORY.incrementAndGet(), "",
        "", "", "", "", false));

    final Label messageLabel = new Label();
    layout.addComponent(messageLabel);

    fieldGroup.addCommitHandler(new CommitHandler() {
      @Override
      public void preCommit(CommitEvent commitEvent) throws CommitException {
      }

      @Override
      public void postCommit(CommitEvent commitEvent) throws CommitException {
        userDAO.saveUser(fieldGroup.getItemDataSource().getBean());
        fieldGroup.setItemDataSource(new User(ID_FACTORY
            .incrementAndGet(), "", "", "", "", "", false));
      }
    });
    Button commitButton = new Button("Create");
    commitButton.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        try {
          fieldGroup.commit();
          messageLabel.setValue("User created");
        } catch (CommitException e) {
          messageLabel.setValue(e.getMessage());
        }
      }
    });

    layout.addComponent(commitButton);
    setCompositionRoot(layout);
  }
}

CDIViewProvider checks the Views for a specific annotation, javax.annotation.security.RolesAllowed. You can get access to it by adding the following dependency to your pom.xml:

<dependency>
  <groupId>javax.annotation</groupId>
  <artifactId>javax.annotation-api</artifactId>
  <version>1.2-b01</version>
</dependency>
@CDIView
@RolesAllowed({ "admin" })
public class CreateUserView extends CustomComponent implements View {

To add access control to our application we’ll need to have a concrete implementation of the AccessControl abstract class. Vaadin CDI comes bundled with a simple JAAS implementation, but configuring a JAAS security domain is outside the scope of this tutorial. Instead we’ll opt for a simpler implementation.

We’ll go ahead and alter our UserInfo class to include hold roles.

private List<String> roles = new LinkedList<String>();
public void setUser(User user) {
  this.user = user;
  roles.clear();
  if (user != null) {
    roles.add("user");
    if (user.isAdmin()) {
      roles.add("admin");
    }
  }
}

public List<String> getRoles() {
  return roles;
}

Let’s extend AccessControl and use our freshly modified UserInfo in it.

package com.vaadin.cdi.tutorial;

import javax.enterprise.inject.Alternative;
import javax.inject.Inject;

import com.vaadin.cdi.access.AccessControl;

@Alternative
public class CustomAccessControl extends AccessControl {

  @Inject
  private UserInfo userInfo;

  @Override
  public boolean isUserSignedIn() {
    return userInfo.getUser() != null;
  }

  @Override
  public boolean isUserInRole(String role) {
    if (isUserSignedIn()) {
      for (String userRole : userInfo.getRoles()) {
        if (role.equals(userRole)) {
          return true;
        }
      }
    }
    return false;
  }

  @Override
  public String getPrincipalName() {
    if (isUserSignedIn()) {
      return userInfo.getUser().getUsername();
    }
    return null;
  }
}

Note the @Alternative annotation. The JAAS implementation is set as the default, and we can’t have multiple default implementations. We’ll have to add our custom implementation to the beans.xml:

<beans>
  <alternatives>
    <class>com.vaadin.cdi.tutorial.UserGreetingImpl</class>
    <class>com.vaadin.cdi.tutorial.CustomAccessControl</class>
  </alternatives>
  <decorators>
    <class>com.vaadin.cdi.tutorial.NavigationLogDecorator</class>
  </decorators>
</beans>

Now let’s add a button to navigate to this view.

ChatView:

private Layout buildUserSelectionLayout() {
  VerticalLayout layout = new VerticalLayout();
  layout.setWidth("100%");
  layout.setMargin(true);
  layout.setSpacing(true);
  layout.addComponent(new Label("Select user to talk to:"));
  for (User user : userDAO.getUsers()) {
    if (user.equals(userInfo.getUser())) {
      continue;
    }
    layout.addComponent(generateUserSelectionButton(user));
  }
  layout.addComponent(new Label("Admin:"));
  Button createUserButton = new Button("Create user");
  createUserButton.addClickListener(new ClickListener() {
    @Override
    public void buttonClick(ClickEvent event) {
      navigationEvent.fire(new NavigationEvent("create-user"));
    }
  });
  layout.addComponent(createUserButton);
  return layout;
}

Everything seems to work fine, the admin is able to use this new feature to create a new user and the view is inaccessible to non-admins. An attempt to access the view without the proper authorization will currently cause an IllegalArgumentException. A better approach would be to create an error view and display that instead.

package com.vaadin.cdi.tutorial;

import javax.inject.Inject;

import com.vaadin.cdi.access.AccessControl;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.CustomComponent;
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;

public class ErrorView extends CustomComponent implements View {

  @Inject
  private AccessControl accessControl;

  @Inject
  private javax.enterprise.event.Event<NavigationEvent> navigationEvent;

  @Override
  public void enter(ViewChangeEvent event) {
    VerticalLayout layout = new VerticalLayout();
    layout.setSizeFull();
    layout.setMargin(true);
    layout.setSpacing(true);

    layout.addComponent(new Label(
        "Unfortunately, the page you've requested does not exists."));
    if (accessControl.isUserSignedIn()) {
      layout.addComponent(createChatButton());
    } else {
      layout.addComponent(createLoginButton());
    }
    setCompositionRoot(layout);
  }

  private Button createLoginButton() {
    Button button = new Button("To login page");
    button.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        navigationEvent.fire(new NavigationEvent("login"));
      }
    });
    return button;
  }

  private Button createChatButton() {
    Button button = new Button("Back to the main page");
    button.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        navigationEvent.fire(new NavigationEvent("chat"));
      }
    });
    return button;
  }
}

To use this we’ll modify our NavigationService to add the error view to the Navigator.

NavigationServiceImpl:

@Inject
private ErrorView errorView;

@PostConstruct
public void initialize() {
  if (ui.getNavigator() == null) {
    Navigator navigator = new Navigator(ui, ui);
    navigator.addProvider(viewProvider);
    navigator.setErrorView(errorView);
  }
}

We don’t really want the admin-only buttons to be visible to non-admin users. To programmatically hide them we can inject AccessControl to our view.

ChatView:

@Inject
private AccessControl accessControl;

private Layout buildUserSelectionLayout() {
  VerticalLayout layout = new VerticalLayout();
  layout.setWidth("100%");
  layout.setMargin(true);
  layout.setSpacing(true);
  layout.addComponent(new Label("Select user to talk to:"));
  for (User user : userDAO.getUsers()) {
    if (user.equals(userInfo.getUser())) {
      continue;
    }
    layout.addComponent(generateUserSelectionButton(user));
  }
  if(accessControl.isUserInRole("admin")) {
    layout.addComponent(new Label("Admin:"));
    Button createUserButton = new Button("Create user");
    createUserButton.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        navigationEvent.fire(new NavigationEvent("create-user"));
      }
    });
    layout.addComponent(createUserButton);
  }
  return layout;
}

Some further topics

In the previous section we pruned the layout programmatically to prevent non-admins from even seeing the admin buttons. That was one way to do it. Another would be to create a custom component representing the layout, then create a producer for that component which would determine at runtime which version to create.

Sometimes there’s a need for a more complex custom access control implementations. You may need to use something more than Java Strings to indicate user roles, you may want to alter access rights during runtime. For those purposes we could extend the CDIViewProvider (with either the @Specializes annotation or @Alternative with a beans.xml entry) and override isUserHavingAccessToView(Bean<?> viewBean).