I was testing the Authentication and Authorization Implementation from Alejandro’s Data-Centric Applications Book.
I realized that it seems not to work well when I started implementing Routing and Navigation in Vaadin 10, since even if you are not authenticated in the app you are allowed to access many other views by typing the actual routes into the browser.
Take a look at the attachments: you will see that by entering the routes in the URLs you can actually go to the views that are supposed to be private.
Is there any way that with the same Authentication and Authorization implementation one can make use of Routes and Navigation without compromising the security of the app?
Researching a little, I found the BeforeEnterObserver interface, which I implemented; it allows me to check whether the user has been authenticated and the session is still active, and if not I just reroute the user to the login view. Something like this:
@Override
public void beforeEnter(BeforeEnterEvent beforeEnterEvent) {
    // Called before this view is shown; unauthenticated users are sent back to the public (login) view.
    if (!AuthService.isAuthenticated()) {
        beforeEnterEvent.rerouteTo(PublicSide.class);
    }
}
It’s working for me so far. But if you have a better way to do it, don’t hesitate to share your thoughts.
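A per-view BeforeEnterObserver is opt-in: any route that forgets to implement it stays reachable by URL. The following is an added example (not from the post, the book, or Vaadin itself) of a deny-by-default guard registered once for every UI through Vaadin 10's VaadinServiceInitListener; it reuses AuthService.isAuthenticated() and PublicSide from the post and assumes the listener is registered via a META-INF/services file.

```java
import com.vaadin.flow.component.UI;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;

import java.util.Collections;
import java.util.Set;

/**
 * Registers one navigation guard on every UI the application creates,
 * so no individual view has to remember to implement BeforeEnterObserver.
 *
 * Registration (assumed): a text file named
 * META-INF/services/com.vaadin.flow.server.VaadinServiceInitListener
 * containing this class's fully qualified name.
 */
public class AuthGuardInitListener implements VaadinServiceInitListener {

    // Allow-list of navigation targets reachable without a session.
    // PublicSide is the login view from the post; add other public views here.
    private static final Set<Class<?>> PUBLIC_ROUTES =
            Collections.singleton(PublicSide.class);

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Every new UI (browser tab) gets the same before-enter check.
        event.getSource().addUIInitListener(uiEvent -> {
            UI ui = uiEvent.getUI();
            ui.addBeforeEnterListener(AuthGuardInitListener::checkAccess);
        });
    }

    // Runs before ANY route is entered, whether by link, history or typed URL.
    private static void checkAccess(BeforeEnterEvent enterEvent) {
        Class<?> target = enterEvent.getNavigationTarget();
        if (PUBLIC_ROUTES.contains(target)) {
            return; // explicitly public, no session required
        }
        // Deny by default: anything not on the allow-list needs a live session.
        if (!AuthService.isAuthenticated()) {
            enterEvent.rerouteTo(PublicSide.class);
        }
    }
}
```

With this in place a view only needs its own BeforeEnterObserver for finer-grained checks (for example role-based access), while the "must be logged in" rule is enforced centrally.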