JAAS for whole Vaadin application

Hi there,

I’m trying to secure my Vaadin application and already read
https://vaadin.com/wiki/-/wiki/Main/Using+Vaadin+CDI+with+JAAS+authentication
. The problem is, when I try to secure the whole app path starting at <url-pattern>/*</url-pattern> I run into the alert “Could not load vaadin-bootstrap.js”, so I added another constraint to allow /VAADIN/* .
Now it loads but that's already the end of it. It just says “Loading …” and nothing happens.
Here is the part of the web.xml I tried out:

<security-constraint>
  <display-name>SecureApplicationConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>SecureUI</web-resource-name>
    <description>Only this UI is protected</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Only valid users are allowed</description>
    <role-name>viewer</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>VaadinConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>VaadinResources</web-resource-name>
    <url-pattern>/VAADIN/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<security-constraint>
  <display-name>LoginConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>LoginUI</web-resource-name>
    <url-pattern>/login*</url-pattern>
  </web-resource-collection>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ApplicationRealm</realm-name>
  <form-login-config>
  <form-login-page>/login</form-login-page>
  <form-error-page>/login</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>viewer</role-name>
</security-role>

Do not place a security-constraint on /* but rather place security-constraint explicitly on all the UI/servlet mapping that require security.

I’m not 100% sure but I think /login* is not a valid pattern either, you might need to add /login and /login/* , at least in GlassFish you will get warnings about /login*

If that does not help, enable finer/finest logging for your application server’s security modules, that way you’ll be able to see what is going on. (I suspect the Form-Auth-Module is redirecting to your /login page, does not have access, redirects to /login page, … ) you get the picture.

Note you will not see the redirects on the browser end…

Hi Bastel, not sure if that helps you.
What I did in my project was I have the login/error page in its own login folder.
So with this I can deny access on /* but grant access on the /login/*
At least this works on jetty.

With this I also do not need access on /VAADIN/*
To make sure I also included a second Servlet mapping specially for the login where I use the Default Servlet of Jetty instead of the Vaadin Servlet. So the Vaadin Servlet only starts up after I successfully authenticated the user.
No need for the login html site.

You can actually see my web.xml config here
https://vaadin.com/forum#!/thread/8288932
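Putting the two replies above together (constrain only the UI servlet mapping instead of /*, use /login/* rather than /login*, and serve the login page from the container's default servlet in its own folder), here is an added web.xml fragment that is not from this thread or from any poster's project. The /app/* mapping, the com.example.AppUI class, the login.html / error.html file names and the servlet name "default" (the name Jetty and Tomcat give their static-file servlet) are assumptions.

```xml
<!-- Hypothetical web.xml fragment (added example, not from the thread) -->

<!-- Vaadin UI servlet: assumed plain Vaadin 7 servlet with a placeholder UI class -->
<servlet>
  <servlet-name>AppUI</servlet-name>
  <servlet-class>com.vaadin.server.VaadinServlet</servlet-class>
  <init-param>
    <param-name>UI</param-name>
    <param-value>com.example.AppUI</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>AppUI</servlet-name>
  <url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- A servlet not mapped to /* also needs /VAADIN/* so theme and widgetset load;
     this serves static resources only, so it carries no auth-constraint. -->
<servlet-mapping>
  <servlet-name>AppUI</servlet-name>
  <url-pattern>/VAADIN/*</url-pattern>
</servlet-mapping>

<!-- Static login pages served by the container's default servlet (name assumed: "default").
     The Vaadin servlet is never touched until the user is authenticated. -->
<servlet-mapping>
  <servlet-name>default</servlet-name>
  <url-pattern>/login/*</url-pattern>
</servlet-mapping>

<!-- Only the UI mapping is protected; /login/* and /VAADIN/* are outside the constraint,
     so the FORM module can redirect to the login page without looping back on itself. -->
<security-constraint>
  <display-name>SecureApplicationConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>SecureUI</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>viewer</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ApplicationRealm</realm-name>
  <form-login-config>
    <form-login-page>/login/login.html</form-login-page>
    <form-error-page>/login/error.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>viewer</role-name>
</security-role>
```

login.html is an ordinary form that POSTs j_username and j_password to j_security_check, as the Servlet FORM authentication spec requires; the container performs the login against ApplicationRealm and then replays the original /app/ request.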