Hi everybody,
I'm just trying to set up security in a Vaadin application. I'm able to configure TomEE to use basic authentication against a DataSource realm. This works generally fine: whenever I try to access a certain UI, I'm forced to provide the right credentials.
However, I don't get the @RolesAllowed annotations to work. Whenever I try to access a function annotated with @RolesAllowed, it's executed anyway, independent of the role (I also used @DeclareRoles). When I access the user principal from the request, I can see that it contains the correct role.
So I have 2 questions:
Is it possible to use @RolesAllowed within Vaadin?
How do I secure particular views of a UI if I use a Navigator? In the security mappings I wasn't able to give the right path…
Or is there a code example somewhere using @RolesAllowed, or one showing how views can be secured?
Here is my view, where i navigate to after login :
import javax.annotation.PostConstruct;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

import com.vaadin.cdi.CDIView;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.Label;
import com.vaadin.ui.Notification;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

@CDIView("secure")
@DeclareRoles({ "admin", "normaluser" })
public class AnotherView extends VerticalLayout implements View {

    @PostConstruct
    public void init() {
        Label label = new Label("Another View");
        Button button = new Button("Click here to execute secured function");
        button.addClickListener(new ClickListener() {
            @Override
            public void buttonClick(ClickEvent event) {
                // Direct self-invocation: no container interceptor sits between
                // this call and doSomething(), so the annotation below is not checked.
                doSomething();
            }
        });
        // LoginUI is the application's own UI subclass; getPrincipal() is assumed
        // to return an object exposing the roles of the logged-in user.
        Label roles = new Label("Roles from Principal : "
                + makeString(((LoginUI) UI.getCurrent()).getPrincipal()
                        .getRoles(), ","));
        addComponents(label, roles, button);
    }

    @Override
    public void enter(ViewChangeEvent event) {
    }

    // @RolesAllowed is only enforced by the container on EJB business methods
    // (and JAX-RS resources); a private method of a CDI view is called as-is.
    @RolesAllowed("admin")
    private void doSomething() {
        Notification.show("this, I should only be able to see as admin",
                Notification.Type.WARNING_MESSAGE);
    }

    // Joins the role names with the given separator; returns null for an empty array.
    private String makeString(String[] stringArray, String separator) {
        if (stringArray == null || stringArray.length == 0)
            return null;
        boolean first = true;
        StringBuilder builder = new StringBuilder();
        for (String s : stringArray) {
            if (!first) {
                builder.append(separator);
            } else {
                first = false;
            }
            builder.append(s);
        }
        return builder.toString();
    }
}
So I expected that as 'normaluser' I would not be able to see the notification from doSomething(). Instead, it executes…
The Principal I get in the UI, where I can see that I'm logged in as a 'normaluser':
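Since the container only enforces @RolesAllowed on EJB business methods, one way to get the same annotation honoured for Navigator views is to check it yourself at navigation time. The following is an added example, not code from the original post or from Vaadin: a ViewChangeListener that reads @RolesAllowed / @PermitAll from the target View class (walking up the class hierarchy so CDI proxy subclasses are handled) and vetoes the navigation when the current VaadinRequest does not carry a matching role. The view name "login" for the redirect target is an assumption; unannotated views are treated as "authenticated users only" so that a forgotten annotation fails closed.

```java
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.ViewChangeListener;
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.ui.Notification;

/**
 * Added example: enforces @RolesAllowed / @PermitAll on Navigator views.
 * Register once per UI:  RoleGuard.install(navigator);
 */
public class RoleGuard implements ViewChangeListener {

    // Assumed name of the publicly reachable login view (annotate it @PermitAll).
    static final String LOGIN_VIEW = "login";

    public static void install(Navigator navigator) {
        navigator.addViewChangeListener(new RoleGuard());
    }

    @Override
    public boolean beforeViewChange(ViewChangeEvent event) {
        // VaadinRequest exposes the container's principal and role check.
        VaadinRequest request = VaadinService.getCurrentRequest();
        if (isAllowed(event.getNewView().getClass(), request)) {
            return true;
        }
        Notification.show("Access denied: " + event.getViewName(),
                Notification.Type.ERROR_MESSAGE);
        if (!LOGIN_VIEW.equals(event.getViewName())) {
            event.getNavigator().navigateTo(LOGIN_VIEW);
        }
        return false; // veto the navigation
    }

    @Override
    public void afterViewChange(ViewChangeEvent event) {
    }

    /**
     * Decision logic, kept static so it can be unit-tested without a UI.
     *  - no request / no principal   -> deny unless the view is @PermitAll
     *  - @PermitAll                  -> allow
     *  - @RolesAllowed({...})        -> allow if the user has any listed role
     *  - no annotation at all        -> allow any authenticated user
     */
    static boolean isAllowed(Class<?> viewClass, VaadinRequest request) {
        PermitAll permitAll = findAnnotation(viewClass, PermitAll.class);
        if (permitAll != null) {
            return true;
        }
        if (request == null || request.getUserPrincipal() == null) {
            return false; // anonymous users only get @PermitAll views
        }
        RolesAllowed rolesAllowed = findAnnotation(viewClass, RolesAllowed.class);
        if (rolesAllowed == null) {
            return true; // authenticated, no explicit restriction
        }
        for (String role : rolesAllowed.value()) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    // CDI/Weld proxies are generated subclasses that do not carry the
    // original class's annotations, so walk up to the user-written class.
    static <A extends java.lang.annotation.Annotation> A findAnnotation(
            Class<?> type, Class<A> annotation) {
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            A found = c.getAnnotation(annotation);
            if (found != null) {
                return found;
            }
        }
        return null;
    }
}
```

With this in place the view class gets `@RolesAllowed("admin")` instead of the private method, and navigation to it is refused for 'normaluser'. The button handler above still needs its own explicit `request.isUserInRole("admin")` check, because a method annotation on a self-invoked private method is never intercepted, whichever framework is in use.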