Contact us
Get started
Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

Calling javascript synchronously by Enver Haase, 2 weeks ago
Recent Posts
Vaadin Forum4. Other

Vaadin CDI + Navigator + TomEE + Security & @RolesAllowed

Joernpeter Pook
7 years ago Jun 26, 2015 8:48pm

Hi everybody,
I'm just trying to setup security in a vaadin application. I'm able to configure tomee to use a basic authentication against a datasource realm. This works generally fine, whenever i try to access a certain UI, i'm forced to provide the right credentials.
However, i don't get the @RolesAllowed annotations to work. Whenever i try to access a function annotated with @RolesAllowed, it's executed anyway, independent of the role (i used also @DeclareRoles). When i access the user principal from the request, i can see that it contains the correct role.
So i have 2 questions :
1. is it possible to use @RolesAllowed within Vaadin ?
2. How do i secure particular views from an UI, if i use a navigator ? in the security mappings i wasn't able to give the right path...
Or is there any code example somewhere using @RolesAllowed respectively showing how views can be secured ?

Joernpeter Pook
7 years ago Jun 27, 2015 8:48am

Here is my view, where i navigate to after login :

@CDIView("secure")
@DeclareRoles({ "admin", "normaluser" })
public class AnotherView extends VerticalLayout implements View {

    @PostConstruct
    public void init() {
        Label label = new Label("Another View");
        Button button = new Button("Click here to execute secured function");
        button.addClickListener(new ClickListener() {

            @Override
            public void buttonClick(ClickEvent event) {
                doSomething();
            }
        });
        Label roles = new Label("Roles from Principal : "
                + makeString(((LoginUI) UI.getCurrent()).getPrincipal()
                        .getRoles(), ","));
        addComponents(label, roles, button);
    }

    @Override
    public void enter(ViewChangeEvent event) {
    }

    @RolesAllowed("admin")
    private void doSomething() {
        Notification.show("this, i should only be able to see as admin",
                Notification.Type.WARNING_MESSAGE);
    }
    
    private String makeString(String stringArray, String seperator) {
        if (stringArray == null || stringArray.length == 0)
            return null;
        boolean first = true;
        StringBuilder builder = new StringBuilder();
        for (String s : stringArray) {
            if (!first) {
                builder.append(seperator);
            } else
                first = false;
            builder.append(s);
        }
        return builder.toString();
    }
}

So I expected that as 'normaluser' I am not able to see the notification from doSomething(). Merely it executes...
The Principal I get in the UI, where I can see, that i'm logged in as a 'normaluser'