Vaadin CDI + Navigator + TomEE + Security & @RolesAllowed
Hi everybody,
I'm just trying to set up security in a Vaadin application. I'm able to configure TomEE to use basic authentication against a DataSource realm. This generally works fine: whenever I try to access a certain UI, I'm forced to provide the right credentials.
However, I don't get the @RolesAllowed annotations to work. Whenever I try to access a function annotated with @RolesAllowed, it's executed anyway, independent of the role (I also used @DeclareRoles). When I access the user principal from the request, I can see that it contains the correct role.
So I have 2 questions:
1. Is it possible to use @RolesAllowed within Vaadin?
2. How do I secure particular views from a UI if I use a Navigator? In the security mappings I wasn't able to give the right path...
Or is there any code example somewhere using @RolesAllowed, or showing how views can be secured?
Here is my view, which I navigate to after login:
import javax.annotation.PostConstruct;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

import com.vaadin.cdi.CDIView;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.Label;
import com.vaadin.ui.Notification;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

@CDIView("secure")
@DeclareRoles({ "admin", "normaluser" })
public class AnotherView extends VerticalLayout implements View {

    @PostConstruct
    public void init() {
        Label label = new Label("Another View");
        Button button = new Button("Click here to execute secured function");
        button.addClickListener(new ClickListener() {
            @Override
            public void buttonClick(ClickEvent event) {
                doSomething();
            }
        });
        // LoginUI is the poster's own UI subclass: getPrincipal() returns the
        // logged-in principal and getRoles() its role names as a String[]
        Label roles = new Label("Roles from Principal : "
                + makeString(((LoginUI) UI.getCurrent()).getPrincipal()
                        .getRoles(), ","));
        addComponents(label, roles, button);
    }

    @Override
    public void enter(ViewChangeEvent event) {
    }

    @RolesAllowed("admin")
    private void doSomething() {
        Notification.show("this, i should only be able to see as admin",
                Notification.Type.WARNING_MESSAGE);
    }

    // Joins the role names with the separator. The parameter must be an
    // array (String[]), not a String, for .length and the for-each to compile.
    private String makeString(String[] stringArray, String separator) {
        if (stringArray == null || stringArray.length == 0)
            return null;
        boolean first = true;
        StringBuilder builder = new StringBuilder();
        for (String s : stringArray) {
            if (!first) {
                builder.append(separator);
            } else
                first = false;
            builder.append(s);
        }
        return builder.toString();
    }
}
So I expected that as 'normaluser' I would not be able to see the notification from doSomething(). Instead, it executes...
The Principal I get in the UI, where I can see that I'm logged in as a 'normaluser':
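The following is an added example, not the poster's code and not part of Vaadin or TomEE. In TomEE, @RolesAllowed is enforced by the EJB container on business methods invoked through the container proxy; a private method called from within the same object, as doSomething() is above, is never intercepted, and a @CDIView bean is not an EJB in the first place. The example therefore enforces roles explicitly with the servlet container's security, which the poster already has working: a ViewChangeListener on the Navigator that denies navigation to any view whose required roles the user lacks (deny by default for unmapped views), and a requireRole() guard to call at the top of an action handler in place of @RolesAllowed on a private method. It assumes Vaadin 7 (VaadinService.getCurrentRequest(), VaadinRequest.isUserInRole()); the view-to-roles map is constructed for illustration, with "secure" taken from the post and "admin-only" a placeholder.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.ViewChangeListener;
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.ui.Notification;

/**
 * Example (assumed, not the poster's code): role checks that rely only on the
 * servlet container's authentication, i.e. VaadinRequest.isUserInRole(),
 * which TomEE populates from the realm the poster already configured.
 */
public final class RoleGuard implements ViewChangeListener {

    // Constructed mapping of Navigator view name -> roles allowed to open it.
    // "secure" is the poster's view; "admin-only" is a placeholder view name.
    private final Map<String, Set<String>> requiredRoles =
            new HashMap<String, Set<String>>();

    public RoleGuard() {
        requiredRoles.put("secure", roles("admin", "normaluser"));
        requiredRoles.put("admin-only", roles("admin"));
    }

    private static Set<String> roles(String... names) {
        return Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(names)));
    }

    /** True only if the request is authenticated and holds one of the roles. */
    public static boolean userInAnyRole(Set<String> roles) {
        VaadinRequest request = VaadinService.getCurrentRequest();
        if (request == null || request.getUserPrincipal() == null) {
            return false; // unauthenticated: deny
        }
        for (String role : roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /** Deny by default: a view with no entry in the map cannot be opened. */
    @Override
    public boolean beforeViewChange(ViewChangeEvent event) {
        Set<String> roles = requiredRoles.get(event.getViewName());
        if (roles != null && userInAnyRole(roles)) {
            return true;
        }
        Notification.show("Access denied to view '" + event.getViewName() + "'",
                Notification.Type.ERROR_MESSAGE);
        return false; // the Navigator aborts the view change
    }

    @Override
    public void afterViewChange(ViewChangeEvent event) {
        // nothing to do after an allowed change
    }

    /**
     * Explicit guard for a server-side action. Call it first inside the click
     * handler, e.g. RoleGuard.requireRole("admin"), instead of annotating a
     * private method with @RolesAllowed, which no interceptor will see.
     */
    public static void requireRole(String role) {
        if (!userInAnyRole(roles(role))) {
            throw new SecurityException("role '" + role + "' required");
        }
    }

    /** Register the guard once the UI's Navigator has been created. */
    public static void install(Navigator navigator) {
        navigator.addViewChangeListener(new RoleGuard());
    }
}
```

Because the check runs on the server for every navigation and every guarded action, hiding a button or a menu entry in the UI is not what protects the function; the role test in beforeViewChange() and requireRole() is. Keeping the view-to-roles map in one place also makes it easy to review which views are reachable by which roles.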