Version 1.3 of the Application Foundation has been released. This version has focused on improving the built-in security features, but a few other changes have been made as well. The most significant changes are in the authentication module, which has gained a number of new features explained below. The view module has also received some new features. In addition to the new features, bugs have been fixed and the code quality has been improved.
New features, authentication module
Protection against brute force attacks
The authentication module now contains protection against brute force attacks. If a user tries to log in but gets the password wrong five times in a row (the number of allowed failed attempts can be configured), the user account is locked and can no longer be logged in to until it is unlocked, preventing an attacker from performing brute force attacks through the login form.
Developers often forget another entry point for brute force attacks: the password change form. Password change forms usually require the user to enter the current password before the new password is applied. If the user forgets to log out and leaves the computer, an attacker can use the user's session and perform a brute force attack through the password change form, unless, of course, the developer has remembered to block this entry point as well. The UserUtil class contains the method changePassword(), which keeps track of failed password change attempts. If the user gets the current password wrong five times in a row, the user is automatically logged out from the application (note that the account is not locked).
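As an added illustration of the two counters described above (this is not the add-on's own code; the LoginGuard class, its Outcome enum and the in-memory user store are assumptions made for this example), the login form locks the account after the configured number of consecutive misses, while the password change form ends the session instead:

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration only; not the Application Foundation's own code. The class,
// enum and in-memory user store are assumptions made for this example.
public class LoginGuard {
    public enum Outcome { SUCCESS, BAD_CREDENTIALS, LOCKED, LOGGED_OUT }

    private final int maxFailures;                                      // configurable; five in the release note
    private final Map<String, String> passwords = new HashMap<>();      // constructed sample users
    private final Map<String, Integer> loginFailures = new HashMap<>();
    private final Map<String, Integer> changeFailures = new HashMap<>();
    private final Map<String, Boolean> locked = new HashMap<>();

    public LoginGuard(int maxFailures) { this.maxFailures = maxFailures; }
    public void addUser(String user, String password) { passwords.put(user, password); }
    public boolean isLocked(String user) { return locked.getOrDefault(user, false); }
    public void unlock(String user) { locked.remove(user); loginFailures.remove(user); }

    // Login form: a locked account is refused before the password is looked at, so further
    // guesses learn nothing. Consecutive misses lock the account; a correct password resets the counter.
    public Outcome login(String user, String password) {
        if (isLocked(user)) return Outcome.LOCKED;
        if (password.equals(passwords.get(user))) {
            loginFailures.remove(user);
            return Outcome.SUCCESS;
        }
        if (loginFailures.merge(user, 1, Integer::sum) >= maxFailures) {
            locked.put(user, true);
            return Outcome.LOCKED;
        }
        return Outcome.BAD_CREDENTIALS;
    }

    // Password change form: the "current password" field gets the same counting, but reaching
    // the limit ends the session instead of locking the account, so a hijacked session cannot
    // be used to guess the password indefinitely.
    public Outcome changePassword(String user, String current, String replacement) {
        if (current.equals(passwords.get(user))) {
            changeFailures.remove(user);
            passwords.put(user, replacement);
            return Outcome.SUCCESS;
        }
        if (changeFailures.merge(user, 1, Integer::sum) >= maxFailures) {
            changeFailures.remove(user);     // counter restarts with the next login
            return Outcome.LOGGED_OUT;       // caller invalidates the session; account stays usable
        }
        return Outcome.BAD_CREDENTIALS;
    }
}
```

Five wrong entries on the change form return LOGGED_OUT and a subsequent login with the right password still succeeds, whereas five wrong entries on the login form return LOCKED until unlock() is called.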
Inbuilt password rules
The authentication module now contains more password rules that can be applied to users. Previously, only a minimum length for a password could be defined. Now you can also require that a password contain lower-case letters, upper-case letters, numbers and/or special characters. The usage of these password rules is explained below in the configuration section of this release note.
It can be user-friendly to give the user feedback about these password policies in the graphical user interface. For this purpose, the PasswordUtil.getValidators() method returns a list of Vaadin validators for all active password rules; these validators can be applied directly to Vaadin fields.
New features, view module
Deactivation of views
The view module has received a counterpart to the activation of views, namely deactivation of views. It works just like activating a view: you call ViewHandler.deactivateView(…) to deactivate a view. An event about the deactivation is sent to the dispatch listeners (which can cancel the deactivation if necessary), after which the parent view is told to deactivate the view. Finally, the view's deactivated() method is called.
A default implementation for the ViewContainer interface
The view module has received a new class, SimpleViewContainer, a default implementation of the ViewContainer interface. The SimpleViewContainer is a normal Vaadin CustomComponent containing a panel. When a view is activated, any existing views are removed from the panel and the activated view is added to it. When a view is deactivated, it is simply removed from the panel. This implementation of ViewContainer comes in handy when you don't need any special features for changing views in your application. SimpleViewContainer extends AbstractView, so it can be used as a view itself.
The newest version of the Application Foundation can be downloaded from the directory. For more details about the release, please see the release notes.