RE: How to protect application from access via URL

Michael826 · December 11, 2017, 11:15am

Hey Benedikt,

if you are working with a Navigator,
that
could be a solution for you.

Also Greetings from Germany

Benedikt16 · December 11, 2017, 9:26am

Good Morning,
probably I’m blind a dont see the obviously solution.
After opening application users have to login. If they are not logged in they should not have access to the pages (except the login view). How can I solve this problem? At the moment it is easy to access via expand the URL to the application.

Greets from Germany
Benedikt Wiest
Dragon Consulting Minden UG

Goran26 · December 11, 2017, 10:44am

Hi Benedikt,

I recommend you take a look at the
vaadin bakery app starter
, which includes authentication and authorization. The Spring version is built on top of Spring Security, and in the JavaEE version, Shiro is used for the same purpose.

Hope this helps,
Goran

Jens · December 11, 2017, 12:25pm

I would not initialize the Navigator before the user has logged in. When the UI is created in Init, the login component is rendered as content. When the user successfully logs in, the main layout along with navigator is initialized. You only register those views to navigator that the user actually has access to. Then, if user tries to navigate to “/restricted” URL, the Navigator will just not go there as it doesn’t know what that is. There is no risk of accidentally leaving some kind of route to the page as it just doesn’t exist according to the application.

if(userHasAccess){ navigator.addView("restricted", SuperSecretView.class); }This will lead to it taking the default route, ie start screen, when a user tries to navigate to something restricted. If you instead want to show a page telling the user that she doesn’t have access to the page, you can register all the pages but instead of providing the actual views for the registration, you register them all to some view saying that they don’t have access.

if(userHasAccess){
  navigator.addView("restricted", SuperSecretView.class);
} else {
  navigator.addView("restricted", NoAccessView.class);
}

Benedikt16 · December 12, 2017, 10:08am

Good Morning,
thanks for your fast reply.
I solved the problem with the solution from Michael Rzehulka, works fine for me.

Thanks for help and Greetings