form based authentication possible?

Hi,

Is it possible to use form based authentication with Vaadin?

I just put the following into my app:


  <security-constraint>
    <web-resource-collection>
      <web-resource-name>xyz</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <description>admin role</description>
    <role-name>admin</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>

and I get:

javax.servlet.ServletException: Failed to load application class: com.refineddata.cvm.xyzApplication

I actually just want to secure a particular url (like ‘/admin’) but thought the simple case above would facilitate discussion.

Thank you!

Mark

Anyone? Am I trying something not supported?

Thanks,

Mark

Sure, you can either:

  1. Move your application from /* to /something/* and then the login html pages won’t start up Vaadin.
  2. Add a mapping for the specific html pages to the html pages. A mapping to those files will be more specific than /* and so will match the html pages rather than the Vaadin app.

(For #2 you might need to play around with it a little; I don’t recall the exact syntax.)

There’s an example of #1 here. It says EE 6 in it but the web.xml info should apply to EE 5 as well:

http://vaadin.com/wiki/-/wiki/Main/Creating%20Secure%20Vaadin%20Applications%20using%20JEE6

Note that with Java EE6, you can login directly from the Vaadin app and skip form-based login completely:

http://blogs.sun.com/bobby/entry/authentication_without_the_form

Cheers,
Bobby
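A complete web.xml for option #1 above, added here as an illustration and not taken from the thread or from the Vaadin wiki page linked above. It assumes Vaadin 6 (the `ApplicationServlet` class and its `application` init parameter), a Tomcat-style container that reads `/login.html` from the web root, and uses the application class name from the first post as a placeholder. The Vaadin app moves to `/app/*`, so the login page at `/login.html` is served as a plain file and never starts the application; the extra `/VAADIN/*` mapping is needed once the app is no longer on `/*`, as the later reply in this thread notes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Vaadin 6 servlet; the "application" init-param names the Application subclass
       (placeholder class name taken from the original question). -->
  <servlet>
    <servlet-name>xyz</servlet-name>
    <servlet-class>com.vaadin.terminal.gwt.server.ApplicationServlet</servlet-class>
    <init-param>
      <param-name>application</param-name>
      <param-value>com.refineddata.cvm.xyzApplication</param-value>
    </init-param>
  </servlet>

  <!-- Option #1: the app lives under /app/*, so /login.html is served as a static file. -->
  <servlet-mapping>
    <servlet-name>xyz</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- Required once the app is not mapped to /*: themes and widgetsets are fetched
       from /VAADIN/* and must reach the same servlet. -->
  <servlet-mapping>
    <servlet-name>xyz</servlet-name>
    <url-pattern>/VAADIN/*</url-pattern>
  </servlet-mapping>

  <!-- Only the application itself is protected; /login.html and /VAADIN/* stay reachable
       so the container can render the form and the app can load its theme. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Vaadin application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE matches the original post; CONFIDENTIAL would force HTTPS for the form. -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <description>admin role</description>
    <role-name>admin</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

`/login.html` is the standard container login form: a `<form method="post" action="j_security_check">` with `j_username` and `j_password` fields. The container intercepts the first request to `/app/...`, shows that page, and after a successful login replays the original request, so the Vaadin app never sees an unauthenticated user in the `admin`-protected area.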

Hi Bobby,

Thanks for the suggestion. I tried #2, but couldn’t get it to work, so did #1 without much fuss.

Thanks for your help!

Mark

Glad you got it working! Just out of curiosity, what problem did you run into with #2?

Cheers,
Bobby

Vaadin wouldn’t work right if a mapping was more specific than '/', the application would simply not load. It only worked if (as in suggestion #1) it was mapped to /xxx/. Give it a try if you are curious, easy to reproduce.

Best,

Mark

If your application mapping is something else than "/", you also need a mapping (to the same servlet) for "/VAADIN/" - for more information, check the book or various related forum posts.

Hi Mark,

I meant it more like this: map /* to your Vaadin application, and map /userauth/* or something similar to the JSP/HTML files you need for form-based authentication. You can protect /* with a security constraint that still allows access to the login form for the j_security_check.

The alternative is to map /foo to your Vaadin app, and as others point out you need to map /VAADIN/* as well. If it will help, I could post an example of form-based auth with Vaadin that keeps Vaadin mapped to /*. I think I can recall how to do that. :)

Cheers,
Bobby