@RolesAllowed annotation seems to have no effect in Vaadin 23 #418

Open
mrts opened this issue Nov 21, 2022 · 3 comments
Comments

@mrts

mrts commented Nov 21, 2022

When using Vaadin 8 CDI add-on, access to @CDIView()s that are annotated with @RolesAllowed() is restricted to authenticated users who belong to the corresponding role.

It is not clear from the documentation how to achieve this with Vaadin 23 CDI add-on. I used the official Vaadin 23 Flow CDI starter and defined the following view:

```java
@Route("me")
@RolesAllowed(Constants.USERS_ROLE)
@Tag("my-view")
@JsModule("./src/views/my-view.ts")
public class MyView extends LitTemplate {
}
```

When I open http://localhost:8080/me, then

Expected: unauthenticated users are not allowed to access the view.
Actual: the view is publicly accessible.

What am I missing?

@TatuLund

Currently there is nothing in the CDI add-on that would use RolesAllowed. The annotation itself is an empty placeholder. In the Spring add-on we have helpers extending Spring Security, which also adds an access annotation checker. In a nutshell that implementation works so that it adds a global BeforeEnterEvent listener (see: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/auth/ViewAccessChecker.java), checks if the annotation is present in the target route and does rerouting based on the annotation. Technically it could be possible to do something similar with CDI also, but it requires a decision on what security integration system we would use. This is necessary, as without a connection to the user principal the annotation would be meaningless (see our Spring implementation here: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/auth/AccessAnnotationChecker.java#L237). In the case of Spring it is natural to use Spring Security, but in the CDI world there are multiple competing solutions. We could e.g. decide just to support this with Shiro out of the box.

Note, you can implement this kind of annotation checker in your application logic, it is pretty straightforward. Just reverse engineer our Spring implementation and apply the same e.g. with Shiro or whatever you are using for authentication. Our code is probably more superfluous than what you need in just an application.
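
A sketch of the BeforeEnterEvent-based checker described in the comment above, added here as an example (it is not Vaadin's code nor the issue author's): it hooks every UI, treats views without any access annotation as denied, forwards unauthenticated users to an assumed `login` route and hides forbidden views behind a not-found error. It assumes container-managed authentication (e.g. JAAS) fills the servlet user principal and roles, and that the login view itself is marked @AnonymousAllowed.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinRequest;
import com.vaadin.flow.server.VaadinServiceInitListener;
import com.vaadin.flow.server.auth.AnonymousAllowed;

// Registered the standard Flow way (META-INF/services entry for VaadinServiceInitListener).
public class RouteAccessInitListener implements VaadinServiceInitListener {
    private static final String LOGIN_PATH = "login"; // assumed route of the login view

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Hook every new UI so each navigation is checked before the target view is instantiated.
        event.getSource().addUIInitListener(uiEvent ->
                uiEvent.getUI().addBeforeEnterListener(this::checkAccess));
    }

    private void checkAccess(BeforeEnterEvent event) {
        Class<?> target = event.getNavigationTarget();
        VaadinRequest request = VaadinRequest.getCurrent();
        Principal user = request == null ? null : request.getUserPrincipal();

        if (target.isAnnotationPresent(AnonymousAllowed.class)) {
            return; // public view (the login view must carry this, or we would loop)
        }
        if (user == null) {
            event.forwardTo(LOGIN_PATH); // not authenticated: send to login
            return;
        }
        if (!hasAccess(target, request)) {
            // Authenticated but not authorised: answer as if the route did not exist,
            // so the app does not reveal which views exist beyond the user's rights.
            event.rerouteToError(NotFoundException.class);
        }
    }

    /** Deny by default: a view with none of the access annotations is unreachable. */
    static boolean hasAccess(Class<?> target, VaadinRequest request) {
        if (target.isAnnotationPresent(DenyAll.class)) return false;
        if (target.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed roles = target.getAnnotation(RolesAllowed.class);
        return roles != null && Arrays.stream(roles.value()).anyMatch(request::isUserInRole);
    }
}
```

With this in place the `MyView` from the issue is only reachable by an authenticated user whose container roles include `Constants.USERS_ROLE`; everyone else is sent to the login route or gets a 404.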

@mcollovati (Contributor)

Here's the link to the documentation about securing a plain Java application, which may help to set things up for CDI as well:
https://vaadin.com/docs/latest/security/advanced-topics/securing-plain-java-app

@mrts (Author)

mrts commented Nov 22, 2022

Alright, that's quite a big change then. @RolesAllowed() @CDIView()s' JAAS integration worked flawlessly with Vaadin 8, see e.g. this. Thank you for the explanation and references! I'll experiment with the ViewAccessChecker and get back when time allows. I think that the recommended solution should be documented in the CDI docs.
