In this tutorial, we will learn to secure a Vaadin application behind the basic authentication security provided by the Spring Security module.
I am updating the Vaadin hello world application source code with Spring Security configuration, so if you already have a Vaadin application, you can go directly to the Spring Security section.
Table of Contents
    Development environment
    Spring Security BasicAuth Configuration
    Vaadin UI Configuration
    Maven Dependencies
    Run the application

Development environment

This example uses the tools and frameworks below to build the demo Vaadin application secured behind Spring’s basic authentication security.
    JDK 1.8
    Vaadin 7.7.0
    Spring Security 4.1.3.RELEASE
    Eclipse Luna
    Tomcat 7

Spring Security BasicAuth Configuration

To configure Spring basic authentication security, add an applicationContext.xml file to the classpath (if it does not exist already) and then configure the security settings in it, e.g. the secured URL patterns and which roles can access which URLs.
applicationContext.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-4.1.xsd">

        <http auto-config="true">
            <!-- Every URL, including the Vaadin servlet paths, requires ROLE_EDITOR -->
            <intercept-url pattern="/vaadinServlet/**" access="hasRole('ROLE_EDITOR')" />
            <intercept-url pattern="/vaadinServlet/*.*" access="hasRole('ROLE_EDITOR')" />
            <intercept-url pattern="/**" access="hasRole('ROLE_EDITOR')" />
            <!-- Enable HTTP basic authentication -->
            <http-basic />
            <!-- Spring Security's CSRF protection is switched off for this demo -->
            <csrf disabled="true"/>
        </http>

        <authentication-manager>
            <authentication-provider>
                <!-- In-memory demo user with a clear-text password -->
                <user-service>
                    <user name="howtodoinjava" password="password" authorities="ROLE_EDITOR" />
                </user-service>
            </authentication-provider>
        </authentication-manager>

    </beans:beans>

Next, configure springSecurityFilterChain in the web.xml file so that security is added to the application. If you added a new applicationContext.xml file, you will need to register the ContextLoaderListener as well.
web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4"
        xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
            http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

        <!-- applicationContext.xml is on the classpath; without this parameter
             ContextLoaderListener looks for /WEB-INF/applicationContext.xml -->
        <context-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:applicationContext.xml</param-value>
        </context-param>

        <!-- Delegates every request to the Spring Security filter chain -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <!-- Loads the Spring application context at startup -->
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>

        <!-- Other configuration will be added here -->

    </web-app>

Spring basic authentication configuration is complete. You can now modify the respective pieces as per the application’s requirements. For example, if you want to fetch username/password details from a database, you can use jdbc-user-service in the authentication-provider in the applicationContext.xml file.
Vaadin UI Configuration

As I have already mentioned, I am modifying the Vaadin hello world application, so it contains only the basics: the VaadinServlet configuration in the web.xml file and a homepage screen with a label that displays a success message when authentication is successful.
web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app id="WebApp_ID" version="2.4"
        xmlns="http://java.sun.com/xml/ns/j2ee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
            http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

        <!-- Spring security configuration as mentioned in above section -->

        <context-param>
            <description>Vaadin production mode</description>
            <param-name>productionMode</param-name>
            <param-value>false</param-value>
        </context-param>

        <!-- Vaadin servlet serving the AppUI class -->
        <servlet>
            <servlet-name>vaadinServlet</servlet-name>
            <servlet-class>com.vaadin.server.VaadinServlet</servlet-class>
            <init-param>
                <param-name>UI</param-name>
                <param-value>com.howtodoinjava.vaadin.demo.AppUI</param-value>
            </init-param>
        </servlet>

        <servlet-mapping>
            <servlet-name>vaadinServlet</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>

    </web-app>

AppUI.java

    package com.howtodoinjava.vaadin.demo;

    import com.vaadin.annotations.Theme;
    import com.vaadin.server.VaadinRequest;
    import com.vaadin.ui.Label;
    import com.vaadin.ui.UI;
    import com.vaadin.ui.VerticalLayout;

    @Theme("mytheme")
    public class AppUI extends UI {

        private static final long serialVersionUID = 1387172685749279538L;

        // Builds the home page; it is only reached after the security filter
        // has accepted the request's credentials
        @Override
        protected void init(VaadinRequest vaadinRequest) {
            final VerticalLayout layout = new VerticalLayout();

            Label label = new Label("Welcome to BasicAuth Secured Vaadin Application");
            layout.addComponent(label);

            layout.setMargin(true);
            layout.setSpacing(true);
            setContent(layout);
        }
    }

Maven Dependencies

A very important part of the application is to collect and configure runtime dependencies. As we are using Maven, I have added the following dependencies to the existing pom.xml file.
pom.xml

    <!-- Spring Security -->
    <!-- ${org.springframework.version} is a property defined elsewhere in pom.xml -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${org.springframework.version}</version>
    </dependency>

    <!-- Commons Logging is required with Spring 4.x -->
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
    </dependency>

Run the application

Now the application is configured and ready to be tested. Let’s hit the application URL in the browser.
Hit URL http://localhost:8080/VaadinExample/
You will get the browser popup to enter your username and password.
[Image: Vaadin Spring Security BasicAuth Window]

Fill INCORRECT credentials and submit
Popup fields will be cleared and it will again ask for username/password.

Fill CORRECT credentials and submit
Application’s home page will be displayed with success message.
[Image: Vaadin Spring Security BasicAuth Successful]
Drop me your questions in the comments section.
Resources:
Spring Security Reference
Vaadin Hello World Application
RFC-2617 [BasicAuth]