Using JAAS for web applications on VAADIN + TomEE
- From the sandbox
- Tutorial
I would like to talk about using JAAS (Java Authentication and Authorization Service) in web applications built with VAADIN 7 (as the web framework) and Apache TomEE (as the Java EE container).
First, we need to register a realm in the container and associate it with a LoginModule. You can do this either in the container's server.xml or in the application's /src/main/webapp/META-INF/context.xml:
The configuration for ServiceLoginModule is in the login.config file:
ServiceLoginModule {
    org.apache.openejb.core.security.jaas.ServiceProviderLoginModule required;
};
For it to be picked up, you need to point the java.security.auth.login.config system property at that file, for example via CATALINA_OPTS:
-Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config
Or set it directly in the application code:
System.setProperty("java.security.auth.login.config", "yourPath/login.config");
TomEE has several LoginModule implementations:
- PropertiesLoginModule reads users and groups from two files (users.properties and groups.properties);
- SQLLoginModule uses database tables;
- ServiceProviderLoginModule uses ServiceLoader to load your own LoginProvider implementation;
- ScriptLoginModule uses the Java Scripting API.
We will use ServiceProviderLoginModule and write our own LoginProvider implementation:
import java.util.Arrays;
import java.util.List;
import javax.security.auth.login.FailedLoginException;
import org.apache.openejb.core.security.jaas.LoginProvider;

public class SimpleLoginProvider implements LoginProvider {
    // Returns the roles of the authenticated user, or throws if the credentials do not match.
    @Override
    public List<String> authenticate(String user, String password) throws FailedLoginException {
        if ("admin".equals(user) && "admin".equals(password)) {
            return Arrays.asList("ADMIN");
        }
        if ("user".equals(user) && "user".equals(password)) {
            return Arrays.asList("USER");
        }
        // Same exception for an unknown user and a wrong password.
        throw new FailedLoginException();
    }
}
It contains the authenticate method, which returns the list of roles for a successfully authenticated user. In our case the implementation is deliberately simple (the point is to show how the mechanism and access control work): there are only two users, admin and user, who after passing authentication receive the roles ADMIN and USER, respectively.
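The provider above compares plaintext passwords, which is fine for a demo but not for a real store. As an added example (not part of the original post or the TomEE project), here is a hypothetical LoginProvider for the same ServiceProviderLoginModule that keeps salted PBKDF2 hashes in a constructed in-memory map, compares them in constant time and always does the same amount of work whether or not the user exists; it assumes the LoginProvider signature shown in the post.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.login.FailedLoginException;
import org.apache.openejb.core.security.jaas.LoginProvider;

/** Hypothetical LoginProvider that checks salted PBKDF2 hashes instead of plaintext passwords. */
public class HashedLoginProvider implements LoginProvider {
    private static final int ITERATIONS = 100_000, KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    private static final byte[] DUMMY_SALT = new byte[16];
    /** Stored record: per-user salt, PBKDF2 hash and the roles granted on success. */
    private static final class Account {
        final byte[] salt, hash; final List<String> roles;
        Account(byte[] salt, byte[] hash, List<String> roles) { this.salt = salt; this.hash = hash; this.roles = roles; }
    }
    // Constructed in-memory store; a real deployment loads salts and hashes from a file or database.
    private static final Map<String, Account> USERS = new HashMap<>();
    static {
        register("admin", "admin-secret", Arrays.asList("ADMIN", "USER"));
        register("user", "user-secret", Collections.singletonList("USER"));
    }
    static void register(String user, String password, List<String> roles) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        USERS.put(user, new Account(salt, pbkdf2(password, salt), roles));
    }
    private static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    @Override
    public List<String> authenticate(String user, String password) throws FailedLoginException {
        Account account = user == null ? null : USERS.get(user);
        // Always run the hash, with a dummy salt for unknown users, so timing does not reveal valid names.
        byte[] candidate = pbkdf2(password == null ? "" : password, account == null ? DUMMY_SALT : account.salt);
        // MessageDigest.isEqual compares in constant time; one exception covers both failure causes.
        if (account == null || !MessageDigest.isEqual(candidate, account.hash)) {
            throw new FailedLoginException("Invalid user or password");
        }
        return new ArrayList<>(account.roles);
    }
}
```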
Now we can use the @RolesAllowed("ADMIN") annotation, for example, to restrict access to a method:
@Stateless
public class TestBean {
    @RolesAllowed("ADMIN")
    public String getProtectedInfo() {
        return "It's protected information.";
    }
}
In order for ServiceLoader to find our LoginProvider, we need to create a file named org.apache.openejb.core.security.jaas.LoginProvider in the project directory /src/main/resources/META-INF/services/ containing the fully qualified name of our LoginProvider:
org.psa.vaadinauth.secure.SimpleLoginProvider
We do not have to call the authenticate method ourselves; the container does that when we call the login method of HttpServletRequest. After the user fills out the login form, we call this method:
public void login(String user, String password, HttpServletRequest request) throws ServletException {
    request.login(user, password);
}
Vaadin has its own VaadinService with the static getCurrentRequest method; cast to HttpServletRequest, its result is what we pass to our login method:
login(username, password, (HttpServletRequest) VaadinService.getCurrentRequest());
For redirects and navigation between pages, Vaadin has a very convenient Navigator component. First you add the required Views to it:
getNavigator().addView(LoginView.NAME, LoginView.class);
getNavigator().addView(MainView.NAME, MainView.class);
And then you navigate between them by calling the navigateTo method:
getNavigator().navigateTo(LoginView.NAME);
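The login call and the Navigator registration above can be tied together so that the authentication decision stays on the server. As an added example (not code from the post's GitHub project), here is a hypothetical Vaadin 7 UI that registers the post's LoginView and MainView, checks the container's principal before every view change, and wraps request.login and request.logout; the LoginView and MainView classes and their NAME constants are assumed to exist as in the post.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.ViewChangeListener;
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.ui.UI;

/** Hypothetical UI that registers the post's views and guards navigation with the container's principal. */
public class AuthUI extends UI {
    static HttpServletRequest servletRequest() {
        return (HttpServletRequest) VaadinService.getCurrentRequest();   // cast as in the post
    }
    /** Authentication state comes from the container, not from anything the client sends. */
    static boolean isLoggedIn() {
        HttpServletRequest request = servletRequest();
        return request != null && request.getUserPrincipal() != null;
    }
    @Override
    protected void init(VaadinRequest vaadinRequest) {
        Navigator navigator = new Navigator(this, this);
        navigator.addView(LoginView.NAME, LoginView.class);
        navigator.addView(MainView.NAME, MainView.class);
        // Server-side guard: every view except the login view requires an authenticated principal.
        navigator.addViewChangeListener(new ViewChangeListener() {
            public boolean beforeViewChange(ViewChangeEvent event) {
                if (isLoggedIn() || LoginView.NAME.equals(event.getViewName())) return true;
                navigator.navigateTo(LoginView.NAME);
                return false;
            }
            public void afterViewChange(ViewChangeEvent event) { }
        });
        navigator.navigateTo(isLoggedIn() ? MainView.NAME : LoginView.NAME);
    }
    /** Called by LoginView after the form is submitted; true means the view may navigate on. */
    public static boolean login(String user, String password) {
        try {
            servletRequest().login(user, password);   // container runs the configured LoginProvider
            return true;
        } catch (ServletException e) {
            return false;   // unknown user and wrong password look identical to the client
        }
    }
    public static void logout() throws ServletException {
        servletRequest().logout();   // drops the container's authenticated principal
        UI.getCurrent().getNavigator().navigateTo(LoginView.NAME);
    }
}
```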
I have covered only the key points here; the full source code of the project is available on GitHub, along with a demo.
References:
- Official Apache TomEE website: tomee.apache.org/index.html
- Official VAADIN website: vaadin.com
- JAAS and TomEE: tomee.apache.org/tomee-jaas.html
- TomEE security: tomee.apache.org/security.html
- Creating a simple login view: vaadin.com/wiki/-/wiki/Main/Creating%20a%20simple%20login%20view