Using JAAS for web applications on VAADIN + TomEE

I would like to talk about using JAAS (Java Authentication and Authorization Service) in web applications built with VAADIN 7 (as the web framework) and Apache TomEE (as the Java EE container).

First, we need to register a realm in the container and associate it with its LoginModule.
You can do this either in the container's server.xml or in the application's own file /src/main/webapp/META-INF/context.xml:


The configuration for ServiceLoginModule lives in the login.config file:

ServiceLoginModule {
    org.apache.openejb.core.security.jaas.ServiceProviderLoginModule required;
};

For the container to pick this file up, set the system property in CATALINA_OPTS:
CATALINA_OPTS: -Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config

Or do it directly in the application code:

System.setProperty("java.security.auth.login.config", "yourPath/login.config");

TomEE ships several LoginModule implementations:
  • PropertiesLoginModule maps users and groups from two files (users.properties and groups.properties);
  • SQLLoginModule uses database tables;
  • ServiceProviderLoginModule uses ServiceLoader to load a custom LoginProvider implementation;
  • ScriptLoginModule uses the Java Scripting API.

We will use ServiceProviderLoginModule and write our own LoginProvider implementation:

import java.util.Arrays;
import java.util.List;
import javax.security.auth.login.FailedLoginException;
import org.apache.openejb.core.security.jaas.LoginProvider;

public class SimpleLoginProvider implements LoginProvider {
    @Override
    public List<String> authenticate(String user, String password) throws FailedLoginException {
        // Two hard-coded demo accounts; each returns the roles granted to that user.
        if ("admin".equals(user) && "admin".equals(password)) {
            return Arrays.asList("ADMIN");
        }
        if ("user".equals(user) && "user".equals(password)) {
            return Arrays.asList("USER");
        }
        // Any other combination fails authentication.
        throw new FailedLoginException();
    }
}

It contains the authenticate method, which returns the list of roles for a successfully authenticated user. In our case the implementation is deliberately simple (it only needs to show how the mechanism and access control work): there are just two users, admin and user, who after passing authentication receive the roles ADMIN and USER respectively.
Now we can use the annotation @RolesAllowed("ADMIN"), for example, to restrict access to a method:

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class TestBean {
    // Only callers authenticated with the ADMIN role may invoke this method;
    // for anyone else the container rejects the call before the body runs.
    @RolesAllowed("ADMIN")
    public String getProtectedInfo() {
        return "It's protected information.";
    }
}

In order for ServiceLoader to find our LoginProvider, we need to create a file named org.apache.openejb.core.security.jaas.LoginProvider in the project directory /src/main/resources/META-INF/services/, containing the fully qualified name of our LoginProvider:

org.psa.vaadinauth.secure.SimpleLoginProvider

We do not call the authenticate method directly: the container does that after we call the login method of HttpServletRequest. Once the user has filled in the login form, we call this method:

public void login(String user, String password, HttpServletRequest request) throws ServletException {
    request.login(user, password);
}

Vaadin has its own VaadinService with a static getCurrentRequest method; its result, cast to HttpServletRequest, is what we pass to our login method:

login(username, password, (HttpServletRequest) VaadinService.getCurrentRequest());

For redirects and navigation between pages, Vaadin has a very convenient component, Navigator. First you register the required Views with it:

getNavigator().addView(LoginView.NAME, LoginView.class);
getNavigator().addView(MainView.NAME, MainView.class);

And then navigate between them by calling the navigateTo method:

getNavigator().navigateTo(LoginView.NAME);
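The pieces above (request.login from the form, the Navigator, the protected bean) are scattered across the post; here they are wired together as one added example that is not the original project's code. It assumes the Vaadin 7 API, that TestBean from this page is packaged in the same WAR (hence the portable java:module JNDI lookup), and the class and view names SecureUI, LoginView and MainView, which are mine. It also shows two checks the post does not: sending unauthenticated deep links back to the login view, and reporting a denied bean call without leaking why.

```java
import javax.ejb.EJBAccessException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinService;
import com.vaadin.ui.Button;
import com.vaadin.ui.Label;
import com.vaadin.ui.Notification;
import com.vaadin.ui.PasswordField;
import com.vaadin.ui.TextField;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

/** Added example (not the original project's code): login form, Navigator and protected bean wired together. */
public class SecureUI extends UI {

    @Override
    protected void init(VaadinRequest request) {
        Navigator navigator = new Navigator(this, this);
        navigator.addView(LoginView.NAME, LoginView.class);
        navigator.addView(MainView.NAME, MainView.class);
        navigator.navigateTo(LoginView.NAME);
    }

    /** The current Vaadin request is a wrapper around the servlet request, so the cast is safe. */
    static HttpServletRequest currentRequest() {
        return (HttpServletRequest) VaadinService.getCurrentRequest();
    }

    /** Login form: request.login() delegates to the JAAS realm; failure surfaces as ServletException. */
    public static class LoginView extends VerticalLayout implements View {
        public static final String NAME = "login";

        public LoginView() {
            final TextField user = new TextField("User");
            final PasswordField password = new PasswordField("Password");
            Button login = new Button("Login", new Button.ClickListener() {
                @Override
                public void buttonClick(Button.ClickEvent event) {
                    try {
                        currentRequest().login(user.getValue(), password.getValue());
                        getUI().getNavigator().navigateTo(MainView.NAME);
                    } catch (ServletException e) {
                        // Same message for an unknown user and a wrong password.
                        Notification.show("Login failed", Notification.Type.ERROR_MESSAGE);
                    }
                }
            });
            addComponent(user);
            addComponent(password);
            addComponent(login);
        }

        @Override
        public void enter(ViewChangeEvent event) { }
    }

    /** Main page: refuses anonymous sessions and turns a denied EJB call into a plain notice. */
    public static class MainView extends VerticalLayout implements View {
        public static final String NAME = "main";

        @Override
        public void enter(ViewChangeEvent event) {
            removeAllComponents();
            HttpServletRequest request = currentRequest();
            if (request.getUserPrincipal() == null) {
                // Deep link without an authenticated session: back to the login view.
                getUI().getNavigator().navigateTo(LoginView.NAME);
                return;
            }
            addComponent(new Label("Logged in as " + request.getUserPrincipal().getName()));
            try {
                // Assumes TestBean lives in the same WAR, so the module-scoped name resolves.
                TestBean bean = (TestBean) new InitialContext().lookup("java:module/TestBean");
                addComponent(new Label(bean.getProtectedInfo()));
            } catch (EJBAccessException e) {
                // The container enforced @RolesAllowed("ADMIN"); the USER role lands here.
                addComponent(new Label("Protected information is not available for your role."));
            } catch (NamingException e) {
                throw new IllegalStateException("TestBean is not bound in JNDI", e);
            }
            addComponent(new Button("Logout", new Button.ClickListener() {
                @Override
                public void buttonClick(Button.ClickEvent event) {
                    try {
                        currentRequest().logout(); // drops the container-side principal
                    } catch (ServletException e) {
                        throw new IllegalStateException(e);
                    }
                    getUI().getNavigator().navigateTo(LoginView.NAME);
                }
            }));
        }
    }
}
```

Logging in as user and then opening the main view shows the role check working end to end: the session is authenticated, but the call to getProtectedInfo is rejected by the container rather than by any code in the view.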

I have covered the key points here; the project's source code is available on GitHub.

There is also a demo.

References:

  1. Official Apache TomEE website: tomee.apache.org/index.html
  2. Official VAADIN site: vaadin.com
  3. JAAS and TomEE: tomee.apache.org/tomee-jaas.html
  4. TomEE security: tomee.apache.org/security.html
  5. Creating a simple login view: vaadin.com/wiki/-/wiki/Main/Creating%20a%20simple%20login%20view
