vaadin-framework/documentation/articles/VAccessControl.asciidoc

---
title: Access Control
order: 8
layout: page
---

[[v-access-control]]
= Access control

In this tutorial we will look into access control.

[[basic-access-control]]
Basic access control
~~~~~~~~~~~~~~~~~~~~

The application we've been building will inevitably need some
administrative tools. Creation and deletion of users, for example, is
generally something that we'd like to do during runtime. Let's create a
simple View for creating a new user:

[source,java]
....
package com.vaadin.cdi.tutorial;

import java.util.concurrent.atomic.AtomicLong;

import javax.inject.Inject;

import com.vaadin.cdi.CDIView;
import com.vaadin.data.Validator;
import com.vaadin.data.fieldgroup.BeanFieldGroup;
import com.vaadin.data.fieldgroup.FieldGroup.CommitEvent;
import com.vaadin.data.fieldgroup.FieldGroup.CommitException;
import com.vaadin.data.fieldgroup.FieldGroup.CommitHandler;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.CustomComponent;
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;

@CDIView
public class CreateUserView extends CustomComponent implements View {

  @Inject
  UserDAO userDAO;

  private static final AtomicLong ID_FACTORY = new AtomicLong(3);

  @Override
  public void enter(ViewChangeEvent event) {
    final VerticalLayout layout = new VerticalLayout();
    layout.setMargin(true);
    layout.setSpacing(true);
    layout.addComponent(new Label("Create new user"));

    final BeanFieldGroup<User> fieldGroup = new BeanFieldGroup<User>(
        User.class);
    layout.addComponent(fieldGroup.buildAndBind("firstName"));
    layout.addComponent(fieldGroup.buildAndBind("lastName"));
    layout.addComponent(fieldGroup.buildAndBind("username"));
    layout.addComponent(fieldGroup.buildAndBind("password"));
    layout.addComponent(fieldGroup.buildAndBind("email"));

    fieldGroup.getField("username").addValidator(new Validator() {
      @Override
      public void validate(Object value) throws InvalidValueException {
        String username = (String) value;
        if (username.isEmpty()) {
          throw new InvalidValueException("Username cannot be empty");
        }

        if (userDAO.getUserBy(username) != null) {
          throw new InvalidValueException("Username is taken");
        }
      }
    });

    fieldGroup.setItemDataSource(new User(ID_FACTORY.incrementAndGet(), "",
        "", "", "", "", false));

    final Label messageLabel = new Label();
    layout.addComponent(messageLabel);

    fieldGroup.addCommitHandler(new CommitHandler() {
      @Override
      public void preCommit(CommitEvent commitEvent) throws CommitException {
      }

      @Override
      public void postCommit(CommitEvent commitEvent) throws CommitException {
        userDAO.saveUser(fieldGroup.getItemDataSource().getBean());
        fieldGroup.setItemDataSource(new User(ID_FACTORY
            .incrementAndGet(), "", "", "", "", "", false));
      }
    });
    Button commitButton = new Button("Create");
    commitButton.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        try {
          fieldGroup.commit();
          messageLabel.setValue("User created");
        } catch (CommitException e) {
          messageLabel.setValue(e.getMessage());
        }
      }
    });

    layout.addComponent(commitButton);
    setCompositionRoot(layout);
  }
}
....

`CDIViewProvider` checks the Views for a specific annotation,
`javax.annotation.security.RolesAllowed`. You can get access to it by
adding the following dependency to your pom.xml:

[source,xml]
....
<dependency>
  <groupId>javax.annotation</groupId>
  <artifactId>javax.annotation-api</artifactId>
  <version>1.2-b01</version>
</dependency>
....

[source,java]
....
@CDIView
@RolesAllowed({ "admin" })
public class CreateUserView extends CustomComponent implements View {
....

To add access control to our application we'll need to have a concrete
implementation of the AccessControl abstract class. Vaadin CDI comes
bundled with a simple JAAS implementation, but configuring a JAAS
security domain is outside the scope of this tutorial. Instead we'll opt
for a simpler implementation.

We'll go ahead and alter our UserInfo class to include hold roles.

[source,java]
....
private List<String> roles = new LinkedList<String>();
public void setUser(User user) {
  this.user = user;
  roles.clear();
  if (user != null) {
    roles.add("user");
    if (user.isAdmin()) {
      roles.add("admin");
    }
  }
}

public List<String> getRoles() {
  return roles;
}
....

Let's extend `AccessControl` and use our freshly modified `UserInfo` in it.

[source,java]
....
package com.vaadin.cdi.tutorial;

import javax.enterprise.inject.Alternative;
import javax.inject.Inject;

import com.vaadin.cdi.access.AccessControl;

@Alternative
public class CustomAccessControl extends AccessControl {

  @Inject
  private UserInfo userInfo;

  @Override
  public boolean isUserSignedIn() {
    return userInfo.getUser() != null;
  }

  @Override
  public boolean isUserInRole(String role) {
    if (isUserSignedIn()) {
      for (String userRole : userInfo.getRoles()) {
        if (role.equals(userRole)) {
          return true;
        }
      }
    }
    return false;
  }

  @Override
  public String getPrincipalName() {
    if (isUserSignedIn()) {
      return userInfo.getUser().getUsername();
    }
    return null;
  }
}
....

Note the `@Alternative` annotation. The JAAS implementation is set as the
default, and we can't have multiple default implementations. We'll have
to add our custom implementation to the beans.xml:

[source,xml]
....
<beans>
  <alternatives>
    <class>com.vaadin.cdi.tutorial.UserGreetingImpl</class>
    <class>com.vaadin.cdi.tutorial.CustomAccessControl</class>
  </alternatives>
  <decorators>
    <class>com.vaadin.cdi.tutorial.NavigationLogDecorator</class>
  </decorators>
</beans>
....

Now let's add a button to navigate to this view.

ChatView:

[source,java]
....
private Layout buildUserSelectionLayout() {
  VerticalLayout layout = new VerticalLayout();
  layout.setWidth("100%");
  layout.setMargin(true);
  layout.setSpacing(true);
  layout.addComponent(new Label("Select user to talk to:"));
  for (User user : userDAO.getUsers()) {
    if (user.equals(userInfo.getUser())) {
      continue;
    }
    layout.addComponent(generateUserSelectionButton(user));
  }
  layout.addComponent(new Label("Admin:"));
  Button createUserButton = new Button("Create user");
  createUserButton.addClickListener(new ClickListener() {
    @Override
    public void buttonClick(ClickEvent event) {
      navigationEvent.fire(new NavigationEvent("create-user"));
    }
  });
  layout.addComponent(createUserButton);
  return layout;
}
....

Everything seems to work fine, the admin is able to use this new feature
to create a new user and the view is inaccessible to non-admins. An
attempt to access the view without the proper authorization will
currently cause an `IllegalArgumentException`. A better approach would be
to create an error view and display that instead.

[source,java]
....
package com.vaadin.cdi.tutorial;

import javax.inject.Inject;

import com.vaadin.cdi.access.AccessControl;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.CustomComponent;
import com.vaadin.ui.Label;
import com.vaadin.ui.VerticalLayout;

public class ErrorView extends CustomComponent implements View {

  @Inject
  private AccessControl accessControl;

  @Inject
  private javax.enterprise.event.Event<NavigationEvent> navigationEvent;

  @Override
  public void enter(ViewChangeEvent event) {
    VerticalLayout layout = new VerticalLayout();
    layout.setSizeFull();
    layout.setMargin(true);
    layout.setSpacing(true);

    layout.addComponent(new Label(
        "Unfortunately, the page you've requested does not exists."));
    if (accessControl.isUserSignedIn()) {
      layout.addComponent(createChatButton());
    } else {
      layout.addComponent(createLoginButton());
    }
    setCompositionRoot(layout);
  }

  private Button createLoginButton() {
    Button button = new Button("To login page");
    button.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        navigationEvent.fire(new NavigationEvent("login"));
      }
    });
    return button;
  }

  private Button createChatButton() {
    Button button = new Button("Back to the main page");
    button.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        navigationEvent.fire(new NavigationEvent("chat"));
      }
    });
    return button;
  }
}
....

To use this we'll modify our `NavigationService` to add the error view to
the `Navigator`.

NavigationServiceImpl:

[source,java]
....
@Inject
private ErrorView errorView;

@PostConstruct
public void initialize() {
  if (ui.getNavigator() == null) {
    Navigator navigator = new Navigator(ui, ui);
    navigator.addProvider(viewProvider);
    navigator.setErrorView(errorView);
  }
}
....

We don't really want the admin-only buttons to be visible to non-admin
users. To programmatically hide them we can inject `AccessControl` to our
view.

ChatView:

[source,java]
....
@Inject
private AccessControl accessControl;

private Layout buildUserSelectionLayout() {
  VerticalLayout layout = new VerticalLayout();
  layout.setWidth("100%");
  layout.setMargin(true);
  layout.setSpacing(true);
  layout.addComponent(new Label("Select user to talk to:"));
  for (User user : userDAO.getUsers()) {
    if (user.equals(userInfo.getUser())) {
      continue;
    }
    layout.addComponent(generateUserSelectionButton(user));
  }
  if(accessControl.isUserInRole("admin")) {
    layout.addComponent(new Label("Admin:"));
    Button createUserButton = new Button("Create user");
    createUserButton.addClickListener(new ClickListener() {
      @Override
      public void buttonClick(ClickEvent event) {
        navigationEvent.fire(new NavigationEvent("create-user"));
      }
    });
    layout.addComponent(createUserButton);
  }
  return layout;
}
....

[[some-further-topics]]
Some further topics
~~~~~~~~~~~~~~~~~~~

In the previous section we pruned the layout programmatically to prevent
non-admins from even seeing the admin buttons. That was one way to do
it. Another would be to create a custom component representing the
layout, then create a producer for that component which would determine
at runtime which version to create.

Sometimes there's a need for a more complex custom access control
implementations. You may need to use something more than Java Strings to
indicate user roles, you may want to alter access rights during runtime.
For those purposes we could extend the `CDIViewProvider` (with either the
`@Specializes` annotation or `@Alternative` with a beans.xml entry) and
override `isUserHavingAccessToView(Bean<?> viewBean)`.