--- title: Access Control order: 8 layout: page --- [[v-access-control]] = Access control In this tutorial we will look into access control. [[basic-access-control]] Basic access control ~~~~~~~~~~~~~~~~~~~~ The application we've been building will inevitably need some administrative tools. Creation and deletion of users, for example, is generally something that we'd like to do during runtime. Let's create a simple View for creating a new user: [source,java] .... package com.vaadin.cdi.tutorial; import java.util.concurrent.atomic.AtomicLong; import javax.inject.Inject; import com.vaadin.cdi.CDIView; import com.vaadin.data.Validator; import com.vaadin.data.fieldgroup.BeanFieldGroup; import com.vaadin.data.fieldgroup.FieldGroup.CommitEvent; import com.vaadin.data.fieldgroup.FieldGroup.CommitException; import com.vaadin.data.fieldgroup.FieldGroup.CommitHandler; import com.vaadin.navigator.View; import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent; import com.vaadin.ui.Button; import com.vaadin.ui.Button.ClickEvent; import com.vaadin.ui.Button.ClickListener; import com.vaadin.ui.CustomComponent; import com.vaadin.ui.Label; import com.vaadin.ui.VerticalLayout; @CDIView public class CreateUserView extends CustomComponent implements View { @Inject UserDAO userDAO; private static final AtomicLong ID_FACTORY = new AtomicLong(3); @Override public void enter(ViewChangeEvent event) { final VerticalLayout layout = new VerticalLayout(); layout.setMargin(true); layout.setSpacing(true); layout.addComponent(new Label("Create new user")); final BeanFieldGroup fieldGroup = new BeanFieldGroup( User.class); layout.addComponent(fieldGroup.buildAndBind("firstName")); layout.addComponent(fieldGroup.buildAndBind("lastName")); layout.addComponent(fieldGroup.buildAndBind("username")); layout.addComponent(fieldGroup.buildAndBind("password")); layout.addComponent(fieldGroup.buildAndBind("email")); fieldGroup.getField("username").addValidator(new Validator() { @Override public void validate(Object value) throws InvalidValueException { String username = (String) value; if (username.isEmpty()) { throw new InvalidValueException("Username cannot be empty"); } if (userDAO.getUserBy(username) != null) { throw new InvalidValueException("Username is taken"); } } }); fieldGroup.setItemDataSource(new User(ID_FACTORY.incrementAndGet(), "", "", "", "", "", false)); final Label messageLabel = new Label(); layout.addComponent(messageLabel); fieldGroup.addCommitHandler(new CommitHandler() { @Override public void preCommit(CommitEvent commitEvent) throws CommitException { } @Override public void postCommit(CommitEvent commitEvent) throws CommitException { userDAO.saveUser(fieldGroup.getItemDataSource().getBean()); fieldGroup.setItemDataSource(new User(ID_FACTORY .incrementAndGet(), "", "", "", "", "", false)); } }); Button commitButton = new Button("Create"); commitButton.addClickListener(new ClickListener() { @Override public void buttonClick(ClickEvent event) { try { fieldGroup.commit(); messageLabel.setValue("User created"); } catch (CommitException e) { messageLabel.setValue(e.getMessage()); } } }); layout.addComponent(commitButton); setCompositionRoot(layout); } } .... `CDIViewProvider` checks the Views for a specific annotation, `javax.annotation.security.RolesAllowed`. You can get access to it by adding the following dependency to your pom.xml: [source,xml] .... javax.annotation javax.annotation-api 1.2-b01 .... [source,java] .... @CDIView @RolesAllowed({ "admin" }) public class CreateUserView extends CustomComponent implements View { .... To add access control to our application we'll need to have a concrete implementation of the AccessControl abstract class. Vaadin CDI comes bundled with a simple JAAS implementation, but configuring a JAAS security domain is outside the scope of this tutorial. Instead we'll opt for a simpler implementation. We'll go ahead and alter our UserInfo class to include hold roles. [source,java] .... private List roles = new LinkedList(); public void setUser(User user) { this.user = user; roles.clear(); if (user != null) { roles.add("user"); if (user.isAdmin()) { roles.add("admin"); } } } public List getRoles() { return roles; } .... Let's extend `AccessControl` and use our freshly modified `UserInfo` in it. [source,java] .... package com.vaadin.cdi.tutorial; import javax.enterprise.inject.Alternative; import javax.inject.Inject; import com.vaadin.cdi.access.AccessControl; @Alternative public class CustomAccessControl extends AccessControl { @Inject private UserInfo userInfo; @Override public boolean isUserSignedIn() { return userInfo.getUser() != null; } @Override public boolean isUserInRole(String role) { if (isUserSignedIn()) { for (String userRole : userInfo.getRoles()) { if (role.equals(userRole)) { return true; } } } return false; } @Override public String getPrincipalName() { if (isUserSignedIn()) { return userInfo.getUser().getUsername(); } return null; } } .... Note the `@Alternative` annotation. The JAAS implementation is set as the default, and we can't have multiple default implementations. We'll have to add our custom implementation to the beans.xml: [source,xml] .... com.vaadin.cdi.tutorial.UserGreetingImpl com.vaadin.cdi.tutorial.CustomAccessControl com.vaadin.cdi.tutorial.NavigationLogDecorator .... Now let's add a button to navigate to this view. ChatView: [source,java] .... private Layout buildUserSelectionLayout() { VerticalLayout layout = new VerticalLayout(); layout.setWidth("100%"); layout.setMargin(true); layout.setSpacing(true); layout.addComponent(new Label("Select user to talk to:")); for (User user : userDAO.getUsers()) { if (user.equals(userInfo.getUser())) { continue; } layout.addComponent(generateUserSelectionButton(user)); } layout.addComponent(new Label("Admin:")); Button createUserButton = new Button("Create user"); createUserButton.addClickListener(new ClickListener() { @Override public void buttonClick(ClickEvent event) { navigationEvent.fire(new NavigationEvent("create-user")); } }); layout.addComponent(createUserButton); return layout; } .... Everything seems to work fine, the admin is able to use this new feature to create a new user and the view is inaccessible to non-admins. An attempt to access the view without the proper authorization will currently cause an `IllegalArgumentException`. A better approach would be to create an error view and display that instead. [source,java] .... package com.vaadin.cdi.tutorial; import javax.inject.Inject; import com.vaadin.cdi.access.AccessControl; import com.vaadin.navigator.View; import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent; import com.vaadin.ui.Button; import com.vaadin.ui.Button.ClickEvent; import com.vaadin.ui.Button.ClickListener; import com.vaadin.ui.CustomComponent; import com.vaadin.ui.Label; import com.vaadin.ui.VerticalLayout; public class ErrorView extends CustomComponent implements View { @Inject private AccessControl accessControl; @Inject private javax.enterprise.event.Event navigationEvent; @Override public void enter(ViewChangeEvent event) { VerticalLayout layout = new VerticalLayout(); layout.setSizeFull(); layout.setMargin(true); layout.setSpacing(true); layout.addComponent(new Label( "Unfortunately, the page you've requested does not exists.")); if (accessControl.isUserSignedIn()) { layout.addComponent(createChatButton()); } else { layout.addComponent(createLoginButton()); } setCompositionRoot(layout); } private Button createLoginButton() { Button button = new Button("To login page"); button.addClickListener(new ClickListener() { @Override public void buttonClick(ClickEvent event) { navigationEvent.fire(new NavigationEvent("login")); } }); return button; } private Button createChatButton() { Button button = new Button("Back to the main page"); button.addClickListener(new ClickListener() { @Override public void buttonClick(ClickEvent event) { navigationEvent.fire(new NavigationEvent("chat")); } }); return button; } } .... To use this we'll modify our `NavigationService` to add the error view to the `Navigator`. NavigationServiceImpl: [source,java] .... @Inject private ErrorView errorView; @PostConstruct public void initialize() { if (ui.getNavigator() == null) { Navigator navigator = new Navigator(ui, ui); navigator.addProvider(viewProvider); navigator.setErrorView(errorView); } } .... We don't really want the admin-only buttons to be visible to non-admin users. To programmatically hide them we can inject `AccessControl` to our view. ChatView: [source,java] .... @Inject private AccessControl accessControl; private Layout buildUserSelectionLayout() { VerticalLayout layout = new VerticalLayout(); layout.setWidth("100%"); layout.setMargin(true); layout.setSpacing(true); layout.addComponent(new Label("Select user to talk to:")); for (User user : userDAO.getUsers()) { if (user.equals(userInfo.getUser())) { continue; } layout.addComponent(generateUserSelectionButton(user)); } if(accessControl.isUserInRole("admin")) { layout.addComponent(new Label("Admin:")); Button createUserButton = new Button("Create user"); createUserButton.addClickListener(new ClickListener() { @Override public void buttonClick(ClickEvent event) { navigationEvent.fire(new NavigationEvent("create-user")); } }); layout.addComponent(createUserButton); } return layout; } .... [[some-further-topics]] Some further topics ~~~~~~~~~~~~~~~~~~~ In the previous section we pruned the layout programmatically to prevent non-admins from even seeing the admin buttons. That was one way to do it. Another would be to create a custom component representing the layout, then create a producer for that component which would determine at runtime which version to create. Sometimes there's a need for a more complex custom access control implementations. You may need to use something more than Java Strings to indicate user roles, you may want to alter access rights during runtime. For those purposes we could extend the `CDIViewProvider` (with either the `@Specializes` annotation or `@Alternative` with a beans.xml entry) and override `isUserHavingAccessToView(Bean viewBean)`.