Monday, October 30, 2017

Implementing Spring Security on a Vaadin application

Today I'm going to write a little bit about my experience of trying to secure a simple Vaadin application using one of the most popular security frameworks: the security extensions of SpringFramework.
This post will cover the part of configuring a default setting to make it work, of course after this, there are a lot of things to do in your project to finish implementing this, such as storing and retrieving your user details from the underlying datastore of your choice, choosing the password-hashing algorithm, and so on. But at least you will have an overview of what needs to be done to accomplish this.

Starting point

The first requisite you're going to need to build this application is Maven. Using this command-line tool you can create a blank application using the following command:

mvn archetype:generate

After executing that command, maven will list a lot of predefined archetypes, you can filter that list using a keyword. If you enter "vaadin", the list will be shortened, I choose "com.vaadin:vaadin-archetype-application". After entering all of the required information (we are using 8.1.5 version of Vaadin), maven will create a small application that you can compile, package and ran using a built-in Jetty configuration just by launching this command:

mvn jetty:run

After this, you're ready to go with the rest of steps.

Adding Spring Framework

The first thing you'll need to do is to add the spring framework dependency to your project. For achieving this, you'll need to modify your project's pom.xml file, and add this inside the <dependencies> section:

<dependency>
<groupId>com.vaadin</groupId>
<artifactId>vaadin-spring</artifactId>
<version>1.2.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>


This will add all of the required dependencies that you're going to need to implement this. We are considering using 4.2.3.RELEASE, that is the last stable version of that part of the framework at the time this article was written. And also, we are using Vaadin-Spring addon version 2.0.1 (latest stable version).

Adding some classes

With Spring Framework, and Servlet 3.0 specification, you can get rid of all of the old xml configurations and just create some classes to configure the framework. We are going to need the creation of:

  • User model class: This class will model the user that is currently logged in. It has to implement the interface org.springframework.security.core.userdetails.UserDetails, that will you implement some methods, of which these ones are worth mentioning:
    • getUsername & getPassword: This methods should return the stored username and password of your logged in user.
    • getAuthorities: This method should return the granted authorities that will be useful for choosing which functionalities of your application this user can see/execute
    • isAccountNonExpired, isAccountNonLocked, isCredentialsNonExpired and isEnabled: This methods are useful if you want to apply different security policies to control the availability of your user / credentials
  • User Service: Is the class responsible for loading the previous model from the underlying database. In this little example, this class is just creating and returning a new simple User.
  • SecurityConfig: This is the class that controls the security configuration of your application. There are a lot of interesting things in this class to mention:
    • Through the method authenticationProvider(), we are configuring the previous service as the mechanism to retrieve the user from the database.
    • The method configure() is the most important one, and allows a lot of configurations to be set. We are using the minimal ones to allow some unprotected url patterns (like the login form page) and restrict everything else to allow only the access to logged in users.
    • We are also setting some standard configurations regarding the session utilizing the method sessionControlAuthenticationStrategy().
    • Another interesting thing is to create a Session Registry, that is a class that will allow spring to store the security sessions detail in memory.
    • Finally there is a method encoder() that will allow you to hash the password, so no plain password are going to be stored on the database. Just because this is a simple example, we are using a NoOpPasswordEncoder.
  • SecurityWebApplicationInitializer: This class will be responsible of assigning the class SecurityConfig as the base class of spring configuration.
  • LoginUI: Because we are going to secure some urls, and others are going to be left unsecured, we need to create a new UI, that will render the login form. In this class we are using one interesting Vaadin component: the LoginForm, this will render a login form in vaadin using some interesting features like being able to tell the browser to remember the user credentials.
Finally we have to modify the MainUI, a little bit to allow using a SpringVaadinServlet instead the default one. And also we are adding a logout button, that will be doing the logout process, invoking some class of spring security.
After adding this classes you're ready to go and test the application. If you try to access to the default url, you're going to be redirected to the LoginUI and your credentials are going to be asked. Just enter "admin" as username and "admin" as password and you are going to be granted the access to the application.
After that if you click in the logout button, you are going to be logged out of the application and then be redirected to the login page.
That's it. All of the sources are uploaded into a small github project so if you want, you can take a look there. If you have any issues please comment!
Hope this could be useful to someone.


Vaadin's Grid editing capabilities

This time I'd like to talk a little bit about something that I believe is one of the most powerful capabilities of Vaadin Grid component: the editing feature. The default view of the component is a read-only view, of the tabular data loaded in the component. But if you enable the editor, you can visually edit the grid's cells and change the data that the grid is holding in the server's memory. Let's dig in some difficulties to use this feature and how to overcome them.

Inline editing

If you look at the demo sampler application, you'll see that the Item Editor, is like a little form that opens whenever you double click a row. That's different than the previous component in older Vaadin versions (Table). With Table, when you double click on it, the entire row turn into read/write mode, without changing the row into a "mini form" as grid does now. Of course this behavior is configurable, you can disable it just by calling setBuffered(false).
Despite of being somehow more visual, this new conduct, could be an undesirable behavior for enterprise applications that happens to use the keyboard a lot, and not depending so much on the mouse, to handle the table or grid.
If your users desire that kind of grid management, then the Grid Fast Navigation Addon is for you. It uses the Component Extension feature, to give the grid a new look, that makes the editing much more easier, and transforms it in a sort of excel style facility.

Grid Fast Navigation Addon in action

Components

Another thing that prevented some developers to stop using Table and starting to use grid, was that you couldn't use a standard component inside a cell of a Grid. If you wanted to, for example, use checkboxes inside a cell, you had to create a special class, called "renderer", that should handle the server and the client side of that cell.
Luckily there are some addons that may help you with that task. The one that stands out is the Grid renderes collection (it exists for Vaadin 7 and 8 versions). It provides a lot of components that let you handle select, checkbox, images, etc.
In the last version of Vaadin, one of the most interesting features, is a new Renderer, that adds the capability to render a Vaadin component inside a cell of a grid. You can see a preview in the sampler application.
If you are using Vaadin 7, although, you could use a experimental version of that feature, installing the Component Renderer Addon.
Happy coding!


Interested for our works and services?
Get more of our update !