Implementing Spring Security on a Vaadin application
Today I'm going to write a little bit about my experience of trying to secure a simple Vaadin application using one of the most popular security frameworks: the security extensions of SpringFramework.
This post will cover the part of configuring a default setting to make it work, of course after this, there are a lot of things to do in your project to finish implementing this, such as storing and retrieving your user details from the underlying datastore of your choice, choosing the password-hashing algorithm, and so on. But at least you will have an overview of what needs to be done to accomplish this.
After executing that command, maven will list a lot of predefined archetypes, you can filter that list using a keyword. If you enter "vaadin", the list will be shortened, I choose "com.vaadin:vaadin-archetype-application". After entering all of the required information (we are using 8.1.5 version of Vaadin), maven will create a small application that you can compile, package and ran using a built-in Jetty configuration just by launching this command:
After this, you're ready to go with the rest of steps.
<dependency>
<groupId>com.vaadin</groupId>
<artifactId>vaadin-spring</artifactId>
<version>1.2.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
This will add all of the required dependencies that you're going to need to implement this. We are considering using 4.2.3.RELEASE, that is the last stable version of that part of the framework at the time this article was written. And also, we are using Vaadin-Spring addon version 2.0.1 (latest stable version).
This post will cover the part of configuring a default setting to make it work, of course after this, there are a lot of things to do in your project to finish implementing this, such as storing and retrieving your user details from the underlying datastore of your choice, choosing the password-hashing algorithm, and so on. But at least you will have an overview of what needs to be done to accomplish this.
Starting point
The first requisite you're going to need to build this application is Maven. Using this command-line tool you can create a blank application using the following command:
mvn archetype:generate
mvn jetty:run
After this, you're ready to go with the rest of steps.
Adding Spring Framework
The first thing you'll need to do is to add the spring framework dependency to your project. For achieving this, you'll need to modify your project's pom.xml file, and add this inside the <dependencies> section:<dependency>
<groupId>com.vaadin</groupId>
<artifactId>vaadin-spring</artifactId>
<version>1.2.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
This will add all of the required dependencies that you're going to need to implement this. We are considering using 4.2.3.RELEASE, that is the last stable version of that part of the framework at the time this article was written. And also, we are using Vaadin-Spring addon version 2.0.1 (latest stable version).
Adding some classes
With Spring Framework, and Servlet 3.0 specification, you can get rid of all of the old xml configurations and just create some classes to configure the framework. We are going to need the creation of:- User model class: This class will model the user that is currently logged in. It has to implement the interface org.springframework.security.core.userdetails.UserDetails, that will you implement some methods, of which these ones are worth mentioning:
- getUsername & getPassword: This methods should return the stored username and password of your logged in user.
- getAuthorities: This method should return the granted authorities that will be useful for choosing which functionalities of your application this user can see/execute
- isAccountNonExpired, isAccountNonLocked, isCredentialsNonExpired and isEnabled: This methods are useful if you want to apply different security policies to control the availability of your user / credentials
- User Service: Is the class responsible for loading the previous model from the underlying database. In this little example, this class is just creating and returning a new simple User.
- SecurityConfig: This is the class that controls the security configuration of your application. There are a lot of interesting things in this class to mention:
- Through the method authenticationProvider(), we are configuring the previous service as the mechanism to retrieve the user from the database.
- The method configure() is the most important one, and allows a lot of configurations to be set. We are using the minimal ones to allow some unprotected url patterns (like the login form page) and restrict everything else to allow only the access to logged in users.
- We are also setting some standard configurations regarding the session utilizing the method sessionControlAuthenticationStrategy().
- Another interesting thing is to create a Session Registry, that is a class that will allow spring to store the security sessions detail in memory.
- Finally there is a method encoder() that will allow you to hash the password, so no plain password are going to be stored on the database. Just because this is a simple example, we are using a NoOpPasswordEncoder.
- SecurityWebApplicationInitializer: This class will be responsible of assigning the class SecurityConfig as the base class of spring configuration.
- LoginUI: Because we are going to secure some urls, and others are going to be left unsecured, we need to create a new UI, that will render the login form. In this class we are using one interesting Vaadin component: the LoginForm, this will render a login form in vaadin using some interesting features like being able to tell the browser to remember the user credentials.
Finally we have to modify the MainUI, a little bit to allow using a SpringVaadinServlet instead the default one. And also we are adding a logout button, that will be doing the logout process, invoking some class of spring security.
After adding this classes you're ready to go and test the application. If you try to access to the default url, you're going to be redirected to the LoginUI and your credentials are going to be asked. Just enter "admin" as username and "admin" as password and you are going to be granted the access to the application.
After that if you click in the logout button, you are going to be logged out of the application and then be redirected to the login page.
That's it. All of the sources are uploaded into a small github project so if you want, you can take a look there. If you have any issues please comment!
Hope this could be useful to someone.