Open mrts opened 2 years ago
Currently there is nothing in the CDI add-on that would use RolesAllowed. The annotation itself is an empty placeholder. In the Spring add-on we have helpers extending Spring Security, which also add an access annotation checker. In a nutshell, that implementation works so that it adds a global BeforeEnterEvent listener (see: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/auth/ViewAccessChecker.java), checks if the annotation is present on the target route and does rerouting based on the annotation. Technically it could be possible to do something similar with CDI also, but it requires a decision on what security integration system we would use. This is necessary, as without a connection to the user principal the annotation would be meaningless (see our Spring implementation here: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/auth/AccessAnnotationChecker.java#L237). In the case of Spring it is natural to use Spring Security, but in the CDI world there are multiple competing solutions. We could e.g. decide just to support this with Shiro out of the box.
Note, you can implement this kind of annotation checker in your application logic; it is pretty straightforward. Just reverse engineer our Spring implementation and apply the same e.g. with Shiro or whatever you are using for authentication. Our code is probably more superfluous than what you need in just an application.
Here's the link to the documentation about securing a plain Java application, which may help to set things up for CDI as well: https://vaadin.com/docs/latest/security/advanced-topics/securing-plain-java-app
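The listener approach described above, as an added example that is not part of this thread or of Vaadin's own code: a global BeforeEnterListener that reads the access annotations on the navigation target and reroutes, with the user principal taken from the servlet container (e.g. JAAS) through VaadinRequest. It assumes a login view on the route "login", that the class is registered through META-INF/services/com.vaadin.flow.server.VaadinServiceInitListener, and follows the annotation rules of the Spring AccessAnnotationChecker linked above.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterListener;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinRequest;
import com.vaadin.flow.server.VaadinServiceInitListener;
import com.vaadin.flow.server.auth.AnonymousAllowed;

/** Global navigation guard that reads the access annotations on the target view (assumed, not Vaadin's code). */
public class RolesAllowedAccessChecker implements VaadinServiceInitListener, BeforeEnterListener {

    private static final String LOGIN_ROUTE = "login"; // assumed route of the login view

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Attach the listener to every UI so the check runs on every navigation.
        event.getSource().addUIInitListener(
                uiInit -> uiInit.getUI().addBeforeEnterListener(this));
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        VaadinRequest request = VaadinRequest.getCurrent(); // principal comes from the container (e.g. JAAS)
        if (hasAccess(event.getNavigationTarget(), request)) {
            return;
        }
        if (request.getUserPrincipal() == null) {
            event.rerouteTo(LOGIN_ROUTE); // anonymous user: send to login
        } else {
            event.rerouteToError(NotFoundException.class); // wrong role: do not reveal that the view exists
        }
    }

    /** Same rules as the Spring AccessAnnotationChecker: deny unless an annotation grants access. */
    static boolean hasAccess(Class<?> target, VaadinRequest request) {
        if (target.isAnnotationPresent(DenyAll.class)) return false;
        if (target.isAnnotationPresent(AnonymousAllowed.class)) return true;
        if (target.isAnnotationPresent(PermitAll.class)) return request.getUserPrincipal() != null;
        RolesAllowed rolesAllowed = target.getAnnotation(RolesAllowed.class);
        if (rolesAllowed == null) return false; // unannotated views are private by default
        for (String role : rolesAllowed.value()) {
            if (request.isUserInRole(role)) return true;
        }
        return false;
    }
}
```

The login view itself must carry @AnonymousAllowed, otherwise the guard reroutes to it in a loop.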
Alright, that's quite a big change then. @RolesAllowed() @CDIView()s' JAAS integration worked flawlessly with Vaadin 8, see e.g. this. Thank you for the explanation and references! I'll experiment with the ViewAccessChecker and get back when time allows. I think that the recommended solution should be documented in the CDI docs.
When using the Vaadin 8 CDI add-on, access to @CDIView()s that are annotated with @RolesAllowed() is restricted to authenticated users who belong to the corresponding role. It is not clear from the documentation how to achieve this with the Vaadin 23 CDI add-on. I used the official Vaadin 23 Flow CDI starter and defined the following view:

When I open http://localhost:8080/me, then

Expected: unauthenticated users are not allowed to access the view.
Actual: the view is publicly accessible.
What am I missing?