Vaadin Spring Security with BasicAuth

In this Vaadin tutorial, we will learn to secure the application behind the basic authentication provided by the Spring Security module.

I am updating the Vaadin hello world application source code with the Spring Security configuration, so if you already have a Vaadin application, you can go directly to the Spring Security section.

Table of Contents

1. Development environment
2. Spring Security BasicAuth Configuration
3. Vaadin UI Configuration
4. Maven Dependencies
5. Run the application

1. Development environment

This example uses the following tools and frameworks to build the demo Vaadin application secured behind Spring's basic authentication.

  1. JDK 1.8
  2. Vaadin 7.7.0
  3. Spring Security 4.1.3.RELEASE
  4. Eclipse Luna
  5. Tomcat 7

2. Spring Security Basic Auth Configuration

To configure Spring basic-auth security, add an applicationContext.xml file to the classpath (if it does not exist already) and configure the security settings in it, e.g. the secured URL patterns and which roles can access which URL.

2.1. applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.1.xsd">

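	<http auto-config="true">
		<!-- Every URL requires ROLE_EDITOR; the /** rule alone would also match the two /vaadinServlet patterns -->
		<intercept-url pattern="/vaadinServlet/**" access="hasRole('ROLE_EDITOR')" />
		<intercept-url pattern="/vaadinServlet/*.*" access="hasRole('ROLE_EDITOR')" />
		<intercept-url pattern="/**" access="hasRole('ROLE_EDITOR')" />
		<!-- Challenge clients with HTTP Basic authentication -->
		<http-basic />
		<!-- Spring Security's CSRF protection is switched off -->
		<csrf disabled="true"/>
	</http>

	<!-- Single in-memory user for the demo, with a plain-text password -->
	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="howtodoinjava" password="password" authorities="ROLE_EDITOR" />
			</user-service>
		</authentication-provider>
	</authentication-manager>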

</beans:beans>

Next, configure springSecurityFilterChain in the web.xml file so that security is applied to the application. If you added a new applicationContext.xml file, you also need to register the ContextLoaderListener.

2.2. web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
	<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Other configuration will be added here -->

</web-app>

The Spring basic authentication configuration is now complete, and you can modify the respective pieces as per the application's requirements. For example, if you want to fetch the username/password details from a database, you can use jdbc-user-service in the authentication-provider in the applicationContext.xml file.

3. Vaadin UI Configuration

As already mentioned, I am modifying the Vaadin hello world application, so it contains only very basic things: the VaadinServlet configuration in the web.xml file and a homepage screen with a label that displays a success message when authentication succeeds.

3.1. web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <!-- Spring security configuration as mentioned in above section -->

	<context-param>
		<description>Vaadin production mode</description>
		<param-name>productionMode</param-name>
		<param-value>false</param-value>
	</context-param>

	<servlet>
		<servlet-name>vaadinServlet</servlet-name>
		<servlet-class>com.vaadin.server.VaadinServlet</servlet-class>
		<init-param>
			<param-name>UI</param-name>
			<param-value>com.howtodoinjava.vaadin.demo.AppUI</param-value>
		</init-param>
	</servlet>

	<servlet-mapping>
		<servlet-name>vaadinServlet</servlet-name>
		<url-pattern>/*</url-pattern>
	</servlet-mapping>
</web-app>

3.2. AppUI.java

package com.howtodoinjava.vaadin.demo;

import com.vaadin.annotations.Theme;
import com.vaadin.server.VaadinRequest;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

@Theme("mytheme")
public class AppUI extends UI {

	private static final long serialVersionUID = 1387172685749279538L;

	@Override
	protected void init(VaadinRequest vaadinRequest) {
		final VerticalLayout layout = new VerticalLayout();

		Label label = new Label("Welcome to BasicAuth Secured Vaadin Application");
		layout.addComponent(label);
		
		layout.setMargin(true);
		layout.setSpacing(true);

		setContent(layout);
	}
}

4. Maven Dependencies

An important part of the application is collecting and configuring its runtime dependencies. As we are using Maven, I have added the following dependencies to the existing pom.xml file.

4.1. pom.xml

<!-- Spring Security -->
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-core</artifactId>
	<version>${org.springframework.version}</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-web</artifactId>
	<version>${org.springframework.version}</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-config</artifactId>
	<version>${org.springframework.version}</version>
</dependency>

<!-- Commons Logging is required with Spring 4.x -->
<dependency>
	<groupId>commons-logging</groupId>
	<artifactId>commons-logging</artifactId>
	<version>1.2</version>
</dependency>

5. Run the application

Now the application is configured and ready to be tested. Let's open the application URL in a browser.

  1. Hit URL http://localhost:8080/VaadinExample/

    You will get the browser popup to enter your username and password.

    [Image: Vaadin Spring Security BasicAuth Window]

  2. Fill INCORRECT credentials and submit

    The popup fields will be cleared and it will ask for the username/password again.

  3. Fill CORRECT credentials and submit

    The application's home page will be displayed with the success message.

    [Image: Vaadin Spring Security BasicAuth Successful]

Happy Learning !!

Resources:

Spring Security Reference
Vaadin Hello World Application
RFC-2617 [BasicAuth]
