HowToDoInJava

Vaadin Spring Security BasicAuth Example

By | Filed Under: Vaadin

In this tutorial, we will learn to secure vaadin application behind basic authentication security provided by spring security module.

I am updating the vaadin hello world application sourcecode with spring security configuration, so if you already have any vaadin application, you can directly look into spring security section.
Table of Contents

Development environment
Spring Security BasicAuth Configuration
Vaadin UI Configuration
Maven Dependencies
Run the application

Development environment

This example uses below tools and frameworks for building the demo vaadin application secured behind spring’s basic authentication security.

  1. JDK 1.8
  2. Vaadin 7.7.0
  3. Spring Security 4.1.3.RELEASE
  4. Eclipse Luna
  5. Tomcat 7

Spring Security BasicAuth Configuration

To configure spring basicauth security, you will need to add applicationContext.xml file in classpath (if it does not exist already) and then you need to configure the security settings e.g. secured URL patterns, what roles can access what URL etc.

applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.1.xsd">

	<http auto-config="true">
		<intercept-url pattern="/vaadinServlet/**" access="hasRole('ROLE_EDITOR')" />
		<intercept-url pattern="/vaadinServlet/*.*" access="hasRole('ROLE_EDITOR')" />
		<intercept-url pattern="/**" access="hasRole('ROLE_EDITOR')" />
		<http-basic />
		<csrf disabled="true"/>
	</http>

	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="howtodoinjava" password="password" authorities="ROLE_EDITOR" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

</beans:beans>

Now you will need to configure springSecurityFilterChain in web.xml file so that security is added to application. Also if you added new applicationContext.xml file, then you will need to register the ContextLoaderListener as well.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<filter>
	<filter-name>springSecurityFilterChain</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
	<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

//Other configuration will be added here

</web-app>

Spring basic authentication configuration is complete. And now you can modify the respective pieces as per application’s requirements. E.g. You may want to fetch username/password details from database then you can use jdbc-user-service in authentication-provider in applicationContext.xml file.

Vaadin UI Configuration

As I have already mentioned that I am modifying vaadin hello world application, it has very basic things. Just VaadinServlet configuration in web.xml file and homepage screen with label to display success message in case authentication is successful.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    //Spring security configuration as mentioned in above section

	<context-param>
		<description>Vaadin production mode</description>
		<param-name>productionMode</param-name>
		<param-value>false</param-value>
	</context-param>

	<servlet>
		<servlet-name>vaadinServlet</servlet-name>
		<servlet-class>com.vaadin.server.VaadinServlet</servlet-class>
		<init-param>
			<param-name>UI</param-name>
			<param-value>com.howtodoinjava.vaadin.demo.AppUI</param-value>
		</init-param>
	</servlet>

	<servlet-mapping>
		<servlet-name>vaadinServlet</servlet-name>
		<url-pattern>/*</url-pattern>
	</servlet-mapping>
</web-app>

AppUI.java

package com.howtodoinjava.vaadin.demo;

import com.vaadin.annotations.Theme;
import com.vaadin.server.VaadinRequest;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

@Theme("mytheme")
public class AppUI extends UI {

	private static final long serialVersionUID = 1387172685749279538L;

	@Override
	protected void init(VaadinRequest vaadinRequest) {
		final VerticalLayout layout = new VerticalLayout();

		Label label = new Label("Welcome to BasicAuth Secured Vaadin Application");
		layout.addComponent(label);
		
		layout.setMargin(true);
		layout.setSpacing(true);

		setContent(layout);
	}
}

Maven Dependencies

A very important part of application is to collect and configure runtime dependencies. As we are using maven, I have added following dependencies into existing pom.xml file.

pom.xml

<!-- Spring Security -->
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-core</artifactId>
	<version>${org.springframework.version}</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-web</artifactId>
	<version>${org.springframework.version}</version>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-config</artifactId>
	<version>${org.springframework.version}</version>
</dependency>

<!-- Commons Logging is required with Spring 4.x -->
<dependency>
	<groupId>commons-logging</groupId>
	<artifactId>commons-logging</artifactId>
	<version>1.2</version>
</dependency>

Run the application

Now the application is configured and ready to be tested. Let’s hit the application URL in browser.

  1. Hit URL http://localhost:8080/VaadinExample/

    You will get the browser popup to enter your username and password.

    Vaadin Spring Security BasicAuth Window
    Vaadin Spring Security BasicAuth Window

  2. Fill INCORRECT credentials and submit

    Popup fields will be cleared and it will again ask for username/password.

  3. Fill CORRECT credentials and submit

    Application’s home page will be displayed with success message.

    Vaadin Spring Security BasicAuth Successful
    Vaadin Spring Security BasicAuth Successful

Drop me your questions in comments section.

Sourcecode Download

Resources:

Spring Security Reference
Vaadin Hello World Application
RFC-2617 [BasicAuth]

LinkedinRedditPocket

Feedback, Discussion and Comments

  1. Useful way to secure vaadin application behind basic authentication security

    Reply

  2. works fine but how to logout ?

    Reply

  3. Thanks for sharing this blog

    Reply

Ask Questions & Share Feedback

Please do not submit a comment only to say "Thank you".

*Want to Post Code Snippets or XML content? Please use [java] ... [/java] tags otherwise code may not appear partially or even fully. e.g.
[java] 
public static void main (String[] args) {
...
} 
[/java]