Implementing Authentication and Authorization With Vaadin
Learn how to implement a login screen and control access to the application based on user roles
This article shows how to implement authentication and authorization in Spring Boot Vaadin Flow applications without using Spring Security.
Why Without Spring Security?
Spring Security is a powerful framework designed for web applications based on the request/response paradigm. Vaadin hides this paradigm so you can focus on the application and UI logic without having to deeply understand the underlying web technologies. Although it's possible to use Spring Security with Vaadin, doing so requires more work than the approach shown in this article.
Creating a New Project
Start by creating a new Vaadin application with three views:
- Login
- Home
- Admin
Use Java-only views and select the template you want for each view.
The Data Model
Create a Role enum to encapsulate the different roles that users can have in the application as follows:
Create a User class to encapsulate the login data:
This implementation uses Apache Commons Codec to hash (not encrypt) the password and Apache Commons Lang to generate a random salt string that is stored next to the hash. The per-user salt means that two users with the same password end up with different hashes, so cracking one account reveals nothing about the other, and that precomputed tables of hashed common passwords cannot be reused against your database. Keep in mind that the digests in Commons Codec are fast general-purpose hash functions; for production use, prefer a deliberately slow password hashing function such as bcrypt, scrypt, PBKDF2 or Argon2, so that every guess in a dictionary attack costs real CPU time. The implementation also uses the AbstractEntity class included in the generated project. This class contains an id field plus equals and hashCode implementations suitable for a JPA entity.
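The following User entity is an added example of the password-storage design described above; it is not the code from the example repository. It keeps the same shape (random per-user salt stored beside the hash, AbstractEntity supplying id, equals and hashCode, a Role enum) but swaps the Commons Codec digest for the JDK's built-in PBKDF2WithHmacSHA256, which needs no extra dependency and is slow by design, and compares hashes in constant time. The iteration count, the getter names and the javax.persistence package (jakarta.persistence on newer Spring Boot versions) are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.persistence.Entity;
import javax.persistence.EnumType;
import javax.persistence.Enumerated;

// Added example. AbstractEntity (id, equals, hashCode) comes from the generated
// project and Role is the enum created earlier. javax.persistence is an
// assumption: newer Spring Boot versions use jakarta.persistence instead.
@Entity
public class User extends AbstractEntity {

    // Assumed work factor: high enough that each guess costs noticeable CPU
    // time; raise it as hardware gets faster.
    private static final int PBKDF2_ITERATIONS = 210_000;
    private static final int HASH_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    private String username;
    // Per-user random salt: users sharing a password get different hashes, and
    // a precomputed table of unsalted hashes is useless against this column.
    private String passwordSalt;
    // PBKDF2-HMAC-SHA256 output; the clear-text password is never stored.
    private String passwordHash;
    @Enumerated(EnumType.STRING)
    private Role role;

    protected User() {
        // JPA requires a no-argument constructor
    }

    public User(String username, String password, Role role) {
        this.username = username;
        this.role = role;
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        this.passwordSalt = Base64.getEncoder().encodeToString(salt);
        this.passwordHash = Base64.getEncoder().encodeToString(derive(password, salt));
    }

    // True only if the candidate derives to the stored hash. MessageDigest.isEqual
    // runs in constant time, so response timing does not reveal how many bytes
    // of the hash matched.
    public boolean checkPassword(String candidate) {
        byte[] salt = Base64.getDecoder().decode(passwordSalt);
        byte[] expected = Base64.getDecoder().decode(passwordHash);
        return MessageDigest.isEqual(derive(candidate, salt), expected);
    }

    private static byte[] derive(String password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 not available", e);
        } finally {
            spec.clearPassword(); // wipe the char[] copy of the password
        }
    }

    public String getUsername() {
        return username;
    }

    public Role getRole() {
        return role;
    }
}
```

Storing the salt and hash as separate Base64 columns keeps the entity readable in the database; if you later raise the iteration count, re-hash on the next successful login, when the clear-text password is briefly available.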
To gain access to the database, add the following Spring Data repository interface:
Notice that you don't have to implement this interface since Spring Data will create an implementation at runtime. The interface offers many other useful methods that you should get familiar with.
Implementing the Authentication Service
Create a new AuthService class to encapsulate the authentication and authorization logic:
The authenticate method looks for a user in the database with the given credentials. If it finds one, a reference to the user is stored in the session and the routes (links to views in the application) available to that user's role are created. If no user matches, an exception is thrown so that the view can show a suitable message.
The createRoutes method takes the routes available to the specified role and adds them to Vaadin's route configuration, making them accessible. The registration must be scoped to the current session rather than to the whole application; otherwise every user would gain the routes as soon as one of them logged in. The getAuthorizedRoutes method in this example builds the list of routes for a role in a hard-coded fashion. Other implementations may build this list from an external source such as a database.
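An AuthService along the lines described above, written as an added illustration and not taken from the example repository. It assumes the User, Role and UserRepository types from the data model section, a Spring Data query method findByUsername on the repository, Role constants named USER and ADMIN, HomeView and AdminView classes that carry no class-level @Route annotation (a @Route would register them at application scope for every session, defeating the whole scheme), and Java 17. The session re-initialisation in authenticate and the logout method are hardening steps a practitioner would want; they are not part of the article's design.

```java
import com.vaadin.flow.component.Component;
import com.vaadin.flow.component.UI;
import com.vaadin.flow.router.RouteConfiguration;
import com.vaadin.flow.server.VaadinService;
import com.vaadin.flow.server.VaadinSession;
import java.util.List;
import org.springframework.stereotype.Service;

// Added example. User, Role, UserRepository, HomeView and AdminView are the
// types from the article; findByUsername and the USER/ADMIN constants are
// assumptions.
@Service
public class AuthService {

    // Thrown for every failed login; the view shows one generic message for it.
    public static class AuthException extends Exception {
    }

    // A route the role may use: URL path, link text and the view to register.
    public record AuthorizedRoute(String route, String name, Class<? extends Component> view) {
    }

    private final UserRepository userRepository;

    public AuthService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    public void authenticate(String username, String password) throws AuthException {
        User user = userRepository.findByUsername(username); // assumed query method
        // Unknown user and wrong password fail identically, so the login form
        // cannot be used to discover which usernames exist.
        if (user == null || !user.checkPassword(password)) {
            throw new AuthException();
        }
        // Hardening added here: obtain a fresh HTTP session id before storing
        // anything sensitive, so an id the browser held before login is dropped.
        VaadinService.reinitializeSession(VaadinService.getCurrentRequest());
        VaadinSession.getCurrent().setAttribute(User.class, user);
        createRoutes(user.getRole());
    }

    // Null when nobody is logged in to this session.
    public User getAuthenticatedUser() {
        return VaadinSession.getCurrent().getAttribute(User.class);
    }

    // Session-scoped routes and the stored User both live in the VaadinSession,
    // so invalidating it removes both; the reload lands on the login route.
    public void logout() {
        VaadinSession.getCurrent().getSession().invalidate();
        UI.getCurrent().getPage().reload();
    }

    // Registers the role's routes for this session only. Any other session still
    // gets Vaadin's not-found page for the same paths.
    private void createRoutes(Role role) {
        RouteConfiguration configuration = RouteConfiguration.forSessionScope();
        for (AuthorizedRoute authorizedRoute : getAuthorizedRoutes(role)) {
            configuration.setRoute(authorizedRoute.route(), authorizedRoute.view());
        }
    }

    // Hard-coded, as in the article; a real application might load this mapping
    // from a database instead.
    public List<AuthorizedRoute> getAuthorizedRoutes(Role role) {
        AuthorizedRoute home = new AuthorizedRoute("home", "Home", HomeView.class);
        AuthorizedRoute admin = new AuthorizedRoute("admin", "Admin", AdminView.class);
        return switch (role) {
            case USER -> List.of(home);
            case ADMIN -> List.of(home, admin);
        };
    }
}
```

Because RouteConfiguration.forSessionScope() registers the routes in the VaadinSession of the user who just logged in, an unauthenticated request for /admin from any other browser session is answered with the not-found page, which is what provides the authorization. Invalidating the session removes the routes again, so a logout like the one above is also the simplest way around the re-login limitation mentioned at the end of the article.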
Implementing the Login View
You can use any available components to implement a login form. For example, you can use the LoginForm class or alternatively create a custom implementation like the following:
The view calls the service to perform the actual authentication and authorization setup logic (registering the routes available to the user).
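A custom login view of that kind, added as an example and not the repository's code. It assumes Vaadin's Spring integration injects the AuthService bean into the view, that the service signals failure with a checked exception named AuthService.AuthException, and that the login path is "login" and the view to land on after login is "home".

```java
import com.vaadin.flow.component.Key;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.H1;
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.component.textfield.PasswordField;
import com.vaadin.flow.component.textfield.TextField;
import com.vaadin.flow.router.PageTitle;
import com.vaadin.flow.router.Route;

// Added example. The "login" path, the "home" target and the nested
// AuthService.AuthException type are assumptions.
@Route("login")
@PageTitle("Login")
public class LoginView extends VerticalLayout {

    public LoginView(AuthService authService) {
        TextField username = new TextField("Username");
        PasswordField password = new PasswordField("Password");
        Button login = new Button("Log in");
        login.addClickShortcut(Key.ENTER);

        login.addClickListener(event -> {
            try {
                // Authenticates and registers this session's routes in one step.
                authService.authenticate(username.getValue().trim(), password.getValue());
                getUI().ifPresent(ui -> ui.navigate("home"));
            } catch (AuthService.AuthException e) {
                // One message for every failure: the form must not reveal whether
                // the username exists or only the password was wrong.
                Notification.show("Wrong username or password");
            } finally {
                password.clear(); // do not leave the typed password in the field
            }
        });

        add(new H1("Login"), username, password, login);
    }
}
```

The view contains no authorization logic of its own: it only forwards the credentials, and navigation to "home" succeeds afterwards precisely because the service registered that route for the session.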
You can find the complete source code at https://github.com/alejandro-du/vaadin-auth-example. Keep in mind that this code is intended to be an example of how you can use the RouteConfiguration class to register routes at runtime for authorization reasons and might not be production-ready. For instance, a known issue with the example is that users can't use the log-in view to authenticate again (or with a different user) if they are already logged in. I hope this example serves as a starting point for implementing the authentication and authorization logic in your Vaadin Flow applications.