7

Im new on vaadin and spring security, I want to know if anyone had a complete project example of the vaadin 7.1 + spring-security integration running in a tomcat server (not in jetty).

Adel Khayata
  • 2,717
  • 10
  • 28
  • 46
rgaaray
  • 71
  • 1
  • 1
  • 3

4 Answers4

7

Vaadin 7 easy integrate with Spring Security. You should configure only 2 files. First - web.xml and second one spring-security.xml (user credentials and security settings). This is small example how to use base form for authentification.

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>Vaadin7SpringSecurity</display-name>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/spring-security.xml
    </param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- filter declaration for Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<http auto-config='true'>
  <intercept-url pattern="/*" access="ROLE_USER" />
</http>

<authentication-manager>
  <authentication-provider>
    <user-service>
      <user name="user" password="password" authorities="ROLE_USER" />
    </user-service>
  </authentication-provider>
</authentication-manager>  

</beans:beans>

For more details, how to extend spring-security.xml configuration you can use Spring resources.

Taras Klym
  • 521
  • 6
  • 7
  • 1
    actually its far from being "easy" - what you're showing is a SPRING application with vaadin SUPPORT - but actually building a VAADIN application with SPRING SECURITY support is ... somewhat hard : https://vaadin.com/wiki?p_p_id=36&p_p_lifecycle=0&p_p_state=pop_up&p_p_mode=view&_36_struts_action=%2Fwiki%2Fview&p_r_p_185834411_nodeName=vaadin.com+wiki&p_r_p_185834411_title=IV+-+Configuring+and+Using+Vaadin+Spring+without+Spring+Boot - sorry but your answer only is valid for a few very limited cases ... for people who want to use vaadin CDI its a real pain to get this going – specializt Aug 31 '15 at 19:20
2

You should have a look on this GitHub project. This is a Vaadin 7.1 + Spring 3.1.2.RELEASE + Spring-Vaadin integration 2.0.1 project. There is also a Jetty plugin inside, but you can run/deploy it also in tomcat without problems.

Rene Herget
  • 1,506
  • 13
  • 28
  • Thanks for your answer, I already use the project you mentioned but I don't know why when I enter the credentials and click in the login button I get forwarded to same login page and not to the UI – rgaaray Sep 04 '13 at 20:45
0

Here is a little project that integrates Vaadin and Spring Security. It's done in Scala, but obviously works in Java as well. Code is here.

frank.durden
  • 103
  • 1
  • 2
  • 5
  • Thnaks for your reply, I check out the code and I try to translate it to java, but I don't know scala so I had a little problems. I translate almost all, the only classes I have a doubt how to translate them are the NavigationErrorHandlingStrategy and the NavigatorFactory, can you help me translating these two classes to java please? – rgaaray Nov 13 '13 at 21:01
0

For referring the above example by using the latest spring-security, I encountered the following errors and provide my soultions:

Error1

Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema or spring-security-3.2.xsd schema with Spring Security 4.0. Please update your schema declarations to the 4.0 schema.

You should check your spring-* version and update the header tag of spring-security.xml. For example: I use spring-beans-4.1.6.RELEASE and spring-security-4.0.2.RELEASE. So I update it as:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.0.xsd">

Error2

HTTP Status 500 - Failed to evaluate expression 'ROLE_USER'
...
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 0): Property or field 'ROLE_USER' cannot be found on object of type 'org.springframework.security.web.access.expression.WebSecurityExpressionRoot' - maybe not public?
...

According to hints of this resource, you should revise intercept-url tag as following:

<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

Error3

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

That's because spring-security enables CSRF protection by default which conflicts with Vaadin. You should add a new tag inside http :

<csrf disabled="true" />

Here's my complete spring-security.xml for reference:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <http auto-config='true'>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <csrf disabled="true" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="yourUsername" password="yourPassoword" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
allen
  • 356
  • 5
  • 8