Description
Issue
The beans `viewAccessChecker` and `accessAnnotationChecker` are the core security handlers when using Vaadin 21+.
There are a number of reasons why one would like to provide a custom AnnotationChecker or ViewAccessChecker. You could implement a custom or new authorisation schema!
(No) Abstraction
While there is a way to forcefully overwrite the beans provided by Vaadin using `@Primary`, there are still issues:
- It's not documented, so no one knows to use `@Primary`, and if they do they can't name their bean `viewAccessChecker`
- There is no abstraction for AccessChecker and AnnotationChecker, which makes overwriting them quite hacky - you nearly need to use reflection to set a private field, which is a big no-no.
Quickfix
For users that need to solve this specific problem at the moment there is a (a little hacky) workaround:
Let's assume you want 2 custom annotations, `@Public` and `@Private` (keeping it simple for the sake of the example).
So you annotate your view with:

```java
@PageTitle("Admin")
@Route(value = "vm", layout = MainLayout.class)
@Private
public class AdminView extends VerticalLayout {
    // view content
}
```
Then you need to implement a custom annotation checker:

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.function.Function;

import com.vaadin.flow.server.auth.AccessAnnotationChecker;

public class CustomAnnotationChecker extends AccessAnnotationChecker {
    @Override
    public boolean hasAccess(Method method, Principal principal, Function<String, Boolean> roleChecker) {
        // THIS IS NOT A PROPER IMPL. JUST AN EXAMPLE -> Blocks everybody from @Private and just allows @Public
        return this.getSecurityTarget(method).isAnnotationPresent(Public.class);
    }

    @Override
    public boolean hasAccess(Class<?> cls, Principal principal, Function<String, Boolean> roleChecker) {
        return this.getSecurityTarget(cls).isAnnotationPresent(Public.class);
    }
}
```

Then you need to overwrite the annotation checker bean:

```java
@Bean
@Primary // very important
public AccessAnnotationChecker customAnnotationChecker() {
    return new CustomAnnotationChecker();
}
```

You are done :) ... no, not really, because for some reason `ViewAccessChecker` does not use the bean but instantiates the object itself, so you need to overwrite this bean too.

```java
@Primary
@Bean
public ViewAccessChecker customViewAccessChecker() {
    return new CustomViewAccessChecker();
}

class CustomViewAccessChecker extends ViewAccessChecker {
    public CustomViewAccessChecker() {
        // pass in the custom annotation checker from the @Bean method above
        super(customAnnotationChecker());
    }
}
```
Proposed Changes
If this issue is accepted as an issue and the changes are OK with the devs, I will implement the changes myself and create a PR to take the load off the core devs.
- Add interface for `AnnotationAccessChecker`
- Add interface for `ViewAccessChecker`
- Add `@ConditionalOnMissingBean` to all beans provided by Vaadin, thereby encouraging overwriting without introducing incompatibilities
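The quickfix's checker is marked as a placeholder because it denies `@Private` to everybody. The following added example (not code from the issue or from Vaadin) shows a fail-closed decision for the same `@Public`/`@Private` scheme in plain Java. The class `AccessDecision`, the nested annotations and views, and the rule that `@Private` means "any authenticated principal" are assumptions made for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.AnnotatedElement;
import java.security.Principal;

// Added example: hypothetical stand-ins, not Vaadin types.
public class AccessDecision {
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Public {}

    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Private {}

    // Private takes precedence over Public; a target with neither is denied.
    static boolean hasAccess(AnnotatedElement target, Principal principal) {
        if (target.isAnnotationPresent(Private.class)) {
            return principal != null; // assumption: any authenticated user may enter
        }
        return target.isAnnotationPresent(Public.class); // everything else: deny
    }

    // Constructed sample views covering the edge cases.
    @Public static class LoginView {}
    @Private static class AdminView {}
    @Public @Private static class ConflictingView {} // both annotations
    static class ForgottenView {}                    // no annotation at all

    static void check(boolean ok) {
        if (!ok) throw new AssertionError("unexpected access decision");
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice"; // constructed sample principal
        check(hasAccess(LoginView.class, null));        // public view, anonymous
        check(!hasAccess(AdminView.class, null));       // private view, anonymous
        check(hasAccess(AdminView.class, alice));       // private view, logged in
        check(!hasAccess(ConflictingView.class, null)); // conflict resolves to private
        check(!hasAccess(ForgottenView.class, alice));  // unannotated: denied
        System.out.println("all access decisions as expected");
    }
}
```

In a checker like the one in the quickfix, the same decision would be applied to the result of `getSecurityTarget(...)`, so a view someone forgot to annotate stays closed.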