Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing customization for accessAnnotationChecker and viewAccessChecker #914

Open
Tracked by #4382
nbrugger-tgm opened this issue Oct 6, 2021 · 0 comments
Open
Tracked by #4382

Missing customization for accessAnnotationChecker and viewAccessChecker #914

nbrugger-tgm opened this issue Oct 6, 2021 · 0 comments
Labels
enhancement

Comments

@nbrugger-tgm
Copy link

Issue

the beans viewAccessChecker and accessAnnotationChecker are the core security handlers when using vaadin 21+

There are number of reasons why one would like to provide a custom AnnotationCheker or ViewAccessChecker. You could implement custom or new authorisation schema!

(No) Abstraction

While there is a way to forcefully overwrite the beans provided by vaadin using @Primary there are still t issues

  • Its not documented so noone knows to use @Primary and if they do they cant name their bean viewAccessChecker
  • There is no abstraction for AccessChecker and AnnotationChecker which makes overwriting them quite hacky - you nearly need to use reflections to set a private field which is a big nono.

Quickfix

For users that need to solve this specific problem at the moment there is a (little hacky) workaround:

Lets assmue you want 2 custom annotations @Public and @Private (keep it simple for sake of example

So you annotate your View With

@PageTitle("Admin")
@Route(value = "vm", layout = MainLayout.class)
@Private
public class AdminView extends VerticalLayout {

Then you need to impement a custom Annotation Checker

public class CustomAnnotationChecker extends AnnotationAccessChecker {
    @Override
    public boolean hasAccess(Method method, Principal principal, Function<String, Boolean> roleChecker) {
        //THIS IS NOT A PROPPER IMPL. JUST AN EXAMPLE -> Blocks everybody from @Private and just allows @Public
        return this.getSecurityTarget(method).isAnnotationPresent(Public.class);
    }
    @Override
    public boolean hasAccess(Class<?> cls, Principal principal, Function<String, Boolean> roleChecker) {
        return this.getSecurityTarget(cls).isAnnotationPresent(Public.class);
    }
}

Then you need to overwrite the annotation checker bean

@Bean
@Primary //very important
public AnnotationAccessChecker customAnnotationChecker(){
    return new CustomAnnotationChecker();
}

You are done :) ... no not rly because for some reason ViewAccessChecker does not uses the bean but instanciates the object itself so you need to overwrite this bean too.

@Primary
@Bean
public ViewAccessChecker customViewAccessChecker() {
    return new CustomViewAccessChecker();
}
class CustomViewAccessChecker extends ViewAccessChecker{
    public CustomViewAccessChecker(){
        super(customAccessAnnotationChecker());
    }
}

Proposed Changes

If this issue is accepted as an issue and the changes are ok with the devs i will implement the changes myself and create a PR to take the load of the core devs

  1. Add interface for AnnotationAccessChecker
  2. Add interface for ViewAccessChecker
  3. add @ConditionalOnMissingBean to all beans provided by vaadin and therefore encouraging overwriting without introducing incompatibilities
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
OLD Vaadin Flow ongoing work (Vaadin 10+)
Status: Parking lot - under consideration
Vaadin Flow enhancements backlog (Vaadin 10+)
Status: Maybe
Milestone
No milestone
Development

No branches or pull requests
2 participants
@denis-anisimov @nbrugger-tgm