Vaadin-on-Kotlin Security Demo
Demonstrates the security aspect of the Vaadin-on-Kotlin framework. For general information on VoK Security please head to the vok-security module documentation.
To quickly start the app, make sure that you have Java 8 JDK installed. Then, just type this into your terminal:
```shell
git clone https://github.com/mvysny/vok-security-demo
cd vok-security-demo
./gradlew build web:appRun
```
The app will be running on http://localhost:8080/.
The app is running live on Heroku at https://vok-sec-demo.herokuapp.com.
About the application
The application uses username+password authorization, with users stored in an in-memory H2 SQL database (the User class). There are no publicly accessible views: the user must always log in first in order to see any part of the app.
There are two users pre-created by the Bootstrap class:
- The 'user' user with the password of 'user' and the role of
- The 'admin' user with the password of 'admin' and two roles:
The MyUI is configured to show a full-screen login form (provided by Vaadin-on-Kotlin as the LoginForm class).
The username and password are compared against the database. The User class takes advantage of the HasPassword mixin, which makes sure that passwords are stored only in hashed form.
If the login succeeds, the user is then stored into the session (or, rather, the is stored in the session along with the currently logged-in user; this way, all login/logout functionality is grouped into a single class). Then the page is refreshed, which forces Vaadin to create a new instance of the UI. Since a non-null user is now in the session, the UI shows the application layout instead of the login form.
There are four views:
- The WelcomeView which is accessible by all logged-in users;
- The UserView which is accessible by all users with roles
- The AdminView which is accessible by users with the
- The UserProfileView which shows info about the currently logged-in user and is therefore accessible by all logged-in users.
The MyUI class contains the logic for catching and displaying AccessRejectedExceptions, by installing a proper ErrorHandler into the UI. You can check that security is being enforced simply by running the project, logging in as an admin (user admin) and clicking on the "Admin" page (or visiting the http://localhost:8080/admin link).
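The two mechanisms described above, hashed password storage via a HasPassword-style mixin and role checks that raise an AccessRejectedException, as a self-contained Kotlin example added here. This is not the demo's or vok-security's own code: the HasPassword, User, LoginService and AccessRejectedException types below are stand-ins with assumed shapes, the hashing uses PBKDF2 from the JDK rather than whatever vok-security uses, and the role names "user" and "admin" are assumed sample values.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

private const val ITERATIONS = 120_000
private const val KEY_BITS = 256

// Salted PBKDF2-HMAC-SHA256 (JDK built-in); the iteration count is stored next to the hash
// so it can be raised later without invalidating existing records.
private fun pbkdf2(password: String, salt: ByteArray, iterations: Int = ITERATIONS): ByteArray {
    val spec = PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS)
    return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
}

// Stand-in for the HasPassword mixin (assumed shape, not vok-security's code): the entity only ever
// holds the salted hash, never the plaintext.
interface HasPassword {
    var hashedPassword: String

    fun setPassword(password: String) {
        val salt = ByteArray(16).also { SecureRandom().nextBytes(it) }
        val enc = Base64.getEncoder()
        hashedPassword = "pbkdf2:$ITERATIONS:${enc.encodeToString(salt)}:${enc.encodeToString(pbkdf2(password, salt))}"
    }

    fun passwordMatches(password: String): Boolean {
        val parts = hashedPassword.split(':')
        if (parts.size != 4 || parts[0] != "pbkdf2") return false
        val dec = Base64.getDecoder()
        val salt = dec.decode(parts[2])
        val expected = dec.decode(parts[3])
        // Constant-time comparison so the check does not leak how many bytes matched.
        return MessageDigest.isEqual(pbkdf2(password, salt, parts[1].toInt()), expected)
    }
}

// Hypothetical User entity; the real one lives in the demo's in-memory H2 database.
data class User(val username: String, val roles: Set<String>, override var hashedPassword: String = "") : HasPassword

// Hypothetical exception type standing in for the one MyUI's ErrorHandler catches.
class AccessRejectedException(message: String) : RuntimeException(message)

// Hypothetical session-scoped login service grouping login/logout and the access check.
class LoginService(private val users: Map<String, User>) {
    var currentUser: User? = null
        private set

    fun login(username: String, password: String): Boolean {
        val user = users[username] ?: return false
        if (!user.passwordMatches(password)) return false
        currentUser = user
        return true
    }

    fun logout() { currentUser = null }

    // Mirrors the view rules in the README: every view needs a logged-in user, and a view that
    // requires roles needs the user to hold at least one of them.
    fun checkAccess(viewName: String, requiredRoles: Set<String> = emptySet()) {
        val user = currentUser ?: throw AccessRejectedException("Not logged in: cannot open $viewName")
        if (requiredRoles.isNotEmpty() && user.roles.none { it in requiredRoles }) {
            throw AccessRejectedException("User ${user.username} lacks any of $requiredRoles for $viewName")
        }
    }
}

fun main() {
    // Constructed sample users in the spirit of the Bootstrap class (role names are assumed).
    val users = listOf(
        User("user", setOf("user")).apply { setPassword("user") },
        User("admin", setOf("user", "admin")).apply { setPassword("admin") },
    ).associateBy { it.username }
    println("stored for 'user': " + users.getValue("user").hashedPassword)

    val login = LoginService(users)
    check(!login.login("user", "wrong"))
    check(login.login("user", "user"))
    login.checkAccess("WelcomeView")                 // any logged-in user
    login.checkAccess("UserView", setOf("user"))     // needs the "user" role
    try {
        login.checkAccess("AdminView", setOf("admin"))
    } catch (e: AccessRejectedException) {
        println("rejected as expected: ${e.message}") // what the UI's ErrorHandler would display
    }
    login.logout()
    check(login.login("admin", "admin"))
    login.checkAccess("AdminView", setOf("admin"))   // admin holds the "admin" role
    println("admin reached AdminView")
}
```

Two details carry the security value: the stored string is a salt plus a PBKDF2 output rather than the password, and every access check starts from "is anyone logged in at all" before looking at roles, which is the property the README states for all four views.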
Visit the web module docs for more documentation on the individual project files.
Dissection of project files
Let's look at all files that this project is composed of, and what are the points where you'll add functionality:
| File | Description |
|---|---|
| build.gradle | Gradle build tool configuration file. Gradle is used to compile your app, download all dependency jars and build a war file. |
| gradlew, gradlew.bat, gradle/ | Gradle runtime files, so that you can build your app from the command line simply by running |
| .travis.yml | Configuration file for Travis-CI which tells Travis how to build the app. Travis watches your repo; it automatically builds your app and runs all the tests after every commit. |
| Procfile | Configuration file for Heroku which hosts the app. Heroku will wait for Travis to verify the build, then it will build a Tomcat bundle and run it inside of docker. |
| .gitignore | Tells Git to ignore files that can be produced from your app's sources, be it files produced by Gradle, Intellij project files etc. |
| web/ | The web Gradle module which hosts the web application itself. You can add more Gradle modules as your project grows. Visit the web module docs for more documentation. |
Development with Intellij IDEA Ultimate
The easiest way (and the recommended way) to develop Karibu-DSL-based web applications is to use Intellij IDEA Ultimate. It includes support for launching your project in any servlet container (Tomcat is recommended) and allows you to debug the code, modify the code and hot-redeploy the code into the running Tomcat instance, without having to restart Tomcat.
- First, download Tomcat and register it into your Intellij IDEA properly: https://www.jetbrains.com/help/idea/2017.1/defining-application-servers-in-intellij-idea.html
- Then just open this project in Intellij, simply by selecting File / Open... and clicking on the build.gradle file. When asked, select "Open as Project".
- You can then create a launch configuration which will launch the exploded in Tomcat with Intellij: just scroll to the end of this tutorial: https://kotlinlang.org/docs/tutorials/httpservlets.html
- Start your newly created launch configuration in Debug mode. This way, you can modify the code and press Ctrl+F9 to hot-redeploy it. This only redeploys Java code though; to redeploy resources, press Ctrl+F10 and select "Update classes and resources".