Describe how to secure embedded component #584
Reviewed 5 of 5 files at r1.
Reviewable status: 13 unresolved discussions, 0 of 1 LGTMs obtained (waiting on @denis-anisimov)
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 13 at r1 (raw file):
To be able to do that you may use embedded web component properties.
This reads as "embedded **** properties".
"To be able to do that, use properties of the embedded web component."
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 15 at r1 (raw file):
web component properties. Note that the web component will be instantiated anyway regardless of
The word "anyway" is not needed here.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 16 at r1 (raw file):
Note that the web component will be instantiated anyway regardless of restricted access since you may check the property value only when it's
I think we should aim for passive person, when describing code functionality, so
"-- restricted access since the property value can only be checked when --"
also, avoid contractions in technical text: "it's" -> "it is".
Please slap me, when I do this. I tend to forget.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 19 at r1 (raw file):
updated from the client side in your listener on the server side. It means that you should avoid initialization of your component with a sensible data in its constructor.
Sentence can be reduced:
"It means that you should avoid initialization of your component with a sensible data in its constructor."
->
"It means that you should avoid sensitive data in the component's constructor." (The user won't have a way to avoid initialization, so I don't think it needs to be mentioned here)
"sensible" -> "sensitive"
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 22 at r1 (raw file):
Here is an example how to set a property from the embedding page and check it inside the embedded application:
We are talking about "embedded application" and "embedded web component" interchangeably in the text (probably in the others, too). Should we pick one and use it exclusively, at least in this tutorial?
I think "embedded application" is the one to go with.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 53 at r1 (raw file):
---- Here is the element `my-comp` is embedded into the static page and the `token`
"Here is the element" -> "Here the element"
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 54 at r1 (raw file):
Here is the element `my-comp` is embedded into the static page and the `token` property is set from a JS function which retrieves it somehow within `login`
We should probably open "JS" to "JavaScript"
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 91 at r1 (raw file):
public EmbeddedComponent() { // Don't retrieve any sensible data here without granted access
"sensible" -> "sensitive"
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 103 at r1 (raw file):
The embedded web component will be instantiated before the exporter instance receives the token value and you should not retrieve /initialize the component with any sensible data in its constructor.
"sensible" -> "sensitive"
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 107 at r1 (raw file):
[NOTE] It might be that you don't have a control over embedding web component to
For consistency: "don't" -> "do not"
documentation/src/main/html/EmbeddedSecurity.html, line 26 at r1 (raw file):
<my-comp id="embedded-web-component"></my-comp> </body>
new line
documentation/src/main/java/com/vaadin/flow/tutorial/embeddingflowapplications/EmbeddedComponent.java, line 17 at r1 (raw file):
// Initialize your secured component here } }
new line
documentation/src/main/java/com/vaadin/flow/tutorial/embeddingflowapplications/EmbeddedComponentExporter.java, line 33 at r1 (raw file):
} }
new line
Reviewable status: 13 unresolved discussions, 0 of 1 LGTMs obtained (waiting on @ujoni)
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 13 at r1 (raw file):
Previously, ujoni (Joni) wrote…
To be able to do that you may use embedded web component properties.
This reads as "embedded **** properties".
"To be able to do that, use properties of the embedded web component."
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 15 at r1 (raw file):
Previously, ujoni (Joni) wrote…
The word "anyway" is not needed here.
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 16 at r1 (raw file):
Previously, ujoni (Joni) wrote…
I think we should aim for passive person, when describing code functionality, so
"-- restricted access since the property value can only be checked when --"
also, avoid contractions in technical text: "it's" -> "it is".
Please slap me, when I do this. I tend to forget.
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 19 at r1 (raw file):
Previously, ujoni (Joni) wrote…
Sentence can be reduced:
"It means that you should avoid initialization of your component with a sensible data in its constructor."
->
"It means that you should avoid sensitive data in the component's constructor." (The user won't have a way to avoid initialization, so I don't think it needs to be mentioned here)
"sensible" -> "sensitive"
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 22 at r1 (raw file):
embedded application
Hm....
embedded application
is used here.
The problem is:
- there are properties for embedded application
- it's not possible to instantiate it.
Here in this tutorial the embedded component is used only when some instance in the context.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 53 at r1 (raw file):
Previously, ujoni (Joni) wrote…
"Here is the element" -> "Here the element"
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 54 at r1 (raw file):
Previously, ujoni (Joni) wrote…
We should probably open "JS" to "JavaScript"
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 91 at r1 (raw file):
Previously, ujoni (Joni) wrote…
"sensible" -> "sensitive"
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 103 at r1 (raw file):
Previously, ujoni (Joni) wrote…
"sensible" -> "sensitive"
Done.
documentation/embedding-flow-applications/tutorial-webcomponent-security.asciidoc, line 107 at r1 (raw file):
Previously, ujoni (Joni) wrote…
For consistency: "don't" -> "do not"
Done.
documentation/src/main/html/EmbeddedSecurity.html, line 26 at r1 (raw file):
Previously, ujoni (Joni) wrote…
new line
Done.
documentation/src/main/java/com/vaadin/flow/tutorial/embeddingflowapplications/EmbeddedComponent.java, line 17 at r1 (raw file):
Previously, ujoni (Joni) wrote…
new line
Done.
documentation/src/main/java/com/vaadin/flow/tutorial/embeddingflowapplications/EmbeddedComponentExporter.java, line 33 at r1 (raw file):
Previously, ujoni (Joni) wrote…
new line
Done.
Reviewed 4 of 4 files at r2.
Reviewable status: complete! all discussions resolved, 1 of 1 LGTMs obtained
* Updated to 14.0-SNAPSHOT (#546)
* Avoid linking to a third party web site (#537)
* use reserved example.com domain as example
* use backslash to avoid displaying that as link
* Remove the unnecessary tutorial module (#545)
* Theming embedded components (#554)
* Theming embedded components Part of flow#4984
* Add file extension (#556) Fixes #550
* Extend the SSWC tutorial with fireEvent example. (#538) Part of vaadin/flow#5272
* Add a note to the tutorial about automatic servlet registration (#540) Part of vaadin/flow#5070
* Embedding web components: update properties and fire events tutorial (#555), completes #5259 and #5272
* Use relative link on doc reference (#558)
* Resolve jetty-server vulnerability (#561)
* Retrieving User Input Using the Element API (#495)
* Retrieving User Input Using the Element API Edited content
* removed obsolete line (breaks build)
* Update documentation/element-api/tutorial-user-input.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update tutorial-user-input.asciidoc typo
* Add link to properties, update page number for ewc theming (#562)
* Document Push configuration for SSWC (#560) (Part of flow#5194)
* Dynamic Styling Using the Element API (#496)
* Dynamic Styling Using the Element API Edited content
* Update documentation/element-api/tutorial-dynamic-styling.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/element-api/tutorial-dynamic-styling.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/element-api/tutorial-dynamic-styling.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update tutorial-dynamic-styling.asciidoc - Merged overlap content from Element Properties and Attributes
* Update tutorial-properties-attributes.asciidoc - Deleted Using classLists and classNames and Using the Style Object sections (moved to Dynamic Styling page
* Update tutorial-dynamic-styling.asciidoc minor edits
* moved source code to right file
* Update tutorial-flow-shortcut.asciidoc (#504)
* Update tutorial-flow-shortcut.asciidoc - Edited content - Moved the page higher in the page order
* Update documentation/components/tutorial-flow-shortcut.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/components/tutorial-flow-shortcut.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/components/tutorial-flow-shortcut.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/components/tutorial-flow-shortcut.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/components/tutorial-flow-shortcut.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update documentation/components/tutorial-flow-shortcut.asciidoc Co-Authored-By: ruthstocks <44681145+ruthstocks@users.noreply.github.com>
* Update tutorial-flow-shortcut.asciidoc minor language edit
* Update tutorial-flow-shortcut.asciidoc minor edits
* Update tutorial-router-dynamic-routes.asciidoc (#531) Edited content
* Update tutorial-routing-lifecycle.asciidoc (#532) - Edited the new Forward section. - Added internal page links - Other minor edits.
* Fix invalid link in the tutorial (#541) Fixes #539
* Update tutorial with the recent API changes (#563)
* correct reference syntax (#559)
* Correct doc layout format (#557) (Fixes #551)
* Fix ParentPrefix -> RoutePrefix (#569)
* Add a tutorial about embedded wc in production mode
* Add verification file
* Correct sentences
* Update tutorial to match abstract WebComponentExporter approach
* Review fixes: dot + isAdultProperty
* Describe how to secure embedded component (#584)
* Add a tutorial about security in embedded web applications
* Add HTML verification file
* Correct wordings
* Update jetty.version to solve the vulnerability alert
* Merge branch 'master' into bu/2.0-merge-master
* Fix validation.
Fixes flow#5005