Errai: The browser as a platform

Wednesday, May 29, 2013

Security

Security is important in any web application and with GWT this is not trivial. There are some well known security frameworks like PicketLink and Shiro, but they are hard to integrate into GWT because they are still request and URL based. So we decided that in true Errai fashion this should be easy.

The new security module is based on PicketLink, but can work with others as well, and integrates well with Errai's existing features like multi-page navigation and automatic data binding. To create a login page for example you'll need something like this:

There are a couple of things that are new here: on the @Page annotation we've introduced the notion of roles. A page can have multiple roles. "Default Page" is now also a page role. You can also define custom page roles in your application and use them to group your pages however you like. LoginPage is a special role that the security module defines. Errai-security will 'redirect' the user to the Login Page when they don't have enough rights to continue.

That raises the question: how do we specify that we need a logged in user for a specific operation or view? Well, we annotate:

This will 'redirect' the user to the login page when the user is not logged in or doesn't have the admin role. Now for those of you who are paying attention, you will have noticed that this is not very secure as this will all happen in the browser via JavaScript. Although the JavaScript is hard to read, an attacker could still be able to call the service even if he is not allowed. That is why the interceptors have server side equivalents that will throw exceptions instead of 'redirecting' the user.

On the server side, the interceptors are CDI interceptors and in order for them to activate you'll need to add them to your beans.xml.

When a user logs in or out, CDI events are fired. Of course, you can observe these events. Also, you can hide elements declaratively based on users' roles. For instance, hide a menu item in a navigation bar:

In this example the admin link is only shown when the user has this role. You'll need to remember to also annotate the Service methods that fetch data for this admin page as you can not rely on these client side checks alone.

Let me know what you think of it and what kind of features you would like to see in there.


9 comments:

  1. For clarity's sake, you could remove the unnecessary style attributes from the HTML template example!

    ReplyDelete
  2. This looks great. One question though. It would be preferable not to use Errai-specific annotations for @RequireRoles etc. Has DeltaSpike still not gotten around to defining such annotations in the security module? Is JBoss still working with DeltaSpike? Seems to me stuff like this should be leveraging DeltaSpike (with Picketlink under the covers) and then just mixing in Errai magic on top to support the annotations client-side?

    ReplyDelete
    Replies
    1. The reason for the Errai specific annotations is to make sure that it works together with other Errai functionality like navigation and client interceptors. If you don't want to use them you loose the whole integration with the front-end. In the end that is what Errai-security is a front-end integration with the PicketLink backend.

      Delete
    2. Hi Erik

      Security is a big thing. And expecting people to use PicketLink because they are are using errai is a big ask.

      We are using Apache Shiro, and we are really wanting to have a clean integration with Errai.

      Surely there is someway to have an interface that allows for an independence of security provider and Errai ?

      Delete
    3. Hi Anton,

      Of course there is an interface that you could implement, right now I've have done only one e.g. PicketLink, but there could be other implementations as well. Which implementation is used can be selected at runtime by adding them as alternatives in the bean.xml.

      also see this https://github.com/edewit/errai/blob/master/errai-security/src/main/java/org/jboss/errai/security/server/JaasAuthenticationService.java fairly empty example of an alternative.

      Cheers,
      Erik Jan

      Delete
  3. I'm very happy being Herpes free now. It was a sad incident that was announced to me after the check up in the hospital and I was diagnosed of HSV 2. I thank God now for using Dr.odey Abang to cure my virus. I'm not ashamed to say this because no virus of such can be detected in me. I'm Charlotte from Columbia. I thought about it many Times when I heard about this Herbal cures for Herpes. I was really happy when I came across blogs of comments of Doctors who run cures sicknesses and was comfortable to try Dr. Abang from patients testimony I came across here on my online page. I knew now they are real Africa herbalists who run cures for Herpes. There's every opportunity to be cure with natural herbs, because all medical prescriptions are derived from herbs and roots. Its really hard time living with Herpes on drugs which can't get you cure. I tried this and I can boost of myself now as a woman. I need to be loved not to lost, get your instant cure to all sicknesses from Dr, Odey Abang.
    He cures HSV,HPV,Cancer,low spam count and much more from the evidence I saw 💯 % sure no site effects with active immune booster

    Email him for you cure
    Odeyabangherbalhome@gmail.com
    WhatsApp/calls
    +2349015049094

    ReplyDelete
  4. Nothing is not possible in this word.
    Herpes I cried out for 8moths had a cure and was making use of the Medication that never wanted a life living on drugs, I applied Antibiotics, he prescribed for me the acyclovir(Zovirax), famciclovir (Famvir), andvalacyclovir (Valtrex).
    They never get me cured.
    My God keep blessing you and your Family. Dr
    ODEY ABANG, your a powerful Herbalist fir your work in my life
    I wish you know how I feel inside me when I was making use of does tablets that never could there get me cured. I had to search about some of my favourite blogs when I thought about Dr Odey abang from the testimonies of patients and I remember a friend who told me I should try Dr. Odey Abang herbal medicine. He told me the man can cure me,but was shy and feel its dirty taking in herbs made with African herbalists.
    You need to know I would have been cured before now since I knew him then, but still interested in letting you that was my punishment.
    Thanks reading my article, feel good and not make my mistake, I love testimonies and explanations of the new beginning is all I hope for
    Think about your live and use herbs to get you cured of your challenge on
    HIV/Aids
    SYPHILIS
    DIABETES
    CANCER
    ALL CAN BE CURED WITH MANY OTHERS BY DR. ODEY ABANG
    His email is for you so you speak to him

    Odeyabangherbalhome@gmail.com
    WhatsApp number +2349015049094

    ReplyDelete