@RolesAllowed annotation seems to have no effect in Vaadin 23

[mrts]

When using Vaadin 8 CDI add-on, access to @CDIView()s that are annotated with @RolesAllowed() is restricted to authenticated users who belong to the corresponding role.

It is not clear from the documentation how to achieve this with Vaadin 23 CDI add-on. I used the official Vaadin 23 Flow CDI starter and defined the following view:

@Route("me")
@RolesAllowed(Constants.USERS_ROLE)
@Tag("my-view")
@JsModule("./src/views/my-view.ts")
public class MyView extends LitTemplate {
}

When I open http://localhost:8080/me, then

Expected: unauthenticated users are not allowed to access the view.
Actual: the view is publicly accessible.

What am I missing?

[TatuLund]

Currently there is nothing in CDI add-on that would use RolesAllowed. The annotation itself is empty placeholder. In Spring add-on we have helpers extending Spring Security, which also adds access annotation checker. In the nutshell that implementation works so that it adds global BeforeEnterEvent listener (see: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/auth/ViewAccessChecker.java), and checks if the annotation is present in the target route and does rerouting based on the annotation. Technically it could be possible to do something similar with CDI also, but it requires decision on what security integration system we would use. This is necessary, as without connection to user principal the annotation would be meaningless (see our Spring implementation here: https://github.com/vaadin/flow/blob/master/flow-server/src/main/java/com/vaadin/flow/server/auth/AccessAnnotationChecker.java#L237) In case of Spring it is natural to use Spring Security, but in CDI world there are multiple competing solutions. We could e.g. decide just to support this with Shiro out of the box.

Note, you can implement this kind of annotation checker in your application logic, it is pretty straight forward. Just reverse engineer our Spring implementation and apply the same e.g. with Shiro or what ever you are using for authentication. Our code is probably more superfluous what you need in just an application.

[mcollovati]

Here's the link to the documentation about securing plain java application, that may help to set up things as well for CDI
https://vaadin.com/docs/latest/security/advanced-topics/securing-plain-java-app

[mrts]

Alright, that's quite a big change then. @RolesAllowed() @CDIView()s' JAAS integration worked flawlessly with Vaadin 8, see e.g. this. Thank you for the explanation and references! I'll experiment with the ViewAccessChecker and get back when time allows. I think that the recommended solution should be documented in the CDI docs.