As a JEE developer at heart, I really like the way I can use Vaadin on Bluemix to create rich, modern user interfaces, using the Java technology that is familiar to me. The Bluemix Vaadin boilerplate deploys an application running on the Liberty for Java runtime environment. I needed a way to secure the application, and decided to look at the latest features of the Bluemix Single Sign On (SSO) service. The Bluemix SSO service documents how to secure both Node.js and Java web applications. However, the Vaadin sample code does not exactly match the examples – this blog will help you bridge the gaps.
Initially, you’ll want to deploy the Vaadin boilerplate, which provides a Liberty for Java runtime environment, an SQL Database, and a web application that renders a simple welcome page.
Unlike other boilerplates, you’re directed to download the Vaadin sample application, optionally make changes and recompile, then push the resulting web application war file to Bluemix. The changes required to utilize the Bluemix SSO service from the Vaadin sample are:
The Vaadin sample code does not include a web.xml; instead, it uses Java annotations to make these definitions. The Bluemix SSO service secures an app on the Liberty for Java runtime through the security constraints defined by standard JEE web.xml deployment descriptor elements. If the web application contains only a servlet, the required security constraints can also be specified using Java annotations. However, if the web application does not use a servlet, then a web.xml file is still required (see this link). In this case, the simplest approach is to add a new web.xml, as it aligns with the Bluemix SSO service documentation. The new web.xml file would need to be added to the Vaadin source code at \vaadin-jpa-app\src\main\webapp\WEB-INF\web.xml. For example, it could add a security constraint like this:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
Note that the URL pattern for the Vaadin application has been added to a <security-constraint> element, so that it is accessible only to users in the “user” role. After adding the web.xml file, the source must be recompiled and packaged into a war file using Maven. For more information, see the documentation for the Vaadin sample code DevOps project.
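The constraint described above, written out as a complete web.xml. This is an added example, not the file from the original post: the /* URL pattern is an assumption about where the Vaadin servlet is mapped, and the resource and display names are illustrative, while the “user” role name comes from the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: illustrative web.xml, not the file from the original post. -->
<web-app id="WebApp_ID" version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

  <security-constraint>
    <display-name>Authenticated users only</display-name>
    <web-resource-collection>
      <web-resource-name>vaadin-ui</web-resource-name>
      <!-- Assumption: the Vaadin servlet is mapped at the context root,
           so this pattern also covers its static resources. -->
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements are listed on purpose: the constraint
           then applies to every HTTP method. Listing only some methods
           leaves the unlisted ones unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Role required to reach the pattern above. -->
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every role used in an auth-constraint must be declared here;
       server.xml then maps this role to real users. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Until the role is mapped to users in server.xml and the SSO service is bound, the declared role has no members, so the mapping step that follows is still required.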
Package a Liberty server runtime, to include a modified server.xml
The Liberty for Java runtime needs to be configured, using its server.xml file, to map the role(s) used to secure the application (in the web.xml), to users in a user directory (in this case, using the Bluemix SSO service). Note the server.xml must also enable the Liberty for Java features required by the Vaadin application:
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<webApplication id="vaadin-jpa-application" location="vaadin-jpa-application.war" name="vaadin-jpa-application">
To update the configuration of the Liberty for Java runtime on Bluemix, it is necessary to package a local Liberty runtime environment that includes the modified server.xml and the application war file (which should be copied to the “apps” folder of the local Liberty runtime). The resulting package can then be pushed to Bluemix.
The server is packaged into a zip using the "server package" command. The resulting Liberty server package is pushed to Bluemix using the cf tool. It makes sense to specify a previously deployed Vaadin boilerplate as the application name, as this will ensure an SQL Database service is already bound to the Liberty for Java runtime on Bluemix.
Note that after deploying a packaged Liberty server, the URL to access the application needs a context-route appended to the route defined in the Bluemix dashboard. The resulting URL will render the sample Vaadin app, but it is not yet secured.
Add the Bluemix SSO service to the application
After the service has been created, it requires some simple configuration to give it a name, and create an identity source. I used the simple cloud directory, and configured some users.
Once the configuration is complete, the SSO service can be bound to the Liberty for Java runtime. Before testing, it's wise to clear any browser cookies. The app should now be secured:
The Sign In dialogue can be changed to match the presentation of the application – see the Single Sign On service documentation.
By default, the user will be prompted to consent to the app accessing their details in the cloud directory identity source. Alternatively, this consent can be granted by default in the cloud directory settings.
That’s it. Enjoy working with your secured Vaadin Bluemix app.