GWT 2.5 easy Bean validation

The goal of this paper is to setup quickly and smoothly a clean validation process on your DTO. It shows an easy setup using GIN and GWT-Dispatch. An Intro is also available here Gwt 2.5 Validation Intro

The needed libraires to start are: Javax validation (Api), Hibernate validators (Sources and Implementation) and Slf4j (logger).
For the next step we are going to build a custom annotation which will be use into our gwt-dispatch actions:
Here the code for custom validator and his annotation:

@Target({ ElementType.FIELD, ElementType.ANNOTATION_TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Constraint(validatedBy = RequiredValidator.class)
public @interface Required {
    String message() default "Value is required";
    Class[] groups() default {};
    Class[] payload() default {};
}

 

public class RequiredValidator implements ConstraintValidator {
    @Override
    public void initialize(Required constraintAnnotation) { }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        return (!Strings.isNullOrEmpty(value));
        // use Guava strings to check null or empty value
    }
}

Now we can use our required annotation into our action (There is also a possibility to use more than one annotation on our field):

public class SendMailAction extends ActionImpl {
    @Required
    private String email;
  ...
    private SendMailAction(String email) {
       this.email = email;
    }
  ...
  // add accessors
}

To complete module settings we need a validator factory for the module like it is shown into the Gwt Devguide:

public final class ClientValidatorFactory extends AbstractGwtValidatorFactory {

    // Syntax for multiple class:  @GwtValidation({action1.class, action2.class})
    @GwtValidation(SendMailAction.class)
    public interface GwtValidator extends Validator {
    }
    @Override
    public AbstractGwtValidator createValidator() {
        return GWT.create(GwtValidator.class);
    }
}

Now we are going to write a generic constraint validation manager which will be provided using Gin Injector. Here it is :

public class ClientValidation extends Validation {
    private Validator validator;
    private Set<ConstraintViolation> constraintViolations;

    public ClientValidation() {
        this.validator = buildDefaultValidatorFactory().getValidator();
    }
    public Set<ConstraintViolation> getConstraintViolations(Object object) {
        this.constraintViolations = validator.validate(object);
        return constraintViolations;
    }
    public String getPrimaryMessage() {
        return constraintViolations.iterator().next().getMessage();
    }
}

Finally we can configure one single instance into our module:

...
bind(ClientValidation.class).in(Singleton.class);

and use it everywhere on client side with @Inject:

if (!clientValidation.getConstraintViolations(new sendMailAction(email)).isEmpty()) {
            alert(clientValidation.getPrimaryMessage());
} else {
    // do something
}

Thanks to the GWT team for those enhancements for client side validation.

Securing Spring Faces (Webflow 2 + Spring Security 3) application.

The post is for people who are using Spring Faces and need basic security aspects.

Update your spring faces dependency in the pom.xml if your project is a maven one :
There is a bug in the 2.3.0 Release between the flow executor and phase listener. This is important because our login page is a facelet which is not in a flow.

<dependency>
	<groupId>org.springframework.webflow</groupId>
	<artifactId>spring-faces</artifactId>
	<version>2.3.1.BUILD-SNAPSHOT</version>
</dependency>

Add context security file to the configuration with this content :

<security:http auto-config="true">
		<security:intercept-url pattern="/views/**" access="ROLE_USER"/>
		
		<security:form-login 
			login-processing-url="/j_spring_security_check"
			login-page="/" authentication-failure-url="/"
			default-target-url="/flowprocess/shopping" />
			
		<security:logout/>
	</security:http>
	
	<security:user-service id="userService">
    		<security:user name="guest" password="guest" authorities="ROLE_USER"/>
  	</security:user-service>
	
	<security:authentication-manager>
		<security:authentication-provider user-service-ref="userService"/>
	</security:authentication-manager>

Configuring security into webflow in 2 steps:

1 – Adding secure flow context listener into the configuration file as shown below :

<beans:bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener" />

<beans:bean id="facesContextListener" class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener"/>

<flow-executor id="flowExecutor">
	<flow-execution-listeners>
		<listener ref="facesContextListener"/>
		<listener ref="securityFlowExecutionListener"/>
	</flow-execution-listeners>
</flow-executor>

2 – Configure the flow to check access and authorizations before runing by adding the secure tag into the flow.xml file:

<flow start-state="identifyCustomer" xmlns="http://www.springframework.org/schema/webflow"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/webflow
	http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

<secured attributes="ROLE_USER"/>
…

</flow>

Very Important Notice : If we’re using subflows in our architecture, Spring does not propagate the secured configuration to child. Secure tag must be explicitely mentionned in all our subflows. I hope this will be a fix in further releases.

Create a Spring security form-login as index page into the project.

<h:form prependId="false" >
			
	<table class="form">
		<tr>
		<td><h:outputLabel value="Identifiant: " for="j_username" /></td>
		<td><h:inputText id="j_username" required="true" value="#{authenticationBean.username}" styleClass="textInput" /></td>
		
		</tr>
		<tr>
		<td><h:outputLabel value="Mot de passe " for="j_password" /></td>
		<td><h:inputSecret id="j_password" required="true" value="#{authenticationBean.password}" styleClass="textInput" /></td>
		</tr>
	</table>
				 
	<div class="buttonContainer">
		<h:commandLink styleClass="styledButton" action="#{authenticationBean.onLogin}" value="Connect"  />
	</div>
					
</h:form>

Now the flow is secure and to execute it, user should give corrects credentials. In the next article i’ll integrate OpenID authentication.

In my project i have shopping-flow wich use customer-flow as subflow. To check the point in notice above, try to call directly the shopping/customer here unsecured access to the subflow and secured access, redirection to the login

The complete project source code is available here github