
Performance testing in Vaadin apps

Petr Müller
On Oct 17, 2017 6:01:00 AM

Website speed and responsiveness are two of the primary quality requirements in Web projects, as they have a direct impact on revenue, both positive and negative. Although Vaadin is a great open-source web framework for developing rich internet applications, it is no secret that testing the performance of Vaadin-based applications is not a trivial task. What makes it difficult? And how do you run load tests on Vaadin apps in the most effortless way?

Why is it difficult to load test Vaadin 8 apps

In a nutshell, to test the performance of your app, you must be able to put it under load. You can do that by using a performance testing tool to create a test scenario, which is then automatically performed by a large number of virtual users. And that’s where it gets complicated for Vaadin.

As one of its security features, Vaadin tries to prevent the so-called cross-site request forgery (more about CSRF on Wikipedia). One method of defending against CSRF is for the server to generate a random token that is sent to the user and then checked when processing requests.


The security tokens (or dynamic values) need to be obtained from the returned HTTP responses and then correlated with every request for every virtual user (and there can be thousands).

What a token looks like in a request:

  "uidl":"{\"Vaadin-Security-Key\":\"bda6f482-785b-4c67-a7d9-cbc5c3b679ee\"}", ...

The load test has to have a mechanism for dealing with this. That’s where the automatic correlation comes in.
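What correlation has to do for each virtual user, shown as an added example that is not code from the original article or from the tool it describes. `FakeSession` is a constructed stand-in for a server-side session, and the `syncId`, `csrfToken` and `rpc` field names are assumptions made for illustration; only `uidl` and `Vaadin-Security-Key` come from the sample above.

```python
import hmac
import json
import uuid


class CorrelationError(Exception):
    """A dynamic value could not be extracted from a response."""


class FakeSession:
    """Constructed stand-in for one server-side session with its own token."""

    def __init__(self):
        self.token = str(uuid.uuid4())

    def bootstrap_response(self):
        # As in the article's sample, "uidl" is JSON encoded as a string.
        inner = json.dumps({"Vaadin-Security-Key": self.token, "syncId": 0})
        return json.dumps({"uidl": inner})

    def accepts(self, request_body):
        # Constant-time comparison of the submitted token with the session's.
        sent = json.loads(request_body).get("csrfToken", "")
        return hmac.compare_digest(str(sent), self.token)


def extract_values(response_body):
    """Decode the outer JSON, then the nested "uidl" string."""
    try:
        inner = json.loads(json.loads(response_body)["uidl"])
        return {"token": inner["Vaadin-Security-Key"], "sync_id": inner["syncId"]}
    except (ValueError, KeyError, TypeError) as exc:
        raise CorrelationError(f"dynamic value not found: {exc!r}") from exc


def build_request(values, rpc):
    # Field names are assumptions for illustration, not a recorded request.
    return json.dumps({"csrfToken": values["token"],
                       "syncId": values["sync_id"], "rpc": rpc})


def run_users(count, correlate):
    """Return how many virtual users had their follow-up request accepted."""
    recorded = extract_values(FakeSession().bootstrap_response())  # recording run
    accepted = 0
    for _ in range(count):
        session = FakeSession()
        fresh = extract_values(session.bootstrap_response())
        values = fresh if correlate else recorded  # replaying = no correlation
        accepted += session.accepts(build_request(values, rpc=[]))
    return accepted
```

With `correlate=False` every virtual user replays the token captured during recording, so the stand-in session rejects all of them; a load test in that state measures error handling rather than the application.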

Using automatic correlation

Although it is possible to find some workarounds to the dynamic values issue, none of them are suitable for use in a production environment. There are many tools for general performance testing; however, there is a special Vaadin module included in the tool to deal with this problem.

The Vaadin module within automatically correlates all Vaadin dynamic values. Those include the aforementioned security keys (CSRF tokens), but also UI ids, sync ids and connector ids. Beyond that, it also adds validation assertions to make sure that the script is working as expected.

This is how the recorded test scenario looks. It includes automatically added response extractors for sync ID, security key, UI ID and a bunch of connector IDs:

And this is an example of the correlated request body:


How to make it work

The Vaadin module works without any special configuration. If you want to try it, all you have to do is download, use it to record and run a load test, and the rest is taken care of automatically.

For a complete guide on the specifics of Vaadin performance testing, you can follow this step-by-step tutorial.

Good luck with the testing and give us a shout if you have any questions or feedback.

Petr Müller
Petr is part of the team developing load and performance testing tool You can reach out to him and the rest of the team on Twitter @SmartMeterIO.