Spring Boot Security for Vaadin | Vaadin

Security for Vaadin applications based on Spring Boot Security

This add-on serves as glue between Vaadin and Spring Boot Security with the goal of bringing both worlds together as seamlessly as possible. The URL-based security of Spring is replaced with annotations directly on your Vaadin views and endpoint methods. Access rules can be defined using expressions, like hasRole('ADMIN') or any Java code.

Version 3.0+ requires Vaadin 23.
Version 2.2+ supports Vaadin 21.
Version 2.0+ supports Vaadin 20.
For Vaadin 14 support, see version 1.x.

Its features mainly focus on two areas:

  • Authentication: You configure most parts of your Spring Security filter chain (AuthenticationManager, AuthenticationProviders, UserDetailsService, remember-be authentication, etc.) in your WebSecurityConfigurerAdapter as you would otherwise. This add-on will (by default) configure the form login and logout and wrap them in a simple Java (i.e. server-side) API. This API can be used in your login view to which the user will be automatically forwarded. This allows you to stay completely in Java and Vaadin; no HTML login page or URL redirection necessary. But authentication can also be completely customized to use Web SSO mechanisms instead. See the project page for links to examples like Keycloak and Kerberos.
  • Access control: Access control works for views and endpoints using annotations. Access rules are defined using Spring Security expressions or custom Java code for more advanced requirements. There's also a Java API to facilitate fine-grained control within your views and endpoints, so it is e.g. possible to also have publicly accessible views with partially restricted content. Access rules for routes can also be changed at runtime.

For more details on how to use this add-on, please see the project page and/or take a look at the source code of the demo application.

Please let me know if you're successfully using this add-on. Otherwise let me know what doesn't work for you; there's always room for improvement.


Link to this version
StableReleased 16 June 2022Apache License 2.0
Framework Support
Vaadin platform 23+
Browser Independent
Install with
Release notes - Version 3.1.0
  • SecurityContextHolder is now configured to be Vaadin-aware. VaadinSecurity#getAuthentication(...) is obsolete now.
  • Support for Spring Boot 2.7's deprecation of WebSecurityConfigurerAdapter. Configuring a SecurityFilterChain no longer leads to an error.