Security for Vaadin applications based on Spring Boot Security
This add-on serves as glue between Vaadin and Spring Boot Security with the goal of bringing both worlds together as seamlessly as possible. The URL-based security of Spring is replaced with annotations directly on your Vaadin views and endpoint methods. Access rules can be defined using expressions, like
hasRole('ADMIN') or any Java code.
Version 3.0+ requires Vaadin 23.
Version 2.2+ supports Vaadin 21.
Version 2.0+ supports Vaadin 20.
For Vaadin 14 support, see version 1.x.
Its features mainly focus on two areas:
- Authentication: You configure most parts of your Spring Security filter chain (AuthenticationManager, AuthenticationProviders, UserDetailsService, remember-be authentication, etc.) in your WebSecurityConfigurerAdapter as you would otherwise. This add-on will (by default) configure the form login and logout and wrap them in a simple Java (i.e. server-side) API. This API can be used in your login view to which the user will be automatically forwarded. This allows you to stay completely in Java and Vaadin; no HTML login page or URL redirection necessary. But authentication can also be completely customized to use Web SSO mechanisms instead. See the project page for links to examples like Keycloak and Kerberos.
- Access control: Access control works for views and endpoints using annotations. Access rules are defined using Spring Security expressions or custom Java code for more advanced requirements. There's also a Java API to facilitate fine-grained control within your views and endpoints, so it is e.g. possible to also have publicly accessible views with partially restricted content. Access rules for routes can also be changed at runtime.
Please let me know if you're successfully using this add-on. Otherwise let me know what doesn't work for you; there's always room for improvement.
SecurityContextHolderis now configured to be Vaadin-aware.
VaadinSecurity#getAuthentication(...)is obsolete now.
- Support for Spring Boot 2.7's deprecation of
WebSecurityConfigurerAdapter. Configuring a
SecurityFilterChainno longer leads to an error.