Documentation versions (currently viewing Vaadin 24)
Add Login

Learn how to add user login to a Vaadin application using Spring Security.

Most enterprise applications require users to authenticate before accessing the application. Vaadin applications use Spring Security for all security features, including authentication. Any authentication method available in Spring Security can also be used in a Vaadin application.

This guide shows you how to set up in-memory authentication for development and testing purposes.

Warning
Never Use Hard-Coded Credentials In Production
In-memory authentication is convenient for development, but production applications must use a more secure approach, such as JDBC authentication, LDAP authentication, or OAuth 2.0. Refer to the Spring Security Reference Manual for more details.

Steps to Set Up Authentication

To enable authentication in a Vaadin application, follow these steps:

  1. Add the Spring Security dependency to your project.

  2. Create a Spring Security configuration class.

  3. Create a login view.

  4. Grant access to specific views and layouts.

This guide covers the first three steps. For the fourth step, see the Protect Views guide.

Add Spring Security Dependency

Since Vaadin applications are built on Spring Boot, adding the Spring Security starter dependency enables authentication:

Source code
XML
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Create a Security Configuration Class

Simply adding Spring Security to your project locks you out of your application unless you configure authentication. You must define a UserDetailsService and a login form to allow users to log in.

Tip
It’s best practice to create a dedicated package for security-related classes. If your root package is com.example.application, place the security configuration inside: com.example.application.security

This is a minimal implementation of a security configuration class:

Source code
SecurityConfig.java
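package com.example.application.security;

import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) // (1)
class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Configure Vaadin's security using VaadinSecurityConfigurer
        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> { // (2)
            // TODO Configure the login view
        });
        return http.build();
    }

    @Bean
    public UserDetailsManager userDetailsManager() {
        LoggerFactory.getLogger(SecurityConfig.class)
            .warn("NOT FOR PRODUCTION: Using in-memory user details manager!"); // (3)
        // {noop} marks the password as stored in plain text (no hashing)
        var user = User.withUsername("user")
                .password("{noop}user")
                .roles("USER")
                .build();
        var admin = User.withUsername("admin")
                .password("{noop}admin")
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
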
  1. Imports VaadinAwareSecurityContextHolderStrategyConfiguration, required for Vaadin security to work with Spring Security.

  2. Always call http.with() with VaadinSecurityConfigurer.vaadin(); this ensures that the application is properly configured.

  3. Tip: Log a warning message whenever using a configuration that shouldn’t end up in production.

The VaadinSecurityConfigurer class provides essential security configurations out of the box, including:

  • CSRF protection

  • Default request caching

  • Access restriction to Vaadin views and services
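
The warning above and callout 3 rely on a log message to keep the hard-coded users out of production. As an added example (not part of the Vaadin documentation), the user store can instead be bound to Spring profiles, so the in-memory accounts cannot be created unless a development profile is explicitly active. The class name UserStoreConfig, the profile name dev, and the presence of a DataSource (for example through spring-boot-starter-jdbc) are assumptions; this class replaces the userDetailsManager() bean in SecurityConfig.

```java
package com.example.application.security;

import javax.sql.DataSource;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;

// Added example; "dev" is an assumed profile name, not a Vaadin convention.
@Configuration
class UserStoreConfig {

    // Hard-coded users exist only when the "dev" profile is explicitly active.
    // No PasswordEncoder bean is defined for this profile, so Spring Security
    // falls back to its delegating encoder, which understands the {noop} prefix.
    @Bean
    @Profile("dev")
    UserDetailsManager devUserDetailsManager() {
        LoggerFactory.getLogger(UserStoreConfig.class)
            .warn("NOT FOR PRODUCTION: Using in-memory user details manager!");
        var user = User.withUsername("user").password("{noop}user").roles("USER").build();
        var admin = User.withUsername("admin").password("{noop}admin").roles("ADMIN").build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    // Every other profile, including none at all, reads users from the database
    // using Spring Security's default users/authorities schema. If no DataSource
    // is configured, startup fails instead of falling back to the dev accounts.
    @Bean
    @Profile("!dev")
    UserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
        return new JdbcUserDetailsManager(dataSource);
    }

    // Outside "dev", stored passwords must be bcrypt hashes; a plain-text or
    // {noop} value in the database never matches.
    @Bean
    @Profile("!dev")
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

Start the application with the dev profile active (for example spring.profiles.active=dev) to get the two test accounts; any other startup uses the database-backed store.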

Create a Login View

You can implement the login view using Flow or Hilla. Follow the guides below: