Add Login
- Steps to Set Up Authentication
- Add Spring Security Dependency
- Create a Security Configuration Class
- Create a Login View
Most enterprise applications require users to authenticate before accessing the application. Vaadin applications use Spring Security for all security features, including authentication. Any authentication method available in Spring Security can also be used in a Vaadin application.
This guide shows you how to set up in-memory authentication for development and testing purposes.
Warning: Never Use Hard-Coded Credentials In Production
In-memory authentication is convenient for development, but production applications must use a more secure approach, such as JDBC authentication, LDAP authentication, or OAuth 2.0. Refer to the Spring Security Reference Manual for more details.
Steps to Set Up Authentication
To enable authentication in a Vaadin application, follow these steps:
- Add the Spring Security dependency to your project.
- Create a Spring Security configuration class.
- Create a login view.
- Grant access to specific views and layouts.
This guide covers the first three steps. For the fourth step, see the Protect Views guide.
Add Spring Security Dependency
Since Vaadin applications are built on Spring Boot, adding the Spring Security starter dependency enables authentication:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
Create a Security Configuration Class
Simply adding Spring Security to your project locks you out of your application unless you configure authentication. You must define a UserDetailsService and a login form to allow users to log in.
Tip: It's best practice to create a dedicated package for security-related classes. If your root package is com.example.application, place the security configuration inside com.example.application.security.
This is a minimal implementation of a security configuration class:
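SecurityConfig.java

    import org.slf4j.LoggerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Import;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;
    import org.springframework.security.provisioning.UserDetailsManager;
    import org.springframework.security.web.SecurityFilterChain;

    import com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategyConfiguration;
    import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;

    @EnableWebSecurity
    @Configuration
    @Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) // (1)
    class SecurityConfig {

        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            // Configure Vaadin's security using VaadinSecurityConfigurer
            http.with(VaadinSecurityConfigurer.vaadin(), configurer -> { // (2)
                // TODO Configure the login view
            });
            return http.build();
        }

        @Bean
        public UserDetailsManager userDetailsManager() {
            LoggerFactory.getLogger(SecurityConfig.class)
                .warn("NOT FOR PRODUCTION: Using in-memory user details manager!"); // (3)
            // {noop} marks the password as stored in plain text (development only)
            var user = User.withUsername("user")
                .password("{noop}user")
                .roles("USER")
                .build();
            var admin = User.withUsername("admin")
                .password("{noop}admin")
                .roles("ADMIN")
                .build();
            return new InMemoryUserDetailsManager(user, admin);
        }
    }

- (1) Imports VaadinAwareSecurityContextHolderStrategyConfiguration, required for Vaadin security to work with Spring Security.
- (2) Always call http.with() with VaadinSecurityConfigurer.vaadin(), which ensures that the application is properly configured.
- (3) Tip: Log a warning message whenever using a configuration that shouldn't end up in production.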
The VaadinSecurityConfigurer class provides essential security configurations out of the box, including:
- CSRF protection
- Default request caching
- Access restriction to Vaadin views and services