App Server Security, multi App's and url-pattern /VAADIN/*

Hi All,

Documentation regarding Auth and ACL within Vaadin application(s) seems to be a model that is very different to your typical app server url based auth+acl.

App servers provide us with a simple, reliable Authentication and (somewhate) universal URL --to–> role based ACL. Consequently if the app server allows the http request to be served (thats a non 401 or 403 error) then your servlet can reliably trust that the user is authenticated and the request is allowed to exec.

At this point in time I want to shelve “Role to URL based ACL” client side AJAX/RPC applications are very different and I understand that this model has extremely limited application in client side applications (i.e. Vaadin/GWT). Basically, this has to be done with the Authenticator class
detailed here

What I would like to use is the application server’s ability to ensure that we know
who the user is
(reliably). I feel this is omitted from all of the online Vaadin Authentication doco. I would expect to see x2 applications, one for Anonymous (those who have not logged into the application server and have a valid session) and Onymous (those who have). Which leads to several things

  • 1 x Vaadin Application for Anon Access
  • 1 x Vaadin Application for Onymous
  • 1 x Page reload/request when switching between the two (unavoidable).


  • Q: Aside from avoiding another page+javascript load, why would you not want to do this? If you’re doing async code splitting the difference should be minimal.
  • Q: The app server’s url auth is incredibly reliable. We don’t rely on our developers to write reliable + secure code, so why risk it?
  • Q: Many application servers deal with complex SSO and authentication for us, why would we want to get involved in code unless we really need too?
  • Q: Even if I run x2 (or more) applications, both of them will send AJAX/RPC requests too /VAADIN/*. Which (I fear) undermines my ability to truely restrict my ability to isolate the anon/ony access beyond the user interface. Is this fear valid? What are caveats here?
  • Q: How would things like osgi bundles run independely if I can’t uniquely constrain then to their own sub context in the same webapp?
  • Q: If I just totally ditch the app server’s url security, how can I be reassured that Vaadin has “as reliable” security?

Thanks for reading, I hope I was understandable :slight_smile: