Backend security interrogation


i am presenting a proof of concept to a client in a few days and i builded a demo in vaadin. Today i talked with a tech guy who told me that vaadin wasn’t safe for “internet application” it was more for intranet.

I’ve been told that the client will require a 3 tier application. I already created my application using a MVP pattern, so i have no logical code in my UI classes, everthing is separate, but apparently, because it still on the same server, my business logic is vulnerable.

I read in a couple of blog that it was possible to have the backend running on a separate server (another glassfish ?) than the UI, but i’ve never been able to find any exemple.

Is that something possible ?
how can i achieve this ?
Is there any way i could use vaadin for a “accessible from internet” application while also pleasing the security guys ?

Obvisouly i won’t be able to rewrite my demo in time, but if at least i could have something so say to defend my points.

Otherwise, vaadin will be discarded and i’ll have to study an other framework

While this should be possible ( Make Remote interfaces for your Business tier modules ) but this complicate things a bit.

This will exclude the use of JPA from the war since it sounds to me that the security guys want to make sure only the business tier has access to the data (and thus limits access to the persistence unit).
You will have to take care that you always limit the number of Objects/Entities you return/pass between the web and business tier.