Best practice for using Views

I hope someone can give me some advice on the best practice for creating an application with multiple views where one view is restricted to logged-in users.

I have multiple views in my application:

welcomeView = This view should always be displayed if the user is not logged in and if none of the views 1 to 2 is requested.

view1 = This view should always be accessible, also if the user is logged in; if this view is not called and the user is logged in, he should be redirected to the backendView

view2 = Same as view1, always accessible, also if the user is logged in

backendView = This view is only accessible if the user is logged in, and except when view1 or view2 is requested, the logged-in user should always be redirected to this view, especially if he calls a view which is not defined or if he calls the application URL (

View1 has an empty name, meaning name=""
View2 has the following view name: name="view2"
Welcome: name="welcome"
Backend: name="backend"

Currently I use the following code:

Application UI:

[code]
public class ApplicationUI extends UI {

    protected void init(VaadinRequest request) {
        new Navigator(this, this);
        getNavigator().addView(WelcomeView.NAME, WelcomeView.class);
        getNavigator().addView(BackendView.NAME, BackendView.class);
        getNavigator().addView(View1.NAME, View1.class);
        getNavigator().addView(View2.NAME, View2.class);

        // Load the right view, application controller is only created if the user has successfully logged in
        if (getSession().getAttribute("applicationController") != null && getPage().getUriFragment() == null) {
            // (the statement for this branch is missing from the post)
        }
        if (getPage().getUriFragment() == null) {
            // (the statement for this branch is missing from the post)
        }

        // We use a view change handler to ensure the user is always redirected
        // to the login view if the user is not logged in.
        getNavigator().addViewChangeListener(new ViewChangeListener() {

            public boolean beforeViewChange(ViewChangeEvent event) {
                // Check if a user has logged in
                boolean isLoggedIn = getSession().getAttribute("applicationController") != null;
                boolean isWelcomeView = event.getNewView() instanceof WelcomeView;
                // Note: isLoginView is not declared anywhere in the posted code
                if (isLoggedIn && (isWelcomeView || isLoginView)) {
                    log.debug("Go to backend");
                    return false;
                }
                return true;
            }

            public void afterViewChange(ViewChangeEvent event) {
                // Required by the ViewChangeListener interface; nothing to do here
            }
        });
    }
}
[/code]

I check in the backend view if the user is logged in or not:

[code]
public class BackendView extends VerticalLayout implements View {

    public static final String NAME = "backend";
    private ApplicationController applicationController;

    public BackendView() {
        // Set the title of the page
        Page.getCurrent().setTitle("Application Backend");
    }

    public void enter(ViewChangeEvent event) {
        // create the controller
        if (getSession().getAttribute("applicationController") != null) {
            this.applicationController = (ApplicationController) getSession().getAttribute("applicationController");
        } else {
            // "Logout" the user
            getSession().setAttribute("applicationController", null);

            // Refresh this view, should redirect to login view
        }
    }
}
[/code]

When the user logs out, the following procedure is executed:

[code]
// "Logout" the user
getSession().setAttribute("applicationController", null);

// Expire the session

// Refresh this view, should redirect to login view
[/code]

The application behaves as expected, but I want to make sure that this is a good approach and especially a secure one. We want to keep the application as simple as possible; therefore we do not want to use the Spring framework for this "simple" access management.

Can someone give me some advice on how to improve this approach, or is this a bad implementation?
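
The routing rules described in the post, written as one deny-by-default decision function; this is an added example, not code from the original post. It is plain Java without Vaadin types, the class and method names are hypothetical, and it assumes the empty name is a request for view1 (the bare-URL redirect for logged-in users stays in init() as in the post).

```java
import java.util.Set;

// Added example: one central access decision for the four views named in the post.
public final class ViewAccessPolicy {
    // View names as given in the post.
    static final String VIEW1 = "", VIEW2 = "view2", WELCOME = "welcome", BACKEND = "backend";

    // Views reachable with or without a login.
    private static final Set<String> PUBLIC_VIEWS = Set.of(VIEW1, VIEW2);

    /**
     * Returns the name of the view that may actually be shown.
     * Anything not explicitly public is treated as restricted, so a view
     * registered later stays protected until it is added to PUBLIC_VIEWS.
     */
    static String resolve(boolean loggedIn, String requested) {
        if (requested != null && PUBLIC_VIEWS.contains(requested)) {
            return requested;
        }
        // welcome, backend, undefined names and null all end up here
        return loggedIn ? BACKEND : WELCOME;
    }

    /** True when the requested navigation may proceed unchanged. */
    static boolean allows(boolean loggedIn, String requested) {
        return resolve(loggedIn, requested).equals(requested);
    }

    public static void main(String[] args) {
        // Constructed requests: the known views, an undefined view and a missing name.
        String[] requests = {VIEW1, VIEW2, WELCOME, BACKEND, "undefined", null};
        for (boolean loggedIn : new boolean[] {false, true}) {
            for (String r : requests) {
                System.out.printf("loggedIn=%-5b requested=%-11s -> show=%-9s allowed=%b%n",
                        loggedIn, r == null ? "null" : "\"" + r + "\"",
                        "\"" + resolve(loggedIn, r) + "\"", allows(loggedIn, r));
            }
        }
    }
}
```

A view change listener can return `allows(isLoggedIn, event.getViewName())` from `beforeViewChange` and navigate to `resolve(...)` when the result is false, so the login check lives in one place instead of in each view's `enter` method.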