Help needed for securing a single page application

I have created a single page application in Vaadin 24. It communicates with another application via REST API to get the data content. I have created a login popup form as well.
My application allows users to use it without login in read only mode.
For making changes users have to log in. Users with higher privileges can also generate documents from the content.
I wrote a code that sends username/password to the supporting application and gets back an instance of User class. However, it is doing it in plain text and therefore not secure.
I haven’t used any Vaadin or Spring security packages.
I studied the Vaadin documentation at How to enable security in your Vaadin application but it all uses BeforeEnterObserver which is not applicable to my case.
Can someone please advise me how to make my application secure?
A code sample would also be appreciated.

A code sample with this description might be a bit too much to ask; one would need to know much more about the API server (is it using some standard authentication mechanism?), the requirements, and also what your Vaadin application is like: Quarkus, Spring Boot or something else…

A couple of comments/questions that hopefully help you in the right direction:

Passwords are always kind of problematic as at some point they must be cleartext (on the way to the place where they are actually verified). Whether it is secure or not depends on your environment and how you handle them. I assume your Vaadin application has (or will have) https on. On the second trip (from app server to REST API) with your “clear text passwords” you are probably already better off. Your REST API probably already has https on (or it is within the same DMZ as your app server), so I expect that trip is secured.

In your case, it might be that dropping in a library like Spring Security just increases the complexity. Especially if you are not familiar with it already. Same with BeforeEnterObserver based access check. Our docs examples (utilising both, at least under the hood) only cover role based access checks to actual views, but there are many other ways to implement authorization to various functions. In your case the best option might be to have just one view and in case the session is logged in, you display the edit button (or something similar).
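The single-view approach described in this answer, as an added example that is not code from the thread or from Vaadin: the login call goes to the backend over HTTPS, the returned User is kept only in the server-side VaadinSession, and the edit/generate buttons are created only for sessions that hold the matching right. The login URL, the JSON request body, the User record's fields and the use of Jackson for parsing are all assumptions, since the thread does not show the real API.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.Paragraph;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.*;
import java.net.URI;
import java.net.http.*;
import java.util.Map;
import java.util.function.Predicate;
// Assumed shape of the backend's reply; the thread does not show the real User class.
record User(String name, boolean canEdit, boolean canGenerate) {}
final class AuthService {
    // Assumed login endpoint. Over HTTPS the password is cleartext only inside TLS.
    private static final URI LOGIN = URI.create("https://api.example.internal/login");
    private static final HttpClient HTTP = HttpClient.newHttpClient();
    private static final ObjectMapper JSON = new ObjectMapper();
    /** Verifies credentials at the backend and binds the User to the server-side session. */
    static boolean login(String username, String password) throws Exception {
        String body = JSON.writeValueAsString(Map.of("username", username, "password", password));
        HttpRequest req = HttpRequest.newBuilder(LOGIN).header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        HttpResponse<String> res = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) return false;                    // rejected: stay anonymous
        User user = JSON.readValue(res.body(), User.class);
        VaadinService.reinitializeSession(VaadinRequest.getCurrent()); // fresh id: blocks session fixation
        VaadinSession.getCurrent().setAttribute(User.class, user);    // kept on the server, never sent to the browser
        return true;
    }
    /** Null for an anonymous visitor, i.e. read-only mode. */
    static User current() { return VaadinSession.getCurrent().getAttribute(User.class); }
    static void logout() { VaadinSession.getCurrent().getSession().invalidate(); }
}
@Route("")
class MainView extends VerticalLayout {
    MainView() {
        add(new Paragraph("Content fetched from the REST API")); // visible to everyone
        User user = AuthService.current();
        // Privileged controls only exist server-side when the session's User has the right.
        if (user != null && user.canEdit()) add(guarded("Edit", User::canEdit, this::openEditor));
        if (user != null && user.canGenerate()) add(guarded("Generate document", User::canGenerate, this::generate));
    }
    // The click handler re-checks the session, so a stale tab cannot act after a logout elsewhere.
    private Button guarded(String label, Predicate<User> right, Runnable action) {
        return new Button(label, e -> { User u = AuthService.current(); if (u != null && right.test(u)) action.run(); });
    }
    private void openEditor() { /* assumed: open the edit form */ }
    private void generate() { /* assumed: call the backend's document endpoint */ }
}
```

The same session check belongs in any backend call that changes data: the Vaadin server must pass its own credential (not the user's password) to the REST API, and the REST API must enforce the privilege itself rather than trust the UI.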
