How to handle authentication and authorization

I’m just testing Vaadin as a presentation layer technology for my Grails applications using Grails Vaadin plugins.
The first tests are very impressive but I still have to figure out how to integrate basic security (authentication/authorization).

Is there something specific in Vaadin related to that? Is there a sample application somewhere with basic Spring security integration?

I’ve used Shiro (
plugin) for my vaadin application.
Shiro is much simpler for integration and it’s permission based security model is much easier for use in vaadin app.

I’ve just installed the plugin and read the documentation, and it all looks fine when you’re using a page-based presentation because authorization is based on URL’s and controllers, and it redirects you to the Login page if you’re not already logged in.

But how did you adapt that to Vaadin, where the URL is always the same and where you’re more likely to display the login form in a popup window than in a separate page? In particular, is there any way to configure security at the business service level like Spring Security allows it?

Take a look at the
add-on, it provides both authentication and authorization for Vaadin applications.

I agree, it is assumed to be used for controllers.
But, Security layer may be added by yourself.

You must be using some view handling solution (appfoundation, tpt or navigator7)
in all frameworks it is easy to set view interceptor (or add security code to page factory)
so you can easily secure page transitions.

Login logic may be also easily implemented: implement view or window or popup and call

Securing components is also easy: use

if (SecurityUtils.subject.isPermitted("ui:view:someaction")){// create button and add to ui}

Also i’ve implemented little “security manager” which stores references to components and sets visibility to true or false depending on user permissions (it also listens user login/logout to trigger components visibility).
This way i have completely secured ui (in fact the result is comparable with gsp pages when you use security restiction tags: user just don’t see secured areas)

About services you are right, shiro doesn’t provide annotations to secure service methods (at least I didn’t find it). But it is not hard to add some to sping.

I know it is some kind of reinventing the wheel, but this way you get enterprise quality security framework and complete control on it.

I can provide some code snippets if you interested in it

p.s. AppFoundation is a great framework! But unfortunately security module depends on persistent module, which is not usefull with grails. Still you should definately look at it (maybe you will find a way to use it)

The authentication module depends on the persistence module, the auhtorization module can be used with or without persistence (JPAPermissionManager and MemoryPermissionManager respectively).

OK then. If I have to do most of the work, the least I do, the better. So I think I’m gonna go with the new Spring Security ACL plugin (

I’m sorry, Kim for misguiding people. But when i was searching for security solution, i’ve tried to look for appfoundation at first. Notion in documentation about dependency on persistence module was a showstopper for me.

Maybe it’s better to improve module documentation in order to prevent such wrong conclusions (as i know appfoundation is the only availible vaadin specific security library)

Sebastien, I’ve found this description of spring security vaadin integration (
it should be usefull