How to implement secure login


I’d like to implement a secure (HTTPS) login in my Vaadin App. How would I do that?

The scenario would look like:

  1. Visitor enters my Vaadin App via unsecure URL - some infos can be viewed without being logged in.
  2. Visitor clicks login button/link - here I need to switch to HTTPS to display the login window.
  3. all further actions on App remain in HTTPS until the logout button/link is hit.

Hope someone can give me a glue.

Thanks a lot!


One option is to go for JAAS. From Vaadin application point of view that means that you just put the application to a protected URI and enable the login for that URI in your web server. In the Vaadin application you can then access the user information from the session once authenticated.

I used this approach with WebLogic and the hardest part was to create the LoginModule for that environment. I quickly found these instructions how you would use JAAS in Tomcat:

The same thing goes for the SSL: It is a server level feature that you can switch on. Again, here are instructions for Tomcat:

Probably you can make the same Vaadin application available both http and https. Link to a login page would then point to the https-version (that is protected with JAAS login). That makes it use the (automatic) redirects to the actual JAAS login page to perform the authentication before letting users to access it.

Thanks! - I’ll have a look at this approach, but this would mean I need to implement a non-Vaadin based login mechanism (or probably via two Vaadin applications).

Is there a chance to get the login process (I described above) implemented within just one Vaadin application?

The SSL is always managed by the server (not by servlets) and I’m afraid that makes it impossible to switch to SSL completely inside a Vaadin application.

In the simplest case I think you can make the same Vaadin application available using both plain http as well as SSL protected https. Then it should be possible to show a login view when the https version is first accessed (for example in
or if the a new session is created for https-connection simply in Application.init). Furthermore, if the authentication fails, redirect back to http version (or maybe just show the public part of the application over https).

Does this sound a feasible?

That sounds good. My application is still available via http/https - but how would I implement the redirect to https or http via TransactionListener or while doing login/logout?

The transaction listener is something that is inviked for every request, so that is that sense a safe bet. However, if the session is not shared between the http and https version (which depends on how cookies are shared - i guess that they are not) you can simply do the redirecting in after in application close or use the

Okay, thanks! I tried by setting the logout URL and closing the application. This works in general, but it does not work for following URL: http://localhost:8888/#login - here the loading/waiting indicators appear and that’s it. I trigger the application closing by clicking a button. This sets the logout URL:

public void buttonClick(ClickEvent event)

The response looks like: [quote]


I’m using the Toolkit Productivity Tools (tpt) to manage views within a single window. Basically this works fine also using the URL posted above in new browser window. Only the redirect doesn’t work - is this a Vaafin issue?

I posted an issue on that since using logout URLs without URI fragment is working: