JAAS for whole Vaadin application

Hi there,

I’m trying to secure my Vaadin application and already read
. The problem is, when I try to secure the whole app path starting at <url-pattern>/*</url-pattern> I run into the alert “Could not load vaadin-bootstrap.js”. So I added another constraint to allow /VAADIN/*.
Now it loads but that's already the end of it. It just says “Loading …” and nothing happens.
Here is the part of the web.xml I tried out:

    <description>Only this UI is protected</description>
    <description>Only valid users are allowed</description>





Do not place a security-constraint on /* but rather place a security-constraint explicitly on all the UI/servlet mappings that require security.

I’m not 100% sure but I think /login* is not a valid pattern either; you might need to add /login and /login/*. At least in GlassFish you will get warnings about /login*.

If that does not help, enable finer/finest logging for your application server’s security modules; that way you’ll be able to see what is going on. (I suspect the Form-Auth-Module is redirecting to your /login page, does not have access, redirects to /login page, …) You get the picture.

Note you will not see the redirects on the browser end…

Hi Bastel, not sure if that helps you.
What I did in my project was to put the login/error page in its own login folder.
So with this I can deny access on /* but grant access on /login/*.
At least this works on Jetty.

With this I also do not need access on /VAADIN/*.
To make sure, I also included a second servlet mapping specially for the login, where I use the Default Servlet of Jetty instead of the Vaadin Servlet. So the Vaadin Servlet only starts up after I have successfully authenticated the user.
No need for the login html site.

You can actually see my web.xml config here
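
The layout discussed in the replies above, sketched as a web.xml fragment. This is an added example, not any poster's actual configuration: the role name `user`, the resource names and the file names under /login/ are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Public area: a security-constraint WITHOUT an auth-constraint
       leaves the matched URLs open to unauthenticated requests.
       /login/* is a valid path-prefix pattern; a pattern such as
       /login* is only ever matched as that literal string. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login-pages</web-resource-name> <!-- assumed name -->
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Everything else requires an authenticated user in the role.
       The more specific /login/* pattern above wins for the login
       and error pages, so the FORM redirect does not land on a
       protected page and loop. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>application</web-resource-name> <!-- assumed name -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name> <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- assumed file names; both must sit under the public /login/ path -->
      <form-login-page>/login/login.html</form-login-page>
      <form-error-page>/login/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Any stylesheet, script or image the login page references also has to live under the public path, otherwise those requests are intercepted by the `/*` constraint.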