This question is related to system security.
I’m using a Vaadin Hilla application with Java Spring Boot on the server side and TypeScript on the client side. After deployment, a .jar file is generated that includes the compiled application, and the frontend assets are served to the client.
As I understand it, not all frontend assets are delivered immediately—some are only loaded when lazy-loading is triggered. My question is:
1. Are the JavaScript and TypeScript files (from the "generated" directory) that enable access to Java endpoints included in the .jar file?
2. If I wrap a frontend request to access a Java endpoint in a lazy-loaded component, how does this affect when and how those JavaScript and TypeScript files are sent to the client?
- Typically yes. They don’t need to; you could e.g. serve them from a CDN.
- That shouldn’t affect anything.
Thanks for such a quick reply. Can I somehow prevent the client from seeing my endpoint’s functions/parameters?
Not without making it impossible to call those endpoints, which would defeat the whole purpose.
If you are worried about security, Vaadin Flow is the framework of choice, where no function (name) is available on the client side because everything runs on the server.
I think the essence of the question was different. Namely, is it possible not to immediately transfer the interfaces of all endpoints to the client, but using, for example, ‘lazy load’ to open only those that are needed by the corresponding view?
For example, first the client must log in, so he receives the Login form and with it only the Login endpoint description. Then, having received the corresponding right, let’s say he goes to the order registration form, which accordingly loads only the interface descriptions it needs. Thus, the client will only know a strictly limited set of JS interfaces, not all at once.
The code to call a specific endpoint is only included in the lazy loading bundle of the views that use that endpoint.
But there’s no direct support for requiring the user to be logged in before downloading specific bundles.
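Since the generated TypeScript stubs reach the browser sooner or later, the protection has to live on the server. The following is an added example (not from this thread or from the Vaadin project) of a Hilla endpoint whose access is enforced server-side by annotations, so a client that has downloaded the stub but lacks the role still gets rejected; `Order`, `OrderRepository` and the package name are hypothetical, and the `com.vaadin.hilla` package is the one used from Vaadin 24.4 onwards (Hilla 2.x used `dev.hilla`).

```java
// Added example: server-side access control on a Hilla endpoint.
// Hilla generates OrderEndpoint.ts in the "generated" directory and ships it in
// the bundle of the views that use it, but each call is re-checked here by
// Hilla before the method body runs. Endpoints are denied by default; access is
// granted per class or per method with the annotations below.
package com.example.application.endpoints;   // hypothetical package

import java.util.List;

import com.vaadin.flow.server.auth.AnonymousAllowed;
import com.vaadin.hilla.Endpoint;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

@Endpoint
@RolesAllowed("ORDER_CLERK")             // class-level default for every method
public class OrderEndpoint {

    private final OrderRepository orders; // hypothetical Spring Data repository

    public OrderEndpoint(OrderRepository orders) {
        this.orders = orders;
    }

    public record OrderDto(long id, String customer, String status) {}

    // Inherits the class rule: the browser may already hold this method's
    // TypeScript stub, but the server answers 401/403 for callers without
    // the ORDER_CLERK role, so knowing the signature gives nothing away.
    public long registerOrder(String customer) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return orders.save(new Order(customer, auth.getName())).getId();
    }

    // Any authenticated user may call this, but the result is narrowed to the
    // caller: the annotation decides WHO may call, the query decides WHAT they see.
    @PermitAll
    public List<OrderDto> myOrders() {
        String user = SecurityContextHolder.getContext().getAuthentication().getName();
        return orders.findByCreatedBy(user).stream()
                .map(o -> new OrderDto(o.getId(), o.getCustomer(), o.getStatus()))
                .toList();
    }

    // Explicit opt-in for unauthenticated access; keep such methods data-free.
    @AnonymousAllowed
    public String version() {
        return "1.0";
    }
}
```

With this in place, which bundle a stub arrives in is only a matter of load time, not of authorisation.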