RE: Vaadin 8 CDI & servlet security

I don’t know about the annotation but isn’t forcing https something that you usually specify in the servlet container/web server settings, and not in the application directly? IE. For example, Tomcat has instructions to enable HTTPS.

I would like to enforce https on the vaadin ui. We are using CDI servlet with annotations. Is there a way to specify something like this:

@ServletSecurity(value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))

And have it work with CDI servlet?


Another option would be writing a
which would intercept all requests matching one or more url patterns (Vaadin UI’s and/or any other resources in the web application). In the Filter you can check if the
request’s scheme
(request.getScheme()) is HTTPS and if not send an error or redirect.

This is typically done using web.xml or annotations on servlet. We dont want to use web.xml if possible, and prefer to stick with annotations. Since the @CDIUI annotation hides the servlet definition, need to know if there is an alternative way to do this.

Thanks. That is the approach we are taking for our Rest interfaces, but I was hoping vaadin might already have something available instead of having to do that or web.xml.

In that case, as you’re already using a filter to check the Rest interfaces, maybe it would be a good option to keep all this config in the same place and add an extra url-pattern for the Vaadin’s cdi servlet as well.