Securing only a single UI

I’m working on an app with CDI, Push and security and I’m running into a problem I can’t seem to find a good solution for.

The app consists of an EAR with several EJB and a Vaadin webapp. The app utilizes several roles to secure the application and requires login before using the webapp.

As part of this app new users can be enrolled that have to confirm their e-mail address and enter a security code to register their account. The UI for this needs to be accessible through an unsecured UI, this is where I run into problems.

  • Just removing the security requirement from the URL of the registration-UI doesn’t work because Vaadin tries to communicatie with the server through a single URL that is shared between all UI’s.
  • Moving the registration UI to a separate webapp doesn’t work, because you currently can’t have multiple webapps with CDI extensions in a single EAR.

A separate issue I encountered is that Push doesn’t work with websockets because it loses all security credentials when you do so (That is: any request coming through the websocket loses the logged in principal and thus cannot access any EJB that requires a specific role).

Any ideas on how to secure my UI while still having a single UI that is not secured ?