Security - what is the Vaadin "right" way?

There is a simple demonstration of RIA security with Vaadin that looks great for the main window ( The solution is to remove all components until a user successfully logs in. I can’t figure out how to apply this same approach when using Navigator7 or other windows in general. I don’t want to bloat the project with JAAS or spring security.

If there is no right way, then why not enhance the core Vaadin security API a little… seems only thing there right now is setUser() on the application.

After trying to roll my own solution, it looks like managing security with “setUser” only works well for a single application level window. This is unfortunate but when has a java framework ever done everything well? I may have to add JAAS and container managed security back.

The issue I ran into was if you logout of one application level window, there is no way to notify the other app level windows of the application state changes without adding push or poll overhead. If i removed components from all app level windows, i get an error that the application state is out of synch on the windows where the event was not initiated. Maybe if i could catch this error on the server, i could replace that error with my login dialog but that is over my head.

This is true - there is no way to notify the other app level windows of the application state changes, without adding push or poll - ! The only alternative I can think of is to destroy the http session (i.e. close the Vaadin application) and tell all of the other windows to refresh via javascript; I’m not sure that’s possible, but without poll or push that’s only thing left.

Even if you could catch the error and replace it with the login, the problem (being out of sync with the server) would still be there - that error message essentially means that something has changed on the server without being updated in the browser - to which the solution is poll/push.