Vaadin 10 Spring Security

Are there any plans to have a Spring Security integration in Vaadin 10 like we have seen for Vaadin 8?
What would be the best approach? I could think of using BeforeEnter… but that would be needed on every view. Do you have any ideas for a more generic approach?

Hi Thomas,

If you have a pro subscription, you can see Spring Security integration in the Spring Starter pack:

In short - what the starter app is doing is having a beforeEnter on the MainView.

   public void beforeEnter(BeforeEnterEvent event) {
      if (!SecurityUtils.isAccessGranted(event.getNavigationTarget())) {

All the other views that use the MainView for layout will automatically be checked.

@Route(value = "listeditor", layout = MainView.class)

Thanks Martin,
sometimes the solution is so near, but one doesn’t see it.

Yeah, been there too :slight_smile:

BTW - I was trying out different deployment options this weekend and ran into issues when trying to deploy as a stand-alone spring-boot jar. I was looking through the forum and noticed that you had a question along the same lines about 2 months ago.

Did you ever find a solution to it?

(I wanted to reply to your original post, but the forum search is rather useles, so I wasn’t able to find it again).

No I did not find a solution. As far as I could see Vaadin is loading the resources using the SerlvetContext which doesn’t play nice with Spring Boot packaging. Do you think we should file a ticket on this?

There is a open ticket:

(I didn’t try this solution or the blog post)

Just for sharing knowledge. The security working for me with the

	public void beforeEnter(BeforeEnterEvent event) {
		log.debug("BeforeEnterEvent: navigate to {}", event.getNavigationTarget().getCanonicalName());
		VaadinRequest currentRequest = VaadinService.getCurrentRequest();
		HttpServletRequest httpServletRequest = ((VaadinServletRequest)currentRequest).getHttpServletRequest();
		String requestUrl = httpServletRequest.getRequestURL().toString();
		String pathInfo = currentRequest.getPathInfo();
		// base URI
		String baseUrl = Optional.ofNullable(requestUrl)
				.map(str -> str.replaceAll(pathInfo+"$", "/"))
		URI uri = null;
		try {
			uri = new URI(baseUrl);
		} catch (URISyntaxException e) {
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

		String destination = UI.getCurrent().getRouter().getUrl((Class<? extends Component>) event.getNavigationTarget());
		log.debug("Destination is {}", uri.getRawPath()+destination);

		// now we have the url path we can check against spring if this user has access
		boolean access = webPrivs.isAllowed( uri.getRawPath()+destination, authentication);
		log.debug(String.format("Allowed: %b %s", access, ""));

		if(!access) event.rerouteTo(AccessDeniedView.class);

Hey guys,

we added a new tutorial about the integration of Spring Security into Vaadin: It is still work in progress but I would like to collect feedback for future improvements.