Vaadin and Spring Security

Hello everyone,
I’m working on a transversal security layer for a Vaadin application. Can you tell me what the best available options for doing this are? I mean, is there a sufficiently mature framework available for this purpose?
I had the idea of Spring Security as a first thought, but is it a good choice, bearing in mind that Spring Security intercepts HTTP requests (URL based) for security purposes, which is not very compatible with the Vaadin philosophy?
Thank you in advance for the help.

Deleted your duplicate post to Miscellaneous Discussions. Please see this message regarding double posting

I’m not that familiar with Spring Security, hope someone else answers.

Actually, Spring Security is a good fit for Vaadin with respect to its philosophy, but not if you use it exactly like you would use it in a JSP application. Unfortunately, that is how most people are using it because doing it right would take more initial effort, and at least I have not had the time to write nice and clean utilities for it.

You should note that the HTTP request interceptor based approach is just one of many possible approaches on top of the very modular and flexible Spring Security core, and even the interceptor chain part is quite modular. A clean implementation would probably require replacing two or three of those building blocks. The default implementations of other parts of the interceptor stack work just fine.

I have written a little more about how this should be done e.g.
, as well as somewhere else I cannot find right now. The trick would be to replace two or three of the interceptors in the chain with ones that are aware of Vaadin, and handle e.g. asking for login when the user is not logged in.

Some client side changes to (a subclass of) ApplicationConnection might also be needed to make handling of expired authentication etc. a little smoother, but should not be required for the basic functionality.

All this said, a quick search for “vaadin spring security” will return several examples of how people have done it the simple way (e.g. using a JSP login page) and maybe also a little better than that, and many seem to be happy with those solutions.

Ah… my previous reply focused on the login and session tracking part, whereas you seem to be more interested in authorization for access to certain parts of the application.

If you are interested in view-level authorization checking, you could simply extend something like the
add-ons and check for authorization at view activation time. For more fine-grained access (e.g. enabling and disabling buttons in a view based on active roles), you can also query Spring Security directly or via some helper classes.
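
As an added illustration of the last reply (not code from any poster or from the Vaadin or Spring projects), here is one way to check authorization at view activation time and to query Spring Security directly for finer-grained decisions. `ViewAccessGuard`, the view names and the role names are hypothetical, and the sketch assumes the Spring Security filter chain wraps the Vaadin servlet so that `SecurityContextHolder` is populated on the request thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper (not a Vaadin or Spring class): role checks against the Spring Security context. */
public final class ViewAccessGuard {

    // View name -> authority required to open it. Entries are registered by the application.
    private final Map<String, String> requiredAuthority = new ConcurrentHashMap<>();

    public void protect(String viewName, String authority) {
        requiredAuthority.put(viewName, authority);
    }

    /** True only if the current user is really logged in (not anonymous) and holds the authority. */
    public static boolean hasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Call this from the view activation hook of whichever navigation add-on is in use.
     * Deny by default: a view with no registered rule is refused rather than shown.
     */
    public boolean mayActivate(String viewName) {
        String needed = requiredAuthority.get(viewName);
        return needed != null && hasAuthority(needed);
    }

    // Fine-grained use inside a view (role name is a made-up sample):
    //   deleteButton.setEnabled(ViewAccessGuard.hasAuthority("ROLE_ADMIN"));
    // Repeat the same hasAuthority check inside the click listener before acting,
    // so the decision is enforced where the operation runs and not only in the UI state.
}
```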