Vaadin GUI - Server message security

Hi. Vaadin/GWT n00b here.
Quick question: does Vaadin implement some sort of message validation mechanism before acting on JSON messages received from the GUI?
Did a quick search on this forum; judging from the “Invalid Security Key” error reported here, there is some level of validation. Could someone please elaborate on the details?


I don’t know the internals of Vaadin security, but there are some presentations available on the Vaadin security model to get you started:


My understanding is that Vaadin keeps the state of the UI stored in both the server and the client (the latter meaning stored in the HTTP session). Whenever a call comes in, these states are checked to make sure the client and server are in sync, so that malicious calls can be ignored.

I don’t have any references handy about it now, but if you read this forum thread about a stateless version of Vaadin, it may give you more insight into what is currently happening with the stateful model.
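To make the idea in the replies above concrete, here is an added example (not from this thread and not Vaadin's own code) of the kind of server-side check they describe: the server keeps its own copy of the UI state and only acts on a client JSON message if a per-session security key matches, the client's sync counter matches the server's, and the referenced component actually exists, is enabled, and has a listener for the event. The component tree, field names (`csrfToken`, `syncId`, `component`, `event`) and sample messages are constructed for the example; they are assumptions about a generic design, not a description of Vaadin's wire protocol.

```python
import hmac
import json
import secrets


class ServerUiState:
    """Server-side source of truth for one session's UI.

    Holds the per-session security key, a sync counter, and which
    components exist and are enabled. A client message is only acted
    on if it agrees with this state; anything else is rejected.
    """

    def __init__(self):
        # Random per-session key the client must echo back (CSRF defense).
        self.security_key = secrets.token_urlsafe(32)
        # Monotonic counter so stale or replayed messages are refused.
        self.sync_id = 0
        # Constructed sample component tree (assumed layout, not Vaadin's).
        self.components = {
            "btn-save": {"enabled": True, "listeners": {"click"}},
            "btn-admin": {"enabled": False, "listeners": {"click"}},  # disabled server-side
            "txt-name": {"enabled": True, "listeners": {"change"}},
        }
        self.handled = []  # events the server actually acted on

    def handle_message(self, raw: str) -> dict:
        """Validate one client message against server state; return a result dict."""
        try:
            msg = json.loads(raw)
        except ValueError:
            return self._reject("malformed JSON")
        if not isinstance(msg, dict):
            return self._reject("message is not a JSON object")

        key = msg.get("csrfToken")
        # Constant-time comparison so the key cannot be guessed byte by byte.
        if not isinstance(key, str) or not hmac.compare_digest(
            key.encode(), self.security_key.encode()
        ):
            return self._reject("Invalid Security Key")

        # Client must be looking at the same UI revision the server has.
        if msg.get("syncId") != self.sync_id:
            return self._reject("client out of sync")

        comp = self.components.get(msg.get("component"))
        if comp is None:
            return self._reject("unknown component")
        # The client cannot re-enable a component the server disabled.
        if not comp["enabled"]:
            return self._reject("component disabled on server")
        event = msg.get("event")
        if event not in comp["listeners"]:
            return self._reject("no listener for event")

        self.handled.append((msg["component"], event))
        self.sync_id += 1
        return {"status": "ok", "syncId": self.sync_id}

    @staticmethod
    def _reject(reason: str) -> dict:
        return {"status": "rejected", "reason": reason}


def run_demo() -> list:
    """Feed constructed messages through one session; return each outcome."""
    ui = ServerUiState()
    good = {"csrfToken": ui.security_key, "syncId": 0,
            "component": "btn-save", "event": "click"}
    forged_admin = dict(good, syncId=1, component="btn-admin")
    bad_key = dict(good, syncId=1, csrfToken="guessed-key")
    wrong_event = dict(good, syncId=1, component="txt-name", event="click")
    messages = [
        json.dumps(good),          # legitimate click on an enabled button
        json.dumps(forged_admin),  # client claims a click on a disabled button
        json.dumps(bad_key),       # wrong security key
        json.dumps(good),          # replay of the first message (stale syncId)
        json.dumps(wrong_event),   # event the component has no listener for
        "not json at all",         # garbage
    ]
    results = [ui.handle_message(m) for m in messages]
    return [r.get("reason", r["status"]) for r in results]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The point of the ordering is that the cheap, state-independent checks (parseable JSON, correct security key) run first, and only then does the server consult its own component tree; a message that references a component the server considers disabled or nonexistent is dropped regardless of what the client-side DOM claims.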