vaadin user management


i want to implement user management in my vaadin application.
for that i investigated and found options for user management, for example; ThreadLocal pattern way, appfoundation add-on, etc…

i cannot use appfoundation add-on, because my data coming from a rmi call.

then i want to implement my own-implementation.
the way i’m thinking to follow is below;

Application instance created is per session and Application class has methods named setUser, getUser.
i will create my user model object, which contains username, password, name surname etc.
at first the user object will be null, and after he/she logged in i will set user object with setUser method.
and in the application, i get the user object and check if it is null or not.
if it is null user not logged in and if it is not null user is logged in.
and i will use this method with navigator7 addon (so Application is my own MyApplication class which extends from NavigableApplication class)

i’m wondering that this method has any disadvantages (security related, or any other stuff) or not?
or i’m missing something?

and a question, because of Application instance is created per session, can i store my session variables in the Application as a property?

thx in advance.

You can store data which would go into the session into the Application object.

Using this technique has several implication :

  • Application might need to be serialized/deserialized by some containers so every data you add in there need to be serializable too (or transient)
  • You can’t use getApplication in components constructor. getApplication returns null until the component has been attached (by setContent or addComponent) to it. So if you need to access your “session data” or your user object at that time, you will have to find some other way to do it (pass the instance to the constructor, ThreadLocal, …)

this chapter of the book
for more details.

Thx Mathias,

about getting Application instance in the constructors; i get Application instance in the attach() method without any problem.

now i will read that chapter in the book, then if i will have any questions i’ll ask again.

You mean for password, etc… security related things?

Dont re-invent the wheel , The servlet container will already do user management for you…

Use a JAAS Login Module to authentication your user and the Container will manage your user for you…

If you use Java EE , the user can be retrieved from the javax.ejb.SessionContext , if not using Java EE , you can get the authenticated user from javax.servlet.http.HttpServletRequest getUserPrincipal()

We use a custom Server Authentication Module (SAM) ( JSR-196 ) to do Form Based authentication, The SAM is configured to invoke the correct JAAS context.

edit: But as noted your principal should implement so that the Container can serialize you application and sessions…
You should also implement if I’m not mistaken

For all the data in there, actually. Your session contains the state of the UI, which is the state of your Application object and everything that it holds. The container could serialize session at any time: in a clustered environment, if the session hasn’t been active for some period of time, etc.

Note that static fields are automatically transient, but you don’t really need to have any static fields in your application classes except for immutable values like constants.


Thx Bobby,

It is clear for me, wondering just one thing, let me tell it.

Assume, a user didn’t interact with the application for a while and my Application’s state is serialized and User object is also serialized as not null.
But this time the session timed out, then user come back again to use the application.
because of session is timed out normally user should be logged out and needs to logged in again.

my question is; because of our application’s state is serialized, does it go with deserializing the application (don’t need to login again) or in any case it creates the session from stratch?

thx in advance for your answers.