Vaadin-XS and reverse proxy / sso integration problem

Here is a question on the usage of Vaadin-XS in a proxied/SSO environnement.

When following the default usage guidelines (), that is using the “GetEmbedJS” call, the resulting javascript that is
embedded in the page is pointing future call directly
to the physical server where the Vaadin application and not to the proxied location
.

In a production environnement, often a reverse-proxy (for SSO or other security purproses) would sit in the middle between the client’s browser and the server hosting the Vaadin application.

The “GetEmbedJS” uses the
getApplicationUrl
from the standard AbstractApplicationServlet to constructs the various theme/widgetset URLs that will be placed in the final javascript magic that will be embedded to the page.

Problem here is as mentionned that getApplicationUrl is not aware of the existence of a reverse proxy, so this will at the end “forward” embedded calls directly to the server hosting the application and not through the reverse proxy.

What would be the best solution to overcome this problem ? For the moment we are not using the GetEmbedJS anymore but instead we are using diretly the full magical javascript.
Is there place here for an evolution in the Vaadin XS or in Vaadin getApplicationUrl() to improve integration ?

Would be very happy to get some feedback and thought on this matter,

thanks in advance

Eric.

Hi,

I have two possible solutions how this could be improved:

  1. Add configuration possibities. There could be an init parameter setting (via web.xml) where you could force the application url.

  2. Vaadin XS servlet could sneak possible headers that reverse proxies often add. I’d remember seeing something like X-Forwarded or something. With those one might be able to use multiple proxies with one app server. Also that would be zero conf.

Would you fill some enhancement tickets about these to dev.vaadin.com? At least the first option should be rather “safe” and simple feature to implement.

cheers,
matti