Hi. Vaadin/GWT n00b here.
Quick question - does Vaadin implement some sort of message validation mechanism before acting on JSON messages received from the GUI?
Did a quick search on this forum, judging from the “Invalid Security Key” error reported here there is some level of validation, could someone please elaborate on the details ?
I don’t know the internals of Vaadin security, but there are some presentations available on the Vaadin security model to get you started:
slides,
videos
My understanding is that Vaadin keeps the state of the UI stored in both the server and client (the latter meaning stored in the HTTP session). Whenever a call comes in, these states are checked to make sure the client and server are in sync so that malicious calls can be ignored.
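To make the mechanism the reply above describes concrete, here is an added, self-contained model of it. It is not Vaadin code and does not use Vaadin's API or message format; it is a generic server-side handler (written in Python rather than Java so it runs without a JSON library) that does the two checks in question: a per-session random security key that every incoming JSON message must carry, and a server-held sync id that the message must match so that stale or replayed requests are refused rather than applied. The field names (`securityKey`, `syncId`, `action`) and the counter widget are assumptions made for the example.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class ServerSession:
    """Server-side state a framework would keep in the HTTP session.

    This is an illustrative model, not Vaadin's own session or protocol.
    """

    # Unpredictable per-session key; handed to the client once at page load.
    security_key: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # Server's count of state changes applied so far; client must echo it.
    sync_id: int = 0
    # Toy UI state: the value of a single counter widget.
    counter: int = 0

    def render(self) -> dict:
        """What the initial page response carries to the client."""
        return {"securityKey": self.security_key, "syncId": self.sync_id,
                "counter": self.counter}

    def handle_request(self, raw: bytes) -> dict:
        """Validate one JSON message from the client and apply it if it passes."""
        try:
            msg = json.loads(raw)
        except ValueError:
            return {"status": "rejected", "reason": "malformed JSON"}
        if not isinstance(msg, dict):
            return {"status": "rejected", "reason": "not a JSON object"}

        # Check 1: the message must carry this session's security key.
        # Compare in constant time so a forged key cannot be guessed byte by byte.
        key = msg.get("securityKey")
        if not isinstance(key, str) or not hmac.compare_digest(
                key.encode(), self.security_key.encode()):
            return {"status": "rejected", "reason": "invalid security key"}

        # Check 2: client and server must agree on the current state version.
        # A stale or replayed message gets the server's state back instead.
        if msg.get("syncId") != self.sync_id:
            return {"status": "resync", "syncId": self.sync_id,
                    "counter": self.counter}

        # Only now act on the message; the action set is the assumed toy UI.
        action = msg.get("action")
        if action == "increment":
            self.counter += 1
        elif action == "decrement":
            self.counter -= 1
        else:
            return {"status": "rejected", "reason": "unknown action"}
        self.sync_id += 1
        return {"status": "ok", "syncId": self.sync_id, "counter": self.counter}


def demo() -> list:
    """Drive one session through a good message, a replay, a forgery and junk.

    Returns the status of each attempt in order.
    """
    session = ServerSession()
    boot = session.render()
    # Constructed sample messages for the example.
    good = json.dumps({"securityKey": boot["securityKey"], "syncId": 0,
                       "action": "increment"}).encode()
    forged = json.dumps({"securityKey": "A" * 43, "syncId": 1,
                         "action": "increment"}).encode()
    junk = b"{not json"
    return [
        session.handle_request(good)["status"],    # applied: counter -> 1
        session.handle_request(good)["status"],    # replay: syncId is stale
        session.handle_request(forged)["status"],  # wrong key: rejected
        session.handle_request(junk)["status"],    # unparseable: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the key is verified before the sync id so that an attacker without the key learns nothing about the server's state, and the sync id is verified before any action runs so that a message replayed after the state moved on is answered with a resync rather than applied twice.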