Security framework with Vaadin 10

Hi,

I want to implement some security in the application I develop. But I’m not sure what would be a good framework for this. I never used one for this before.

So here are my requirements:

  • I will use JEE 8

  • it will be a PWA (with Vaadin 12)

  • there is a separation in front- and backend users

  • frontend users will have different view steps (not registered, registered and different pay scales)

  • backend maybe too: admin, editor, … [but I’m not 100% sure about this atm]

  • it should be server independent (so JEE security wouldn’t be a good choice?)

  • and easy to use, of course

Does anyone have a good idea what would be a good choice?

Thanks and best regards,
Lars

Hi, I’d recommend Spring Security if you are using Spring or Apache Shiro if not (this might help: https://vaadin.com/directory/component/shiro-vaadin-integration).

I came to the conclusion that I will write the security by myself.

So it’s more flexible, I’m independent from other people and it was more fun to develop.

That sounds risky. Take a look at, for example, this: https://security.stackexchange.com/questions/168261/what-does-dont-roll-your-own-security-mean

Let me elaborate on that a bit: The linked article talks about cryptography, but I feel like it applies to any security-related subtopic. Basically, it may be tempting to implement your own security solution, but it’s easy to accidentally create vulnerabilities that you can’t find yourself. Experts spend a lot of time trying to come up with secure solutions, and it’s not easy.

No risk, no fun. :smiley:

I don’t write my own cryptography algorithm, that would be crazy. Just the protection when and as who you are logged in.