Request login for specific actions - strategy.

In your excellent article about authentication, you explore the case where you require the user to log in before accessing any part of the application.

In my (common, JavaBlackBelt.com) case, anonymous visitors can use the site. When they trigger specific actions, they are requested to log in, then we let them continue.

In our Struts2 application, we wrote an annotation to be put on the actions that need to be protected. A Struts interceptor (a filter) detects the annotation before the action executes and shows the login form instead (if the user is not logged in). When logged in, the action is automatically executed.

With Vaadin, things are going to be different. I’ve no such entry points as actions to annotate. I could invent a mechanism, but before doing that…

My question is: have any of you had the same requirements for a Vaadin application, and if so, which strategy did you implement?

Thank you.

Unfortunately I have not bumped into a solution for this. It would be interesting to hear what kind of strategy you selected to solve the problem.

Hi John,

Can you separate public and protected functionalities of your application into, say, different parts of the application? In this case you may have, for instance, 1 public window and 2 protected windows with an extra interface and functions. While your user is not authenticated, those 2 windows are replaced by a login window like the one from the article above. So an attempt to navigate to a protected part of the application will cause an authentication request.

Of course, this will not help if you use anchors (#xxx) instead of URLs to switch views or want to authenticate several actions (buttons, links) within the same interface component (e.g. in a Window).

Regarding the filters, I just thought that it could be possible to attach a filter which will analyze Vaadin requests from the client terminal and request HTTP authentication when necessary, but I am not sure if this will be efficient from the point of view of implementation (I mean parsing terminal application UIDL requests).
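
The flow described in the opening post (detect the annotation, show the login form, then run the action automatically), sketched in plain Java as an added example; it is not code from any poster, from Struts2 or from Vaadin. `RequiresLogin`, `LoginGate` and `PostComment` are hypothetical names, the credential check is assumed to happen elsewhere, and the gate is assumed to live on the server, one instance per user session.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.ArrayList;
import java.util.List;

public class LoginGateDemo {
    /** Hypothetical marker, playing the role of the Struts2 annotation from the thread. */
    @Retention(RetentionPolicy.RUNTIME)
    @interface RequiresLogin {}

    /** One instance per user session (assumption); never share it between sessions. */
    static class LoginGate {
        private String user;        // null while the visitor is anonymous
        private Runnable pending;   // the single action waiting for a login

        /** Call from every server-side listener instead of invoking the action directly. */
        void run(Runnable action) {
            boolean guarded = action.getClass().isAnnotationPresent(RequiresLogin.class);
            if (!guarded || user != null) { action.run(); return; }
            pending = action;       // a newer request replaces an older one
            System.out.println("[login form shown]");
        }

        /** Call from the login form once the credential check has finished. */
        void loginFinished(String authenticatedUser) {
            Runnable replay = pending;
            pending = null;         // cleared on success and on failure alike
            if (authenticatedUser == null) return;
            user = authenticatedUser;
            if (replay != null) replay.run();
        }
    }

    @RequiresLogin
    static class PostComment implements Runnable {
        final List<String> log;
        PostComment(List<String> log) { this.log = log; }
        public void run() { log.add("comment posted"); }
    }

    public static void main(String[] args) {
        List<String> log = new ArrayList<>();    // constructed sample data
        LoginGate gate = new LoginGate();
        gate.run(() -> log.add("page viewed"));  // public action: runs at once
        gate.run(new PostComment(log));          // protected: deferred, login form shown
        gate.loginFinished(null);                // failed login: deferred action discarded
        gate.run(new PostComment(log));          // deferred again
        gate.loginFinished("john");              // success: deferred action replayed once
        System.out.println(log);
    }
}
```

The gate only protects actions that are routed through it, so the check belongs in server-side code; hiding a button on the client is not a substitute.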