App Server Security, multi App's and url-pattern /VAADIN/*
Documentation regarding Auth and ACL within Vaadin application(s) seems to be a model that is very different to your typical app server URL-based auth+ACL.
- Book of Vaadin (Rapid Auth)
- Authenticating Vaadin-based applications
- Application Environment (for later reference)
App servers provide us with a simple, reliable Authentication and (somewhat) universal URL --to--> role-based ACL. Consequently, if the app server allows the HTTP request to be served (that's a non-401 or 403 error), then your servlet can reliably trust that the user is authenticated and the request is allowed to exec.
At this point in time I want to shelve "Role to URL-based ACL": client-side AJAX/RPC applications are very different, and I understand that this model has extremely limited application in client-side applications (i.e. Vaadin/GWT). Basically, this has to be done with the Authenticator class detailed here.
What I would like to use is the application server's ability to ensure that we know who the user is (reliably). I feel this is omitted from all of the online Vaadin Authentication doco. I would expect to see x2 applications, one for Anonymous (those who have not logged into the application server and have a valid session) and Onymous (those who have). Which leads to several things:
- 1 x Vaadin Application for Anon Access
- 1 x Vaadin Application for Onymous
- 1 x Page reload/request when switching between the two (unavoidable).
- Q: The app server's url auth is incredibly reliable. We don't rely on our developers to write reliable + secure code, so why risk it?
- Q: Many application servers deal with complex SSO and authentication for us, why would we want to get involved in code unless we really need to?
- Q: Even if I run x2 (or more) applications, both of them will send AJAX/RPC requests to /VAADIN/*. Which (I fear) undermines my ability to truly restrict my ability to isolate the anon/ony access beyond the user interface. Is this fear valid? What are the caveats here?
- Q: How would things like OSGi bundles run independently if I can't uniquely constrain them to their own sub-context in the same webapp?
- Q: If I just totally ditch the app server's url security, how can I be reassured that Vaadin has "as reliable" security?
Thanks for reading, I hope I was understandable :)
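As an added example (not from the original post, nor Vaadin's own documentation) of the two-application layout described above, here is a web.xml that leaves authentication entirely to the container; it assumes Vaadin 6's ApplicationServlet, and the application class names, paths and the role name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the post: two Vaadin 6 applications in one webapp,
     with the container deciding who reaches the authenticated one. Application
     class names, paths and the role name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- Anonymous application: no constraint, anyone may reach /public/* -->
  <servlet>
    <servlet-name>PublicApp</servlet-name>
    <servlet-class>com.vaadin.terminal.gwt.server.ApplicationServlet</servlet-class>
    <init-param><param-name>application</param-name>
      <param-value>com.example.PublicApplication</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>PublicApp</servlet-name>
    <url-pattern>/public/*</url-pattern>
  </servlet-mapping>
  <!-- Shared static resources (themes, widgetset): only files are served here,
       so this mapping stays open to both applications. -->
  <servlet-mapping>
    <servlet-name>PublicApp</servlet-name>
    <url-pattern>/VAADIN/*</url-pattern>
  </servlet-mapping>
  <!-- Authenticated application: its UI and its AJAX (UIDL) requests are all
       made under /member/, so one container constraint covers them. -->
  <servlet>
    <servlet-name>MemberApp</servlet-name>
    <servlet-class>com.vaadin.terminal.gwt.server.ApplicationServlet</servlet-class>
    <init-param><param-name>application</param-name>
      <param-value>com.example.MemberApplication</param-value></init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>MemberApp</servlet-name>
    <url-pattern>/member/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member application</web-resource-name>
      <url-pattern>/member/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>member</role-name></security-role>
</web-app>
```

With this layout the open /VAADIN/* mapping serves only static files, while every request that drives the member application's state passes through the container's constraint on /member/*.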