After a bit of tinkering, I have managed to get Vaadin working with Spring Security.
Ideally, one could simply protect the entire webapp from unauthenticated requests and be secure. Unfortunately, when using form-based security, this results in 302 redirects to some login page. This is fine for the main browser page, but confuses the GWT AJAX client, which don’t know how to handle a 302 or 401 response. So if your authenticated session times out, the vaadin widgets in the browser will try to communicate with the server, which doesn’t response correctly. The vaadin application appears to hang unless you hit the browser page reload.
The simple solution I used was to :
- Leave the UIDL URIs completely unprotected so that unauthenticated sessions can communicate with the server
- Take note of the fact that unauthenticated users can try to hack away at the vaadin ApplicationServlet all day long, but if it takes care not to instantiate a new application, nothing much will happen.
- Extend the ApplicationServlet.getNewApplication() method to ensure that it will only instantiate a new Application instance if the request is authenticated
- If getNewApplication() was called from an unauthenticated request, issue a redirect to get the auth provider (Spring Security in my case) to send the browser back to the login page.
This works OK, but obviously leaves an attack vector.
A more robust solution would be to enhance the client-side Vaadin code to look for 302 and 40x response codes and handle them properly. I did this with ZK a couple of years ago and contributed a patch. All it really has to do is interpret at 302 or 40x error code as an expired session.
It looks to me that this could be done fairly easily around line 363 in the following source:
I’ll contribute a patch if I get a chance, but thought I would share first.
I think this would make Vaadin 10x easier to deploy in an enterprise context.
Great product, BTW. Very clean implementation.