Paul Römer

In the previous tutorial, we implemented view-based access control with plain Vaadin. As we do not like boilerplate code but love the flexibility, we suggest using ILAY, a security framework-agnostic Vaadin plugin.

Like our previous implementation ILAY works annotation-based and needs you to define access evaluators.

To get started, add the needed Maven dependency.


Next, let’s define the annotation we can use for the views.
@NavigationAnnotation(RoleBasedEvaluator.class) // (1)
public @interface SecuredByRole {
    String value() default ""; // (2)
  1. Links our annotation with an access evaluator. It is explained below.

  2. It is up to you on which data your security access check is based on. Here, the role name is enough.

And now we can start with defining an access evaluator. Like in the previous tutorial, we will implement a role-based security guard.
public class RoleBasedEvaluator implements AccessEvaluator<SecuredByRole> { // (1)
    public Access evaluate(Location location, Class navigationTarget, SecuredByRole annotation) { // (2)
        if(!SecurityUtils.isAccessGranted(navigationTarget, annotation)) {
            if(SecurityUtils.isUserLoggedIn()) {
                return Access.restricted(NotFoundException.class); // (3)
            } else {
                return Access.restricted(LoginView.ROUTE); // (4)

        return Access.granted(); // (5)
  1. Our access evaluators have to implement the AccessEvaluator interface and define a corresponding annotation.

  2. ILAY gives you all information needed + your custom annotation to decide whether to deny or grant access.

  3. Uses the Access class helpers to restrict access by an exception and let Vaadin handle the redirection.

  4. Uses the Access class helpers to restrict access and redirect to the login view (defining the login view’s class is not possible yet)

  5. Looks all is fine, let’s grant access to the view.

Now we have to use the annotation. Otherwise, it won’t be that much fun!
@SecuredByRole("ROLE_Admin") // (1)
public class AdminView extends VerticalLayout {
    public AdminView() {
        Label label = new Label("Looks like you are admin!");

  1. There it is! Only admins should be able to access the admin view.

Woohoo, that’s it. As usual, we prepared a demo application, just check out the branch login-overlay-form-ilay and execute mvn spring-boot:run.

PS: I heard rumors there is a backdoor in this app, you might wanna check the code.

Vaadin is an open-source framework offering the fastest way to build web apps on Java backends

Comments (12)

Paul Römer
2 years ago Feb 06, 2020 7:18am
Alex M
2 years ago Feb 06, 2020 11:38am
Paul Römer
2 years ago Feb 06, 2020 1:51pm
Paul Römer
2 years ago Feb 07, 2020 2:26pm
Alejandro Duarte
2 years ago Jan 30, 2020 2:44pm
Paul Römer
2 years ago Jan 30, 2020 5:52pm
Alexander W
2 years ago Feb 03, 2020 10:41am
Paul Römer
2 years ago Feb 04, 2020 1:32pm
Alexander W
2 years ago Feb 05, 2020 9:04pm