Paul Römer

Introduction to using Spring Security in Vaadin applications

All code examples can be found at Just check the available branches.

We get many questions in the forum about how to use Vaadin 10+ with Spring Security. We heard you, and we will help you. However, let’s first define what "use" means:

Since Vaadin 10, Vaadin supports client-side templates in addition to the Java-only approach. That means we have to discuss two different types of client-side implementations. We can use as much Spring Security as possible by submitting a form to the configured endpoint, or a little less by hooking into Spring Security’s authentication flow. Both have pros and cons, which we will elaborate on.

After that, we will take a look at how to secure the router navigation and how to work with roles for more fine-grained security. Last but not least, we will introduce the addon ILAY, which simplifies the task of securing the app and allows us to enable not only entire views but also individual components, depending on the logged-in user.

In sum we end up with:

  1. Configuring Spring Security

  2. Setting up a form-based login view (Java and Polymer based)

  3. Hooking into the authentication flow and avoiding reloading (WIP)

  4. Secure routing (WIP)

  5. Finer grained security with roles on view and component level (WIP)

  6. ILAY (WIP)

Basic knowledge of Vaadin 14+, Spring Security, and Spring Boot is required for this tutorial. We will not discuss styling, production builds or other topics unrelated to security.

Get the base Vaadin + Spring starter

We are using as our starting point. When we started writing the tutorial, the starter was using Vaadin 12.0.4 with Spring Boot 2.1.0.RELEASE, but nowadays it is Vaadin 14.3.8 with Spring Boot 2.3.3.RELEASE.

├── pom.xml
├── src
│   └── main
│       ├── java
│       │   └── org
│       │       └── vaadin
│       │           └── paul
│       │               └── spring
│       │                   ├──
│       │                   ├──
│       │                   └──
│       └── resources
│           ├──
│           ├── banner.txt
│           └── META-INF
│               └── resources
│                   ├── frontend
│                   │   ├── src
│                   │   │   └── README
│                   │   └── styles
│                   │       └── README
│                   └── icons
│                       └── icon.png

The project setup is very minimalistic: a single Maven module, no styles, no Polymer templates (only the prepared folder structure), the typical Spring Boot Application class, and a main view. Because this starter showcases Spring, it includes a message bean that is injected and used in the MainView. It is not relevant for this tutorial.

Now, run mvn spring-boot:run to build and start the web application.

