Add Login
- Steps to Set Up Authentication
- Add Spring Security Dependency
- Create a Security Configuration Class
- Create a Login View
Most enterprise applications require users to authenticate before accessing the application. Vaadin applications use Spring Security for all security features, including authentication. Any authentication method available in Spring Security can also be used in a Vaadin application.
This guide shows you how to set up in-memory authentication for development and testing purposes.
Warning: Never Use Hard-Coded Credentials In Production
In-memory authentication is convenient for development, but production applications must use a more secure approach, such as JDBC authentication, LDAP authentication, or OAuth 2.0. Refer to the Spring Security Reference Manual for more details.
Steps to Set Up Authentication
To enable authentication in a Vaadin application, follow these steps:
1. Add the Spring Security dependency to your project.
2. Create a Spring Security configuration class.
3. Create a login view.
4. Grant access to specific views and layouts.
This guide covers the first three steps. For the fourth step, see the Protect Views guide.
Add Spring Security Dependency
Since Vaadin applications are built on Spring Boot, adding the Spring Security starter dependency enables authentication:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Create a Security Configuration Class
Simply adding Spring Security to your project locks you out of your application unless you configure authentication. You must define a UserDetailsService and a login form to allow users to log in.
Tip: It’s best practice to create a dedicated package for security-related classes. If your root package is com.example.application, place the security configuration inside com.example.application.security.
This is a minimal implementation of a security configuration class:
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
class SecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // 1
        // TODO Configure the login view
    }

    @Bean
    public UserDetailsManager userDetailsManager() {
        LoggerFactory.getLogger(SecurityConfig.class)
                .warn("NOT FOR PRODUCTION: Using in-memory user details manager!"); // 2
        // {noop} stores the password as plain text; acceptable only for local development.
        var user = User.withUsername("user")
                .password("{noop}user")
                .roles("USER")
                .build();
        var admin = User.withUsername("admin")
                .password("{noop}admin")
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
1. Always call super.configure(); this ensures that the application is properly configured.
2. Tip: Log a warning message whenever using a configuration that shouldn’t end up in production.
The VaadinWebSecurity class provides essential security configurations out of the box, including:
- CSRF protection
- Default request caching
- Access restriction to Vaadin views and services
Note: If you need to customize security rules, such as allowing anonymous access to static resources, do so before calling super.configure(). This is because VaadinWebSecurity applies a catch-all rule that requires authentication for all requests.
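The following is an added example, not code from the Vaadin documentation, showing the ordering the note above describes: custom permit-all rules for static resources are registered first, then super.configure(http) installs the Vaadin defaults, and finally the login view is registered. It replaces only the configure method of the SecurityConfig class shown earlier; the userDetailsManager bean from that snippet is unchanged. The paths /images/** and /public/** are assumed static-resource locations, and LoginView is assumed to be the Vaadin view created in the "Create a Login View" step.

```java
package com.example.application.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
class SecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 1. Custom rules come first. A rule added after super.configure(http)
        //    would never match, because the catch-all "authenticated" rule that
        //    VaadinWebSecurity installs is evaluated before it.
        //    The two paths are assumed examples of static resources in this
        //    application, not locations the guide prescribes.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/images/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/public/**")).permitAll());

        // 2. Vaadin defaults: CSRF protection, request caching, and the
        //    catch-all rule requiring authentication for every other request.
        super.configure(http);

        // 3. Register the Vaadin login view (assumed to exist as
        //    com.example.application.security.LoginView). setLoginView also
        //    permits anonymous access to the view itself and configures form
        //    login so unauthenticated users are redirected there.
        setLoginView(http, LoginView.class);
    }
}
```

A quick check that the ordering is right: with the rules placed before super.configure(http), an unauthenticated request for /images/logo.png should return the file, while a request for any view should redirect to the login page; if the permitAll rules are moved below super.configure(http), the image request is redirected to the login page as well.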