Best practices for securing Hilla applications: configuring security, authentication, and role-based access control for views.

Hilla is a combined client and server programming model. As an application developer, you decide how much of the application state is stored on the server and how much in the user’s browser; that split determines which data and operations must be protected on the server, since anything held in the browser is under the user's control. The following sections describe the best practices for securing such applications.


An introduction to the Hilla security architecture and how it works in practice.
Controlling Endpoint Access
How to specify the role-based access control rules as annotations for the endpoint class or its individual methods.
Authentication with Spring Security
How to configure authentication with Spring Security.
Accessing Auth Data
Accessing authentication data such as username and roles on the server side, as well as transferring the data to the client.
Stateless Authentication
Using stateless authentication to persist authentication on the client side between requests.
Offline Authentication
Storing the authentication data in the browser for offline applications.
Best Practices
Best practices in authentication and authorization, data validation, and SSL and HTTPS.