
The best practices for securing applications, configuring security, authentication and role-based access control for views.

Hilla is a combined client and server programming model. As the application developer, you decide how much of the application state is kept on the server and how much is kept in the user's browser, and that split determines what must be protected where. The following sections describe the best practices for securing such applications.


An introduction to the Hilla security architecture and how it works in practice.
Controlling Endpoint Access
How to specify the role-based access control rules as annotations for the endpoint class or its individual methods.
Authentication with Spring Security
Configuring authentication with Spring Security.
Accessing Authentication Data
How to access authentication data on the server side, and how to transfer the data to the client.
Role-Based Access Control
How to restrict access for selected Hilla views based on roles defined for the logged-in user.
Stateless Authentication
Using stateless authentication to persist authentication on the client side between requests.
Offline Authentication
Storing the authentication data in the browser for offline applications.
Session Expiration
How to detect session expiration, for example to show a login view to the user.
Common Vulnerabilities
Dealing with vulnerabilities, such as SQL injection, cross-site request forgery, and Java serialization.
Best Practices
Best practices in authentication and authorization, data validation, and SSL and HTTPS.