19

I am interested in the best practice in authentication in Vaadin I think there is mainly two option here:

  • ThreadLocal (can cause Out of memory, can have the same thread for different users)
  • Spring Security + Vaadin integration (seems a little too much)

Which one do you prefer and why? (Security issues, easy development, other factors)

czupe
  • 4,740
  • 7
  • 34
  • 52

2 Answers2

24

There are a lot of different ways for authentication in Vaadin.

  1. Vaadin base authentication.
    • For Vaadin 6, try LoginForm.
    • For Vaadin 7, you can use the new & improved replacement implementation of LoginForm first available as a Add-On, then later built into Vaadin 7.7.
    • For Vaadin 8, use that same re-implemented LoginForm.
    • For Vaadin Flow, not implemented as of version 12. You could peruse the open source code, and build something similar. The “Listener” support is built into the superclasses, so you are not starting from scratch.
  2. Add value into user session and check that value in init() method. (also easy)
  3. Basic authentication (see tomcat example) (sometimes it very useful for customer, but usually you get container specific problem.)
  4. Spring Security Vaadin 7.1 + Spring-Security Integration running in Tomcat Server (people loves Spring)
  5. Apache shiro (never try but it was one of possible ways)

I recommend you to select 1 or 2 if you want make it easy or 4 if you want power security system.

Basil Bourque
  • 303,325
  • 100
  • 852
  • 1,154
Taras Klym
  • 521
  • 6
  • 7
  • Thanks Taras, i rather love to read a comparing! But appreciate your efforts. (Upvoted/Accepted) – czupe Jan 08 '14 at 08:42
3

Not quite to your question, but two mentions:

  • New Persona for Vaadin "add-on"
    Uses the promising Persona authentication system invented by Mozilla. By Leif Åstrand. New, still at experimental stage.
    UPDATE Mozilla has abandoned this project.

  • Stormpath
    A company dedicated to providing a user login management API and service for developers. There are some other companies that seem to dabble in this new area of authentication-as-a-service, but Stormpath is the only one I know of that is dedicated to it.

I've not used either of these, but they are on my To-Do list.

Basil Bourque
  • 303,325
  • 100
  • 852
  • 1,154
  • Thanks for answer. Seems interesting, both of the solutions. However i need a database integrated solution not attached to mail and i think i sticked to ThreadLocal pattern. Seems way easier and lightweight than Spring Security! (upvoted) – czupe Jan 08 '14 at 02:02
  • 1
    Sadly I must note that [Mozilla has abandoned the Persona](http://www.computerworld.com/s/article/9246846/Mozilla_stops_work_on_Persona_sign_on_to_shift_resources_to_Firefox_OS_services) user-authentication project. Seemed very promising to me. I don't understand why the web industry refuses to build a simple straight-forward user authentication technology. – Basil Bourque Mar 30 '14 at 09:20