Let's say I have an administration view. In the constructor of the view, I check that the user has the ADMIN
role. Then I create the view. During the user's interaction with the view, I see many Vaadin internal client-server calls. Should I worry about the security aspects of these calls, where I may potentially be hacked? Or is it safe, and will Vaadin handle the security aspects of these calls?
alexanoid
1 Answer
The security model in Vaadin Flow is based on views and components, rather than the request-based model that is common in web frameworks that work on a lower abstraction level.
As long as you trust that the regular session mechanism provided by the servlet container is safe enough, then you can assume that the Vaadin components that you create for one user will only be available for that user. Vaadin takes care of individual requests to see that they are related to a component instance that belongs to the session that the component was created for.

Leif Åstrand
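An added example (not code from the question or the answer) of the view-level model the answer describes: the role check is done once when navigation enters the view, and every later client-server call from the view's components is tied by Vaadin to that same session-bound instance. The route path "admin" and the use of container-managed authentication behind `isUserInRole` are assumptions; the role name ADMIN is the one from the question. Unlike the question's constructor check, this puts the check in `beforeEnter`, so a failed check reroutes instead of having to throw from the constructor.

```java
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterObserver;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinServletRequest;

// Route path "admin" is an assumption for this example.
@Route("admin")
public class AdminView extends VerticalLayout implements BeforeEnterObserver {

    public AdminView() {
        // Components built here belong to this user's session only. The click
        // listener below runs on the server for this instance; a request from
        // another session cannot address it.
        Button reload = new Button("Reload users",
                e -> Notification.show("Reloaded for this session only"));
        add(reload);
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        // Role check against the servlet container's security context
        // (assumes container-managed authentication populates the principal).
        VaadinServletRequest request = VaadinServletRequest.getCurrent();
        if (request == null || !request.isUserInRole("ADMIN")) {
            // Reroute before the view is shown; non-admins see a 404-style
            // error page rather than an admin view they must not reach.
            event.rerouteToError(NotFoundException.class);
        }
    }
}
```

Because the check runs on every navigation into the view, an attacker cannot bypass it by typing the URL directly, and the button's server-side listener is only reachable through the session that created it.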