Vaadin authentication best practice

Question

I am interested in the best practice in authentication in Vaadin I think there is mainly two option here:

• ThreadLocal (can cause Out of memory, can have the same thread for different users)
• Spring Security + Vaadin integration (seems a little too much)

Which one do you prefer and why? (Security issues, easy development, other factors)

Answer 1

There are a lot of different ways for authentication in Vaadin.

1. Vaadin base authentication.
   • For Vaadin 6, try LoginForm.
   • For Vaadin 7, you can use the new & improved replacement implementation of LoginForm first available as a Add-On, then later built into Vaadin 7.7.
   • For Vaadin 8, use that same re-implemented LoginForm.
   • For Vaadin Flow, not implemented as of version 12. You could peruse the open source code, and build something similar. The “Listener” support is built into the superclasses, so you are not starting from scratch.
2. Add value into user session and check that value in init() method. (also easy)
3. Basic authentication (see tomcat example) (sometimes it very useful for customer, but usually you get container specific problem.)
4. Spring Security Vaadin 7.1 + Spring-Security Integration running in Tomcat Server (people loves Spring)
5. Apache shiro (never try but it was one of possible ways)

I recommend you to select 1 or 2 if you want make it easy or 4 if you want power security system.

Answer 2

Not quite to your question, but two mentions:

• New Persona for Vaadin "add-on"
  Uses the promising Persona authentication system invented by Mozilla. By Leif Åstrand. New, still at experimental stage.
  UPDATE Mozilla has abandoned this project.

• Stormpath
  A company dedicated to providing a user login management API and service for developers. There are some other companies that seem to dabble in this new area of authentication-as-a-service, but Stormpath is the only one I know of that is dedicated to it.

I've not used either of these, but they are on my To-Do list.