Skip to content

Overview

The goal of this appjar is to provide complete authentication and authorization management for enterprise Vaadin applications, covering everything from user login to fine-grained runtime access control.

Most web applications share a common set of user management requirements: authenticating users securely, assigning them access rights, and controlling which parts of the application they can reach. Implementing these correctly takes significant effort and discipline, especially as the number of users, roles, and views increases over time. User Manager addresses this problem in full by providing administration views and a configurable security model that an administrator can operate at runtime without modifying the application code.

Authentication

User Manager provides a login mechanism backed by Spring Security. Users authenticate with their credentials, and administrators manage those credentials through the administration interface — there is no open self-registration. Instead, administrators generate secure, time-limited links to invite new users or initiate password resets. These links are distributed externally and expire after a configurable period, preventing unauthorised account creation.

Users who are already authenticated can change their own password through a dedicated view that enforces the application's password validation rules.

External Authentication Providers

In addition to username and password, User Manager can delegate authentication to external identity providers over OAuth2 and OpenID Connect. Built-in support is shipped for Google and GitHub, and a small SPI lets developers add custom providers — including integrations such as Vaadin SSO Kit — without modifying the appjar itself.

Each provider is configured at runtime through a dedicated administration view. Administrators can enable or disable providers, store the client ID and secret, choose a default group for users created via the provider, and decide whether new users may sign up automatically through the provider or only those that have been pre-provisioned. The regular username and password provider is treated as just another entry in this list, so an application can run with both authentication mechanisms side by side, or with regular authentication entirely disabled in favour of external login only.

Pre-provisioned users can complete their registration link either by setting a password or by signing in through one of the configured external providers, as long as the external account matches the username chosen by the administrator. After registration, both paths remain available: a user who has set a password can still sign in with Google or GitHub, and a user who registered through Google can later receive a password reset link to enable regular login.

Roles

Authorization in User Manager is built on roles, also referred to as authorities. A role is a named permission category that can be assigned directly to a user. Vaadin security annotations such as @RolesAllowed respect these assignments, allowing developers to restrict individual views at development time.

Roles are managed through an administration view where administrators can create, rename, and delete them, and review how many users and groups each role is associated with.

Groups

When the number of users and roles grows, assigning roles to each user individually becomes error-prone and time-consuming. Groups address this by acting as a reusable bundle of roles. An administrator creates a group, assigns a set of roles to it, and then adds users to it; those users inherit all of the group's roles automatically.

Groups are optional. Applications with a small user base or a flat role structure can rely on direct role assignment alone.

Access Rules

Access Rules are the most distinctive feature of User Manager. While @RolesAllowed annotations define access requirements at development time, Access Rules allow administrators to define and modify those requirements at runtime without touching the code.

Each rule specifies which roles are required or disallowed for a given view path. Paths can be matched using exact strings, simple patterns, or regular expressions, which allows a single rule to cover many views at once. Rules are evaluated in priority order, so administrators can define broad access policies and then add specific exceptions for particular paths.

This makes User Manager particularly well suited to applications where security policies evolve frequently, where access decisions involve people outside the development team, or where the number of protected views makes annotation-based management impractical.