Currently learning Vaadin8+SpringBoot for Vaadin made me wanna forget about HTML for a while. Anyways, all is good for some CRUD operations until I mixed in SpringSecurity in the project. Well, I've been searching for days now and no solution could fit in well with the expected requirements.

Expected output:

• Vaadin8+SpringBoot+SpringSecurity
• All in one project/module/artifact
• 2 @SpringUI (MainUI = "", LoginUI = "/login")
• Multiple @SpringViews contained by MainUI's ViewDisplay

Limitations:

• No login.html (from the Vaadin's demo backery app)
• No SpringMVC for login page
• No vaadin4Spring dependency
• Configurations done through annotations and not through XMLs

I know there's a way, I'm blocked how to progress on this. And if it's really not possible, need to understand as to why it isn't.

When you configure Spring Security, you need to allow anonymous access to the /login URL (either login.html if it is a non-vaadin form, or the login UI path if you want a separate UI for login). You also need to restrict access to the actual application UI. You also need to allow anonymous access to the static resources (i.e. /VAADIN/**).

The SecurityConfig in Bakery may give you a starting point. (Note: the starter or its parts cannot be redistributed as a code example or template)

There is a more detailed explanation here, though it only covers Vaadin and Spring Security integration (i.e. no spring-boot).