Documentation
Build the library and run the four reference demos.
Secure Vaadin views with annotations, SPI services, and access evaluators.
Secure REST handlers with subject resolution, permission annotations, and the authorization filter.
Secure plain Java services with Secured.wrap(…) — same annotations, no framework. CLI / desktop / batch apps.
@Secured compile-time processor + runtime SecuredProxy.wrap(…) — enforce annotations on plain Java methods.
Typesafe policy builder, @RequiresPolicy, sealed PolicyDecision, resource-aware authorization.
TenantId, tenant-scoped keys, SecurityVersion drift detection — role refresh for active sessions.
11 store SPIs, in-memory defaults, Eclipse Store reference, contract testkit, store-backed services.
Argon2id / bcrypt / scrypt, post-KDF pepper, compare-and-swap CredentialStore, atomic password change, breached-password checks, abuse detection.
OWASP ASVS V2, NIST SP 800-63B and a full 40-CWE traceability matrix with threat-vector coverage.
Modules, package layout, decision model, SecurityServiceResolver, reusable building blocks, mutation coverage.
First-run mechanism for creating the very first administrator account.
LogoutService.logout(SubjectId, LogoutScope) — current session or every session of the subject.
SecurityAuditService + 27 sealed AuditEvent types, ring-buffer sink, Vaadin /audit route, REST /api/audit.
LoginAttemptPolicy with lockout UI in Vaadin and 429 + Retry-After in REST.
Idle / absolute lifetime + session-id rotation after login.
What’s delivered and what’s still open.
00.70.00 — multi-tenancy, persistence, Policy API, method security, account lifecycle.