Made in the European Union · Independently built · Released under EUPL 1.2
v00.72.00 — Delivered

✅ Delivered in 00.72.00 — the latest release on Maven Central. The public DX types carry @ExperimentalSecurityApi until the wiring follow-ups planned for V00.73. See the 00.72.00 release notes and Quick Start.

Theme

After 00.70 (integration layer) and 00.71 (credential stack), the technical surface is broad — but the entry barrier is high. A new integrator today has to know several SPIs, write their META-INF/services entries exactly, and understand the wiring order. Most mistakes happen in the integration, not in the security code.

v00.72.00 is a deliberate stabilisation / adoption release. It adds no new security primitives and replaces no SPI. It makes the power built up across V00.60–V00.71 accessible through four connected DX building blocks — and it lands before later infrastructure (Security Event Bus, MFA, OIDC) widens the surface again, so those modules can plug into the same builders, diagnostics and starter.

The four building blocks

1. Fluent bootstrap

A typesafe builder per adapter — VaadinSecurity.bootstrap(), RestSecurity.bootstrap(), StandaloneSecurity.bootstrap() — that configures authentication, authorization, audit, sessions, policies, roles and credentials in one call path and returns a diagnostic SecurityRuntime.

SecurityRuntime runtime = VaadinSecurity.bootstrap()
    .subjectType(User.class)
    .authentication(new MyAuthService())
    .authorization(new MyAuthzService())
    .audit(a -> a.ringBuffer(256).logging())
    .sessions(s -> s.idleTimeout(Duration.ofMinutes(30)).rotateOnLogin())
    .loginRoute("/login")
    .mode(SecurityBootstrapMode.PRODUCTION)
    .install();

SecurityBootstrapMode: COMMUNITY_DEFAULTS / DEVELOPMENT / PRODUCTION / STRICT. STRICT fails loud on any missing critical SPI; the others record warnings. Every applied default is visible (defaulted=true) in a secret-free startup log.
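
The following is an added illustration of the mode semantics just described; it is not the library's own bootstrap code. The class and record names (BootstrapModeDemo, BootResult, RingBufferAudit, DefaultSessionPolicy), the set of "critical" SPIs and the fallback table are assumptions made for the demo; the mode names and MyAuthService come from this page. It shows the two behaviours side by side: STRICT refuses to start when a critical SPI is absent, the other modes record a warning and continue, and the startup log lists implementations and defaulted=true flags by class name only, so a secret held by a service instance cannot reach the log.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not the library's bootstrap: a mode decides whether a missing
 * critical SPI is fatal or a recorded warning, and the startup log names the
 * wired implementations without ever touching their configuration.
 */
public final class BootstrapModeDemo {

    enum Mode { COMMUNITY_DEFAULTS, DEVELOPMENT, PRODUCTION, STRICT }

    /** One wired SPI slot. Only the implementation's class name is retained for logging. */
    record Slot(String spi, String implementation, boolean defaulted) {}

    static final class BootResult {
        final List<Slot> slots = new ArrayList<>();
        final List<String> warnings = new ArrayList<>();
    }

    /** SPIs that must be wired explicitly (assumed set); STRICT refuses to start without them. */
    static final Set<String> CRITICAL = Set.of("AuthenticationService", "AuthorizationService");

    /** SPIs with a safe fallback (assumed set); the fallback is applied but flagged defaulted=true. */
    static final Map<String, Object> FALLBACKS = Map.of(
            "AuditService", new RingBufferAudit(),
            "SessionPolicy", new DefaultSessionPolicy());

    static BootResult bootstrap(Mode mode, Map<String, Object> explicit) {
        BootResult result = new BootResult();
        for (String spi : CRITICAL) {
            Object impl = explicit.get(spi);
            if (impl == null) {
                String msg = "missing critical SPI " + spi;
                if (mode == Mode.STRICT) throw new IllegalStateException(msg);   // fail loud
                result.warnings.add(msg);                                        // other modes: warn, continue
            } else {
                result.slots.add(new Slot(spi, impl.getClass().getSimpleName(), false));
            }
        }
        for (Map.Entry<String, Object> fb : FALLBACKS.entrySet()) {
            boolean defaulted = !explicit.containsKey(fb.getKey());
            Object impl = defaulted ? fb.getValue() : explicit.get(fb.getKey());
            result.slots.add(new Slot(fb.getKey(), impl.getClass().getSimpleName(), defaulted));
        }
        return result;
    }

    /** Startup log built from class names only; a service's fields (credentials, URLs) never reach it. */
    static String startupLog(Mode mode, BootResult result) {
        StringBuilder sb = new StringBuilder("security bootstrap mode=").append(mode).append('\n');
        for (Slot s : result.slots) {
            sb.append("  ").append(s.spi()).append(" -> ").append(s.implementation());
            if (s.defaulted()) sb.append(" (defaulted=true)");
            sb.append('\n');
        }
        for (String w : result.warnings) sb.append("  WARN ").append(w).append('\n');
        return sb.toString();
    }

    // Stand-in implementations. The auth service carries a secret on purpose, to show
    // that it is absent from the log (a record's toString() would have printed it).
    record MyAuthService(String ldapBindPassword) {}
    record RingBufferAudit() {}
    record DefaultSessionPolicy() {}

    public static void main(String[] args) {
        Map<String, Object> wired = new LinkedHashMap<>();
        wired.put("AuthenticationService", new MyAuthService("constructed-bind-pw-do-not-log"));

        // DEVELOPMENT: the missing AuthorizationService is recorded as a warning and startup continues.
        BootResult dev = bootstrap(Mode.DEVELOPMENT, wired);
        String log = startupLog(Mode.DEVELOPMENT, dev);
        System.out.print(log);
        if (log.contains("do-not-log")) throw new AssertionError("secret leaked into startup log");
        if (dev.warnings.size() != 1) throw new AssertionError("expected exactly one warning");

        // STRICT: the same gap is fatal before any request can be served.
        try {
            bootstrap(Mode.STRICT, wired);
            throw new AssertionError("STRICT should have refused to start");
        } catch (IllegalStateException expected) {
            System.out.println("STRICT refused to start: " + expected.getMessage());
        }
    }
}
```

The design point worth keeping from this: the log never calls toString() on a service instance, because a record or bean that holds a bind password would print it. Naming the class is enough for an operator to see what was wired and which slots were filled by a default.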

2. @SecurityAutoService

A dependency-free annotation + JDK-only processor that generates the META-INF/services files for you — no external Google AutoService library (Maven Enforcer blocks it). A marker-comment protocol preserves hand-written entries across rebuilds.

@SecurityAutoService(AuthenticationService.class)
public final class MyAuthService implements AuthenticationService<Credentials, User> { /* ... */ }
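
The marker-comment protocol is the part of the processor an integrator most needs to trust, so here is an added worked example of how such a merge keeps hand-written entries intact across rebuilds. It is not the project's processor; the exact marker strings, the class name ServicesFileMerger and the sample entries (com.example.*) are this example's assumptions. The only facts taken from the page are that generated entries live in a delimited region and that everything outside it is preserved; the `#` comment syntax is that of JDK ServiceLoader provider files.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example, not the project's processor: merging generated entries into a
 * META-INF/services file while preserving hand-written lines outside a marker region.
 */
public final class ServicesFileMerger {

    // The marker strings are this example's assumption; the page only states that a
    // marker-comment protocol exists. '#' starts a comment in ServiceLoader files.
    static final String BEGIN = "# BEGIN generated by @SecurityAutoService - do not edit inside this block";
    static final String END   = "# END generated by @SecurityAutoService";

    /** Entry name of a service-file line: comment stripped, whitespace trimmed ("" for blank/comment lines). */
    static String entryOf(String line) {
        int hash = line.indexOf('#');
        return (hash >= 0 ? line.substring(0, hash) : line).trim();
    }

    /**
     * Rewrites only the region between BEGIN and END. Lines before and after it
     * (hand-written entries, comments, blank lines) are copied verbatim. A file with
     * no markers yet gets the generated region appended. Generated entries that a
     * human already listed are skipped so the file never lists a class twice.
     */
    static String merge(String existing, Set<String> generated) {
        List<String> before = new ArrayList<>();
        List<String> after = new ArrayList<>();
        if (existing != null) {
            List<String> target = before;
            boolean inGenerated = false;
            for (String line : existing.split("\\R")) {
                if (line.equals(BEGIN)) { inGenerated = true; target = after; continue; }
                if (line.equals(END))   { inGenerated = false; continue; }
                if (!inGenerated) target.add(line);
            }
        }
        Set<String> manual = new LinkedHashSet<>();
        for (String l : before) manual.add(entryOf(l));
        for (String l : after)  manual.add(entryOf(l));

        StringBuilder out = new StringBuilder();
        for (String l : before) out.append(l).append('\n');
        out.append(BEGIN).append('\n');
        for (String impl : new TreeSet<>(generated))        // sorted: stable diffs across rebuilds
            if (!manual.contains(impl)) out.append(impl).append('\n');
        out.append(END).append('\n');
        for (String l : after) out.append(l).append('\n');
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed hand-written file, as an integrator might have left it before adopting the processor.
        String handWritten = "# wired by hand in 00.71\n"
                + "com.example.LegacyAuthService\n";
        Set<String> generated = Set.of("com.example.MyAuthService", "com.example.LegacyAuthService");

        String first = merge(handWritten, generated);
        System.out.print(first);
        // Invariants a rebuild must keep: the manual entry survives, and re-running is a no-op.
        if (!first.contains("com.example.LegacyAuthService\n")) throw new AssertionError("manual entry lost");
        if (first.indexOf("LegacyAuthService") != first.lastIndexOf("LegacyAuthService")) throw new AssertionError("duplicated");
        if (!merge(first, generated).equals(first)) throw new AssertionError("merge is not idempotent");

        // The user later adds an entry after the block by hand and the processor runs again.
        String edited = first + "com.example.ExtraAuthService   # added by hand\n";
        String second = merge(edited, Set.of("com.example.MyAuthService"));
        if (!second.contains("com.example.ExtraAuthService   # added by hand")) throw new AssertionError("trailing edit lost");
        System.out.print(second);
    }
}
```

Two properties matter for a build-time generator of security wiring: the merge is idempotent (a second run on its own output changes nothing, so clean builds do not churn the file) and it never silently drops a provider an integrator wired by hand, which in a services file would mean the corresponding SPI quietly falls back to a default.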

3. security-vaadin-starter

A declarative layer over the existing Secured* components: SecuredUi.button / link / menuItem builders, a @SecureRoute(roles, permissions, policy) annotation with most-restrictive-wins semantics, and development / production / strict profiles.
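
The phrase "most-restrictive-wins" deserves a concrete reading, so the following added example models one: when a route's own constraint is combined with an enclosing one, allowed roles are intersected, required permissions are unioned, and policies are conjoined, so the effective constraint is never looser than either input. This is example code, not security-vaadin-starter; the real @SecureRoute shape is not shown on the page, and the Constraint and Subject records, the role and permission names, and the "empty intersection means unreachable" rule are all assumptions of the demo.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;

/** Added example (not security-vaadin-starter code): one reading of most-restrictive-wins. */
public final class SecureRouteMerge {

    record Subject(String id, Set<String> roles, Set<String> permissions) {}

    /**
     * A @SecureRoute-style constraint (assumed shape). anyRole: the subject needs at least one
     * of these (empty Optional = no role constraint). allPermissions: the subject needs all of
     * them. policies: every predicate must accept the subject.
     */
    record Constraint(Optional<Set<String>> anyRole, Set<String> allPermissions, List<Predicate<Subject>> policies) {

        /** Merge so that the result is never looser than either input. */
        Constraint and(Constraint other) {
            Optional<Set<String>> roles;
            if (anyRole.isEmpty()) roles = other.anyRole;
            else if (other.anyRole.isEmpty()) roles = anyRole;
            else {                                        // both constrain roles: intersection
                Set<String> both = new HashSet<>(anyRole.get());
                both.retainAll(other.anyRole.get());
                roles = Optional.of(Set.copyOf(both));
            }
            Set<String> perms = new LinkedHashSet<>(allPermissions);
            perms.addAll(other.allPermissions);           // union: every required permission stays required
            List<Predicate<Subject>> pol = new ArrayList<>(policies);
            pol.addAll(other.policies);                   // conjunction: every policy must still pass
            return new Constraint(roles, Set.copyOf(perms), List.copyOf(pol));
        }

        /** An empty role intersection means nobody qualifies; fail closed rather than drop the check. */
        boolean unreachable() { return anyRole.isPresent() && anyRole.get().isEmpty(); }

        boolean allows(Subject s) {
            if (unreachable()) return false;
            if (anyRole.isPresent() && s.roles().stream().noneMatch(anyRole.get()::contains)) return false;
            if (!s.permissions().containsAll(allPermissions)) return false;
            return policies.stream().allMatch(p -> p.test(s));
        }
    }

    public static void main(String[] args) {
        // Enclosing (layout/class-level) constraint and the route's own, both constructed for the demo.
        Constraint layout = new Constraint(Optional.of(Set.of("ADMIN", "AUDITOR")), Set.of("reports:read"), List.of());
        List<Predicate<Subject>> noServiceAccounts = List.of(s -> !s.id().startsWith("svc-"));
        Constraint route = new Constraint(Optional.of(Set.of("AUDITOR", "USER")), Set.of("reports:export"), noServiceAccounts);
        Constraint effective = layout.and(route);
        System.out.println("effective roles=" + effective.anyRole().orElse(Set.of())
                + " permissions=" + effective.allPermissions());

        Subject admin   = new Subject("alice", Set.of("ADMIN"),   Set.of("reports:read", "reports:export"));
        Subject auditor = new Subject("bob",   Set.of("AUDITOR"), Set.of("reports:read", "reports:export"));
        Subject reader  = new Subject("carol", Set.of("AUDITOR"), Set.of("reports:read"));
        Subject robot   = new Subject("svc-x", Set.of("AUDITOR"), Set.of("reports:read", "reports:export"));

        // ADMIN passes the layout alone but not the merged constraint: restriction only ever tightens.
        if (effective.allows(admin))    throw new AssertionError("admin must be denied");
        if (!effective.allows(auditor)) throw new AssertionError("auditor must be allowed");
        if (effective.allows(reader))   throw new AssertionError("missing permission must deny");
        if (effective.allows(robot))    throw new AssertionError("policy must deny");

        // Disjoint role sets make the route unreachable; report it at registration instead of widening.
        Constraint disjoint = layout.and(new Constraint(Optional.of(Set.of("USER")), Set.of(), List.of()));
        System.out.println("disjoint roles -> unreachable=" + disjoint.unreachable());
    }
}
```

The edge case to watch in any such merge is the empty intersection: a naive implementation that treats "no roles left" as "no role constraint" turns the most restrictive combination into the least restrictive one. Reporting the route as unreachable is the safe default, and it is exactly the kind of finding a diagnostics report should surface at startup.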

4. Visible compile-time wrapper path + diagnostics

security-processor and proxybuilder (from V00.70) are positioned as a first-class DX feature, surfaced through SecurityDiagnostics.inspect() with a SecurityProcessorReport and a missing-wrapper warning for @Secured classes without a generated <Type>Secured.
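
An added example of the missing-wrapper check described above, written as a reflection-based scan rather than as SecurityDiagnostics.inspect() itself (which is not shown on the page). The @Secured annotation stand-in, the MissingWrapperCheck and Finding names, the sample OrderService/PaymentService types and the assumption that a generated wrapper is assignable to the type it wraps are this example's; the <Type>Secured naming convention is from the page.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.ArrayList;
import java.util.List;

/** Added example, not SecurityDiagnostics itself: detect @Secured types that lack their generated wrapper. */
public final class MissingWrapperCheck {

    /** Stand-in for the library's @Secured marker (assumed shape). */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface Secured {}

    record Finding(String type, String expectedWrapper, boolean wrapperPresent) {}

    /** The <Type>Secured convention is from the page; the lookup strategy is this demo's. */
    static List<Finding> inspect(List<Class<?>> candidates) {
        List<Finding> out = new ArrayList<>();
        for (Class<?> c : candidates) {
            if (!c.isAnnotationPresent(Secured.class)) continue;   // not in scope
            String wrapper = c.getName() + "Secured";              // works for nested types too (Outer$Type)
            boolean present;
            try {
                Class<?> w = Class.forName(wrapper, false, c.getClassLoader());
                present = c.isAssignableFrom(w);   // a class that cannot stand in for the type is no wrapper
            } catch (ClassNotFoundException e) {
                present = false;
            }
            out.add(new Finding(c.getName(), wrapper, present));
        }
        return out;
    }

    /** Turn findings into the warnings a startup report would print. */
    static List<String> warnings(List<Finding> findings) {
        List<String> w = new ArrayList<>();
        for (Finding f : findings)
            if (!f.wrapperPresent())
                w.add("@Secured " + f.type() + " has no generated " + f.expectedWrapper()
                        + "; callers receive the unguarded type");
        return w;
    }

    // Constructed sample types: one with its wrapper, one without.
    @Secured static class OrderService {}
    static class OrderServiceSecured extends OrderService {}
    @Secured static class PaymentService {}

    public static void main(String[] args) {
        List<Finding> findings = inspect(List.of(OrderService.class, PaymentService.class));
        findings.forEach(System.out::println);
        List<String> warn = warnings(findings);
        warn.forEach(System.out::println);
        if (warn.size() != 1 || !warn.get(0).contains("PaymentService")) throw new AssertionError(warn);
    }
}
```

The reason this warning is worth a first-class place in diagnostics: a class marked @Secured whose wrapper was never generated (processor not on the compile path, annotation processing disabled in the IDE build) compiles and runs normally, with the authorization checks simply absent. A startup-time scan turns that silent gap into a visible finding.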

Scope discipline

  • No new runtime dependency in security-core.
  • Fully additive — manual META-INF/services, direct SecurityServiceResolver access and hand-wired bootstraps all keep working.
  • Diagnostics never include secrets — subject IDs, role and permission names only.

Status

  • Released on Maven Central (00.72.00); 7 new modules (16 → 22).
  • DX surface marked @ExperimentalSecurityApi; live sub-builder wiring + the wrapper-index writer are staged for V00.73.
  • First-PIT coverage on the new modules; uplift tracked for V00.73.

Source

Konzept-V00.72.00.md in the project repository is the canonical design document.