What should the security configuration look like?

[peholmst]

The current security configuration should be improved:

• The application services are quite fine-grained, but the views are secured with roles. Because of this, the authorities are roles even though they should be more like permissions.
• Users need to get assigned lots of roles to be able to do basic tasks.
• The user database is really simple, but still uses its own custom UserDetailsService. It could just use the built-in Spring Security services if it wasn't for the displayName attribute.
• There is no way of managing users or changing the password.
• There is no support for multi-factor authentication.
• There is no support for passkeys.
• Having the login UI implemented with Vaadin creates a new session with a Vaadin UI just to be able to login. This can in theory be used as a DoS attack vector. Just hit the login page enough times to consume lots of memory.

Given that this application should demonstrate a proper way of doing security in production, this is just not good enough. But what should we implement instead?

[peholmst]

Two alternatives that come to mind:

1. Let Spring Security handle everything, enabling both form login, 2FA, and pass keys. Theme the form login so that it matches the rest of the application. We would still have to implement a user interface for managing users and if we need additional information like profile pictures and display names, we probably need a custom user details service as well.
2. Use Keycloak. It should be possible to fire it up as a test container and use it during local development, but it adds some complexity to the application. You could also have separate security configurations, one for local development and another for production but that would make things even more complex.

If the user pictures are the employee pictures from #3 , then we need to figure out how to do this mapping.

[simasch]

I would never run a Vaadin application in the internet without a revers proxy that will prevent from Ddos attacks in front.