Coding authorization using request data

Let's study a strategy to implement authorization outside UI components. Web frameworks can be classified as:

  • Component-based frameworks
  • Request/response-based frameworks

Vaadin Framework is a component-based framework. It abstracts away the concept of request and response: you don't have to think much about it when developing a Vaadin application, and that's one of the key features of the framework. Because it lets developers implement a web application directly in the Java programming language, developers can use any object-oriented technique to implement features such as authorization. In fact, in the previous section we explored how to do so using simple Java if statements.

Request/response-based frameworks, on the other hand, usually make it a bit harder to use the approach we discussed in the previous section (coding the authorization logic directly in the UI component), in part because the UI layer runs on the client side. Coding authentication rules on the client side is a no-go. How do request/response-based frameworks implement authorization? Typically, these frameworks include a front controller, a software entity that processes all the requests and decides which portion of your code should be invoked. It's then easy to add a filter that secures the requested resources according to a set of rules. In short, authorization is implemented with a combination of server-side code (which decides what to show in the browser) and a filter securing URLs according to authorization rules.

Can we use something similar with Vaadin? Let's explore what request information Vaadin exposes and see how we can take advantage of it in order to design an authentication mechanism that is completely decoupled from the actual UI components.
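As an added illustration of the front-controller-plus-filter approach just described (example code written for this page, not code from the original text or from the Vaadin project), here is a servlet filter that maps URL prefixes to the roles allowed to reach them and denies by default, so an unmapped path or a missing session is never exposed. It assumes Servlet 4.0 and Java 9 or later, and that the authenticated user's roles were stored in the HTTP session under the constructed attribute name "user.roles".

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Authorization filter placed in front of the front controller (the Vaadin servlet).
// Constructed assumptions: the authenticated user's roles live in the session attribute
// "user.roles" as a Set<String>; the path rules below are illustrative only.
public class UrlAuthorizationFilter implements Filter {
    private static final String ROLES_ATTRIBUTE = "user.roles";
    // Ordered rules: first matching prefix wins, so specific prefixes precede the catch-all "/".
    private final Map<String, Set<String>> rules = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) {
        rules.put("/admin/", Set.of("ADMIN"));
        rules.put("/reports/", Set.of("ADMIN", "ANALYST"));
        rules.put("/", Set.of("USER", "ANALYST", "ADMIN"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Decide on the server-side path, never on anything the browser claims in a header.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        Set<String> required = requiredRoles(path);
        Set<String> granted = currentRoles(request.getSession(false));
        // Deny by default: traversal attempts, unmatched paths and missing sessions all fail.
        if (path.contains("..") || required == null || granted == null
                || granted.stream().noneMatch(required::contains)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    Set<String> requiredRoles(String path) {
        // "/admin" must match the "/admin/" rule, but "/administrator" must not.
        String candidate = path.endsWith("/") ? path : path + "/";
        for (Map.Entry<String, Set<String>> rule : rules.entrySet()) {
            if (candidate.startsWith(rule.getKey())) return rule.getValue();
        }
        return null;
    }

    @SuppressWarnings("unchecked")
    private Set<String> currentRoles(HttpSession session) {
        return session == null ? null : (Set<String>) session.getAttribute(ROLES_ATTRIBUTE);
    }
}
```

Register the filter on the same URL pattern as the Vaadin servlet so every request passes through it before the front controller dispatches to UI code.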
