I understand that Vaadin uses some logic to only expose the UI code and then calls the server to access the code through Javascript. However let's say I have a Listener for example with some code that references other classes. So let's say I have something like:
PojoClass data = DatabaseClass.getDataFromDatabase();
doSomeProcessingOnData(data);
..
myTextField.setValue(data.getSomeValue());
..
Now how I can be sure that the code behind DatabaseClass is not exposed as Javascript. I assume this just happens, but more specifically how can say the doSomeProcessingOnData(data) method which may have calls to say 4-5 different classes that has some internal IP property not be exposed? I understand PojoClass will be exposed but I don't want the internals of doSomeProcessingOnData(data) to be exposed.
The business logic of your Vaadin app remains on the server-side in pure Java. So no risk of exposure.
Vaadin remotes the user-interface to the client.
For example, when a button is clicked, a signal is sent by the client-side JavaScript library to the server to run the ClickListener code on the server. If that server-side Java code causes changes to the state of the user interface widgets, then Vaadin relays those widget state changes to the client’s JavaScript library for visual updating to the user. The client-side remains blissfully unaware that your server-side Java code connected to a database, called on a web service, opened a socket connection to a data feed, made some accounting calculations resulting in a new "Grand Total" value, posted a message to a queue, sent out an email, and wrote entries into an audit trail. All the client-side knows is: "button clicked" --> "Grand Total textField has new value to display".