I've just got something a bit like this working. I have been supplied with the corporate SSO filter which pops a JSP login and sets the user name in the session, then it expects the target URL to deliver the application. Vaadin and JSP doesn't play too well together, especially when the SSO session times out and the SSO filter intercepts the JSON calls from the browser.
Here's the general approach:
1) Make sure your SSO filter is before the UIFilter already in the Explorer. It took me a confusing day to realise mine was the other way around.
2) Clone a copy of the Activiti UIFilter and change it to add your resources for exclusion so it doesn't put a /ui in front of them.
3) Add your own LoginHandler (I cloned the one in Activiti Explorer) and change the method:
authenticate(HttpServletRequest request, HttpServletResponse response)
so that it extracts the user name and, if you have them, permissions, from the session and set them up. The code for doing this if you have a username and password is in the existing handler so just modify it as you need to. Remember you don't need to check the password now. My SSO filter doesn't do authorisation, just authentication, so I need to create my users in the Activiti db and use the existing code, ie everything except check the password.
4) And one truly vital thing: make sure your login jsp includes the text "Vaadin-Refresh"" on it. This means the browser end will force a refresh if your SSO session times out because it sees that Vaadin-Refresh in the message.
If you want to send an actual URL containing the user/password (I've reread the original question) then you'd probably want to take it apart with a filter, set the user name in the session and use the same general approach I did.
