
  • Using Spring Security with single page application

    Hi,

    I am currently working on a project that uses Spring 3 REST services on the backend and a single-page-application architecture on the front-end based on the JavaScript MVC framework.

    Now I would like to secure my application using Spring Security. I could easily place authentication based on LDAP and set up authorization access over my REST URLs, as there is enough documentation for it. I would call that 'back-end security'.

    However, I am a bit stuck over two points client-wise:
    • As the client is 100% made of JavaScript files, should I restrict access over my .js files with intercept-url patterns so that they do not get loaded if the user does not have access to that page?
    • Should I keep the jsessionid and Spring Security tokens in a JavaScript MVC model object and send it back to the server every time I make a REST call? HTTP being stateless, I guess that should be possible.

    Thanks for any help,
    Jimmy

  • #2
    Why would/should it be different from other web-based applications? You still call URLs and those should be secured; whether the URL is called by a browser, a piece of JavaScript or whatever doesn't matter. It is the URL that matters.

    How and where you store your credentials is up to you; by default Spring Security stores them in the session, but you could replace that with a mechanism that stores them in a cookie instead.



    • #3
      Thanks

      Thanks for your reply Marten, I was in fact just looking for best practices with SPA architecture using Spring Security. Handling the credentials in the cookie seems indeed the best way here.

      Originally posted by Marten Deinum
      Why would/should it be different from other web-based applications? You still call URLs and those should be secured; whether the URL is called by a browser, a piece of JavaScript or whatever doesn't matter. It is the URL that matters.

      How and where you store your credentials is up to you; by default Spring Security stores them in the session, but you could replace that with a mechanism that stores them in a cookie instead.
