JavaScript
Valentine, 2016-05-06 00:21:42

How to properly secure an Angular 2 + Spring REST application?

Good day to all! I ran into the following problem: I'm building a front end (Angular 2 + TypeScript) with Webpack. The application must be fully secured: accessing any page requires a role (ADMIN, USER).
Webpack, on the other hand, optimizes the code with one of its plugins (CommonsChunkPlugin), resulting in many small pieces: JS files, one HTML file, and assets, as in the screenshot below (screenshot not reproduced here).
Using Spring Security, we define access, for example like this:

.antMatchers("/home", "/")
.hasAnyRole("USER", "ADMIN")
Let's define a custom login form:
.formLogin().loginPage("/login")
.usernameParameter("username").passwordParameter("password")

We also implement the following interfaces so that they return only status codes, except for AuthenticationEntryPoint, because I still need a redirect from it:
AuthenticationSuccessHandler, AuthenticationFailureHandler, AuthenticationEntryPoint. principal (well, as I understand it, maybe something else needs to be requested; I would be glad for help), and if there is none, then redirect to the login page. In theory, Spring itself should do this when the server is requested, because I require a role for each resource. But if I move everything to the client and do permitAll() on all resources, then, in theory, someone can take my code, remove the check, and the server will be left with no protection for its resources at all.
If I move everything to the server, then I will have to open access to all resources, because I don't know which of the chunks is responsible for the login form, but I need it to load so that I can log in. To make it clearer: with this approach I can of course secure the URLs /admin and /user, but once I am on /user I can freely go where I have no rights, say "/admin/dashboard", the point being that this is not accessed through the URL but through the internal router-link, and the application will make a request not to localhost:8080/admin/dashboard but to localhost:8080/4.chunk.js, i.e. to the shared resource. I repeat: I don't know which of the chunks is responsible for what and, accordingly, I can't restrict access to them.
Thank you very much for your attention, I hope you will suggest the most rational solution!


1 answer(s)
Dmitry Belyaev, 2016-05-06
@bingo347

The right decision is to secure the backend api and not the client code
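To make the advice above concrete, here is an added example configuration (not code from the question or from the answer's author) showing the split it recommends: the Webpack output (index.html, chunks, assets) is served to everyone, because a bundle is not a secret and hiding individual chunks protects nothing, while the REST endpoints carry the role checks. The `/api/**` and `/api/admin/**` paths, the `/login` and `/logout` processing URLs and the Spring Security 4.x `WebSecurityConfigurerAdapter` style are assumptions for the example. Unauthenticated or failed calls get a 401 status instead of a redirect, so the Angular app can react in its own router; the Angular route guards then only decide what to show, and bypassing them exposes nothing the server would not refuse anyway.

```java
// Added example (assumed layout: SPA under /, REST API under /api/**); not the page's own code.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The built front end is public: index.html, every Webpack chunk, source maps
                // and static assets. Whoever reads them learns only the UI, not the data.
                .antMatchers("/", "/index.html", "/*.js", "/*.js.map", "/assets/**").permitAll()
                // The login/logout endpoints themselves must be reachable anonymously.
                .antMatchers("/login", "/logout").permitAll()
                // The data is what needs protection: most specific rule first.
                .antMatchers("/api/admin/**").hasRole("ADMIN")
                .antMatchers("/api/**").hasAnyRole("USER", "ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // No loginPage(): the SPA renders the form; Spring only processes the POST.
                .loginProcessingUrl("/login")
                .usernameParameter("username").passwordParameter("password")
                // Success: 200 with no redirect, the client continues on its own.
                .successHandler((request, response, authentication) ->
                        response.setStatus(HttpStatus.OK.value()))
                // SimpleUrlAuthenticationFailureHandler without a failure URL answers 401.
                .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler((request, response, authentication) ->
                        response.setStatus(HttpStatus.NO_CONTENT.value()))
                .and()
            .exceptionHandling()
                // An API call without a session gets 401 instead of a redirect to a login page;
                // the Angular router decides what to show. Authenticated but wrong role still
                // yields 403 from Spring, regardless of what the client-side guard allowed.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .csrf()
                // Session-cookie auth from a browser still needs CSRF protection; the token is
                // exposed in a readable cookie so the Angular HTTP client can send it back.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place the question's scenario is harmless: navigating to /admin/dashboard through a router-link does load 4.chunk.js, but every call that chunk makes to /api/admin/** is rejected with 403 for a user who only holds ROLE_USER, so removing the client-side check gains an attacker nothing.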
