Very sloppy!
I'm using my spring + security angular application on the BE. To overcome authorization, I had to make the following crutch:
Spring returns its own authorization page with a form and cookies.
My BE development partner created a restful method, to which I send parameters from the application's angular (login + password + remember me attribute) - and after receiving these parameters, it emulates filling and submitting a spring form and returns a set of headers + cookies generated by the spring in the response security.
The rest (except for this crutch) is pure restful.
Based on the set of user roles, I already at the front determine which sections of the menu / navigation are visible to the user.
Theoretically, he can manually enter the URL of the section that is not visible in the browser and go to it.
But I do not consider it necessary to fence protection at this level.
Even if it hits an "inaccessible" page - there is a role check at the restful API level