Problem with Spring Security and AngularJS

2

I'm trying to set up my site so that I skip the login for a view in AngularJS (my view in Angular is called /validate#/validateusername/), but I could not get it to work. Any suggestions on how I can achieve this?

// In-memory user store with a single user
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication().withUser("137").password("user").roles("USER");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            // Paths open to unauthenticated requests
            .antMatchers("/forgotpassword").permitAll()
            .antMatchers("/validateusername/").permitAll()
            // Everything else requires a logged-in user
            .anyRequest().authenticated()
        .and()
            .formLogin()
            .loginPage("/login")
            .usernameParameter("username")
            .permitAll()
        .and()
            .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll()
        .and()
            // CSRF protection is switched off
            .csrf().disable();
}

asked by Edgar Conrado 29.01.2016 at 23:54

1 answer

6

It seems that you are confusing the URL handling of AngularJS on the client side (based on hashes, #) with the configuration of Spring Security.

Remember that Spring Security handles security on the server side, while AngularJS works on the client side.

If you are still in the one-page environment of AngularJS and navigate to another page with a hash (#) in the URL (check this link), you would not be making calls to the server.

What you actually do is ask AngularJS to render a template or a different state.

That's behavior on the client side, so Spring Security is not involved. You make calls to the server when you access an HTML file which could be returned statically without any authentication, or for example if you have a REST API configured, to obtain data from your server (typically returning data in JSON format).

I believe that for this to work the data for your protected resource ("/validate") should not be included in the main application, requiring a different server-side resource. This could include either the HTML file for the page or the data. Your AngularJS application should recognize that this resource is not available and show some message to the user to communicate that there are not enough permissions.

Just to finish, I think you could concentrate the permissions on your REST APIs instead of the pages themselves, since AngularJS applications usually work on a single page.

answered by 30.01.2016 / 00:17
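
The point made in the answer, as an added example that is not part of the original question or answer: it splits an address-bar URL into the part the browser sends and the fragment it keeps, then checks the sent path against the paths the question's configuration leaves open. The origin `http://localhost:8080`, the function names and the exact-match lookup (a simplification of Spring Security's Ant-style matching, valid here because the question's patterns contain no wildcards) are assumptions.

```javascript
// Added example: what the server-side rules from the question get to see.
// ORIGIN is a constructed placeholder, not a value from the page.
const ORIGIN = "http://localhost:8080";

// Paths the question's configuration leaves open: the two
// antMatchers(...).permitAll() entries plus the login page opened by
// formLogin().loginPage("/login").permitAll().
const PERMIT_ALL = ["/forgotpassword", "/validateusername/", "/login"];

// Split an address-bar URL into the request target that goes on the wire
// and the fragment, which stays in the browser for AngularJS routing.
function splitBrowserUrl(addressBarUrl) {
  const url = new URL(addressBarUrl, ORIGIN);
  return {
    requestTarget: url.pathname + url.search, // sent to the server
    fragment: url.hash,                       // never sent to the server
  };
}

// Simplified stand-in for the server's rule lookup (assumption: exact
// comparison of the path, since none of the patterns use wildcards).
function serverDecision(addressBarUrl) {
  const { requestTarget, fragment } = splitBrowserUrl(addressBarUrl);
  const path = requestTarget.split("?")[0];
  const matchedRule = PERMIT_ALL.includes(path) ? path : null;
  return {
    requestTarget,
    fragment,
    matchedRule,
    access: matchedRule ? "permitAll" : "authenticated",
  };
}

// Constructed sample URLs: the view from the question, then two open paths.
const SAMPLES = [
  "/validate#/validateusername/",
  "/forgotpassword",
  "/login?logout",
];

for (const sample of SAMPLES) {
  console.log(sample, "->", JSON.stringify(serverDecision(sample)));
}
```

The first sample reaches the server as `/validate` only, so the `/validateusername/` rule is never consulted and the request falls through to `anyRequest().authenticated()`.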