angularj-universal icon indicating copy to clipboard operation
angularj-universal copied to clipboard
verified publisher icon swaechter

Integrate Spring Security

Open MarkVink opened this issue 8 years ago • 3 comments

I'm pleased to see your solution to provide a bridge between the popular Java framework Spring Boot and the popular front-end framework Angular. Your project will make it possible to just implement your application once -and render it both on the client and server side.

As of right now, the provided functionality will be sufficient for some simple websites: front-end application with a simple Java back-end. For those projects, the main requirement of this solution would be that it becomes tested and production-ready.

On the other hand, most websites with backend API's requires some sort of authentication. Therefore it would be great to implement Spring Security in the Spring Boot example - or at least have a discussion on how we could achieve such authentication.

Normally we could serve the Angular application and then use cookies or tokens to authenticate towards the back-end API. When a visitor refreshes the web page or follows a direct link, the Angular page will be rendered on the backend, without this knowledge. In my point of view, we should pass some information from the current request on the Angular application.

MarkVink avatar Aug 10 '17 19:08 MarkVink

Thank you very much! As you mentioned, AngularJ Universal is already working for simple applications, but we need to cover more workflows (Read: More complex applications) and cover the code base with tests.

During my hiking trip last weekend I thought about moving all Spring related functionality into an own Spring Boot starter. I want to keep the SDK/render technology technology/web framework independent, but due the fact that I am using Spring Boot at work and for private projects, I am really interested in having a "zero configuration or only via properties" solution like given with a Spring Boot starter.

I would like to use this thread for collecting requirements for 1.) a real world application and 2.) for a Spring Boot starter library (The more technical part of both):

1.) Real world requirements:

  • Render a page on the server side, serve the result and provide a transition to the client side (See issue #8)
  • AJAX/REST request to unauthenticated endpoint
  • AJAX/REST request to authenticated endpoint (JWT/OAuth2 etc.)
  • Store an access token via cookie or local storage etc.
  • Redirect via server
  • Animations (To be honest: I completely ignored them at the moment, looks like a lot of pain)

2.) Spring Boot starter requirements (Check out https://jira.spring.io/browse/SPR-13508):

  • Provide a template view system so a Spring developer can use ModelAndView to serve an AngularJ Universal server side render page. In case we have more render implementations beside the V8RenderEngine one, one has to provide a bean with the desired render engine (For example a bean method that returns an AlternativeRenderEngine aka RenderEngine object). On the other hand it should also be possible to handle this situation with classpath scanning.
  • Provide the resources to make a client transition possible. Otherwise we have to server side render all page requests. That's possible but will require more resources and somehow eliminates the advantages of server side rendered SPA's
  • Integrate the Angular routing into the Spring routing (See thoughts bellow)
  • Allow settings changes via properties

At the moment I am not sure what people (@MarkVink @srinivasvsk) expect from a Spring security integration. I would be really glad if they would be able to share their thoughts/example code etc..

A few personal thoughts/discussion points:

  • In traditional system that use server side rendering (like JSP), accessing an unauthorized endpoint ends up in a redirect, for example to the login page. The redirect happens before the endpoint is even accessed & rendered. I am not sure if we should ask the Angular application for all endpoints (Lazy loading?) and add the endpoints to our Spring Boot application of if the Angular application should handle the redirect to it's login page itself. The first approach is in my humble opnion really complicated whereas the second one is more or less only a wildcard action to / (But guess what will happen if someone is going to misspell an endpoint - hello index page HTML and bye bye JSON and 404 error code)
  • If you are using AJAX/REST requests while server side rendering a page, you have to state the full (!) URL + URI of a request. Requests like /api/quotes won't work and has to be replaced with http://localhost:8080/api/quotes etc. If you are using localost you will lose all information for virtual hosts (https://en.wikipedia.org/wiki/Virtual_hosting). If somehow possible we have to work with the host name of the request (That also require that the server endpoint is running during tests etc.). At the moment I use a hard coded value (https://github.com/swaechter/angularj-universal/blob/master/angularj-universal-application/src/main/angular/src/app/settings.ts)

Hopefully I didn't miss a thing, otherwise mention it and I will ask it

swaechter avatar Aug 14 '17 20:08 swaechter

@MarkVink With commit 5ed904a9772087da1141903870070412068222bf I added a working Spring Boot starter integration which:

  • Setup the renderer
    • Load the index template and server bundle
    • Create a resource asset provider
    • Create a V8 render engine and renderer
  • Provides a view engine that is rendering views with ModelAndView like here: https://github.com/swaechter/angularj-universal/blob/master/angularj-universal-example-spring-boot/src/main/java/ch/swaechter/angularjuniversal/example/springboot/ContentController.java

At the moment you have to define all your routes as ModelAndView and hardcoded in the view resolver (See https://github.com/swaechter/angularj-universal/blob/master/angularj-universal-spring-boot-starter/src/main/java/ch/swaechter/angularjuniversal/springboot/starter/AngularJUniversalViewResolver.java#L53). I already have an idea how to solve that.

Today or in the next few days I will also add a more business-ish application with JWT Token authentication/Login system, Bootstrap UI and more (I am open for input).

As soon as we have these things implemented, I see nothing that prevents the use of AngularJ Universal in a production environment.

swaechter avatar Aug 22 '17 10:08 swaechter

Simon,

Thanks so much for providing this library, your library makes it easy to render Angular2 on Server Side using (Spring Boot or JavaEE) with minimal configuration.

I really like the design and the idea of having two rendering options:

  1. angularj-universal-renderer: Render SDK that provides the core functionality and allows a developer to implement an own render solution.

  2. angularj-universal-renderer-v8: Specific render solution that uses a Node.js/V8 engine for rendering.

I have a question, above you mentioned

Animations (To be honest: I completely ignored them at the moment, looks like a lot of pain)

Do you mean by not having the "window, document, navigator, and other browser types - do not exist on the server"?

I think Angular5 will have strategy that reuses DOM elements/CSS rendered on the server.

kamalhashi avatar Aug 22 '17 14:08 kamalhashi