AngularJS Web Application with Spring Security

Question

I am working on implementing Spring Security in an AngularJS application. I am relatively new to both technologies, and I have found several very helpful sites with tutorial

Answer 1

You seem to be confusing Angular's client-side URL handling (based on the hashes, like '/#/splash') with Spring MVC's (and therefore Spring Security's) server-side URL handling.

Remember that Spring Security secures access to URLs on the server side, and that Angular is a single-page, client-side library.

When you first access your Angular page, you are getting it from the server, and Spring Security can restrict access depending on the login.

If you're still in your single-page Angular environment on the client, and navigate via Angular to "page" with a hash in the URL (See the AngularJS $location guide about hashbang URLs), you are not making a server request. You are requesting Angular to render a different template or state. This is client-side behavior, so Spring Security is not involved. You make a server request when you access a template HTML file (which Spring may return statically without authentication) or if you have set up a REST api to get data from your server (typically returning JSON formatted data for your application to use).

I believe that to make this work, the data for your protected resource ("/inventory") would have to not be included in the main application, requiring a separate server-side resource. This could include either the HTML template for the page and/or the data. Your AngularJS application should be able to recognize that this resource is not available and display something to the user to communicate the lack of authorization.