spring-guides / tut-spring-security-and-angular-js

Spring Security and Angular: A tutorial on how to use Spring Security with a single page application with various backend architectures, ranging from a simple single server to an API gateway with OAuth2 authentication.

Home Page: https://spring.io/guides/tutorials/spring-security-and-angular-js/


redirect always to login page (not to basic authentication window)

umbreak opened this issue · comments

commented

I find the example with multiple UIs and a Gateway very useful. However, if you access several other resources directly (localhost:8181 or localhost:8080/ui/) you will be prompted with basic auth.

In most production environments, any access to a protected resource will result in a redirection to the login page. I find it appropriate to have a centralized authentication & authorization point, like the Gateway is doing, and every request to any resource in the system which is not logged in should be redirected to the login page in the Gateway. In this case we assure that it is really a centralized login point.

I've tried to implement that by changing the httpBasic in GatewayApplication to formLogin and changing the gateway.js authenticate function to POST the login as x-www-form-urlencoded. This works for the requests to the backend, but as soon as we access the UI and come back to the backend... it does not work. I also did not find a solution to redirect anything in the UI (localhost:8181) when it is accessed directly and there are no credentials.

Why would users ever have a link to the back end services directly if there is a gateway? The point of the gateway is that you don't have to deal with this kind of problem.

commented

I do understand your point, however, anything which is exposed is likely to be accessed directly or not.

localhost:8080/ui is exposed, so there should be a way to handle that possible access.

It's easy to deny access. What you are trying to do is not worth the extra effort IMO, because the backend services should not need to know about the gateway.

In case anyone wanted to try it, adding OAuth2 and making the backends @EnableResourceServer would have a nice side effect (for the OP) of denying access by default to browsers trying to contact the backends directly.

Also, irrespective of whether you use tokens or not, (as I think is pointed out in the tutorial) you can set up the backends with different (or no) user credentials than the gateway. That way browsers do not have access even if authenticated with the gateway.
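The second suggestion above (backends with credentials distinct from the gateway's user credentials) as an added illustration; this is not code from the tutorial or from the thread. It assumes Spring Boot 1.x / Spring Security 4 (the `WebSecurityConfigurerAdapter` style used by the tutorial), a hypothetical service account `gateway-service` that only the gateway knows, and that the gateway adds that Basic credential to the requests it proxies; `CHANGE-ME` is a placeholder.

```java
// Added example (not the tutorial's code): security configuration for a backend
// service that accepts ONLY the gateway's service account. A browser that is
// logged in to the gateway holds a gateway session cookie, not this credential,
// so a direct request to the backend (e.g. localhost:8181) is rejected with 401
// rather than served. Assumes Spring Security 4 (plain-text in-memory password).
package demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class BackendSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical service account; the gateway is the only client that knows it.
    // In a real deployment the password comes from configuration, not source.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("gateway-service")
            .password("CHANGE-ME") // placeholder
            .roles("GATEWAY");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No HTTP session: every call must carry the service credential,
            // so a gateway login cookie is useless against this backend.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Basic auth for the gateway-to-backend hop (TLS assumed on that hop).
            .httpBasic()
            .and()
            // Since no browser session is ever accepted here, cookie-based CSRF
            // does not apply; disabling it keeps the proxied POSTs working.
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().hasRole("GATEWAY");
    }
}
```

With this in place the gateway must inject the `gateway-service` credential on the proxied request (for example with a Zuul pre-filter adding an `Authorization` header); the end user's own credentials never reach the backend.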