Spring Spring - 11 months ago 145

Spring security without jsp

I will use Spring security in my Javascript frontend + Spring MVC project (a user management admin web app). I was trying to figure out whether there are any security benefits to putting the frontend HTML code in a JSP file on the same server as my backend code, so I can take advantage of certain JSP tags. Or can I perfectly well make it an Ajax application, serve the frontend from a different server, and still use Spring security fully?


Here I assume:

  • a javascript front end
  • a Spring MVC rest application serving mainly JSON

From a security point of view, Spring security can only protect the back-end application, and you should remember that front-end security (hiding links or commands in a browser view) is only an illusion, because a user can always forge a request, even an Ajax one.

From a user experience point of view, it is clear that you should never show a possibility to your user and, when he uses it, tell him that he is not allowed to. So your front end must know what privileges are awarded to a user. Spring security comes with some tags that are usable server side in JSP pages, but for a Javascript frontend you can (should?) implement a special URL server side that returns the current user's abilities, send a request there as soon as the user is authenticated, and cache the result in the client session (Window.sessionStorage). That way your Javascript code knows what should be displayed to a particular user.
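The pattern the answer describes, as an added example (not code from the question or answer above): a Spring MVC endpoint that returns the current user's name and granted authorities for the front end to cache, next to a protected back-end endpoint where the real authorization check happens. The controller class, the `/api/me` and `/api/users/{id}` paths and the `ROLE_ADMIN` authority are assumptions chosen for illustration; `@PreAuthorize` requires method security to be enabled in the application's security configuration.

```java
// Hypothetical package name chosen for this example.
package example.security;

import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CurrentUserController {

    // GET /api/me: the "special URL" the front end calls once, right after
    // login, and caches in sessionStorage. Spring MVC injects the current
    // Authentication from the SecurityContext for the request's session.
    @GetMapping("/api/me")
    public ResponseEntity<Map<String, Object>> me(Authentication authentication) {
        // With the anonymous filter active the Authentication is an
        // AnonymousAuthenticationToken rather than null, so check both.
        if (authentication == null
                || authentication instanceof AnonymousAuthenticationToken) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }

        // Only the authority names are exposed; no credentials, no session id.
        List<String> authorities = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());

        return ResponseEntity.ok(Map.of(
                "username", authentication.getName(),
                "authorities", authorities));
    }

    // The enforcement point: the front end may hide the "delete user" button
    // for non-admins, but a forged request still reaches this check and is
    // rejected with 403 by Spring security before the method body runs.
    @PreAuthorize("hasRole('ADMIN')")
    @DeleteMapping("/api/users/{id}")
    public ResponseEntity<Void> deleteUser(@PathVariable String id) {
        // Actual deletion against the user store is omitted in this example.
        return ResponseEntity.noContent().build();
    }
}
```

On the client side the flow is: after a successful login, request `/api/me`, store the JSON body under a key in `window.sessionStorage`, and consult the cached `authorities` array when deciding which links and buttons to render. Because the cache is only a display hint, it never needs to be trusted: every state-changing request still goes through `@PreAuthorize` (or the URL rules in the security configuration) on the server.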