
Thread: Using Spring Security with single page application

  1. #1

    Using Spring Security with single page application

    Hi,

    I am currently working on a project that uses Spring 3 REST services on the backend and a single-page-application architecture on the front-end based on the Javascript MVC framework.

    Now I would like to secure my application using Spring Security. I could easily put authentication based on LDAP in place and set up authorization over my REST URLs, as there is enough documentation for it. I would call that 'back-end security'.

    However, I am a bit stuck on two points client-wise:
    • As the client is 100% made of JavaScript files, should I restrict access to my .js files with intercept-url patterns so that they do not get loaded if the user does not have access to that page?
    • Should I keep the jsessionid and Spring Security tokens in a JavaScript MVC model object and send them back to the server every time I make a REST call? HTTP being stateless, I guess that should be possible.


    Thanks for any help,
    Jimmy

  2. #2

    Why would/should it be different from other web-based applications? You still call URLs and those should be secured; whether the URL is called by a browser, a piece of JavaScript or whatever doesn't matter. It is the URL that matters.

    How and where you store your credentials is up to you. By default Spring Security stores them in the session; you could replace that with a mechanism that stores them in a cookie instead.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


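The point made in reply #2, that access rules attach to URLs no matter what issues the request, sketched as a Spring Security namespace configuration. This is an added example, not part of the original posts; it assumes the Spring Security 3.1 XML namespace, and the URL paths, role names and LDAP address are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

  <http use-expressions="true">
    <!-- Rules are evaluated top to bottom and the first match wins,
         so the most specific patterns come first. -->

    <!-- REST endpoints (assumed paths): this is where data is protected.
         The rule applies whether the caller is the SPA, curl or anything else. -->
    <intercept-url pattern="/rest/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/rest/**"       access="isAuthenticated()"/>

    <!-- A script is just another URL and can be matched the same way.
         Restricting it only hides UI code; the /rest/** rules above
         remain the actual access control. -->
    <intercept-url pattern="/js/admin/**"   access="hasRole('ROLE_ADMIN')"/>

    <!-- Application shell and shared scripts (assumed layout). -->
    <intercept-url pattern="/**"            access="permitAll"/>

    <!-- Default behaviour: the security context lives in the HTTP session,
         and the browser returns the JSESSIONID cookie on every XHR by itself,
         so the client code does not need to carry it in a model object. -->
    <form-login/>
    <logout/>
  </http>

  <!-- Placeholder LDAP server and directory layout. -->
  <ldap-server url="ldap://ldap.example.org:389/dc=example,dc=org"/>

  <authentication-manager>
    <ldap-authentication-provider user-dn-pattern="uid={0},ou=people"
                                  group-search-base="ou=groups"/>
  </authentication-manager>
</beans:beans>
```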

  3. #3

    Thanks

    Thanks for your reply Marten, I was in fact just looking for best practices with SPA architecture using Spring Security. Handling the credentials in the cookie seems indeed the best way here.

