Hi,

I am currently working on a project that uses Spring 3 REST services on the back-end and a single-page-application architecture on the front-end based on the JavaScript MVC framework.

Now I would like to secure my application using Spring Security. I could easily put in place authentication based on LDAP and set up authorization rules over my REST URLs, as there is enough documentation for it. I would call that 'back-end security'.

However, I am a bit stuck on two points client-wise:
  • As the client is 100% made of JavaScript files, should I restrict access to my .js files with intercept-url patterns so that they do not get loaded if the user does not have access to that page?
  • Should I keep the jsessionid and Spring Security tokens in a JavaScript MVC model object and send them back to the server every time I make a REST call? HTTP being stateless, I guess that should be possible.
Thanks for any help,
Jimmy