Thanks for the tip.
We are already checking permissions on our API.

The UI permissions are interesting since it is not user related.

The main reason we wanted the URL filters was to not load part of the page
before getting an unauthenticated status code and redirecting to the login page.
But I guess it can't be helped.
On Feb 14, 2015 2:29 AM, "Warren Bell" <[email protected]> wrote:

> Corneau,
>
> The way we have done it is to keep the Angular client as dumb as possible.
> The only permissions we keep on the client are whether a link shows, button
> shows, or a page can be displayed based on the user that is logged in, we
> call these UI permissions. I am not worried about a user hacking these
> permissions in their browser since they would just go to blank pages since
> the server is ultimately responsible for delivering the content based on
> the user that is logged in to the server. As far as a URL being called by
> an unauthenticated or unauthorized user, we just check authentication and
> authorization in all of our REST endpoints and send back status 40X with a
> message for the client.
>
> So in our Angular client we store an array we call uiPermissions:
>
> ["showButton1", "showButton2", "showPage1", "showPage2"]
>
> So in short, we don’t use Shiro URL filters. I think the filters are more
> geared to a traditional multi page site.
>
> Warren
>
>
> > On Feb 12, 2015, at 6:00 PM, Corneau Damien <[email protected]> wrote:
> >
> > Hi,
> >
> > I've been using Apache Shiro in multiple projects, however we are now
> > working with a project made with AngularJS.
> >
> > Usually we would apply some custom URL filters in order to keep some
> > pages public, and some available only to logged users.
> >
> > One problem is that AngularJS is using hashbang in its urls in order to
> > take care of the routing, making every request look the same and URL
> > filters not being able to apply.
> >
> > There is a way to delete hashbang in AngularJS but it would still be
> > active on IE9. Which means that the security would only apply on some web
> > browsers... not that secure.
> >
> > Did anybody have experience using Apache Shiro with AngularJS at a URL
> > level? Or does anybody know a way to 'fix' this kind of hashbang problem?
> >
> > Thank you
>
>
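
Added example, not part of the thread or of Shiro/AngularJS: a framework-free sketch of why a server-side URL filter sees the same path for every hashbang route, and of the split Warren describes between client-side uiPermissions and the REST endpoint's 40X answer. The host name, route table and function names are constructed for illustration, and mapping 401 to "login" and 403 to "blank" is an assumption.

```javascript
// What the server (and so any server-side URL filter) receives. The fragment
// after '#' is never sent in the HTTP request line, so all hashbang routes
// collapse to one path.
function requestTarget(browserUrl) {
  const u = new URL(browserUrl);
  return u.pathname + u.search;
}

// Client-side route taken from the hashbang fragment: "#!/page1" -> "/page1".
function clientRoute(browserUrl) {
  const hash = new URL(browserUrl).hash;
  return hash.startsWith("#!") ? hash.slice(2) || "/" : "/";
}

// Constructed route table: the UI permission each client route needs.
const ROUTES = {
  "/": null, // public
  "/page1": "showPage1",
  "/page2": "showPage2",
};

// UI-only decision made before a template is rendered. It is a convenience,
// not a control: the array lives in the browser and can be edited there.
function decideView(browserUrl, uiPermissions) {
  const route = clientRoute(browserUrl);
  if (!Object.prototype.hasOwnProperty.call(ROUTES, route)) return "not-found";
  const needed = ROUTES[route];
  return needed === null || uiPermissions.includes(needed) ? "render" : "blank";
}

// The authoritative answer comes from the REST endpoint's status code.
function onApiStatus(status) {
  if (status === 401) return "login"; // unauthenticated: go to the login page
  if (status === 403) return "blank"; // authenticated but not authorized
  return "render";
}

// Constructed walk-through: a tampered permission array passes the UI check,
// but the server's 403 still decides what the user actually gets.
const tampered = ["showPage1", "showPage2"];
const url = "https://app.example.test/index.html#!/page2";
console.log(requestTarget(url), decideView(url, tampered), onApiStatus(403));
```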
