
These days I'm facing a fundamental problem – let's call it an architectural design decision.

So my team and I build typical line-of-business (LOB) web applications for my company. For my purposes, LOB means especially this:

  • A lot of user interaction (entering data, CRUD on entities, displaying data, aggregating data, statistics and reports, validation and so on)
  • Very restrictive (users have to log in, users have different permission levels, they can make different kinds of changes to different entities, display various reports and so on)

For an example, let's take an ordinary approval workflow: I need a new laptop, so I go to the “resources web app” and create a new purchase requisition. My boss gets a notification and has to approve my request. In the next step, the proper department has to buy the laptop and finish my requisition.

I know this is a simple “hello world” example and in real life you would use existing software for this purpose (SAP or something like that), but it describes my use case pretty well: data-driven and very restrictive (I can see all requisitions of my department but only change or delete my own, I should not see the approval page or be able to call the approval API, my boss should only see the requests of his employees but not those of the employees of another department, neither my boss nor I should see the page for finishing a requisition or be able to finish one, and so on).

Currently we are using ASP.NET MVC and Web API in combination with AngularJS 1. For each “action” (page or view) there is an MVC controller which listens on a specific route and returns the appropriate view. Each view references a specific Angular controller. Also, each view may consist of different “partial views” (components or controls). To handle data, the Angular controller calls Web API controllers which also listen on specific routes and handle the request (GET/POST/PUT/DELETE). Each controller (MVC and Web API) checks the authorization token of each incoming HTTP request, which comes in a cookie, to decide whether the user is allowed to open the page or call the action.

Now I'm wondering how to do this in a SPA with Angular 2. Angular 2 sounds pretty interesting to me and has some nice benefits over Angular 1, so I want to try Angular 2. It seems that with Angular 2 you can only build a SPA (compared to the “classical” MPA I mentioned above, where every page comes from the server and contains an Angular controller).

Generally I'm not disinclined towards SPAs, but I'm not sure how to handle the security questions mentioned above.

In addition there are other common problems with SPAs: the browser's back button not working, no way to enter a specific URL directly into the browser, no bookmarking, etc.

So, do you have any advice, tips or best practices for me? Do you think that SPA is a good “pattern” for LOB web applications? And if yes, how would you handle the security problems as well as the other common SPA problems?

Best regards, Alex

  • First of all, this kind of question belongs on Programmers Stack Exchange, not here. Anyway, here's my 2 cents on employing a SPA: all security-related behavior must be fully implemented by the back end (WebApi2); a SPA like Angular 2 should only be used to enhance the UX (e.g. check the role to show/hide CTAs). Last but not least, I don't see the problems you mentioned in Angular 2 (history, bookmarking, etc.); they are handled quite well imo. – Harry Ninh Oct 04 '16 at 10:26
  • Thanks for your response. I didn't know that Angular 2 is able to handle these problems. I will check that. I agree that security needs to be performed on the server, but that's exactly the problem: I want to check if the user is permitted to request the page "/admin/index". With server-side techniques (ASP.NET MVC) I can check the session cookie or whatever and authorize the user, but I can't do that on the client. How do I check if the user is permitted to request the page "/admin/index" in a SPA? – Alex Oct 04 '16 at 10:56
  • @HarryNinh when referring to other sites, it is often helpful to point out that [cross-posting is frowned upon](http://meta.stackexchange.com/tags/cross-posting/info) – gnat Oct 04 '16 at 11:09
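The point raised in the comments (authorization lives entirely in the API, the SPA only hides buttons) can be made concrete for the requisition workflow in the question. The following is an added example, not code from the question's author, from the commenters, or from any project: it models the Web API side of the approval workflow in TypeScript and evaluates one object-level policy on every request. The roles ("employee", "manager", "purchasing"), the route shapes, the in-memory session table standing in for the validated auth cookie, and the sample requisitions are all constructed assumptions for illustration. The answer to "how do I check if the user may request /admin/index in a SPA" is that you don't need to: the SPA's HTML and JS are static assets that reveal nothing, and every piece of data behind that page comes from an API call that is checked here, against the concrete entity, no matter which page the browser showed.

```typescript
// Added example (not the question's or a project's code): server-side, per-request,
// object-level authorization for the requisition workflow. Roles, routes, session
// table and sample data are assumptions for illustration.

type Role = "employee" | "manager" | "purchasing";
type State = "open" | "approved" | "done";
type Action = "view" | "edit" | "delete" | "approve" | "finish";

interface User { id: string; department: string; role: Role; }
interface Requisition { id: number; requesterId: string; department: string; state: State; }

// Constructed sample data standing in for the database.
const requisitions: Requisition[] = [
  { id: 1, requesterId: "alex",  department: "dev",   state: "open" },
  { id: 2, requesterId: "bob",   department: "dev",   state: "approved" },
  { id: 3, requesterId: "carol", department: "sales", state: "open" },
];

// Constructed session table: the auth cookie value maps to a server-side user record.
// The user's role and department come from here, never from anything the client sends.
const sessions: Record<string, User> = {
  "cookie-alex":  { id: "alex", department: "dev",   role: "employee" },
  "cookie-boss":  { id: "dave", department: "dev",   role: "manager" },
  "cookie-buyer": { id: "erin", department: "purch", role: "purchasing" },
};

// The single authorization policy. It is object-level: "my own", "my department"
// and "already approved" cannot be decided from the URL alone.
function canPerform(user: User, action: Action, req: Requisition): boolean {
  const sameDept = user.department === req.department;
  const own = user.id === req.requesterId;
  switch (action) {
    case "view":    return user.role === "purchasing" ? req.state !== "open" : sameDept;
    case "edit":
    case "delete":  return own && req.state === "open";
    case "approve": return user.role === "manager" && sameDept && !own && req.state === "open";
    case "finish":  return user.role === "purchasing" && req.state === "approved";
    default:        return false;
  }
}

const ALL_ACTIONS: Action[] = ["view", "edit", "delete", "approve", "finish"];

// What the API returns for one entity. allowedActions tells the SPA which buttons
// and links to render; it is a UX hint only, the server re-checks on every call.
function present(user: User, req: Requisition) {
  return { ...req, allowedActions: ALL_ACTIONS.filter(a => canPerform(user, a, req)) };
}

interface ApiResponse { status: number; body?: unknown; }

// Minimal dispatcher standing in for the Web API controllers. Every request must
// carry a valid session cookie and pass the policy for the target entity.
function handle(cookie: string | undefined, method: string, path: string): ApiResponse {
  const user = cookie ? sessions[cookie] : undefined;
  if (!user) return { status: 401 };                       // not logged in

  if (method === "GET" && path === "/api/requisitions") {
    // Listing filters instead of failing: the caller only learns about entities it may view.
    const visible = requisitions.filter(r => canPerform(user, "view", r));
    return { status: 200, body: visible.map(r => present(user, r)) };
  }

  const m = /^\/api\/requisitions\/(\d+)(?:\/(approve|finish))?$/.exec(path);
  if (!m) return { status: 404 };

  let action: Action;
  if (m[2] === "approve" && method === "POST") action = "approve";
  else if (m[2] === "finish" && method === "POST") action = "finish";
  else if (!m[2] && method === "GET") action = "view";
  else if (!m[2] && method === "PUT") action = "edit";
  else if (!m[2] && method === "DELETE") action = "delete";
  else return { status: 405 };

  const req = requisitions.find(r => r.id === Number(m[1]));
  // A requisition the caller may not even view is reported as missing, so guessing
  // IDs does not reveal which other departments' requisitions exist.
  if (!req || !canPerform(user, "view", req)) return { status: 404 };
  if (!canPerform(user, action, req)) return { status: 403 };

  switch (action) {
    case "approve": req.state = "approved"; break;
    case "finish":  req.state = "done"; break;
    case "delete":  requisitions.splice(requisitions.indexOf(req), 1); return { status: 204 };
    case "edit":    break;   // payload handling omitted; the authorization decision is the point
  }
  return { status: 200, body: present(user, req) };
}
```

Two design choices matter here. First, the same `canPerform` function both decides the request and fills `allowedActions`, so the SPA never has to duplicate the policy: an Angular route guard or `*ngIf` can simply hide the approve button when the action is absent, while a user who bypasses the UI and POSTs to `/approve` directly still gets a 403. Second, "not viewable" and "does not exist" are deliberately indistinguishable to the caller, which is what keeps the boss of one department from enumerating another department's requisitions by ID.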

0 Answers