I'm building a webapp with Angular for the front end and Java for the backend (stack: Spring Boot, Spring Security, JWT, ...). I'm a little confused about how things should work together.
In dev mode, it works fine:
I have proxied my backend API calls with something like the below
proxy.conf.js
// Angular dev-server proxy: every call to /api/** made against the dev server
// is forwarded to the Spring Boot backend, so the app runs from localhost:4200
// without cross-origin requests during development.
const PROXY_CONFIG = [{
  context: [
    "/api"
  ],
  target: "http://localhost:8080",
  secure: false // the dev backend is plain HTTP, so no TLS certificate check
}];
module.exports = PROXY_CONFIG;
and set up the Spring Security configuration like this
...
// Paths reachable without a JWT
private static final String[] AUTH_WHITELIST = {
    "/signup",
    "/h2-console/*",
    "/login",
    "/api/public/**",
    "/error"
};

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()          // stateless JWT API: no session cookie, so CSRF protection is off
        .headers().frameOptions().disable()     // lets the H2 console render inside a frame
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(unauthorizedHandler)   // answer 401 instead of redirecting to a login page
        .and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
        .antMatchers(AUTH_WHITELIST)
        .permitAll()
        .anyRequest().authenticated();          // everything else needs a valid JWT
    // The JWT filter runs before the form-login filter and fills the SecurityContext
    http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
For production mode, I would like the backend to serve the API and the frontend generated by Angular in one jar, and to be able to start my webapp like this:
java -jar myWebapp.jar
Let me show you my pom files.
frontend module pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <!-- Build -->
  <build>
    <!-- Resources: package the Angular build output (./dist) under static/ -->
    <resources>
      <resource>
        <directory>./dist</directory>
        <targetPath>static</targetPath>
      </resource>
    </resources>
    <!-- Plugin -->
    <plugins>
      <!-- Maven frontend plugin: downloads a pinned Node/npm and runs the Angular build as part of the Maven build -->
      <plugin>
        <groupId>com.github.eirslett</groupId>
        <artifactId>frontend-maven-plugin</artifactId>
        <version>1.10.0</version>
        <configuration>
          <workingDirectory>./</workingDirectory>
          <nodeVersion>v12.16.1</nodeVersion>
          <npmVersion>6.14.5</npmVersion>
        </configuration>
        <executions>
          <execution>
            <id>install node and npm</id>
            <goals>
              <goal>install-node-and-npm</goal>
            </goals>
          </execution>
          <!-- the npm goal runs "npm install" when no arguments are given -->
          <execution>
            <id>npm install</id>
            <goals>
              <goal>npm</goal>
            </goals>
          </execution>
          <execution>
            <id>npm run build</id>
            <goals>
              <goal>npm</goal>
            </goals>
            <configuration>
              <arguments>run build</arguments>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
backend module pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  ...
  <!-- Build -->
  <build>
    <plugins>
      <!-- Copy the Angular build from the sibling frontend module into this module's
           static resources early (validate phase), so it ends up in the Spring Boot jar -->
      <plugin>
        <artifactId>maven-resources-plugin</artifactId>
        <version>3.1.0</version>
        <executions>
          <execution>
            <id>copy-resources-frontend</id>
            <phase>validate</phase>
            <goals>
              <goal>copy-resources</goal>
            </goals>
            <configuration>
              <outputDirectory>${basedir}/src/main/resources/static/</outputDirectory>
              <resources>
                <resource>
                  <directory>${basedir}/../frontend/dist/</directory>
                </resource>
              </resources>
            </configuration>
          </execution>
        </executions>
      </plugin>
      <!-- Builds the executable jar started with java -jar -->
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>
The question: now my backend serves the API and the static content generated by Angular.
I have 4 types of query:
- /api/private/** => only if authenticated
- /api/public/** => everyone
- any static resource like index.html or logo.png => everyone
- /dashboard or /profile => Angular routes, which should be allowed by Spring Security and will be handled by the Angular router
How should I update my Spring Security configuration so that it does not block the static content? Is it safe to set up Spring Security with permitAll on /** except for /api/private/** (which should be authenticated), so that all static content is available?
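One way to wire the four request types together, as an added example that is not part of the original question or the asker's project. It assumes the unauthorizedHandler entry point and the JWT filter from the question (here assumed to be a bean of a class named JwtAuthenticationFilter), and that the Angular build is packaged into classpath:/static/ as the poms above do; the package name is hypothetical, and the dev-only H2 console and frameOptions().disable() are left out. Instead of permitAll on /** with only /api/private/** authenticated, it default-denies /api/** and opens /api/public/** explicitly, so an endpoint added under /api/ later is protected unless someone deliberately opens it. The Angular bundle and its client-side routes are public because the browser has to load them before the user can log in; the authorization decision belongs to the API, not to the UI.

```java
// Added example, not the question author's code. Assumed names: unauthorizedHandler
// and JwtAuthenticationFilter from the question, Angular build in classpath:/static/.
package com.example.app.security; // hypothetical package

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationEntryPoint unauthorizedHandler;     // replies 401, no login redirect

    @Autowired
    private JwtAuthenticationFilter jwtAuthenticationFilter;  // assumed class name for the JWT filter

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()   // stateless bearer-token API, no session cookie
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler)
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Rules are evaluated in order: open the few public API paths first...
                .antMatchers("/api/public/**", "/login", "/signup", "/error").permitAll()
                // ...then default-deny the rest of the API. A /api/foo endpoint added
                // next month is protected unless it is opened on purpose.
                .antMatchers("/api/**").authenticated()
                // Everything else is the Angular bundle (index.html, *.js, logo.png) and
                // its client-side routes (/dashboard, /profile). Public by design: the
                // browser needs it before login, and the API enforces authorization.
                .anyRequest().permitAll();
        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

// Angular routes like /dashboard do not exist on the server. Forward them (server
// side, URL unchanged in the browser) to index.html so the Angular router takes
// over on a reload or deep link. The pattern only matches path segments without a
// dot, so /logo.png and /main.js still reach the static resource handler, and an
// unauthenticated /api/** request is already answered with 401 by Spring Security
// before this catch-all is considered.
@Controller
class SpaForwardController {
    @GetMapping({"/{path:[^\\.]*}", "/**/{path:[^\\.]*}"})
    public String forwardToAngular() {
        return "forward:/index.html";
    }
}
```

After `java -jar myWebapp.jar`, a quick check from the shell is `curl -i localhost:8080/api/private/anything` (expect 401 with no token), `curl -i localhost:8080/dashboard` (expect 200 with the index.html body) and `curl -i localhost:8080/logo.png` (expect 200 with the image), which exercises each of the four request types the question lists.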