Starting at Tour of Heroes. In my last post I had just redone my tour of heroes app for the newly released angular (angular2, 4?, whatever). I had added a spring boot back end for the heroes service and all went well. But what I really wanted was do a deep-ish dive with angular-cli and the angular router. This led down a rabbit hole of exploration into the angular ecosystem. I have arrived at the other end with some interesting (to me anyway) technology findings and an overall appreciation for where angular currently is from a framework maturity level. This blog entry will document some of that discovery. The source for client and server is on my github account.
First stop: Security. For some reason I take a somewhat masochistic interest in web security. I don't really enjoy working in that space, but I never feel like I can start even a play project without solving this problem of authentication and authorization. As a learning exercise I decided to implement a JWT (JSON Web Token) approach with the goal of keeping my backend as stateless as possible.
JWT Server. As there are two sides to this coin, server and client, I started with the server. I'm using Spring Boot and was hoping the Spring Security project provided a module out of the box for JWT. No such luck. I ended up utilizing a series of web posts to learn about implementing the JWT handling with Spring Security. Pretty much my entire server-side JWT handling ended up being lifted from this repo on GitHub. It uses Spring Security and plugs in JWT handling in the right spots. I have a simple User/Authority/UserAuthority set of tables in PostgreSQL that I use for authn/authz. I then used the JWT handling code from the repo to manage token creation, handling and validation within a filter.
JWT Client. I next turned to Angular. I had already implemented routing within the app and added a route/component to log in. I used the angular2-jwt library to help implement the passing of the JWT on all REST calls to the server. The general idea with JWT is that once the user is logged in, all HTTP calls have the token attached (cookie or header) from the client side, and the server (in my case a filter on Spring Boot) will pull the token and validate/authenticate the user. angular2-jwt accomplishes this on the client by providing an AuthHttp object which takes the place of the normal Http object through which you make your REST calls. AuthHttp just wraps Http and adds the token to the call. I currently store the token in local storage. This has the weird effect of never logging me out. Somewhere the expiration time is being ignored, but I'll leave that and the large topic of JWT for another blog post.
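An added example (not code from the original post or from the angular2-jwt library) of the client-side expiry check that a localStorage-backed token needs before it is attached to a request: decode the payload, compare its exp claim to the current time, and drop an expired token from storage rather than sending it. The storage stub and the unsigned token builder are constructed for the example; decoding the payload is not verification, and the server-side filter must still check the signature and expiry.

```javascript
// Added example, not from the original post or angular2-jwt: decode a JWT
// payload and check `exp` before a stored token is attached to a request.
// Decoding is NOT verification; the Spring filter must still check the
// signature and expiry server-side.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; convert to standard base64.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  const bin = typeof atob === 'function'
    ? atob(b64)                                   // browser / modern Node
    : Buffer.from(b64, 'base64').toString('binary');
  // Re-interpret the byte string as UTF-8 (claims may contain non-ASCII).
  return decodeURIComponent(
    Array.from(bin, (c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('')
  );
}

function parseJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// A token without a numeric `exp` is treated as expired; `leewaySeconds`
// tolerates small clock skew between client and server.
function isTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  const payload = parseJwtPayload(token);
  if (typeof payload.exp !== 'number') return true;
  return payload.exp <= nowSeconds - leewaySeconds;
}

// What an AuthHttp-style wrapper should do before adding the header:
// read the token from storage and discard it when expired or unparseable.
function loadValidToken(storage, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = storage.getItem('token');
  if (!token) return null;
  let expired = true;
  try { expired = isTokenExpired(token, nowSeconds); } catch (e) { /* malformed */ }
  if (expired) { storage.removeItem('token'); return null; }
  return token;
}

// Constructed test-token builder (unsigned, Node Buffer; a real server signs).
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.dummysig`;
}
```

Calling loadValidToken from the wrapper that adds the Authorization header gives the "log me out when the token expires" behaviour on the client; the server's filter rejecting an expired or bad signature is what actually enforces it.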
More to come. Just now realizing I have too much to post in a single blog entry, so I'll leave off here. In my next post I hope to include my work with different grid/table components, treeview components, Angular forms, Bootstrap and Material styling, PrimeNG components and a whole lot around WebSockets and the STOMP protocol. Maybe 2 more posts!
Part II here.