Corneau,

The way we have done it is to keep the Angular client as dumb as possible. The only permissions we keep on the client are whether a link shows, a button shows, or a page can be displayed based on the user that is logged in; we call these UI permissions. I am not worried about a user hacking these permissions in their browser since they would just go to blank pages since the server is ultimately responsible for delivering the content based on the user that is logged in to the server. As far as a URL being called by an unauthenticated or unauthorized user, we just check authentication and authorization in all of our REST endpoints and send back status 40X with a message for the client.
So in our Angular client we store an array we call uiPermissions:

["showButton1", "showButton2", "showPage1", "showPage2"]

So in short, we don’t use Shiro URL filters. I think the filters are more geared to a traditional multi-page site.

Warren

> On Feb 12, 2015, at 6:00 PM, Corneau Damien <[email protected]> wrote:
>
> Hi,
>
> I've been using Apache Shiro in multiple projects, however we are now working
> with a project made with AngularJS.
>
> Usually we would apply some custom URL filters in order to keep some pages
> public, and some available only to logged users.
>
> One problem is that AngularJS is using hashbang in its urls in order to take
> care of the routing, making every request look the same and URL filters not
> being able to apply.
>
> There is a way to delete hashbang in AngularJS but it would still be active
> on IE9. Which means that the security would only apply on some web
> browsers... not that secure.
>
> Did anybody have experience using Apache Shiro with AngularJS at a URL level?
> Or does anybody know a way to 'fix' this kind of hashbang problem?
>
> Thank you
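
The design described in the reply, as an added example that is not part of the original thread: a JavaScript model (not Shiro's API) of why a URL filter cannot see hashbang routes and why the per-endpoint check makes client-side uiPermissions purely cosmetic. The session table, permission strings such as `page1:view`, host name and endpoint paths are constructed for illustration.

```javascript
// Added example. Only uiPermissions and the showPage1/showPage2 strings come
// from the thread; every other name and value here is hypothetical.

// What a server-side URL filter can match on for a hashbang route: the
// fragment ("#!/...") stays in the browser and is never sent in the request.
function requestTarget(browserUrl) {
  const u = new URL(browserUrl);
  return u.pathname + u.search; // u.hash is not part of the HTTP request
}

// Constructed server-side state: session -> user, user -> granted permissions.
const sessions = new Map([["sess-alice", "alice"], ["sess-bob", "bob"]]);
const grants = new Map([
  ["alice", new Set(["page1:view", "page2:view"])],
  ["bob", new Set(["page1:view"])],
]);
// Permission each REST endpoint requires, and the content it serves.
const required = new Map([["/api/page1", "page1:view"], ["/api/page2", "page2:view"]]);
const content = new Map([["/api/page1", { rows: [1, 2] }], ["/api/page2", { rows: [3] }]]);

// The check every REST endpoint runs. Anything the client claims about its
// own permissions (req.uiPermissions) is ignored on purpose.
function handleRest(req) {
  const user = sessions.get(req.sessionId);
  if (!user) return { status: 401, body: { message: "Not authenticated" } };
  const need = required.get(req.path);
  if (!need) return { status: 404, body: { message: "Not found" } };
  if (!grants.get(user).has(need)) {
    return { status: 403, body: { message: "Not authorized" } };
  }
  return { status: 200, body: content.get(req.path) };
}

// UI permissions are derived from the server-side grants and only decide
// which links, buttons and pages the client shows.
function uiPermissionsFor(sessionId) {
  const user = sessions.get(sessionId);
  if (!user) return [];
  const ui = [];
  if (grants.get(user).has("page1:view")) ui.push("showPage1");
  if (grants.get(user).has("page2:view")) ui.push("showPage2");
  return ui;
}
```

A user who adds "showPage2" to the array in the browser gets the page shell rendered, but the data request behind it still returns 403.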
