Hello,

I have to secure an ExtJS single-page application with Spring Security 4. Does anyone have experience with this and could advise me how to achieve it in a nice way?

In the Spring Security configuration I have to set up a login-page entry point, but in the SPA I have only a single index.html file, which is mapped to the Spring application's context (my-server/my-app/index.html).
The ExtJS app is embedded in a war file deployed on Tomcat and located in the webapp/static folder, where there are only:
  • index.html
  • app.js
  • app.json
  • resources/


How can I configure Spring Security to let the ExtJS app know whether to show the login mask or just load the application?

The best thing that comes to my mind in such a configuration is to protect only the REST layer and permit access to the whole front-end content. In my ExtJS Application class I would then first make a request to the server to check if the user is authenticated/if a session exists, and then decide whether to show the login mask or to load the application. In the login form, authentication based on the j_spring_security servlet will be performed, and after success the login mask will be destroyed and the main application created.

The other way I can achieve authentication is to create a second ExtJS application which will run under a different URL, e.g. my-server/my-app/login, and after successful authentication I will redirect to the root to load the main application. But in fact this breaks the single-page application pattern.

Does anyone have experience with this topic? Which way of securing the application is the best? Or maybe there are some other, better ways to do it. Any help is much appreciated!

Best regards,
Maciej
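
The first approach described in the post (open static front end, protected REST layer, no login-page redirect), as an added example that is not part of the original post. It assumes the static files are served from the context root, uses a hypothetical class name and `/login` as the processing URL, and needs Spring Security 4.1 or later for `CookieCsrfTokenRepository`.

```java
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SpaSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Static ExtJS shell listed in the post: readable without a session
                // (assumption: served from the context root).
                .antMatchers("/", "/index.html", "/app.js", "/app.json", "/resources/**").permitAll()
                // Everything else, including the REST layer, requires authentication.
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                // Answer unauthenticated requests with 401 instead of redirecting
                // to a login page, so the client decides what to render.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .formLogin()
                .loginProcessingUrl("/login") // login form POSTs username/password here
                // 204 on success and 401 on failure: no redirects for the XHR client.
                .successHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_NO_CONTENT))
                .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .permitAll()
                .and()
            .logout()
                // Return a plain 200 instead of redirecting after logout.
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
                .and()
            .csrf()
                // Keep CSRF protection on: the token is exposed in the XSRF-TOKEN cookie
                // and the client echoes it in the X-XSRF-TOKEN header on each write.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this configuration any protected request made without a session returns 401, which the ExtJS application can treat as the signal to show its login mask instead of loading the main view.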