Securing AngularJS SPA with Spring Security 3.2

Question

Any help, advice and experience is welcome.

Im currently having a separate AngularJS SPA on a Apache HTTP Server and a Spring Backend on a Tomcat 7 Servlet. The backend serves as a Rest API for the SPA. Some rest resources will require a user to have a certain role.

I've been searching the internet for days on what and how to implement the best security strategy:

• Basic Auth
• Digest
• oAuth
• Stateless, Cookies? Sessions? Tokens? CSRF?

How would you go about communicating Spring Security in Json or XML to your SPA to show the user an authentication page or an "your successfully authenticated page"?

Any help is appreciated.

Answer 1

I finally figured out how to make the SPA authenticate with my Rest Backend.

In spring security I created a

• Custom SimpleUrlAuthenticationFailureHandler which returns a HTTP-Unauthorizated if a login attempt fails.
• Custom SavedrequestAwareAuthenticationSuccessHandler which returns Http-Oke if a login attempt is successful.
• Custom AuthenticationEntryPoint which returns Http-Unauthorizated instead of a redirect.
• Custom LogoutSuccessHandler which returns Http-OK.
• I disabled CSRF.

If anyone needs more help feel free to let me know or message me.