I want to share my problem with you (the community).
I use the MEAN stack, so I use Node.js with Express and AngularJS, and I have a single-page application.
I use passport as an authentication strategy in Node \ Express \ Jade code. I want to create an admin section on my page to manage users and other stuff.
I also want to protect these asynchronously loaded AngularJS views by adding some access control to my $routeProvider, like:
    $routeProvider.when('/admin/users', {
        templateUrl: '/views/admin/users.html',
        auth: {
            required: true,
            roles: ['admin']
        }
    })
This is only pseudocode which I want to achieve in my real solution. If the user is not logged in, they should be redirected to the /signin page, and if the user is logged in and does not have the proper role to view this page, they should be redirected to an appropriate view with custom information.
I prefer to handle access control on the server side, and just not serve anything up to the user if s/he shouldn't be able to access it. Then I field and interpret the response from the server to do things like rerouting to a sign-in form.
This allows for really flexible security mechanisms. For example, I can configure my backend security with a firewall for something like you've described (where a route "/admin" and all of its descendants should be protected). I can use ACLs to secure individual objects, or a SecurityManager that allows for more complex analyses of the user making the request.
Maybe this isn't a direct answer to your question, but instead encouragement to approach the problem differently. Still I think it's a better approach than anything that I've seen in terms of pure JS access control.