我应该将我的管理页面包含到 angular 项目中还是应该创建一个单独的页面? [英] Should I include my admin page into the angular project or should i create a seperate one?
问题描述
嘿,我正在为我的 SpringBoot 应用程序开发前端.我刚刚开始学习 Angular.如果我在同一个项目中创建管理页面,我不确定是否存在安全问题.
Hey i'm working on a frontend for my SpringBoot Application. I'm just starting to learn Angular. I'm not sure if there is a security issue if i create my admin-page in the same project.
管理页面和用户页面将共享大量代码,但其他任何人都不应访问管理操作(甚至数据).
Admin- and User-Page would share a lot of code but admin operations (or even data) shouldn't be accessable for anybody else.
到目前为止我发现了什么:我应该为管理员和用户创建两个 Angular 项目吗?
What i've found so far: Should I create Two Angular projects for Admin and Users?
那么创建一个包含两个模块的 Angular 项目应该是正确的方法吗?但是我该如何处理呢?或者我可以只构建一个具有身份验证和管理员/用户角色的单模块项目吗?最佳做法是什么?
So creating one Angular project with two modules should be the way to go right? But how do i approach that? Or can i just build a single one module project with authentification and admin/user roles? What would be best practice?
谢谢
推荐答案
我最近开发了一个项目,其中包含一组面向用户的页面和一组管理页面.
I've recently developed a project that has a user facing set of pages and an admin set of pages.
我构建项目的方式大致如下:
The way I have structured my project is roughly like the following:
|- AppModule
|-- app components
|-- app services
|-- app routing
|
|- SharedModule
|-- components
|
|- AdminModule
|-- admin components
|-- admin services
|-- admin routing
AppModule 和 AdminModule 都导入 SharedModule.AdminModule 是从 AppRouting 中的根管理路径延迟加载的,如下所示:
Both AppModule and AdminModule import SharedModule. AdminModule is lazy loaded from my root admin path in AppRouting like this:
{
path: 'admin',
canLoad: [AdminGuardService],
loadChildren: () => import('../modules/admin/admin.module').then(m => m.AdminModule)
}
其中 AdminGuardService 是一个路由守卫,用于检查当前用户是否具有管理员访问权限.
Where AdminGuardService is a route guard that checks if the current user has admin access.
延迟加载模块的好处是它与 AppModule 分开编译,并且仅在我的管理路径被点击时由浏览器加载.我将所有特定于管理员的 http 调用保留在我的管理员服务中,因此它们从未进入我的主应用程序包.
The benefit of a lazy loaded module is that it is compiled separately from AppModule, and is only loaded by the browser when my admin path is hit. I keep all of my admin-specific http calls in my admin services, so they never make it into my main app bundle.
从安全角度来看,没有什么可以阻止非管理员用户猜测您的管理员网址,无论它是在同一个项目中还是在不同的项目中.我所有的后端授权都是由我的 API 完成的.因此,如果非管理员用户猜测管理员 URL,他们将收到 401,我会将他们重定向回主应用程序.
From a security perspective, there's nothing to stop non-admin users guessing your admin urls regardless of whether it's in the same project or a different project. All of my backend authorization is done by my API. So if a non-admin user guesses an admin url, they will get a 401 and I will redirect them back to the main app.
这篇关于我应该将我的管理页面包含到 angular 项目中还是应该创建一个单独的页面?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
