these days I’m facing a fundamental problem – let’s call it an architectural design decision.
So my team and I build typical line of business (lob)-web-applications for my company. For my purpose, lob means especially this:
- A lot of user-interaction (entering data, CRUD entities, display data, aggregating data, statistics and reports, validation and so on)
- Very restrictive (users have to login, users have different permission-levels, they can make different kinds of changes on different entities, display various reports and so on)
For an example, let’s take an ordinary approval-workflow: I need a new laptop, so I go to the “ressources-webApp” and create a new purchase requisition. My boss gets a notification and has to approve my request. In the next step, the proper department has to buy the laptop and finish my requisition.
I know this is a simple “hello world”-example and in real life you would use an existing software for this purpose (SAP or something like that), but it describes my use-case pretty well: data-driven and very restrictive (I can see all requisitions of my department but only change or delete my ones, I should not see the page for the approval or call the approval-api, my boss should only see the requests of his employees but not for the empolyees of another department, neither my boss nor I should see the page or be able to finish a requisition and so on).
Currently we are using ASP.NET MVC and WebAPI in combination with angularjs 1. For each “action” (page or view) exists a mvc-controller which listens to a specific route and returns the appropriate view. Each view references a specific angular-controller. Also each view may consist of different “partial views” (components or controls). To handle data the angular-controller calls webAPI-controllers which also listen to specific routes and handle the request (GET/POST/PUT/DELETE). Each controller (mvc and webAPI) checks the authorization-token of each http-request which comes in a cookie, if the user is allowed to open the page or call the action.
Now I’m wondering how to do this in a SPA-application with angular 2. Angular 2 sounds pretty interesting for me and has some nice benefits over angular 1, so I want to try angular 2. It seems that with angular 2 you only can build a SPA-application (compared to the “classical” MPA-application I mentioned above, where every page comes from the server and contains a angular-controller).
Generally I’m not disinclined to SPA, but I’m not sure how to handle the security-questions mentioned above.
In addition there are other common problems with SPA: not working back-buttons from the browser, no way to enter a specific url directly to the browser, no bookmarking etc.
So, do you have any advice, tip or best practice for me? Do you think that SPA is a good “pattern” for lob-web-applications? And if yes, how would you handle the security-problems as well as the other common SPA-problems?
Best regards, Alex