3

The scenario is this: I'm developing a Java EE application with an Angular 2 frontend. The client has an Apache server which is usually used to serve static resources and an Oracle Weblogic for the dynamic part. The problem is that by default the Angular 2 App and the Weblogic server will not be able to talk each other due to the Same Origin Policy.

So far I have 3 possible deployment approaches in mind:

  1. Set up a Reverse Proxy in Apache to point the REST endpoints to Weblogic

  2. Package the Angular App in a WAR/EAR and deploy it to Weblogic. So I would end up with something like: myserver/myapp for the UI and myserver/myapp-rest for the Backend.

  3. Package the Angular App in the same WAR as the Java backend. So I would end up with myserver/myapp for the UI and myserver/myapp/api for the REST endpoints.

There is a 4th option which would be setting up CORS, but I'm worried about the security using that approach.

Which is the right approach?

Improve this question

1 Answer 1

Reset to default
3

If you are allowed to make infra decisions , change apache webserver to nginx , we switched to nginx and got lot of added values in terms of concurrent processing. In our project the angular client is served by nginx webserver which talks to java backend hosted on tomcat 8.x(our app server) , also there are couple of tiers after app-server a separate DB server and an elastic search server.

Don't feel intimidated to set up CORS, you will eventually need to allow some origins requests which don't originate on your domain and port.

If your java tech stack has spring mvc , then setting up CORS is just a matter of adding few lines of configuration. You can even hardcode your angular url to allow backend server to serve requests only from your angular URL. In normal JavaEE world, CORS is just another filter or interceptor where you can set response headers with all the allowed origins, http methods etc. It's very simple you can look it up.

For your given choices

    1. seems plausible and a value addition that you get is you can delegate SSL encryption to proxy server .
    1. seems rather odd, you would want to separate the static content server from dynamic contents server, your angular js bundles, assets etc are mostly static, if you keep your static server separate then you can configure cookie-less domains down the line that would make serving a lot faster.

  • 3 same as 2.

I would strongly suggest the CORS option , from my past experiences.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

So, CORS is the way to go. Are there any advantages compared to the other approaches I described?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.