azure - Best Practice: Calling separate Web-API Service from Single Page Application (SPA) -
hy all
we discussing around architecture of following scenario:
- single page application (javascript driven html5 application asp.net webapi)
- separate rest service (webapi only) businesslogic, dal, database-connectivity
- security on azure ad (adal)
what the way call rest-service single page application?
at moment seeing possibilities:
1) calling rest-service directly client (browser) via cors:
client (browser) -> rest-service
...like in example: https://github.com/azureadsamples/singlepageapp-webapi-angularjs-dotnet
2) calling webapi-service single page application, calls rest-service:
client (browser) -> webapi spa -> rest-service
for first variant, see security questions. save this? if rest-service in internal network , spa in dmz?
for second variant, best practices here? because need our controllers:
spa controller example:
//get /api/models public iqueryable<model> get() { // create httpclient instance var resp = client.getasync("http://localhost:9472/api/models").result; var result = resp.content.readasasync<ilist<model>>().result.asqueryable(); return result; }
rest-service (localhost:9472) controller example:
//get /api/models public iqueryable<model> get(){ return _repository.getallmodels(); }
-> right way it?
thanks help!
kind regards, peter
i have finished large enterprise style spa using, nearly, architecture describe in option 1.
generally speaking keep things simple. more points of failure introduce increased risk in terms of maintenance, uptime, scalability etc. if don't need proxy service don't introduce sake of - service no less secure.
can explain security concerns option 1, , can alleviate them you?
-- edit --
i see point on spa being within dmz , restful service being internal, spa able call restful service require way expose outside world. depending on security have in place, case of moving dmz otherwise going need proxy in-between outside world , internal rest service.
Comments
Post a Comment