I am creating a Rest API (Spring Boot project) for Android App. What should be the ideal way of authenticating User from the database?
1. Querying database in Controller Class
2. Querying database in Filter Class
3. Using Spring Security
    import java.io.IOException;
    import java.sql.Connection;
    import javax.servlet.*;                       // jakarta.servlet.* on Spring Boot 3
    import javax.servlet.http.HttpServletRequest;

    public class TokenValidationFilter implements Filter {
        Connection connection = null;

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // ServletRequest has no getHeader(); cast to the HTTP request first
            HttpServletRequest req = (HttpServletRequest) request;
            final String accessToken = req.getHeader("accessToken");
            final String userId = req.getHeader("userId");
            // Do Sql Query to Authenticate User
            // Only once the user is authenticated, let the request continue down the chain
            chain.doFilter(request, response);
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}

        @Override
        public void destroy() {}
    }
You shouldn't need to add your own Filter.
When you use Spring Security, it too works by adding a filter, e.g. BasicAuthenticationFilter. On top of this it allows you to manage things which otherwise you'd need to do on your own.
For example, it lets you access the authenticated principal simply via SecurityContextHolder.getContext().getAuthentication(); as it works on the basis of a ThreadLocal, you can use this anywhere in your code.
What about managing authorization for different URLs? Or managing CORS config?
All these things are achievable through a simple builder pattern while configuring Spring Security using the framework.
Plus, if you want to go for OAuth later on, the security framework is integrated with it; you can get it working very easily by using AuthorizationServer and ResourceServer.
Even for the simplest of configurations for a basic authentication you should go with the security framework, rather than authentication using a bespoke solution.
Also, there are other things integrated with the security framework, like auditing which user modified your database transactions, etc.
What you'll be writing (and going to refactor in future) in your own Filter is already written in the framework for you to use.
No, doing it like this will make your business controller tightly coupled with the authentication mechanism, which is not the purpose of such components.
I assume you are talking about the Servlet Filter class. This way you'll probably reinvent the wheel and end up with a lot of home-made boilerplate code. And as you mention Spring Security in point 3, I assume that you have a Spring backend.
Definitely the way to go if you have a Spring backend. Spring Security provides some standard authentication mechanisms (BASIC auth for instance). You can add some Spring Security extensions like OAuth2 or SAML if you have such requirements. It is a widely used framework, so finding help should not be a problem. Besides, Spring Security allows you to create your own security configuration in case none of the standard ones is OK for you.
From a mobile app point of view, setting up Basic Authentication to get a JSON Web Token and then accessing the API with the token should be pretty straightforward and maintainable with Spring Security. Or you can rely on some standard like OAuth2 / OpenID Connect. Either way should be OK with Spring Security.
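As an added example that serves both answers above (it is not code from the question or from either answer), here is what the "use the framework" advice looks like in one file: the builder-style configuration the first answer refers to (per-URL authorization, CORS, Basic auth, reading the principal from SecurityContextHolder), plus the flow the second answer describes, where the mobile client sends Basic credentials once to a token endpoint, receives a short-lived JWT, and then calls the API with a Bearer token that Spring Security's resource-server support validates instead of a hand-written filter. It assumes Spring Boot 3.x with spring-boot-starter-web, spring-boot-starter-security and spring-boot-starter-oauth2-resource-server on the classpath; the package name, the two users and their passwords, the CORS origin and the HS256 signing secret are all constructed placeholders, and the in-memory user store stands in for the database-backed UserDetailsService a real app would supply.

```java
// Added example (not from the question or either answer). Assumes Spring Boot 3.x with the
// web, security and oauth2-resource-server starters; package, users, origin and secret are placeholders.
package com.example.api;

import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.cors.*;

@Configuration
public class SecurityConfig {
    // Placeholder HS256 secret (must be >= 32 bytes); load it from configuration in a real app.
    static final SecretKey SIGNING_KEY = new SecretKeySpec(
        "replace-me-with-a-random-32-byte-secret-value!!".getBytes(StandardCharsets.UTF_8), "HmacSHA256");

    @Bean
    SecurityFilterChain api(HttpSecurity http, JwtDecoder decoder) throws Exception {
        http.csrf(csrf -> csrf.disable())                 // stateless token API: no session cookie to forge
            .cors(cors -> cors.configurationSource(corsSource()))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth           // per-URL authorization through the builder
                .requestMatchers("/auth/token").authenticated()
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults())         // adds BasicAuthenticationFilter (used for /auth/token)
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder))); // adds BearerTokenAuthenticationFilter
        return http.build();
    }

    @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
    // Constructed in-memory users; a DB-backed app returns a UserDetailsService that queries its user table.
    @Bean UserDetailsService users(PasswordEncoder enc) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(enc.encode("alice-pw")).roles("USER", "ADMIN").build(),
            User.withUsername("bob").password(enc.encode("bob-pw")).roles("USER").build());
    }
    @Bean JwtEncoder jwtEncoder() { return new NimbusJwtEncoder(new ImmutableSecret<>(SIGNING_KEY)); }
    @Bean JwtDecoder jwtDecoder() { return NimbusJwtDecoder.withSecretKey(SIGNING_KEY).macAlgorithm(MacAlgorithm.HS256).build(); }

    static CorsConfigurationSource corsSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com"));   // placeholder origin
        cfg.setAllowedMethods(List.of("GET", "POST"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        return request -> cfg;                            // CorsConfigurationSource is a single-method interface
    }
}

@RestController
class TokenController {
    private final JwtEncoder encoder;
    TokenController(JwtEncoder encoder) { this.encoder = encoder; }

    // Basic credentials were already verified by BasicAuthenticationFilter before this method runs.
    @PostMapping("/auth/token")
    String token(Authentication auth) {
        Instant now = Instant.now();
        // ROLE_ADMIN -> "admin"; the resource server maps the scope claim to SCOPE_* authorities by default
        String scope = auth.getAuthorities().stream()
            .map(a -> a.getAuthority().replace("ROLE_", "").toLowerCase()).collect(Collectors.joining(" "));
        JwtClaimsSet claims = JwtClaimsSet.builder().issuer("example-api").subject(auth.getName())
            .claim("scope", scope).issuedAt(now).expiresAt(now.plusSeconds(900)) // short lifetime bounds a leaked token
            .build();
        return encoder.encode(JwtEncoderParameters.from(JwsHeader.with(MacAlgorithm.HS256).build(), claims))
            .getTokenValue();
    }
}

@RestController
class ApiController {
    @GetMapping("/api/me")
    String me() {
        // Filled in by the filter chain via a ThreadLocal, so usable anywhere on the request thread.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth.getName() + " " + auth.getAuthorities();
    }
    @GetMapping("/api/admin/stats") String stats() { return "admin only"; }
}
```

With the app running locally, `curl -u alice:alice-pw -X POST http://localhost:8080/auth/token` returns a JWT, and `curl -H "Authorization: Bearer <token>" http://localhost:8080/api/me` returns `alice [SCOPE_user, SCOPE_admin]`; bob's token is rejected with 403 on `/api/admin/stats` because his scope claim lacks `admin`, and any request without a valid Basic or Bearer header gets 401 from the framework's entry point. Nothing in the request path queries the database except the UserDetailsService at token issuance; the token's signature and expiry carry the authentication for the following 15 minutes, which is exactly the work the asker's hand-written filter would otherwise have to do on every request.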