Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring authentication with HandlerInterceptor or AbstractAuthenticationProcessingFilter

What is the difference usage of spring org.springframework.web.servlet.HandlerInterceptor and org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

I am plan to add authentication for my application. But in HandlerInterceptor Doc it says,

In an async processing scenario, the handler may be executed in a separate thread while the main thread exits without rendering or invoking the postHandle and afterCompletion callbacks.

So in this case if handler execute in a seperate thread, i find the HandlerInterceptor in not suitable for authentication.

What would be the best way to implement authentication?

like image 467
Harshana Avatar asked Nov 03 '15 13:11

Harshana


People also ask

Which authentication is best in spring boot?

You can use custom token based implementation, you can create a custom token that you can store in DB but JWT is a good choice.

How do I authenticate in Spring Security?

Simply put, Spring Security hold the principal information of each authenticated user in a ThreadLocal – represented as an Authentication object. In order to construct and set this Authentication object – we need to use the same approach Spring Security typically uses to build the object on a standard authentication.

Which filter class is required for Spring Security?

Spring Security's web infrastructure is based entirely on standard servlet filters. It doesn't use servlets or any other servlet-based frameworks (such as Spring MVC) internally, so it has no strong links to any particular web technology.


1 Answers

Short answer: Use Spring Security. It supports Servlet 3.x Asynchronous Request Processing out of the box. See the documentation.

Long answer: HandlerInterceptor and AbstractAuthenticationProcessingFilter may be used for the same purpose but normally in a Spring based project authentication/authorization is handled by Spring Security (AbstractAuthenticationProcessingFilter).

HandlerInterceptor belongs to Spring MVC and - what I've seen so far in my career - used for custom logging, time measurement, HTTP header manipulation or (user) request context enhancement. A HandlerInterceptor may be placed before all or a specific Spring MVC controller and "lives" within the DispatcherServlet.

In contrast, Spring Security's filter chain integrates with javax.servlet.Filter. A simplified request flow looks like this:

Container connector
         V
Filter (Spring Security)
         V
DispatcherServlet (Spring MVC)
         V
HandlerInterceptor (Spring MVC)
         V
Controller (Spring MVC)

Spring Security may be used independently from Spring MVC (Take a look at AbstractAuthenticationProcessingFilter and you can see that it derives from GenericFilterBean which in turn implements Filter). That said, you can incorporate authentication/authorization with Spring Security in any other web framework e.g. JSF, GWT, Vaadin.

Primarily, Spring Security is used in

a Java EE-based enterprise software application

but you can use it in a desktop application like Swing too. Honestly, I didn't see it so far.

In my opinion, you should rely on a matured and feature rich framework like Spring Security or Apache Shiro for authentication/authorization. Most of the time such frameworks already have all the features your project requires. A popular framework that is used by many people reduces the probability of severe bugs or security holes due to frequent bug reports and security checks. Please don't reinvent the wheel which usually can't keep up the pace in regard to software quality and flexibility of a grown framework.

like image 167
ksokol Avatar answered Nov 03 '22 22:11

ksokol