Reputation: 7647
Spring authentication with HandlerInterceptor or AbstractAuthenticationProcessingFilter
What is the difference usage of spring org.springframework.web.servlet.HandlerInterceptor and org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
I am plan to add authentication for my application. But in HandlerInterceptor Doc it says,
In an async processing scenario, the handler may be executed in a separate thread while the main thread exits without rendering or invoking the postHandle and afterCompletion callbacks.
So in this case if handler execute in a seperate thread, i find the HandlerInterceptor in not suitable for authentication.
What would be the best way to implement authentication?
Upvotes: 5
Views: 3509
Answers (1)
Reputation:
Short answer: Use Spring Security. It supports Servlet 3.x Asynchronous Request Processing out of the box. See the documentation.
Long answer: HandlerInterceptor and AbstractAuthenticationProcessingFilter may be used for the same purpose but normally in a Spring based project authentication/authorization is handled by Spring Security (AbstractAuthenticationProcessingFilter).
HandlerInterceptor belongs to Spring MVC and - what I've seen so far in my career - used for custom logging, time measurement, HTTP header manipulation or (user) request context enhancement. A HandlerInterceptor may be placed before all or a specific Spring MVC controller and "lives" within the DispatcherServlet.
In contrast, Spring Security's filter chain integrates with javax.servlet.Filter. A simplified request flow looks like this:
Container connector
V
Filter (Spring Security)
V
DispatcherServlet (Spring MVC)
V
HandlerInterceptor (Spring MVC)
V
Controller (Spring MVC)
Spring Security may be used independently from Spring MVC (Take a look at AbstractAuthenticationProcessingFilter and you can see that it derives from GenericFilterBean which in turn implements Filter). That said, you can incorporate authentication/authorization with Spring Security in any other web framework e.g. JSF, GWT, Vaadin.
Primarily, Spring Security is used in
a Java EE-based enterprise software application
but you can use it in a desktop application like Swing too. Honestly, I didn't see it so far.
In my opinion, you should rely on a matured and feature rich framework like Spring Security or Apache Shiro for authentication/authorization. Most of the time such frameworks already have all the features your project requires. A popular framework that is used by many people reduces the probability of severe bugs or security holes due to frequent bug reports and security checks. Please don't reinvent the wheel which usually can't keep up the pace in regard to software quality and flexibility of a grown framework.
Upvotes: 5
Related Questions
- Implementing Authorization in Spring
- UsernamePasswordAuthenticationFilter vs own endpoint
- spring authentication provider VS authentication processing filter
- To support a custom authentication flow, is it best to extend from OncePerRequestFilter or AbstractAuthenticationProcessingFilter?
- Spring Security two authenticationSuccessHandler
- Spring authentication for calls after login?
- Extending spring security UsernamePasswordAuthenticationFilter
- Best practice on Spring Security for this requirement
- Spring's AuthenticationProcessingFilter override
- How to use J2eePreAuthenticatedProcessingFilter and a custom authentication provider?