UsernamePasswordAuthenticationFilter vs own endpoint

Question

Let's say I want to handle an api endpoint /login, which gets a username&password body and returns a JWT token in a header.

What's the difference between using UsernamePasswordAuthenticationFilter with

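@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
    try {
        // Parse the JSON request body into the login DTO
        LoginDto loginDto = new ObjectMapper().readValue(request.getInputStream(), LoginDto.class);
        // Two-argument constructor: an unauthenticated token for the manager to verify
        return getAuthenticationManager().authenticate(
            new UsernamePasswordAuthenticationToken(
                loginDto.getUsername(),
                loginDto.getPassword()
            )
        );
    } catch (IOException e) {
        // Report an unreadable body as an authentication failure, not a bare RuntimeException
        // (class: org.springframework.security.authentication.AuthenticationServiceException)
        throw new AuthenticationServiceException("Could not read login request", e);
    }
}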

over providing my own @PostMapping("/login"), where I call a UserService myself?
What's the reason/advantage for calling a filter on a single endpoint?

Answer 1

Score: 3

The main advantage of UsernamePasswordAuthenticationFilter is a better integration with Spring than your custom login request. Using it, the framework provides you nice ways to:

  • Manage events like: after a successful login, an unsuccessful login and after a successful logout.

  • The result of that filter is a Spring Authentication object, so you will be able to use it in "the rest of login request" if you need.

Some examples about how to use it (in both you will see how your UserService should be configured):

UsernamePasswordAuthenticationFilter

UsernamePasswordAuthenticationFilter + JWT

However, managing your own login endpoint is a widely used option too. If you really don't need/use the above advantages, it is suitable to create your own endpoint to manage that request.
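
The login hooks described in the answer above, as an added example that is not part of the original question or answer: a filter that keeps the framework's success and failure handling and returns the JWT in a header. It assumes Spring Security 5.x (javax.servlet) and Jackson; `JsonLoginFilter`, `TokenService` and the inline `LoginDto` are hypothetical names.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Added example (hypothetical class): JSON login handled inside the filter chain.
public class JsonLoginFilter extends UsernamePasswordAuthenticationFilter {

    // Hypothetical collaborator: turns the authenticated principal into a signed JWT.
    public interface TokenService { String issue(Authentication auth); }

    // Hypothetical request body, standing in for the question's LoginDto.
    public static class LoginDto { public String username; public String password; }

    private final ObjectMapper mapper = new ObjectMapper();

    public JsonLoginFilter(AuthenticationManager manager, TokenService tokens) {
        setAuthenticationManager(manager); // the default matcher stays POST /login
        // Called by the base class once attemptAuthentication has returned a result.
        setAuthenticationSuccessHandler((req, res, auth) ->
                res.setHeader("Authorization", "Bearer " + tokens.issue(auth)));
        // Called when it throws: one reply for unknown user and wrong password alike.
        setAuthenticationFailureHandler((req, res, ex) ->
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed"));
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException {
        try {
            LoginDto dto = mapper.readValue(req.getInputStream(), LoginDto.class);
            // Unauthenticated token: the AuthenticationManager does the credential check.
            return getAuthenticationManager().authenticate(
                    new UsernamePasswordAuthenticationToken(dto.username, dto.password));
        } catch (IOException e) {
            // A malformed body reaches the failure handler (401) instead of surfacing as a 500.
            throw new AuthenticationServiceException("Unreadable login request", e);
        }
    }
}
```

Register it with `http.addFilterAt(new JsonLoginFilter(manager, tokens), UsernamePasswordAuthenticationFilter.class)`. A hand-written `@PostMapping("/login")` would have to call the `AuthenticationManager` and map each failure to a response itself.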

huangapple
  • Posted on 2020-08-31 05:17:56