On 22/01/2019 at 10:11, Michael Brohl wrote:
3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*

Yes, that's not a problem, it's only a few ms (if even) as long as there is no JWT 
passed. Else all the other pre-processors would also be concerned...


The problem is: without explicitly switching it off, it will parse a provided JWT token on every request *even if you don't want to use the SSO feature*. You might want to use the Authorization: Bearer <token> header for other scenarios than SSO. Implementing a REST service for example, which is the reason I stumbled upon this.

Implicitly turning the feature on when the header is present is not a good idea, we should separate concerns.

Ha, I see your point now, I still had my code in mind. Before I was only doing a

   request.getHeader("Authorization");

And that was also the reason I wanted a simple Authorization header, that's 
fast.

In one of the first implementations, I remember I used to have a property to decide if the JWT was on or off for the same reason. I removed it afterwards because it was not costly with the code above.

I agree it makes sense again now.

Thanks

Jacques
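The design point discussed above, an explicit on/off property rather than implicitly enabling SSO whenever an Authorization: Bearer header is present, as an added example that is not OFBiz code and not code posted in this thread. The class, the property it stands in for (`ssoEnabled`), the HS256 shared secret and the sample token are all assumptions; it uses only JDK classes (`javax.crypto.Mac`, `java.util.Base64`) and is meant to be called from a request pre-processor with the value of `request.getHeader("Authorization")`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical JWT SSO pre-processor (example only, not OFBiz code).
 * The Authorization header is only looked at when SSO is explicitly enabled,
 * so a REST layer can use "Authorization: Bearer ..." for its own purposes
 * without this code parsing (and possibly rejecting) its tokens.
 */
public class JwtSsoPreprocessor {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final boolean ssoEnabled; // stands in for an assumed property such as security.jwt.sso.enabled
    private final byte[] hmacKey;     // assumed shared HS256 secret

    public JwtSsoPreprocessor(boolean ssoEnabled, byte[] hmacKey) {
        this.ssoEnabled = ssoEnabled;
        this.hmacKey = hmacKey.clone();
    }

    /** Called with request.getHeader("Authorization"). Returns the verified claims JSON, or null. */
    public String preprocess(String authorizationHeader) {
        if (!ssoEnabled) {
            return null; // feature switched off: the header is left untouched for other consumers
        }
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null; // no bearer token, nothing to do
        }
        String token = authorizationHeader.substring(7).trim();
        return verifyHs256(token);
    }

    /** Verifies an HS256 compact JWS; returns the payload JSON on success, null otherwise. */
    String verifyHs256(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return null;
        }
        try {
            String headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            // Pin the algorithm: anything other than HS256 (including "none") is refused.
            if (!headerJson.replace(" ", "").contains("\"alg\":\"HS256\"")) {
                return null;
            }
            byte[] expected = hmac((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            byte[] actual = B64D.decode(parts[2]);
            if (!MessageDigest.isEqual(expected, actual)) { // constant-time comparison
                return null;
            }
            return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // malformed base64url in one of the parts
            return null;
        }
    }

    /** Builds an HS256 token with the same key; used here only to construct sample input. */
    String sign(String payloadJson) {
        String h = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String p = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String s = B64.encodeToString(hmac((h + "." + p).getBytes(StandardCharsets.US_ASCII)));
        return h + "." + p + "." + s;
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(hmacKey, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample key and token, not real credentials.
        byte[] key = "constructed-example-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        String header = "Bearer " + new JwtSsoPreprocessor(true, key).sign("{\"sub\":\"admin\"}");

        // SSO explicitly off: the bearer header is ignored, so REST code may consume it itself.
        System.out.println(new JwtSsoPreprocessor(false, key).preprocess(header));
        // SSO on: the token is verified and its claims are returned.
        System.out.println(new JwtSsoPreprocessor(true, key).preprocess(header));
        // SSO on, but the signature has been tampered with: rejected.
        System.out.println(new JwtSsoPreprocessor(true, key).preprocess(header + "x"));
    }
}
```

Running `main` prints null for the disabled case (the header was never parsed), the claims JSON for the enabled case, and null again for the tampered token. The cost Jacques mentions, a single `getHeader` call, stays the same whichever way the flag is set; what the flag buys is that a REST endpoint using its own bearer tokens is never affected by the SSO verifier's success or failure.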
