Le 22/01/2019 à 10:11, Michael Brohl a écrit :
3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*
Yes, that's not a problem it's only few ms (if even) as long as there is no JWT
passed. Else all the other pre-processors would also be concerned...
The problem is: without explicitely switching it off, it will parse a provided JWT token on every request *even if you don't want to use the SSO
feature*. You might want to use the Authorization: Bearer <token> header for other scenarios than SSO. Implementing a REST service for example,
which is the reason I stumbled upon this.
Implicitely turning the feature on when the header is present is not a good idea, we should separate concerns.
Ha I see your point now, I had still my code in mind. Before I was only doing a
request.getHeader("Authorization");
And that was also the reason I wanted a simple Authorization header, that's
fast.
In one the first implementations I remember I used to have a properties to decide if the JWT was on or off for the same reason. I removed it after
because it was not costly with the code above
I agree it makes sense again now
Thanks
Jacques
