In Spring Integration, handlers and interceptors look like they basically achieve the same thing. There are even some 'duped' implementations, such as MessageTransformingChannelInterceptor and MessageTransformingHandler, which as far as I can tell provide the same functionality with different semantics.
Is there a time when one is appropriate and not another? If it's a matter of preference then I'm guessing that there'd be some sort of convention?
Thanks,
Roy
My general rule of thumb is to use interceptors sparingly; and typically, only for "passive" things like logging, wire tap etc.
Some users like to do message validation in interceptors; especially if they want to apply the same validation to multiple channels, perhaps with a global interceptor with an appropriate channel pattern.
The transforming interceptor was created in a very early iteration of the framework (2008) and we should probably remove (at least) the only mention of it in the reference (in the XML section).
Handlers
Handler means a Class which handles with certain thing.
For example, in the Spring framework, a HandlerMapping is used to map requests to specific controllers or handlers based on the URL pattern or request method.
Handler is responsible for processing a request and generating a response while a Filter is responsible for modifying or inspecting a request or response
Interceptors
Interceptors share a common API for the server and the client side.
Interceptors are often used to implement cross-cutting concerns such as transaction management, security, or logging.
Interceptors are part of Spring's AOP framework and are used to intercept method calls to Spring beans. They allow you to add behaviour to a method call before or after it is executed. Interceptors can be configured using annotations or XML configuration. Interceptors are used to intercept method calls to Spring beans.
Related
We're using Brave's ExtraFieldPropagation feature to propagate custom fields (e.g. an internal-only request identifier) between services as HTTP headers.
Some of our services make requests to external services using a RestTemplate or Feign client in the course of processing a request. Since Sleuth enhances all RestTemplate beans and Feign clients with the propagation feature, this means that external services receive the internal-only headers, which I'd like to avoid.
I know of two workarounds that allow me to avoid this behavior, both of which are flawed:
Instantiate a client object manually as opposed to using a #Bean so that Sleuth does not add an interceptor. The downside I see here is that developers have to remember to follow this pattern to avoid leaking information, and this is difficult to enforce.
Add an interceptor that removes these headers from outgoing requests. The downsides here are that a) I need separate interceptors for RestTemplate and Feign clients (not a huge deal); b) it looks like Feign client interceptors do not have a way to influence order of execution (see javadoc here), so I can't guarantee that the new interceptor will run last / after the Sleuth one.
Is there a way to customize Sleuth (e.g. via some kind of injector bean) such that, prior to injecting headers in an outgoing HTTP request, I can reason about the destination of the request? I saw documentation regarding custom injector beans, but it appears those no longer exist in spring boot >= 2. I can't seem to find an equivalent construct in Brave.
You can unsample a given URL which means that the headers will be propagated but not sent to Zipkin. You can't disable instrumentation for only some of the URLs cause we're instrumenting all of the components that are registered as beans.
I'm using Kafka in Spring Boot project. There are a lot of benefits in case you have simple flow (to use #KafkaListener, #KafkaHandler) and spring prepares almost everything for development.
In my application I have different handlers for the same message data. I want to use SpEL to manage handlers manipulating header data, but I've not detected corresponding API for that.
So my question: is it possible to manage my handlers via SpEL in case I have special headers for that (Header for example "X-OPERATION_TYPE":"patch")? How?
P.S.
I can make workarounds using GoF Strategy as example, but I hope spring already has solution for that case.
There is not such a "conditional routing" in Spring for Apache Kafka, but you can do that routing manually in the single #KafkaListener with plain if...else or switch.
For more comprehensive routing logic it would be better to take a look into Spring Integration: https://docs.spring.io/spring-integration/docs/5.0.9.RELEASE/reference/html/messaging-routing-chapter.html
I have a vanilla Spring Boot application that consists of a controller, a service and a DAO layer. The controller code calls the service code and so on.
To implement some semblance of security, I am currently using Spring Security 4.0.x's global method security annotations in combination with Spring Security ACL to lock down my service methods.
Requests that go through my controllers are auth-ed and authorized just fine because a principal / user is in context. HOWEVER, I also have some additional non-user facing code that listens for messages from an AWS queue. Within this listener code I invoke some secured services (to stay DRY and not duplicate business logic) but for this situation no user is in scope.
Generally speaking:
For a situation like the one I'm describing, what is a good / acceptable way to authenticate user-less method invocations e.g. ones that don't come through an HTTP request (or to bypass the check)? I am considering manually setting the SecurityContextHolder with a "system user" in my message listener code but this has some code smell.
Is method level security better applied at the controller level?
I'm getting started at building REST APIs with Spring annotated controllers.
My question is very simple: how to perform authentication/authorization in a common place rather than the APIs?
Being an expert C# developer I usually create a custom FilterAttribute for my controllers in order to implement any required authentication code.
I'm not going to use #Secured attribute because I work on custom REST authorization based on custom HTTP headers. I have understood that #Secured works with predefined roles, or perhaps I didn't understand its usage well.
Does Spring offer annotations to perform early filtering of Controllers working on the HttpRequest?
There is a filter-based authentication and authorization plugin at the web container level, provided by Spring Security. However, you can also apply security annotations to the controllers. . . Behind the scenes this uses Aspect Oriented programming to modularize the security concern. Take a look at Spring Security and AOP.
Once you understand a little about the AOP side of things you can customize the authorization however you like - role-based, time of day, whatever - this can be driven by custom annotations.
For Requests handling, struts 2 uses FilterDispatcher whereas Spring uses Servlet(dispatcher servlet) for dispatching the requests. What difference does this make? I mean they are doing the same job that is handling the incoming requests but using different strategies, one is using servlet other is using filter dispatcher.
Struts2 and spring mvc are different web frameworks that follow mvc design pattern. The architecture of both differs. Since they are different frameworks, they have different ways of achieving the same thing i.e. request handling. You can read more about FilterDispatcher here.