0

I have a REST server over SSL. Initially, the client logs in with the credentials. To avoid sending the username/password for each request, I have created a custom token which is returned to the user in the login procedure. This token contains some information about the client (IP and user-agent) as well as an expiration time; and of course the token is sent encrypted.

Further calls include the token in a custom header field, which is verified in IDispatchMessageInspector.

The approach works fine, but I am pretty sure it's not a good approach. Is there any benefit in using custom authentication rather than message inspection?

Ace

1 Answer

1

Message inspection is the checking, changing, and replacing of messages after they are received and before they are sent.

Custom authentication requires the authentication of a username and password, which is more suitable for login or other situations where a username and password are required.

Both types of verification have their own applications. As you said, to avoid sending the username and password every time, you can choose message inspection. Personally, I also lean towards message inspection.

Jiayao
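A sketch of the per-request check the question describes, as an added example that is not code from the question or the answer. The token format is not given in the thread, so this assumes an HMAC-SHA256-signed token (integrity-protected rather than encrypted) with the layout shown in the comment; the header name `X-Auth-Token` and the class name are hypothetical, and a `webHttpBinding` endpoint is assumed.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Text;

// Assumed token layout (not from the thread):
//   base64(payload) + "." + base64(HMAC-SHA256(key, payload))
//   payload = "<client ip>|<expiry, UTC ticks>|<user-agent>"
public class TokenInspector : IDispatchMessageInspector
{
    private const string HeaderName = "X-Auth-Token"; // hypothetical header name
    private readonly byte[] _key;                      // server-side secret, never sent to clients

    public TokenInspector(byte[] key) { _key = key; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext ctx)
    {
        var http = (HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name];
        var remote = (RemoteEndpointMessageProperty)request.Properties[RemoteEndpointMessageProperty.Name];
        if (!IsValid(http.Headers[HeaderName], remote.Address, http.Headers["User-Agent"], DateTime.UtcNow))
            throw new WebFaultException<string>("Invalid or expired token", HttpStatusCode.Unauthorized);
        return null; // no correlation state needed
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    public bool IsValid(string token, string ip, string userAgent, DateTime nowUtc)
    {
        var parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac, expected;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        using (var h = new HMACSHA256(_key)) expected = h.ComputeHash(payload);

        // Compare MACs without an early exit so timing does not leak the match position.
        int diff = mac.Length ^ expected.Length;
        for (int i = 0; i < mac.Length && i < expected.Length; i++) diff |= mac[i] ^ expected[i];
        if (diff != 0) return false;

        // User-agent is the last field so it may itself contain '|'.
        var f = Encoding.UTF8.GetString(payload).Split(new[] { '|' }, 3);
        long ticks;
        return f.Length == 3 && f[0] == ip && f[2] == (userAgent ?? "")
            && long.TryParse(f[1], out ticks) && ticks > nowUtc.Ticks;
    }
}
```

The signature is verified before any field is parsed, so a tampered IP, user-agent or expiry is rejected without the payload ever being trusted.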