I want to use JWT to authenticate access to my services using HttpApi.
I’ve looked at the examples posted to this forum, but I feel I need some advice on how to implement this.
- The tokens will potentially have a long expiration time, and I want to be able to revoke them at any time.
- As long as the token is valid, the user should not have to log in again.
- In some cases the token will be pre-generated, and as long as it’s valid the user will not have to log in.
- I want to persist all tokens in a database.
- I want to validate the token before a request is accepted.
- I want to verify the token against the database, e.g. I want to check the expiration time of tokens before the request is accepted.
- The session must be valid as long as the token is valid.
It seems the ApiSimpleAuthenticationManager will just create a session, and the timeout of the sessionmanager will decide how long the session will be valid before the user will need to log in again.
My initial reaction is that I need to implement my own AuthenticationManager, which, looking at the sources, should be quite simple.
In ReadAuthenticationInfo I will implement my custom logic for validating tokens.
But how can I access the sessionmanager from my custom AuthenticationManager?
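The token-handling part of the requirements listed in the post (long-lived JWTs that are persisted, checked against the database on every request, and revocable at any time) can be sketched independently of any particular framework's AuthenticationManager. The following is an added example written for this thread; it is not the poster's code and not the API of the framework being discussed. The names TokenStore, issue_token, validate_token and revoke_token are illustrative assumptions, the signing key is a constructed placeholder, and an in-memory SQLite database stands in for the real token table.

```python
"""Added example (not the forum poster's code and not any framework's own
AuthenticationManager): HS256 JWTs persisted by jti so that a long-lived
token can be revoked at any time and every request is checked against the
database before it is accepted. All names here are illustrative assumptions."""
import base64
import hashlib
import hmac
import json
import sqlite3
import time
import uuid

# Constructed placeholder key; a real deployment loads it from a secrets store.
SECRET = b"replace-with-a-long-random-key-from-a-secrets-store"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenStore:
    """Every issued token is a row keyed by jti; an in-memory SQLite file stands
    in for the real database. Pre-generated tokens are simply rows inserted early."""

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS tokens (jti TEXT PRIMARY KEY, sub TEXT NOT NULL, "
            "exp INTEGER NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)")

    def save(self, jti, sub, exp):
        self.db.execute("INSERT INTO tokens (jti, sub, exp) VALUES (?, ?, ?)", (jti, sub, exp))
        self.db.commit()

    def lookup(self, jti):
        row = self.db.execute("SELECT sub, exp, revoked FROM tokens WHERE jti = ?", (jti,)).fetchone()
        return None if row is None else {"sub": row[0], "exp": row[1], "revoked": bool(row[2])}

    def revoke(self, jti):
        cur = self.db.execute("UPDATE tokens SET revoked = 1 WHERE jti = ?", (jti,))
        self.db.commit()
        return cur.rowcount > 0


def issue_token(store, sub, lifetime_seconds, now=None):
    """Mints an HS256 JWT and records (jti, subject, expiry) in the store."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime_seconds}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    store.save(claims["jti"], sub, claims["exp"])
    return f"{header}.{body}.{b64url(sig)}"


def validate_token(store, token, now=None):
    """Returns the subject if the request may proceed, otherwise None.
    Algorithm pin and signature are checked first so forged tokens never reach
    the database; the database row then decides revocation and expiry."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    row = store.lookup(str(claims.get("jti", "")))
    if row is None or row["revoked"]:  # never issued, or revoked since
        return None
    # The stored row, not the self-asserted claims, is the authority on expiry
    # and subject; any mismatch means this is not the token that was issued.
    if row["exp"] <= now or claims.get("exp") != row["exp"] or claims.get("sub") != row["sub"]:
        return None
    return row["sub"]


def revoke_token(store, token):
    """Admin action: flags the token's jti as revoked. Returns False for
    malformed tokens or a jti that was never issued."""
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
        return store.revoke(str(claims["jti"]))
    except (ValueError, KeyError, IndexError, TypeError):
        return False


if __name__ == "__main__":
    store = TokenStore()
    tok = issue_token(store, "alice", lifetime_seconds=30 * 24 * 3600)
    print("valid:", validate_token(store, tok))         # alice
    revoke_token(store, tok)
    print("after revoke:", validate_token(store, tok))  # None
```

Because the database row is the authority on expiry and revocation, shortening or extending a token's lifetime is a single UPDATE that takes effect on the next request, which is what makes a long default expiry safe. The cost is one indexed lookup by jti per request; the jti column is the primary key for that reason.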