Ozwillo Datacore is a Cloud of shared Open Linked Data. Its goal is cross-business data collaboration and integration. By linking data from different businesses together, it allows creating value by developing new Ozwillo services on top of it.
To be scalable, Datacore should not make an HTTP call to the Kernel on each request (e.g. to the introspection endpoint, to validate the Bearer / access token header and get the user's groups). The expiry time of this cached validation should be e.g. 1h, like Atol access tokens.
20141110 update: the latency difference between mock auth and the OAuth2 Kernel token check has become very visible in the new playground UI auth. The simplest solution is a size-constrained FIFO map cache in front of the token check in RemoteTokenServices (and possibly in PlaygroundAuthenticationResource, once the playground gets one).
OBSOLETED on 20141110 :
NO: do it using existing Spring Security mechanisms if possible. Candidates considered:
session management. Could be used if it stored the authenticated OAuth2 Authentication in the session and reused it in another request whose Bearer / access token header matches, as long as the token has not expired. However, a session is probably too much for this, since nothing else needs one (no business model is kept in memory between requests, which is itself good for scalability).
NOT USEFUL: auth kept across sessions through a cookie, by Remember-Me Authentication using InMemoryTokenRepositoryImpl. That's not what we want, and we don't want (non-test, e.g. browser) Datacore clients to use cookies. In addition, it makes browser-based testing harder, so it may as well be disabled if possible (check whether it is active by putting breakpoints in InMemoryTokenRepositoryImpl or the Remember-Me filter).
So probably rather: develop a CachedIntrospectionEndpointClient holding a HashMap (or even an EHCache ?!) of recently validated tokens with their user information, on top of the regular JAX-RS client, which checks the access token expiry time. Key the map by the token (better: by a hash of it, so raw bearer tokens don't sit in the heap), bound its size, and only store successful validations, otherwise a flood of random tokens from unauthenticated callers fills it.
However, when a cached token is shown again and is getting old (its expiration time has passed, or the cache entry is older than a configured property, e.g. 10 min), the cache should call the introspection endpoint again (to re-validate it and refresh the user information) and re-cache the result. Until then a token revoked on the Kernel side (e.g. on logout) is still accepted, which is the price of this cache.
OPT: make it expire on user logout, by listening to logout events (see the Kernel EventBus API) if there are any (e.g. emitted by the Portal).
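As an added example (not Datacore's own code), a sketch in plain Java of the CachedIntrospectionEndpointClient described above, in the form the 20141110 update suggests (a size-constrained FIFO map in front of the Kernel call), with the re-validation rule of the previous point and the optional logout hook. The Introspection fields, the IntrospectionClient interface, the CachedIntrospectionClient name and the fake Kernel are assumptions standing in for the Kernel introspection API and the JAX-RS client; the real RemoteTokenServices / Spring Security wiring is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

/** One answer of the Kernel introspection endpoint (field names are assumptions, not the real API). */
final class Introspection {
    final boolean active; final String userId; final Set<String> groups; final Instant expiresAt;
    Introspection(boolean active, String userId, Set<String> groups, Instant expiresAt) {
        this.active = active; this.userId = userId; this.groups = groups; this.expiresAt = expiresAt;
    }
}

/** Stand-in for the regular JAX-RS client that does the HTTP call to the Kernel. */
interface IntrospectionClient {
    Introspection introspect(String accessToken);
}

/** Size-constrained FIFO cache in front of the Kernel call, re-validating entries that get old. */
final class CachedIntrospectionClient implements IntrospectionClient {
    private static final class CacheEntry {
        final Introspection value; final Instant cachedAt;
        CacheEntry(Introspection value, Instant cachedAt) { this.value = value; this.cachedAt = cachedAt; }
    }
    private final IntrospectionClient delegate;
    private final Supplier<Instant> clock;   // injectable so the demo can move time forward
    private final Duration maxAge;           // the configured prop, e.g. 10 min
    private final Map<String, CacheEntry> cache;

    CachedIntrospectionClient(IntrospectionClient delegate, Supplier<Instant> clock, Duration maxAge, int maxEntries) {
        this.delegate = delegate; this.clock = clock; this.maxAge = maxAge;
        // Insertion-ordered LinkedHashMap whose eldest entry is dropped past maxEntries: a bounded FIFO.
        this.cache = new LinkedHashMap<String, CacheEntry>(16, 0.75f, false) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, CacheEntry> eldest) {
                return size() > maxEntries;
            }
        };
    }

    @Override public synchronized Introspection introspect(String accessToken) {
        String key = sha256(accessToken);   // key on a hash so raw bearer tokens never sit in the heap / a dump
        Instant now = clock.get();
        CacheEntry cached = cache.get(key);
        if (cached != null && isFresh(cached, now)) return cached.value;
        Introspection fresh = delegate.introspect(accessToken);   // the HTTP round-trip we want to avoid
        if (fresh.active) cache.put(key, new CacheEntry(fresh, now));
        else cache.remove(key);   // never cache rejections: a flood of random tokens would otherwise fill the map
        return fresh;
    }

    private boolean isFresh(CacheEntry e, Instant now) {
        return now.isBefore(e.value.expiresAt)                           // token itself not expired
            && Duration.between(e.cachedAt, now).compareTo(maxAge) < 0;  // cached result younger than maxAge
    }

    /** OPT: hook for a Kernel logout event; drops every cached token of that user at once. */
    public synchronized void onLogout(String userId) {
        cache.values().removeIf(e -> userId.equals(e.value.userId));
    }

    public synchronized int size() { return cache.size(); }

    private static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}

public class CachedIntrospectionDemo {
    public static void main(String[] args) {
        int[] kernelCalls = {0};
        Instant[] now = { Instant.parse("2014-11-10T10:00:00Z") };
        // Constructed fake Kernel: tokens starting with "valid-" belong to alice and live 1h, anything else is rejected.
        IntrospectionClient kernel = token -> {
            kernelCalls[0]++;
            boolean ok = token.startsWith("valid-");
            Set<String> groups = ok ? Collections.singleton("users") : Collections.<String>emptySet();
            return new Introspection(ok, ok ? "alice" : null, groups, now[0].plus(Duration.ofHours(1)));
        };
        CachedIntrospectionClient cached =
            new CachedIntrospectionClient(kernel, () -> now[0], Duration.ofMinutes(10), 1000);

        cached.introspect("valid-1"); cached.introspect("valid-1");
        System.out.println("Kernel calls after 2 requests with the same token: " + kernelCalls[0]);
        now[0] = now[0].plus(Duration.ofMinutes(11));
        cached.introspect("valid-1");
        System.out.println("Kernel calls after 11 min (entry older than maxAge, re-validated): " + kernelCalls[0]);
        cached.introspect("garbage"); cached.introspect("garbage");
        System.out.println("Kernel calls after 2 rejected tokens (rejections are not cached): " + kernelCalls[0]);
        cached.onLogout("alice");
        System.out.println("cache entries after alice's logout: " + cached.size());
    }
}
```

The demo walks through the behaviours the notes above ask for: the second request with the same token is served without touching the fake Kernel, an entry older than maxAge is re-validated even though the token itself still has most of its 1h left, rejected tokens each cost a Kernel call but never occupy a slot in the bounded map, and a logout event empties every entry of that user. Hashing the key also means the cache holds nothing a heap dump could replay as a bearer token.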