Hi All,

We have identified an issue in the new Store REST API in API Manager 1.10.0 as follows.

1. A new user is created using the admin console and given the subscriber permission (or a user signs up using the Store web app).
2. Now, without logging in to the Store at least once, the user invokes the Store REST API (say, to create an Application).
3. We can see that the request fails. If the user tries invoking the REST API after logging in to the Store at least once, the request will be successful.

The reason for the issue is that the user (subscriber) is added to the AM_SUBSCRIBER table in the login flow. When the user invokes the REST API without logging in to the Store at least once, the request fails as the subscriber is not yet added to the AM_SUBSCRIBER table.

To solve the above issue we are looking into the following choices.

1. At the point the user is authenticated in the REST API, we create a JWT and add it to the CXF message context with additional information (including whether the subscriber is already added to AM_SUBSCRIBER or not). Then we use a separate CXF interceptor (say PostAuthenticationInterceptor) to retrieve the JWT from the message context, read the required parameters from it and add the user to AM_SUBSCRIBER if he is not added already.
2. A similar approach to the above method without using a JWT. We set the authenticated user in the carbon context. It is read by a separate CXF interceptor, and the user is added to AM_SUBSCRIBER if he is not already added.

Both choices are based on using a separate interceptor, so we have the following advantages.

1. We use a common set of authentication interceptors for both the Publisher and Store REST APIs, but we don't need to execute this flow for the Publisher REST API. We can easily do this by removing the PostAuthenticationInterceptor from beans.xml in the Publisher REST API web app and keeping it only in the Store beans.xml.
2. For any authentication mechanism (Basic or OAuth or any new authentication mechanism) we need this flow to be executed in the Store REST API. This can be easily achieved using an interceptor.

Appreciate your thoughts on this.
Thanks,
Malintha

--
Malintha Amarasinghe
Software Engineer
*WSO2, Inc. - lean | enterprise | middleware*
http://wso2.com/
Mobile : +94 712383306
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
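The interceptor-based flow proposed in the message (choice 2 style: read the already-authenticated user and provision the AM_SUBSCRIBER row if it is missing) as an added example; this is illustrative code, not code from WSO2 API Manager. The message-context key `AUTHENTICATED_USER`, the `SubscriberStore` persistence interface, the `DuplicateSubscriberException`, and the authentication interceptor id used in `addAfter` are all assumptions; the CXF types (`AbstractPhaseInterceptor`, `Phase`, `Message`, `Fault`) are real.

```java
// Added example, not WSO2 code: a CXF in-interceptor that provisions the
// authenticated user as a subscriber once authentication has completed.
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class PostAuthenticationInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Message-context key under which the (assumed) authentication interceptor
     *  publishes the authenticated principal. Hypothetical key name. */
    public static final String AUTHENTICATED_USER = "authenticated.user";

    /** CXF interceptor id of the authentication interceptor this one must follow.
     *  Placeholder: CXF uses the interceptor class name as its id by default. */
    public static final String AUTH_INTERCEPTOR_ID = "<authentication interceptor class name>";

    /** Minimal persistence abstraction over AM_SUBSCRIBER (hypothetical). */
    public interface SubscriberStore {
        boolean exists(String username);
        /** Assumed to be backed by a unique constraint on the subscriber name, so a
         *  concurrent first request cannot create the row twice. */
        void add(String username) throws DuplicateSubscriberException;
    }

    /** Thrown by SubscriberStore.add when the unique constraint fires (hypothetical). */
    public static class DuplicateSubscriberException extends Exception {
        public DuplicateSubscriberException(String msg) { super(msg); }
    }

    private final SubscriberStore store;

    public PostAuthenticationInterceptor(SubscriberStore store) {
        // PRE_INVOKE runs after the in-chain security phases but before the JAX-RS
        // resource method, which is where the subscriber row is needed.
        super(Phase.PRE_INVOKE);
        // Order strictly after authentication so the principal below is trustworthy.
        addAfter(AUTH_INTERCEPTOR_ID);
        this.store = store;
    }

    @Override
    public void handleMessage(Message message) {
        Object principal = message.get(AUTHENTICATED_USER);
        if (!(principal instanceof String) || ((String) principal).isEmpty()) {
            // Fail closed: never provision a subscriber for a request that did not
            // pass authentication (e.g. the interceptor was mis-ordered or omitted).
            throw new Fault(new IllegalStateException(
                    "no authenticated user in message context; authentication must run first"));
        }
        String username = (String) principal;

        // Idempotent: the common case (user already logged in to Store once) is a
        // single read and no write.
        if (store.exists(username)) {
            return;
        }
        try {
            store.add(username);
        } catch (DuplicateSubscriberException e) {
            // Lost a check-then-insert race with a concurrent first request from the
            // same user; the row now exists, so the request can proceed.
        }
    }
}
```

Two points worth keeping in mind when wiring this up. First, the interceptor trusts whatever the authentication interceptor placed in the message context (or, for the carbon-context variant, the username on the thread-local carbon context), so it must only ever be registered after those interceptors in the Store web app's `<jaxrs:inInterceptors>` list in beans.xml and left out of the Publisher's beans.xml, exactly as the message proposes. Second, if the JWT variant (choice 1) is chosen, the token never leaves the server process, so its role is only to carry data between interceptors; the subscriber name must still come from the authenticated principal, never from a value the client supplied in the request.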
