Hi Malintha,

Can you please explain the following to me?

In the API Manager store UI or jaggery APIs, users are required to log in prior
to creating applications or subscribing to APIs, etc.
In the store REST API we are passing an authentication header for invoking
APIs.
Have we eliminated the user login in this approach?

Thanks.


On Tue, Jan 12, 2016 at 3:15 PM, Malintha Amarasinghe <malint...@wso2.com>
wrote:

> Hi All,
>
> We have identified an issue in the new Store REST API in API Manager 1.10.0 as
> follows.
>
>    1. A new user is created using the admin console and added subscriber
>    permission ( OR a user is signed up using Store web app)
>    2. Now, without logging in to the Store at least once, the user invokes the
>    Store REST API (say, to create an Application).
>    3. We can see that the request fails.
>
> If the user tries invoking the REST API after logging in to the Store at
> least once, the request will be successful.
>
> The reason for the issue is that the user (subscriber) is added to the
> AM_SUBSCRIBER table in the login flow. When the user invokes the REST API
> without logging in to the Store at least once, the request fails as the
> subscriber is not yet added to the AM_SUBSCRIBER table.
>
> To solve the above issue we are looking into the following choices.
>
>    1. At the point the user is authenticated in REST API, we create a JWT
>    and add it to CXF message context with additional information (including
>    whether the subscriber is already added to AM_SUBSCRIBER or not). Then we
>    use a separate CXF interceptor (say PostAuthenticationInterceptor) to
>    retrieve the JWT from the message context, read required parameters from it
>    and add the user to the AM_SUBSCRIBER if he is not added already.
>    2. A similar approach to the above method without using JWT. We set the
>    authenticated user in the carbon context. It is read by a separate
>    CXF Interceptor, and the user is added to AM_SUBSCRIBER if not already
>    added.
>
> Both choices are based on using a separate Interceptor, so we have the
> following advantages.
>
>    1. We use a common set of Authentication interceptors for both
>    Publisher and Store REST APIs but we don't need to execute this flow for
>    Publisher REST API. We can easily do it by removing
>    the PostAuthenticationInterceptor from beans.xml in Publisher REST API web
>    app and keep it only in Store beans.xml.
>    2. For any authentication mechanism (Basic or OAuth or any new
>    authentication mechanism) we need this flow to be executed in the Store REST
>    API. This can be easily achieved using an Interceptor.
>
> Appreciate your thoughts on this.
>
> Thanks,
> Malintha
> --
> Malintha Amarasinghe
> Software Engineer
> *WSO2, Inc. - lean | enterprise | middleware*
> http://wso2.com/
>
> Mobile : +94 712383306
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Best Regards,

*Thilini Cooray*
Software Engineer
Mobile : +94 (0) 774 570 112
E-mail : thili...@wso2.com

WSO2 Inc. www.wso2.com
lean.enterprise.middleware
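A sketch of the second choice discussed above, a post-authentication CXF interceptor that provisions the subscriber idempotently, as an added example and not code from the API Manager code base. The message-context key, the `SubscriberDao` class and its methods are assumptions; the interceptor only trusts the user identity that the preceding authentication interceptor stored, never a client-supplied header.

```java
import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/** Runs in PRE_INVOKE, i.e. after the authentication interceptors, and makes
 *  sure an AM_SUBSCRIBER row exists for the authenticated user. Registered
 *  only in the Store beans.xml, so the Publisher REST API never runs it. */
public class PostAuthenticationInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Assumed key under which the authentication interceptor stores the
     *  verified username. Only the server-side auth step may write it. */
    static final String AUTH_USER_KEY = "apim.authenticated.user";

    private final SubscriberDao dao;

    public PostAuthenticationInterceptor(SubscriberDao dao) {
        super(Phase.PRE_INVOKE);
        this.dao = dao;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        Object user = message.get(AUTH_USER_KEY);
        if (!(user instanceof String) || ((String) user).isEmpty()) {
            // Authentication did not run or did not succeed: reject instead of
            // provisioning a subscriber for an unknown caller.
            throw new Fault(new IllegalStateException("no authenticated user in message context"));
        }
        dao.addIfAbsent((String) user);
    }

    /** Assumed minimal subscriber store standing in for AM_SUBSCRIBER. putIfAbsent
     *  keeps the step idempotent when two first-time requests from the same user
     *  arrive concurrently; a real DAO would rely on the table's unique constraint
     *  and treat a duplicate-key error as "already added". */
    public static class SubscriberDao {
        private final ConcurrentHashMap<String, Long> rows = new ConcurrentHashMap<>();

        /** Returns true when a row was inserted, false when it already existed. */
        public boolean addIfAbsent(String username) {
            return rows.putIfAbsent(username, System.currentTimeMillis()) == null;
        }

        public boolean exists(String username) {
            return rows.containsKey(username);
        }
    }
}
```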