Girish Vasmatkar created OFBIZ-12033:
----------------------------------------
Summary: Separate login service for API calls
Key: OFBIZ-12033
URL: https://issues.apache.org/jira/browse/OFBIZ-12033
Project: OFBiz
Issue Type: Sub-task
Components: ALL COMPONENTS
Reporter: Girish Vasmatkar

We're using the userLogin service to
authenticate users before generating auth tokens for REST API and GraphQL
calls. However, we figured that a session is also getting created and returned
in the response, which is defeating the purpose of having an API in place. Even
though that session is not getting used anywhere when subsequent calls are made
using the token, we still think it is an extra session lying around in Tomcat's
session cache.

The proposal is to implement a new basic userLogin service
(basicAuthUserLogin) that would just do username/password matching and be done
with it without ever calling request.getSession(). This will ensure that APIs
are stateless and no session is generated.