[
https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303759#comment-17303759
]
Michael Brohl commented on OFBIZ-12033:
---------------------------------------
While starting to remove the obsolete files for OFBIZ-12197 and seeing the
security group demo data file, a thought comes to mind which we should discuss:
How do we assign the valid user login(s) to different REST endpoints? We
certainly don't want to let *any* UserLogin be using the endpoints (see below).
There can be different scenarios:
* the assignment is implicit because of some registration (also through the
REST API, e.g. in an app)
* the assignment is configured in the backend (manually created UserLogins)
Which raises another question: how do we define different main endpoints for
different sets of functionality?
There could be several requirements for this:
* different API versions available at the same time
(/my-api/v1/create-product, /my-api/v2/create-product)
* different functionalities, e.g. 2 different apps connecting to the same
OFBiz instance.
For example, a webshop app and a service app (/webshop/*, /service/*), each
having different users!
* or even different plugins providing a REST API each
I first thought this will be achieved through the definition of different
webapps in the respective plugin's ofbiz-component.xml but from the demo
implementation it seems that the main endpoint is defined by the rest-api
plugin (/rest/) and the paths are coming from the
rest-impl-demo/api/rest-impl-demo.rest.xml file as well as exportable service
definitions.
I believe that there should be a way to compose sets / combinations of main
endpoints or paths with the corresponding api and assign different sets of
UserLogins to it.
Some more examples:
REST API #1 is a webshop API
(/rest)/webshop/orders
(/rest)/webshop/orders/1000
(/rest)/webshop/create-order
(/rest)/webshop/show-cart
REST API #2 and #3 are a product management API with different versions
(/rest)/pim/v1/products
(/rest)/pim/v1/products/123456
(/rest)/pim/v1/products/create
(/rest)/pim/v2/products
(/rest)/pim/v2/products/123456
(/rest)/pim/v2/products/create
REST API #4 is a content delivery server
(/rest)/cdn/images
(/rest)/cdn/images/101010
(/rest)/cdn/content/111111
Each of these APIs should have their own swagger UI pages and different sets
of valid users.
It is not clear to me how this could be achieved with the current
implementation or if this leaves room for improvement?
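One way to model the "API root plus its own set of valid users" composition discussed above, as an added Java sketch that is not OFBiz code: each API root is mapped to the security groups permitted to call it, the longest matching root wins (so /pim/v1 and /pim/v2 are governed separately), and unmapped paths are denied. The API roots, group names and user login ids are constructed for the example; the userGroups map stands in for an OFBiz UserLoginSecurityGroup lookup.

```java
import java.util.*;

/** Hypothetical per-API access policy; not part of the rest-api plugin. */
public class ApiAccessPolicy {
    // Constructed sample: API root -> security groups allowed to call it.
    private final Map<String, Set<String>> apiGroups = new HashMap<>();
    // Constructed sample: userLoginId -> security groups held (stand-in for UserLoginSecurityGroup).
    private final Map<String, Set<String>> userGroups = new HashMap<>();

    public void allow(String apiRoot, String... groups) {
        apiGroups.put(normalize(apiRoot), new HashSet<>(Arrays.asList(groups)));
    }

    public void assign(String userLoginId, String... groups) {
        userGroups.put(userLoginId, new HashSet<>(Arrays.asList(groups)));
    }

    /** Longest matching API root wins, so a /pim/v2 rule is not shadowed by a /pim rule. */
    Optional<String> resolveApi(String path) {
        String p = normalize(path);
        String best = null;
        for (String root : apiGroups.keySet()) {
            boolean matches = p.equals(root) || p.startsWith(root + "/");
            if (matches && (best == null || root.length() > best.length())) best = root;
        }
        return Optional.ofNullable(best);
    }

    /** Deny by default: a path outside every configured API root is never callable. */
    public boolean isAllowed(String userLoginId, String path) {
        Optional<String> api = resolveApi(path);
        if (!api.isPresent()) return false;
        Set<String> needed = apiGroups.get(api.get());
        Set<String> held = userGroups.getOrDefault(userLoginId, Collections.emptySet());
        return !Collections.disjoint(needed, held);
    }

    /** Collapse repeated slashes and strip a trailing one so lookups are canonical. */
    static String normalize(String path) {
        String p = path.replaceAll("/+", "/");
        return p.length() > 1 && p.endsWith("/") ? p.substring(0, p.length() - 1) : p;
    }

    public static void main(String[] args) {
        ApiAccessPolicy policy = new ApiAccessPolicy();
        policy.allow("/rest/webshop", "WEBSHOP_CUSTOMER");
        policy.allow("/rest/pim/v1", "PIM_EDITOR");
        policy.allow("/rest/pim/v2", "PIM_EDITOR", "PIM_ADMIN");
        policy.allow("/rest/cdn", "CDN_READER");
        policy.assign("shop-user", "WEBSHOP_CUSTOMER");
        policy.assign("pim-user", "PIM_EDITOR");
        System.out.println(policy.isAllowed("shop-user", "/rest/webshop/orders/1000"));
        System.out.println(policy.isAllowed("shop-user", "/rest/pim/v1/products/123456"));
        System.out.println(policy.isAllowed("pim-user", "/rest/unknown"));
    }
}
```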
> Separate login service for API calls
> ------------------------------------
>
> Key: OFBIZ-12033
> URL: https://issues.apache.org/jira/browse/OFBIZ-12033
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Reporter: Girish Vasmatkar
> Assignee: Girish Vasmatkar
> Priority: Minor
>
> We're using userLogin service to
> authenticate users before generating auth tokens for REST API and GraphQL
> calls. However, we figured that a session is also getting created and
> returned in response which is defeating the purpose of having an API in
> place. Even though that session is not getting used anywhere when subsequent
> calls are made using the token, we still think it is an extra session lying
> around in tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service
> (basicAuthUserLogin) that would just do username/password matching and be
> done with it without ever calling request.getSession(). This will ensure that
> APIs are stateless and no session is generated.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)