[ https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310265#comment-17310265 ]

Girish Vasmatkar commented on OFBIZ-12033:
------------------------------------------

Hi [~mbrohl]

Sorry, I have been out of action for some time.

I think the use case you have mentioned does make sense. My initial approach 
was to just let the service the endpoint attaches to govern the authentication, 
because it looked reasonable at that time that, if the user is able to 
authenticate themselves and get a token generated for them, then the actual 
authentication and authorization can be taken care of by the OFBiz framework 
during the service call.

Turns out, as you mentioned, the REST APIs should also support application-level 
authorization. This, I believe, will be similar to how the OFBiz standard 
applications are authorized.

+1 for this, as I feel this will be a very mature addition, or rather a much 
needed addition, to the plugin.

As far as a wiki page for REST goes, no, there is none yet. There were some more 
improvements I was planning to work on before having a wiki page.

> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Girish Vasmatkar
>            Priority: Minor
>
> We're using the userLogin service to authenticate users before generating 
> auth tokens for REST API and GraphQL calls. However, we figured that a 
> session is also getting created and returned in the response, which is 
> defeating the purpose of having an API in place. Even though that session is 
> not getting used anywhere when subsequent calls are made using the token, we 
> still think it is an extra session lying around in Tomcat's session cache.
>
> The proposal is to implement a new basic userLogin service 
> (basicAuthUserLogin) that would just do username/password matching and be 
> done with it, without ever calling request.getSession(). This will ensure that 
> APIs are stateless and no session is generated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

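The session-free login service proposed in the issue description, as an added example that is not OFBiz code and does not use the OFBiz service engine or its existing userLogin implementation: the class below takes only a username and password, checks them against a stored PBKDF2 hash and returns an HMAC-signed, expiring token that later REST or GraphQL calls can present. Because no method takes an HttpServletRequest, request.getSession() is never called and no Tomcat session can be created as a side effect. The in-memory user store, the PBKDF2 parameters, the 15-minute token lifetime and the body.signature token format are all assumptions made for the example.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not OFBiz code: credentials in, signed expiring token out. Nothing here
// takes an HttpServletRequest, so request.getSession() cannot be reached and no Tomcat
// session is created. The user store, hashing parameters and token format are assumptions.
public final class BasicAuthUserLogin {

    /** Stored credential: per-user salt plus PBKDF2-HMAC-SHA256 of the password. */
    static final class StoredCredential {
        final byte[] salt, hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private static final int PBKDF2_ITERATIONS = 100_000;   // assumed tuning value
    private static final long TOKEN_TTL_SECONDS = 900;       // assumed token lifetime
    private static final byte[] DUMMY_SALT = new byte[16];   // hashed against for unknown users
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final Map<String, StoredCredential> users;  // stand-in for the real user store
    private final byte[] tokenKey;                       // server-side HMAC key for tokens

    BasicAuthUserLogin(Map<String, StoredCredential> users, byte[] tokenKey) {
        this.users = users;
        this.tokenKey = tokenKey;
    }

    /** PBKDF2-HMAC-SHA256, used both when storing a password and when checking one. */
    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();   // PBEKeySpec keeps its own copy of the password
        return key;
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(tokenKey, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** The stateless login. Returns empty on any failure so a caller cannot tell a bad password
     *  from an unknown user; PBKDF2 runs either way so response time does not leak usernames. */
    public Optional<String> authenticate(String username, char[] password, long nowEpochSeconds)
            throws GeneralSecurityException {
        StoredCredential cred = users.get(username);
        byte[] candidate = pbkdf2(password, cred != null ? cred.salt : DUMMY_SALT);
        boolean ok = cred != null && MessageDigest.isEqual(candidate, cred.hash);
        Arrays.fill(password, '\0');                      // do not keep the clear-text password around
        if (!ok) return Optional.empty();
        String body = B64.encodeToString((username + "|" + (nowEpochSeconds + TOKEN_TTL_SECONDS)).getBytes(UTF_8));
        return Optional.of(body + "." + B64.encodeToString(hmac(body.getBytes(UTF_8))));
    }

    /** Check a token on a later API call; returns the username if it is genuine and unexpired. */
    public Optional<String> verify(String token, long nowEpochSeconds) throws GeneralSecurityException {
        int dot = token.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String body = token.substring(0, dot);
        try {
            byte[] sig = B64D.decode(token.substring(dot + 1));
            // Constant-time MAC check over the encoded body before anything in it is trusted.
            if (!MessageDigest.isEqual(hmac(body.getBytes(UTF_8)), sig)) return Optional.empty();
            String payload = new String(B64D.decode(body), UTF_8);
            int bar = payload.lastIndexOf('|');              // the MAC guarantees we wrote this payload
            long expiry = Long.parseLong(payload.substring(bar + 1));
            return nowEpochSeconds < expiry ? Optional.of(payload.substring(0, bar)) : Optional.empty();
        } catch (IllegalArgumentException e) {            // malformed Base64 or expiry field
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed user store and signing key; a deployment would load both from configuration.
        byte[] salt = new byte[16], key = new byte[32];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); rng.nextBytes(key);
        Map<String, StoredCredential> store = new HashMap<>();
        store.put("admin", new StoredCredential(salt, pbkdf2("ofbiz".toCharArray(), salt)));
        BasicAuthUserLogin login = new BasicAuthUserLogin(store, key);
        long now = 1_700_000_000L;
        String token = login.authenticate("admin", "ofbiz".toCharArray(), now).orElseThrow();
        System.out.println("wrong password gets a token: " + login.authenticate("admin", "wrong".toCharArray(), now).isPresent());
        System.out.println("token before expiry: " + login.verify(token, now + 60));
        System.out.println("token after expiry:  " + login.verify(token, now + TOKEN_TTL_SECONDS));
        System.out.println("tampered token:      " + login.verify(token + "x", now + 60));
    }
}
```

Compile and run with javac and java (Java 11 or later, no dependencies beyond the JDK). The correct password yields a token that verify accepts until its expiry, while a wrong password, an expired token and a tampered signature all come back empty. The point relevant to the issue is structural rather than in any one line: the service's inputs are the credentials and a clock, its output is a token, and a Tomcat session has no way to appear because no servlet object is in reach. In OFBiz the same property would have to hold for the real basicAuthUserLogin service and for whatever token-issuing endpoint calls it; the service itself staying session-free is not enough if the surrounding request handler still touches request.getSession().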