[ https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17685195#comment-17685195 ]

Rohit Koushal edited comment on OFBIZ-12033 at 2/7/23 10:16 AM:
----------------------------------------------------------------

Thanks [~mbrohl],
{quote}What do you mean by the first solution
{quote}
It is more of the traditional Java way of writing APIs in JAX-RS. Once we 
add the rest-api plugin, we can write Java APIs within the package 
*org.apache.ofbiz.ws.rs.resources* inside any component. As an example, 
check out the AuthenticationResource.java class, which has a REST endpoint at 
/rest/auth/token.

Note that any component (I mean, whether it's part of the application, plugin, 
or framework) can contain these API resources, as long as they are part of the 
*org.apache.ofbiz.ws.rs.resources package*.
 


was (Author: rohit.koushal):
Thanks [~mbrohl],
{quote}What do you mean by the first solution
{quote}
It is more of the traditional Java way of writing APIs in JAX-RS. Once we 
add the rest-api plugin, we can write Java APIs within the package 
*org.apache.ofbiz.ws.rs.resources* inside any component. As an example, 
check out the AuthenticationResource.java class, which has a REST endpoint at 
/rest/auth/token.

Note that any component, whether it's part of the application, plugin, or 
framework, can contain these API resources, as long as they are part of the 
*org.apache.ofbiz.ws.rs.resources package*.
 

> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-12033.patch
>
>
> We're using userLogin service to 
> authenticate users before generating auth tokens for REST API and GraphQL 
> calls. However, we figured that a session is also getting created and 
> returned in response which is defeating the purpose of having an API in 
> place. Even though that session is not getting used anywhere when subsequent 
> calls are made using the token, we still think it is an extra session lying 
> around in Tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service 
> (basicAuthUserLogin) that would just do username/password matching and be 
> done with it without ever calling request.getSession(). This will ensure that 
> APIs are stateless and no session is generated.


