Re: [PROPOSAL] Separate login service for API calls

2020-09-30 Thread Girish Vasmatkar
I've created https://issues.apache.org/jira/browse/OFBIZ-12033 for the same. Thank you, all. Best, Girish HotWax Systems On Tue, Sep 29, 2020 at 1:39 PM Mridul Pathak wrote: > +1 > > Thanks. > Mridul Pathak > > On Tue, Sep 29, 2020 at 1:29 PM Michael Brohl > wrote: > > > +1 > > > > With an

Re: [PROPOSAL] Separate login service for API calls

2020-09-29 Thread Mridul Pathak
+1 Thanks. Mridul Pathak On Tue, Sep 29, 2020 at 1:29 PM Michael Brohl wrote: > +1 > > With an addition: we should do the implementation in a way that the > user/password matching is implemented only once and used in both login > methods (not just copy & paste into another method). > > It

Re: [PROPOSAL] Separate login service for API calls

2020-09-29 Thread Michael Brohl
+1 With an addition: we should do the implementation in a way that the user/password matching is implemented only once and used in both login methods (not just copy & paste into another method). It might take some refactoring to pull these parts out of the login event. Best regards, Michael

Re: [PROPOSAL] Separate login service for API calls

2020-09-29 Thread Jacopo Cappellato
+1 Jacopo On Sat, Sep 26, 2020 at 6:35 AM Girish Vasmatkar < girish.vasmat...@hotwaxsystems.com> wrote: > Hi > > I am using userLogin service to authenticate users before generating auth > tokens for REST API and GraphQL calls. However, I figured that a session is > also getting created and

Re: [PROPOSAL] Separate login service for API calls

2020-09-26 Thread Jacques Le Roux
+1 Jacques On 26/09/2020 at 13:56, Deepak Dixit wrote: Hi Girish, I think it's a good idea to use a separate login method for REST to avoid sessions. We have *userLogin* service that does the login related work, so we can have separate wrapper method for REST like LoginWorker.login() Kind

Re: [PROPOSAL] Separate login service for API calls

2020-09-26 Thread Gavin Mabie
You're right Jacques. SameSite=None exposes CSRF. Thanks for pointing that out. On Sat, Sep 26, 2020 at 10:34 AM Jacques Le Roux < jacques.le.r...@les7arts.com> wrote: > Thanks Gavin, > > I'd just note that in this case you are not protected from CSRF. > Fortunately the REST effort is only in

Re: [PROPOSAL] Separate login service for API calls

2020-09-26 Thread Deepak Dixit
Hi Girish, I think it's a good idea to use a separate login method for REST to avoid sessions. We have *userLogin* service that does the login related work, so we can have separate wrapper method for REST like LoginWorker.login() Kind Regards, Deepak Dixit On Sat, Sep 26, 2020 at 2:54 PM

Re: [PROPOSAL] Separate login service for API calls

2020-09-26 Thread Girish Vasmatkar
Hello I am not sure if we can talk about sessions when we're talking about REST. The REST implementation is mapping Resources with OFBiz services and the services are executing in a context using "userLogin" and that is all the REST implementation is doing. Extracting userLogin from token and

Re: [PROPOSAL] Separate login service for API calls

2020-09-26 Thread Jacques Le Roux
Thanks Gavin, I'd just note that in this case you are not protected from CSRF. Fortunately the REST effort is only in trunk. And, as explained in security.properties, in trunk we can use org.apache.ofbiz.security.CsrfDefenseStrategy in such case. Jacques Le 26/09/2020 à 07:38, Gavin Mabie a

Re: [PROPOSAL] Separate login service for API calls

2020-09-25 Thread Gavin Mabie
Sessions are extremely useful and even indispensable for an ERP system where statefulness is critical for audit trail purposes. Stateless requests don't care about transactions beyond the actual request/response. Besides, sessions are only problematic when a new session gets created for each REST