Minilang to Groovy: login-required tag questions

> Hi Devs,
>
> at the moment I am doing some Minilang to Groovy conversions (CategoryServices to be precise) and I found a simple method (getAssociatedProductsList), which set the tag „login-required“ to false.
> I then checked the service-definition of this method (which it had), and there it also sets the „auth“ tag to false.
> I tried to find, where these tags get checked in the Engine-Codes, specifically the serviceengine.xml, SimpleServiceEngine.java, ServiceEngine.java and SimpleMethod.java, but I cannot find for sure, where the authentication gets checked.
>
> The question for me is now: Is it necessary for the simple method to have the „login-required“ tag set to false, if the service definition set "auth" to false already?
> Where does this get checked and when?
> And of course: When the set of the „login-required“ tag in the simple-method is necessary, as well as the set „auth“ tag, how do I implement the „login-required=false“ in Groovy?
>
> Thanks in advance for your help
>
> Kind regards

> Hi Dennis,
>
> That's a good question! I just saw that you also put a comment in the
> current OFBIZ-10031 patch:
>
> // login-required tag?
>
> If we refer to the available documentation we have
>
> "Require a user login to run this method. Defaults to "true".
> Optional. Attribute type:  constant."
>
> and
>
> "If auth=false when you hit the request, even if you're not logged in,
> it will allow you to go through. If auth=true, when you hit the
> request if you're not logged in it will forward you over to the login
> page"
>
> The later comes from an old David's E. Jones document: the "Apache
> OFBiz Advanced Framework - Training Video Transcription"
>
> Here we have 2 options
>
> 1. We consider it simply as a service and then login-required is not
> needed. This is for instance what has been done for
>    getPartyAccountingPreferences in
> http://svn.apache.org/viewvc?view=revision&revision=1796731 There the
> default (login-required=true) was used
> 2. It seems redundant if you look at it from a service POV. But a
> simple method can also be used in another context and I guess that's
> why we have
>    this apparent redundancy. So we can do only 1 if it's only used as
> a service (I guess for a service implementation much of the time, if not
>    always) else we need to change the call (in other simple-method/s)
> to service call/s and then do 1.
>
> About
>
> >Where does this get checked and when?
>
> It's checked in SimpleMethod.exec(MethodContext methodContext) But
> given my proposition above it should not be needed to port this part.
>
> About auth=true when you are not in the context of an UI (jobs):
> runShoppingListAutoReorder shows that's then userLogin is supposed to
> be in context.
> I did not check but I guess, if auth=true, at this stage the service
> engine would have already rejected the call if the userLogin is not in
> the context.
>
> More thoughts are welcome.
>
> Jacques
>
> Le 05/01/2018 à 14:06, Dennis Balkir a écrit :
>> Hi Devs,
>>
>> at the moment I am doing some Minilang to Groovy conversions
>> (CategoryServices to be precise) and I found a simple method
>> (getAssociatedProductsList), which set the tag „login-required“ to
>> false.
>> I then checked the service-definition of this method (which it had),
>> and there it also sets the „auth“ tag to false.
>> I tried to find, where these tags get checked in the Engine-Codes,
>> specifically the serviceengine.xml, SimpleServiceEngine.java,
>> ServiceEngine.java and SimpleMethod.java, but I cannot find for sure,
>> where the authentication gets checked.
>>
>> The question for me is now: Is it necessary for the simple method to
>> have the „login-required“ tag set to false, if the service definition
>> set "auth" to false already?
>> Where does this get checked and when?
>> And of course: When the set of the „login-required“ tag in the
>> simple-method is necessary, as well as the set „auth“ tag, how do I
>> implement the „login-required=false“ in Groovy?
>>
>> Thanks in advance for your help
>>
>> Kind regards
>
>

> As simplify the permission management, I prefer to manage all >
> authentication access by the SOA. So only service will manage the >
> authentication.>
>
> So if you convert a minilang to groovy report the problematic to the >
> service definition related. Otherwise normally you haven't this problem >
> on groovy. Maybe I missed something, don't hesitate to send a patch with >
> the problem not solved for help my mind :)>
>
> Nicolas>
>
>
> On 22/01/2018 09:17, Jacques Le Roux wrote:>
> > Hi Dennis,>
> >>
> > That's a good question! I just saw that you also put a comment in the >
> > current OFBIZ-10031 patch:>
> >>
> > // login-required tag?>
> >>
> > If we refer to the available documentation we have>
> >>
> > "Require a user login to run this method. Defaults to "true". >
> > Optional. Attribute type:  constant.">
> >>
> > and>
> >>
> > "If auth=false when you hit the request, even if you're not logged in, >
> > it will allow you to go through. If auth=true, when you hit the >
> > request if you're not logged in it will forward you over to the login >
> > page">
> >>
> > The later comes from an old David's E. Jones document: the "Apache >
> > OFBiz Advanced Framework - Training Video Transcription">
> >>
> > Here we have 2 options>
> >>
> > 1. We consider it simply as a service and then login-required is not >
> > needed. This is for instance what has been done for>
> >    getPartyAccountingPreferences in >
> > http://svn.apache.org/viewvc?view=revision&revision=1796731 There the >
> > default (login-required=true) was used>
> > 2. It seems redundant if you look at it from a service POV. But a >
> > simple method can also be used in another context and I guess that's >
> > why we have>
> >    this apparent redundancy. So we can do only 1 if it's only used as >
> > a service (I guess for a service implementation much of the time, if not>
> >    always) else we need to change the call (in other simple-method/s) >
> > to service call/s and then do 1.>
> >>
> > About>
> >>
> > >Where does this get checked and when?>
> >>
> > It's checked in SimpleMethod.exec(MethodContext methodContext) But >
> > given my proposition above it should not be needed to port this part.>
> >>
> > About auth=true when you are not in the context of an UI (jobs): >
> > runShoppingListAutoReorder shows that's then userLogin is supposed to >
> > be in context.>
> > I did not check but I guess, if auth=true, at this stage the service >
> > engine would have already rejected the call if the userLogin is not in >
> > the context.>
> >>
> > More thoughts are welcome.>
> >>
> > Jacques>
> >>
> > Le 05/01/2018 à 14:06, Dennis Balkir a écrit :>
> >> Hi Devs,>
> >>>
> >> at the moment I am doing some Minilang to Groovy conversions >
> >> (CategoryServices to be precise) and I found a simple method >
> >> (getAssociatedProductsList), which set the tag „login-required“ to >
> >> false.>
> >> I then checked the service-definition of this method (which it had), >
> >> and there it also sets the „auth“ tag to false.>
> >> I tried to find, where these tags get checked in the Engine-Codes, >
> >> specifically the serviceengine.xml, SimpleServiceEngine.java, >
> >> ServiceEngine.java and SimpleMethod.java, but I cannot find for sure, >
> >> where the authentication gets checked.>
> >>>
> >> The question for me is now: Is it necessary for the simple method to >
> >> have the „login-required“ tag set to false, if the service definition >
> >> set "auth" to false already?>
> >> Where does this get checked and when?>
> >> And of course: When the set of the „login-required“ tag in the >
> >> simple-method is necessary, as well as the set „auth“ tag, how do I >
> >> implement the „login-required=false“ in Groovy?>
> >>>
> >> Thanks in advance for your help>
> >>>
> >> Kind regards>
> >>
> >>
>
>