Minilang to Groovy: login-required tag questions

Dennis Balkir
Hi Devs,

At the moment I am doing some Minilang to Groovy conversions (CategoryServices to be precise) and I found a simple method (getAssociatedProductsList) which sets the tag "login-required" to false.
I then checked the service definition of this method (which it had), and there it also sets the "auth" tag to false.
I tried to find where these tags get checked in the engine code, specifically the serviceengine.xml, SimpleServiceEngine.java, ServiceEngine.java and SimpleMethod.java, but I cannot find for sure where the authentication gets checked.

The question for me is now: Is it necessary for the simple method to have the "login-required" tag set to false, if the service definition sets "auth" to false already?
Where does this get checked and when?
And of course: if setting the "login-required" tag in the simple-method is necessary, as well as setting the "auth" tag, how do I implement "login-required=false" in Groovy?

Thanks in advance for your help

Kind regards
--
Dennis Balkir
Trainee

Fon +49 521 448 157-90
Fax +49 521 448 157-99

Company and Management Headquarters:
ecomify GmbH, Gustav-Winkler-Str. 22, 33699 Bielefeld, Deutschland
Fon: +49 521 448157-90, Fax: +49 521 448157-99, www.ecomify.de

Court Registration: Amtsgericht Bielefeld HRB 41683
Chief Executive Officer: Martin Becker, Michael Brohl

Re: Minilang to Groovy: login-required tag questions

Jacques Le Roux
Administrator
Hi Dennis,

That's a good question! I just saw that you also put a comment in the current OFBIZ-10031 patch:

// login-required tag?

If we refer to the available documentation we have

"Require a user login to run this method. Defaults to "true". Optional. Attribute type:  constant."

and

"If auth=false when you hit the request, even if you're not logged in, it will allow you to go through. If auth=true, when you hit the request if you're not logged in it will forward you over to the login page"

The latter comes from an old David E. Jones document: the "Apache OFBiz Advanced Framework - Training Video Transcription"

Here we have 2 options

 1. We consider it simply as a service and then login-required is not needed. This is for instance what has been done for getPartyAccountingPreferences in <http://svn.apache.org/viewvc?view=revision&revision=1796731>. There the default (login-required=true) was used.
 2. It seems redundant if you look at it from a service POV. But a simple method can also be used in another context and I guess that's why we have this apparent redundancy. So we can do only 1 if it's only used as a service (I guess for a service implementation much of the time, if not always) else we need to change the call (in other simple-method/s) to service call/s and then do 1.

About

> Where does this get checked and when?

It's checked in SimpleMethod.exec(MethodContext methodContext). But given my proposition above it should not be needed to port this part.

About auth=true when you are not in the context of a UI (jobs): runShoppingListAutoReorder shows that userLogin is then supposed to be in context.
I did not check but I guess, if auth=true, at this stage the service engine would have already rejected the call if the userLogin is not in the context.

More thoughts are welcome.

Jacques


Re: Minilang to Groovy: login-required tag questions

Nicolas Malin-2
To simplify the permission management, I prefer to manage all
authentication access by the SOA. So only the service will manage the
authentication.

So if you convert a minilang to groovy, report the problematic to the
related service definition. Otherwise you normally don't have this problem
in groovy. Maybe I missed something; don't hesitate to send a patch with
the problem not solved to help my mind :)

Nicolas



Re: Minilang to Groovy: login-required tag questions

Dennis Balkir
Thanks to both of you, this actually helped me to understand this a bit further.
Since this method has the auth-tag set in the service description, I will let the service do the authentication, just as you suggested.




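The check this thread converges on, as an added example that is not from any poster or from the OFBiz code base: before login-required is dropped in a Minilang to Groovy port, compare it with the service definition's auth and find simple methods still reached through call-simple-method. The XML is constructed sample data; the finding names, the exampleUpdate, exampleRead and exampleHelper methods, and treating a missing auth attribute as "false" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not taken from the OFBiz code base); namespaces omitted.
SERVICES_XML = """<services>
  <service name="getAssociatedProductsList" engine="simple" invoke="getAssociatedProductsList" auth="false"/>
  <service name="exampleUpdate" engine="simple" invoke="exampleUpdate" auth="false"/>
  <service name="exampleRead" engine="simple" invoke="exampleRead" auth="true"/>
</services>"""

SIMPLE_METHODS_XML = """<simple-methods>
  <simple-method method-name="getAssociatedProductsList" login-required="false"/>
  <simple-method method-name="exampleUpdate"/>
  <simple-method method-name="exampleRead">
    <call-simple-method method-name="exampleHelper"/>
  </simple-method>
  <simple-method method-name="exampleHelper"/>
</simple-methods>"""

def local(tag):
    """Strip an XML namespace prefix: '{uri}service' -> 'service'."""
    return tag.rsplit("}", 1)[-1]

def audit(services_xml, methods_xml):
    """Return {method-name: [findings]} for methods that need attention before porting."""
    # Assumption: a missing auth attribute is treated as auth="false".
    auth = {s.get("invoke"): s.get("auth", "false") == "true"
            for s in ET.fromstring(services_xml).iter()
            if local(s.tag) == "service" and s.get("engine") == "simple"}
    methods = [m for m in ET.fromstring(methods_xml).iter()
               if local(m.tag) == "simple-method"]
    # Methods reached through <call-simple-method> never pass the service's auth check.
    called = {c.get("method-name") for m in methods for c in m.iter()
              if local(c.tag) == "call-simple-method"}
    report = {}
    for m in methods:
        name = m.get("method-name")
        # login-required defaults to "true" per the documentation quoted in the thread.
        login_required = m.get("login-required", "true") == "true"
        findings = []
        if name not in auth:
            findings.append("no-service-definition")
        elif login_required and not auth[name]:
            # Dropping login-required here would remove the only login check.
            findings.append("service-auth-weaker")
        if name in called:
            findings.append("called-directly")
        if findings:
            report[name] = findings
    return report
```

Calling `audit(SERVICES_XML, SIMPLE_METHODS_XML)` leaves getAssociatedProductsList out of the report, since both of its settings are false, and flags exampleUpdate and exampleHelper.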