[jira] [Commented] (OFBIZ-12033) Separate login service for API calls



Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303327#comment-17303327 ]

Girish Vasmatkar commented on OFBIZ-12033:
------------------------------------------

Hi [~mbrohl]: Yes, the bearer auth and basic auth are already working, but they are using the existing OFBiz login service to authenticate the user. There is no issue as such, but the existing service is also doing other stuff related to the session that we do not need for REST, hence I had created this ticket - to write a separate login service that just gets the username and password from the headers and then just compares username/password without creating any session.

I am yet to work on that separate service. Please let me know what you think of this.


> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Girish Vasmatkar
>            Priority: Minor
>
> We're using the userLogin service to authenticate users before generating auth tokens for REST API and GraphQL calls. However, we figured that a session is also getting created and returned in the response, which is defeating the purpose of having an API in place. Even though that session is not getting used anywhere when subsequent calls are made using the token, we still think it is an extra session lying around in Tomcat's session cache.
>
> The proposal is to implement a new basic userLogin service (basicAuthUserLogin) that would just do username/password matching and be done with it without ever calling request.getSession(). This will ensure that APIs are stateless and no session is generated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
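An added example, not OFBiz code and not from the ticket, of the stateless check the proposal describes: parse the HTTP Basic Authorization header, compare the credentials against a stored hash, and return a result without ever touching request.getSession(). The class name, the in-memory map and the plain SHA-256 stand-in for a real salted password hash are assumptions; in OFBiz the lookup would go against the UserLogin entity.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

/** Stateless credential check for API calls. It never creates or consults an HttpSession,
 *  which is the property the proposed basicAuthUserLogin service is meant to have. */
public final class BasicAuthCheck {

    /** Assumed stand-in for the UserLogin lookup: userLoginId -> stored password hash. */
    private final Map<String, byte[]> storedHashes;

    public BasicAuthCheck(Map<String, byte[]> storedHashes) {
        this.storedHashes = storedHashes;
    }

    /** Returns the userLoginId on success, empty on any failure (missing or malformed header,
     *  unknown user, wrong password). Nothing here touches a session. */
    public Optional<String> authenticate(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) {
            return Optional.empty();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {
            return Optional.empty(); // no "user:password" shape; split on the first ':' only
        }
        String user = decoded.substring(0, colon);
        byte[] actual = sha256(decoded.substring(colon + 1));
        byte[] expected = storedHashes.get(user);
        // Constant-time compare; compare against a dummy hash for unknown users so the
        // response time does not reveal which userLoginIds exist.
        boolean match = MessageDigest.isEqual(expected != null ? expected : sha256(""), actual);
        return (match && expected != null) ? Optional.of(user) : Optional.empty();
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample store: user "admin" with password "ofbiz".
        BasicAuthCheck check = new BasicAuthCheck(Map.of("admin", sha256("ofbiz")));
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("admin:ofbiz".getBytes(StandardCharsets.UTF_8));
        System.out.println(check.authenticate(header));
        System.out.println(check.authenticate("Basic xxxx"));
    }
}
```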