Posted to notifications@ofbiz.apache.org by "Michael Brohl (Jira)" <ji...@apache.org> on 2021/12/01 17:09:00 UTC

[jira] [Comment Edited] (OFBIZ-12033) Separate login service for API calls

    [ https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310295#comment-17310295 ] 

Michael Brohl edited comment on OFBIZ-12033 at 12/1/21, 5:08 PM:
-----------------------------------------------------------------

Thanks [~gvasmatkar] ,

I have the following idea to enhance the REST API to support endpoint authorization (permission to use an endpoint/API set).

We can enhance the API DSL with an optional "securityGroup" attribute in both "resource" and "operation". If it is set on the "resource" level, which also specifies the endpoint, it will also be used for the "operation" level unless it is set there as well.

Example:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<api publish="false" description="Product Information Management API" displayName="PIM API" name="PIM" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/rest-api.xsd">
    <resource description="APIs related to Product and related entities" displayName="Product Resource" name="Product Resource" 
        path="/products" auth="true" securityGroup="PIM-USER">
        <!-- this will use the securityGroup PIM-USER -->
        <operation verb="post" description="Creates a product.">
            <service name="createProduct"/>
        </operation>
 
        <!-- this will use the securityGroup PIM-ADMIN -->
        <operation verb="delete" path="/{productId}" description="Deletes a product based on productId."
            securityGroup="PIM-ADMIN" >
            <service name="deleteProduct"/>
        </operation>
    </resource>
</api>
{code}
This will allow a user with securityGroup "PIM-USER" to create a product but not to delete one if he is not in securityGroup "PIM-ADMIN".

What do you think?

If you haven't already implemented the separate login service, I would do it together with this proposal and provide a PR for this.

OK?

Edit: just thinking about having this on the "api" level as well, will rework this comment soon.


was (Author: mbrohl):
Thanks [~gvasmatkar] ,

I have the following idea to enhance the REST API to support endpoint authorization (permission to use an endpoint/API set).

We can enhance the API DSL with an optional "securityGroup" attribute in both "resource" and "operation". If it is set on the "resource" level, which also specifies the endpoint, it will also be used for the "operation" level unless it is set there as well.

Example:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<api publish="false" description="Product Information Management API" displayName="PIM API" name="PIM" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/rest-api.xsd">
    <resource description="APIs related to Product and related entities" displayName="Product Resource" name="Product Resource" 
        path="/products" auth="true" securityGroup="PIM-USER">
        <!-- this will use the securityGroup PIM-USER -->
        <operation verb="post" description="Creates a product.">
            <service name="createProduct"/>
        </operation>
 
        <!-- this will use the securityGroup PIM-ADMIN -->
        <operation verb="delete" path="/{productId}" description="Deletes a product based on productId."
            securityGroup="PIM-USER" >
            <service name="deleteProduct"/>
        </operation>
    </resource>
</api>
{code}
This will allow a user with securityGroup "PIM-USER" to create a product but not to delete one if he is not in securityGroup "PIM-ADMIN".

What do you think?

If you haven't already implemented the separate login service, I would do it together with this proposal and provide a PR for this.

OK?

Edit: just thinking about having this on the "api" level as well, will rework this comment soon.
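The following is an added illustration of the inheritance rule proposed in the comment above; it is not code from OFBiz or from the comment's author. It parses a constructed sample of the proposed DSL, resolves the effective securityGroup per operation (operation overrides resource), and answers an authorization question for a caller whose security-group memberships are assumed to have been loaded already. The fall-through to an "api"-level securityGroup is an assumption based on the "Edit:" note, not part of the proposal as written; the function names and the sample XML are likewise invented for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the proposed DSL (not a project file).
# The GET operation carries no securityGroup, so it inherits PIM-USER from
# the resource; DELETE overrides it with PIM-ADMIN.
API_XML = """
<api publish="false" name="PIM" displayName="PIM API"
     description="Product Information Management API">
    <resource name="Product Resource" displayName="Product Resource"
              path="/products" auth="true" securityGroup="PIM-USER">
        <operation verb="post" description="Creates a product.">
            <service name="createProduct"/>
        </operation>
        <operation verb="delete" path="/{productId}" description="Deletes a product."
                   securityGroup="PIM-ADMIN">
            <service name="deleteProduct"/>
        </operation>
        <operation verb="get" path="/{productId}" description="Reads a product.">
            <service name="getProduct"/>
        </operation>
    </resource>
</api>
"""


def effective_security_group(api_el, resource_el, operation_el):
    """Resolve the group protecting one operation.

    Precedence follows the proposal: operation-level wins, otherwise the
    resource-level value applies. Falling through to the api element is an
    assumed extension (the comment only mentions it as an idea)."""
    for el in (operation_el, resource_el, api_el):
        group = el.get("securityGroup")
        if group:
            return group
    return None


def load_operations(xml_text):
    """Flatten the DSL into one record per operation with its effective group."""
    api_el = ET.fromstring(xml_text)
    operations = []
    for resource_el in api_el.findall("resource"):
        for op_el in resource_el.findall("operation"):
            operations.append({
                "verb": op_el.get("verb", "").upper(),
                "path": resource_el.get("path", "") + op_el.get("path", ""),
                "auth": resource_el.get("auth", "false").lower() == "true",
                "securityGroup": effective_security_group(api_el, resource_el, op_el),
                "service": op_el.find("service").get("name"),
            })
    return operations


def path_matches(template, path):
    """Match '/products/{productId}' against '/products/10000' segment by segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all((t.startswith("{") and t.endswith("}")) or t == p
               for t, p in zip(t_parts, p_parts))


def find_operation(operations, verb, path):
    """Return the first operation whose verb and path template match the request."""
    for op in operations:
        if op["verb"] == verb.upper() and path_matches(op["path"], path):
            return op
    return None


def authorize(operations, verb, path, user_groups, authenticated=True):
    """Decide (allowed, reason) for a request; unknown endpoints are denied.

    user_groups is the set of securityGroup ids the caller belongs to,
    assumed to have been looked up when the auth token was validated."""
    op = find_operation(operations, verb, path)
    if op is None:
        return False, "no such endpoint"
    if op["auth"] and not authenticated:
        return False, "authentication required"
    group = op["securityGroup"]
    if group is None:
        return True, "no securityGroup restriction"
    if group in user_groups:
        return True, "member of " + group
    return False, "requires securityGroup " + group


if __name__ == "__main__":
    ops = load_operations(API_XML)
    for verb, path, groups in [("post", "/products", {"PIM-USER"}),
                               ("delete", "/products/10000", {"PIM-USER"}),
                               ("delete", "/products/10000", {"PIM-ADMIN"})]:
        print(verb.upper(), path, sorted(groups), "->", authorize(ops, verb, path, groups))
```

Note that membership is checked literally against the resolved group: a caller in PIM-ADMIN only can delete but not create, because the proposal as written does not define any group hierarchy. If PIM-ADMIN is meant to imply PIM-USER, that would have to be expressed either in the DSL or in the group lookup.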

> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Michael Brohl
>            Priority: Minor
>
> We're using userLogin service to authenticate users before generating auth tokens for REST API and GraphQL calls. However, we figured that a session is also getting created and returned in response which is defeating the purpose of having an API in place. Even though that session is not getting used anywhere when subsequent calls are made using the token, we still think it is an extra session lying around in tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service (basicAuthUserLogin) that would just do username/password matching and be done with it without ever calling request.getSession(). This will ensure that APIs are stateless and no session is generated.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)