You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Girish Vasmatkar (Jira)" <ji...@apache.org> on 2020/09/30 06:24:00 UTC

[jira] [Created] (OFBIZ-12033) Separate login service for API calls

Girish Vasmatkar created OFBIZ-12033:
----------------------------------------

             Summary: Separate login service for API calls
                 Key: OFBIZ-12033
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
             Project: OFBiz
          Issue Type: Sub-task
          Components: ALL COMPONENTS
            Reporter: Girish Vasmatkar


We're using {color:#2a00ff}userLogin {color}{color:#000000}service to authenticate users before generating auth tokens for REST API and GraphQL calls. However, we figured that a session is also getting created and returned in response which is defeating the purpose of having an API in place. Even though that session is not getting used anywhere when subsequent calls are made using the token, we still think it is an extra session lying around in tomcat's session cache. {color}
{color:#000000} {color}
{color:#000000}Proposal is to implement a new basic userLogin service (basicAuthUserLogin) that would just do username/password matching and be done with it without ever calling request.getSession(). This will ensure that APIs are stateless and no session is generated.{color}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)