As simplify the permission management, I prefer to manage all
authentication access by the SOA. So only service will manage the
authentication.
So if you convert a minilang to groovy report the problematic to the
service definition related. Otherwise normally you haven't this problem
on groovy. Maybe I missed something, don't hesitate to send a patch with
the problem not solved for help my mind :)
Nicolas
On 22/01/2018 09:17, Jacques Le Roux wrote:
Hi Dennis,
That's a good question! I just saw that you also put a comment in the
current OFBIZ-10031 patch:
// login-required tag?
If we refer to the available documentation we have
"Require a user login to run this method. Defaults to "true".
Optional. Attribute type: constant."
and
"If auth=false when you hit the request, even if you're not logged in,
it will allow you to go through. If auth=true, when you hit the
request if you're not logged in it will forward you over to the login
page"
The later comes from an old David's E. Jones document: the "Apache
OFBiz Advanced Framework - Training Video Transcription"
Here we have 2 options
1. We consider it simply as a service and then login-required is not
needed. This is for instance what has been done for
getPartyAccountingPreferences in
http://svn.apache.org/viewvc?view=revision&revision=1796731 There the
default (login-required=true) was used
2. It seems redundant if you look at it from a service POV. But a
simple method can also be used in another context and I guess that's
why we have
this apparent redundancy. So we can do only 1 if it's only used as
a service (I guess for a service implementation much of the time, if not
always) else we need to change the call (in other simple-method/s)
to service call/s and then do 1.
About
>Where does this get checked and when?
It's checked in SimpleMethod.exec(MethodContext methodContext) But
given my proposition above it should not be needed to port this part.
About auth=true when you are not in the context of an UI (jobs):
runShoppingListAutoReorder shows that's then userLogin is supposed to
be in context.
I did not check but I guess, if auth=true, at this stage the service
engine would have already rejected the call if the userLogin is not in
the context.
More thoughts are welcome.
Jacques
Le 05/01/2018 à 14:06, Dennis Balkir a écrit :
Hi Devs,
at the moment I am doing some Minilang to Groovy conversions
(CategoryServices to be precise) and I found a simple method
(getAssociatedProductsList), which set the tag „login-required“ to
false.
I then checked the service-definition of this method (which it had),
and there it also sets the „auth“ tag to false.
I tried to find, where these tags get checked in the Engine-Codes,
specifically the serviceengine.xml, SimpleServiceEngine.java,
ServiceEngine.java and SimpleMethod.java, but I cannot find for sure,
where the authentication gets checked.
The question for me is now: Is it necessary for the simple method to
have the „login-required“ tag set to false, if the service definition
set "auth" to false already?
Where does this get checked and when?
And of course: When the set of the „login-required“ tag in the
simple-method is necessary, as well as the set „auth“ tag, how do I
implement the „login-required=false“ in Groovy?
Thanks in advance for your help
Kind regards