[ 
https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17685079#comment-17685079
 ] 

Rohit Koushal edited comment on OFBIZ-12033 at 2/7/23 7:01 AM:
---------------------------------------------------------------

Hey [~mbrohl] and [~gvasmatkar] 

In my analysis, I found that the reason for session creation during the 
"userLogin" service call is due to the use of UtilHttp.getLocale(httpRequest) 
in HttpBasicAuthFilter.java to pass locale information. The implementation can 
be seen below.


{code:java}
public static Locale getLocale(HttpServletRequest request) {
    if (request == null) {
        return Locale.getDefault();
    }
    // request.getSession() creates a new session when none exists
    return getLocale(request, request.getSession(), null);
}
{code}


So the cause of the issue is not the "userLogin" service, but the context 
preparation part.

Here is the patch that will fix the session creation problem 
[^OFBIZ-12033.patch]

 

*Asking for information purposes only.*

While reviewing the implementation of the REST component, I discovered that it 
primarily focuses on exposing OFBiz services for REST calls. But what if a 
service takes a complex object, such as a user-defined class (e.g. 
GenericValue)? In that case, it may be necessary to define data mappers or do 
we have a better solution?

 

Additionally, I discovered three methods for creating APIs with the existing 
code, but I couldn't find any documentation or examples for two of them. Do we 
have documents that I am missing?

The three methods I found are:
 * Using a Java Resource

 * Using rest.xml

 * Exposing a Service as an API (documented in the READMe.doc file)

Thanks!!

 


> Separate login service for API calls
> ------------------------------------
>
>                 Key: OFBIZ-12033
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12033
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>            Reporter: Girish Vasmatkar
>            Assignee: Michael Brohl
>            Priority: Minor
>         Attachments: OFBIZ-12033.patch
>
>
> We're using userLogin service to authenticate users before generating auth 
> tokens for REST API and GraphQL calls. However, we figured that a session is 
> also getting created and returned in response which is defeating the purpose 
> of having an API in place. Even though that session is not getting used 
> anywhere when subsequent calls are made using the token, we still think it is 
> an extra session lying around in Tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service 
> (basicAuthUserLogin) that would just do username/password matching and be 
> done with it without ever calling request.getSession(). This will ensure that 
> APIs are stateless and no session is generated.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
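
Added example, not OFBiz code and not the attached OFBIZ-12033.patch: a session-free counterpart of the getLocale(request) call quoted in the comment, plus a servlet filter that reports any session created while a stateless API request is handled. The class name, the resolveLocale method, the "locale" session attribute key and the javax.servlet namespace are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical class for illustration; assumes the javax.servlet API.
public class StatelessApiGuardFilter implements Filter {

    // Resolves a locale without ever allocating a session.
    public static Locale resolveLocale(HttpServletRequest request) {
        if (request == null) {
            return Locale.getDefault();
        }
        // getSession(false) returns null instead of creating a session.
        HttpSession session = request.getSession(false);
        Object stored = session != null ? session.getAttribute("locale") : null; // key is an assumption
        if (stored instanceof Locale) {
            return (Locale) stored;
        }
        return request.getLocale(); // Accept-Language, else the container default
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        boolean hadSession = request.getSession(false) != null;
        try {
            chain.doFilter(req, res);
        } finally {
            // Any downstream getSession() call on a session-less request shows up here.
            HttpSession created = hadSession ? null : request.getSession(false);
            if (created != null) {
                request.getServletContext().log("Session created during stateless call: "
                        + request.getRequestURI());
                created.invalidate(); // free it rather than leave it in the session cache
            }
        }
    }

    @Override
    public void destroy() { }
}
```

The filter only reports and cleans up after the fact; a Set-Cookie header may already have been sent, so the log line is the signal to find and remove the getSession() call itself.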
