[ https://issues.apache.org/jira/browse/OFBIZ-12033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rohit Koushal updated OFBIZ-12033:
----------------------------------
    Attachment: OFBIZ-12033.patch

> Separate login service for API calls
> ------------------------------------
>
> Key: OFBIZ-12033
> URL: https://issues.apache.org/jira/browse/OFBIZ-12033
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Reporter: Girish Vasmatkar
> Assignee: Michael Brohl
> Priority: Minor
> Attachments: OFBIZ-12033.patch
>
>
> We're using userLogin service to authenticate users before generating auth tokens for REST API and GraphQL calls. However, we figured that a session is also getting created and returned in response which is defeating the purpose of having an API in place. Even though that session is not getting used anywhere when subsequent calls are made using the token, we still think it is an extra session lying around in tomcat's session cache.
>
> Proposal is to implement a new basic userLogin service (basicAuthUserLogin) that would just do username/password matching and be done with it without ever calling request.getSession(). This will ensure that APIs are stateless and no session is generated.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
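One way to enforce the "no session on API calls" property described in the issue is a servlet filter that refuses session creation for API requests. This is an added example, not code from OFBiz or from the attached patch. The class name `StatelessApiFilter` is hypothetical, the `javax.servlet` namespace is an assumption (newer containers use `jakarta.servlet`), and the filter is assumed to be mapped only to the token-authenticated API URL patterns.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Hypothetical guard: token-authenticated API requests must never create an HttpSession. */
public class StatelessApiFilter implements Filter {

    /** Wrapper that hands back an existing session if asked, but refuses to create one. */
    private static final class NoSessionRequest extends HttpServletRequestWrapper {
        NoSessionRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public HttpSession getSession() {
            // The no-argument form means "create if absent", so route it through the check.
            return getSession(true);
        }

        @Override
        public HttpSession getSession(boolean create) {
            if (create) {
                // Fail loudly so the code path that asked for a session shows up in tests.
                throw new IllegalStateException(
                        "Session creation is disabled for API request " + getRequestURI());
            }
            return super.getSession(false);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (login service, handlers) sees only the wrapped request.
        chain.doFilter(new NoSessionRequest((HttpServletRequest) req), res);
    }

    @Override
    public void destroy() { }
}
```

The guard only covers code that receives the wrapped request; anything that holds a reference to the original request object can still call `getSession()`, so checking that API responses carry no session cookie remains a useful complementary test.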