Hi,
In my public API I need to register users with the customer role and add rows in other related entities (CustomerEntity, WebsiteInfoEntity and such…).
How is that supposed to happen?
Do I need to handle the above entirely with the anonymous user?
I assume that from this point on, I will work with his user and password?
But what happened during the registration?
If you want to perform some actions on behalf of the system, you can use a middleware service and perform all operations under the system session. Anonymous should not be used, since anonymous is usually a restricted user for anonymous access, e.g. the login window or REST-API calls.
Create a custom middleware service RegistrationService with your register() method.
Use com.haulmont.cuba.security.app.Authentication bean and its withSystemUser method:
    @Inject
    protected Authentication authentication;
    ...
    authentication.withSystemUser(() -> {
        // register user here, create entities and so on
        return null; // the operation passed to withSystemUser must return a value
    });
Call your middleware service from LoginWindow or from a REST-API endpoint. Probably, in the case of a public REST-API, you will need an additional captcha check in the Spring MVC controller to prevent spam.
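A fuller sketch of the approach described in the answer above, added here as an example; it is not code from the thread or from the CUBA project. The service name, the role name "customer", the group name "Customers" and the input limits are assumptions. The privileged part takes only a login and a password from the caller, and role and group are fixed on the server:

```java
import com.haulmont.cuba.core.entity.Entity;
import com.haulmont.cuba.core.global.*;
import com.haulmont.cuba.security.app.Authentication;
import com.haulmont.cuba.security.entity.*;
import org.springframework.stereotype.Service;
import javax.inject.Inject;
// Hypothetical service interface (normally declared in the global module).
interface RegistrationService {
    String NAME = "demo_RegistrationService";
    boolean register(String login, String password);
}
@Service(RegistrationService.NAME)
public class RegistrationServiceBean implements RegistrationService {
    // Assumed names, fixed on the server: the caller never chooses role or group.
    private static final String ROLE = "customer", GROUP = "Customers";
    @Inject protected Authentication authentication;
    @Inject protected DataManager dataManager;
    @Inject protected Metadata metadata;
    @Inject protected PasswordEncryption passwordEncryption;

    @Override
    public boolean register(String login, String password) {
        // Reject malformed input before entering the system session (limits are constructed).
        if (login == null || !login.matches("[A-Za-z0-9._@-]{3,50}")
                || password == null || password.length() < 10) {
            return false;
        }
        return authentication.withSystemUser(() -> {
            if (find(User.class, "select u from sec$User u where u.loginLowerCase = :v",
                    login.toLowerCase()) != null) return false; // login already taken
            Role role = find(Role.class, "select r from sec$Role r where r.name = :v", ROLE);
            Group group = find(Group.class, "select g from sec$Group g where g.name = :v", GROUP);
            if (role == null || group == null) throw new IllegalStateException("role or group missing");
            User user = metadata.create(User.class);
            user.setLogin(login);
            user.setGroup(group);
            user.setPassword(passwordEncryption.getPasswordHash(user.getId(), password));
            UserRole userRole = metadata.create(UserRole.class);
            userRole.setUser(user);
            userRole.setRole(role);
            // CustomerEntity, WebsiteInfoEntity and similar rows join the same CommitContext.
            dataManager.commit(new CommitContext(user, userRole));
            return true;
        });
    }
    private <E extends Entity> E find(Class<E> type, String jpql, String value) {
        return dataManager.load(LoadContext.create(type)
                .setQuery(LoadContext.createQuery(jpql).setParameter("v", value)));
    }
}
```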
But, in my website, when I call RegistrationService.register() I need to identify as someone, or else I will get an exception for trying to invoke a service without a session.
Or what you are saying is that RegistrationService.register() should be unsecured, and inside I will impersonate the system user? If so, why not do that also when logging in?