CMIS Workbench with cookies enabled logs into Nuxeo every time
Using CMIS Workbench 0.10.0 with various bindings and cookies enabled, I see a “Login Success” entry in the Nuxeo audit trail for every CMIS operation performed. I expected to see only one for the initial login. Thoughts?
This is by design, the CMIS endpoint is not designated as stateful so does not generate a (needless) HTTP session which does not create a JSESSIONID cookie.
Edit: it's possible to make an endpoint use a stateful HTTP session and therefore a cookie through some config. To do that, the
<authenticationPlugin> of the
authenticators extension point defining the authentication for the given URL pattern must include
<stateful>true</stateful>. This is done for instance here. Compare this with the standard binding for the browser binding endpoint here.
I can think of lots of cases where it would be useful to pin a CMIS client to a particular server-side cluster node to optimize authentication and leverage server-side caching. For example, say I would to download the content of all the documents in a folder. I might like the server performing the getChildren operation to also perform the getContentStream for each child so as to leverage the server-side getChildren cache.