ofbiz-user mailing list archives

From David E Jones <d...@me.com>
Subject Re: Calling service remotely - security concern
Date Thu, 01 Jul 2010 08:23:17 GMT

I believe I addressed that in my original response.

-David


On Jul 1, 2010, at 2:21 AM, Scott Gray wrote:

> I think Muhammed's point is that once a user has authenticated using their own username/password,
> it is possible that they could retrieve another user's UserLogin record and then use it to
> execute services without needing to know that user's password.
> 
> Regards
> Scott
> 
> HotWax Media
> http://www.hotwaxmedia.com
> 
> On 1/07/2010, at 7:58 PM, Jacques Le Roux wrote:
> 
>> In your example you needed 1st to know the login/pwd couple. So I can't see the problem
>> here.
>> 
>> Jacques
>> 
>> From: "Muhammed Aamir" <mail@aamir.pk>
>>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>>> by default 1) login.username 2) login.password and 3) loginUser.
>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>> loginUser GV (which he somehow got hold of, maybe by invoking getRelated
>>>>> sort of method on some other GV) which might not belong to her.
>> 
>> Sent from my iPhone
>> 
>> On Jul 1, 2010, at 1:42, David E Jones <dejc@me.com> wrote:
>> 
>>>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>>>> by default 1) login.username 2) login.password and 3) loginUser.
>>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>>> loginUser GV (which he somehow got hold of, maybe by invoking getRelated
>>>>>> sort of method on some other GV) which might not belong to her.
>> 
>> 
> 


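The concern Scott and Muhammed describe is that the caller-supplied `loginUser`/`userLogin` value can name a different user than the one whose `login.username`/`login.password` were verified. The following is an added illustration (constructed Python, not OFBiz code) of that weak binding beside a checked one in which the authenticated identity always wins; the user store, `UserLogin` stand-in and both `resolve_user_login_*` functions are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user store: userLoginId -> sha256 hex of the password (example only).
USERS = {
    "alice": hashlib.sha256(b"alice-secret").hexdigest(),
    "bob": hashlib.sha256(b"bob-secret").hexdigest(),
}


@dataclass(frozen=True)
class UserLogin:
    """Stand-in for a UserLogin GenericValue (hypothetical, constructed)."""
    user_login_id: str


def authenticate(username: str, password: str) -> Optional[UserLogin]:
    """Verify login.username / login.password against the constructed store."""
    stored = USERS.get(username)
    if stored is None:
        return None
    given = hashlib.sha256(password.encode()).hexdigest()
    return UserLogin(username) if hmac.compare_digest(stored, given) else None


def resolve_user_login_trusting(ctx: dict) -> UserLogin:
    """Weak binding: credentials are checked, but whatever userLogin the caller
    passed is then used as the acting identity, so alice can act as bob."""
    auth = authenticate(ctx.get("login.username", ""), ctx.get("login.password", ""))
    if auth is None:
        raise PermissionError("authentication failed")
    return ctx.get("userLogin") or auth


def resolve_user_login_checked(ctx: dict) -> UserLogin:
    """Checked binding: the identity derived from the verified credentials is the
    only one used; a supplied userLogin for another user is rejected, not trusted."""
    auth = authenticate(ctx.get("login.username", ""), ctx.get("login.password", ""))
    if auth is None:
        raise PermissionError("authentication failed")
    supplied = ctx.get("userLogin")
    if supplied is not None and supplied.user_login_id != auth.user_login_id:
        raise PermissionError("supplied userLogin does not match authenticated user")
    return auth
```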