ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: Calling service remotely - security concern
Date Thu, 01 Jul 2010 07:58:30 GMT
In your example you needed 1st to know the login/pwd couple. So I can't see the problem here.

Jacques

From: "Muhammed Aamir" <mail@aamir.pk>
>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>> by default 1) login.username 2) login.password and 3) loginUser.
>>> 
>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>> my understanding is wrong). Any user (calling service remotely) can pass
>>> loginUser GV (which he somehow got hold of, maybe by invoking getRelated
>>> sort of method on some other GV) which might not belong to her.

Sent from my iPhone

On Jul 1, 2010, at 1:42, David E Jones <dejc@me.com> wrote:

>>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>>> by default 1) login.username 2) login.password and 3) loginUser.
>>>> 
>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>> loginUser GV (which he somehow got hold of, maybe by invoking getRelated
>>>> sort of method on some other GV) which might not belong to her.


