ofbiz-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Scott Gray <scott.g...@hotwaxmedia.com>
Subject Re: Calling service remotely - security concern
Date Thu, 01 Jul 2010 08:21:11 GMT
I think Muhammed's point is that once a user has authenticated using their own username/password,
it is possible that they could retrieve another user's UserLogin record and then use it to
execute services without needing to know that user's password.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 1/07/2010, at 7:58 PM, Jacques Le Roux wrote:

> In your example you needed 1st to know the login/pwd couple. So I can't see the problem
here.
> 
> Jacques
> 
> From: "Muhammed Aamir" <mail@aamir.pk>
>>>> All service where auth="true" take at least three  IN (or INOUT) parameters
>>>> by deffault 1) login.username 2) login.password and 3) loginUser.
>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat (or
>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>> loginUser GV (which he some how got hold of, may be by invoking getRelated
>>>> sort of method on some other GV) which might not belong to her.
> 
> Sent from my iPhone
> 
> On Jul 1, 2010, at 1:42, David E Jones <dejc@me.com> wrote:
> 
>>>>> All service where auth="true" take at least three  IN (or INOUT) parameters
>>>>> by deffault 1) login.username 2) login.password and 3) loginUser.
>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat
(or
>>>>> my understanding is wrong). Any user (calling service remotely) can pass
>>>>> loginUser GV (which he some how got hold of, may be by invoking getRelated
>>>>> sort of method on some other GV) which might not belong to her.
> 
> 


Mime
View raw message