From: pprice
To: user@ofbiz.apache.org
Date: Mon, 20 Oct 2014 17:47:28 -0700 (PDT)
Message-ID: <1413852448921-4657131.post@n4.nabble.com>
Subject: AJAX is unsecure. auth="true" not honored on controller.
We've been playing with the Practice application that can be downloaded from here and we noticed that if you perform the request to create a user from a non-authenticated client, the Person record is still created. The relevant entry from the controller.xml looks like:

The check is honored in that the request returns the HTML for the login page, but the createPracticePerson service is still invoked and the Person record is created.

I am still new to OFBiz, but this is not what I would expect to happen. Please help me understand what incorrect assumptions I am making and how to secure an AJAX request like this.

Thanks!

--
View this message in context: http://ofbiz.135035.n4.nabble.com/AJAX-is-unsecure-auth-true-not-honored-on-controller-tp4657131.html
Sent from the OFBiz - User mailing list archive at Nabble.com.