[ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414607#comment-13414607 ]
Jacques Le Roux commented on OFBIZ-4956:
----------------------------------------
Hi Amardeep,
Did not review anything yet (just a glance). Did you check them one by one? Did
you think about reasons those requests could not need to use auth, or even
should not need it?
> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
> Key: OFBIZ-4956
> URL: https://issues.apache.org/jira/browse/OFBIZ-4956
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Reporter: Amardeep Singh Jhajj
> Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk,
> Release Branch 12.04
>
> Attachments: OFBIZ-4956-Release-10.04.patch,
> OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some URLs present in application components with
> auth="false". So anyone can hit these URLs and can access any resources
> without authorization.
> For example:
> https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any
> resource by changing the dataResourceId). I think all the URLs should be
> secure with auth="true" and https="true" in all the application components.