All service where auth="true" take at least three IN (or INOUT) parameters by deffault 1) login.username 2) login.password and 3) loginUser.
No. 1 and 2 definitely make sense. However 3 might be a security threat (or my understanding is wrong). Any user (calling service remotely) can pass loginUser GV (which he some how got hold of, may be by invoking getRelated sort of method on some other GV) which might not belong to her. Regards
