One quick point: it's userLogin, not loginUser.

Take a look at the service engine code. You'll see that even if you pass in the
userLogin GenericValue object, the username/password are verified; it isn't just
accepted as pre-authenticated or something.

-David


On Jun 28, 2010, at 8:54 AM, Muhammad Aamir wrote:

> All services where auth="true" take at least three IN (or INOUT) parameters
> by default: 1) login.username 2) login.password and 3) loginUser.
> 
> No. 1 and 2 definitely make sense. However, 3 might be a security threat (or
> my understanding is wrong). Any user (calling the service remotely) can pass
> a loginUser GV (which he somehow got hold of, maybe by invoking a getRelated
> sort of method on some other GV) which might not belong to her.
> 
> Regards
