I didn't dare to see the service engine code. However, I just called a
service and passed only userLogin GV and was able to execute the service
(without passing username/password):

 import java.util.Map;
 import org.ofbiz.base.util.UtilMisc;
 import org.ofbiz.entity.GenericValue;
 import org.ofbiz.service.LocalDispatcher;

 // rd is assumed to be a LocalDispatcher obtained elsewhere;
 // runSync declares GenericServiceException, so call it from a method that handles it.
 // Step 1: authenticate with username/password and get the userLogin GenericValue back.
 Map res = rd.runSync("userLogin", UtilMisc.toMap("login.username",
     "admin", "login.password", "ofbiz"));
 System.out.println(res.get("responseMessage"));
 System.out.println(res.get("errorMessage"));
 System.out.println(res.get("successMessage"));
 GenericValue gv = (GenericValue) res.get("userLogin");
 // Step 2: call an auth="true" service passing only the userLogin value, no credentials.
 res = rd.runSync("someService", UtilMisc.toMap("userLogin", gv));
 System.out.println(res.get("responseMessage"));
 System.out.println(res.get("errorMessage"));
 System.out.println(res.get("successMessage"));


Regards
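
An added illustration of the check the thread is discussing, not OFBiz's service engine code: a minimal dispatcher in which an auth="true" service either takes login.username/login.password or a caller-supplied userLogin value, and in the latter case re-verifies that value against the user store instead of treating it as pre-authenticated. The user store, the service registry, run_sync and the hashing are constructed for this example.

```python
import hashlib
import hmac
def _pw_hash(password):
    # Constructed store hashes with bare SHA-256 for brevity; a real system uses a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed user store: userLoginId -> stored password hash and enabled flag.
USERS = {
    "admin": {"currentPassword": _pw_hash("ofbiz"), "enabled": True},
    "bob": {"currentPassword": _pw_hash("bobpw"), "enabled": False},
}
SERVICES = {}  # service name -> (auth required?, handler)

def service(name, auth=True):
    def register(fn):
        SERVICES[name] = (auth, fn)
        return fn
    return register

def _lookup(user_id, stored_hash):
    """Accept only an enabled account whose stored hash matches; return a fresh userLogin."""
    rec = USERS.get(user_id)
    if rec is None or not rec["enabled"]:
        return None
    if not hmac.compare_digest(rec["currentPassword"], str(stored_hash)):
        return None
    return {"userLoginId": user_id, "currentPassword": rec["currentPassword"]}
def run_sync(name, ctx):
    auth, handler = SERVICES[name]
    if auth:
        if "login.username" in ctx and "login.password" in ctx:
            user = _lookup(ctx["login.username"], _pw_hash(ctx["login.password"]))
        elif isinstance(ctx.get("userLogin"), dict):
            # Caller-supplied userLogin: re-verify against the store, never treat it as pre-authenticated.
            gv = ctx["userLogin"]
            user = _lookup(gv.get("userLoginId"), gv.get("currentPassword"))
        else:
            user = None
        if user is None:
            return {"responseMessage": "error", "errorMessage": "User authorization is required"}
        ctx = dict(ctx, userLogin=user)  # handler sees the store-backed value, not the caller's
    return handler(ctx)

@service("userLogin")
def user_login(ctx):
    return {"responseMessage": "success", "userLogin": ctx["userLogin"]}

@service("someService")
def some_service(ctx):
    return {"responseMessage": "success", "successMessage": "ran as " + ctx["userLogin"]["userLoginId"]}
```

Calling someService with the userLogin returned by userLogin succeeds only because the dispatcher re-checks it; a tampered, unknown or disabled userLogin, or no credentials at all, is rejected.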

On Mon, Jun 28, 2010 at 6:06 PM, David E Jones <[email protected]> wrote:

>
> One quick point: it's userLogin, not loginUser.
>
> Take a look at the service engine code. You'll see that even if you pass in
> the userLogin GenericValue object the username/password are verified, it
> isn't just accepted as pre-authenticated or something.
>
> -David
>
>
> On Jun 28, 2010, at 8:54 AM, Muhammad Aamir wrote:
>
> > All services where auth="true" take at least three IN (or INOUT)
> parameters
> > by default 1) login.username 2) login.password and 3) loginUser.
> >
> > No. 1 and 2 definitely make sense. However 3 might be a security threat
> (or
> > my understanding is wrong). Any user (calling service remotely) can pass
> > loginUser GV (which he somehow got hold of, maybe by invoking
> getRelated
> > sort of method on some other GV) which might not belong to her.
> >
> > Regards
>
>
