Any comments?

On Jun 28, 2010, at 18:20, Muhammad Aamir <[email protected]> wrote:

> I didn't dare to look at the service engine code. However, I just called a
> service and passed only the userLogin GV and was able to execute the service
> (without passing username/password):
> 
>     // Authenticate once and take the userLogin GenericValue from the result.
>     Map res = rd.runSync("userLogin",
>             UtilMisc.toMap("login.username", "admin", "login.password", "ofbiz"));
>     System.out.println(res.get("responseMessage"));
>     System.out.println(res.get("errorMessage"));
>     System.out.println(res.get("successMessage"));
> 
>     GenericValue gv = (GenericValue) res.get("userLogin");
> 
>     // Call an auth="true" service passing only the userLogin GenericValue.
>     res = rd.runSync("someService", UtilMisc.toMap("userLogin", gv));
>     System.out.println(res.get("responseMessage"));
>     System.out.println(res.get("errorMessage"));
>     System.out.println(res.get("successMessage"));
> 
> 
> Regards
> 
> On Mon, Jun 28, 2010 at 6:06 PM, David E Jones <[email protected]> wrote:
> 
> One quick point: it's userLogin, not loginUser.
> 
> Take a look at the service engine code. You'll see that even if you pass in 
> the userLogin GenericValue object the username/password are verified, it 
> isn't just accepted as pre-authenticated or something.
> 
> -David
> 
> 
> On Jun 28, 2010, at 8:54 AM, Muhammad Aamir wrote:
> 
> > All services where auth="true" take at least three IN (or INOUT) parameters
> > by default: 1) login.username 2) login.password and 3) loginUser.
> >
> > No. 1 and 2 definitely make sense. However 3 might be a security threat (or
> > my understanding is wrong). Any user (calling a service remotely) can pass a
> > loginUser GV (which he somehow got hold of, maybe by invoking a getRelated
> > sort of method on some other GV) which might not belong to her.
> >
> > Regards
> 
> 

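As an added illustration (not OFBiz's own code, and not code posted by anyone in this thread), the following self-contained Java model shows what the re-verification David describes looks like: a service engine that, when handed a userLogin map instead of login.username/login.password, still checks the userLoginId and currentPassword it carries against the stored record before running the service, so a map naming another account without that account's password is refused. The class and method names (AuthCheckDemo, runSync, checkAuth, credentialsValid), the in-memory UserLogin table, the SHA-1 hashing and the fields placed in the returned userLogin map are all assumptions made for this sketch; what a real OFBiz userLogin GenericValue carries and how the service engine compares it has to be read off the service engine source, as David suggests.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not OFBiz code: a minimal "service engine" whose
// auth="true" check re-verifies credentials whether the caller supplies
// login.username/login.password or a ready-made userLogin map.
public class AuthCheckDemo {

    // Constructed in-memory UserLogin table: userLoginId -> stored password hash.
    private static final Map<String, String> USER_LOGIN_TABLE = new HashMap<>();

    static {
        USER_LOGIN_TABLE.put("admin", hash("ofbiz"));
        USER_LOGIN_TABLE.put("alice", hash("s3cret"));
    }

    // Unsalted SHA-1 is used only to keep the sketch short; it is not a recommendation.
    static String hash(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-1").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // True only if the stored hash for userLoginId equals hash(password).
    static boolean credentialsValid(String userLoginId, String password) {
        if (userLoginId == null || password == null) {
            return false;
        }
        String stored = USER_LOGIN_TABLE.get(userLoginId);
        return stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                hash(password).getBytes(StandardCharsets.UTF_8));
    }

    // The userLogin map is never accepted as pre-authenticated: the
    // userLoginId and currentPassword it carries are checked again.
    @SuppressWarnings("unchecked")
    static boolean checkAuth(Map<String, Object> context) {
        String username = (String) context.get("login.username");
        String password = (String) context.get("login.password");
        if (username != null && password != null) {
            return credentialsValid(username, password);
        }
        Map<String, Object> userLogin = (Map<String, Object>) context.get("userLogin");
        if (userLogin != null) {
            return credentialsValid((String) userLogin.get("userLoginId"),
                                    (String) userLogin.get("currentPassword"));
        }
        return false;
    }

    // Stand-in for dispatcher.runSync(): "userLogin" authenticates and returns a
    // userLogin map; any other service name requires checkAuth() to pass.
    static Map<String, Object> runSync(String service, Map<String, Object> context) {
        Map<String, Object> result = new HashMap<>();
        if ("userLogin".equals(service)) {
            String username = (String) context.get("login.username");
            String password = (String) context.get("login.password");
            if (credentialsValid(username, password)) {
                Map<String, Object> gv = new HashMap<>();
                gv.put("userLoginId", username);
                gv.put("currentPassword", password); // field contents are an assumption of this model
                result.put("responseMessage", "success");
                result.put("userLogin", gv);
            } else {
                result.put("responseMessage", "error");
                result.put("errorMessage", "invalid username or password");
            }
            return result;
        }
        if (!checkAuth(context)) {
            result.put("responseMessage", "error");
            result.put("errorMessage", "user authorization is required for service " + service);
            return result;
        }
        result.put("responseMessage", "success");
        result.put("successMessage", service + " executed");
        return result;
    }

    public static void main(String[] args) {
        // 1. Log in, then reuse the returned userLogin map: accepted, because
        //    its userLoginId/currentPassword still verify against the table.
        Map<String, Object> login = new HashMap<>();
        login.put("login.username", "admin");
        login.put("login.password", "ofbiz");
        Map<String, Object> res = runSync("userLogin", login);
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("userLogin", res.get("userLogin"));
        System.out.println(runSync("someService", ctx).get("responseMessage"));

        // 2. A userLogin map naming another account with the wrong password: rejected.
        Map<String, Object> forged = new HashMap<>();
        forged.put("userLoginId", "alice");
        forged.put("currentPassword", "wrong");
        ctx = new HashMap<>();
        ctx.put("userLogin", forged);
        System.out.println(runSync("someService", ctx).get("responseMessage"));
    }
}
```

The point the model makes is the one in dispute: a passed-in userLogin is not a bearer token, it is a bundle of credentials that the engine checks again. Whether that re-check can be satisfied by a record obtained some other way depends entirely on which fields the real GenericValue carries and how the engine compares them, which is why the answer has to come from the service engine code rather than from this sketch.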