What sort of comment were you hoping for?

-David

On Jun 30, 2010, at 1:49 PM, Muhammed Aamir wrote:

> Any comments?
>
>
> On Jun 28, 2010, at 18:20, Muhammad Aamir <[email protected]> wrote:
>
>> I didn't dare to see the service engine code. However, I just called a
>> service and passed only userLogin GV and was able to execute the service
>> (without passing username/password):
>>
>>     Map res = rd.runSync("userLogin",
>>             UtilMisc.toMap("login.username",
>>             "admin", "login.password", "ofbiz"));
>>     System.out.println(res.get("responseMessage"));
>>     System.out.println(res.get("errorMessage"));
>>     System.out.println(res.get("successMessage"));
>>
>>     GenericValue gv = (GenericValue)res.get("userLogin");
>>
>>     res = rd.runSync("someService", UtilMisc.toMap("userLogin",
>>             gv));
>>     System.out.println(res.get("responseMessage"));
>>     System.out.println(res.get("errorMessage"));
>>     System.out.println(res.get("successMessage"));
>>
>>
>> Regards
>>
>> On Mon, Jun 28, 2010 at 6:06 PM, David E Jones <[email protected]> wrote:
>>
>> One quick point: it's userLogin, not loginUser.
>>
>> Take a look at the service engine code. You'll see that even if you pass in
>> the userLogin GenericValue object the username/password are verified, it
>> isn't just accepted as pre-authenticated or something.
>>
>> -David
>>
>>
>> On Jun 28, 2010, at 8:54 AM, Muhammad Aamir wrote:
>>
>>> All services where auth="true" take at least three IN (or INOUT) parameters
>>> by default: 1) login.username, 2) login.password and 3) loginUser.
>>>
>>> No. 1 and 2 definitely make sense. However, 3 might be a security threat (or
>>> my understanding is wrong). Any user (calling the service remotely) can pass
>>> a loginUser GV (which he somehow got hold of, maybe by invoking a getRelated
>>> sort of method on some other GV) which might not belong to her.
>>>
>>> Regards
