I believe I addressed that in my original response. -David
On Jul 1, 2010, at 2:21 AM, Scott Gray wrote:

> I think Muhammed's point is that once a user has authenticated using their
> own username/password, it is possible that they could retrieve another user's
> UserLogin record and then use it to execute services without needing to know
> that user's password.
>
> Regards
> Scott
>
> HotWax Media
> http://www.hotwaxmedia.com
>
> On 1/07/2010, at 7:58 PM, Jacques Le Roux wrote:
>
>> In your example you needed 1st to know the login/pwd couple. So I can't see
>> the problem here.
>>
>> Jacques
>>
>> From: "Muhammed Aamir" <[email protected]>
>>>>> All services where auth="true" take at least three IN (or INOUT)
>>>>> parameters by default: 1) login.username 2) login.password and 3) loginUser.
>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat
>>>>> (or my understanding is wrong). Any user (calling a service remotely) can pass
>>>>> a loginUser GV (which he somehow got hold of, maybe by invoking a getRelated
>>>>> sort of method on some other GV) which might not belong to her.
>>
>> Sent from my iPhone
>>
>> On Jul 1, 2010, at 1:42, David E Jones <[email protected]> wrote:
>>
>>>>>> All services where auth="true" take at least three IN (or INOUT)
>>>>>> parameters by default: 1) login.username 2) login.password and 3) loginUser.
>>>>>> No. 1 and 2 definitely make sense. However 3 might be a security threat
>>>>>> (or my understanding is wrong). Any user (calling a service remotely) can pass
>>>>>> a loginUser GV (which he somehow got hold of, maybe by invoking a getRelated
>>>>>> sort of method on some other GV) which might not belong to her.
