We've been playing with the Practice application that can be downloaded from here <https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Tutorial+-+A+Beginners+Development+Guide> and we noticed that if you perform the request to create a user from a non-authenticated client, the Person record is still created.
The relevant entry from the controller.xml looks like:

The check is honored in that the request returns the HTML for the login page, but the createPracticePerson service is still invoked and the Person record is created.

I am still new to OFBiz, but this is not what I would expect to happen. Please help me understand what incorrect assumptions I am making and how to secure an AJAX request like this.

Thanks!

--
View this message in context: http://ofbiz.135035.n4.nabble.com/AJAX-is-unsecure-auth-true-not-honored-on-controller-tp4657131.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
