We've been playing with the Practice application that can be downloaded from here and we noticed that if you perform the request to create a user from non-authenticated client, the Person record is still created.
The relevant entry from the controller.xml looks like:

    <request-map uri="createPracticePersonByAjax">
        <security https="true" auth="true"/>
        <event type="service" invoke="createPracticePerson"/>
        <response name="success" type="request" value="json"/>
        <response name="error" type="request" value="json"/>
    </request-map>

The auth="true" check is honored in that the request returns the HTML for the login page, but the createPracticePerson service is still invoked and the Person record is created. I am still new to ofbiz, but this is not what I would expect to happen, please help me understand what incorrect assumptions I am making and how to secure an AJAX request like this. Thanks!
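As an added illustration (not code from the original post, from the Practice tutorial, or from OFBiz itself): the controller-level request-map from the post beside a service definition that carries its own auth="true". The controller check only gates the request; the service-level flag is enforced by the service engine itself, so a call that reaches the service without an authenticated userLogin is rejected and no Person record is written. The services.xml location, engine and attribute list are assumptions for the example.

```xml
<!-- controller.xml: the request-map from the post, unchanged.
     auth="true" here is the first layer: it gates the HTTP request. -->
<request-map uri="createPracticePersonByAjax">
    <security https="true" auth="true"/>
    <event type="service" invoke="createPracticePerson"/>
    <response name="success" type="request" value="json"/>
    <response name="error" type="request" value="json"/>
</request-map>

<!-- services.xml (assumed location/engine; the service name is the one
     from the post). auth="true" on the service definition is checked by
     the service engine independently of the controller: an invocation
     without a valid userLogin fails with an authorization error instead
     of creating the Person record. -->
<service name="createPracticePerson" engine="simple"
         location="component://practice/minilang/PracticeServices.xml"
         invoke="createPracticePerson" auth="true">
    <description>Create a Person for the Practice app (login required)</description>
    <auto-attributes entity-name="Person" include="nonpk" mode="IN" optional="true"/>
    <attribute name="partyId" type="String" mode="OUT" optional="false"/>
</service>
```

To confirm the second layer holds, repeat the unauthenticated AJAX request after the change and check that the response is the json error mapping and that no new Person row appears.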
Are you still interested and is this still true now?
Jacques

On 21/10/2014 02:47, pprice wrote:
> We've been playing with the Practice application that can be downloaded from
> here
> <https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Tutorial+-+A+Beginners+Development+Guide>
> and we noticed that if you perform the request to create a user from
> non-authenticated client, the Person record is still created.
>
> The relevant entry from the controller.xml looks like:
>
>
> The check is honored in that the request returns the HTML for the login
> page, but the createPracticePerson service is still invoked and the Person
> record is created. I am still new to ofbiz, but this is not what I would
> expect to happen, please help me understand what incorrect assumptions I am
> making and how to secure an AJAX request like this.
>
> Thanks!
>
> --
> View this message in context: http://ofbiz.135035.n4.nabble.com/AJAX-is-unsecure-auth-true-not-honored-on-controller-tp4657131.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
This issue may still exist, but we've chosen not to pursue a solution with ofbiz. Thanks.

-Preston

On Wed, Jan 7, 2015 at 2:38 PM, Jacques Le Roux [via OFBiz] <[hidden email]> wrote:
> Are you still interested and is this still true now?