AJAX is unsecure. auth="true" not honored on controller.

AJAX is unsecure. auth="true" not honored on controller.

pprice
We've been playing with the Practice application that can be downloaded from here and we noticed that if you perform the request to create a user from non-authenticated client, the Person record is still created.

The relevant entry from the controller.xml looks like:
<request-map uri="createPracticePersonByAjax">
    <security https="true" auth="true"/>
    <event type="service" invoke="createPracticePerson"/>
    <response name="success" type="request" value="json"/>
    <response name="error" type="request" value="json"/>
</request-map>

The auth="true" check is honored in that the request returns the HTML for the login page, but the createPracticePerson service is still invoked and the Person record is created. I am still new to OFBiz, but this is not what I would expect to happen, please help me understand what incorrect assumptions I am making and how to secure an AJAX request like this.

Thanks!
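As an added illustration (not OFBiz code, and not a diagnosis of the actual cause inside OFBiz, which this thread never establishes), here is a small Python model of a controller that reads the request-map above and contrasts two orderings: using auth="true" only to pick the response, which reproduces the symptom described (login page returned, record still created), versus checking it before the event runs. The `dispatch` and `demo` functions, the `persons` list standing in for the Person table, and the `gate_event` flag are all hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the request-map quoted in the post (not a full controller.xml).
CONTROLLER_XML = """
<site-conf>
  <request-map uri="createPracticePersonByAjax">
    <security https="true" auth="true"/>
    <event type="service" invoke="createPracticePerson"/>
    <response name="success" type="request" value="json"/>
    <response name="error" type="request" value="json"/>
  </request-map>
</site-conf>
"""


def load_request_maps(xml_text):
    """Return {uri: {"auth": bool, "invoke": str}} from the request-map elements."""
    root = ET.fromstring(xml_text.strip())
    maps = {}
    for rm in root.findall("request-map"):
        sec = rm.find("security")
        ev = rm.find("event")
        maps[rm.get("uri")] = {
            "auth": sec is not None and sec.get("auth") == "true",
            "invoke": ev.get("invoke") if ev is not None else None,
        }
    return maps


def dispatch(uri, session, persons, gate_event):
    """Hypothetical controller. `persons` stands in for the Person table.
    gate_event=False models the symptom from the post: the login view is
    returned, but the service has already executed. gate_event=True checks
    auth before the event, so an unauthenticated call has no side effect."""
    rm = load_request_maps(CONTROLLER_XML)[uri]
    authenticated = session.get("userLogin") is not None
    if rm["auth"] and not authenticated and gate_event:
        return "login"  # stop before the event; nothing was invoked
    if rm["invoke"] == "createPracticePerson":
        persons.append({"firstName": "test"})  # the side effect the post observed
    if rm["auth"] and not authenticated:
        return "login"  # too late: the record already exists
    return "json"


def demo(gate_event):
    """Run one unauthenticated request; return (view, number of Person rows)."""
    persons = []
    view = dispatch("createPracticePersonByAjax", {}, persons, gate_event)
    return view, len(persons)
```

The check a practitioner wants from a real deployment is the same as `demo(True)`: an unauthenticated call must return the login response and leave the row count unchanged.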
Re: AJAX is unsecure. auth="true" not honored on controller.

Jacques Le Roux
Administrator
Are you still interested and is this still true now?

Jacques

On 21/10/2014 02:47, pprice wrote:

> We've been playing with the Practice application that can be downloaded from
> here
> <https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Tutorial+-+A+Beginners+Development+Guide>
> and we noticed that if you perform the request to create a user from
> non-authenticated client, the Person record is still created.
>
> The relevant entry from the controller.xml looks like:
>
>
> The auth="true" check is honored in that the request returns the HTML for the login
> page, but the createPracticePerson service is still invoked and the Person
> record is created. I am still new to ofbiz, but this is not what I would
> expect to happen, please help me understand what incorrect assumptions I am
> making and how to secure an AJAX request like this.
>
> Thanks!
>
>
>
Re: AJAX is unsecure. auth="true" not honored on controller.

pprice
This issue may still exist, but we've chosen not to pursue a solution with OFBiz.

Thanks.

-Preston

On Wed, Jan 7, 2015 at 2:38 PM, Jacques Le Roux [via OFBiz] <[hidden email]> wrote:
Are you still interested and is this still true now?

Jacques

--
Preston M. Price
KidCheck