[jira] [Created] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.


[jira] [Created] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)
Amardeep Singh Jhajj created OFBIZ-4956:
-------------------------------------------

             Summary: "auth" should be true for all the request url used for Application components.
                 Key: OFBIZ-4956
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
            Reporter: Amardeep Singh Jhajj
             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04


Currently there are some URLs present in application components with auth="false", so anyone can hit these URLs and access any resources without authorization.

For example: https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG

Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
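A small audit script for the point raised in this issue: it lists the request-maps in a controller.xml whose <security> element does not set auth="true", and rewrites the file with auth="true" and https="true" while keeping an explicit allow-list for requests that anonymous users (the eCommerce case Jacques raises later in the thread) must still reach. This is an added example, not code from the issue, the attached patches or OFBiz; the sample controller.xml and the anonymous_ok allow-list are constructed.

```python
"""Audit and harden <request-map> security in an OFBiz controller.xml.

Added example; not code from OFBiz or from the attached patches. The
controller.xml below is constructed. The anonymous_ok allow-list is an
assumption modelling requests that anonymous (eCommerce) users must reach.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONTROLLER_XML = """<site-conf>
    <request-map uri="ViewSimpleContent">
        <security https="true" auth="false"/>
        <response name="success" type="view" value="ViewSimpleContent"/>
    </request-map>
    <request-map uri="EditContent">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="EditContent"/>
    </request-map>
    <request-map uri="getAssociatedStateList">
        <security https="false" auth="false"/>
        <event type="service" invoke="getAssociatedStateList"/>
    </request-map>
    <request-map uri="main">
        <response name="success" type="view" value="main"/>
    </request-map>
</site-conf>"""


def _security_flags(request_map):
    """Return (auth, https) as booleans; a missing element or attribute counts as False."""
    sec = request_map.find("security")
    if sec is None:
        return False, False
    return sec.get("auth") == "true", sec.get("https") == "true"


def audit(controller_xml):
    """List the uri of every request-map that does not require an authenticated user."""
    root = ET.fromstring(controller_xml)
    return [rm.get("uri") for rm in root.iter("request-map") if not _security_flags(rm)[0]]


def harden(controller_xml, anonymous_ok=frozenset()):
    """Set https="true" everywhere and auth="true" except for uris in anonymous_ok."""
    root = ET.fromstring(controller_xml)
    for rm in root.iter("request-map"):
        sec = rm.find("security")
        if sec is None:  # no <security> at all: add one before event/response
            sec = ET.Element("security")
            rm.insert(0, sec)
        sec.set("https", "true")
        sec.set("auth", "false" if rm.get("uri") in anonymous_ok else "true")
    return ET.tostring(root, encoding="unicode")
```

Run audit() over each application's WEB-INF/controller.xml to get the list Jacques asks for, and review every flagged uri against the allow-list before applying harden().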

       
Reply | Threaded
Open this post in threaded view
|

[jira] [Updated] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amardeep Singh Jhajj updated OFBIZ-4956:
----------------------------------------

    Attachment: OFBIZ-4956.patch
                OFBIZ-4956-Release-11.04.patch
                OFBIZ-4956-Release-10.04.patch

Patch attached for Release branches and trunk.
               

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some url present in application components with auth="false". So anyone can hit this urls and can access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any resource by changing the dataResourceId). I think all the url should be secure with auth="true" and https="true" in all the application components.

[jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414607#comment-13414607 ]

Jacques Le Roux commented on OFBIZ-4956:
----------------------------------------

Hi Amardeep,

Did not review anything yet (just a glance). Did you check them one by one? Did you think about reasons those requests might not need to use auth, or even should not?
               

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some url present in application components with auth="false". So anyone can hit this urls and can access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any resource by changing the dataResourceId). I think all the url should be secure with auth="true" and https="true" in all the application components.

[jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420462#comment-13420462 ]

Amardeep Singh Jhajj commented on OFBIZ-4956:
---------------------------------------------

Hi Jacques,

I didn't check each one by one due to time shortage, but I checked many of them. But we need to make sure that application component URLs are only accessed by authorized users. As I mentioned, the example URL above can be accessed by anyone, which is bad.
               

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some url present in application components with auth="false". So anyone can hit this urls and can access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any resource by changing the dataResourceId). I think all the url should be secure with auth="true" and https="true" in all the application components.

[jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420497#comment-13420497 ]

Jacques Le Roux commented on OFBIZ-4956:
----------------------------------------

I just want to be sure that, for instance, none are called from eCommerce where a user can be anonymous... Could you check that?
               

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some url present in application components with auth="false". So anyone can hit this urls and can access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any resource by changing the dataResourceId). I think all the url should be secure with auth="true" and https="true" in all the application components.

[jira] [Comment Edited] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420497#comment-13420497 ]

Jacques Le Roux edited comment on OFBIZ-4956 at 7/23/12 8:13 AM:
-----------------------------------------------------------------

== ADD INFO ==
I just want to be sure that, for instance, none are called from eCommerce where a user can be anonymous... Could you check that?
Like those in ordermgr, e.g.:
* getAssociatedStateList
* crosssell
               
      was (Author: jacques.le.roux):
    I just want to be sure that, for instance, none are called from eCommerce where a user can be anonymous... Could you check that?
                 

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some url present in application components with auth="false". So anyone can hit this urls and can access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any resource by changing the dataResourceId). I think all the url should be secure with auth="true" and https="true" in all the application components.
