I would say setting it to false would be the easiest route to closing this 
hole.  If somebody wants the service exported OOTB then they'd need to improve 
it with authentication and authorization.

Regards
Scott

On 15/09/2011, at 5:30 PM, Sascha Rodekamp wrote:

> +1
> Is it better to set the export to false or enable the authorization? 
> 
> On 14.09.2011 at 17:10, Scott Gray <[email protected]> wrote:
> 
>> +1
>> 
>> I would say it was fine if the service required auth and it then checked if 
>> the user had permission to view details about the order but it doesn't seem 
>> to do any authorization checks at all.
>> 
>> Regards
>> Scott
>> 
>> On 15/09/2011, at 2:40 AM, Dimitri Unruh wrote:
>> 
>>> Hi everybody,
>>> 
>>> At the moment the getOrderStatus service is defined with export="true". Is 
>>> this really necessary?
>>> I would like to close it.
>>> What do you think?
>>> 
>>> Best Regards
>>> 
>>> 
>>> Dimitri Unruh
>>> Consultant AEW
>>> Lynx-Consulting GmbH
>>> Johanniskirchplatz 6
>>> 33615 Bielefeld
>>> Deutschland
>>> Fon: +49 521 5247-0
>>> Fax: +49 521 5247-250
>>> Mobil: +49 160 90 57 55 13
>> 
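
A static check for the situation discussed in this thread, as an added example that is not part of the original messages or of the OFBiz code base: it scans a service definition file for services declared with export="true" that do not require auth, or that require auth but declare no permission check. The sample XML, its class locations and the `example*` service names are constructed; `auth`, `permission-service` and `required-permissions` are taken from the OFBiz service definition schema, and both `export` and `auth` are assumed to default to false when absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OFBiz services.xml file. Locations and
# the example* services are made up; only the attribute names follow the schema.
SAMPLE_SERVICES_XML = """\
<services>
    <service name="getOrderStatus" engine="java" export="true"
             location="com.example.OrderServices" invoke="getOrderStatus">
        <attribute name="orderId" type="String" mode="IN"/>
    </service>
    <service name="exampleAuthedLookup" engine="java" export="true" auth="true"
             location="com.example.OrderServices" invoke="lookup">
        <permission-service service-name="examplePermissionCheck" main-action="VIEW"/>
    </service>
    <service name="exampleAuthOnly" engine="java" export="true" auth="true"
             location="com.example.OrderServices" invoke="authOnly"/>
    <service name="exampleInternalOnly" engine="java"
             location="com.example.OrderServices" invoke="internal"/>
</services>
"""


def audit_exported_services(xml_text):
    """Return (service name, finding) pairs for exported services that lack
    authentication or a declared permission check."""
    findings = []
    for svc in ET.fromstring(xml_text).iter("service"):
        # Assumption: a missing export attribute means the service is not exported.
        if svc.get("export", "false") != "true":
            continue
        name = svc.get("name")
        # Assumption: a missing auth attribute means no login is required.
        if svc.get("auth", "false") != "true":
            findings.append((name, "exported without auth"))
        # Only declarative checks are visible here; a permission check done
        # inside the service implementation has to be reviewed by hand.
        elif (svc.find("permission-service") is None
              and svc.find("required-permissions") is None):
            findings.append((name, "exported with auth but no declared permission check"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_exported_services(SAMPLE_SERVICES_XML):
        print(f"{name}: {finding}")
```
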
