[ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420462#comment-13420462 ]

Amardeep Singh Jhajj commented on OFBIZ-4956:
---------------------------------------------

Hi Jacques,

I didn't check each one individually due to time shortage, but I checked many of them. 
But we need to make sure that application component URLs can only be accessed 
by authorized users. As I mentioned, the example URL above can be accessed by 
anyone, which is bad.
                
> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, 
> Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, 
> OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some URLs present in application components with 
> auth="false". So anyone can hit these URLs and access any resources 
> without authorization. 
> For example: 
> https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any 
> resource by changing the dataResourceId). I think all the URLs should be 
> secured with auth="true" and https="true" in all the application components. 

