JSON services are not well protected

In some cases the liferay json services can presents important security holes :

1 - the less important : In some cases, we can access to some database informations (for exemple, knowing if an userId exists un Liferay database).
2 - the most important : In some cases, we can use json services to fill in liferay databases without any permissions needed !!!

1 - Access to DB informations

For exemple, if you load the url :

http://www.liferay.com/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=getUserById&serviceParameters=[%22userId%22]&userId=1234

The answer will be :

So, you know there is no user for this ID. In think it's not good to give this type of information to anyone.

2 - Fill the Liferay DB without permissions needed :

Some ServiceUtil are not well protected. For exemple, if you load the url :

http://www.liferay.com/c/portal/json_service?serviceClassName=com.liferay.mail.service.CyrusServiceUtil&serviceMethodName=addUser&serviceParameters=[%22userId%22,%22emailAddress%22,%22password%22]&userId=12345&emailAddress=%22aa@aa.com%22&password=test

You will add an user in the CyrusUser table (there is not protections on this service).

I've created this ticket in private because I think this is a very important an easy to user security hole !

It's sure, we can use the "json.service.invalid.class.names" to remove some classes. But, I think it would be better if we can use an include list instead of an exclude list (there is so many services).