You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@ace.apache.org by "Marcel Offermans (JIRA)" <ji...@apache.org> on 2015/06/05 23:57:00 UTC

[jira] [Commented] (ACE-511) ScriptServlet does not apply security

    [ https://issues.apache.org/jira/browse/ACE-511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14575298#comment-14575298 ] 

Marcel Offermans commented on ACE-511:
--------------------------------------

I don't think there is a rationale for this, you should be able to secure any endpoint. I'd classify this as a bug.

> ScriptServlet does not apply security
> -------------------------------------
>
>                 Key: ACE-511
>                 URL: https://issues.apache.org/jira/browse/ACE-511
>             Project: ACE
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: 2.0.1
>         Environment: n/a
>            Reporter: Sander Mak
>            Priority: Critical
>
> Looking at the sourcecode, authentication on endpoints is enforced by calling AuthenticationService from the servlet's service() methods. However, the ScriptServlet (executing arbitrary Gogo scrips) does not call this service.
> I'm not sure what the rationale is for not using an HttpContext and/or Servlet filter to enforce authentication on all endpoints, but that would have prevented this situations from arising...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)