Posted to commits@ace.apache.org by "J.W. Janssen (JIRA)" <ji...@apache.org> on 2016/01/28 11:50:40 UTC
[jira] [Resolved] (ACE-511) ScriptServlet does not apply security
[ https://issues.apache.org/jira/browse/ACE-511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
J.W. Janssen resolved ACE-511.
------------------------------
Resolution: Fixed
Applied patch from [~brampouwelse] in rev #1727306. This script now handles authentication in the same way as the other servlets.
> ScriptServlet does not apply security
> -------------------------------------
>
> Key: ACE-511
> URL: https://issues.apache.org/jira/browse/ACE-511
> Project: ACE
> Issue Type: Bug
> Components: Authentication
> Affects Versions: 2.0.1
> Environment: n/a
> Reporter: Sander Mak
> Assignee: J.W. Janssen
> Priority: Critical
> Labels: ace-next-security
> Attachments: ACE-511.patch
>
>
> Looking at the source code, authentication on endpoints is enforced by calling AuthenticationService from the servlet's service() methods. However, the ScriptServlet (executing arbitrary Gogo scripts) does not call this service.
> I'm not sure what the rationale is for not using an HttpContext and/or Servlet filter to enforce authentication on all endpoints, but that would have prevented this situation from arising...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)