Sander Mak created ACE-511:
------------------------------
Summary: ScriptServlet does not apply security
Key: ACE-511
URL: https://issues.apache.org/jira/browse/ACE-511
Project: ACE
Issue Type: Bug
Components: Authentication
Affects Versions: 2.0.1
Environment: n/a
Reporter: Sander Mak
Priority: Critical
Looking at the source code, authentication on endpoints is enforced by calling
AuthenticationService from the servlet's service() methods. However, the
ScriptServlet (executing arbitrary Gogo scripts) does not call this service.
I'm not sure what the rationale is for not using an HttpContext and/or Servlet
filter to enforce authentication on all endpoints, but that would have
prevented this situation from arising...
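
The servlet-filter approach mentioned in the report, as an added example that is not code from Apache ACE or from the reporter: authentication is enforced once, in front of every servlet, so an endpoint that omits its own check is still protected. The `Authenticator` interface, the Basic scheme and the realm value are assumptions standing in for the project's real authentication call.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Deny-by-default gate: map to every path so no servlet can forget the check. */
public class AuthenticationFilter implements Filter {
    /** Hypothetical stand-in for the project's authentication call (an assumption). */
    public interface Authenticator {
        /** Returns the authenticated user, or null when credentials are missing or invalid. */
        Object authenticate(HttpServletRequest request);
    }

    private final Authenticator authenticator;
    public AuthenticationFilter(Authenticator authenticator) {
        this.authenticator = java.util.Objects.requireNonNull(authenticator);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            throw new ServletException("non-HTTP request rejected");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Object user;
        try {
            user = authenticator.authenticate(request);
        } catch (RuntimeException e) {
            user = null; // fail closed: an authenticator error must not open the endpoint
        }
        if (user == null) {
            // Scheme and realm are assumptions; use whatever the deployment really offers.
            response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // chain.doFilter is never reached, so the servlet does not run
        }
        chain.doFilter(request, response);
    }
}
```

The filter only closes the gap if it is mapped to all paths (for example `/*`) ahead of every servlet, including the script endpoint.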