[ https://issues.apache.org/jira/browse/ACE-511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14575298#comment-14575298 ]

Marcel Offermans commented on ACE-511:
--------------------------------------

I don't think there is a rationale for this, you should be able to secure any 
endpoint. I'd classify this as a bug.

> ScriptServlet does not apply security
> -------------------------------------
>
>                 Key: ACE-511
>                 URL: https://issues.apache.org/jira/browse/ACE-511
>             Project: ACE
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: 2.0.1
>         Environment: n/a
>            Reporter: Sander Mak
>            Priority: Critical
>
> Looking at the source code, authentication on endpoints is enforced by calling 
> AuthenticationService from the servlet's service() methods. However, the 
> ScriptServlet (executing arbitrary Gogo scripts) does not call this service.
> I'm not sure what the rationale is for not using an HttpContext and/or 
> Servlet filter to enforce authentication on all endpoints, but that would 
> have prevented this situation from arising...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
