[ https://issues.apache.org/jira/browse/SLING-11678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17634780#comment-17634780 ]

Konrad Windszus commented on SLING-11678:
-----------------------------------------

For me this functionality should have less dependency on Sling engine than it 
should have on Felix Web Console, as this is not Sling-specific at all. So I 
would say that binding it to the Sling context does limit its usage for no 
reason, but binding it to the web console OTOH seems acceptable (as it is much 
more lightweight than Sling).

In fact the WebConsole REST API is used to install this bundle, e.g. from Sling 
IDE 
(https://github.com/apache/sling-ide-tooling/blob/c26c37581748a74627cc822e564388bccd8c26f6/eclipse/eclipse-core/src/org/apache/sling/ide/eclipse/core/internal/SlingLaunchpadBehaviour.java#L112-L113).

> Protect the Tooling Support Install servlet
> -------------------------------------------
>
>                 Key: SLING-11678
>                 URL: https://issues.apache.org/jira/browse/SLING-11678
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Konrad Windszus
>            Priority: Major
>
> Currently the endpoint provided by Tooling Support Endpoint doesn't require 
> authentication so every anonymous user can install arbitrary bundles.
> I would suggest to migrate the endpoint to a 
> [web console plugin|https://felix.apache.org/documentation/subprojects/apache-felix-web-console/extending-the-apache-felix-web-console/providing-web-console-plugins.html] 
> to benefit from its built-in authentication.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)