[ https://issues.apache.org/jira/browse/SLING-12074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17775638#comment-17775638 ]
Carsten Ziegeler commented on SLING-12074:
------------------------------------------

PR in https://github.com/apache/sling-org-apache-sling-scripting-core/pull/26 which uses Sling API for an internal request. This avoids checking for a WebConsoleSecurityProvider2 (which was buggy anyway) and a default servlet being registered just for the console

> ScriptingVariablesConsolePlugin might use wrong security provider
> -----------------------------------------------------------------
>
>                 Key: SLING-12074
>                 URL: https://issues.apache.org/jira/browse/SLING-12074
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting Core 2.4.8
>            Reporter: Carsten Ziegeler
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Scripting Core 2.4.10
>
>
> In order to show the variable bindings, the webconsole plugin introduced with
> SLING-3543 and then refined with SLING-10147 uses a "trick" and actually
> invokes Sling via a servlet to get the requested information.
> The check in the servlet is only checking if there is a
> WebConsoleSecurityProvider2 registered - it is not checking whether it is the
> correct one, nor whether that is actually using Sling authentication.
> With new features added to the Sling API we can completely remove that
> default servlet and let the plugin directly call into Sling. This gives a
> "correct" check, removes the unneeded default servlet and reduces the
> dependency on the web console.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)