[ 
https://issues.apache.org/jira/browse/SLING-12074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17775638#comment-17775638
 ] 

Carsten Ziegeler commented on SLING-12074:
------------------------------------------

PR in https://github.com/apache/sling-org-apache-sling-scripting-core/pull/26 
which uses Sling API for an internal request. This avoids checking for a 
WebConsoleSecurityProvider2 (which was buggy anyway) and a default servlet 
being registered just for the console.

> ScriptingVariablesConsolePlugin might use wrong security provider
> -----------------------------------------------------------------
>
>                 Key: SLING-12074
>                 URL: https://issues.apache.org/jira/browse/SLING-12074
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting Core 2.4.8
>            Reporter: Carsten Ziegeler
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Scripting Core 2.4.10
>
>
> In order to show the variable bindings, the webconsole plugin introduced with 
> SLING-3543 and then refined with SLING-10147 uses a "trick" and actually 
> invokes Sling via a servlet to get the requested information.
> The check in the servlet is only checking if there is a 
> WebConsoleSecurityProvider2 registered - it is not checking whether it is the 
> correct one, nor whether that is actually using Sling authentication.
> With new features added to the Sling API we can completely remove that 
> default servlet and let the plugin directly call into Sling. This gives a 
> "correct" check, removes the unneeded default servlet and reduces the 
> dependency on the web console.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
