[ https://issues.apache.org/jira/browse/SLING-12074?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler resolved SLING-12074. -------------------------------------- Resolution: Fixed > ScriptingVariablesConsolePlugin might use wrong security provider > ----------------------------------------------------------------- > > Key: SLING-12074 > URL: https://issues.apache.org/jira/browse/SLING-12074 > Project: Sling > Issue Type: Bug > Components: Scripting > Affects Versions: Scripting Core 2.4.8 > Reporter: Carsten Ziegeler > Assignee: Carsten Ziegeler > Priority: Major > Fix For: Scripting Core 2.4.10 > > > In order to show the variable bindings, the webconsole plugin introduced with > SLING-3543 and then refined with SLING-10147 uses a "trick" and actually > invokes Sling via a servlet to get the requested information. > The check in the servlet is only checking if there is a > WebConsoleSecurityProvider2 registered - it is not checking whether it is the > correct one, nor whether that is actually using Sling authentication. > With new features added to the Sling API we can completely remove that > default servlet and let the plugin directly call into Sling. This gives a > "correct" check, removes the unneeded default servlet and reduces the > dependency on the web console. -- This message was sent by Atlassian Jira (v8.20.10#820010)