ace-commits mailing list archives

From "Sander Mak (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ACE-511) ScriptServlet does not apply security
Date Thu, 22 Jan 2015 16:10:38 GMT
Sander Mak created ACE-511:
------------------------------

             Summary: ScriptServlet does not apply security
                 Key: ACE-511
                 URL: https://issues.apache.org/jira/browse/ACE-511
             Project: ACE
          Issue Type: Bug
          Components: Authentication
    Affects Versions: 2.0.1
         Environment: n/a
            Reporter: Sander Mak
            Priority: Critical


Looking at the source code, authentication on endpoints is enforced by calling AuthenticationService
from the servlet's service() methods. However, the ScriptServlet (executing arbitrary Gogo
scripts) does not call this service.

I'm not sure what the rationale is for not using an HttpContext and/or Servlet filter to enforce
authentication on all endpoints, but that would have prevented this situation from arising...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
