ace-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J.W. Janssen (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (ACE-511) ScriptServlet does not apply security
Date Thu, 28 Jan 2016 10:41:40 GMT

     [ https://issues.apache.org/jira/browse/ACE-511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

J.W. Janssen reassigned ACE-511:
--------------------------------

    Assignee: J.W. Janssen

> ScriptServlet does not apply security
> -------------------------------------
>
>                 Key: ACE-511
>                 URL: https://issues.apache.org/jira/browse/ACE-511
>             Project: ACE
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: 2.0.1
>         Environment: n/a
>            Reporter: Sander Mak
>            Assignee: J.W. Janssen
>            Priority: Critical
>              Labels: ace-next-security
>         Attachments: ACE-511.patch
>
>
> Looking at the sourcecode, authentication on endpoints is enforced by calling AuthenticationService
from the servlet's service() methods. However, the ScriptServlet (executing arbitrary Gogo
scrips) does not call this service.
> I'm not sure what the rationale is for not using an HttpContext and/or Servlet filter
to enforce authentication on all endpoints, but that would have prevented this situations
from arising...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message