kwin commented on a change in pull request #7: URL: https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7#discussion_r582613339
########## File path: src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java ########## @@ -91,6 +102,24 @@ protected void activate(ComponentContext context) { @Override protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException { + if (webconsoleSecurity == null) { + log("Acccess forbidden as the WebConsoleSecurity reference is not set"); Review comment: small typo: Acccess -> access ########## File path: src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java ########## @@ -91,6 +102,24 @@ protected void activate(ComponentContext context) { @Override protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException { + if (webconsoleSecurity == null) { + log("Acccess forbidden as the WebConsoleSecurity reference is not set"); + response.sendError(HttpServletResponse.SC_FORBIDDEN); + return; + } else if (!(webconsoleSecurity instanceof WebConsoleSecurityProvider2)) { + log("Acccess forbidden as the WebConsoleSecurity reference does not implement WebConsoleSecurityProvider2"); + response.sendError(HttpServletResponse.SC_FORBIDDEN); + return; + } else if (!((WebConsoleSecurityProvider2)webconsoleSecurity).authenticate(request, response)) { + // the request is terminated without any more response sent back to the client. + // The WebConsoleSecurityProvider2 implementation may have sent auth challenge to the client + // in the case of anonymous access. + if (!response.isCommitted()) { Review comment: why the check for isCommitted only here and not for the other two cases? ########## File path: src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java ########## 
@@ -91,6 +102,24 @@ protected void activate(ComponentContext context) { @Override protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException { + if (webconsoleSecurity == null) { + log("Acccess forbidden as the WebConsoleSecurity reference is not set"); + response.sendError(HttpServletResponse.SC_FORBIDDEN); + return; + } else if (!(webconsoleSecurity instanceof WebConsoleSecurityProvider2)) { + log("Acccess forbidden as the WebConsoleSecurity reference does not implement WebConsoleSecurityProvider2"); Review comment: small typo: Acccess -> access
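Review bot: The `webconsoleSecurity == null` branch at the top of `doGet` is already covered by the `instanceof` branch that follows it, because `null instanceof WebConsoleSecurityProvider2` evaluates to false. The two branches therefore differ only in their log message while repeating the same `response.sendError(HttpServletResponse.SC_FORBIDDEN)` and `return`. Either fold them into a single deny branch, or keep both for the distinct messages and drop the `else` after each `return`, so that the three guards read as independent fail-closed checks. Returning 403 for both misconfiguration states keeps the servlet deny-by-default when no usable security provider is bound, and that behaviour should stay as it is.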