I am fine with both solutions but I have a slight preference for A. I am not sure that every WebConsoleSecurityProvider2 implementation works if called inside Sling. Some filters or request dispatcher includes may lead to hiding the credentials, so that the authenticate method may return false although the user is in fact authenticated.

Thanks for trying to solve this,
Konrad

> On 24. Feb 2021, at 22:00, Eric Norman <[email protected]> wrote:
>
> RE: SLING-10147 <https://issues.apache.org/jira/browse/SLING-10147> - scripting
> variables implementation details are exposed to not authorized users
>
> The comments from the issue have revealed different opinions on the best
> way to solve this. You may review the comments in jira for the details.
>
> I have prepared 2 pull requests with an attempt at a solution for the 2
> different approaches for your consideration:
>
> A. PR #5
> <https://github.com/apache/sling-org-apache-sling-scripting-core/pull/5> -
> works with or without WebConsoleSecurityProvider2 service existing, but is
> a more complex implementation with more code.
>
> B. PR #7
> <https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7>
> - requires WebConsoleSecurityProvider2 service to exist but is a
> simpler implementation with less code.
>
>
> Please vote to express your preference:
>
> [ ] +1A Approve the solution from PR #5
> [ ] +1B Approve the solution from PR #7
> [ ] 0 Don't care
> [ ] -1 Neither solution, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Eric Norman
