enapps-enorman commented on a change in pull request #7:
URL: https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7#discussion_r583103189



##########
File path: src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java
##########
@@ -91,6 +102,24 @@ protected void activate(ComponentContext context) {
     @Override
     protected void doGet(SlingHttpServletRequest request, 
SlingHttpServletResponse response)
             throws ServletException, IOException {
+        if (webconsoleSecurity == null) {
+            log("Acccess forbidden as the WebConsoleSecurity reference is not 
set");
+            response.sendError(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        } else if (!(webconsoleSecurity instanceof 
WebConsoleSecurityProvider2)) {
+            log("Acccess forbidden as the WebConsoleSecurity reference does 
not implement WebConsoleSecurityProvider2");
+            response.sendError(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        } else if 
(!((WebConsoleSecurityProvider2)webconsoleSecurity).authenticate(request, 
response)) {
+            // the request is terminated without any more response sent back 
to the client.
+            //    The WebConsoleSecurityProvider2 implementation may have sent 
auth challenge to the client
+            //    in the case of anonymous access.
+            if (!response.isCommitted()) {
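Review bot: the `response.isCommitted()` guard is applied only in the third branch (after `authenticate(request, response)` returns false); the first two branches call `response.sendError(HttpServletResponse.SC_FORBIDDEN)` unconditionally, which throws `IllegalStateException` if a filter earlier in the chain has already committed the response. Apply the same guard before `sendError` in all three branches so every deny path behaves consistently. Failing closed when `webconsoleSecurity` is null or is not a `WebConsoleSecurityProvider2` is the right default for a servlet that exposes bindings data. Also fix the typo "Acccess" in both log messages.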

Review comment:
       I guess I didn't think there was a code path where the response was 
touched before the servlet was called.  But I suppose it is possible that some 
filter has done something before calling the servlet, so I'll change it to do 
the same check for all the cases.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

