enapps-enorman commented on a change in pull request #7: URL: https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7#discussion_r583103189
########## File path: src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java ########## @@ -91,6 +102,24 @@ protected void activate(ComponentContext context) { @Override protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException { + if (webconsoleSecurity == null) { + log("Acccess forbidden as the WebConsoleSecurity reference is not set"); + response.sendError(HttpServletResponse.SC_FORBIDDEN); + return; + } else if (!(webconsoleSecurity instanceof WebConsoleSecurityProvider2)) { + log("Acccess forbidden as the WebConsoleSecurity reference does not implement WebConsoleSecurityProvider2"); + response.sendError(HttpServletResponse.SC_FORBIDDEN); + return; + } else if (!((WebConsoleSecurityProvider2)webconsoleSecurity).authenticate(request, response)) { + // the request is terminated without any more response sent back to the client. + // The WebConsoleSecurityProvider2 implementation may have sent auth challenge to the client + // in the case of anonymous access. + if (!response.isCommitted()) { Review comment: I guess I didn't think there was a code path where the response was touched before the servlet was called. But I suppose it is possible that some filter has done something before calling the servlet, so I'll change it to do the same check for all the cases. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
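Review bot: The first two branches call `response.sendError(HttpServletResponse.SC_FORBIDDEN)` without the `response.isCommitted()` guard that the third branch applies, so if a filter has already committed the response before this servlet runs, `sendError` throws an `IllegalStateException` instead of quietly terminating the request. Since the same guard is needed in every branch, a small private helper (for example `sendForbidden(response, reason)` that logs, checks `isCommitted()`, and then calls `sendError`) would keep the three paths consistent and make the fail-closed behaviour (no provider, or a provider that is not a `WebConsoleSecurityProvider2`, means 403) easy to verify. Minor: both log messages spell "Acccess" with three c's.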