Carsten Ziegeler created SLING-12074:
----------------------------------------
Summary: ScriptingVariablesConsolePlugin might use wrong security
provider
Key: SLING-12074
URL: https://issues.apache.org/jira/browse/SLING-12074
Project: Sling
Issue Type: Bug
Components: Scripting
Affects Versions: Scripting Core 2.4.8
Reporter: Carsten Ziegeler
Assignee: Carsten Ziegeler
Fix For: Scripting Core 2.4.10
In order to show the variable bindings, the webconsole plugin introduced with
SLING-3543 uses a "trick" and actually invokes Sling via a servlet to get the
requested information.
The check in the servlet is only checking if there is a
WebConsoleSecurityProvider2 registered - it is not checking whether it is the
correct one, nor whether that is actually using Sling authentication.
With new features added to the Sling API we can completely remove that default
servlet and let the plugin directly call into Sling. This gives a "correct"
check, removes the unneeded default servlet and reduces the dependency on the
web console.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
