[ https://issues.apache.org/jira/browse/SLING-12074?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-12074:
-------------------------------------
    Description: 
In order to show the variable bindings, the webconsole plugin introduced with 
SLING-3543 and then refined with SLING-10147 uses a "trick" and actually 
invokes Sling via a servlet to get the requested information.
The check in the servlet is only checking if there is a 
WebConsoleSecurityProvider2 registered - it is not checking whether it is the 
correct one, nor whether that is actually using Sling authentication.
With new features added to the Sling API we can completely remove that default 
servlet and let the plugin directly call into Sling. This gives a "correct" 
check, removes the unneeded default servlet and reduces the dependency on the 
web console.

  was:
In order to show the variable bindings, the webconsole plugin introduced with 
SLING-3543 uses a "trick" and actually invokes Sling via a servlet to get the 
requested information.
The check in the servlet is only checking if there is a 
WebConsoleSecurityProvider2 registered - it is not checking whether it is the 
correct one, nor whether that is actually using Sling authentication.
With new features added to the Sling API we can completely remove that default 
servlet and let the plugin directly call into Sling. This gives a "correct" 
check, removes the unneeded default servlet and reduces the dependency on the 
web console.


> ScriptingVariablesConsolePlugin might use wrong security provider
> -----------------------------------------------------------------
>
>                 Key: SLING-12074
>                 URL: https://issues.apache.org/jira/browse/SLING-12074
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting Core 2.4.8
>            Reporter: Carsten Ziegeler
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: Scripting Core 2.4.10
>
>
> In order to show the variable bindings, the webconsole plugin introduced with 
> SLING-3543 and then refined with SLING-10147 uses a "trick" and actually 
> invokes Sling via a servlet to get the requested information.
> The check in the servlet is only checking if there is a 
> WebConsoleSecurityProvider2 registered - it is not checking whether it is the 
> correct one, nor whether that is actually using Sling authentication.
> With new features added to the Sling API we can completely remove that 
> default servlet and let the plugin directly call into Sling. This gives a 
> "correct" check, removes the unneeded default servlet and reduces the 
> dependency on the web console.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
