Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
To assist resolving SLING-10147 it would helpful if we could reasonably rely on there always being at least one WebConsoleSecurityProvider service available.
The use case is that a webconsole plugin needs to make http requests outside of the OsgiManager servlet to retrieve some information to display in the plugin UI. The goal is that the security checking of that other endpoint would perform the same security checks that would be needed to access the webconsole itself. Reusing the WebConsoleSecurityProvider service in both places would be ideal.
To make that the case, the proposal is to refactor the default "basic" authentication mechanism of the webconsole into a WebConsoleSecurityProvider class and expose it as a service. A very low service.ranking of this last resort security provider should ensure that any other WebConsoleSecurityProvider component that exists would be used instead.
Attachments
Issue Links
- is required by
-
SLING-10147 scripting variables implementation details are exposed to not authorized users
- Closed
- links to