Hi,

I developed a plugin about vcenter web client and i  deployed it to vCenter server. I can invoke  the interface directly through the restclient tool。

and web.xml was configed SessionManagementFilter   

ex:

<filter>

      <filter-name>sessionManagementFilter</filter-name>

      <filter-class>com.vmware.vise.security.SessionManagementFilter</filter-class>

   </filter>

<filter-mapping>

       <filter-name>sessionManagementFilter</filter-name>

       <url-pattern>/*</url-pattern>

   </filter-mapping>

I do not know what happened,why person who is not authorized can invoke the interface.

sdk version :vimclients-public-sdk-6.0.0.3633101

vSphere Web Client Version 6.0.0 Build 3617395

plugin develop by html , javascript and java.

So this is a serious problem 。