0 Replies Latest reply on May 12, 2017 6:42 AM by eugeney

    Downloading file by REST API as binary property doesn't use security

    eugeney

      Hello All

       

      We are using the REST service with a custom AdvancedAuthorizationProvider. I found that if I upload a file via the URL http://localhost:8080/modeshape-rest/sample/default/upload/someurl/image.png, security works and my AdvancedAuthorizationProvider is called when I try to get http://localhost:8080/modeshape-rest/sample/default/items/someurl/image.png or http://localhost:8080/modeshape-rest/sample/default/items/someurl/image.png/jcr:content

      Unfortunately, I don't see a call to AdvancedAuthorizationProvider when I try to get the content of the file by requesting http://localhost:8080/modeshape-rest/sample/default/binary/someurl/image.png/jcr:content/jcr:data

       

      I reviewed the source of ModeShape 5.4.1 and found that ModeShape doesn't use security when getting any properties. In other words, if someone knows the URL, anyone can get the file without a call to my AdvancedAuthorizationProvider.

       

      The question: is this behavior expected, or is this a backdoor? If this is an error, should someone create a Jira issue?

       

      Thanks.