>As a side question, please could you clarify is there a proper way (I found some but not sure they are correct) of protecting /service/console on public server? Currently the scripts refreshing could lead to the whole site become unreachable.
To protect the scripts, override the following bean as follows:
This ensure all console webscripts go through the 'webscripts.authenticator.basic' authenticator. We do this in Alfresco Share where we have the 'alfresco-feed' endpoint (used by that authenticator) authenticating using basic http auth against the Alfresco server.
<!-- Override WebScript View Resolver - authenticated for admin webscripts via alfresco-feed connector -->
<bean id="webscriptViewResolver" class="org.springframework.extensions.webscripts.servlet.mvc.WebScriptViewResolver">
<property name="container" ref="webscripts.container" />
<property name="authenticatorFactory" ref="webscripts.authenticator.basic" />
The other option is to remove those scripts from a runtime instance.