This recently came up as a question from a partner, "In SaaS, can a external program call a JSP in the NOSESSION directory and thereby bypass Bb authentication? This was possible in self and managed hosting of Learn."
I posted the question to our subject matter experts and got several responses that are quite helpful:
You can just add authentication=“N” as an attribute to the <…Page> tag. Obviously, not recommended, nor ideal. Calling an endpoint remotely should have some sort of protection, even if it’s not via Learn. JSP seems like the worst way to accomplish this.
Other than error pages, the only valid purpose I can see for requests NOT using a BbSession is a server/app/db liveness check, and we already have the /webapps/portal/healthCheck servlet for that purpose (which is a nosession servlet, and the only one we have in the app other than error pages). You really don't want to create a session for such requests that should merely check whether the server is up, but you also really shouldn't bombard the server with a multitude of such checks from different tools, or you're bound to introduce stability issues.
There are other valid reasons I can think of.. The scorm AICC endpoint, the webservice endpoints etc all have their own authentication methods that don’t want a learn session. But I agree that they should be very careful about an unauthenticated endpoint.