Whilst working on a CMIS server implementation I happened to be
examining the CmisBrowserBindingServlet class and noticed that for
HTTP POST requests POSTHttpServletRequestWrapper is instantiated
before any authentication checks are carried out (e.g. before
getCallContextHandler() is invoked where a TokenHandler can check the
request).

POSTHttpServletRequestWrapper appears to process multi-part requests
as soon as it is created, getting an output stream to store data.

Unless I am mistaken (and forgive me if I am), it is conceivable that
this approach is vulnerable to Denial of Service attacks: you can send
a bunch of POST requests with multi-part data to the server that will
cause it to allocate memory (if less than the memory threshold) and/or
temp file space (if greater than the memory threshold) and exhaust system
resources.

I would suggest that authentication should be checked before
processing multi-part requests in keeping with best practices (e.g.
rejecting unauthenticated requests as soon as possible).
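As an added sketch of the ordering the post recommends (written for this note, not OpenCMIS code; the class name, `authenticate`, `MAX_MULTIPART_BYTES` and `MultipartRequestWrapper` are assumptions), a `doPost` that rejects unauthenticated requests on header data alone and bounds the declared body size before any wrapper that parses multi-part content is constructed:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class AuthFirstBrowserServlet extends HttpServlet {
    // Assumed upper bound on a multi-part body this servlet will buffer.
    private static final long MAX_MULTIPART_BYTES = 64L * 1024 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authenticate using headers only; nothing from the body has been read.
        if (!authenticate(req)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Refuse oversized or undeclared (chunked, -1) bodies before any
        //    memory or temp-file allocation can happen.
        long declared = req.getContentLengthLong();
        if (declared < 0 || declared > MAX_MULTIPART_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        // 3. Only now construct the wrapper, whose constructor parses the body.
        HttpServletRequest wrapped = isMultipart(req) ? new MultipartRequestWrapper(req) : req;
        resp.setStatus(HttpServletResponse.SC_OK); // hand 'wrapped' to the binding here
    }

    private static boolean isMultipart(HttpServletRequest req) {
        String ct = req.getContentType();
        return ct != null && ct.toLowerCase().startsWith("multipart/form-data");
    }

    // Assumed stand-in for the token handler check: it must consult only
    // headers or query parameters so the body stays unread until it passes.
    private boolean authenticate(HttpServletRequest req) {
        String auth = req.getHeader("Authorization");
        return auth != null && !auth.isEmpty();
    }

    /** Assumed wrapper that consumes and buffers the multi-part body on creation. */
    static class MultipartRequestWrapper extends HttpServletRequestWrapper {
        MultipartRequestWrapper(HttpServletRequest req) throws IOException {
            super(req);
            // Multi-part parsing would run here, after the checks above.
        }
    }
}
```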
