diff --git a/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java b/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java
index 44efce232e..d8229e0f8a 100644
--- a/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java
+++ b/source/java/org/alfresco/repo/web/scripts/RepositoryContainer.java
@@ -301,6 +301,17 @@ public class RepositoryContainer extends AbstractRuntimeContainer implements Ten
 //
 if (auth == null || auth.authenticate(required, isGuest))
 {
+ // The user will now have been authenticated, based on HTTP Auth, Ticket etc
+ // Check that the user they authenticated as has appropriate access to the script
+
+ // Check to see if they supplied HTTP Auth or Ticket as guest, on a script that needs more
+ isGuest = authorityService.isGuestAuthority(AuthenticationUtil.getFullyAuthenticatedUser());
+ if (isGuest && (required == RequiredAuthentication.user || required == RequiredAuthentication.admin))
+ {
+ throw new WebScriptException(HttpServletResponse.SC_UNAUTHORIZED, "Web Script " + desc.getId() + " requires user authentication; however, a guest has attempted access.");
+ }
+
+ // Check to see if they're admin or system on an Admin only script
 if (required == RequiredAuthentication.admin && !(authorityService.hasAdminAuthority() || AuthenticationUtil.getFullyAuthenticatedUser().equals(AuthenticationUtil.getSystemUserName())))
 {
 throw new WebScriptException(HttpServletResponse.SC_UNAUTHORIZED, "Web Script " + desc.getId() + " requires admin authentication; however, a non-admin has attempted access.");
diff --git a/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java
index 464a02e46a..896e31fa03 100644
--- a/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java
+++ b/source/java/org/alfresco/repo/web/scripts/servlet/BasicHttpAuthenticatorFactory.java
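Review bot: The added `isGuest = authorityService.isGuestAuthority(...)` line overwrites the `isGuest` parameter with a different meaning — on entry it is the caller's explicit guest request that was just passed to `auth.authenticate(required, isGuest)`, after the assignment it means "the authenticated principal is a guest authority" — so any later read of `isGuest` in this method (outside the hunk) now sees the second meaning; a separate local, `boolean authenticatedAsGuest = authorityService.isGuestAuthority(currentUser);`, keeps the two distinct. Binding the principal once, `final String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();`, also avoids the second lookup in the admin check below and makes the `auth == null` branch explicit: the hunk does not show that a user is set on that path, so `isGuestAuthority(null)` and the existing `.equals(...)` call would need a null guard there if it can be reached. Rejecting an authenticated guest with 401 is consistent with the existing admin check and lets a client re-authenticate with stronger credentials. The enclosing method starts and ends outside the hunk.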
@@ -116,7 +116,8 @@ public class BasicHttpAuthenticatorFactory implements ServletAuthenticatorFactor
 logger.debug("URL ticket provided: " + (ticket != null && ticket.length() > 0));
 }
- // authenticate as guest, if service allows
+ // If they requested explicit guest authentication,
+ // Authenticate as guest (if allowed)
 if (isGuest && RequiredAuthentication.guest == required)
 {
 if (logger.isDebugEnabled())