Hello
We had Geoserver 2.26.2 and configured the rest security as per “Providing anonymous read-only access” → REST Security — GeoServer 2.28.0 User Manual
This worked well and issuing a GET without auth to geoserver/rest/workspaces.json resulted in a collection of workspaces. From 2.27 (and in 2.28.1) it results in an empty collection. Authenticating as admin returns the workspace collection as expected. Same with /layers.json for instance.
The security/rest.properties looks as follows:
# Default REST security configuration.
#
# By default this configuration locks down every rest call. The following is an example of a more
# lax configuration in which read only (GET) access is allowed anonymously:
#
/**;GET=IS_AUTHENTICATED_ANONYMOUSLY
/**;POST,DELETE,PUT=ADMIN
#
# The following is an example of a configuration that could be used with the restconfig plugin in
# which only configuration in a specific workspace is restricted:
#
#/rest/workspaces/topp*;GET=ADMIN
#/rest/workspaces/topp/**;GET=ADMIN
#/**;POST,DELETE,PUT=ADMIN
#
#
#/**;GET=ADMIN
#/**;POST,DELETE,PUT=ADMIN
Please advice whether this is a known issue with Geoserver or whether I’m misunderstanding something : ) I would like to make GET available for the rest interface without authentication in 2.28.1.
Edit. In addition , if the rest.properties file for /**;GET=a role and a user with that role tries a request like mentioned to the rest api then the result is the same, empty collection. It seems as if the authentication requirement is met (in order to receive http200 and not 403 or 401) but when the result is to be produced something goes astray. Unless the user is an admin