This is a nasty bug and can be fixed easily, but I want to discuss it to avoid generating side effects.
The URL(s) we are talking about are
http://…/geoserver
http://…/geoserver/
The security web filter chain has the following ant patterns
/web/**
/gwc/rest/web/**
The default filter chain matching all kinds of OGC services has the following ant pattern
/**
The above URLs match the default filter chain and a redirect to http://…/geoserver/web happens. This constellation causes strange behavior. A very simple example:
Activate SSL only on the default filter chain but NOT on the WEB filter chain.
http://…/geoserver becomes https://…/geoserver/web, switching from http to https. This should not happen.
Another example:
Remove the anonymous filter from the default filter chain
http://…/geoserver/web will use form based login, but http://…/geoserver will challenge the principal using basic auth. This is definitely unwanted.
I did some testing and the solution looks simple. It is enough to add the pattern “/” to the web filter chain. The web filter chain would have the following ant patterns.
/web/**
/gwc/rest/web/**
/
Unfortunately I fear that this minor modification requires a minor migration in the security data dir and I can fix it on the 2.3.x series.
The precondition I have to know about is:
Are there URLs like
http://…/geoserver?key=value&…
If there are such kinds of URLs, I fear the solution won't work.
Thanks for your hints
Christian
–
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
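A small Python model of the chain selection discussed in this post, added here as an illustration and not GeoServer's or Spring Security's own code. It assumes a context path of /geoserver, that chains are matched in order against the path after the context path with the query string ignored, and simplified Ant pattern semantics; under those assumptions it shows why the root URLs fall into the default chain today, and why a URL like /geoserver?service=WMS would follow "/" into the web chain once that pattern is added.

```python
import re
from urllib.parse import urlsplit

# Assumed deployment context path; GeoServer normally runs under /geoserver.
CONTEXT_PATH = "/geoserver"


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regex.
    '**' spans path segments, '*' stays inside one segment, '?' is one char.
    A trailing '/**' also matches the bare prefix (so /web/** matches /web)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def servlet_path(url: str) -> str:
    """Path the chains are matched against (assumption: context path and
    query string are stripped, and an empty remainder is treated as '/')."""
    path = urlsplit(url).path
    if path.startswith(CONTEXT_PATH):
        path = path[len(CONTEXT_PATH):]
    return path or "/"


def select_chain(url: str, chains) -> str:
    """Return the name of the first chain whose patterns match the URL."""
    path = servlet_path(url)
    for name, patterns in chains:
        if any(ant_to_regex(p).match(path) for p in patterns):
            return name
    return "none"


# Chains are consulted in order; the web chain sits before the catch-all default.
CURRENT = [("web", ["/web/**", "/gwc/rest/web/**"]), ("default", ["/**"])]
PROPOSED = [("web", ["/web/**", "/gwc/rest/web/**", "/"]), ("default", ["/**"])]
```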