[Geoserver-devel] Geoserver start URL matches wrong security filter chain

This is a nasty bug and can be fixed easily, but I want to discuss it to avoid generating side effects.

The URL(s) we are talking about are

http://…/geoserver
http://…/geoserver/

The security web filter chain has the following ant patterns

/web/**
/gwc/rest/web/**

The default filter chain matching all kinds of OGC services has the following ant pattern

/**

The above URLs match the default filter chain and a redirect to http://…/geoserver/web happens. This constellation causes strange behavior. A very simple example:

Activate SSL only on the default filter chain but NOT on the WEB filter chain.

http://…/geoserver becomes https://…/geoserver/web, switching from http to https. This should not happen.

Another example:

Remove the anonymous filter from the default filter chain
http://…/geoserver/web will use form based login, but http://…/geoserver will challenge the principal using basic auth. This is definitely unwanted.

I did some testing and the solution looks simple. It is enough to add the pattern “/” to the web filter chain. The web filter chain would have the following ant patterns.

/web/**
/gwc/rest/web/**
/
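
The chain selection described above, as an added Python example that is not part of this mail or of GeoServer's own code: a minimal Ant-style matcher that picks the first chain whose pattern matches, run with the chains before and after the proposed “/” pattern. The host example.invalid and the rule that the query string is dropped before matching are assumptions of this example, not facts taken from the mail.

```python
import re
from urllib.parse import urlsplit

# Chains in the order they are consulted; the first chain with a matching pattern wins.
# The patterns are the ones quoted in the mail; "after" only adds "/" to the web chain.
CHAINS_BEFORE = [("web", ["/web/**", "/gwc/rest/web/**"]), ("default", ["/**"])]
CHAINS_AFTER = [("web", ["/web/**", "/gwc/rest/web/**", "/"]), ("default", ["/**"])]


def segment_match(pat, seg):
    """Match one path segment: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.fullmatch(regex, seg) is not None


def ant_match(pattern, path):
    """Ant-style match where '**' spans any number of segments (including none)."""
    pat = [p for p in pattern.split("/") if p]   # "/" and "" both become []
    segs = [s for s in path.split("/") if s]

    def rec(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(segs) + 1))
        return j < len(segs) and segment_match(pat[i], segs[j]) and rec(i + 1, j + 1)

    return rec(0, 0)


def servlet_path(url, context="/geoserver"):
    """Path below the context root that the patterns are compared against.
    Assumption of this example: the query string is not part of the matched path."""
    path = urlsplit(url).path
    return path[len(context):] if path.startswith(context) else path


def select_chain(chains, url):
    """Return the name of the first chain whose patterns match the request path."""
    path = servlet_path(url)
    for name, patterns in chains:
        if any(ant_match(p, path) for p in patterns):
            return name
    return None


if __name__ == "__main__":
    for url in ("http://example.invalid/geoserver", "http://example.invalid/geoserver/",
                "http://example.invalid/geoserver/web/", "http://example.invalid/geoserver/wms?SERVICE=WMS"):
        print(url, select_chain(CHAINS_BEFORE, url), "->", select_chain(CHAINS_AFTER, url))
```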

Unfortunately I fear that this minor modification requires a minor migration in the security data dir, and I can fix it in the 2.3.x series.

The precondition I have to know about is:

Are there URLs like

http://…/geoserver?key=value&…

If there are such kinds of URLs, I fear the solution won't work.

Thanks for your hints
Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH