Method security is case sensitive
---------------------------------
Key: GEOS-4012
URL: http://jira.codehaus.org/browse/GEOS-4012
Project: GeoServer
Issue Type: Bug
Components: Security
Affects Versions: 1.7.7, 1.7.x
Environment: GeoServer 1.7.7
Reporter: Craig McIlwee
Assignee: Andrea Aime
I set up security on WFS.GetFeature, but if the client uses some other case (e.g. getfeature) in the URL then security is bypassed.
# Add to security.properties: {{wfs.GetFeature=ROLE_WFS_READ}}
# Add to users.properties: {{test=test,ROLE_WFS_READ}}
# Navigate to {{http://localhost:8080/geoserver/wfs?request=GetFeature&service=wfs&version=1.0.0&typename=topp:states}}, confirm authentication prompt in browser
# Navigate to {{http://localhost:8080/geoserver/wfs?request=getfeature&service=wfs&version=1.0.0&typename=topp:states}} (note case change in request param), you will get the data without authenticating first
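
An added example, not GeoServer's code and not part of the original report: a small Python model of the rule lookup, showing how an exact-case match on the `service.method` key lets the lowercase request through and how folding case on both sides closes the gap. The function names are hypothetical, and the model assumes that a request with no matching rule is served without authentication.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed input: the rule line quoted in the report, in security.properties form.
RULES_TEXT = "wfs.GetFeature=ROLE_WFS_READ\n"
URL_CANONICAL = ("http://localhost:8080/geoserver/wfs?request=GetFeature"
                 "&service=wfs&version=1.0.0&typename=topp:states")
URL_LOWERCASE = URL_CANONICAL.replace("request=GetFeature", "request=getfeature")


def parse_rules(text):
    """Parse 'service.method=ROLE[,ROLE]' lines into {(service, method): roles}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, roles = line.partition("=")
        service, _, method = key.partition(".")
        rules[(service.strip(), method.strip())] = {
            r.strip() for r in roles.split(",") if r.strip()}
    return rules


def request_key(url):
    """Return (service, request) from a key-value-pair URL."""
    params = {k.lower(): v for k, v in parse_qsl(urlsplit(url).query)}
    return params.get("service", ""), params.get("request", "")


def required_roles_exact(rules, url):
    """Case-sensitive lookup, the behaviour the report describes."""
    # Assumption: no matching rule means the request is unrestricted.
    return rules.get(request_key(url), set())


def required_roles_folded(rules, url):
    """Fold case on both the rule key and the request before comparing."""
    folded = {(s.casefold(), m.casefold()): r for (s, m), r in rules.items()}
    service, method = request_key(url)
    return folded.get((service.casefold(), method.casefold()), set())


RULES = parse_rules(RULES_TEXT)
```

An empty set returned for a request that the service still executes is the signal to look for when auditing a rule table like this one.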