[Geoserver-devel] [JIRA] (GEOS-11029) OGC API - Tiles + Authkey - can see Vector Tiles with no key or invalid key

Stacy Rendall created an issue

GeoServer / GEOS-11029

OGC API - Tiles + Authkey - can see Vector Tiles with no key or invalid key

Issue Type: Bug

Affects Versions: 2.23.1

Assignee: Unassigned

Components: Vector Tiles

Created: 16/Jun/23 6:33 AM

Environment: Using Docker version of Geoserver, which is 2.23-SNAPSHOT, and extensions/community modules are 2.23-SNAPSHOT from 11th June build

Priority: High

Reporter: Stacy Rendall

http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z}/{y}/{x}?f=application/vnd.mapbox-vector-tile&authkey=f04cc884-0733-42f7-bd37-c8ed3fa6f148

Works correctly, where the provided valid key maps to a role/group/user that is allowed to see the data.

However the following also allow the data to be seen (in my testing sometimes just at certain zoom levels, other times at all zoom levels):

http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z}/{y}/{x}?f=application/vnd.mapbox-vector-tile&authkey=notvalid

http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z}/{y}/{x}?f=application/vnd.mapbox-vector-tile

For comparison the following endpoints will correctly limit access, returning nothing for missing or invalid authkey:
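
Added example (not part of the original report and not GeoServer project code): a regression check that requests tiles from the endpoint in the report with no key and with an invalid key across several zoom levels, and lists any that still return tile data. `find_leaks`, `fake_fetch` and `DEMO_KEY` are hypothetical names; `fake_fetch` is a constructed stand-in server so the check runs offline, and treating a non-empty HTTP 200 body as tile data is an assumption.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Endpoint template from the report; "workspace:dataset" is the report's layer name.
TEMPLATE = ("http://localhost:8080/geoserver/ogc/tiles/v1/collections/"
            "workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z}/{y}/{x}"
            "?f=application/vnd.mapbox-vector-tile")
DEMO_KEY = "constructed-valid-key"  # constructed sample value, not a real key

def tile_url(z, y, x, authkey=None):
    url = TEMPLATE.format(z=z, y=y, x=x)
    return url if authkey is None else f"{url}&authkey={authkey}"

def http_fetch(url):
    """GET url and return (status, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""

def find_leaks(tiles, valid_key, fetch=http_fetch, invalid_key="notvalid"):
    """Return (leaks, skipped). A leak is a tile served without a valid key."""
    leaks, skipped = [], []
    for z, y, x in tiles:
        # Positive control: the tile must hold data when the key is valid,
        # otherwise an empty unauthenticated answer proves nothing.
        status, body = fetch(tile_url(z, y, x, valid_key))
        if status != 200 or not body:
            skipped.append((z, y, x))
            continue
        for variant, key in (("no-key", None), ("invalid-key", invalid_key)):
            status, body = fetch(tile_url(z, y, x, key))
            if status == 200 and body:  # assumption: non-empty 200 body == tile data
                leaks.append((z, y, x, variant))
    return leaks, skipped

def fake_fetch(url):
    """Constructed stand-in server that only enforces authkey below zoom 10."""
    parts = urlsplit(url)
    z = int(parts.path.rsplit(":", 1)[1].split("/")[0])
    key = parse_qs(parts.query).get("authkey", [None])[0]
    if key == DEMO_KEY or z >= 10:
        return 200, b"constructed-tile-bytes"
    return 200, b""

if __name__ == "__main__":
    print(find_leaks([(5, 1, 1), (12, 3, 4)], DEMO_KEY, fetch=fake_fetch))
```

Against a real instance, call `find_leaks(tiles, valid_key)` with the default `http_fetch`; tiles listed in `skipped` had no authenticated data to compare against, so they prove nothing either way.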
