[Geoserver-devel] [jira] (GEOS-5990) Accesses to the secured catalog can start before the REQUEST thread local is set

Andrea Aime created BugGEOS-5990
Accesses to the secured catalog can start before the REQUEST thread local is set

Issue Type:

BugBug

Assignee:

Justin Deoliveira

Components:

Configuration

Created:

23/Aug/13 7:32 AM

Description:

During the KVP parse, and while running the init for the dispatcher callbacks, we have the REQUEST thread local set to null, and those can do catalog accesses.

Generally speaking, this is a problem for security systems as they cannot known about the current service, request and and version while evaluating the catalog access request.

However, it should be possible to load version, request and service before doing the rest of the KVP parse, and XML parses normally do not do any validation, thus they should not end up accessing the catalog

Project:

GeoServer

Priority:

MajorMajor

Reporter:

Andrea Aime

This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: [http://www.atlassian.com/software/jira](http://www.atlassian.com/software/jira)