The GeoServer 2.7.2 security fix breaks POST requests in JBoss. The fix only allows jar, http and https URLs for schemas, but JBoss uses vfs URLs when reading jar files, and GeoServer does not allow those.
WCS 1.0.0
Caused by: org.xml.sax.SAXException:
Entity resolution disallowed for vfs:/var/jboss/workspace/BuildSvr_FNMOC/jboss/geoserver/deployments/geoserver.war/WEB-INF/lib/gt-xsd-wcs-13.2.jar/org/geotools/wcs/getCoverage.xsd
WCS 1.1.1
Caused by: org.xml.sax.SAXException:
Entity resolution disallowed for vfs:/var/jboss/workspace/BuildSvr_FNMOC/jboss/geoserver/deployments/geoserver.war/WEB-INF/lib/gt-xsd-wcs-13.2.jar/org/geotools/wcs/v1_1/wcsAll.xsd
WPS 1.0.0
Caused by: org.xml.sax.SAXException:
Entity resolution disallowed for vfs:/var/jboss/workspace/BuildSvr_FNMOC/jboss/geoserver/deployments/geoserver.war/WEB-INF/lib/gt-xsd-wps-13.2.jar/org/geotools/wps/wpsAll.xsd
ENVIRONMENT:
RHEL 6.x
Java 1.7.0_85-b15 (Oracle)
JBoss 7.1.1 Final
GeoServer 2.7.2
GeoServer WPS plugin 2.7.2
STEPS TO REPRODUCE:
- Start with GeoServer 2.7.2 running in a JBoss 7.1.1 container.
- Copy the image file test_image.tif to the GEOSERVER_DATA_DIR.
- Copy the GeoServer WPS plugin (fnmoc-wps-test-1.0.0.jar) into the <JBOSS_HOME>/standalone/deployments/geoserver.war/WEB-INF/lib directory.
- (Re)start JBoss 7.1.1.
- Create workspace ‘test’ in GeoServer 2.7.2.
- Create GeoTiff layer ‘test_image’ in GeoServer 2.7.2.
- Verify that you can see the layer ‘test:test_image’ in Layer Previewer.
- To see the error, run the following curl commands:
curl -v -XPOST -d @wcs-post-1.0.0.xml -H 'Content-type:application/xml' http://localhost:8080/geoserver/wcs
curl -v -XPOST -d @wcs-post-1.1.1.xml -H 'Content-type:application/xml' http://localhost:8080/geoserver/wcs
curl -v -XPOST -d @test-wps-post-1.0.0.xml -H 'Content-type:application/xml' http://localhost:8080/geoserver/wps
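
The failure described above can be modelled with a small scheme-allowlisting SAX resolver. This is an added example, not GeoServer's own code: the class name, the sample paths and the extra restriction on vfs paths (only .xsd files inside a jar under WEB-INF/lib, the shape seen in the traces) are assumptions of the example.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical resolver (not GeoServer's class): allowlists schema URLs by scheme.
public class SchemeAllowlistResolver implements EntityResolver {
    private final List<String> schemes;
    public SchemeAllowlistResolver(String... allowed) {
        this.schemes = Arrays.asList(allowed);
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        if (!isAllowed(systemId))
            throw new SAXException("Entity resolution disallowed for " + systemId);
        return null; // null: let the parser open the systemId itself
    }

    boolean isAllowed(String systemId) {
        URI uri;
        try {
            uri = URI.create(systemId).normalize(); // collapses "../" segments
        } catch (RuntimeException e) {
            return false; // null or unparseable systemId
        }
        String scheme = uri.getScheme();
        if (scheme == null || !schemes.contains(scheme.toLowerCase(Locale.ROOT))) return false;
        if (!scheme.equalsIgnoreCase("vfs")) return true;
        // Assumption: a vfs: URL can name any local path on JBoss, so accept only
        // .xsd files inside a jar under WEB-INF/lib, the shape seen in the traces.
        String path = uri.getPath();
        return path != null && path.matches(".*/WEB-INF/lib/[^/]+\\.jar/.+\\.xsd");
    }

    public static void main(String[] args) {
        String[] ids = { // constructed sample systemIds
            "jar:file:/srv/app/WEB-INF/lib/gt-xsd-wcs-13.2.jar!/org/geotools/wcs/getCoverage.xsd",
            "vfs:/srv/app/geoserver.war/WEB-INF/lib/gt-xsd-wcs-13.2.jar/org/geotools/wcs/getCoverage.xsd",
            "vfs:/srv/app/geoserver.war/WEB-INF/lib/a.jar/../../../../../../etc/hosts.xsd",
            "file:///etc/hosts" };
        SchemeAllowlistResolver before = new SchemeAllowlistResolver("jar", "http", "https");
        SchemeAllowlistResolver after = new SchemeAllowlistResolver("jar", "http", "https", "vfs");
        for (String id : ids)
            System.out.println(before.isAllowed(id) + " -> " + after.isAllowed(id) + "  " + id);
    }
}
```

With the jar/http/https list, the vfs schema URL is rejected exactly as in the traces; adding vfs accepts it while the traversal and file: inputs stay blocked.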