[Geoserver-devel] [JIRA] (GEOS-9270) Mixed catalog mode makes WFS getFeature POST with OGC filter fail (403 forbidden) when user has no permissions for unrelated workspace

Sander Kleykens created an issue

GeoServer / Bug GEOS-9270

Mixed catalog mode makes WFS getFeature POST with OGC filter fail (403 forbidden) when user has no permissions for unrelated workspace

Issue Type:

Bug

Affects Versions:

2.15.0

Assignee:

Unassigned

Components:

Security

Created:

26/Jun/19 1:36 PM

Priority:

Medium

Reporter:

Sander Kleykens

How to reproduce

1. Start with a clean GeoServer instance

  1. Enable hide or challenge catalog mode

  2. Create workspaces ‘au’ and ‘am’

  3. Create 1 layer in workspace ‘au’ (with name ‘a’) and 1 layer in workspace ‘am’ (with name ‘b’) from shapefiles

  4. Add a role “Reader”

  5. Add a user “Reader” and make him a member of the role “Reader”

  6. Add a security rule for ‘au.a’ and only allow the “Reader” role to read

  7. Add a security rule for ‘am.b’ and only allow the “ADMIN” role to read

  8. Perform a POST request to ‘/wfs?REQUEST=GetFeature&VERSION=1.1.0&SERVICE=WFS’ with basic authentication using the “Reader” user and an OGC filter in the POST data. For example:

    <?xml version="1.0" encoding="UTF-8"?>
    <wfs:GetFeature xmlns:au="http://localhost:8085/au"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:wfs="http://www.opengis.net/wfs"
                    xmlns:gml="http://www.opengis.net/gml"
                    xmlns:ogc="http://www.opengis.net/ogc"
                    xmlns:ows="http://www.opengis.net/ows"
                    xmlns:xlink="http://www.w3.org/1999/xlink"
                    outputFormat="text/xml; subtype=gml/3.1.1"
                    resultType="results" service="WFS" version="1.1.0">
      <wfs:Query srsName="urn:x-ogc:def:crs:EPSG:31370" typeName="au:CNTR_RG_01M_2016_4326">
        <ogc:Filter>
          <ogc:PropertyIsEqualTo>
            <ogc:PropertyName>CNTR_ID</ogc:PropertyName>
            <ogc:Literal>BE</ogc:Literal>
          </ogc:PropertyIsEqualTo>
        </ogc:Filter>
      </wfs:Query>
    </wfs:GetFeature>

  9. See that the request succeeds and returns results (if the OGC filter matches features)

  10. Change the catalog mode to mixed

  11. Try the request again

  12. See that the request fails with a 403 forbidden HTTP code

Expected behavior

Since the OGC filter used for the getFeature request limits our search to a specific layer, the request should succeed in mixed catalog mode, just as it does in challenge or hide mode.
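A small access check that performs step 8 against a running instance, so the result can be compared after switching the catalog mode in step 10. This is an added example, not code from the report or from GeoServer; the base URL, the Reader password and the layer name `a` (readable by the Reader role per the steps above) are assumptions.

```python
"""Access check for the report above: POST a filtered WFS 1.1.0 GetFeature as the
"Reader" user and report the HTTP status, so each catalog mode can be compared."""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WFS_NS = "http://www.opengis.net/wfs"
OGC_NS = "http://www.opengis.net/ogc"


def build_getfeature(workspace, ns_uri, layer, prop, value):
    """Build the GetFeature body from the issue: one Query on workspace:layer
    restricted by an ogc:PropertyIsEqualTo filter on prop == value."""
    ET.register_namespace("wfs", WFS_NS)
    ET.register_namespace("ogc", OGC_NS)
    root = ET.Element(f"{{{WFS_NS}}}GetFeature", {
        "service": "WFS", "version": "1.1.0", "resultType": "results",
        "outputFormat": "text/xml; subtype=gml/3.1.1"})
    root.set(f"xmlns:{workspace}", ns_uri)  # workspace namespace, as in the issue
    query = ET.SubElement(root, f"{{{WFS_NS}}}Query",
                          {"typeName": f"{workspace}:{layer}"})
    eq = ET.SubElement(ET.SubElement(query, f"{{{OGC_NS}}}Filter"),
                       f"{{{OGC_NS}}}PropertyIsEqualTo")
    ET.SubElement(eq, f"{{{OGC_NS}}}PropertyName").text = prop
    ET.SubElement(eq, f"{{{OGC_NS}}}Literal").text = value
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(root, encoding="unicode")


def post_getfeature(base_url, user, password, body, timeout=30):
    """POST body to the WFS endpoint with HTTP Basic auth and return the status
    code (the report sees 200 in hide/challenge mode, 403 in mixed mode)."""
    req = urllib.request.Request(
        base_url + "/wfs?REQUEST=GetFeature&VERSION=1.1.0&SERVICE=WFS",
        data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive here instead of as an exception


if __name__ == "__main__":
    # Assumed values: base URL and password are not in the report; au:a is the
    # layer the Reader role may read, CNTR_ID/BE mirror the report's filter.
    base_url, password = "http://localhost:8085/geoserver", "CHANGE_ME"
    body = build_getfeature("au", "http://localhost:8085/au", "a", "CNTR_ID", "BE")
    status = post_getfeature(base_url, "Reader", password, body)
    print(f"au:a as Reader -> HTTP {status} (expected 200 in every catalog mode)")
```

Run it once in hide or challenge mode and once in mixed mode; a 403 on the second run with no other change reproduces the report.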



This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100105-sha1:1febb2f)
