[Geoserver-devel] [JIRA] (GEOS-9602) Changing GeoServer admin password via REST requires a reload before the password is used

Richard Sharp created an issue

GeoServer / Bug GEOS-9602

Changing GeoServer admin password via REST requires a reload before the password is used

Issue Type: Bug
Affects Versions: 2.17.0
Assignee: Unassigned
Created: 01/May/20 6:04 AM
Environment: Debian 10.3
Priority: Medium
Reporter: Richard Sharp

To recreate, first create a new admin password:

>>> curl -u admin:geoserver -X PUT http://localhost:8080/geoserver/rest/security/self/password -H "accept: application/json" -H "content-type: application/json" -d "{ \"newPassword\": \"test\"}"

Note the log indicates the change was successful:

29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [security.xml] - Successful lock: security/usergroup/default/users.xml.lock
29 Apr 20:44:48 INFO [geoserver.security] - Start storing user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Storing user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml
29 Apr 20:44:48 INFO [geoserver.rest] - Changed password for user admin

Then observe the new password does not work:

>>> curl -u admin:test -X GET http://localhost:8080/geoserver/rest/layers -H "accept: application/json"

29 Apr 20:46:27 WARN [geoserver.security] - Failed login, user admin from 172.17.0.1
29 Apr 20:46:27 INFO [geoserver.security] - Brute force attack prevention, delaying login for 1385ms

But the original password works fine:

>>> curl -u admin:geoserver -X GET http://localhost:8080/geoserver/rest/layers -H "accept: application/json"
{"layers":{"layer":[{"name":"tiger:giant_polygon","href":"http:\/\/localhost:8080\/geoserve....
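
A post-change check for the behaviour reported above, as an added example that is not part of the original report or of GeoServer: it probes /rest/layers with the old and the new password and classifies the outcome. The function names, the GEOSERVER_URL variable and the assumption that rejected credentials return HTTP 401 are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the report: verify that a password change took effect.
# Endpoint and header are the ones used in the report; names here are hypothetical.

BASE_URL="${GEOSERVER_URL:-http://localhost:8080/geoserver}"

# Print the HTTP status code for an authenticated GET of /rest/layers.
probe_status() {  # $1=user $2=password
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" \
        -H "accept: application/json" "$BASE_URL/rest/layers"
}

# Classify a rotation from two status codes.
# Assumption: 200 = credentials accepted, 401 = credentials rejected.
rotation_verdict() {  # $1=status with OLD password, $2=status with NEW password
    case "$1:$2" in
        401:200) echo "ok" ;;                 # old rejected, new accepted
        200:401) echo "stale-credentials" ;;  # symptom in this report: change not in effect
        200:200) echo "old-still-valid" ;;    # both passwords authenticate
        401:401) echo "locked-out" ;;         # neither password authenticates
        *)       echo "inconclusive" ;;       # 000 (no connection), 403, 5xx, ...
    esac
}

# Probe with both passwords; succeed only when the rotation is fully effective.
check_rotation() {  # $1=user $2=old password $3=new password
    old_code=$(probe_status "$1" "$2")
    new_code=$(probe_status "$1" "$3")
    verdict=$(rotation_verdict "$old_code" "$new_code")
    echo "old=$old_code new=$new_code verdict=$verdict"
    [ "$verdict" = "ok" ]
}

# Runs only when called with three arguments, e.g.:
#   sh check_rotation.sh admin geoserver test
if [ "$#" -eq 3 ]; then
    check_rotation "$1" "$2" "$3"
fi
```

Each rejected probe is logged as a failed login and is subject to the brute-force delay shown in the log above, so run the check once per rotation rather than in a tight loop.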
