[Geoserver-devel] [JIRA] (GEOS-9795) Geowebcache does not check security data rules on WTMS requests

Karl created an issue

GeoServer / Bug GEOS-9795

Geowebcache does not check security data rules on WTMS requests

Issue Type: Bug

Affects Versions: 2.18.0

Assignee: Unassigned

Created: 18/Nov/20 3:09 AM

Environment:
Ubuntu 20.04.1 LTS
openjdk version “11.0.9.1” 2020-11-04

Priority: Medium

Reporter: Karl

I have defined this data security config, so all access in READ to anything must be authenticated:

*.*.r 	ROLE_AUTHENTICATED
*.*.w 	GROUP_ADMIN,ADMIN
*.*.a 	GROUP_ADMIN,ADMIN

But it seems that if a client requests WMTS tiles without authentication, and they are cached by GWC, they are returned to the client instead of returning a 401 error, which is a big security hole…

I came across this conversation from 2013 which sums up my problem: http://osgeo-org.1560.x6.nabble.com/Unable-to-get-GeoServer-GWC-to-apply-authentication-to-my-WMTS-tile-requests-td5085389.html

It looked like a patch was merged in the past, but today I encounter the exact same problem…
https://github.com/geoserver/geoserver/pull/341
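
A check for the behaviour reported above, as an added example that is not part of the original issue or of GeoServer's own code: it sends one WMTS GetTile request with no credentials and reports whether the `*.*.r ROLE_AUTHENTICATED` rule was enforced. The base URL and layer name are placeholders, and the `geowebcache-cache-result` response header is assumed to be present on tile responses.

```python
import urllib.error
import urllib.parse
import urllib.request

def wmts_gettile_url(base, layer, gridset="EPSG:4326", z=0, row=0, col=0):
    """Build a WMTS KVP GetTile URL for GeoServer's embedded GWC endpoint."""
    params = {
        "SERVICE": "WMTS", "VERSION": "1.0.0", "REQUEST": "GetTile",
        "LAYER": layer, "STYLE": "", "FORMAT": "image/png",
        "TILEMATRIXSET": gridset, "TILEMATRIX": f"{gridset}:{z}",
        "TILEROW": row, "TILECOL": col,
    }
    return base.rstrip("/") + "/gwc/service/wmts?" + urllib.parse.urlencode(params)

def classify(status, content_type, cache_result=None):
    """Compare an anonymous response with what '*.*.r ROLE_AUTHENTICATED' requires."""
    if status in (401, 403):
        return "enforced"
    if status == 200 and (content_type or "").startswith("image/"):
        # A tile came back without credentials; HIT means GWC served it from its cache.
        return "leaked-from-cache" if (cache_result or "").upper() == "HIT" else "leaked"
    return "inconclusive"  # e.g. 400/404 or an exception report: fix the request first

def check_anonymous(url, timeout=10):
    """Send one GetTile with no credentials; return (verdict, HTTP status or None)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry headers
        status, headers = err.code, err.headers
    except urllib.error.URLError:           # server not reachable
        return "unreachable", None
    verdict = classify(status, headers.get("Content-Type"),
                       headers.get("geowebcache-cache-result"))
    return verdict, status

if __name__ == "__main__":
    # Placeholder values (assumptions): use your own server and a layer whose
    # tiles an authenticated client has already requested, so they are cached.
    url = wmts_gettile_url("http://localhost:8080/geoserver", "workspace:layer")
    print(url)
    print(check_anonymous(url))
```

With the rule set from the report, any verdict other than `enforced` for a protected layer means anonymous clients can read its tiles.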
