[Geoserver-users] Cannot disable security on GWC REST API

GeoServer 2.8.2 with Jetty 9.3

I am trying to disable authentication entirely on the geoserver/gwc/rest endpoint to make it easier for our applications to automate cache truncation when data updates are loaded.

I have tried:

  1. Updating rest.properties under data_dir/security to this:

/**;GET=IS_AUTHENTICATED_ANONYMOUSLY

/**;POST,DELETE,PUT=IS_AUTHENTICATED_ANONYMOUSLY

This seems to have no effect. Maybe it's only tied to the geoserver/rest endpoint?

  2. Disabling security on the gwc filter chain using the admin web interface. Also, have tried adding the anonymous filter and removing the basic filter in this filter chain’s settings.

Oddly enough, it seems to switch itself back to default settings after the configuration reloads (either manual reload on server status page or server restart)

I am testing this by using curl as described here: http://docs.geoserver.org/stable/en/user/geowebcache/rest/seed.html


Jason Newmoyer
Newmoyer Geospatial Solutions
843.606.0424
jason@anonymised.com

Still haven’t figured this one out. Reposting. Thanks.


Jason Newmoyer
Newmoyer Geospatial Solutions
843.606.0424
jason@anonymised.com

On Thu, Apr 7, 2016, at 12:10 PM, Jason Newmoyer wrote:

> 1. Updating rest.properties under data_dir/security to this:
>
> /**;GET=IS_AUTHENTICATED_ANONYMOUSLY
>
> /**;POST,DELETE,PUT=IS_AUTHENTICATED_ANONYMOUSLY
>
> This seems to have no effect. Maybe it's only tied to the geoserver/rest endpoint?

Yes, the GWC and GS REST APIs are completely separate so changing the security on one has no effect on the other.

> 2. Disabling security on the gwc filter chain using the admin web interface. Also, have tried adding the anonymous filter and removing the basic filter in this filter chain’s settings.
>
> Oddly enough, it seems to switch itself back to default settings after the configuration reloads (either manual reload on server status page or server restart)
>
> I am testing this by using curl as described here: http://docs.geoserver.org/stable/en/user/geowebcache/rest/seed.html

That’s really odd. Before you reload the change is in effect and gives you the behaviour you want though? I did a quick test on 2.9 and disabling the security on the chain and adding the anonymous filter allowed for unauthenticated access and it persists over restart and reload.

You might try checking if DATA_DIR/security/config.xml is getting updated when you save the change.

Kevin Michael Smith

smithkm@anonymised.com

The config.xml is not updating. What could be the cause of that?

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/Cannot-disable-security-on-GWC-REST-API-tp5257280p5260869.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Seems there might be a bug with the security module there. Any changes to the filter chains do not get saved to the config.xml file.

After manually updating the config.xml to disable security on the gwc filter chain, then restarting the server, it worked fine. Reloading the catalog/config did not do the trick.

Thanks.


On Tue, Apr 12, 2016 at 9:32 AM, jnewmoyer <jason@anonymised.com> wrote:

> The config.xml is not updating. What could be the cause of that?




Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Jason Newmoyer
Newmoyer Geospatial Solutions
843.606.0424
jason@anonymised.com
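
One way to confirm what a manual edit of DATA_DIR/security/config.xml left in place, as an added example that is not from the thread or from GeoServer: it reads the filter-chain section and reports whether the chain covering a request path is disabled or includes the anonymous filter. The element and attribute names, the constructed sample and first-match chain ordering are assumptions to check against your own file.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread. The element and attribute names are an
# assumption about how security/config.xml stores chains; check your own file.
SAMPLE_CONFIG = """<security><filterChain>
  <filters name="web" path="/web/**,/gwc/rest/web/**,/" disabled="false">
    <filter>form</filter><filter>anonymous</filter>
  </filters>
  <filters name="gwc" path="/gwc/rest/**" disabled="true">
    <filter>basic</filter>
  </filters>
  <filters name="default" path="/**" disabled="false">
    <filter>basic</filter>
  </filters>
</filterChain></security>"""

def _matches(pattern, path):
    # Simplified Ant-style match: a trailing /** also covers the bare prefix.
    if pattern.endswith("/**") and path == pattern[:-3]:
        return True
    return fnmatch.fnmatchcase(path, pattern)

def chain_for(xml_text, path):
    """Return (name, disabled, filters) for the first chain matching path."""
    for chain in ET.fromstring(xml_text).iter("filters"):
        patterns = [p.strip() for p in chain.get("path", "").split(",")]
        if any(_matches(p, path) for p in patterns if p):
            filters = [f.text.strip() for f in chain.findall("filter") if f.text]
            return chain.get("name"), chain.get("disabled") == "true", filters
    return None

def allows_unauthenticated(xml_text, path):
    """True if the matching chain is disabled or includes the anonymous filter."""
    match = chain_for(xml_text, path)
    if match is None:
        return False
    _, disabled, filters = match
    return disabled or "anonymous" in filters

if __name__ == "__main__":
    # Paths are relative to the GeoServer context root (assumption).
    for p in ("/gwc/rest/seed/layer.xml", "/gwc/rest", "/rest/workspaces"):
        print(p, chain_for(SAMPLE_CONFIG, p), allows_unauthenticated(SAMPLE_CONFIG, p))
```

Running it against the real file before and after a save in the admin interface also shows whether the change reached disk, which is the symptom reported in the thread.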