[Geoserver 2.2.2, Tomcat 7.0.22, Win Srvr 2008 R2]
I’m successfully loading files via cURL & REST services but I’m unsure about REST security, particularly with providing access to one workspace only.
The documentation explains how to secure the entire site or a specific resource. The default rest.properties is to lock down every REST call unless the user has the role ADMIN. This was confirmed - a curl request with no user details [curl -v -XGET http://host/geoserver/rest/workspaces/testWksp/] is not granted access, a curl request with ADMIN role [curl -v -u admin:geoserver -XGET http://host/geoserver/rest/workspaces/testWksp/] is granted access.
If I comment out all the lines in the user.properties I get the same results. Note I reload the geoserver deployment in Tomcat after changing the user.properties file.
This suggests that the REST service is secured completely by default and access is granted to users with administrative rights regardless of the lines in the user.properties file.
Ticket GEOS-5139 mentions a patch that was to be applied to 2.2-RC1. I’m not sure where this version sits compared to 2.2.2, which I have installed, i.e., maybe the patch has been applied to the version I’m using but I’m unsure. But this ticket still suggests you need to include the default ‘all request lock’ [/**;GET,POST,PUT,DELETE=ROLE_ADMINISTRATOR] which, by my account, isn’t required.
So, is the default ‘all request lock’ line in user.properties required still? Does this provide any additional security to the REST services?
Thanks in advance for the clarification.
Abe.
[http://docs.geoserver.org/stable/en/user/security/rest.html]
[https://jira.codehaus.org/browse/GEOS-5139]
Richard “Abe” Coughlin
SPATIAL DATA & APPLICATIONS SPECIALIST
Pacific Islands Ocean Observing System
University of Hawaii 1-808-956-0822
www.pacioos.org