Problems with OIDC Bearer setup

pamroe · March 24, 2025, 1:37pm

Hi,

I have configured my Geonetwork (v4.4.6) instance to work with OIDC, using Keycloak as IDP. When using the web interface, this works as expected, redirecting to login and back, then creating rows in the Geonetwork DB for user and group based on information from Keycloak.
For instance, if my Keycloak user is named “test-user” and has a role like “test:Reviewer”, this is interpreted correctly and a new user row with name=“test-user” and profile=“Reviewer” is set, as well as the group row “test”. However, with CSW transactions, the same does not work. If a user which has not previously logged in via the web interface, tries to make a request to the csw-publication endpoint, I get the following response:

200 OK
<?xml version="1.0" encoding="UTF-8"?>
<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2.0" xsi:schemaLocation="http://www.opengis.net/ows http://schemas.opengis.net/ows/1.0.0/owsExceptionReport.xsd">
    <ows:Exception exceptionCode="NoApplicableCode">
        <ows:ExceptionText>Cannot process transaction: Service not allowed</ows:ExceptionText>
    </ows:Exception>
</ows:ExceptionReport>

Whereas if I’ve logged in once via web, then make a request to csw-publication, it works as expected, setting group and user ownership of the metadata record. Is this expected behaviour, or am I missing something?

From the logs (see below), it looks like the intended behaviour is to add the user, but it seems like this step fails. The metadata record gets inserted, but not indexed, and ownership (group/user) is NULL.

Best regards,
Pål Marius

My ENV-vars that I use for OIDC bearer setup:

GEONETWORK_SECURITY_TYPE: openidconnectbearer
OPENIDCONNECT_CLIENTSECRET: <my-secret>
OPENIDCONNECT_CLIENTID: <my-client-id>
OPENIDCONNECT_SERVERMETADATA_CONFIG_URL: https://<my-keycloak-server>/realms/<my-realm>/.well-known/openid-configuration
OPENIDCONNECT_IDTOKENROLELOCATION: resource_access.<my-client-id>.roles
OPENIDCONNECT_LOGSENSITIVE_INFO: "true"

Excerpt from Geonetworks logs:

2025-03-24 14:22:10 2025-03-24T14:22:10,226 DEBUG [geonetwork.security] - Adding a new user: test@example.com(0) - RegisteredUser
2025-03-24 14:22:10 2025-03-24T14:22:10,226 DEBUG [geonetwork.security] - Identified group:profile (test:Reviewer) from user token.
2025-03-24 14:22:10 2025-03-24T14:22:10,227 DEBUG [geonetwork.security] - Identified group:profile (test:Reviewer) from user token.
2025-03-24 14:22:10 2025-03-24T14:22:10,233 DEBUG [org.hibernate.SQL] - select distinct usergroup0_.groupId as col_0_0_ from UserGroups usergroup0_ where usergroup0_.profile=? and usergroup0_.userId=0
2025-03-24 14:22:10 2025-03-24T14:22:10,237 ERROR [geonetwork.csw] - Cannot process transaction
2025-03-24 14:22:10 2025-03-24T14:22:10,239 ERROR [geonetwork.csw] -  (C) StackTrace
2025-03-24 14:22:10 ServiceNotAllowedEx : Service not allowed
2025-03-24 14:22:10     at org.fao.geonet.kernel.datamanager.base.BaseMetadataOperations.checkOperationPermission(BaseMetadataOperations.java:241)
2025-03-24 14:22:10     at org.fao.geonet.kernel.datamanager.base.BaseMetadataOperations.getOperationAllowedToAddInternal(BaseMetadataOperations.java:213)
2025-03-24 14:22:10     at org.fao.geonet.kernel.datamanager.base.BaseMetadataOperations.getOperationAllowedToAdd(BaseMetadataOperations.java:202)
2025-03-24 14:22:10     at org.fao.geonet.kernel.datamanager.base.BaseMetadataOperations.setOperation(BaseMetadataOperations.java:150)
2025-03-24 14:22:10     at org.fao.geonet.kernel.datamanager.base.BaseMetadataOperations.setOperation(BaseMetadataOperations.java:124)
2025-03-24 14:22:10     at org.fao.geonet.kernel.DataManager.setOperation(DataManager.java:448)
2025-03-24 14:22:10     at org.fao.geonet.component.csw.Transaction.insertTransaction(Transaction.java:277)
2025-03-24 14:22:10     at org.fao.geonet.component.csw.Transaction.execute(Transaction.java:149)
2025-03-24 14:22:10     at org.fao.geonet.component.csw.CatalogDispatcher.dispatchI(CatalogDispatcher.java:137)
2025-03-24 14:22:10     at org.fao.geonet.component.csw.CatalogDispatcher.dispatch(CatalogDispatcher.java:99)
2025-03-24 14:22:10     at org.fao.geonet.services.main.CswPublicationDispatcher.serviceSpecificExec(CswPublicationDispatcher.java:119)
2025-03-24 14:22:10     at org.fao.geonet.services.NotInReadOnlyModeService.exec(NotInReadOnlyModeService.java:54)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceInfo.execService(ServiceInfo.java:227)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceInfo.noTransactionExec(ServiceInfo.java:142)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceInfo$1.doInTransaction(ServiceInfo.java:121)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceInfo$1.doInTransaction(ServiceInfo.java:118)
2025-03-24 14:22:10     at jeeves.transaction.TransactionManager.runInTransaction(TransactionManager.java:75)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceInfo.execServices(ServiceInfo.java:115)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceManager.dispatch(ServiceManager.java:458)
2025-03-24 14:22:10     at jeeves.server.dispatchers.ServiceManager.dispatch(ServiceManager.java:396)
2025-03-24 14:22:10     at jeeves.server.JeevesEngine.dispatch(JeevesEngine.java:572)
2025-03-24 14:22:10     at org.fao.geonet.services.main.GenericController.dispatch(GenericController.java:151)
2025-03-24 14:22:10     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2025-03-24 14:22:10     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
2025-03-24 14:22:10     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2025-03-24 14:22:10     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
2025-03-24 14:22:10     at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
2025-03-24 14:22:10     at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
2025-03-24 14:22:10     at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117)
2025-03-24 14:22:10     at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:903)
2025-03-24 14:22:10     at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:809)
2025-03-24 14:22:10     at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
2025-03-24 14:22:10     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1072)
2025-03-24 14:22:10     at jeeves.config.springutil.JeevesDispatcherServlet.access$001(JeevesDispatcherServlet.java:44)
2025-03-24 14:22:10     at jeeves.config.springutil.JeevesDispatcherServlet$1.doInTransaction(JeevesDispatcherServlet.java:56)
2025-03-24 14:22:10     at jeeves.config.springutil.JeevesDispatcherServlet$1.doInTransaction(JeevesDispatcherServlet.java:52)
2025-03-24 14:22:10     at jeeves.transaction.TransactionManager.runInTransaction(TransactionManager.java:75)
2025-03-24 14:22:10     at jeeves.config.springutil.JeevesDispatcherServlet.doDispatch(JeevesDispatcherServlet.java:49)
2025-03-24 14:22:10     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:965)
2025-03-24 14:22:10     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
2025-03-24 14:22:10     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
2025-03-24 14:22:10     at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
2025-03-24 14:22:10     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
2025-03-24 14:22:10     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
2025-03-24 14:22:10     at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:292)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.fao.geonet.monitor.webapp.WebappMetricsFilter.doFilter(WebappMetricsFilter.java:121)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.fao.geonet.monitor.webapp.MetricsRegistryInitializerFilter.doFilter(MetricsRegistryInitializerFilter.java:58)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.fao.geonet.web.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:110)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
2025-03-24 14:22:10     at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
2025-03-24 14:22:10     at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
2025-03-24 14:22:10     at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.fao.geonet.web.CORSResponseFilter.doFilter(CORSResponseFilter.java:133)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.geonetwork.http.SessionTimeoutCookieFilter.doFilter(SessionTimeoutCookieFilter.java:90)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.fao.geonet.web.GeoNetworkPortalFilter.doFilter(GeoNetworkPortalFilter.java:103)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:352)
2025-03-24 14:22:10     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:117)
2025-03-24 14:22:10     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
2025-03-24 14:22:10     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:131)
2025-03-24 14:22:10     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:85)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:149)
2025-03-24 14:22:10     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
2025-03-24 14:22:10     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
2025-03-24 14:22:10     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:187)
2025-03-24 14:22:10     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:118)
2025-03-24 14:22:10     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
2025-03-24 14:22:10     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
2025-03-24 14:22:10     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
2025-03-24 14:22:10     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
2025-03-24 14:22:10     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
2025-03-24 14:22:10     at jeeves.config.springutil.JeevesDelegatingFilterProxy.doFilter(JeevesDelegatingFilterProxy.java:74)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
2025-03-24 14:22:10     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
2025-03-24 14:22:10     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
2025-03-24 14:22:10     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
2025-03-24 14:22:10     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
2025-03-24 14:22:10     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
2025-03-24 14:22:10     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
2025-03-24 14:22:10     at org.eclipse.jetty.server.Server.handle(Server.java:516)
2025-03-24 14:22:10     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
2025-03-24 14:22:10     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
2025-03-24 14:22:10     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
2025-03-24 14:22:10     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
2025-03-24 14:22:10     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
2025-03-24 14:22:10     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
2025-03-24 14:22:10     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
2025-03-24 14:22:10     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
2025-03-24 14:22:10     at java.base/java.lang.Thread.run(Thread.java:829)

davidblasby · July 29, 2025, 4:17pm

Hi,

I expect the issue has to do with the CSW. I think (not sure) CSW has its own web app and it’s probably not correctly setup with the oídc filters.

The filters should be setting up the user in the database in the same way as the web app. This happens very early in the request - and it looks like it’s happening. It could be failing to attach the security info to the request for csw or, more likely, there is a problem with a shared transaction.

What is the csw request you are making?