Removing username/password of a WMS Store through the Rest API doesn't work anymore

Hi everyone

We experience a problem since Version 2.12.0 of the GeoServer. Version 2.11.5 was the last Version where it worked properly. With the newest Version 2.27.1 it still doesn’t work.

If you have a clean instance of the GeoServer you can run the following to create a WMS Store:

curl --silent --fail --request POST \
  --url http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores \
  --header 'Authorization: Basic YWRtaW46Z2Vvc2VydmVy' \
  --header 'Content-Type: application/json' \
  --data '{
  "wmsStore" : {
    "name" : "swisstopo",
    "description" : "swisstopo",
    "type" : "WMS",
    "enabled" : true,
    "workspace" : {
      "name" : "cite"
    },
    "capabilitiesURL" : "https://wms.geo.admin.ch/?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities",
    "metadata" : {
      "useConnectionPooling" : false
    },
    "maxConnections" : 6,
    "readTimeout" : 60,
    "connectTimeout" : 30
  }
}'

If you look at http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo.json you see there is no user/password.

With the following command you can add a user/password:

curl --silent --fail --request PUT \
  --url http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo \
  --header 'Authorization: Basic YWRtaW46Z2Vvc2VydmVy' \
  --header 'Content-Type: application/json' \
  --data '{
  "wmsStore": {
    "user": "test",
    "password": "test"
  }
}'

If you now execute the following command, the expected behaviour is that the username/password is completely removed:

curl --silent --fail --request PUT \
  --url http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo \
  --header 'Authorization: Basic YWRtaW46Z2Vvc2VydmVy' \
  --header 'Content-Type: application/json' \
  --data '{
  "wmsStore": {
    "user": null,
    "password": null
  }
}'

In fact it’s not removed. The user is still there with an empty value and the password is still there with some value. If you again look at http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo.json you see something like this:

    ...
    "user": "",
    "password": "crypt1:JlxVVkiN7/OYKSmhXVjR1A==",
    ...

That causes problems because this credentials are then used.

You can’t really test it with the swisstopo WMS from the example because it doesn’t need credentials. I just used it to showcase the problem that the user/password is still in the config.

Has the way to remove user/password changed or is this actually a bug?

Hi @ruben-grossmann and welcome to the user forum.

Wow this is a good example of reporting an issue when you first notice it. The rest API was rewritten around that time porting to spring-framework infrastructure and a lot of inconsistencies were cleaned up.

My understanding is that updating content is done as an overlay, allowing a smaller payload to be supplied to only update the fields changed. I am not sure how that works for removing configuration which seems to be your intent with “user” and “password”.

Checking ServiceSettingsController:

        if (originalInfo != null) {
            OwsUtils.copy(info, originalInfo, clazz);
            geoServer.save(originalInfo);
        } 

OwsUtils.copy … is actually skipping null values on purpose:

                Object newValue = getter.invoke(source, null);
                if (newValue == null) {
                    continue;
                    // TODO: make this a flag whether to overwrite with null values
                }

So yes this appears to be a bug, with a helpful “TODO” if resources (volunteer or funding) permit.

aside: I wonder how I would handle it, perhaps with an annotation on username and password settings so this method could know that null was okay.

Hey @jive

Thanks for the praise. With the following script it was easy to test the versions:
test-geoserver.sh (3.8 KB)
Just have to ensure that the correct Java version is active.

Many thanks for the (fast) response. We will discuss how we handle this.

For future readers who have the same problem, it’s fixed: [GEOS-12060] REST API with PUT does not allow un un-set a field by aaime · Pull Request #9149 · geoserver/geoserver · GitHub

It’s at least merged into v2.28.3