Removing username/password of a WMS Store through the REST API doesn't work anymore

Hi everyone

We have been experiencing a problem since version 2.12.0 of GeoServer. Version 2.11.5 was the last version where it worked properly. With the newest version, 2.27.1, it still doesn’t work.

If you have a clean instance of GeoServer you can run the following to create a WMS Store:

curl --silent --fail --request POST \
  --url http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores \
  --header 'Authorization: Basic YWRtaW46Z2Vvc2VydmVy' \
  --header 'Content-Type: application/json' \
  --data '{
  "wmsStore" : {
    "name" : "swisstopo",
    "description" : "swisstopo",
    "type" : "WMS",
    "enabled" : true,
    "workspace" : {
      "name" : "cite"
    },
    "capabilitiesURL" : "https://wms.geo.admin.ch/?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities",
    "metadata" : {
      "useConnectionPooling" : false
    },
    "maxConnections" : 6,
    "readTimeout" : 60,
    "connectTimeout" : 30
  }
}'

If you look at http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo.json you see there is no user/password.

With the following command you can add a user/password:

curl --silent --fail --request PUT \
  --url http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo \
  --header 'Authorization: Basic YWRtaW46Z2Vvc2VydmVy' \
  --header 'Content-Type: application/json' \
  --data '{
  "wmsStore": {
    "user": "test",
    "password": "test"
  }
}'

If you now execute the following command, the expected behaviour is that the username/password is completely removed:

curl --silent --fail --request PUT \
  --url http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo \
  --header 'Authorization: Basic YWRtaW46Z2Vvc2VydmVy' \
  --header 'Content-Type: application/json' \
  --data '{
  "wmsStore": {
    "user": null,
    "password": null
  }
}'

In fact it’s not removed. The user is still there with an empty value and the password is still there with some value. If you again look at http://localhost:8080/geoserver/rest/workspaces/cite/wmsstores/swisstopo.json you see something like this:

    ...
    "user": "",
    "password": "crypt1:JlxVVkiN7/OYKSmhXVjR1A==",
    ...

That causes problems because these credentials are then used.

You can’t really test it with the swisstopo WMS from the example because it doesn’t need credentials. I just used it to showcase the problem that the user/password is still in the config.

Has the way to remove user/password changed or is this actually a bug?

Hi @ruben-grossmann and welcome to the user forum.

Wow, this is a good example of reporting an issue when you first notice it. The REST API was rewritten around that time, porting to spring-framework infrastructure, and a lot of inconsistencies were cleaned up.

My understanding is that updating content is done as an overlay, allowing a smaller payload to be supplied to only update the fields changed. I am not sure how that works for removing configuration, which seems to be your intent with “user” and “password”.

Checking ServiceSettingsController:

        if (originalInfo != null) {
            OwsUtils.copy(info, originalInfo, clazz);
            geoServer.save(originalInfo);
        } 

OwsUtils.copy … is actually skipping null values on purpose:

                Object newValue = getter.invoke(source, null);
                if (newValue == null) {
                    continue;
                    // TODO: make this a flag whether to overwrite with null values
                }

So yes this appears to be a bug, with a helpful “TODO” if resources (volunteer or funding) permit.

Aside: I wonder how I would handle it, perhaps with an annotation on username and password settings so this method could know that null was okay.
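
The null-skipping overlay copy discussed above, modelled as an added example (not GeoServer's code and not part of the original posts). `StoreConfig`, `copy` and the `explicitNulls` parameter are hypothetical, and the example assumes the REST layer can tell which keys the payload sent as an explicit null rather than left out.

```java
import java.lang.reflect.Method;
import java.util.Set;

public class OverlayCopyDemo {
    // Hypothetical stand-in for a store configuration bean (not a GeoServer class).
    public static class StoreConfig {
        private String name, user, password;
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        public String getUser() { return user; }
        public void setUser(String v) { user = v; }
        public String getPassword() { return password; }
        public void setPassword(String v) { password = v; }
    }

    // Overlay copy: a null in the source is skipped unless the property was
    // explicitly sent as null. Names in explicitNulls are getter suffixes ("User").
    static void copy(Object source, Object target, Set<String> explicitNulls) throws Exception {
        for (Method getter : source.getClass().getMethods()) {
            String n = getter.getName();
            if (!n.startsWith("get") || n.equals("getClass") || getter.getParameterCount() != 0) {
                continue;
            }
            String prop = n.substring(3);
            Object newValue = getter.invoke(source);
            if (newValue == null && !explicitNulls.contains(prop)) {
                continue; // same effect as the null check quoted above: stored value survives
            }
            Method setter = target.getClass().getMethod("set" + prop, getter.getReturnType());
            setter.invoke(target, newValue);
        }
    }

    public static void main(String[] args) throws Exception {
        StoreConfig stored = new StoreConfig(); // constructed sample state
        stored.setName("swisstopo");
        stored.setUser("test");
        stored.setPassword("test");

        StoreConfig update = new StoreConfig(); // bean built from {"user": null, "password": null}

        copy(update, stored, Set.of()); // nulls skipped: credentials stay in the config
        System.out.println("skip nulls:     user=" + stored.getUser() + " password=" + stored.getPassword());

        copy(update, stored, Set.of("User", "Password")); // explicit nulls clear the credentials
        System.out.println("explicit nulls: user=" + stored.getUser() + " password=" + stored.getPassword());
    }
}
```

Passing the explicit-null set per request, rather than overwriting with every null, keeps a partial update that omits `user` and `password` from wiping stored credentials.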

Hey @jive

Thanks for the praise. With the following script it was easy to test the versions:
test-geoserver.sh (3.8 KB)
Just have to ensure that the correct Java version is active.

Many thanks for the (fast) response. We will discuss how we handle this.