Unable to ANONYMOUSLY access mbstyles since 2.26.3 release

Hi,
I have a mbstyles defined in a GeoServer workspace. We have always been able to request these styles as an anonymous user - such as:

https:///geoserver/rest/workspaces/TestWS/styles/MBStyle_Test.mbstyle

Since we moved past 2.26.2, this no longer works.

I can see that security associated with REST was tightened as part of the 2.26.3 release. We already had the entries in the rest.properties file. However, even with these rules included in the rest.properties file - we get a 404 response. However, if we login to Geoserver as the admin user, and then in a different tab request the style file - it now works.

So, the style exists in the workspace, our GET request is formatted currently, but we are unable to access the style anonymously.

The following is the rules we have in the rest.properties file:

/rest/workspaces/*/styles/**;GET=IS_AUTHENTICATED_ANONYMOUSLY
/rest/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR

Help on this matter would be very much appreciated

Interesting, there is a similar problem reported in the issue tracker: GEOS-11913

Can you confirm that this occurred between 2.26.1 and 2.26.2? That would give a starting point to look where the regression occurred.

I had a review of what changed, see GEOS-11913 for notes.

1. In security/rest.properties there is more requests: GET → GET,HEAD,OPTIONS

2. In security/config.xml the filters have been updated:

   • filters rest: path="/rest.*,/rest/**"
   • filters gwc: path="/gwc/rest.*,/gwc/rest/**"

If you are in position to test and provide feedback it woudl be appreciated.