Karl ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=5fb47b8a2730d8007658240b ) *created* an issue

GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiY2VhNDg1MzU0NzkyNDExYzg0YjA0MzM2YjMxYWVjMzMiLCJwIjoiaiJ9 ) / Bug GEOS-9795 ( https://osgeo-org.atlassian.net/browse/GEOS-9795?atlOrigin=eyJpIjoiY2VhNDg1MzU0NzkyNDExYzg0YjA0MzM2YjMxYWVjMzMiLCJwIjoiaiJ9 )
Geowebcache does not check security data rules on WTMS requests

Issue Type: Bug
Affects Versions: 2.18.0
Assignee: Unassigned
Created: 18/Nov/20 3:09 AM
Environment: Ubuntu 20.04.1 LTS
             openjdk version "11.0.9.1" 2020-11-04
Priority: Medium
Reporter: Karl ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=5fb47b8a2730d8007658240b )

I have defined this data security config, so all access in READ to anything must be authenticated:

    *.*.r ROLE_AUTHENTICATED
    *.*.w GROUP_ADMIN,ADMIN
    *.*.a GROUP_ADMIN,ADMIN

But it seems that if a client requests WMTS tiles without authentication, and they are cached by GWC, they are returned to the client instead of returning a 401 error, which is a big security hole...

I came across this conversation from 2013 which summarizes my problem:
http://osgeo-org.1560.x6.nabble.com/Unable-to-get-GeoServer-GWC-to-apply-authentication-to-my-WMTS-tile-requests-td5085389.html

It looked like a patch was merged in the past, but today I encounter the exact same problem.
https://github.com/geoserver/geoserver/pull/341
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
