David Winslow created GEOS-5053:
-----------------------------------
Summary: Denial of service opportunity in REST API using new security system
Key: GEOS-5053
URL: https://jira.codehaus.org/browse/GEOS-5053
Project: GeoServer
Issue Type: Bug
Components: Security
Reporter: David Winslow
Assignee: Andrea Aime
Priority: Critical
After making a REST request with bad credentials on trunk, subsequent requests
with correct credentials will fail authentication.
For example, I see this when using the release dataset:
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver -H 'Accept: text/xml'
# 200
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver.json -H 'Accept: text/xml'
# 401
$ curl http://localhost:8080/geoserver/rest/workspaces -u admin:geoserver -H 'Accept: text/xml'
# 401! Should be 200 again
Restarting GeoServer seems to bring back the user.
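The three-request sequence above is easy to turn into a regression check so the lockout cannot silently come back. The script below is an added example, not GeoServer project code or part of the report: it encodes the sequence (good credentials, wrong credentials, good credentials again) against any `send(user, password)` callable and flags the bug when the final request is no longer accepted. The REST URL and credentials are the ones quoted in the report; the `SimulatedServer` class is a constructed fixture that reproduces only the observed symptom, not GeoServer's actual authentication code, and the `http_status` transport for a live instance is an assumption about how you would wire it up.

```python
"""
Regression check for the lockout behaviour reported in GEOS-5053: one REST
request with a wrong password must not cause later requests with the correct
password to be rejected.

Added example, not GeoServer code. REST_URL and the admin credentials come
from the report; SimulatedServer is a constructed stand-in for testing the
check offline.
"""
import base64
import urllib.error
import urllib.request

REST_URL = "http://localhost:8080/geoserver/rest/workspaces"  # from the report


def http_status(url, user, password):
    """Issue one GET with HTTP Basic auth and return the status code.

    Transport for a live instance (assumed wiring); unused by the offline run.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "text/xml"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def lockout_check(send, user, good_password, bad_password):
    """Run the report's three-request sequence through `send(user, password)`.

    Returns the three status codes plus `locked_out`, which is True exactly
    when good credentials stop working after a single failed attempt.
    """
    before = send(user, good_password)
    bad_attempt = send(user, bad_password)
    after = send(user, good_password)
    return {
        "before": before,
        "bad_attempt": bad_attempt,
        "after": after,
        "locked_out": before == 200 and bad_attempt == 401 and after != 200,
    }


class SimulatedServer:
    """Constructed fixture mimicking the REST endpoint's observable behaviour.

    With buggy=True it reproduces the symptom from the report: once a wrong
    password is seen for a user, every later request for that user gets 401
    until restart() is called. This models the symptom only, not the cause.
    """

    def __init__(self, users, buggy):
        self.users = dict(users)
        self.buggy = buggy
        self.locked = set()

    def restart(self):
        # Mirrors "Restarting GeoServer seems to bring back the user."
        self.locked.clear()

    def __call__(self, user, password):
        if self.buggy and user in self.locked:
            return 401
        if self.users.get(user) == password:
            return 200
        if self.buggy:
            self.locked.add(user)
        return 401


if __name__ == "__main__":
    creds = {"admin": "geoserver"}
    print("healthy:", lockout_check(SimulatedServer(creds, buggy=False),
                                    "admin", "geoserver", "geoserver.json"))
    print("broken: ", lockout_check(SimulatedServer(creds, buggy=True),
                                    "admin", "geoserver", "geoserver.json"))
    # Against a live instance (assumed URL), substitute the HTTP transport:
    # lockout_check(lambda u, p: http_status(REST_URL, u, p), "admin", "geoserver", "wrong")
```

The check reports `locked_out` only when the first request succeeded and the bad attempt was correctly refused, so a server that rejects everything (wrong base URL, wrong admin password) shows up as a configuration problem in the `before` field rather than as a false positive for this bug.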
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel