Richard Sharp (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A85a45f1d-bcd5-495d-83e6-890cab335ed1) *created* an issue

GeoServer (https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiODNmZWY5NzBmNWNiNDM5Mzg1MWRjZGNhNmVkMjFhOTciLCJwIjoiaiJ9) / Bug GEOS-9602 (https://osgeo-org.atlassian.net/browse/GEOS-9602?atlOrigin=eyJpIjoiODNmZWY5NzBmNWNiNDM5Mzg1MWRjZGNhNmVkMjFhOTciLCJwIjoiaiJ9)

Changing GeoServer admin password via REST requires a reload before the password is used

Issue Type: Bug
Affects Versions: 2.17.0
Assignee: Unassigned
Created: 01/May/20 6:04 AM
Environment: Debian 10.3
Priority: Medium
Reporter: Richard Sharp

To recreate, first create a new admin password:

```
curl -u admin:geoserver -X PUT http://localhost:8080/geoserver/rest/security/self/password \
  -H "accept: application/json" -H "content-type: application/json" \
  -d "{ \"newPassword\": \"test\"}"
```

Note the log indicates the change was successful:

```
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [security.xml] - Successful lock: security/usergroup/default/users.xml.lock
29 Apr 20:44:48 INFO [geoserver.security] - Start storing user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Storing user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml
29 Apr 20:44:48 INFO [geoserver.security] - Start reloading user/groups for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Reloading user/groups successful for service named default
29 Apr 20:44:48 INFO [geoserver.security] - Adjusted last modified for file: security/usergroup/default/users.xml
29 Apr 20:44:48 INFO [geoserver.rest] - Changed password for user admin
```

Then observe the new password does not work:

```
curl -u admin:test -X GET http://localhost:8080/geoserver/rest/layers -H "accept: application/json"

29 Apr 20:46:27 WARN [geoserver.security] - Failed login, user admin from 172.17.0.1
29 Apr 20:46:27 INFO [geoserver.security] - Brute force attack prevention, delaying login for 1385ms
```

But the original password works fine:
```
curl -u admin:geoserver -X GET http://localhost:8080/geoserver/rest/layers -H "accept: application/json"
{"layers":{"layer":[{"name":"tiger:giant_polygon","href":"http:\/\/localhost:8080\/geoserve....
```

_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
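
Added example, not part of the original report or of GeoServer's code: a shell check for the symptom reported above, where the old admin password is still accepted after a change via REST. The function names, the script name in the comment, and the rule that an accepted login answers with HTTP 2xx are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a password change via REST actually took effect.
# Assumption: an accepted login returns HTTP 2xx; anything else is a rejection.

# probe BASE_URL USER PASSWORD -> prints the HTTP status of GET /rest/layers
probe() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -u "$2:$3" -H "accept: application/json" "$1/rest/layers"
}

# accepted STATUS -> exit 0 when the status is 2xx
accepted() {
    case "$1" in
        2??) return 0 ;;
        *)   return 1 ;;
    esac
}

# classify_rotation OLD_STATUS NEW_STATUS -> prints one verdict word
classify_rotation() {
    old=$1
    new=$2
    if accepted "$new" && ! accepted "$old"; then
        echo rotated            # expected outcome of a password change
    elif accepted "$old" && ! accepted "$new"; then
        echo stale              # symptom in the report: old password still live
    elif accepted "$old" && accepted "$new"; then
        echo both-accepted      # old credential was never revoked
    else
        echo neither-accepted   # login delay, wrong URL, or server down
    fi
}

# check_rotation BASE_URL USER OLD_PASSWORD NEW_PASSWORD
check_rotation() {
    old_status=$(probe "$1" "$2" "$3")
    new_status=$(probe "$1" "$2" "$4")
    verdict=$(classify_rotation "$old_status" "$new_status")
    echo "old=$old_status new=$new_status verdict=$verdict"
    [ "$verdict" = rotated ]    # non-zero exit unless the rotation is effective
}

# Runs only when called with four arguments (hypothetical script name):
#   sh check_rotation.sh http://localhost:8080/geoserver admin geoserver test
if [ "$#" -eq 4 ]; then
    check_rotation "$@"
fi
```

A `stale` or `both-accepted` verdict means the old credential is still usable and the rotation should not be treated as complete.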
