Stacy Rendall ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A91a5da0c-aca0-477f-ba8a-c890e5bf285e ) *created* an issue
GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiZWIxMWExM2RmNDYwNGIwNDlmNDViZGRhNzY1NzUzZTgiLCJwIjoiaiJ9 ) / Bug ( https://osgeo-org.atlassian.net/browse/GEOS-11029?atlOrigin=eyJpIjoiZWIxMWExM2RmNDYwNGIwNDlmNDViZGRhNzY1NzUzZTgiLCJwIjoiaiJ9 ) GEOS-11029 ( https://osgeo-org.atlassian.net/browse/GEOS-11029?atlOrigin=eyJpIjoiZWIxMWExM2RmNDYwNGIwNDlmNDViZGRhNzY1NzUzZTgiLCJwIjoiaiJ9 ) OGC API - Tiles + Authkey - can see Vector Tiles with no key or invalid key ( https://osgeo-org.atlassian.net/browse/GEOS-11029?atlOrigin=eyJpIjoiZWIxMWExM2RmNDYwNGIwNDlmNDViZGRhNzY1NzUzZTgiLCJwIjoiaiJ9 ) Issue Type: Bug Affects Versions: 2.23.1 Assignee: Unassigned Components: Vector Tiles Created: 16/Jun/23 6:33 AM Environment: Using Docker version of Geoserver, which is 2.23-SNAPSHOT, and extensions/community modules are 2.23-SNAPSHOT from 11th June build Priority: High Reporter: Stacy Rendall ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A91a5da0c-aca0-477f-ba8a-c890e5bf285e ) [http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913: {z}/{y}/{x}?f=application/vnd.mapbox-vector-tile&authkey=f04cc884-0733-42f7-bd37-c8ed3fa6f148|http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z} / {y}/{x}?f=application/vnd.mapbox-vector-tile&authkey=f04cc884-0733-42f7-bd37-c8ed3fa6f148] Works correctly, where the provided valid key maps to a role/group/user that is allowed to see the data. However the following also allow the data to be seen (in my testing sometimes just at certain zoom levels, other times at all zoom levels): * [http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z}/{y} / {x}?f=application/vnd.mapbox-vector-tile&authkey=notvalid|http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:%7Bz%7D/%7By%7D/%7Bx%7D?f=application/vnd.mapbox-vector-tile&authkey=notvalid] * [http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:{z}/{y}/{x} ?f=application/vnd.mapbox-vector-tile|http://localhost:8080/geoserver/ogc/tiles/v1/collections/workspace:dataset/tiles/EPSG:900913/EPSG:900913:%7Bz%7D/%7By%7D/%7Bx%7D?f=application/vnd.mapbox-vector-tile] For comparison the following endpoints will correctly limit access, returning nothing for missing or invalid authkey: * [http://localhost:8080/geoserver/gwc/service/tms/1.0.0/workspace:dataset@EPSG:900913@pbf/ {z}/{x}/{-y}.pbf|http://localhost:8080/geoserver/gwc/service/tms/1.0.0/workspace:dataset@EPSG:900913@pbf/%7Bz%7D/%7Bx%7D/%7B-y%7D.pbf] * [http://localhost:8080/geoserver/gwc/service/wmts?REQUEST=GetTile&SERVICE=WMTS&VERSION=1.0.0&LAYER=workspace:dataset&STYLE=&TILEMATRIX=EPSG:900913:{z} &TILEMATRIXSET=EPSG:900913&FORMAT=application/vnd.mapbox-vector-tile&TILECOL= {x} &TILEROW= {y} |http://localhost:8080/geoserver/gwc/service/wmts?REQUEST=GetTile&SERVICE=WMTS&VERSION=1.0.0&LAYER=workspace:dataset&STYLE=&TILEMATRIX=EPSG:900913:%7Bz%7D&TILEMATRIXSET=EPSG:900913&FORMAT=application/vnd.mapbox-vector-tile&TILECOL=%7Bx%7D&TILEROW=%7By%7D] ( https://osgeo-org.atlassian.net/browse/GEOS-11029#add-comment?atlOrigin=eyJpIjoiZWIxMWExM2RmNDYwNGIwNDlmNDViZGRhNzY1NzUzZTgiLCJwIjoiaiJ9 ) Add Comment ( https://osgeo-org.atlassian.net/browse/GEOS-11029#add-comment?atlOrigin=eyJpIjoiZWIxMWExM2RmNDYwNGIwNDlmNDViZGRhNzY1NzUzZTgiLCJwIjoiaiJ9 ) Get Jira notifications on your phone! Download the Jira Cloud app for Android ( https://play.google.com/store/apps/details?id=com.atlassian.android.jira.core&referrer=utm_source%3DNotificationLink%26utm_medium%3DEmail ) or iOS ( https://itunes.apple.com/app/apple-store/id1006972087?pt=696495&ct=EmailNotificationLink&mt=8 ) This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100226- sha1:d46780b )
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
