Dear list,
I am facing problems with the behaviour of permissions for layer
groups in MIXED mode.

Assume I have a workspace "ws", a global group "my_lyr_group" and one
layer "thelayer" belonging to both the workspace "ws" and the layer
group "my_lyr_group".

If I set CHALLENGE catalog mode and these rules:
*.*.r = *
ws.thelayer.r = MYROLE

then any WMS request to the layer group returns a HTTP 401 code,
triggering authentication (as I would expect). If I set the MIXED
catalog mode instead, then a HTTP 200 code is returned, but the
following error content is returned:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE ServiceExceptionReport SYSTEM "https://devel.gvsigonline.com/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
  <ServiceException code="LayerNotDefined">
      No layers have been requested
  </ServiceException>
</ServiceExceptionReport>

I would expect that MIXED mode would behave the same as CHALLENGE,
since I am requesting a group containing a restricted layer and thus
authentication should be triggered (i.e. 401 code returned).

Now, if I set CHALLENGE catalog mode and these rules:
*.*.r = MYROLE
ws.thelayer.r = *

then any WMS request to the layer group returns a HTTP 200 code and
the request is successful. If I set MIXED mode instead, then the
request returns a 401 error and authentication is triggered.

We are requesting a global layer group which only contains a
non-restricted layer, so it can be argued that the group is restricted
(since the *.*.r rule requires a specific role) and then the 401 code
is correct. BUT then it should behave the same in CHALLENGE mode. And
in my opinion the behaviour exhibited by CHALLENGE mode makes more
sense, since it allows requesting a layer group if the layer inside is
not restricted. If the group has a mix of restricted and
non-restricted layers, then I am not sure which is the right behaviour,
but I think it should still be the same for MIXED and CHALLENGE mode.

I would love to hear your opinion about this (mis)behaviour of
layergroups in MIXED mode.

Note that there are additional problems with return codes if WMTS
(GWC) is used; this is documented in
https://osgeo-org.atlassian.net/browse/GEOS-9977, but I think it is a
different (but related) problem.

Finally, I realised that there is no way to change layergroup
permissions from Geoserver REST API, even if it is possible to do so
in the web interface. I can see layergroup permissions in REST API,
but whenever I want to add or modify a rule:
[...] HTTP 422 [...] Invalid rule my_lyr_group.r, the expected format
is workspace.layer.mode=role1,role2,...
I think this is also a bug (or gap in the API).

I will add a summary of my tests, in case it is useful as reference:

- - -
RULES
*.*.r = *
ws.thelayer.r = MYROLE

CHALLENGE
WMS request to my_lyr_group => 401
WMTS request to my_lyr_group => 403


MIXED
WMS request to my_lyr_group => 200 code (expected 401)
Body:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE ServiceExceptionReport SYSTEM "https://devel.gvsigonline.com/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
  <ServiceException code="LayerNotDefined">
      No layers have been requested
  </ServiceException>
</ServiceExceptionReport>
WMTS request to my_lyr_group => 400 (expected 401)

- - -
RULES
*.*.r = MYROLE
ws.thelayer.r = *

CHALLENGE
WMS request to my_lyr_group => 200
WMTS request to my_lyr_group => 200

MIXED
WMS request to my_lyr_group => 401 (expected 200)
WMTS request to my_lyr_group => 400 (expected 200)

- - -
RULES
*.*.r = MYROLE
ws.thelayer.r = MYROLE

CHALLENGE
WMS request to my_lyr_group => 401
WMTS request to my_lyr_group => 403 (expected 401)

MIXED
WMS request to my_lyr_group => 401
WMTS request to my_lyr_group => 400 (expected 401)

Thanks in advance,
César Martínez Izquierdo

PS: Tested with Geoserver 2.22.2, but I assume that it still applies
in the last version if no changes have been made in this area. I will
test again as soon as I can using the last version.

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   César Martínez Izquierdo
   GIS developer
   -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
   SCOLAB: http://www.scolab.es
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
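Added example (not part of the message above and not GeoServer's own code): a small Python model of the rule evaluation the poster expects, to make the three test cases in the summary reproducible offline. It parses rules in the workspace.layer.mode=role1,role2,... format quoted from the REST API error, resolves the effective read roles of a layer with GeoServer's documented "most specific rule wins" precedence, and derives the status the poster expects for a layer group (200 if every member layer is readable, 401 if an anonymous caller hits a restricted member). Function names, the regex and the 403 for an authenticated caller without the role are my assumptions.

```python
import re
from dataclasses import dataclass

# Three-part rule format quoted in the REST API 422 error in the message above.
RULE_RE = re.compile(r"^([^.=\s]+)\.([^.=\s]+)\.([rwa])\s*=\s*(.+)$")


@dataclass(frozen=True)
class Rule:
    workspace: str        # "*" matches any workspace
    layer: str            # "*" matches any layer
    mode: str             # r (read), w (write) or a (admin)
    roles: frozenset      # {"*"} means anyone


def parse_rule(line):
    """Parse one layers.properties line; reject the two-part form REST rejects."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"Invalid rule {line.strip()}, the expected format "
                         "is workspace.layer.mode=role1,role2,...")
    ws, layer, mode, roles = m.groups()
    return Rule(ws, layer, mode, frozenset(r.strip() for r in roles.split(",")))


def specificity(rule):
    # 0 = global (*.*), 1 = workspace-wide (ws.*), 2 = single layer (ws.layer)
    return (rule.workspace != "*") + (rule.layer != "*")


def read_roles(rules, workspace, layer):
    """Effective read roles: the most specific matching rule wins (documented GeoServer behaviour)."""
    matching = [r for r in rules if r.mode == "r"
                and r.workspace in ("*", workspace) and r.layer in ("*", layer)]
    if not matching:
        return frozenset({"*"})  # no rule at all: readable by everyone
    return max(matching, key=specificity).roles


def can_read(roles, user_roles):
    return "*" in roles or bool(roles & user_roles)


def expected_status(rules, group_layers, user_roles=frozenset()):
    """Status the poster expects for a WMS request to a layer group.

    A group is readable only if every member layer is readable by the caller.
    Anonymous callers get 401 so authentication is triggered; an authenticated
    caller lacking the role gets 403 (assumption, not taken from the message).
    """
    for ws, layer in group_layers:
        if not can_read(read_roles(rules, ws, layer), user_roles):
            return 401 if not user_roles else 403
    return 200
```

The assertions reproduce the poster's expected column: case 1 yields 401 for an anonymous caller, case 2 yields 200 because ws.thelayer.r = * overrides the global *.*.r = MYROLE, and the two-part group rule is rejected exactly as the REST API does.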


_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users