Securing RESTful Services with GeoServer 2.0.1
A feature that has become quite popular in GeoServer over the last year has been the RESTful configuration plug-in (“restconfig”), that allows one to configure a GeoServer instance programmatically via simple HTTP operations.
Recently the issue of security has come up with regards to the restconfig plug-in. Essentially it boils down to the fact that GeoServer allows anonymous access to any resource or service when the HTTP request method is GET. In the case of restconfig this can make sensitive information available anonymously such as database connection parameters which can contain passwords and the like.
To remedy this situation in 2.0.1 the GeoServer security subsystem has been extended to allow for configuring access to RESTful services. This is documented in the user guide.
The major caveat for users upgrading to 2.0.1 is that any systems that depended on the previous behavior of allowing GET access to resources without authentication will undoubtedly break. In this case users have two options:
-
Start supplying administrator credentials with all requests
-
Reconfigure GeoServer to allow for anonymous access for GET operations
A patch has been created for 1.7.x users as well.
Try it out. Please report any issues to the GeoServer users list. Thanks for using GeoServer!
Vulnerability
- GeoServer 2.26.1 Release
- GeoServer 2.25.4 Release
- GeoServer 2.26.0 Release
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions
- GeoServer 2.25.2 Release
- GeoServer 2.24.4 Release
- GeoServer 2.23.6 Release
- GeoServer 2.25.1 Release
- GeoServer 2.25.0 Release
- GeoServer 2.23.5 Release