A recent post describes a security issue with RESTful services in GeoServer that was fixed for GeoServer 2.0.1. A patch has been created for 1.7.x and is now available. Any users using the restconfig plugin with GeoServer 1.7 are urged to apply the patch.
Note that by applying the patch the same rules as described here apply. Users will have to either update systems that rely on anonymous access via GET operations or alternatively configure the security subsystem to allow them.
A feature that has become quite popular in GeoServer over the last year has been the RESTful configuration plug-in (“restconfig”), that allows one to configure a GeoServer instance programmatically via simple HTTP operations.
Recently the issue of security has come up with regards to the restconfig plug-in. Essentially it boils down to the fact that GeoServer allows anonymous access to any resource or service when the HTTP request method is GET. In the case of restconfig this can make sensitive information available anonymously such as database connection parameters which can contain passwords and the like.
To remedy this situation in 2.0.1 the GeoServer security subsystem has been extended to allow for configuring access to RESTful services. This is documented in the user guide.
The major caveat for users upgrading to 2.0.1 is that any systems that depended on the previous behavior of allowing GET access to resources without authentication will undoubtedly break. In this case users have two options:
Start supplying administrator credentials with all requests
Reconfigure GeoServer to allow for anonymous access for GET operations
A patch has been created for 1.7.x users as well.
Try it out. Please report any issues to the GeoServer users list. Thanks for using GeoServer!
With a large number of users upgrading to GeoServer 2.0, it’s no wonder we’ve had so many fixes and improvements make it into GeoServer 2.0.1, now available for download.
Possibly the most significant change since 2.0.0 has been the addition of the RESTful API to the security sub system. Previously, users were able to connect in a read-only capacity to otherwise secure services through RESTful GET requests. While this is a good fix for GeoServer, it does mean that users who were previously relying on anonymous read access to secure services must now authenticate before they can access them. More details are available for those who are interested.
Other changes include usability changes to the administration UI, an updated Windows installer that now contains service and console installation options, and over 100 other issues fixed.
As always, we owe a debt of gratitude to all those that have contributed bug reports, fixes, patches and features. A special thanks goes out to LISAsoft for managing this release.
CSIRO is now hiring seven software developers “to join an established team within CSIRO Earth Science and Resource Engineering (CESRE). As part of the Australian Spatial Research Data Commons (ASRDC) Project, this team is responsible for investigating and implementing open source and open standards based software for geospatial information exchange using Open Geospatial Consortium (OGC) web services.”
CSIRO is Australia’s national science agency.
As advertised on seek.com.au:
Senior Software Engineer - Leading Role http://www.seek.com.au/users/apply/index.ascx?Sequence=39&PageNumber=1&jobid=16484299
Software Engineers - 5 Positions http://www.seek.com.au/users/apply/index.ascx?Sequence=72&PageNumber=1&jobid=16484529
Software Engineer - Administrator http://www.seek.com.au/users/apply/index.ascx?Sequence=56&PageNumber=1&jobid=16484057
The same positions on the CSIRO recruitment website:
Positions Details - 2009/995 - Senior Software Engineer - Leading Role https://recruitment.csiro.au/asp/job_details.asp?RefNo=2009%2F995
Positions Details - 2009/996 - Software Engineers - 5 Positions https://recruitment.csiro.au/asp/job_details.asp?RefNo=2009%2F996
Positions Details - 2009/994 - Software Engineer - Administrator https://recruitment.csiro.au/asp/job_details.asp?RefNo=2009%2F994
Applications close on 10 January 2010. These are fixed-term positions of approximately 18 months (term end 30 June, 2011).
The positions will be based at the Australian Resources Research Centre, 26 Dick Perry Ave, Kensington WA, Australia. This is in an inner suburb of Perth, Western Australia. http://maps.google.com.au/maps?f=q&source=s_q&hl=en&geocode=&q=26+Dick+Perry+Ave+Kensington+WA&sll=-31.993227,115.885849&sspn=0.969029,2.073669&ie=UTF8&hq=&hnear=26+Dick+Perry+Ave,+Kensington+Western+Australia+6151&ll=-31.994847,115.884718&spn=0.242253,0.518417&z=12
Street view: http://maps.google.com.au/maps?f=q&source=s_q&hl=en&geocode=&q=26+Dick+Perry+Ave+Kensington+WA&sll=-31.993227,115.885849&sspn=0.969029,2.073669&ie=UTF8&hq=&hnear=26+Dick+Perry+Ave,+Kensington+Western+Australia+6151&ll=-31.995238,115.885892&spn=0.001893,0.00405&t=h&z=19&layer=c&cbll=-31.995244,115.8861&panoid=-fbF3xYlc6_RMyuiOUPYMQ&cbp=12,356.75,,0,5.95
Lately, I have been working on adding support for the **TIME **attribute for GeoServer in WMS GetMap requests via an improvement of the ImageMosaic raster store:
You can get some more details on the GeoSolutions blog.