Securing RESTful Services with GeoServer 2.0.1

A feature that has become quite popular in GeoServer over the last year is the RESTful configuration plug-in (“restconfig”), which allows one to configure a GeoServer instance programmatically via simple HTTP operations.

Recently the issue of security has come up with regard to the restconfig plug-in. Essentially it boils down to the fact that GeoServer allows anonymous access to any resource or service when the HTTP request method is GET, regardless of what that resource contains. In the case of restconfig this means an unauthenticated GET against the REST endpoints can return sensitive configuration, such as data store connection parameters, which can contain database passwords and the like.

To remedy this, in 2.0.1 the GeoServer security subsystem has been extended so that access to RESTful services can be configured per HTTP method. This is documented in the user guide.

The major caveat for users upgrading to 2.0.1 is that any system that depended on the previous behaviour of allowing GET access to resources without authentication will break. In this case users have two options:

  1. Start supplying administrator credentials with every request
  2. Reconfigure GeoServer to allow anonymous access for GET operations (this restores the exposure described above, so it is only appropriate for instances whose configuration holds nothing sensitive)
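
To make the two options concrete, here is an added example (it is not code from the GeoServer project or from this post) that models the REST access rules and lets you check a rule set and a live instance side by side. The rule syntax, the role names `ROLE_ADMINISTRATOR` and `IS_AUTHENTICATED_ANONYMOUSLY`, the first-match/default-deny evaluation, paths being relative to `/rest`, and the sample paths and rule sets are all assumptions made for the illustration, not facts stated on this page; check them against the user guide for your version.

```python
"""
Added example, not GeoServer code.  Models rest.properties-style access
rules so the locked-down default can be compared with the anonymous-GET
relaxation (upgrade option 2), and includes a probe for option 1.

Assumptions (taken from the user-guide rule format, not from the post):
  * one rule per line:  <ant path pattern>;<METHOD>[,<METHOD>...]=<ROLE>[,...]
  * paths are relative to /rest; '**' spans path segments, '*' one segment
  * the first matching rule decides; a request matching no rule is denied
  * ROLE_ADMINISTRATOR is the admin role, IS_AUTHENTICATED_ANONYMOUSLY
    grants access without logging in
"""
import base64
import re
import urllib.error
import urllib.request

ANON_ROLE = "IS_AUTHENTICATED_ANONYMOUSLY"

# Constructed rule sets for illustration: an assumed locked-down default,
# and the relaxation that reopens GET to everyone.
LOCKED_DOWN = """\
/**;GET=ROLE_ADMINISTRATOR
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""
ANONYMOUS_GET = """\
/**;GET=IS_AUTHENTICATED_ANONYMOUSLY
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR
"""


def parse_rules(text):
    """Parse rule text into a list of (pattern, methods, roles) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            pattern, rest = line.split(";", 1)
            methods, roles = rest.split("=", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: expected <path>;<methods>=<roles>, got {raw!r}")
        rules.append((pattern.strip(),
                      frozenset(m.strip().upper() for m in methods.split(",") if m.strip()),
                      frozenset(r.strip() for r in roles.split(",") if r.strip())))
    return rules


def _ant_to_regex(pattern):
    """Translate an Ant-style path pattern ('/**', '/workspaces/*') to a regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3      # zero or more further segments
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1       # wildcard within one segment
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + "$")


def is_allowed(rules, method, path, roles=frozenset()):
    """True if a caller holding `roles` may issue `method` against `path`.
    An empty role set is an anonymous request (first match wins, no match
    denies; both are assumptions, see module docstring)."""
    method = method.upper()
    for pattern, methods, required in rules:
        if method in methods and _ant_to_regex(pattern).match(path):
            return ANON_ROLE in required or bool(required & frozenset(roles))
    return False


def anonymous_exposure(rules, paths, methods=("GET", "POST", "PUT", "DELETE")):
    """List the (method, path) pairs the rules leave open to anonymous callers."""
    return [(m, p) for p in paths for m in methods if is_allowed(rules, m, p)]


def probe(base_url, username=None, password=None, path="/rest/workspaces.xml"):
    """GET one restconfig resource on a live instance and return the HTTP status.
    With no credentials a 200 means the resource is readable anonymously; with
    the administrator account this exercises upgrade option 1.  Needs network;
    the base URL and account are whatever your deployment uses."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample paths, relative to /rest.
    sensitive = ["/workspaces.xml", "/workspaces/topp/datastores/states.xml"]
    for name, text in (("locked down", LOCKED_DOWN), ("anonymous GET", ANONYMOUS_GET)):
        print(f"{name}: open to anonymous {anonymous_exposure(parse_rules(text), sensitive)}")
```

Run it as a script to see that the locked-down rules expose nothing to anonymous callers while the relaxed rules expose every GET, including data store resources; call `probe("http://host:8080/geoserver")` with and without credentials to confirm the same thing against a running instance before and after upgrading.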

A patch has been created for 1.7.x users as well.

Try it out. Please report any issues to the GeoServer users list. Thanks for using GeoServer!

5 Comments

  1. Amos
    Posted 2010/01/26 at 4:54 pm | Permalink

    Which versions of GeoServer are vulnerable to RESTful GET requests? Are 1.7.x installations vulnerable? Shouldn’t this warrant a big security notice on the home page?

  2. Posted 2010/01/26 at 5:02 pm | Permalink

    @Amos:

    At the moment 1.7.x installations are vulnerable, yes. At this point a patch has not been back ported.

    As for putting a notice on the homepage this blog probably reaches a wider audience than those who visit our homepage daily. And this blog entry should show up in the news feed that is front and center on the home page. Although it has not at this moment. Will have to look into that.

  3. Amos
    Posted 2010/01/26 at 10:44 pm | Permalink

    Thanks Justin. I should have also asked: Are the installations vulnerable out of the box or was there something I would have had to turn on?

  4. Amos
    Posted 2010/01/26 at 10:48 pm | Permalink

    Ah, sorry. I did a tiny bit of digging and I see now that the “restconfig” extension is a separate download and does not appear to be bundled by default. Not as scary as I thought then.
