Support requiring files to exist for GeoServer startup


Support a new environment variable / servlet context parameter / Java system property GEOSERVER_REQUIRE_FILE that lists one or more files that must exist for GeoServer startup.

This change addresses a vulnerability: without this setting, if GeoServer restarts and its data directory is on inaccessible storage such as a temporarily inaccessible network drive, GeoServer will revert to its default data directory location. With either an empty or default data directory, GeoServer will have an insecure default password. This change prevents GeoServer startup if any of one or more specified files do not exist.

This change is backwards compatible: if this option is not used, the original behaviour is preserved.

Original report from Carl:

Could a member of the PSC please contact me privately for details?

I would prefer using Google hangouts:




Ben Caradoc-Davies
July 16, 2016, 11:56 PM

Merged on master, 2.9.x, and 2.8.x.

Ben Caradoc-Davies
July 16, 2016, 4:23 AM

This issue has been the subject of an email discussion between the PSC and the reporter.

Ben Caradoc-Davies
July 11, 2016, 9:52 PM

I have emailed the reporter and the PSC to obtain details of the potential vulnerability.



Ben Caradoc-Davies


Carl Schroedl

Fix versions

Affects versions