Potential vulnerability bypassing GWC data security

Description

In certain GeoServer configuration setups, it's possible to bypass the "Enable Data Security" option in GeoWebCache and gain access to cached WMS tiles that should be private.

I can provide more detailed information on the types of configurations that exhibit this issue, but since this could be considered a security issue, I thought I'd see how you wanted to proceed first. I also have a potential patch for this bug that I can share. So let me know if you'd like for me to share more details and the patch in private or in public.

Thanks!

Environment

None

Status

Assignee

Unassigned

Reporter

n

Triage

Fix versions

Affects versions

2.9.0

Components

Priority

Medium