  1. GEOS-8908

Wrong Coverage Parameter Type for OVERVIEW POLICY causing Coverage layer to be deleted from the Catalog upon reload of configuration or restart.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2.13.1
    • Fix Version/s: 2.13.3, 2.14.0
    • Component/s: Configuration
    • Labels:
      None

      Description

      When you set an Overview Policy in the Coverage parameters to any of the options, the parameter type is set to the full class name, i.e. <org.geotools.coverage.grid.io.OverviewPolicy>QUALITY</org.geotools.coverage.grid.io.OverviewPolicy>, as opposed to earlier versions of GeoServer, where this would be <string>QUALITY</string>.

      This raises a Caused by: org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx: Unauthorized class found, see logs for more details on how to handle it: org.geotools.coverage.grid.io.OverviewPolicy.

      See full log:

      018-08-28 09:42:16,297 ERROR [config.util] - Class org.geotools.coverage.grid.io.OverviewPolicy is not whitelisted for XML parsing.
      This is done to prevent Remote Code Execution attacks, but it might be
      you need this class to be authorized for GeoServer to actually work
      If you are a user, you can set a variable named GEOSERVER_XSTREAM_WHITELIST
        with a semicolon separated list of fully qualified names, or patterns
        to match several classes.The variable can be set as a system variable,
        an environment variable, or a servlet context variable, just like
        GEOSERVER_DATA_DIR.
        For example, in order to authorize the org.geoserver.Foo class,
        plus any class in the org.geoserver.custom package, one could set
        a system variable:
        -DGEOSERVER_XSTREAM_WHITELIST=org.geoserver.Foo;org.geoserver.custom.**
      If instead you are a developer, you can call allowTypes/allowTypeHierarchy against
        the XStream used for serialization by rolling a custom
        XStreamPersisterInitializer or customizing your XStreamServiceLoader.
      2018-08-28 09:42:16,299 WARN [org.geoserver] - Failed to load resource
      com.thoughtworks.xstream.converters.ConversionException:
      ---- Debugging information ----
      cause-exception     : org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx
      cause-message       : Unauthorized class found, see logs for more details on how to handle it: org.geotools.coverage.grid.io.OverviewPolicy
      class               : java.util.HashMap
      required-type       : java.util.HashMap
      converter-type      : com.thoughtworks.xstream.converters.collections.MapConverter
      line number         : 155
      class[1]            : org.geoserver.catalog.impl.CoverageInfoImpl
      converter-type[1]   : org.geoserver.config.util.XStreamPersister$CoverageInfoConverter
      version             : 2.13.1
      -------------------------------
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
              at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshallField(AbstractReflectionConverter.java:503)
              at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.doUnmarshal(AbstractReflectionConverter.java:429)
              at org.geoserver.config.util.XStreamPersister$ResourceInfoConverter.doUnmarshal(XStreamPersister.java:1923)
              at com.thoughtworks.xstream.converters.reflection.AbstractReflectionConverter.unmarshal(AbstractReflectionConverter.java:281)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
              at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1486)
              at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1466)
              at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1346)
              at org.geoserver.config.util.XStreamPersister.load(XStreamPersister.java:633)
              at org.geoserver.config.GeoServerLoader.depersist(GeoServerLoader.java:961)
              at org.geoserver.config.GeoServerLoader$LayerLoader.accept(GeoServerLoader.java:193)
              at org.geoserver.config.GeoServerLoader.loadCoverageStore(GeoServerLoader.java:669)
              at org.geoserver.config.GeoServerLoader.readCatalog(GeoServerLoader.java:558)
              at org.geoserver.config.GeoServerLoader.readCatalog(GeoServerLoader.java:393)
              at org.geoserver.config.DefaultGeoServerLoader.loadCatalog(DefaultGeoServerLoader.java:36)
              at org.geoserver.config.GeoServerLoader.postProcessBeforeInitialization(GeoServerLoader.java:264)
              at org.geoserver.config.GeoServerLoaderProxy.postProcessBeforeInitialization(GeoServerLoaderProxy.java:59)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:409)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1620)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:555)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
              at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
              at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
              at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
              at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
              at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
              at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:296)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
              at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
              at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
              at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
              at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
              at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
              at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
              at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
              at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1531)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1276)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
              at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
              at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
              at org.springframework.beans.factory.support.ConstructorResolver.resolveConstructorArguments(ConstructorResolver.java:648)
              at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:145)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
              at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
              at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
              at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
              at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
              at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
              at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
      Caused by: org.geoserver.config.util.SecureXStream$ForbiddenClassExceptionEx: Unauthorized class found, see logs for more details on how to handle it: org.geotools.coverage.grid.io.OverviewPolicy
              at org.geoserver.config.util.SecureXStream$DetailedSecurityExceptionWrapper.realClass(SecureXStream.java:175)
              at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
              at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
              at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
              at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:72)
              at com.thoughtworks.xstream.converters.collections.MapConverter.putCurrentEntryIntoMap(MapConverter.java:110)
              at com.thoughtworks.xstream.converters.collections.MapConverter.populateMap(MapConverter.java:98)
              at com.thoughtworks.xstream.converters.collections.MapConverter.populateMap(MapConverter.java:92)
              at com.thoughtworks.xstream.converters.collections.MapConverter.unmarshal(MapConverter.java:87)
              at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
              ... 122 more
      Caused by: com.thoughtworks.xstream.security.ForbiddenClassException: org.geotools.coverage.grid.io.OverviewPolicy
              at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
              at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
              at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
              at org.geoserver.config.util.SecureXStream$DetailedSecurityExceptionWrapper.realClass(SecureXStream.java:150)
              ... 131 more
      

      This causes the coverage layer to be deleted from the catalog configuration upon catalog config reload or restart of GeoServer.

      This issue is likely related to GEOS-8642, which mentions boolean being confused with string for some cases.
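
      Added example, not part of the original report or of GeoServer's code: a pre-restart check that lists coverage parameters whose value element is a fully qualified class name not covered by a GEOSERVER_XSTREAM_WHITELIST-style pattern list. The `<parameters>`/`<entry>` layout of the sample, the function names, and the meaning of a single `*` (modelled on XStream's wildcard permissions) are assumptions; GeoServer's built-in allowlist is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a coverage.xml fragment (layout assumed, not taken from the report).
SAMPLE = """<coverage>
  <parameters>
    <entry>
      <string>OVERVIEW_POLICY</string>
      <org.geotools.coverage.grid.io.OverviewPolicy>QUALITY</org.geotools.coverage.grid.io.OverviewPolicy>
    </entry>
    <entry>
      <string>USE_JAI_IMAGEREAD</string>
      <boolean>true</boolean>
    </entry>
  </parameters>
</coverage>"""


def pattern_to_regex(pattern):
    """Assumed wildcard semantics: '**' spans packages, '*' stays inside one."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^.]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


def unauthorized_parameter_types(coverage_xml, allowlist=""):
    """Return sorted (parameter key, class name) pairs the allowlist does not cover."""
    patterns = [pattern_to_regex(p.strip()) for p in allowlist.split(";") if p.strip()]
    hits = set()
    for params in ET.fromstring(coverage_xml).iter("parameters"):
        for entry in params.findall("entry"):
            children = list(entry)
            if len(children) != 2:
                continue  # not a key/value pair, nothing to check
            key, value = children
            # A dotted element name is a class name the loader must resolve;
            # short aliases such as <string> or <boolean> are not.
            if "." in value.tag and not any(p.match(value.tag) for p in patterns):
                hits.add(((key.text or "").strip(), value.tag))
    return sorted(hits)


if __name__ == "__main__":
    for key, cls in unauthorized_parameter_types(SAMPLE):
        print(f"{key}: {cls} is not covered by the allowlist")
```

      Run against each coverage.xml in the data directory before a reload, an empty result means no parameter entry depends on a class name outside the supplied patterns.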

            People

            • Assignee:
              aaime Andrea Aime
              Reporter:
              steve.omondi Steve Omondi