WMTS tile requests fail with "RequestRejectedException: The request was rejected because the URL was not normalized"

Description

RESTful WMTS tile requests can fail on GeoServer 2.14 in default configuration, even with the default dataset. The exception comes from Springs' StrictHttpFirewall: "RequestRejectedException: The request was rejected because the URL was not normalized.". Exception is triggered any time two slashes appear in the URL path (//).

For a specific example, take "tasmania" layer in the default dataset. It has a single unnamed style and a ResourceURL template:

When a compliant WMTS client fills out the URL template, it replaces {{style}} with an empty string and sends a request for http://mydomain/geoserver/gwc/rest/wmts/tasmania//EPSG:4326/EPSG:4326:0/0/1?format=image/png. The double-slash in this URL's path triggers Jetty's firewall, and request fails.

A potential workaround here is to avoid making RESTful tile requests, and to use WMTS service via KVP instead. Unfortunately this option is not available for most WMTS clients. I'm not sure if there is a way to customize StrictHttpFirewall options on a GeoServer installation without rebuilding it from source — please let me know if it is.

This problem is not reproducible in 2.13's default configuration.

Potentially related issue: https://osgeo-org.atlassian.net/browse/GEOS-8913

Environment

None

Activity

Show:
Tobias
January 7, 2019, 10:54 AM

I guess that geoserver has updated its spring security dependencies. Recently there was url path checking introduced:

https://docs.spring.io/spring-security/site/docs/4.2.7.RELEASE/apidocs/org/springframework/security/web/firewall/StrictHttpFirewall.html

— Rejects URLs that are not normalized to avoid bypassing security constraints. There is no way to disable this as it is considered extremely risky to disable this constraint. A few options to allow this behavior is to normalize the request prior to the firewall or using DefaultHttpFirewall instead. Please keep in mind that normalizing the request is fragile and why requests are rejected rather than normalized.

An url seems not to be normalized if there are double slashes within the path or "../" parts to access the parent directory.

Here is another issue for this: https://stackoverflow.com/questions/48453980/spring-5-0-3-requestrejectedexception-the-request-was-rejected-because-the-url.

Andrea Aime
February 8, 2019, 10:09 AM

I've made a PR to address this one, anyone wants to review?
https://github.com/geoserver/geoserver/pull/3355

Assignee

Andrea Aime

Reporter

Matvei Stefarov

Triage

None

Fix versions

Affects versions

Priority

Medium
Configure