We're updating the issue view to help you get more done. 

Geoserver object names cannot contain special characters (dot,...) when the are used in URLs for the REST API.

Description

The class org.springframework.security.web.FilterChainProxy used by org.geoserver.security.GeoServerSecurityFilterChainProxy
changed its default behavior.

The proxy uses an instance of org.springframework.security.web.firewall.StrictHttpFirewall instead of org.springframework.security.web.firewall.DefaultHttpFirewall.

The class StrictHttpFirewall disallows (as default ) the usage of special characters(dot,colon,...) in an URL. As a consequence the GeoServer Rest API cannot handle GeoServer objects ( layers, featuretypes,...) with a special character in their name.

Btw, dots are required by INSPIRE.

Restoring the original behavior can be done by adding the following bean definition

<bean id="defaultFirewall" class="org.springframework.security.web.firewall.DefaultHttpFirewall"/>

to applicationSecurityContext.xml

Should I prepare a pull request for master and 2.14.x ?

Environment

Spring Security Version 4.2.7
Geoserver 2.14.x and master

Status

Assignee

Andrea Aime

Reporter

Christian Mueller

Triage

Fix versions

Affects versions

2.14.1
2.15-RC

Components

Priority

High