Geoserver object names cannot contain special characters (dot,...) when the are used in URLs for the REST API.

Description

The class org.springframework.security.web.FilterChainProxy used by org.geoserver.security.GeoServerSecurityFilterChainProxy
changed its default behavior.

The proxy uses an instance of org.springframework.security.web.firewall.StrictHttpFirewall instead of org.springframework.security.web.firewall.DefaultHttpFirewall.

The class StrictHttpFirewall disallows (as default ) the usage of special characters(dot,colon,...) in an URL. As a consequence the GeoServer Rest API cannot handle GeoServer objects ( layers, featuretypes,...) with a special character in their name.

Btw, dots are required by INSPIRE.

Restoring the original behavior can be done by adding the following bean definition

<bean id="defaultFirewall" class="org.springframework.security.web.firewall.DefaultHttpFirewall"/>

to applicationSecurityContext.xml

Should I prepare a pull request for master and 2.14.x ?

Environment

Spring Security Version 4.2.7
Geoserver 2.14.x and master

Status

Assignee

Andrea Aime

Reporter

Christian Mueller

Triage

Fix versions

Affects versions

Components

Priority

High
Configure