Why Non-Admin Users Can Access WFS but Not GeoServer REST API

Posted by on

 

πŸ›°️ Why Non-Admin Users Can Access WFS but Not GeoServer REST API (/rest/styles)

Understanding GeoServer’s Security Model and How to Configure Read-Only REST Access


🌍 Background

GeoServer provides two major ways to interact with geospatial data and configurations:

  1. OGC Services (WMS, WFS, WCS, etc.) — used to serve maps and data.

  2. REST API (/geoserver/rest) — used to manage workspaces, stores, layers, and styles.

While WFS/WMS are typically used by clients such as QGIS, OpenLayers, or web apps, the REST API is mostly for administrative automation — creating or updating configurations programmatically.

However, a common confusion arises:

“My normal GeoServer user can access WFS/WMS endpoints but gets 401 Unauthorized when trying to access /geoserver/rest/styles.”

This article explains why that happens and how to safely enable read-only REST API access for non-admin users (e.g., to view or download .sld files).

⚖️ 1. The Root Cause — Two Separate Security Systems

GeoServer maintains two distinct security layers for different endpoint types:

Endpoint Type Example Controlled By Default Access
OGC Services (WMS, WFS, WCS) /geoserver/wfs /geoserver/wms Service Security (in GeoServer UI) Often public or role-restricted
REST API (Admin interface) /geoserver/rest/styles /geoserver/rest/layers security/rest.properties (in data directory) Admin-only by default

🌐 2. Why WFS Works for Non-Admins

The Service Security settings in GeoServer UI allow flexible control:

GeoServer → Security → Service Security

Here you can define which roles or users can access WFS/WMS/WCS services.
So, if your new user has a role such as ROLE_USER or even anonymous access enabled, WFS requests like:

https://yourdomain.com/geoserver/wfs?service=WFS&request=GetCapabilities

will work without issue.

πŸ”’ 3. Why /rest/styles Fails

When you access:

https://yourdomain.com/geoserver/rest/styles

you are using the REST configuration API, not the public OGC services.

GeoServer checks the file:

GEOSERVER_DATA_DIR/security/rest.properties

This file defines which roles are allowed to use HTTP methods (GET, POST, PUT, DELETE) on the REST API.

Default configuration (admin-only)

GET=ROLE_ADMINISTRATOR POST=ROLE_ADMINISTRATOR PUT=ROLE_ADMINISTRATOR DELETE=ROLE_ADMINISTRATOR

This means only users with the administrator role can perform any REST operation — even simple reads.

🧩 4. Granting Read-Only REST Access to Other Users

To allow other authenticated users to view styles (or other resources) without being full admins, modify the same file:

✅ Example: Allow ROLE_USER or ROLE_AUTHENTICATED to GET

# Allow GET for admin and regular authenticated users GET=ROLE_ADMINISTRATOR,ROLE_USER,ROLE_AUTHENTICATED # Restrict write operations to admins only POST=ROLE_ADMINISTRATOR PUT=ROLE_ADMINISTRATOR DELETE=ROLE_ADMINISTRATOR

Then restart GeoServer for changes to apply.

πŸ” 5. Restarting GeoServer

Depending on your setup:

If GeoServer runs as a service:

sudo systemctl restart geoserver

If under Tomcat:

sudo systemctl restart tomcat9

If standalone:

cd /opt/geoserver/bin ./shutdown.sh ./startup.sh

Verify with:

sudo systemctl status geoserver

πŸ” 6. Creating a Custom Read-Only Role

For finer control, create a dedicated role.

  1. In GeoServer UI:

    • Go to Security → Roles

    • Add a new role, e.g. ROLE_REST_READER

  2. Assign this role to the user.

  3. Update rest.properties:

    GET=ROLE_ADMINISTRATOR,ROLE_REST_READER POST=ROLE_ADMINISTRATOR PUT=ROLE_ADMINISTRATOR DELETE=ROLE_ADMINISTRATOR

  4. Restart GeoServer.

Now only users with ROLE_REST_READER can list or fetch style .sld files via the REST API.

🌍 7. Accessing Styles via REST

Once configured, the following endpoints work:

Purpose URL Example Output
List all styles /geoserver/rest/styles XML/JSON list
Download a specific SLD /geoserver/rest/styles/polygon.sld Raw SLD XML

🧱 8. Making Styles Public via Nginx (Optional)

If you want .sld files to be publicly viewable but keep the rest of the REST API secure, you can use Nginx to safely proxy just those files.

Example Nginx config

# Public read-only access to .sld files location ~* ^/geoserver/styles/(.*\.sld)$ { proxy_pass http://127.0.0.1:8080/geoserver/rest/styles/$1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; # Only allow GET requests limit_except GET { deny all; } }

Now both URLs will work:

https://yourdomain.com/geoserver/styles/polygon.sld https://yourdomain.com/geoserver/rest/styles/polygon.sld

But only GET requests will be allowed — no modification or deletion.

πŸ“Š 9. Understanding /geoserver/styles vs /geoserver/rest/styles

Path Purpose Accessible by Default Notes
/geoserver/styles/polygon.sld Static-like style path ❌ Usually 404 Not exposed unless proxied
/geoserver/rest/styles/polygon.sld REST API endpoint ✅ Admin only Use this for programmatic access

The REST version is the official, supported way to fetch styles.

⚙️ 10. Security Recap

Task Recommended Access
View maps or data Use /wfs or /wms — control via Service Security
Manage configurations Use /rest — control via rest.properties
Allow limited REST reads Create a role like ROLE_REST_READER
Publicly expose only SLDs Use Nginx proxy rules

🧠 Summary

  • WFS/WMS and REST endpoints have completely separate security configurations.

  • Non-admin users can use WFS because Service Security allows it.

  • REST endpoints like /rest/styles are admin-only by default.

  • Use rest.properties to grant specific roles read access (GET only).

  • Restart GeoServer after changes.

  • Optionally use Nginx to safely proxy and expose only .sld files.

πŸ› ️ Example Working Setup (Summary)

rest.properties

GET=ROLE_ADMINISTRATOR,ROLE_REST_READER POST=ROLE_ADMINISTRATOR PUT=ROLE_ADMINISTRATOR DELETE=ROLE_ADMINISTRATOR

Nginx block

location ~* ^/geoserver/styles/(.*\.sld)$ { proxy_pass http://127.0.0.1:8080/geoserver/rest/styles/$1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; limit_except GET { deny all; } }

Commands

sudo systemctl restart geoserver sudo systemctl status geoserver

πŸš€ Conclusion

GeoServer’s REST API is powerful but deliberately restricted for security reasons.
Understanding that it’s separate from OGC service access helps avoid confusion.

By tuning rest.properties and optionally using Nginx, you can:

  • Keep your GeoServer secure

  • Allow safe read-only REST access

  • Provide public .sld downloads for users or applications


Naba Kumar Chouhan

Comments

Post a Comment