Hi, I am struggling, as I can't get a simple layer group to be visible in GetCapabilities response for unauthenticated users. I am fairly certain there is some issue/bug regarding data security and layer groups.
Similar problems have been posted by other users, but I don't see any real solutions in the answers: https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/CADQ3-ytgSi7mF-ap9fukMWKF_hbKcqAPVYN%2BOWHa_NBm%2BxVOJw%40mail.gmail.com/#msg36625778 https://osgeo-org.atlassian.net/browse/GEOS-9376 Use case is to bundle few cascaded layers to a single group, that would be listed for a web app. Listing the layers naturally is done via GetCapabilities. I have a workspace "example.com", which contains the cascaded store, the layers I want to group and the layer group itself. I can see the layer group in the GetCapabilities when I am logged in to Geoserver. But making the same request from unauthenticated browser session results in that layer group disappear from the GetCapabilities document. All advertised "normal layers" in the same workspace list fine in GetCapabilities for both authenticated and unauthenticated users. Result is the same with either SINGLE/OPAQUE CONTAINER/NAMED TREE setting for the layer group. (In the end I would like to set it as OPAQUE CONTAINER). And note: I can make GetMap requests to the layer group, it works fine as it should be! The inconsistency is that it does not appear in the GetCapabilities. I've come to conclusion that there is some inconsistency with the data security settings and layer groups, as eventually I can get the layer group appear in the GetCapablities for unauthenticated users. But this requires to relax security to level which I'm not comfortable with. The starting point with security settings, that make the layer group NOT visible in the GetCapablities for unauthenticated users (but GetMap works): *.*.r=ADMIN *.*.w=GROUP_ADMIN,ADMIN example.*.r=* mode=HIDE I tried adding "example.<layer-group-name>.r=*", no luck. I tried adding "example.<included-layer-name>.r=*", no luck Eventually I tried to remove the "ADMIN" requirement for read all, so the settings became: *.*.r=*. *.*.w=GROUP_ADMIN,ADMIN example.*.r=* mode=HIDE And tada, the layer group appeared to the GetCapabilities document for unauthenticated users. But naturally I would not like to expose everything readable by default. And I am confused, because having the workspace read for everybody works with normal layers, as in they appear in GetCapabilities. But a simple layer group in the workspace is not included in the GetCapabilities. I tried to go through the source code and even some test cases, but I couldn't find anything relevant to this with my limited knowledge of the code base. Can anyone confirm, that there is a problem with this regarding layer groups appearing in GetCapabilities? Or is this an intended feature? I feel it pretty strange, that I can happily make a GetMap request to this layer group, but it doesn't appear in the Capabilities. Thank you very much for any feedback on this. Best regards, Joni _______________________________________________ Geoserver-users mailing list Please make sure you read the following two resources before posting to this list: - Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/ - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users