Virtual Service broken access when restricting permissions to a dataset

[thhomas]

Expected Behavior

I just created a brand new dataset geonode:pac_coastline and published it (visible on the demo platform here). Its default share rules are:

• Anonymous: Download
• Registered members: None With this setup, as an anonymous user, I am able to use its layer service and especially the WMS GetCapabilities

Now, I want to shift down the access to this dataset and giving anonymous users only view access. I change the share settings to:

• Anonymous: View
• Registered members: None

I should still be able as an anonymous user to use the layer service WMS GetCapabilities since the access is set to View.

Actual Behavior

But instead, I get a tomcat error message:

Steps to Reproduce the Problem

1. Upload a brand new dataset and publish it or use this one uploaded on the demo platform
2. Set the Share permissions to Download for anonymous user (got Resource>Share)
3. Access the virtual service WMS GetCapabilities without credentials (Incognito Window) (url)
4. Set the Share permissions to View for anonymous user (got Resource>Share)
5. Try to access the virtual service WMS GetCapabilities again and you have an error message.

Specifications

• GeoNode version: 4.4.x (visible on the demo version)
• Installation type (vanilla, geonode-project): the online demo version
• Installation method (manual, docker): the online demo version
• Platform:
• Additional details:

[giohappy]

I was able to reproduce this strange behaviour. The layer is available inside the global capabilities document for anonymous users but the layer 's capabilities is not allowed (it works for admin and owner).

I haven't tested master branch yet.

[etj]

Local test on GeoServer Version 2.27.1

Download access

getcapa available at http://10.10.100.5/geoserver/geonode/pat_po/ows?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities

Only view access

GetCapa returns 404

curl -i 'http://10.10.100.5/geoserver/geonode/pat_po/ows?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities'
HTTP/1.1 404 
Server: nginx/1.25.3
Date: Tue, 05 Aug 2025 10:05:22 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 683
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Security-Policy: base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';, frame-ancestors 'self';
Set-Cookie: JSESSIONID=xxx; Path=/geoserver; HttpOnly
Content-Language: en

<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.106</h3></body></html>

GeoFence is blocking the request indeed:

GeoFence log:

05 Aug 10:08:29 DEBUG  [geoserver.geofence] - Getting access limits for workspace geonode
05 Aug 10:08:29 DEBUG  [geoserver.geofence] - Getting access limits for Layer pat_po + containers
05 Aug 10:08:29 DEBUG  [geoserver.geofence] - IP source address found in Spring Request
05 Aug 10:08:29 DEBUG  [geoserver.geofence] - Setting user for filter: anonymous
05 Aug 10:08:29 DEBUG  [geoserver.geofence] - ResourceInfo filter: RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 DEBUG  [geofence.cache] - Request for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 DEBUG  [geofence.cache] - Loading RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 INFO   [services.RuleReaderServiceImpl] - Requesting access for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 DEBUG  [services.RuleReaderServiceImpl] - Filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+] is matching the following Rules:
05 Aug 10:08:29 DEBUG  [services.RuleReaderServiceImpl] -     Role:ROLE_ANONYMOUS
05 Aug 10:08:29 DEBUG  [services.RuleReaderServiceImpl] - No rules matching filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 DEBUG  [services.RuleReaderServiceImpl] - Filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+] on role ROLE_ANONYMOUS has access null
05 Aug 10:08:29 WARN   [services.RuleReaderServiceImpl] - No access for filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 INFO   [services.RuleReaderServiceImpl] - Returning AccessInfo[grant:DENY admin:false] for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:DEFAULT req:DEFAULT sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:08:29 DEBUG  [geoserver.geofence] - Returning mode HIDE for resource FeatureTypeInfoImpl[pat_po]
05 Aug 10:08:29 DEBUG  [geoserver.geofence] - Returning VectorAccessLimits [readAttributes=null, writeAttributes=null, writeFilter=Filter.EXCLUDE, readFilter=Filter.EXCLUDE, mode=HIDE] for layer pat_po and user anonymous

[etj]

At first sight serv:DEFAULT req:DEFAULT will only match rules with service="*" and equest="*", so rule 4 (having service="WMS") will not be selected

[etj]

Also note that a getCapa on the whole workspace does return the layer:

curl -is 'http://10.10.100.5/geoserver/geonode/ows?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities' | grep -C3 pat_po
      <BoundingBox CRS="EPSG:32647" minx="-5458943.763446136" miny="9771492.090069951" maxx="-4984546.6426488245" maxy="1.0242201322835915E7"/>
      <BoundingBox CRS="EPSG:32736" minx="-1430213.4804638035" miny="1.4883429258273883E7" maxx="-1137464.7767604406" maxy="1.519687874743429E7"/>
      <Layer queryable="1" opaque="0">
        <Name>pat_po</Name>
        <Title>pat_po</Title>
        <Abstract/>
        <KeywordList>
          <Keyword>pat_po</Keyword>
          <Keyword>features</Keyword>
        </KeywordList>
        <CRS>EPSG:3003</CRS>

In this case GeoFence is requested rules with serv:"WMS"+ req:"GETCAPABILITIES"+ and the previous bad filter is not causing errors:

05 Aug 10:22:19 DEBUG  [geoserver.geofence] - Getting access limits for Layer pat_po + containers
05 Aug 10:22:19 DEBUG  [geoserver.geofence] - IP source address found in OWSRequest
05 Aug 10:22:19 DEBUG  [geoserver.geofence] - Setting user for filter: anonymous
05 Aug 10:22:19 DEBUG  [geoserver.geofence] - ResourceInfo filter: RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:22:19 DEBUG  [geofence.cache] - Request for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:22:19 DEBUG  [geofence.cache] - Loading RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:22:19 INFO   [services.RuleReaderServiceImpl] - Requesting access for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:22:19 DEBUG  [util.FilterUtils] - ADDED Rule[id:45 pri:4 srv:WMS ws:geonode l:pat_po acc:ALLOW]
05 Aug 10:22:19 DEBUG  [services.RuleReaderServiceImpl] - Filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+] is matching the following Rules:
05 Aug 10:22:19 DEBUG  [services.RuleReaderServiceImpl] -     Role:ROLE_ANONYMOUS
05 Aug 10:22:19 DEBUG  [services.RuleReaderServiceImpl] -     Role:ROLE_ANONYMOUS ---> Rule[id:45 pri:4 srv:WMS ws:geonode l:pat_po acc:ALLOW]
05 Aug 10:22:19 DEBUG  [services.RuleReaderServiceImpl] - Filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+] on role ROLE_ANONYMOUS has access AccessInfoInternal[grant:ALLOW]
05 Aug 10:22:19 INFO   [services.RuleReaderServiceImpl] - Returning AccessInfo[grant:ALLOW admin:false] for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"10.10.100.5"+ date:"2025-08-05"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"pat_po"+]
05 Aug 10:22:19 DEBUG  [geoserver.geofence] - Returning mode HIDE for resource FeatureTypeInfoImpl[pat_po]

[etj]

It seems that Dispatcher.REQUEST.get() returns null in calls in the form

http://localhost:8080/geoserver/WORKSPACENAME/LAYERNAME/ows?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities

while

http://localhost:8080/geoserver/WORKSPACENAME/ows?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities

request is not null and contains both service and request

[etj]

GeoServer launched via

MAVEN_OPTS="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,address=4000,server=y,suspend=n -Dgeofence-ovr=file:$(pwd)/geofence_datasource.properties" JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 mvn jetty:run -Pgeofence-server-h2

Request is

curl -is 'http://localhost:8080/geoserver/ws/PAT_PO/ows?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities'

Breakpoint in geofence module code where request is found to be null:

GeoServer stacktrace

   java.lang.Thread.State: RUNNABLE
	at org.geoserver.geofence.RuleFilterBuilder.withRequest(RuleFilterBuilder.java:45)
	at org.geoserver.geofence.GeofenceAccessManager.buildRuleFilter(GeofenceAccessManager.java:709)
	at org.geoserver.geofence.GeofenceAccessManager.getAccessLimits(GeofenceAccessManager.java:381)
	at org.geoserver.geofence.GeofenceAccessManager.getAccessLimits(GeofenceAccessManager.java:356)
	at org.geoserver.security.ResourceAccessManagerWrapper.getAccessLimits(ResourceAccessManagerWrapper.java:220)
	at org.geoserver.security.CatalogFilterAccessManager.getAccessLimits(CatalogFilterAccessManager.java:61)
	at org.geoserver.security.SecureCatalogImpl.buildWrapperPolicy(SecureCatalogImpl.java:891)
	at org.geoserver.security.SecureCatalogImpl.buildWrapperPolicy(SecureCatalogImpl.java:841)
	at org.geoserver.security.SecureCatalogImpl.checkAccess(SecureCatalogImpl.java:649)
	at org.geoserver.security.SecureCatalogImpl.checkAccess(SecureCatalogImpl.java:555)
	at org.geoserver.security.SecureCatalogImpl.getLayerByName(SecureCatalogImpl.java:345)
	at org.geoserver.catalog.impl.AbstractFilteredCatalog.getLayerByName(AbstractFilteredCatalog.java:269)
	at org.geoserver.catalog.impl.AbstractCatalogDecorator.getLayerByName(AbstractCatalogDecorator.java:463)
	at org.geoserver.catalog.impl.LocalWorkspaceCatalog.getLayerByName(LocalWorkspaceCatalog.java:264)
	at org.geoserver.ows.OWSHandlerMapping.lookupHandler(OWSHandlerMapping.java:79)
	at org.springframework.web.servlet.handler.AbstractUrlHandlerMapping.getHandlerInternal(AbstractUrlHandlerMapping.java:151)
	at org.springframework.web.servlet.handler.AbstractHandlerMapping.getHandler(AbstractHandlerMapping.java:499)
	at org.springframework.web.servlet.DispatcherServlet.getHandler(DispatcherServlet.java:1266)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1048)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:965)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
	at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:292)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:28)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:70)
	at org.geoserver.ows.HTTPHeadersCollector.doFilter(HTTPHeadersCollector.java:48)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:67)
	at org.geoserver.filters.HTTPMethodFilter.doFilter(HTTPMethodFilter.java:36)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:67)
	at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:181)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:67)
	at org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:41)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:39)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:352)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter.doFilter(GeoServerAnonymousAuthenticationFilter.java:52)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:168)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.geoserver.security.filter.GeoServerBasicAuthenticationFilter.doFilter(GeoServerBasicAuthenticationFilter.java:80)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilterInternal(GeoServerSecurityContextPersistenceFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
	at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:139)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.SecurityHeadersFilter.doFilter(SecurityHeadersFilter.java:116)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
	at org.eclipse.jetty.server.HttpChannel$$Lambda$1214/0x00000008411fe840.dispatch(Unknown Source)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.lang.Thread.run([email protected]/Thread.java:829)

Request is set in Dispatcher::handleRequestInternal after the calls to the AccessManager. Breakpoint at line 244: REQUEST.set(request);

GeoServer stacktrace

   java.lang.Thread.State: RUNNABLE
	at org.geoserver.ows.Dispatcher.handleRequestInternal(Dispatcher.java:244)
	at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:177)
	at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:51)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1072)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:965)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1459)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
	at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
	at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:292)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:28)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:70)
	at org.geoserver.ows.HTTPHeadersCollector.doFilter(HTTPHeadersCollector.java:48)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:67)
	at org.geoserver.filters.HTTPMethodFilter.doFilter(HTTPMethodFilter.java:36)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:67)
	at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:181)
	at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:67)
	at org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:41)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:39)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:352)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter.doFilter(GeoServerAnonymousAuthenticationFilter.java:52)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:168)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.geoserver.security.filter.GeoServerBasicAuthenticationFilter.doFilter(GeoServerBasicAuthenticationFilter.java:80)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)
	at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilterInternal(GeoServerSecurityContextPersistenceFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:89)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190)
	at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:139)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.SecurityHeadersFilter.doFilter(SecurityHeadersFilter.java:116)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:53)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
	at org.eclipse.jetty.server.HttpChannel$$Lambda$1214/0x00000008411fe840.dispatch(Unknown Source)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.lang.Thread.run([email protected]/Thread.java:829)

[etj]

The whole error is caused by GEOS-11897 Workaround in GeoFence documented in GEOS-11898 and PR at https://github.com/geoserver/geoserver/pull/8727 (PR on master and backport requested for 2.27.x)

[giohappy]

So this will be available with GS 2.27.3 (October 2025).