GeoServer 3 Status Report How We Got Here How It’s Going 

Andrea Aime Technical Lead [email protected] @geowolf GeoSolutions Innovative, robust, cost-effective solutions leveraging best-of-breed Open Source products. This presentation is brought to you by 2 Jody Garnett Product Owner [email protected] @[email protected] GeoCat Government Geographic Data publishing Gabriel Roldan Geospatial Solutions Architect [email protected] linkedin.com/in/gabriel-roldan Camptocamp Innovative solutions by open source experts 

GeoServer at a Glance Java Web Application to share and edit geospatial data. Publish data from any major spatial data source using open standards. Core Protocols WMS – maps WFS – vector WFS-T – editing WCS – coverage WMTS – tiles TMS – tiles WMS-C – tiles Extension/community protocols WPS – process CSW – search OGC API - Features - vector OGC API - json + rest standards OGC STAC - spatio-temporal asset catalogue 3 Core Contributors 2025 sponsors 

March 2027 September 2025 2.27.x Releases covered by this presentation YOU ARE HERE 2.28.x March 2026 2.28.x 4 September 2026 3.0.x 3.0.x 3.0.x 

2024 Roadmap Challenge Change of Approach for Public Planning 5 

GeoServer is built on top of Spring, a popular framework used to build web applications (among other things) GeoServer uses Spring 5.3, EOL August 2024 Just upgrade to Spring 6… no? Not so fast. Spring 6 requires: ● Java EE → Jakarta EE ● Java 11 → Java 17 The Java upgrade avalanche…. starts in Spring! 6 Spring 5 → 6 JavaEE → Jakarta EE Java 11 → Java 17 Spring security 5 → 6 

Java Enterprise Edition, a platform/API to develop enterprise and web applications Among others, provides the basics for writing a web application, known as a Servlet (input, output, parameter parsing, HTTP headers and so on) Java EE is dead… and donated to Eclipse Foundation as new Jakarta EE project, which uses different package names and a new API → incompatible with older libraries Once Jakarta EE is adopted, all users for Java EE need to switch to it → Wicket 7 uses Java EE, we need Wicket 10! Java EE to Jakarta EE 7 JavaEE → Jakarta EE Wicket 7 → Wicket 10 Java 11 → Java 17 

Wicket is the UI framework used by GeoServer Upgrading it is normally expensive, and hard to get funds Back in 2016, code sprint in Victoria Wicket 1.4 -> 6.0 and then 6.0 -> 7.0: 10 people working full time for a week, plus some remote participants Now we need to do: ● Wicket 7 → Wicket 8 (java 11, Java EE) ● Wicket 8 → Wicket 9 (java 11, Java EE) ● Wicket 9 → Wicket 10 (java 17, Java EE) Wicket migration 8 

● GeoServer current uses Java 11+ ● But Spring 6 and Wicket 10 require Java 17 ● We need to migrate the whole codebase to use Java 17, plus some dependencies ● Java 17 offers new functionality but it’s stricter ● Java Advanced Imaging (used for raster processing) performs a few operations that are not allowed ● Warnings for the moment, but eventually they will be blocked! ● We need to do something about JAI! Java 11 to Java 17 9 Java 11 → Java 17 JAI → ImageN 

● Java Advanced Imaging is not open source… how do we make compatible with Java 17? ● Jody had Oracle donate its sources to the Eclipse Foundation under Apache license ● Rebranded as ImageN ● We can fix that one and switch GeoTools/GeoServer to user it ● It’s a lot of work! Java Advanced Imaging to … ImageN 10 

● We need to upgrade Spring security to 6 ● Incompatible changes ○ CAS support ○ OAuth support ● Community modules (popular ones): ○ OAuth ○ OpenID connect ● Are built on a library that is not compatible with Spring Security 6 ● Wholesale rewrite needed! Back to Spring… security! 11 Spring security 5 → 6 OAuth/OpenID connect modules rewrite Spring 5 → 6 

The Java upgrade avalanche…. A visual summary 12 Spring 5 → 6 JavaEE → Jakarta EE Wicket 7 → 10 Tomcat 9 → 10 Spring security 5 → 6 OAuth/OpenID connect modules rewrite Java 11 → Java 17 Jetty 9 → 12 JAI → ImageN 

We have a lot of work to do … how do we fund and organize it for minimal disruption? Buildings block switch view 13 Java Enterprise Edition Java 11 GeoTools Spring Security 5.7.10 Wicket 7 GeoServer 2.24 Spring Framework 5.3.27 JAI 1.1.3 ImageIO 1.1 JAI-EXT ImageIO-Ext Tomcat 9 Jetty 9.4 GeoWebCache GeoFence mapfish-print-v2 Jakarta Enterprise Edition 10 Java 17 GeoTools Spring Security 6.1 GeoServer 3.0 Spring Framework 6 ImageN 1.0 ImageIO 1.1 ImageIO-Ext Tomcat 11 Jetty 12 GeoWebCache GeoFence mapfish-print-v2 ImageN-EXT Wicket 10 

Initial community response: Wicket Updates Wicket 8→9 - Migration: Wicket 9 update - CSP: Content Security Policy headers - Restrictions to mitigate vulnerabilities - Combo of community testing - Dialog: Wicket 9 deprecates “dialog” - Wicket 10 drops completely! - Asking us to roll our own! - Thanks to David for implementing this - GeoServer 2.27.0: - Delayed release to get Wicket dialog - testing: release candidate → nightly build - CSP testing was laborious, public release very valuable to stabilizing this work 14 Wicket 7→8 - Migration: Single developer (Brad Hards) started work in 2024! - Community lacked capacity to review and address feedback - Peter and Jody shared a test plan, noting what screens have been changed - However very difficult to provide instructions on how to find each screen - GeoServer 2.25.x: - Wicket 8 missed the release window - Work was continued in Draft for 2.26.x 2.26.0 Community BradHards Dave Blasby 

Consortium response to 2024 Roadmap Challenge Call for Crowdfunding 15 

Company consortium - Call for Crowdfunding! 16 Roadmap challenge did not update GeoServer “in time” for Spring Framework 5.3 EOL. Three companies stood up and started organizing the upgrade, contacting their customers and the larger community: ● More work than any one company! ● More funding than any one customer :) ● A detailed plan and target funding ● Collecting interested parties ● Regular meetings, progress updates 

So many changes… 17 ● We never attempted such a large change ● But it must be done to ensure GeoServer future ● So many changes deserve a new name 3 

GeoServer 3: the funding 18 ● Funding secured! Took several months of relentless work from the 3 companies ● Some of the work came in as in-kind donations ● We can still use extra funds, we’re going to use them to make GeoServer 3 better Crowdfunding page [email protected] Online pledge form 

19 Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp. 

GeoServer 3: the plan 20 May-Sept 2025 Oct-Dec 2025 Jan-Mar 2026 

Milestone 1 Preparation (in progress) 21 

● In M1 we get as close as possible to the intended upgrades, without breaking anything ● Any change we perform still works on Java 11 and Spring 5 ● Results collected in standard GeoServer series: ○ 2.27.0 ○ 2.28.0 M1 preparation: nearing the precipice 22 

Andreas Watermeyer ● Getting to Spring Security 6 can only be done along with Spring 6 ● However, preparations can be done: ○ Upgrading to the latest Spring Security 5.8 (done) ● Provided in-kind by Andreas Watermayer GeoServer 2.28: Spring Security upgrade 23 2.26.0 ITS Digital Solutions GmbH 

● OAuth modules cannot be upgraded, they are being rewritten from scratch (landed, but still WIP): GeoServer 2.28: OAuth community modules 24 Andreas Watermeyer 2.28.0 ITS Digital Solutions GmbH 

● We have to switch a lot of dependent libraries ● The three projects (GEoTools, GeoWebCache, GeoServer) need to be consistent ● Centralizing all dependencies management in a single BOM file used by all 3 projects ● Will make it easier to switch dependencies in the future GeoServer 2.28: Centralized Bills Of Materials 25 2.28.x Gabriel Roldan GeoServer 3 

● Spring 6 requiring Java 17 as the minimum means that everything depending on it also has to set that minimum version → GeoServer and GeoWebCache ● However, GeoTools is also developed in tandem with the other two → switch to Java 17 as well ● Changes landed one early July 2025… massive! (next slide) ● More changed yet to land! ● OpenRewrite automated migration to Java 17 ● Will make the code use 17 coding patterns GeoServer 2.28: Java 17 as the minimum 26 2.28.x Gabriel Roldan GeoServer 3 OPENREWRITE 

GeoServer 2.28: Java 17 as the minimum 27 2.28.x Gabriel Roldan GeoServer 3 

● Jody got the sources of JAI as donated to Eclipse as open source, (and called the result ImageN so you can “imagine” what you want to visualize). ● ImageN can be modified to comply with Java 17 ● Also, it can be made more modern ○ Reduce code synchronization, increasing scalability ○ Removing “finalizers” ● There is a catch… it does not have a single test! GeoServer 2.28: ImageN 28 2.28.x GeoSolutions GeoCat GeoServer 3 

● GeoServer/GeoTools actually use JAI-EXT ● What? Yes, JAI raster operators are pluggable ● JAI-EXT replaces most of them to add ○ Modular structure ○ Bug fixes ○ Performance improvements ○ NoDATA support ● Guess what? JAI-EXT has tests! ● Combine! ○ Take JAI operators superceded by JAI-EXT and move them into a legacy module ○ Merge JAI-EXT into ImageN GeoServer 2.28: ImageN + JAI-EXT 29 2.28.x GeoServer 3 GeoSolutions GeoCat 

● Code sprint in May, 4 devs, one week ● Got about 50% of the way ● Will use the FOSS4G EU code sprint to march on ○ Andrea and Jody, 2 days GeoServer 2.28: ImageN + JAI-EXT 30 2.28.x GeoServer 3 GeoSolutions GeoCat 

Milestone 2 Migration 31 

● Oracle dropped Java Enterprise Edition ● Project donated to the Jakarta foundation for future development ● It contains all the basics for web development (Servlet, Filters, …) ● Jakarta EE provides the same concepts, with newer API, and a different Java Package ● An application can be either Java EE or Jakarta EE, mix is not allowed ● Spring 6 requires Jakarta EE! ● Jakarta EE applications require a different servlet container too GeoServer 3: Jakarta EE 32 ● Java EE ○ Up to Tomcat 9 ○ Up to Jetty 9 ● Jakarta EE ○ Tomcat 10+ ○ Jetty 10+ Switch all GeoWebCache and GeoServer code to Jakarta EE 3.0.x GeoServer 3 GeoServer 3 

● Java Architecture for XML Binding ● XML/Java bean mapping library ● Jakarta EE inherited that too ● Used in: ○ ImageIO-EXT (parsing GDAL XML sidecar files), ○ GeoTools (image mosaic, netcdf, raster attribute tables)ù ○ GeoServer (security, mapml) ● Initial work by community and Andrea, to be completed Jakarta EE aside: JAXB 33 3.0.x GeoServer 3 GeoServer 3 

● Upgrade all of the code to use Spring 6 ● Upgrade all code to use Spring Security 6 ● OpenRewrite recipe to do part of the work ● Central Authentication Service module migration Spring 6 and Spring 6 security 34 3.0.x GeoServer 3 GeoServer 3 

● Starting from Spring 5 rewrite of the old Oauth modules ● Generalize OAuth2 module - split into plugins ● Migrate to Spring 6 Oauth 2, OpenId connect, Keycloak 35 3.0.x GeoServer 3 GeoServer 3 

● Wicket 10 requires jakarta EE and Java 17, can only be done in M2 ● Stricter Content Security Policy rules enabled by default ● API changes ● OpenRewrite recipe to initiate the move ● Make it compile, all the tests pass, and then start the CSP fun GeoServer 3: Wicket 10 36 3.0.x GeoServer 3 GeoServer 3 

● Printing module ● Still based on Mapfish print 2 (version 3 is incompatible config wise) ● Will migrate it to Jakarta EE/Spring 6/… Mapfish Print 37 3.0.x GeoServer 3 GeoServer 3 

● The code bridging OGC API to GeoServer (OGC API dispatcher) is complex ● Basically bringing an unified view between classic services and OGC APIs ● Same callbacks for: ○ Control flow (traffic control) ○ Service security control ○ Response overrides (e.g. features templating) ● Quite sensitive to API changes (use public Spring API, but not the type that’s fully documented) OGC API modules 38 3.0.x GeoServer 3 GeoServer 3 

● GeoServer core and extensions module build ● GeoServer 3 starts up and mostly works in the embedded jetty ● General development can resume Expected status at the end of M2 39 3.0.x GeoServer 3 GeoServer 3 

Milestone 3 Delivery 40 

● Deploy and verify it works ● Update Docker image to Java 17/Tomcat 10 Tomcat 10/11, Docker image 41 3.0.0 GeoServer 3 GeoServer 3 

● The GeoServer UI is dated (16+ years old) ● CSS refresh for the UI to make it more modern ● Generalize reference to services (e.g. maps not WMS, tiles not WMTS) ● Better handling of mobiles maybe? UX refactor 42 3.0.0 GeoServer 3 GeoServer 3 

● Test integration with avid users of the GeoServer services ○ GeoNode (REST API, Authentication, OGC services) ○ MapStore (OGC services, authentication, various WPS) ● Identify and fix any issue Upstream testing: GeoNode, MapStore 43 3.0.0 GeoServer 3 GeoServer 3 

● Two related, but separate, advanced authorization systems ● Also code heavy and in need to be migrated to Jakarta EE/Java 17 ● Apply code migrations, lessons learned, and test Upstream testing: GeoNode/GeoServer ACL 44 3.0.0 GeoServer 3 GeoServer 3 

● GeoServer Cloud has a significant portion of code ○ Apply automatic migrations and lessons learned from GeoServer ○ Fix as needed Upstream migration and testing: GeoServer Cloud 45 3.0.0 GeoServer 3 GeoServer 3 

● GeoServer has lots of community modules! ○ After M2 at best the will compile ○ some might be kicked out! ○ This is an area where “in-kind” participation is very welcome ● The final part of the funding will be used to recover and make usable as many community modules as possible ● Priority set: cog, elasticsearch, features-templating, geoparquet, graticule, gwc-azure-blob, hz-cluster, jdbcconfig, jdbcstore, jms-cluster, jwt-headers, libdeflate, ncwms, oseo, ogcapi, pgconfig, proxy-base-ext, rest-openapi, schemaless-features, smart-data-loader, stac-datastore, vector-mosaic, wfs-freemarker, wps-longitudinal-profile Community modules 46 3.0.0 GeoServer 3 GeoServer 3 

● Starts up and works in Tomcat, Jetty, Docker, installers ● All core and extensions modules work ● Passes OGC compliance tests ● New OAuth2 modules work properly ● Most important community modules are preserved ● Transparently reads and upgrades from a GeoServer 2 data directory Final expected state 47 3.0.0 GeoServer 3 GeoServer 3 

Thanks! 48 

49 Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.