GeoServer 2.26 and beyond

Andrea Aime Technical Lead [email protected] @geowolf GeoSolutions Innovative, robust, cost-effective solutions leveraging best-of-breed Open Source products. This presentation is brought to you by GeoSolutions 2 Enterprise Support Services Deployment Subscription Professional Training Customized Solutions

GeoServer Releases 2024 Update 3

September 2025 March 2024 2.24.x Releases covered by this presentation YOU ARE HERE 2.25.x September 2024 2.25.x 4 March 2025 2.26.x 2.26.x 2.26.x

● Security fixes for supported versions only ○ In September 2024 “supported” is 2.25.x and 2.25.0 ○ In April 2025 “supported” will mean 2.26.x and 2.27.x ● Please upgrade your GeoServer installations! ● Always two, there are. No more. No less. ○ Balance between stability and encouraging development ○ Easier to get answers - user forum and stack exchange typically cover only supported versions Are you using a older version? Upgrade! Photo by SpaceX on Unsplash 5

Configuration and Setup 6

Demo request page rewritten ● Demo request page rewritten ● Works fully with Javascript, no server side helper ● Can show response in-line, with headers ● Can show response in separate page ● WPS and WCS request builders switched as well 2.25.2+ Dave Blasby GeoCat GeoCat Live

Demo request page, input and output 2.25.2+ Dave Blasby GeoCat GeoCat Live

WCS and WPS request builders 2.25.2+ Dave Blasby GeoCat GeoCat Live

● OGC API services now show up in the home page under their general category ● Old and new services for the same purpose, side by side OGC APIs at home Dave Blasby GeoCat GeoCat Live 2.26.x 10 COM MUN NITY

Mapping Data making a scene! 11

Raster Attribute Table support - .aux.xml sidecar file associating pixel values with various classifications and colors - Generate SLDs out of them and associate with layers - Mimics QGIS RasterAttributeTable plugin - The RAT in the screenshot has 30k entries! - Graduated to extension! 2.25.x Andrea Aime GeoSolutions NOAA 12

AUTO:97004, Geostationary satellite - Extended AUTO code for GeoStationary Satellite projection - Only actual customizable parameter is latitude of origin 2.25.x Andrea Aime GeoSolutions Eumetsat 13 AUTO:97004,9001,0,0 AUTO:97004,9001,90,0

MapML module improvements 14 2.26 Andrea, Joseph, Daniele GeoSolutions Natural Resources Canada ● Maps for HTML initiative ● Have a tag just like we have a tag ● Lots of novelties ○ MapML CRS authority ○ Better WMS integration, WFS viewer ○ MapML vector tiles with CSS client side styling ○ Better multi-layer handling ○ Custom WMS dimensions ○ Output templating with Freemarker

GeoCSS language improvements 15 2.26 Andrea Aime ● Multi-layer styles ● Scale dependencies by zoom level @mode 'Flat'; @TileMatrixSet 'WorldCRS84Quad' tiger:poly_landmarks { /* @title parks and green spaces */ [CFCC in ('D82', 'D32', 'D84', 'D85')] { fill: #B4DFB4; stroke: #88B588; }; … } tiger:tiger_roads [@z > 12] { stroke: #666666, #FFFFFF; stroke-width: 6, 4; z-index: 1, 2; … } tiger:poi [@z > 14] { mark: symbol('circle'), mark-size: 11, 7; … } ♥

WMS Graticules ● Community module (datastore + rendering transformation) ● Add a graticule to your WMS map ● Specify sizes for zoom levels ● Automatically calculate label points for the grid ● Automatically redraws on each zoom or pan. 16 2.25.x Ian Turton Eumetsat COM MUN NITY

Improved Polygon Label Function Improvement: - Automatic “tolerance” based on polygon size - Compare with centroid or envelope center 17 2.26 Andrea Aime GeoSolutions ♥ Tolerance 0.1 (too small for some polygons) Previously: “maximum inscribed circle”: - Rectangle → infinite max circles! - Tolerance → has to be “just” right or this happens (see below)

Improved vector tiles generation 18 2.26 Andrea Aime ♥ @mode "Flat"; tiger:poly_landmarks { fill: gray; vt-attributes: 'CFCC,LANAME'; vt-labels: true; } tiger:tiger_roads [@z > 11] { stroke: black; vt-attributes: 'NAME'; vt-coalesce: true; } tiger:poi [@z > 12] { mark: symbol(square); } ● New vendor option flags to control attributes, polygon label points, geometry merging ● As usual, driven by the style (scale dependencies, filters, and now vendor options too)

Data sources and formats News and Updates 19

GDAL raster sources speed up ● Implementation is using the GDAL API in a more efficient way ● Used to compute statistics on the fly, even if missing (now only if they are pre-computed) ● Used to open the source 2 times per render ● More work planned (will we see a generic GDAL raster store for example?) 2.25.x Andrea Aime GeoSolutions MOSS 20

Image mosaic: min/max merge mode ● Given N overlapping images in a mosaic ● Compute for each overlapping pixel the min or the max value 2.26.x Andrea Aime GeoSolutions Naval Research Laboratory 21

Vector mosaicking store ● Useful to handle thousands of files with similar structure ● Database used only to index them ● Much cheaper than storing everything in a database (on cloud) ● Not suitable if on the fly aggregations are needed ● Great if the end user application mostly pulls a few files (one?) at a time ● Ongoing performance optimizations (best on 2.25.x and newer) 2.25 Joseph Miller, Andrea Aime GeoSolutions TROO/Eumetsat 22 COM MUN NITY

Services News and Updates 23

GWC tile generation speedup 2.26.x Mitchell Bosecke ? 24 - Significant speed up by external contributor! - Changes across the board - Faster PNG encoding for tiles in a MetaTile (ImageIO-EXT) - Less locking contention (GWC) - Better parallelization (Geoserver, merged yesterday on dev branch) Before After

GWC file system “filter parameters” management - GWC creates separate cache for extra request parameters that cause tile contents to change - TIME, CQL_FILTER - STYLES, ENV, VIEWPARAMS, … - Values are not necessarily file system friendly - SHA-1 of params identify them - Mapping between all SHA-1 and its values stored in a single file - Used to cause contention and lockups on the (network) file system - Fixed 2.26.x Andrea Aime GeoSolutions Eumetsat 25 With the previously mentioned fix for #880, in PR #1230, we now get substantial performance improvements with FileBlobStore. This is anywhere between 2x to 12x the performance, in terms of throughput (there are so many variables to our setup that I can't put a precise figure on it - but this, with other config tweaks to allow us to scale, brings us close to the 12x mark) https://github.com/GeoWebCache/geowebca che/issues/1276

- Azure blob store allows storing tiles in Azure blobs - Better cloud integration, lower costs - Some mass tile removal operations paginate over tiles to delete them - Sudden change in behavior meant the pagination would never end… infinite requests. Infinite is … expensive! * termination token switched from null to empty string - Ongoing work to improve Azure blob store (Gabriel Roldan, Camptocamp) - Online tests against Azurite emulator and against actual cloud - Upgrade Azure SDK from 11 to 12 (completely different API, it means a rewrite) Critical fix on Azure blob store 2.24 + Andrea Aime GeoSolutions Strabag 26 COM MUN NITY

● New OGC Standards ○ Self describing OpenAPI ○ REST / JSON ○ Building on from W3C collaboration and STAC / WFS3 progress ● Trying to collect funding to graduate Features to extension There is a full presentation on this topic right after this one! Stay if interested! OGC API community module Andrea Aime GeoSolutions GeoSolutions OGC GeoNovum API Common Maps API Coverages API Implementing (as part of TB14/TB15) Looking for volunteers/sponsors Process API Records API Features API Tiles API Styles API STAC API CITE compliant! 27 COM MUN NITY 2.24 +

● New community module ● Generate GetFeature outputs from the same templates as GetFeatureInfo WFS HTML Freemarker output format Alessio Fabiani GeoSolutions Comune di Genova 2.25.x 28 COM MUN NITY

Distribution 29

Community module packaging reworked 2.25 Andrea Aime GeoSolutions Geopard 30 COM MUN NITY ● 71 community modules, each one with its specific dependencies ● Some dependencies just won’t match (e.g. S3 and Azure blob store ones are not compatible) ● Before: try to force everyone on the same set of dependencies (ideal, but impractical for community modules) ● Now: each one controls what gets packaged in their zip ● Also, COG modules are now split per cloud geoserver-2.24-SNAPSHOT-cog-plugin.zip geoserver-2.25-SNAPSHOT-cog-http-plugin.zip geoserver-2.25-SNAPSHOT-cog-azure-plugin.zip geoserver-2.25-SNAPSHOT-cog-google-plugin.zip geoserver-2.25-SNAPSHOT-cog-s3-plugin.zip

Security Vulnerabilities Same policy, with updated name and now CVE numbers. 31

Disclosure Policy Update (GSIP 220) ● Name Changed ○ “Responsible Disclosure” to “Coordinated Vulnerability Disclosure” ● Policy unchanged: ○ Communicate first ○ Stable and maintenance branches patched ○ Patches are released for downloads ○ Share vulnerability with community ● Communication changed: ○ GeoServer nows provides CVE Numbers ○ Automated scans flag dependencies with known vulnerabilities, only if a vulnerability is confirmed will we provide a CVE number 32 2.24 Jody GeoCat GeoCat Map

CVE-2024-36401 - 9.8 Critical (RCE) ● Unauthenticated Remote Code Execution ○ Exploit using GetMap/GetFeature requests ● June 18th: Patched GeoServer versions were released with an indication to upgrade immediately ○ 2.25.2, 2.24.4, 2.23.6 ● June 30th: CVE and nature of issue announced ● July 1st: Security systems autoscan ● July 2nd: Active exploits in the wild ○ 10k systems vulnerable ● July 15th: CISA’s Known Exploited Vulnerabilities ● August 5th: CISA compliance deadline ○ required for civilian federal government agencies ● September 6th: thehackernews.com update ○ used in multiple campaigns 2.23+ Steve Ikeoka 🔥🔥🔥 33 ● This is what “urgent” looks like: ● GeoSolutions is also sharing with the community patched jars built for customers that could not upgrade ● Available here ● Covered versions: ○ 2.25.1 ○ 2.24.3 ○ 2.24.2 ○ 2.22.2 ○ 2.20.7 ○ 2.19.2 ○ 2.18.0

Community Building Building up some muscle 34

● Geoserver-users Geoserver-devel → OSGeo Discourse ○ Can login with credentials you have and ask (or answer) a question ○ Forum approach allows repetitive questions to stay answered ○ Previously email list has seen a similar level of involvement as gis stackexchange (which is a surprising result) ○ Ability to drop-in and engage without long term commitment ○ GSIP-225 Reducing friction on communication channels 35 2.26 Jody ♥

No more release candidates? ● Developers have been asking for community uptake on RC testing for a while ● It’s a “once every six months” activity ● Response has been tepid/missing ○ But massive thanks to the few that did provide feedback, we love you! ● Time to accept reality: RCs, under this conditions, are just busywork ● GeoServer 2.26.0 will be released directly, without a RC ● Going forward: Help test nightly builds! (docker nightly builds included!) 36 Release Candidate

Roadmap Planning 37

● The community has a very loose “road map”, often missing funds to enact it ● Core developers are mostly employed in companies providing commercial services for GeoServer, or using it in a product, or hosting solution → customer driven (no other significant source of funding) ● Other developers pop up occasionally to provide improvements, fixes and new features they need ● Larger changes require planning and funding! Roadmap - whatever you want to push for Community 38 Everyone ♥

JakartaEE is the latest version of JavaEE API defining a Java “Web Application” Hard almost “all at once upgrade”. Split in 3 phases, we need volunteers and funding. GeoServer 3 crowdfunding campaign 39

We are at a turning point in the Java ecosystem. Spring 5 is no longer supported, but Spring 6 requires switching from JavaEE to Jakarta EE (API break) and Java 17 as the minimum GeoServer 3 crowdfunding campaign 40 Spring 5 → 6 JavaEE → Jakarta EE Wicket 7 → 10 Tomcat 9 → 10 Spring security 5 → 6 OAuth/OpenID connect modules rewrite Java 11 → Java 17 Jetty 9 → 12 JAI → ImageN

● Getting to Spring Security 6 can only be done along with Spring 6 ● However, preparations can be done: ○ Upgrading to the latest Spring Security 5.8 (done) ○ The Auth/OpenID community modules are currently based on outdated libraries ○ An upgrade is not feasible, the API is too different ○ They are being rewritten from scratch (work in progress): GeoServer 3: Spring Security and OAuth 41

● Spring 6 requiring Java 17 as the minimum means that everything depending on it also has to set that minimum version → GeoServer and GeoWebCache ● However, GeoTools is also developed in tandem with the other two → switch to Java 17 as well ● Java Advanced Imaging is performing some operations that are no longer allowed in newer versions of Java. ● Thankfully, Eclipse got the sources of JAI as open source, and called the result ImageN GeoServer 3: Java 17 as the minimum 42

● ImageN can be modified to comply with Java 17 ● Also, it can be made more modern ○ Reduce code synchronization, increasing scalability ○ Removing “finalizers”, which will be removed soon ● There is a catch… it does not have a single test! ● However, JAI-EXT provides replacement JAI operations (bug fixes, NODATA, performance) and has tests → merge it into ImageN and get an initial test coverage ● More tests will need to be written ● Then switch GeoTools, GeoWebCache and GeoServer to use ImageN GeoServer 3: ImageN 43

● Oracle dropped Java Enterprise Edition ● Project donated to the Jakarta foundation for future development ● It contains all the basics for web development (Servlet, Filters, …) ● Jakarta EE provides the same concepts, with newer API, and a different Java Package ● An application can be either Java EE or Jakarta EE, mix is not allowed ● Spring 6 requires Jakarta EE! ● Jakarta EE applications require a different servlet container too GeoServer 3: Jakarta EE 44 ● Java EE ○ Up to Tomcat 9 ○ Up to Jetty 9 ● Jakarta EE ○ Tomcat 10+ ○ Jetty 10+ Switch all GeoWebCache and GeoServer code to Jakarta EE

● Wicket is used to write the GeoServer administration console ● Jakarta EE? Whoops, supported only since Wicket 10 ● GeoServer is using Wicket 7! ● Wicket upgrades are usually a lot of work ● Multi-step process ○ Prepration: Wicket 7 → 8 ○ Preparation: Wicket 8 → 9 ○ Wicket 9 enforces Content Security Policy ■ Browser restricting inline style/inline javascript usage ■ Helps fendig off Cross Site Scripting attacks ■ GeoServer UI has lots of both ○ Wicket 9 →10 can only be done along with all other changes GeoServer 3: Wicket 10 45

GeoServer 3: the plan, 3 phases 46

GeoServer 3: the funding 47 ● It’s going to be a massive amount of work ● We never attempted something of this size before ● Some of the work is being done with “in-kind” donations (AKA developers attacking a single problem and donating the result) ● Much of the work will have to be performed in a large code sprint ○ Several developers ○ For a long time ● We need your support! Crowdfunding page [email protected] Online pledge form

Thanks! 48