GeoServer 2.28.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer recommended for production use. GeoServer 2.28.1 is made in conjunction with GeoTools 34.1, and GeoWebCache 1.28.1.

Thanks to Andrea Aime for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an important upgrade for production systems.

• GEOS-11921 - CVE-2025-21621 - Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format (Moderate)
• GEOS-11922 - CVE-2025-58360 - Unauthenticated XXE via WMS GetMap (High)

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts.

See project security policy for more information on how security vulnerabilities are managed.

Release notes

Improvement:

• GEOS-11950 WMS cascade: fully respect ‘restrict to layer bounds’ flag on GetMap requests

Bug:

• GEOS-4159 Layer from SQL view feature type details not refreshing after editing sql query (and refreshing attributes there)
• GEOS-11930 OGC-API extension breaks security REST API
• GEOS-11963 BlobStorePage breaks when failing to save a blob store configuration
• GEOS-11965 KMZ export incorrectly references remote icon URLs instead of embedding them in the KMZ archive

• GEOS-11981 POST /security/authproviders

  400: Unsupported className

• GEOS-11988 Fix bug: preserve metaTilingThreads=0 in saneConfig()

Task:

• GEOS-11898 GeoFence: issues in evaluation of virtual layer services access
• GEOS-11962 Run CITE tests against Java 17, 21 and 25
• GEOS-11987 ImageN 0.9.1 migration requires renaming of registryFile.jai to registryFile.imagen

For the complete list see 2.28.1 release notes.

Community Updates

Community module development:

• GEOS-11959 New community module GeoWebCache Google Cloud Storage
• GEOS-11961 OSEO layer management: Support creation of image mosaics in CRS other than 4326
• GEOS-11980 Add support for uploading a single parquet file to GeoServer via REST
• GEOS-11983 GSR /query fails with HTTP 500 when where parameter is empty

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.28 Series

Additional information on GeoServer 2.28 series:

• GeoServer 2.28 User Manual
• GeoServer 2025 Q4 Developer Update* Advertise and Enforce Attribute Restrictions

Release notes: ( 2.28.1 | 2.28.0 | 2.28-M0 )

GeoServer 3 is a major upgrade led by a consortium of Camptocamp, GeoSolutions, and GeoCat and backed by a successful crowdfunding activity.

This is a major investment in the future of GeoServer and we are pleased to provide a project update. The GeoServer 3 code sprint completed last week, and we have quite a list of accomplishments to share.

• Photos
• GeoServer 2.28.0
• GeoServer 2025 Q4 Developer Update

Milestone 1 Accomplished

With the release of GeoServer 2.28.0 earlier this month Milestone 1 is officially accomplished. Our goal for Milestone 1 was to clear the decks of as much work as possible before performing the big migration to Spring Framework 6. The key objectives met are:

• Replace the image processing engine, updating from Java Advanced Imaging 1.1.3 to Eclipse ImageN 0.9.0 which was released for the occasion. This is a major technical accomplishment, years in the making, combining the Oracle donation of the JAI codebase with all the work done by GeoSolutions on JAI-Ext.

  The Eclipse ImageN integration was completed for the release of GeoServer 2.28.0. This activity was directly sponsored by the Office of Public Works.

• Java 17 LTS minimum, and related maven “bill-of-materials” improvements, making it easier to manage the vast quantity of updates planned for Milestone 2.

• Replacement for GeoServer OAuth2 support with a new OAuth2 Open ID Connect module is available to try out today and has been tested (and documented) with Google, GitHub, Microsoft Azure and Keycloak authentication providers. A really nice accomplishment is integration testing with KeyCloak (using test containers) clearing the way for this to be a supported extension in the future. There of course remains work to do, with a list of functionalities to complete by the end of the project.

Milestone 1 was completed a few weeks behind schedule, and we are really happy with the result. Eclipse ImageN is now available to the public and included in GeoServer 2.28.0 for widespread use.

Milestone 2 Code Sprint

GeoSolutions hosted the Milestone 2 code sprint in mid October, arranging perfect weather 🌧️ for a productive indoor gathering.

Prior to the code sprint we performed a code-freeze across five projects, putting external work on hold to allow the team assembled in person to focus. With the path cleared OpenRewrite migrations were performed for JakartaEE, Spring 6.2, Spring Security 6.5, and Wicket 10.

This was followed by manual fixing to get each section to first compile, then pass tests, satisfy the quality assurance checks, and finally to run.

The initial steps went smoothly for ImageIO-Ext and GeoTools. The GeoTools migration took some time out to work on Elasticsearch testing, and updating the http client library to use the same version as the other projects.

For GeoServer careful work was required by the whole team, working module by module. Interesting challenges included:

• Changes made to the Spring Framework URL mapper, to identify which module is responsible for answering a request. Until this was addressed the entire application would compile but not function.
• Some OGC Standards use multi-part HTTP requests, and the Apache Common File Library used to separate out this content does not yet have a stable release for us to depend on.
• The Spring Security 6.5 Update was completed during the code Sprint. This activity was sponsored by the Office of Public Works.

The embedded web applications (GeoWebCache, MapFishPrint and GeoFence) took considerably more work. GeoWebCache in particular was deeply affected by the URL mapper changes, struggling to resolve workspaces and layers when integrated with GeoServer. GeoFence remains in progress and is scheduled to be addressed in Milestone 3.

The code sprint was very successful, it was really effective to have a team meet in person allowing modules to be worked on in parallel. This places the GeoServer 3 project on track and we are confident in meeting the community March release schedule.

Crowdfunding Thanks

We would like to thank all the organizations who have sponsored the GeoServer 3 Crowdfunding activity. We appreciate your trust and recognize your dedication to the GeoServer project.

GeoServer 3 is supported by the following organisation:

Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.

For more information visit the GeoServer 3 Crowdfunding page which provides an overview of the activity as a whole.

GeoServer 2.27.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.27.3 is made in conjunction with GeoTools 33.3, and GeoWebCache 1.27.3.

Thanks to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release addresses security vulnerabilities and is an important upgrade for production systems.

See project security policy for more information on how security vulnerabilities are managed.

Upgrade instructions

Please take note of the Upgrade Instructions, specifically:

• The global setting Unrestricted XML External Entity Resolution has been replaced with the ENTITY_RESOLUTION_UNRESTRICTED application property.

  This change primarily affects application schema users that have not yet adopted ENTITY_RESOLUTION_ALLOWLIST. See update instructions for details.

• Due to a user interface change, it is no longer necessary to generate a masterpw.info when upgrading an older data directory.

  If this file is present from an earlier upgrade, it is still considered a security warning and is noted on the welcome page.

Attribute Restrictions

Layer Feature Type Details has received a major improvement with an Edit attribute dialog making it easier to define the attribute name, description, type, nillability and for the first time restrictions. Attribute restrictions are used limit data values and are included in DescribeFeatureType.

Two types of restrictions are available:

• Options: Used to restrict set of numeric or string values to a provided set.
• Range: Used to restrict numeric values between a minimum inclusive and maximum inclusive limit.

Thanks to Alessandro Ricchiuti (GeoSolutions) for this powerful improvement.

For more information see Feature Type Details in the User Manual.

• GSIP-234 Advertise and Enforce Attribute Restrictions
• GEOS-11937 GSIP 234 - Advertise and Enforce Attribute Restrictions

Legend: Symbology Encoding Functions

This release includes a long-awaited improvement for legend graphic generation - creating a legend graphic when the Symbology Encoding Recode, Interpolate and Categorize functions are used.

<Fill>
  <CssParameter name="fill">
    <ogc:Function name="Recode">
      <!-- Value to Transform -->
      <ogc:Function name="strTrim">
        <ogc:PropertyName>SUB_REGION</ogc:PropertyName>
      </ogc:Function>
      <!-- Map of input to output values -->
      <ogc:Literal>N Eng</ogc:Literal>   <ogc:Literal>#6495ED</ogc:Literal>
      <ogc:Literal>Mid Atl</ogc:Literal> <ogc:Literal>#B0C4DE</ogc:Literal>
      <ogc:Literal>S Atl</ogc:Literal>   <ogc:Literal>#00FFFF</oac:Literal>
      <ogc:Literal>E N Cen</ogc:Literal> <ogc:Literal>#9ACD32</ogc:Literal>
      <ogc:Literal>E S Cen</ogc:Literal> <ogc:Literal>#00FA9A</ogc:Literal>
      <ogc:Literal>W N Cen</ogc:Literal> <ogc:Literal>#FFF8DC</ogc:Literal>
      <ogc:Literal>W S Cen</ogc:Literal> <ogc:Literal>#F5DEB3</ogc:Literal>
      <ogc:Literal>Mtn</ogc:Literal>     <ogc:Literal>#F4A460</ogc:Literal>
      <ogc:Literal>Pacific</ogc:Literal> <ogc:Literal>#87CEEB</ogc:Literal>
    </ogc:Function>
  </CssParameter>
</Fill>

Thanks to Andrea Aime (GeoSolutions) for this improvement on behalf of German Aerospace Center (DLR).

• GEOS-8002 LegendGraphic display using transformation functions (recode, interpolate, categorize)

Release notes

New Feature:

• GEOS-11911 Application property ROOT_LOGIN_ENABLED
• GEOS-11937 GSIP 234 - Advertise and Enforce Attribute Restrictions
• GEOS-11949 Support MS Excel download from WPS-download
• GEOS-8002 LegendGraphic display using transformation functions (recode, interpolate, categorize)

Improvement:

• GEOS-11867 Improve entity resolution
• GEOS-11892 Column mentioning user that performed last modification for layers and stores list UI
• GEOS-11914 Using namespaces parameter with virtual services does not work
• GEOS-11938 Add support for property selection in OGC API Features
• GEOS-11950 WMS cascade: fully respect ‘restrict to layer bounds’ flag on GetMap requests

Bug:

• GEOS-4159 Layer from SQL view feature type details not refreshing after editing sql query (and refreshing attributes there)
• GEOS-11896 WPS map download flips east/west coordinates
• GEOS-11900 CRS:XY syntax builds isolated CRSs that do not leverage the EPSG database transformation library
• GEOS-11902 More compact, easier to maintain conformance configuration UI
• GEOS-11910 JMS Cluster settings Section is not showing properly
• GEOS-11917 INSPIRE configuration does not get properly saved when OGC API module is included
• GEOS-11944 GetLegendGraphic Fails When Using RasterSymbolizer With Interval ColorMap And ENV variables
• GEOS-11946 DirectRasterRenderer may fail on creating AlphaBand from ROI using Lookup

Task:

• GEOS-11813 Create REST API For Security Providers
• GEOS-11814 Create a REST API for Filter Chains
• GEOS-11815 Create authentication filter REST API
• GEOS-11852 Remove master password info page
• GEOS-11853 Clarify keystore vs master vs root password
• GEOS-11854 Generation of security/masterpw.info no longer required
• GEOS-11869 Replace entity resolution setting with application property
• GEOS-11881 Update postgis-jdbc
• GEOS-11898 GeoFence: issues in evaluation of virtual layer services access
• GEOS-11956 Fix build server WfsCompatibilityTest failure (when testing against “local” GeoServer on port 8080)

For the complete list see 2.27.3 release notes.

Community Updates

Community module development:

• GEOS-11885 Smart Data Loader does not support postgresql UUID data type
• GEOS-11887 Features Templating does not returns content type and charset header on OGC-API
• GEOS-11888 Features Templating does not support CQL2 new syntax
• GEOS-11961 OSEO layer management: Support creation of image mosaics in CRS other than 4326

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.27 Series

Additional information on GeoServer 2.27 series:

• GeoServer 2.27 User Manual
• CITE Certification achieved
• GeoServer 2025 Q2 Developer Update
• GeoServer 2025 Roadmap
• Content-Security-Policy Headers
• OGCAPI Features Extension
• File system access isolation
• Promote data dir catalog loader to core
• Advertise and Enforce Attribute Restrictions

GeoServer is an Open Source Geospatial Foundation project supported by a mix of volunteer and service provider activity. We reply on sponsorship to fund activities beyond the reach of individual contributors.

Release notes: ( 2.27.3 | 2.27.2 | 2.27.1 | 2.27.0 )

GeoServer 2.28.0 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer, recommended for production use. GeoServer 2.28.0 is made in conjunction with GeoTools 34.0, GeoWebCache 1.28.0, ImageIO-Ext 2.0.0, and ImageN 0.9.0.

Thanks to Jody Garnett (GeoCat) for making this release. Thanks to Daniel Calliess, Sören Kalesse and Gabriel Roldan for providing feedback and testing of the 2.28-M0 milestone release.

Security Considerations

This release addresses security vulnerabilities and is considered an important upgrade for production systems.

• GEOS-11921 - CVE-2025-21621 - Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format (Moderate)
• GEOS-11922 - CVE-2025-58360 - Unauthenticated XXE via WMS GetMap (High)

The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts.

See project security policy for more information on how security vulnerabilities are managed.

Upgrade instructions

Please take note of the Upgrade Instructions, specifically:

• This release requires Java 17 LTS minimum, Java 11 is no longer supported.

  GeoServer is tested with Long Term Support releases: Java 17 LTS and Java 21 LTS. For more information see Java Considerations in the user manual.

• The global setting Unrestricted XML External Entity Resolution has been replaced with the ENTITY_RESOLUTION_UNRESTRICTED application property.

  This change primarily affects application schema users that have not yet adopted ENTITY_RESOLUTION_ALLOWLIST. See update instructions for details.

• Due to a user interface change, it is no longer necessary to generate a masterpw.info when upgrading an older data directory.

  If this file is present from an earlier upgrade, it is still considered a security warning and is noted on the welcome page.

Image Processing Engine updated

Updating the image processing engine used by GeoServer to be Java 17 compatible is one of the first major objectives of the GeoServer 3 crowdfunding activity. We are pleased to provide the upgrade from Java Advanced Imaging 1.1.3 to Eclipse ImageN 0.9.0 as part of the GeoServer 2.28.0 release.

Eclipse ImageN 0.9.0 is a stable release of two established codebases (Java Advanced Imaging and JAI-Ext) combined together into a single project. ImageN 1.0.0 will be released once the team has had an opportunity to increase the test coverage and update the user manual, over the course of the GeoServer 3.0 series.

Thanks to Jody (GeoCat), Andrea and Daniele (GeoSolutions) for this work and GeoServer 3 Crowdfunding for accomplishing this key objective for the future of GeoServer. We would also like to thank the Eclipse Foundation for working with Oracle to finally make this Sun Microsystems technology open source, alongside OpenJDK.

For more information see Eclipse ImageN and updated Wikipedia Entry for Java Advanced Imaging.

Attribute Restrictions

Layer Feature Type Details has received a major improvement with an Edit attribute dialog making it easier to define the attribute name, description, type, nillability and for the first time restrictions. Attribute restrictions are used limit data values and are included in DescribeFeatureType.

Two types of restrictions are available:

• Options: Used to restrict set of numeric or string values to a provided set.
• Range: Used to restrict numeric values between a minimum inclusive and maximum inclusive limit.

Thanks to Alessandro Ricchiuti (GeoSolutions) for this powerful improvement.

For more information see Feature Type Details in the User Manual.

• GSIP-234 Advertise and Enforce Attribute Restrictions
• GEOS-11937 GSIP 234 - Advertise and Enforce Attribute Restrictions

Legend: Symbology Encoding Functions

This release includes a long-awaited improvement for legend graphic generation - creating a legend graphic when the Symbology Encoding Recode, Interpolate and Categorize functions are used.

<Fill>
  <CssParameter name="fill">
    <ogc:Function name="Recode">
      <!-- Value to Transform -->
      <ogc:Function name="strTrim">
        <ogc:PropertyName>SUB_REGION</ogc:PropertyName>
      </ogc:Function>
      <!-- Map of input to output values -->
      <ogc:Literal>N Eng</ogc:Literal>   <ogc:Literal>#6495ED</ogc:Literal>
      <ogc:Literal>Mid Atl</ogc:Literal> <ogc:Literal>#B0C4DE</ogc:Literal>
      <ogc:Literal>S Atl</ogc:Literal>   <ogc:Literal>#00FFFF</oac:Literal>
      <ogc:Literal>E N Cen</ogc:Literal> <ogc:Literal>#9ACD32</ogc:Literal>
      <ogc:Literal>E S Cen</ogc:Literal> <ogc:Literal>#00FA9A</ogc:Literal>
      <ogc:Literal>W N Cen</ogc:Literal> <ogc:Literal>#FFF8DC</ogc:Literal>
      <ogc:Literal>W S Cen</ogc:Literal> <ogc:Literal>#F5DEB3</ogc:Literal>
      <ogc:Literal>Mtn</ogc:Literal>     <ogc:Literal>#F4A460</ogc:Literal>
      <ogc:Literal>Pacific</ogc:Literal> <ogc:Literal>#87CEEB</ogc:Literal>
    </ogc:Function>
  </CssParameter>
</Fill>

Thanks to Andrea Aime (GeoSolutions) for this improvement on behalf of German Aerospace Center (DLR).

• GEOS-8002 LegendGraphic display using transformation functions (recode, interpolate, categorize)

OAuth2 OpenID Connect community modules

A new community module sec-oidc is now available based directly on Spring Security Core. This new community module is intended as a direct replacement for the existing sec-oauth2-geonode, sec-oauth2-github, sec-oauth2-google, and sec-oauth2-openid-connectplugins which have reached end of life.

For more information see OAUTH2 OIDC in the user manual. Extensive information (and notes) are provided for working with Google, GitHub, Microsoft Azure, and Keycloak. We are really pleased that the new OIDC community plugin is available alongside the existing OAuth2 implementations for comparison and testing.

The initial work was performed by Andreas Watermeyer (ITS Digital Solutions), and completed for GeoServer 2.28.0 by David Blasby (GeoCat), Ian Turton, and Alessio Fabiani (GeoSolutions). Thanks to the GeoServer 3 Crowdfunding sponsors for supporting this important development.

Developer Updates

A number of significant changes affect developers working on the GeoServer codebase:

• The change to Java 17 LTS minimum brings new language features to the codebase

• Java 17 build improvements

• Maven bill-of-materials import to manage both GeoTools library modules and syncrhonize third-party dependencies with the GeoTools project.

Thanks to Gabriel Roldan (Camptocamp) for working on these activities on behalf of GeoServer 3 sponsors.

Release notes

New Feature:

• GEOS-11937 GSIP 234 - Advertise and Enforce Attribute Restrictions
• GEOS-11949 Support MS Excel download from WPS-download
• GEOS-11800 Implement GeoServer WPS SpatioTemporalZonalStatistics process
• GEOS-11911 Application property ROOT_LOGIN_ENABLED
• GEOS-8002 LegendGraphic display using transformation functions (recode, interpolate, categorize)

Improvement:

• GEOS-11934 Image processing tile cache: better logging and deeper cleanups
• GEOS-11788 Apply feedback from CSP testing
• GEOS-11833 Unnecessary antiCache parameter on some GUI images
• GEOS-11837 MapML Support for LayerGroups
• GEOS-11867 Improve entity resolution
• GEOS-11892 Column mentioning user that performed last modification for layers and stores list UI
• GEOS-11938 Add support for property selection in OGC API Features

Bug:

• GEOS-11823 Quality Degradation in Scanned Map Rendering (GeoServer 2.25.3 onward)
• GEOS-11944 GetLegendGraphic Fails When Using RasterSymbolizer With Interval ColorMap And ENV variables
• GEOS-11946 DirectRasterRenderer may fail on creating AlphaBand from ROI using Lookup
• GEOS-11957 Cannot logout due remember-me cookie with oidc
• GEOS-10728 Cannot download GeoPackage if the source data contains UUID types
• GEOS-11274 Cannot get a JSON legend with an external reference to a non published directory
• GEOS-11620 Smart Data Loader plugin for GeoServer 2.26 produces a Mapping file data source definition and tries to establish a connection pool, but fails
• GEOS-11688 After restart unable to load External Style SLD when requesting multiple tiles
• GEOS-11708 STAC breadcrumbs rendering as plain text
• GEOS-11751 Symbolizer URL in GetLegendGraphic JSON Request is Broken
• GEOS-11808 Attribute names containing characters the XML Encoder can’t handle are accepted for input, causing errors
• GEOS-11832 count=0 service exception for some formats
• GEOS-11857 Random NPE In LocalWorkspaceCallback
• GEOS-11860 MapML does not match raster rendering geometry simplification behavior
• GEOS-11862 Layer Preview and Tile Layers page dropdown links broken after updating table
• GEOS-11863 Use GetTile or GetMap requests in for cached raster coverages where appropriate
• GEOS-11865 MapDownloadProcess washes out 1 band gray images when transparency is on
• GEOS-11866 Prevent requests setting variables that should only be set by GeoServer
• GEOS-11879 Xalan causes a java.lang.NoClassDefFoundError
• GEOS-11902 More compact, easier to maintain conformance configuration UI
• GEOS-11910 JMS Cluster settings Section is not showing properly
• GEOS-11917 INSPIRE configuration does not get properly saved when OGC API module is included
• GEOS-11931 GeoServer binary package fails to start after Jetty 9.x to 10.0.25 upgrade

Task:

• GEOS-11848 Migrate use of JAITools to JAI-Ext
• GEOS-11956 Fix build server WfsCompatibilityTest failure (when testing against “local” GeoServer on port 8080)
• GEOS-11813 Create REST API For Security Providers
• GEOS-11814 Create a REST API for Filter Chains
• GEOS-11815 Create authentication filter REST API
• GEOS-11831 OseoDispatcherCallback improvements
• GEOS-11852 Remove master password info page
• GEOS-11853 Clarify keystore vs master vs root password
• GEOS-11854 Generation of security/masterpw.info no longer required
• GEOS-11855 global settings cog warning in release data directory
• GEOS-11869 Replace entity resolution setting with application property
• GEOS-11881 Update postgis-jdbc
• GEOS-11882 Cleanup postgis-jdbc dependencies
• GEOS-11932 Upgrade Oracle JDBC driver to Java 17

For the complete list see 2.28.0 release notes.

Community Updates

Community module development:

• GEOS-11951 Add PMTiles DataStore community module for reading Protomaps vector tiles
• GEOS-11816 Features templating OGC API fetch by ID fails
• GEOS-11819 Make smart data loader skip unsupported column types
• GEOS-11822 OGC API procesess basic implementation
• GEOS-11829 Features templating ability to override schema
• GEOS-11839 New Community Module for WPS Download in NetCDF output format for spatiotemporal coverages
• GEOS-11870 Singlestore(MemSql) datastore community module
• GEOS-11885 Smart Data Loader does not support postgresql UUID data type
• GEOS-11887 Features Templating does not returns content type and charset header on OGC-API

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

Developer updates

• GEOS-11845 GSIP-232 Upgrade GeoServer and GeoWebCache Build to Java 17
• GEOS-11943 remove PDF generation of manual from build process
• GEOS-11952 GeoServer 2.28.0 Release cleanup
• GEOS-11836 Upgrade ErrorProne to 2.31.0
• GEOS-11843 Use Spring framework BOM to manage Spring and Spring Security dependencies
• GEOS-11851 Remove unnecessary javac lint suppressions
• GEOS-11858 Update to PMD 7.14 and enable unnecessary suppression rule

About GeoServer 2.28 Series

Additional information on GeoServer 2.28 series:

• GeoServer 2.28 User Manual
• Advertise and Enforce Attribute Restrictions
• GeoServer 2025 Q4 Developer Update

GeoServer is an Open Source Geospatial Foundation project supported by a mix of volunteer and service provider activity. We reply on sponsorship to fund activities beyond the reach of individual contributors.

Release notes: ( 2.28.0 | 2.28-M0 )

The GeoServer team is making great progress on our 2025 roadmap plans, with CITE Certification Achieved, and GeoServer 3 underway, the project is going well.

Thanks to GeoServer 2025 sponsors:

CITE Certification

We are really happy to the see the CITE Certified banner restored to the main GeoServer website for calendar year 2025. Andrea continues to work on certifying the new OGCAPI services:

• OGCAPI - Tiles: Passing tests on Team Engine 2.0 Engine

• OGCAPI - Process: Making progress on certification

A reminder that if CITE Certification is valuable to you GeoServer will need to pay OGC each year - which requires sponsorship. We are certified for calendar year 2025 thanks to the prior sponsorship. We find that many organizations assume GeoServer is certified, this is not be the case without your financial support.

Thanks to Gaia3D and OSGeo:UK for sponsoring 2025 CITE Certification.

Security

We continue to be in need of resources, both developer resources and funding, to address the expectations placed on open source projects. If you are in a position to support this activity, please contact us at geoserver-security@lists.osgeo.org .

GeoServer 3

The big news is the completion of Milestone 1 : Preparation with the release of GeoServer 2.28.0, allowing the Milestone 2 : Migration activities to proceed as scheduled.

For more information on GeoServer 3 development, review the project plan and GeoServer 3 Crowdfunding FAQ.

GeoServer 3 Milestone 1 Completed

The release of GeoServer 2.28.0 represents the end of Milestone 1: Preparation:

• Upgrade from Java Advanced Imaging 1.1.3 to Eclipse ImageN 0.9.0.

• Java 17 LTS minimum, ending support for Java 11.

• Lots of build improvements, with the highlight being a bill-of-materials “geotools” pom.xml file to manage versions across GeoTools, GeoWebCache, and GeoServer.

• A new community module, gs-sec-oidc-plugin, replacing gs-oauth2 plugins.

GeoServer 3 Milestone 2 Underway

GeoServer 3 Milestone 2: Migration is underway:

• Friday 17 October: Code Freeze

  We will be freezing the main branches of the related projects on Friday 17 Oct 2025, in preparation for the Milestone 2 code sprint. Please follow the announcement on Discourse.

• Monday 20 October: Code Sprint

  With the branches frozen, the GeoServer 3 team is assembling for an intensive code sprint to start the migration to Spring Framework 3.

Crowdfunding

Thanks to sponsors for supporting GeoServer 3 crowdfunding, we hope you are pleased with the progress thus far and look forward to sharing GeoServer 3 with you in the months ahead.

GeoServer 3 is supported by the following organisation:

Individual donations: Abhijit Gujar, Hennessy Becerra, Ivana Ivanova, John Bryant, Jason Horning, Peter Smythe, Sajjadul Islam, Sebastiano Meier, Stefan Overkamp.