GeoServer Blog

GeoServer 2.23.6 Release

GeoServer 2.23.6 release is now available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with this release issued to address an urgent bug or security vulnerability (see CVE-2024-36401 below).

This GeoServer 2.23.6 update is provided as a temporary measure. Instead, plan to upgrade to the stable GeoServer 2.25.2 or the maintenance GeoServer 2.24.4 release.

GeoServer 2.23.6 is made in conjunction with GeoTools 29.6, and GeoWebCache 1.23.5.

Thanks to Jody Garnett (GeoCat) for making this release on behalf of GeoCat customers.

Security Considerations

This release addresses security vulnerabilities and is considered an essential update for production systems.

  • CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
  • CVE-2024-24749 Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat (Moderate)

See project security policy for more information on how security vulnerabilities are managed.

Release notes

Improvement:

  • GEOS-11327 Add warning about using embedded data directories
  • GEOS-11347 STAC Landing Page links should include root link

Bug:

  • GEOS-11331 OAuth2 can throw a “java.lang.RuntimeException: Never should reach this point”

For the complete list see 2.23.6 release notes.

Community Updates

Community module development:

  • GEOS-11348 JMS cluster does not allow to publish style via REST “2 step” approach
  • GEOS-11358 Feature-Autopopulate Update operation does not apply the Update Element filter
  • GEOS-11381 Error in OIDC plugin in combination with RoleService
  • GEOS-11412 Remove reference to JDOM from JMS Cluster (as JDOM is no longer in use)

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

Release notes: ( 2.23.6 | 2.23.5 | 2.23.4 | 2.23.3 | 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )

How to Implement Basic Security in Geoserver

GeoSpatial Techno is a startup focused on geospatial information that is providing e-learning courses to enhance the knowledge of geospatial information users, students, and other startups. The main approach of this startup is providing quality, valid specialized training in the field of geospatial information.

In this session, we want to discuss the Security section in GeoServer, Defining Users, Groups, and Roles, and Granting rights to created users. If you want to access the complete tutorial, simply click on the link.

Introduction

GeoServer has a robust security subsystem. Most of the security features are available through the Web Administration interface. In the Security panel, you can find links to set user properties and bind data to security rules. The basic idea is that you create users and roles, and then combine them with data rules to enable a specific set of access policies. You can also limit read and write access by role.

Defining users, groups, and roles

Security in GeoServer is based on a role system where each role defines a specific set of functions. You can assign roles to users and groups; that is, assign functions to real people using your system. To ensure data security, you must identify who is accessing your layers and services.

To organize your real users, GeoServer provides you with the user, group, and role concepts. With the first two, you can insert real people into the GeoServer security subsystem, and with roles, you can grant rights to real users.

User definition

In GeoServer, a user is someone entitled to use the system; it may be another software or a real person. When you add a user to the security system, GeoServer stores a username, uniquely identifying the user, a password, and a set of key/value pairs to store general information about it. You can disable a user at any time, preventing him from using the system.

Group definition

A group in GeoServer is a collection of users. It consists of a list of usernames that are part of the group, along with a unique group name that identifies it. Since GeoServer may have a large number of users, assigning roles to each individual user can be challenging. Therefore, groups can be created to simplify the process, allowing roles to be assigned based on the group membership of users.

Note that there are no dependencies between users, groups, and roles: a group can be disabled, but this only removes the roles deriving from the disabled group and does not disable the users belonging to the group.

Roles definition

GeoServer roles are associated with performing certain tasks or accessing particular resources. Roles are assigned to users and groups, authorizing them to perform the actions associated with the role.

Creating users and groups

To fully understand how security works in GeoServer, we will use a typical scenario. We want to restrict access to a dataset to the organization’s members only. Inside the organization, there are a few people editing data to create new data sets or to update existing ones, and many more members who need to read data to compose maps. There is also a need for an administrator to keep it all working. Lastly, we need to consider that our GeoServer site also contains data that should remain freely available. We will now create the security organization from an unsecured GeoServer as follows:

  • In the Security section of the left pane, click the Users, Groups, and Roles link. This link shows you the User Group Services configured. You will find the default service shipped with GeoServer. Click on the Name to edit it.
  • Select the Groups tab, then click on Add a new group.
  • Enter group_readers as a group name and leave the group Enabled. Do not assign any role to the new group as we will create specific roles later. Press the Save button.
  • Repeat the previous step to create the group_editors and group_admins groups. Your list should now show the three groups.
  • Now switch to the Users tab. It lists the only existing user so far, that is, admin.
  • Click on the Add new user link, and add user_admin with a password of your choice, as Data Administrator.
  • Add “user_admin” to the “group_admins”, then press the Save button.
  • Repeat the previous step to create a user, user_editor as a member of the “group_editors” group, and user_reader as a “group_readers” group member. Your list now shows the three users.

We just created three users for the three groups and this may seem overkill to you. Consider them as templates for real users. In the real world, we do not want to have too many administrators; we will probably need several “user_readers” and “user_editors” processing the data. Now, we need to define what they can do on GeoServer.

Defining roles

A user or a group without any role assigned is useless. Now it is time to create roles and assign them to our users. Please refer to the following points:

  • From the Users, Groups, and Roles section, select the Roles tab. You will find that two roles already exist. They are the administrative roles assigned to the admin account, and they grant access to all GeoServer configurations. Click on the Edit link.
  • Switch to the Roles tab, then click on Add new role.
  • Enter role_reader as a new role name. We do not need a Parent role. A child role inherits all the rights from the Parent role, making it useful when you want to extend a basic role with more rights. Indeed, we will do this in the next step.
  • Press the Save button and then repeat the previous step to create the role_editor role. This time, select “role_reader” as the Parent role.
  • Press the Save button and then repeat the previous step to create the role_admin role. This time, select “role_editor” as the Parent role.
  • The final step is to associate a role to users or groups. Select the Users, Groups, and Roles page from the left pane, then select the Groups list and click on the “group_readers” group to edit it. Add the “role_reader” role to the group and save it.
  • Now click on the “group_editors” group and associate it with the role_editor role.
  • Finally, associate the “group_admins” group to the “role_admin” role.

By defining roles and associating them to the users, we completed the definition of our organization. Now, we need to explore how data is bound to roles and users.

Accessing data and services

GeoServer supports access control at both the service level and at the per-layer or per-workspace level, allowing service operations to be restricted to authenticated users with specific roles. This helps ensure data security and control access to the different layers or workspaces within the server. When working with layers, you define rules that specify what a role can do on a specific layer.

The operations controlled are read, write, and admin access. Granting read access on a layer enables a user to add it to a map; granting write access enables the user to update, create, and delete features contained in the layer. The admin access level enables the user to update the layer’s configuration.

Layer Security

We want to protect the dataset contained in the test workspace from unauthorized access while leaving the remaining layers freely available to all users. In this section, we will associate layers and roles:

  • Navigate to the Data > Security page. The rules list shows the two rules shipped with the default GeoServer configuration. The *.*.r rule is associated with the * role, which means that any user, including the anonymous one, can access any layer from any workspace configured on GeoServer. The general format of the rules is workspace.layer.accessMode.
  • Now click on the Add new rule link. In the rule editing page, select test as the Workspace and leave “*” as a Layer. Since we want to protect all layers in this workspace, the Access mode should be Read. Select the “role_reader” role and move it to the right list by clicking on the arrow. Press the Save button to create the reading rule.
  • Repeat the previous step to create a writing rule. Select Write as the access mode and “role_editor” as the role.
  • Repeat the previous step, then create the administration rule. In other words, select Admin as the Access mode and “role_admin” as the Role.
  • Press the Save button on the rule list page, then log off from the GeoServer web interface. If you try to access the layer preview anonymously, you won’t see any layers from the test workspace, while all the others are still listed.
  • Now, log on as “user_reader”, with the password you assigned to him. Going back to the layer preview, you should see the test layers listed. Try the OpenLayers preview page for the rivers layer. It works and you can use the data to compose maps.
  • However, “user_reader” can’t edit the styles associated with the layer or any other property. He would need admin rights granted for it; can you guess who the proper user will be?
  • Log on to GeoServer as “user_admin”. Now, the left pane is richer than it was when you were “user_reader”, but with fewer features than those visible to the GeoServer’s default admin role. Click on the Layers link; you will see only the layers belonging to the test workspace.
  • If you go to Layer Preview and select the rivers layer again, can you see the map? Of course you can, because of the role inheritance you set when creating the roles: “role_admin” inherits all the rights from “role_editor”, and hence from “role_reader”.
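The checker below is an added example, not GeoServer’s own code or part of this tutorial. It encodes the three rules created above in the workspace.layer.accessMode format together with the role inheritance chain role_admin > role_editor > role_reader, and answers the questions asked in the last steps (what anonymous, user_reader, user_editor and user_admin may do on the test layers). Assumed here and not stated on the page: the rules are written in the Java-properties style of GeoServer’s layers.properties file, only the most specific matching rule (layer, then workspace, then global) is consulted, and the access modes are r, w and a.

```python
from __future__ import annotations

# Constructed sample: the two default rules plus the three the tutorial creates.
# Format is workspace.layer.accessMode=role[,role...]; a '*' role means anyone.
LAYERS_PROPERTIES = """
# default rules shipped with GeoServer: any user may read and write any layer
*.*.r=*
*.*.w=*
# rules created in the tutorial for the "test" workspace
test.*.r=role_reader
test.*.w=role_editor
test.*.a=role_admin
"""

# Parent links as the tutorial defines them (a child inherits its parent's rights).
ROLE_PARENTS = {"role_editor": "role_reader", "role_admin": "role_editor"}

# Group -> role bindings and user -> group memberships from the tutorial.
GROUP_ROLES = {
    "group_readers": {"role_reader"},
    "group_editors": {"role_editor"},
    "group_admins": {"role_admin"},
}
USER_GROUPS = {
    "user_reader": {"group_readers"},
    "user_editor": {"group_editors"},
    "user_admin": {"group_admins"},
}


def parse_rules(text: str) -> dict[tuple[str, str, str], set[str]]:
    """Parse rule lines into {(workspace, layer, mode): roles}.

    Blank lines and '#' comments are skipped; malformed lines raise so that
    a typo cannot silently widen or remove access.
    """
    rules: dict[tuple[str, str, str], set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if not sep or len(parts) != 3 or parts[2] not in ("r", "w", "a"):
            raise ValueError(f"line {lineno}: bad rule {line!r}")
        roles = {r.strip() for r in value.split(",") if r.strip()}
        if not roles:
            raise ValueError(f"line {lineno}: rule {key!r} names no role")
        rules[(parts[0], parts[1], parts[2])] = roles
    return rules


def effective_roles(user: str) -> set[str]:
    """Roles granted through group membership, expanded along parent links."""
    roles: set[str] = set()
    for group in USER_GROUPS.get(user, ()):
        roles |= GROUP_ROLES.get(group, set())
    frontier = list(roles)
    while frontier:
        parent = ROLE_PARENTS.get(frontier.pop())
        if parent and parent not in roles:
            roles.add(parent)
            frontier.append(parent)
    return roles


def can_access(rules, user, workspace, layer, mode) -> bool:
    """Most specific matching rule (layer, workspace, global) decides.

    An anonymous request is modelled as user None, which holds no roles.
    """
    roles = effective_roles(user) if user else set()
    for key in ((workspace, layer, mode), (workspace, "*", mode), ("*", "*", mode)):
        if key in rules:
            return "*" in rules[key] or bool(rules[key] & roles)
    return False  # no rule matches at all: deny


if __name__ == "__main__":
    rules = parse_rules(LAYERS_PROPERTIES)
    for who in (None, "user_reader", "user_editor", "user_admin"):
        flags = "".join(m if can_access(rules, who, "test", "rivers", m) else "-" for m in "rwa")
        print(f"{who or 'anonymous':12s} test:rivers -> {flags}")
```

Running it prints one line per user showing which of r, w and a are granted on test:rivers; layers outside the test workspace stay open to everyone because only the default *.*.r and *.*.w rules match them.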

In this session, we took a brief journey through GeoServer security. We discussed the Security section, defining users, groups, and roles, and granting rights to the created users in GeoServer. If you want to access the complete tutorial, simply click on the link.

GeoServer 2.25.1 Release

GeoServer 2.25.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer recommended for production use. GeoServer 2.25.1 is made in conjunction with GeoTools 31.1, and GeoWebCache 1.25.1.

Thanks to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

2024-06-30 Update: The following mitigation has been provided:

  • CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

    geoserver-2.25.1-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

Raster Attribute Table Extension

A new extension is available that takes advantage of the GDAL Raster Attribute Table (RAT). This data structure provides a way to associate attribute information for individual pixel values within the raster. This provides a table that links each cell value in the raster to one or more attributes on the fly.

Thanks to Andrea Aime (GeoSolutions) for the development and NOAA for sponsoring this new capability. Please see the user guide Raster Attribute Table support for more information.

  • GEOS-11376 Graduate Raster Attribute Table to extension

Release notes

New Feature:

  • GEOS-11267 CSW ISO extension multiple mappings should also have multiple queryable mappings
  • GEOS-11376 Graduate Raster Attribute Table to extension

Improvement:

  • GEOS-11306 Java 17 does not support GetFeature lazy JDBC count(*)
  • GEOS-11311 Show a full stack trace in the JVM stack dump panel
  • GEOS-11342 STAC should exclude items when the collection in path is wrong
  • GEOS-11359 Update MapML viewer to release 0.13.2
  • GEOS-11369 Additional authentication options for cascaded WMS WMTS data stores
  • GEOS-11377 RAT module: allow to reload/recompute the RAT
  • GEOS-11400 About Page Layout and display of build information
  • GEOS-11401 Introduce environmental variables for Module Status page

Bug:

  • GEOS-11202 CAS extension doesn’t use global “proxy base URL” setting for service ticket
  • GEOS-11236 WFS 2.0.0/GetFeature - Shapefile - “We have had issues trying to flip axis”
  • GEOS-11331 OAuth2 can throw a “java.lang.RuntimeException: Never should reach this point”
  • GEOS-11332 Renaming style with uppercase/downcase empty the sld file
  • GEOS-11382 The interceptor “CiteComplianceHack” never gets invoked by the Dispatcher Servlet
  • GEOS-11385 Demo Requests functionality does not honour ENV variable PROXY_BASE_URL
  • GEOS-11392 ConcurrentModificationException while using proxy-base-ext

Task:

  • GEOS-11360 Upgrade Apache POI from 4.1.1 to 5.2.5
  • GEOS-11362 Upgrade Spring libs from 5.3.32 to 5.3.33
  • GEOS-11374 Upgrade Spring version from 5.3.33 to 5.3.34
  • GEOS-11375 GSIP 224 - Individual contributor clarification
  • GEOS-11388 Update ImageIO-EXT to 1.4.10
  • GEOS-11393 Upgrade commons-io from 2.12.0 to 2.16.1
  • GEOS-11395 Upgrade guava from 32.0.0 to 33.2.0
  • GEOS-11397 App-Schema Includes fix Integration Tests
  • GEOS-11402 Upgrade PostgreSQL driver from 42.7.2 to 42.7.3
  • GEOS-11403 Upgrade commons-text from 1.10.0 to 1.12.0
  • GEOS-11404 Upgrade commons-codec from 1.15 to 1.17.0

For the complete list see 2.25.1 release notes.

Community Updates

Community module development:

  • GEOS-11040 Could not get a ServiceInfo for service Features thus could not check if the service is enabled
  • GEOS-11330 OAuth2 kid verification should be optional
  • GEOS-11339 Introducing the Features Autopopulate Community Plugin
  • GEOS-11340 WFS Freemarker HTML Outputformat
  • GEOS-11345 STAC Conformance URIs need to be updated to v1.0.0
  • GEOS-11348 JMS cluster does not allow to publish style via REST “2 step” approach
  • GEOS-11358 Feature-Autopopulate Update operation does not apply the Update Element filter
  • GEOS-11381 Error in OIDC plugin in combination with RoleService
  • GEOS-11394 OGC APIs cannot handle time extent when the source data type is java.sql.Date

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.25 Series

Additional information on GeoServer 2.25 series:

Release notes: ( 2.25.1 | 2.25.0 | 2.25-RC )

How to create Tile Layers with GeoServer

In this session, we will explore “How to create Tile Layers with GeoServer”. If you want to access the complete tutorial, simply click on the link.

Introduction

GeoWebCache is a tiling server that acts as a proxy between a map client and map server, caching tiles to save processing time. It is integrated with GeoServer and can significantly improve the responsiveness and reliability of the server. These settings can be accessed from the left side of the screen under the Tile Caching heading. They include:

  • Tile Layers: This section lists all cached layers for review and parameter modification.
  • Caching Defaults: This page is the entry point for the global caching settings.
  • Gridsets: This option allows you to create new tiling schemes or modify the existing ones.
  • Disk Quota: The Disk Quota and BlobStores options allow you to set predefined amounts of disk space for each layer.

Tile Layers

The Tile Layers page lists all of the layers known to the integrated GeoWebCache. It is similar to the Layer Preview page, with many of the same options, and lets you review the status and the main parameters of each layer. For each layer cached by GeoWebCache, the following information is available:

  • Type and Layer Name: These columns display the type of layer and the name value of each.
  • Disk Quota: The maximum amount of disk space that can be used for this layer. This feature cannot be configured in GeoServer as in the GeoWebCache standalone version, so you can only see the N/A value here.
  • Disk Used: The current disk space being used by tiles for this particular layer. This counter will only be updated if disk quotas are enabled.
  • Enabled: Indicates whether tile caching is enabled for this layer. It is possible to have a layer definition here but not to have tile caching enabled (set in the layer properties).
  • Preview: Similar to Layer Preview, this will generate a simple OpenLayers application populated with tiles from one of the available gridset/image format combinations.
  • Actions: Two links are offered for each layer, Seed/Truncate and Empty.
  • Seed/Truncate: Opens the GeoWebCache page for seeding and truncating the tile cache. Use this if you want to pre-populate part of your cache.
  • Empty: Removes all saved tiles from the cache; it is identical to a full truncate operation for the layer.
  • Empty All: This link clears the entire cache for all layers, gridsets and filter parameter combinations. Note that this truncates all layers in GeoWebCache.

Adding or removing cached layers

We have used the GeoWebCache to store tiles generated by user requests, but you can also precompute tiles for a layer to avoid delays for some users. The process of pre-computing tiles is called seeding. This section will help you understand how it works:

  • Navigate to the Tile Caching > Tile Layers page and click on the Seed/Truncate link for your desired layer.
  • Scroll to the Create a new task section and set the parameters for seeding. For the number of parallel processes (threads) that will request maps from GeoServer, it’s best to select a number of threads equal to 50 percent of the available cores on your server.
  • From the Operation Type you have a few options: Seed, Reseed and Truncate. Select Seed to generate missing tiles or Reseed to regenerate all tiles. Truncate allows you to select specific zoom levels to remove, unlike the Clear operation, which removes all tiles.
  • You must select a gridset and an image format to seed. If you want to precompute cache for more than one gridset and/or image format, you can start another operation immediately after this one.
  • To start seeding, select a subset of the gridset, specify a level range and an area. If no specific area is needed, leave the Bounding Box empty. Select Zoom Start and Zoom Stop, then press Submit to start seeding.
  • The web interface displays a list of running tasks, which can be filtered by layer and stopped if necessary. Refreshing the list shows the number of tiles completed, time elapsed, and time remaining. Seeding multiple layers can be resource intensive and time consuming.
  • When tasks are completed, check for an empty list. Return to the Tile Layers page to see a significant increase in the amount of disk space allocated for your layer’s tiles. Seeding your layers can greatly improve performance, as map requests will now hit the cache in the precomputed layer range. Expect a 10- to 90-fold increase in performance.

Tiles can be generated by GeoWebCache in two ways: on demand during map viewing, or by seeding in advance. On-demand caching speeds up subsequent views of the same tiles, but the first request for each tile still waits for rendering, so the user experience is uneven. Seeding improves the user experience but costs time and disk space. Typically, a combination of both methods is used, with popular areas or zoom levels seeded and less frequently viewed tiles left uncached.

Disk Quota

The Disk Quotas page lets you manage disk usage for cached tiles and set a global disk quota. By default, disk usage for cached tiles is unlimited, but setting a quota can prevent disk capacity issues, especially with Direct WMS integration. This is important for serving large areas with terabytes of tile cache on disk. The following information is displayed on the Disk Quota page:

  • Enable disk quota: When enabled, the disk quota will be set according to the options listed below. The setting is disabled by default.
  • Disk quota check frequency: This setting determines how often the cache is polled for any overage. Smaller values (more frequent polling) will slightly increase disk activity, but larger values (less frequent polling) may cause the disk quota to be temporarily exceeded. The default is 10 seconds.
  • Maximum tile cache size: The maximum size for the cache. When this value is exceeded and the cache is polled, tiles will be removed according to the policy. Note that the unit options are MegaBytes, GigaBytes and TeraBytes. The default is 500 MiB.
  • Tile removal policy: When disk quota is exceeded, choose between Least Frequently Used or Least Recently Used policy to delete tiles based on access frequency or date last accessed. Optimal configuration varies based on data and server usage.
  • Disk quota store type: GeoServer uses the H2 database for disk quotas by default, with the option to configure an external database. You can choose an in-process database with a local H2 database or an external database with H2, PostgreSQL or Oracle. Don’t forget to press Submit after making changes.

In this session, we explored “How to create Tile Layers with GeoServer”. If you want to access the complete tutorial, simply click on the link.

GeoServer 2.24.3 Release

GeoServer 2.24.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.24.3 is made in conjunction with GeoTools 30.3, and GeoWebCache 1.24.3.

Thanks to Andrea Aime (GeoSolutions) for making this release.

Security Considerations

2024-06-30 Update: The following mitigation has been provided:

  • CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

    geoserver-2.24.3-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

Release notes

New Feature:

  • GEOS-11077 Implement Requirement Class “Search” from OGC API - Features Part 5 proposal
  • GEOS-11225 [AuthKey] AuthKey synchronize the user/group automatically
  • GEOS-11267 csw-iso: multiple mappings should also have multiple queryable mappings
  • GEOS-11279 metadata: allow same field on multiple tabs

Improvement:

  • GEOS-11260 JNDI tutorial uses outdated syntax
  • GEOS-11276 Use style_body to define CSS style for a layer
  • GEOS-11288 Improve input validation in ClasspathPublisher
  • GEOS-11306 Java 17 does not support GetFeature lazy JDBC count(*)
  • GEOS-11327 Add warning about using embedded data directories
  • GEOS-11329 Update MapML viewer to release 0.13.0
  • GEOS-11334 Update MapML viewer to release 0.13.1
  • GEOS-11342 STAC should exclude items when the collection in path is wrong
  • GEOS-11347 STAC Landing Page links should include root link
  • GEOS-11359 Update MapML viewer to release 0.13.2

Bug:

  • GEOS-11174 GWC rest api returns erroneous truncated response when gzip http encoding is enabled
  • GEOS-11205 Layer page: style image fails if it is in isolated workspace
  • GEOS-11236 WFS 2.0.0/GetFeature - Shapefile - “We have had issues trying to flip axis”
  • GEOS-11256 Cannot retrieve LegendGraphic from a PostGIS datastore with ‘hideEmptyRules’ and ‘Support on the fly geometry simplification’ enabled
  • GEOS-11263 hideEmptyRules not working in JSON LegendGraphic
  • GEOS-11266 csw-iso: missing fields in summary response
  • GEOS-11278 metadata: only selected tab is submitted
  • GEOS-11285 GWC REST Content-Encoding gzip returns broken response
  • GEOS-11290 With Oauth enabled, anon users get random auth requests
  • GEOS-11291 GeoFence: Cleanup stale log4j references
  • GEOS-11299 Performance regression in GeoJSON output generated in EPSG:900913
  • GEOS-11312 Inconsistent Memory Units in Legend Image Creation
  • GEOS-11335 A layer in an authority other than EPSG may fail to reload after restart

Task:

  • GEOS-11307 Update apache-commons-lang3 to version 3.14.0 for Java 17 and Java 21 support
  • GEOS-11316 Update Spring version to 5.3.32
  • GEOS-11360 Upgrade Apache POI from 4.1.1 to 5.2.5
  • GEOS-11362 Upgrade Spring libs from 5.3.32 to 5.3.33

For the complete list see 2.24.3 release notes.

Community Updates

Community module development:

  • GEOS-11305 Add layer information in the models backing STAC
  • GEOS-11330 OAuth2 kid verification should be optional
  • GEOS-11339 Introducing the Features Autopopulate Community Plugin
  • GEOS-11340 WFS Freemarker HTML Outputformat
  • GEOS-11345 STAC Conformance URIs need to be updated to v1.0.0
  • GEOS-11348 JMS cluster does not allow to publish style via REST “2 step” approach
  • GEOS-11358 Feature-Autopopulate Update operation does not apply the Update Element filter

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.24 Series

Additional information on GeoServer 2.24 series:

Release notes: ( 2.24.3 | 2.24.2 | 2.24.1 | 2.24.0 | 2.24-RC )
