GeoServer Blog
GeoServer 2.7.4 released
The GeoServer team is happy to announce the release of GeoServer 2.7.4. Download bundles are provided (zip, war, dmg and exe) along with documentation and extensions.
GeoServer 2.7.3 is a maintenance release of GeoServer recommended for production deployment. Thanks to everyone taking part, submitting fixes and new functionality including:
Bug
- [GEOS-3228] - Empty filter causes IndexOutOfBoundsException
- [GEOS-3432] - RESTConfig “styles” list does not get generated if a style is missing its associated sld file
- [GEOS-4986] - Creating SQL Views via RESTConfig as JSON fails
- [GEOS-6768] - externalGraphic with relative path and query parameters problem
- [GEOS-7045] - Layer Security - Catalog Mode
- [GEOS-7243] - Render (or transform) fails on Multipolygon but not on polygon
- [GEOS-7256] - Maven Cobertura plugin does not work
- [GEOS-7259] - JMS based cluster should use qualified names for Layers and Layergroups
- [GEOS-7267] - JMS Clustering should prefix Styles names with workspace
- [GEOS-7295] - OpenLayers preview does not work if authkey community module is enabled
- [GEOS-7302] - Using on the fly meta tiling in WMS request may result in rendered images not being disposed of
- [GEOS-7312] - RawDataPPIO does not close InputStreams it opens
- [GEOS-7314] - GeoTiffPPIO can return the source file of a processed coverage
Improvement
- [GEOS-4762] - WCS should force usage of imageread
- [GEOS-7150] - Features counted twice for WFS queries with GeoJSON responses
For a full list, see the release notes.
Also, as a heads up for Oracle users, the Oracle store does not ship anymore with the JDBC driver (due to redistribution limitations imposed by Oracle). For details see the updated Oracle installation instructions here.
Thanks to Alessio Fabiani (GeoSolutions) for this release.
This release is made in conjunction with GeoTools 13.4 and GeoNode 2.4.
Remote Execution Vulnerability
GeoServer has encountered a remote execution vulnerability in the REST API (used for remote administration).
This vulnerability (GEOS-7124) is addressed in the following scheduled releases:
- GeoServer 2.8.0 - stable
- GeoServer 2.7.3 - maintenance
- GeoServer 2.6.5 - archived
Thanks to Andrea Aime (GeoSolutions) and Kevin Smith (Boundless) for both fixing this issue and back porting to the stable and maintenance series.
Users are encouraged to upgrade, keeping in mind exposure to this issue is limited to scripts using administrator credentials to access the REST API. Accounts making use of gsconfig (Python Library) also make use of these facilities.
About Remote Execution
For more information see the Red Hat security article on remote code execution via serialized data.
Responsible Disclosure
Thanks to Matthias Kaiser for reporting this issue.
If you encounter a security vulnerability in GeoServer (or any other open source software) please take care to report the issue in a responsible fashion:
- Keep exploit details out of issue report (send to developer/PSC privately - just like you would do for sensitive sample data)
- Be prepared to work with Project Steering Committee (PSC) members on a solution
- Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources
If you are not in a position to communicate in public (or make use of the issue tracker) please consider commercial support, contacting a PSC member privately or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.
GeoServer 2.7.3 released
The GeoServer team is happy to announce the release of GeoServer 2.7.3. Download bundles are provided (zip, war, dmg and exe) along with documentation and extensions.
GeoServer 2.7.3 is a maintenance release of GeoServer recommended for production deployment. Thanks to everyone taking part, submitting fixes and new functionality including:
- Further fixes for the XXE vulnerability, along with a fix for a remote code execution vulnerability in the REST API (requires admin credentials to trigger it)
- Some WCS 1.1 and 2.0 fixes
- Some improvements in the management of style specific workspaces when modifying layer groups with the REST API
- Optimized the size of DBF in the SHAPE-ZIP output format
- A few improvements in the importer, including speeding up import setup by delaying layer bounds computation, and allowing granules to be harvested in an empty mosaic previously set up via the REST API
- For a full list, see the release notes.
Also, as a heads up for Oracle users, the Oracle store does not ship anymore with the JDBC driver (due to redistribution limitations imposed by Oracle). For details see the updated Oracle installation instructions here.
Thanks to Andrea (GeoSolutions) and Kevin (Boundless) for this release.
GeoServer 2.8.0 released
We are happy to announce the release of GeoServer 2.8.0. Downloads are available (zip, war, dmg and exe) along with docs and extensions.
What is new
GeoServer 2.8.0 is the culmination of our latest six month development cycle and contains several new features, along with fixes and security updates.
This blog post provides a breakdown by functional area; for more detail see the 2.8.0, 2.8-beta and 2.8-M0 release notes.
Data access and configuration
PostGIS curves and Oracle speedups
GeoServer 2.6.0, released one year ago, added read only support for Oracle curved geometries, along with all the necessary machinery to represent them in memory, draw them and encode them in WMS.
This release adds read and write support for curves in PostGIS instead, bringing our support for the famous open source spatial database to match and surpass (with write support) the Oracle one. PostGIS curves are supported in all OGC protocols, either via native support (e.g., GML) or on the fly linearization (e.g. shapefile output).
On the Oracle side, we improved the startup times for installations that are serving Oracle layers by optimizing the table geometry type and metadata access.
Note: Due to license restrictions the oracle extension no longer includes an Oracle JDBC driver, see the user guide for manual install instructions.
Filtering layers during configuration
For all those that want to publish only a subset of the original data to the public we are now offering the configuration of a simple CQL filter that will be applied on data access, no matter what protocol is used. Think of it as a mini “sql view” that can be applied at ease against any data source, not just databases.
This is of course not meant to limit feature access for security reasons; for that use case you should really look into GeoFence.
Raster NODATA with JAI-Ext Library
You may now optionally use the JAI-Ext image processing operations when working with raster data. These operations directly support raster NODATA and footprints (reducing the amount of processing required when working with these datasets).
This feature is available in GeoServer 2.8 but is off by default - to enable start up with:
-Dorg.geotools.coverage.jaiext.enabled=true
REST API for Image Mosaic Granule Management
Structured coverages have recently been added to GeoServer; you can now use the REST API to manage and update individual granules in an image mosaic.
Process raster data during import
Vector import has supported limited data processing during import for some time. GeoServer 2.8.0 provides the same functionality (allowing raster files to be processed using GDAL command line tools during import).
To reproject a raster:
{
"type": "GdalWarpTransform",
"options": [
"-t_srs", "EPSG:4326"
]
}
To transform the raster into a GeoTIFF:
{
"type": "GdalTranslateTransform",
"options": [
"-co", "TILED=YES",
"-co", "BLOCKXSIZE=512",
"-co", "BLOCKYSIZE=512"
]
}
To introduce GeoTIFF overviews:
{
"type": "GdalAddoTransform",
"options": [ "-r", "average"],
"levels" : [2, 4, 8, 16]
}
Mapping improvements
This release is full of big and small map rendering improvements for all. Here is an organized list.
Z ordering support
This new feature extends SLD and CSS with vendor options allowing the style writer to control the painting order of features, either inside a single layer, or across layers: this allows proper map rendering of areas where a number of objects have below/above relationships, like this area in Germany, where a lot of roads and rails are crossing each other in a maze of underpasses, overpasses, and bridges:
This is achieved by specifying a “sortBy” vendor option at the FeatureTypeStyle level, with one or more sorting attributes, and in case multiple layers or FeatureTypeStyles are involved, by grouping them into a single “sortByGroup”. You can find more information, along with examples in CSS and SLD, in your user guide.
We would like to thank DLR for sponsoring this improvement.
Contrast enhancement improved
GeoServer has been supporting contrast enhancement for a while, within the limits of the SLD specification. Version 2.8.0 steps beyond the limits of the standard by adding vendor parameters to control the normalization sub-algorithm (stretch to min/max, clip to min/max, clip to zero), as well as its parameters. Here is an example of the syntax:
<ContrastEnhancement>
<Normalize>
<VendorOption name="algorithm">StretchToMinimumMaximum</VendorOption>
<VendorOption name="minValue">50</VendorOption>
<VendorOption name="maxValue">100</VendorOption>
</Normalize>
</ContrastEnhancement>
along with a visual example, before and after the contrast enhancement:
New arrow mark
Lots of maps need arrows… but every time it is the same story: yes, the arrow is almost fine, but it should be longer, or thicker, or with a bigger head, and so on. Instead of having to re-invent a new arrow symbol each time, we created one whose proportions can be altered by changing parameters in its name.
Here is the general syntax of this new “well known mark”:
<WellKnownName>extshape://arrow?hr=[hrValue]&t=[tValue]&ab=[abValue]</WellKnownName>
and some examples varying its t (thickness) value between 0 and 1:
or changing the width to height ratio (hr):
So next time they ask you for a customized arrow, you can whip up your arrow mark, and give them something like this:
Multi-script maps made easier
GeoServer 2.8.0 improves its support for maps in multiple scripts, which can be a source of headaches. While it’s often easy to find support for most scripts in fonts, it’s hard to get one that would support, for example, western languages, Arabic, Korean, Hindi and Simplified Chinese in a single package. Especially for scripts like Simplified Chinese you have to resort to custom fonts.
Now, what happens if you are labelling a map that contains them all, and sometimes, contains more than one of them in a single label? Before GeoServer 2.8.0 we did not have a great answer to that, but now, you can simply specify multiple fonts in a TextSymbolizer, and the most suitable one will be chosen on the fly, eventually using multiple fonts in a single label in case there is no one able to handle the whole of it. Here is an example with mixed script labels:
We would like to thank DLR for sponsoring this improvement.
Improved labeling density
Before GeoServer 2.8.0 labelling dense road networks with lots of diagonal and curved labels might have left the impression that more labels could have fit the map… and that was not just an impression! Indeed, the previous label algorithm was reserving a busy area for the bounding box containing the label, which as you may see, is a lot more space than the actual label occupancy:
The French National Institute for geographic information provided a patch that makes the single chars of diagonal or curved labels be reserved instead, resulting in maps with quite a bit more labelled items per square inch:
WMS/WMTS protocol and configuration improvements
Creating new styles from templates
It’s now possible to create new styles starting from the built-in templates, and the style will be encoded in the desired style language (SLD, or CSS, or even something else, if you created your own styling language extension point):
GeoWebCache filter parameters GUI improved
It’s now possible to configure integer parameters in the caching section of a layer configuration.
GeoWebCache Storage
GeoWebCache can now store cached tiles on a per-layer basis - including Amazon S3.
Request parameter support in Freemarker templates
Freemarker GetFeatureInfo templates can now access the request parameters, as well as the Java process environment variables, in order to customize their response. For example, it’s now possible to expand the following variables in the template:
${request.LAYERS}
${request.ENV.PROPERTY}
${environment.GEOSERVER_DATA_DIR}
${environment.WEB_SITE_URL}
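An added example, not code from the GeoServer project: a Python audit that lists which request parameters and environment variables each Freemarker template expands, since every such value ends up in the GetFeatureInfo response. The `.ftl` extension, the function names and the sample template are assumptions made for this example.

```python
import re
from pathlib import Path

# FreeMarker comments are never evaluated, so drop them before scanning.
COMMENT = re.compile(r"<#--.*?-->", re.S)
# Regions FreeMarker evaluates: ${...} interpolations and <#...> directive tags.
EXPR = re.compile(r"\$\{(.*?)\}|<#(.*?)>", re.S)
# Dotted or ["quoted"] access on the two roots shown in the post.
REF = re.compile(
    r"(?<![\w.])(environment|request)"
    r"((?:\.[A-Za-z_]\w*|\[\s*[\"'][^\"']+[\"']\s*\])+)"
)
PART = re.compile(r"\.([A-Za-z_]\w*)|\[\s*[\"']([^\"']+)[\"']\s*\]")

# Constructed sample template, not taken from any real deployment.
SAMPLE = """<#-- constructed sample; ${environment.IGNORED_IN_COMMENT} -->
<h1>${request.LAYERS}</h1>
<p>style=${request.ENV.PROPERTY!"default"}</p>
<#if environment["WEB_SITE_URL"]??><a href="${environment.WEB_SITE_URL}">home</a></#if>
<p>data dir: ${environment.GEOSERVER_DATA_DIR}</p>
Plain text request.FORMAT is not evaluated.
"""

def audit_template(text):
    """Return sorted (kind, name) pairs for the values a template expands."""
    found = set()
    for m in EXPR.finditer(COMMENT.sub("", text)):
        expr = m.group(1) if m.group(1) is not None else m.group(2)
        for ref in REF.finditer(expr):
            parts = [a or b for a, b in PART.findall(ref.group(2))]
            root = ref.group(1)
            if root == "request" and parts[0] == "ENV" and len(parts) > 1:
                found.add(("request.ENV", parts[1]))  # WMS ENV sub-parameter
            else:
                found.add((root, parts[0]))
    return sorted(found)

def audit_tree(root):
    """Map each *.ftl file under root (relative path) to its references."""
    report = {}
    for path in sorted(Path(root).rglob("*.ftl")):
        refs = audit_template(path.read_text(encoding="utf-8", errors="replace"))
        if refs:
            report[str(path.relative_to(root))] = refs
    return report

if __name__ == "__main__":
    for kind, name in audit_template(SAMPLE):
        print(f"{kind:12} {name}")
```

Run `audit_tree` against the directory holding your templates and review every `environment` entry, since those values come from the server process rather than from the client.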
Controlling interpolation on a layer by layer basis
You can now control layer interpolation via GetMap, and specify a different interpolation policy on different layers. This is great if you are serving multiple raster maps, and maybe you want to have your classified raster use nearest neighbor, while showing the ozone density layer with bilinear interpolation.
Inspire configuration improved
Security
REST API for access control
There is now a REST API for configuring security access control - see the user guide for details.
About GeoServer 2.8
Articles, blog posts and presentations:
- State of GeoServer 2015 (FOSS4G)
- XXE Vulnerability (GeoServer)
- Z ordering features within and across feature types and layers (User Manual)
- JAI-Ext, the Open Source replacement for Oracle JAI (GeoSolutions)
- Customizable arrow in GeoServer (GeoSolutions)
- PostGIS Curve Support (GeoSolutions)
- Improved NetCDF/GRIB support in GeoServer (GeoSolutions)
- GeoServer 2.8-RC1, GeoServer 2.8-beta and GeoServer 2.8-M0 announcements
For additional details see the 2.8.0, 2.8-beta and 2.8-M0 release notes.
GeoServer Community
GeoServer Community modules provide an area for ideas and experimentation:
- WCS and WPS output formats based on gdal_translate to provide a greater range of output formats
- Gabriel has created a community module for vector tiles experimentation
- Embedded GeoFence server, REST API and GUI is the result of a productive collaboration between GeoSolutions and Boundless offering greater rule-based control of GeoServer security
- MongoDB DataStore enabling GeoServer to publish from this popular JSON based document database (no zip packaging, needs volunteer)
Community modules should be considered a work-in-progress and are subject to quality assurance, documentation, IP checks and a maintainer before being considered ready for release.
New repository and release delay
A quick message for all those who have been asking - I have started the GeoServer 2.8 release process but have run into a snag. The repo.boundlessgeo.com maven repository has been slowed down due to increased network traffic. We are setting up a replacement (cloud hosted which will allow more developers to manage).
What I would like to ask is for developers to try it out by adding the following to maven settings.xml:
<mirrors>
<mirror>
<id>boundlessgeo</id>
<name>Boundless Cloud Repository</name>
<url>https://boundless.artifactoryonline.com/boundless/main</url>
<mirrorOf>boundless</mirrorOf>
</mirror>
</mirrors>
Please try the above and report back to geoserver-devel, and we can cut over to the new repository tomorrow.
Thank you for your assistance, and please accept our apologies for the delay in releasing 2.8.0.
Update: We have now migrated to the new repository.
Maven Developers
For developers using maven to depend on geoserver jars (for those running a custom geoserver build) please note that we have now migrated to the new repository.
The repository details have not changed:
<repository>
<id>boundless</id>
<name>Boundless Maven Repository</name>
<url>http://repo.boundlessgeo.com/main/</url>
</repository>
The exception is for projects (such as GeoWebCache, GeoFence, GeoScript) that deploy artifacts. We ask you to change your distributionManagement section to the following:
<distributionManagement>
<repository>
<id>boundless</id>
<name>Boundless Release Repository</name>
<url>https://boundless.artifactoryonline.com/boundless/release/</url>
<uniqueVersion>false</uniqueVersion>
</repository>
<snapshotRepository>
<id>boundless</id>
<uniqueVersion>false</uniqueVersion>
<name>Boundless Snapshot Repository</name>
<url>https://boundless.artifactoryonline.com/boundless/snapshot/</url>
</snapshotRepository>
</distributionManagement>
Contact geoserver-devel if you have any questions.