GeoServer Blog
GeoServer About & Status - A Practical Guide
GeoSpatial Techno is a startup focused on geospatial information that is providing e-learning courses to enhance the knowledge of geospatial information users, students, and other startups. The main approach of this startup is providing quality, valid specialized training in the field of geospatial information.
GeoServer About & Status along with practical guides
In this session, we would like to talk about the “About & Status” section of GeoServer.
Introduction
The “About & Status” section of GeoServer provides information about runtime variables and how GeoServer is described to clients that connect to it. In other words, this section provides access to GeoServer diagnostic and configuration tools and can be particularly useful for debugging.
- “Server Status”: view server configuration and run-time status.
- “GeoServer Logs”: see GeoServer log output for error diagnosis.
- “Contact Information”: manage public contact details for WMS server.
- “About GeoServer”: access GeoServer docs, homepage, and bug tracker. You do not need to be logged into GeoServer to access this page.
Server Status
The “Server Status” page gives you a summarized overview of the main configuration parameters and information about the current state of GeoServer. It has three tabs:
- The “Status” tab provides a summary of server configuration parameters and run-time status.
- The “Modules” tab provides the status of the various modules installed on the server.
- The “System Status” tab provides extra information about the system environment GeoServer is running in.
Status Field Descriptions
This page describes the current status indicators:
- Data directory: It shows the path to the GeoServer data directory. The procedure for setting the location of the GeoServer data directory is dependent on the type of GeoServer installation. When running a GeoServer Web Archive inside a servlet container, the data directory can be specified in several ways. The recommended method is to set a servlet context parameter. To specify the data directory using a servlet context parameter, create the “context-param” element in the “WEB-INF/web.xml” file for the GeoServer application. After you change the path of the data directory, log in to GeoServer again. Now you can see the new path of the data directory.
- Locks: When using Transactional Web Feature Service (WFS-T), clients can edit feature types. To prevent data corruption, GeoServer locks the data during transactions. If the number is greater than one, there are active transactions. Clicking “Free Locks” resets a hung editing session and removes any abandoned locks.
- Connections: This shows you the number of vector data store connections. Vector data stores are repositories configured for the persistence of features.
- Memory Usage: This shows you how much memory GeoServer is using. You can manually run the garbage collector by clicking the Free Memory button, so it cleans up memory marked for deletion.
- JVM Version: This is the version of the “Java Virtual Machine” that the GeoServer is using.
- Java Rendering Engine: It shows the rendering engine used for vector operations.
- Available Fonts: This is a list of the fonts seen by the GeoServer. Fonts are useful to render labels for spatial features. Selecting the link will show the full list. To add custom fonts to the GeoServer, first, you have to download your favorite fonts from the web, then copy them to the “Java installation folder\jre\lib\fonts”. After restarting the Apache Tomcat software, the new fonts will be added to the Available Fonts list.
In programming, to improve the speed and performance of a program, each of the various tasks and parts of the application can be assigned to a thread. The thread pool pattern helps conserve resources in a multithreaded application and places parallel computations in a predefined framework. When using a thread pool, tasks can be performed concurrently. Here are the titles of GeoServer’s ThreadPoolExecutor parameters: ThreadPoolExecutor Core Pool Size, ThreadPoolExecutor Max Pool Size, ThreadPoolExecutor Keep Alive Time(ms)
- Update Sequence: This option shows you how many times the server configuration has been updated.
- Resource cache: GeoServer does not cache data, but it does cache connections to stores, feature type definitions, external graphics, font definitions, and CRS definitions. The “Clear” button forces those caches to empty and makes GeoServer reopen the stores and re-read image and font information, as well as the custom CRS definitions stored in: ${GEOSERVER_DATA_DIR}/user_projections/epsg.properties
- Configuration and catalog: This option is very useful to update the configuration without having to restart the service. If the configuration on the disk becomes outdated due to external changes, you can refresh it by loading the latest data from the disk.
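One way to audit the setting described in the “Data directory” item above, as an added example that is not part of the original tutorial: it reads a `WEB-INF/web.xml`, extracts the `GEOSERVER_DATA_DIR` context parameter and flags a data directory that is unset, relative, or located inside the web application folder (which the servlet container replaces when the WAR is redeployed). The sample XML, the paths and the function names are constructed for illustration.

```python
"""Added example: read GEOSERVER_DATA_DIR from a WEB-INF/web.xml and sanity-check it."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

PARAM = "GEOSERVER_DATA_DIR"

# Constructed sample of a web.xml; the path is a placeholder, not a real deployment.
SAMPLE_WEB_XML = r"""
<web-app>
  <display-name>GeoServer</display-name>
  <context-param>
    <param-name>GEOSERVER_DATA_DIR</param-name>
    <param-value>D:\geoserver_data</param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Drop an XML namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml):
    """Return {param-name: param-value} for every <context-param> in web.xml."""
    params = {}
    for elem in ET.fromstring(web_xml):
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def _path(text, windows):
    """Interpret text with Windows or POSIX path rules, independent of the host OS."""
    return PureWindowsPath(text) if windows else PurePosixPath(text)


def check_data_dir(web_xml, webapp_root, windows=True):
    """Return (data_dir, findings); an empty findings list means nothing was flagged."""
    data_dir = context_params(web_xml).get(PARAM, "")
    if not data_dir:
        # The location may still come from another mechanism; web.xml does not set it.
        return None, [f"{PARAM} is not set in web.xml"]

    findings = []
    directory = _path(data_dir, windows)
    if not directory.is_absolute():
        findings.append("path is not absolute")
    try:
        directory.relative_to(_path(webapp_root, windows))
        findings.append("data directory is inside the web application folder")
    except ValueError:
        pass  # outside the web application folder
    return data_dir, findings


if __name__ == "__main__":
    # Constructed Tomcat layout used only for this demonstration.
    print(check_data_dir(SAMPLE_WEB_XML, r"C:\Tomcat\webapps\geoserver"))
```
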
Module Field Descriptions
In GeoServer, a module can fall into one of three classes:
- Core, those modules that are visible by default in the Modules tab that GeoServer requires to function and are distributed with the main GeoServer distribution.
- Extension, those modules that add functionality to GeoServer. They are installed as add-ons to the base GeoServer installation. After you download and install these extensions, they are added to the GeoServer modules list. One example is the WPS extension.
- Community, those modules that are generally considered experimental and are often under development. For that reason, unlike the official extensions, these modules are not released and stored on SourceForge when an official GeoServer release is produced.
Every module added to GeoServer has its origin as a community module. If the module becomes stable enough it will eventually become part of the main GeoServer distribution either as a core module or as an extension.
System Status Field Descriptions
System Status adds some extra information about the system in the GeoServer status page in a tab named System Status and makes that info queryable through the GeoServer REST interface. This info should allow an administrator to get a quick understanding of the status of the GeoServer instance. If the System status tab is not present, it means that the plugin was not installed correctly. The System status tab content will be refreshed automatically every second.
GeoServer Logs
The “GeoServer Logs” page lets you read the messages, warnings, and errors contained in the log file. Depending on the current logging settings, you can find more information about the requests clients send to GeoServer and how it processes them. By default, you can only read the last 1,000 lines from the console. You can change this setting, but if you need to access the entire log content, we would strongly suggest accessing it with a text editor.
You can use the “Download the full log file” link placed just under the text console, or access the log file directly from this path: “geoserver_data_dir/logs/geoserver.log”
Contact Information
The “Contact Information” page holds the contact details that are used in the Capabilities document of the WMS server and are publicly accessible. GeoServer provides an option to describe this information and metadata in different languages. By default, it is disabled and can be enabled with the i18n checkbox. You can complete this form with the relevant information and press the Save button to save your information.
About GeoServer
The “About GeoServer” section provides a brief description of GeoServer and build information such as GeoServer Version, Git Revision, Build Date, GeoTools Version, and GeoWebCache Version. This section also provides links to the GeoServer Documentation, Wiki, and Issue Tracker. Remember that you do not need to be logged into GeoServer to access this page.
GeoServer 2024 Roadmap Planning
Happy new year and welcome to 2024 from the GeoServer team!
The GeoServer team is doing something different this year: sharing our roadmap plans and asking our community for resources (participation and funding) to meet our 2024 goals.
The GeoServer project is supported and maintained thanks to the hard work of volunteers and the backing of companies providing professional support.
We are seeking a healthy balance in 2024 and request increased support in the following areas:
- Maintenance: GeoServer was started in 2001 by a non-profit technology incubator. Subsequent years have seen the project supported by larger companies with investors and venture capital. This support is no longer available - and without this cushion we must rely on our community to play a greater role in sharing ongoing maintenance activities.
The team has provided a great response with increased use of automation, quality assurance tools, and dropping modules such as SAML that have not attracted participation. Keep in mind that participation, not popularity, determines what functionality is available each release.
However maintenance costs for software are increasing in 2024. Expectations for prompt response to security vulnerabilities have increased. This causes the components used by GeoServer to be updated more frequently, and with greater urgency.
Volunteers can answer questions on geoserver-user list, reproduce issues as they are reported, and verify fixes.
Developers are encouraged to get started by reviewing pull-requests to learn what is needed, and then move on to fixing issues.
Trusted volunteers can help mind geoserver-security email list, and help reproduce vulnerabilities as they are reported. We also seek developer capacity and funding to address confirmed vulnerabilities.
- Testing: In 2023 we saw a greater response to our call for release-candidate testing. This was very much appreciated given the technical challenge undertaken in 2023. However this response was largely taken up by downstream projects, where we could personally create a ticket in their issue trackers discussing the technical risk and asking for help.
Volunteers and service providers are asked to help test release-candidates in March 2024 and September 2024. The GeoServer team operates with a time-boxed release model so it is predictable when testing will be expected.
- Sponsorship: In 2023 we made a deliberate effort to “get over being shy” and ask for financial support, setting up a sponsorship page, and listing sponsors on our home page.
We received $1000 USD. You might think of this as a poor response.
North River Geographic Systems Inc provided funding to thank Andrea Aime for speaking at an event with no clear expectation of sponsorship. How 2 Map sponsorship reflects Jody’s personal company being used for screen snaps on how to badge a github repository as supporting OSGeo.
With this in mind - no funds were directly raised in answer to our 2023 call for financial support. So this is actually a terrible response.
We ask for your financial assistance in 2024 (see bottom of page for recommendations).
The above priorities of maintenance, testing and sponsorship represent the normal operations of an open-source project. This post is provided as a reminder, and a call to action for our community.
Roadmap Planning
We have shared the following roadmap planning information in foss4g presentations in 2023, and it is time to share these goals with a wider audience as part of this blog post.
This is a brave step for the project: as we learned early on that placing a goal on a roadmap can be taken as an indication that funding is already secured. We even had a negative example where placing a goal on a roadmap resulted in the interested party withdrawing (as they understood that the community was now going to do the work instead!)
With this in mind here are our priorities for 2024:
- Migrate to spring-framework-6 (Deadline December 2024)
GeoServer uses the spring-framework 5.3 which will reach end-of-life in December 2024. This provides motivation for all roadmap planning in calendar year 2024.
We are already getting concerned inquiries in response to CVE scans recommending upgrading to spring-framework 6. We look forward to your support of this activity.
In order to stay on a supported version of spring-framework we need to migrate to spring-framework 6 for December 2024.
- Migrate to spring-security 6
The spring-security framework is used by GeoServer for integrating with a number of systems.
- Central Authentication Service (CAS)
- Lightweight Directory Access Protocol (LDAP)
Use of spring-framework 6 and above requires the use of spring-security 6.
- Remove spring-security-oauth plugin
A number of popular community modules are built on spring-security-oauth plugin:
- OAuth2 google
- OAuth2 github
- OAuth2 geonode
- OAuth2 OpenID Connect
Support for OAuth2 in GeoServer is based on the deprecated spring-security-oauth library. The same functionality is now provided by spring-security itself, but exposing a different API, making the GeoServer plugin incompatible.
Our GeoServer security integrations will need to be rewritten to use the spring-security framework directly.
The good news is that this activity is available to be worked on immediately with spring-security 5.8 and then migrated to spring-security 6. Other projects such as GeoNetwork have already made the transition.
The use of spring-security 6 requires removing spring-security-oauth plugin.
- Remove spring-security-keycloak plugin
A community module offering keycloak integration will need to be rewritten or replaced.
The Keycloak team has announced that their spring-security-keycloak plugin has reached end-of-life and will be removed from a future release of Keycloak. They recommend migrating to OAuth2/OpenID Connect support from spring-security 6.
We recommend those using the spring-security-keycloak plugin to join forces in development and testing of OAuth2/OpenID Connect integration.
The use of spring-security 6 requires removing spring-security-keycloak plugin.
- Migrate to Jakarta Enterprise Edition
GeoServer is a Java Web Application comprised of a number of “servlets” that can be run by an application server. The specification of how these components work together is defined by the Java Enterprise Edition specification. This specification is now managed by the Eclipse Foundation as Jakarta Enterprise Edition.
With the change to Jakarta Enterprise Edition we expect a number of compatibility issues:
- The charts extension is based on eastwood charts last updated in 2008.
This library is not compatible with Jakarta Enterprise Edition and will need to be replaced.
- mapfish-print-v2
This library is not compatible with Jakarta Enterprise Edition and will need to be updated or replaced.
Application Servers that support Jakarta Enterprise Edition:
- Apache Tomcat 10.1 / Jakarta Enterprise Edition 10 / Servlet 6 / Java 17+
- Jetty 12.0 / Jakarta Enterprise Edition 10 / Servlet 6 / Java 17+
When ready we will need volunteers to test on the new application servers and update the binary release and documentation to reflect the new environment. Organizations operating in a managed environment may wish to pursue permission to operate Tomcat 10.1 ahead of this planned change.
The spring-framework version 6 uses the newer Jakarta Enterprise Edition specification.
- Upgrade to Apache Wicket 10
Apache Wicket user-interface framework is used for the GeoServer Admin console screens.
Brad Hards has started this activity by going to the intermediate goal of Wicket 9, and will require a fleet of testers to perform A/B testing of each screen. This is an impressive undertaking; in 2016 we did an entire round of fundraising to assemble a team sprint when updating from Apache Wicket 1.4 to Wicket 7.x.
Volunteers can help Brad test Wicket 9 now, and when the transition to Wicket 10 is complete a second round of A/B testing will be scheduled.
The use of Jakarta Enterprise Edition requires the use of Apache Wicket 10.
- Upgrade to Java 17
GeoServer is presently compiled with Java 11 LTS, with the result tested on Java 11 LTS, Java 17 LTS, and soon Java 21 LTS.
With the change to Java 17 we expect a number of libraries we use to require updating or replacing.
GeoServer is presently building on Java 17, however documentation will need to be updated when Java 11 support is dropped. Organizations may wish to pursue permission to operate Java 17 LTS ahead of this planned change.
The spring-framework 6 and Jakarta Enterprise Edition application servers require Java 17 as a minimum.
- Migrate to ImageN 1.0
The Java Advanced Imaging library is used as the engine for our image and raster processing capabilities. This library reached end-of-life with the last JAI 1.1.3 release in 2005.
This library has received considerable investment from our community with GeoSolutions heading up the JAI-EXT project to better work with geospatial datasets, operations and analysis including recent support for hyperspectral imagery.
We have been planning for this migration for some time:
- Boundless worked with LocationTech to outline the creation of a new “Raster Processing Engine” library (with estimate of $150k). This library was planned after assessing alternatives in the Java ecosystem (nothing matched JAI on-demand capabilities required for geospatial content).
- LocationTech was able to contact Oracle, resulting in the source code being donated to the Eclipse Foundation as the ImageN project (consider that a $100k savings)
- Jody has worked on this project as a background activity when unemployed and the source code now compiles in a modern environment with documentation migrated to markdown (consider that at $25k savings)
- However test cases were not provided with the code donation (estimate $25k work remaining)
Once this library is ready:
- Migrate JAI-EXT project to ImageN 1.0 baseline (or merge for ImageN 1.1)
- GeoTools migration to ImageN 1.0 and integration testing
This activity is suitable for Java developers interested in Image Processing and will require coordination between ImageN, JAI-EXT and GeoTools projects.
Compiling with Java 17 requires migrating to ImageN library
This roadmap outlines goals that we wish to accomplish - we are seeking resources (funding, developers, testers, documentation writers) before work can be scheduled.
Service Providers
Service providers help bring GeoServer technology to a wider audience. We recognize core-contributors who take on an ongoing responsibility for the GeoServer project on our home page, along with a listing of commercial support on our website. We encourage service providers offering GeoServer support to be added to this list.
Helping meet project roadmap planning goals and objectives is a good way for service providers to gain experience with the project and represent their customers in our community. We recognize service providers that contribute to the sustainability of GeoServer as experienced providers.
We encourage service providers to directly take project maintenance and testing activities, and financially support the project if they do not have capacity to participate directly.
Sponsorship Opportunities
The GeoServer project steering committee uses your financial support to fund maintenance activities, code sprints, and research and development that is beyond the reach of an individual contributor.
GeoServer recognizes your financial support on our home page, sponsorship page and in release notes and presentations. GeoServer is part of the Open Source Geospatial Foundation and your financial support of the project is reflected on the OSGeo sponsorship page.
Recommendations:
- Individuals can use Donate via GitHub Sponsors to have their repository badged as supporting OSGeo.
- Individuals who offer GeoServer services should consider $50 USD a month to be listed as a bronze Sponsor on the OSGeo website.
- Organisations using GeoServer are encouraged to sponsor $50 USD a month to be listed as a bronze sponsor on the OSGeo website.
- Organisations that offer GeoServer services should consider $250 a month to be listed as a silver sponsor on the OSGeo website.
For instructions on sponsorship see how to Sponsor via Open Source Geospatial Foundation.
GeoServer 2.23.4 Release
GeoServer 2.23.4 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.23.4 is made in conjunction with GeoTools 29.4, and GeoWebCache 1.23.3.
Thanks to Peter Smythe (AfriGIS) for making this release.
Security Considerations
This release addresses security vulnerabilities and is considered an essential update for production systems.
- CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API (High).
- CVE-2023-41877 GeoServer log file path traversal vulnerability (High).
- CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page (Moderate).
- CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page (Moderate).
- CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer (Moderate).
- CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API (Moderate).
See project security policy for more information on how security vulnerabilities are managed.
Release notes
Improvement:
- GEOS-11152 Improve handling special characters in the Simple SVG Renderer
- GEOS-11154 Improve handling special characters in the MapML HTML Page
- GEOS-11176 Add validation to file wrapper resource paths
- GEOS-11188 Let DownloadProcess handle download requests whose pixel size is larger than integer limits
- GEOS-11189 Add an option to throw a service exception when nearest match “allowed interval” is exceeded
- GEOS-11193 Add an option to throw an exception when the time nearest match does not fall within search limits
- GEOS-11219 Upgrade mail and activation libraries
Bug:
- GEOS-9757 Return a service exception when client provided WMS dimensions are not a match
- GEOS-11074 GeoFence may not load property file at boot
- GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
- GEOS-11190 GeoFence: align log4j2 deps
- GEOS-11196 NPE in VectorDownload if ROI not defined
- GEOS-11200 GetFeatureInfo can fail on rendering transformations that generate a different raster
- GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
- GEOS-11206 Throw nearest match mismatch exceptions only for WMS
- GEOS-11223 Layer not visible in preview/capabilities if security closes the workspace, but allows access to the layer
- GEOS-11224 Platform independent binary doesn’t start properly with default data directory
For the complete list see 2.23.4 release notes.
Community Updates
Community module development:
- GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
- GEOS-11212 OIDC accessToken verification using only JWKs URI
Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you please contact the module developer to offer assistance.
About GeoServer 2.23 Series
Additional information on GeoServer 2.23 series:
- GeoServer 2.23 User Manual
- Drop Java 8
- GUI CSS Cleanup
- Add the possibility to use fixed values in Capabilities for Dimension metadata
- State of GeoServer 2.23
- GeoServer Feature Frenzy 2023
- GeoServer used in fun and interesting ways
- GeoServer Orientation
Release notes: ( 2.23.4 | 2.23.3 | 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )
GeoServer installation methods on Windows
GeoServer installation methods: “Windows Installer” and “Web Archive”
In this session, we will talk about how to install GeoServer by two common methods on Windows.
Introduction
GeoServer can be installed on different operating systems, since it is a Java-based application. You can run it on any operating system for which a Java virtual machine exists. GeoServer’s speed depends a lot on the chosen Java Runtime Environment (JRE). The latest versions of GeoServer are tested with both Oracle JRE and OpenJDK. These versions are:
- Java 17 for GeoServer 2.23 and above
- Java 11 for GeoServer 2.15 and above
- Java 8 for GeoServer 2.9 to GeoServer 2.22
- Java 7 for GeoServer 2.6 to GeoServer 2.8
- Java 6 for GeoServer 2.3 to GeoServer 2.5
- Java 5 for GeoServer 2.2 and earlier
But remember that the older versions are unsupported and won’t receive fixes or security updates, and they contain well-known security vulnerabilities that have not been patched, so use them at your own risk. That is true for both GeoServer and Java itself.
There are many ways to install GeoServer on your system. This tutorial will cover the two most commonly used installation methods on Windows.
- Windows Installer
- Web Archive
Windows installer
The Windows installer provides an easy way to set up GeoServer on your system, as it requires no configuration files to be edited or command line settings.
Installation
- GeoServer requires a Java environment (JRE) to be installed on your system, available from Adoptium for Windows Installer, or provided by your OS distribution. For more information, please refer to this link: https://docs.geoserver.org/latest/en/user/installation/index.html#installation
Consider the operating system architecture and memory requirements when selecting a JRE installer. 32-bit Java version is restricted to 2 GB memory, while the 64-bit version is recommended for optimal server memory. Utilizing JAI with the 32-bit JRE can enhance performance for WMS output generation and raster operations.
- Install JRE by following the default settings and successfully complete the installation.
- Navigate to GeoServer.org and download the desired version of GeoServer.
- Launch the GeoServer installer and agree to the license.
- Enter the path to the JRE installation and proceed with the installation. The installer will attempt to automatically populate this box with a JRE if it is found, but otherwise you will have to enter this path manually.
- Provide necessary details like the GeoServer data directory, administration credentials, and port configuration.
- Review the selections, install GeoServer, and start it either manually or as a service.
- Finally, navigate to localhost:8080/geoserver (or wherever you installed GeoServer) to access the GeoServer Web administration interface.
Uninstallation
GeoServer can be uninstalled in two ways:
- By running the uninstall.exe file in the directory where GeoServer was installed
- By standard Windows program removal
Web Archive
GeoServer is packaged as a web archive (WAR) for use with an application server such as Apache Tomcat or Jetty. It has been mostly tested using Tomcat, which is therefore the recommended application server. Tomcat is also widely used, well-documented, and relatively simple to configure. GeoServer requires a newer version of Tomcat (7.0.65 or later) that implements Servlet 3 and annotation processing. Other application servers have been known to work, but are not guaranteed.
Installation
- Make sure you have a JRE installed on your system, then download Apache Tomcat from its website (https://tomcat.apache.org). For the Windows installation package, scroll down and choose the 32bit/64bit Windows Service Installer option.
- Configure Tomcat by selecting components, setting up a username and password, and specifying memory settings. Before starting the Tomcat service, configure the memory settings that the Java VM will use. To do so, open Tomcat9w from the bin folder, then click on the Java tab. This tab allows for configuration of memory settings, including initial and maximum memory pool sizes. Recommended values are 512MB for the initial memory pool and 1024MB for the maximum memory pool.
- Start Tomcat service and verify its functionality, then navigate to localhost:8080, and get the Tomcat9 web page.
- Navigate to GeoServer.org and open the Download page. Select Web Archive for the version of GeoServer that you wish to download.
- Deploy the GeoServer web archive as you would normally. Often, all that is necessary is to copy the GeoServer.war file to the Tomcat’s webapps directory, then the application will be deployed automatically.
- Now, to access the Web administration interface, open a browser, navigate to localhost:8080 and press the Manager App button. Enter the username and password of Apache Tomcat. Click on the start button for GeoServer. Once it has started, click the GeoServer link. This will take you to the GeoServer web page.
Uninstallation
Stop the container application. Remove the GeoServer webapp from the container application’s webapps directory. This will usually include the GeoServer.war file as well as a GeoServer directory.
Difference between GEOSERVER.war and GEOSERVER.exe?
- The ‘GeoServer.exe’ NSIS installer registers GeoServer as a Windows Service, which uses the Jetty application server to run GeoServer. The ‘GeoServer.war’ is a platform-independent web-archive package to be deployed in your own application server (we recommend Apache Tomcat). Using the ‘GeoServer.exe’ installer is a reliable way to set up GeoServer as a Windows background service. The downside is that the included Jetty application server is managed using text files (jetty.ini) once installed.
- The ‘GeoServer.war’ web archive is provided for installation into your own application server (we recommend Apache Tomcat as the market leader, with excellent documentation and integration options). A single application server may support several web applications, allowing GeoServer to be run alongside your own Java web application.
GeoServer 2.24.1 Release
GeoServer 2.24.1 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of GeoServer recommended for production use. GeoServer 2.24.1 is made in conjunction with GeoTools 30.1, and GeoWebCache 1.24.1.
Thanks to Jody Garnett (GeoCat) for making this release.
Security Considerations
This release addresses security vulnerabilities and is considered an essential upgrade for production systems.
- CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API (High).
- CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page (Moderate).
- CVE-2024-23640 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format (Moderate).
- CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page (Moderate).
- CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form (Moderate).
- CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer (Moderate).
See project security policy for more information on how security vulnerabilities are managed.
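A defender's check that follows from the two Security Considerations lists above (2.23.4 and 2.24.1), as an added example that is not GeoServer project code: given the version string shown on the “About GeoServer” page, it reports which of the listed CVE fixes that build still lacks. The function names and status labels are assumptions; a release series for which this page lists no fix is reported as `not-listed` rather than guessed.

```python
"""Added example: triage GeoServer version strings against the fixes listed on this page."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Copied from the two "Security Considerations" lists on this page.
# CVE id -> {release series: first patch release of that series listed with the fix}
FIXED_IN: Dict[str, Dict[Tuple[int, int], int]] = {
    "CVE-2023-51444": {(2, 23): 4, (2, 24): 1},
    "CVE-2023-41877": {(2, 23): 4},
    "CVE-2024-23821": {(2, 23): 4, (2, 24): 1},
    "CVE-2024-23819": {(2, 23): 4, (2, 24): 1},
    "CVE-2024-23642": {(2, 23): 4, (2, 24): 1},
    "CVE-2023-51445": {(2, 23): 4},
    "CVE-2024-23640": {(2, 24): 1},
    "CVE-2024-23643": {(2, 24): 1},
}

# Accepts "2.23.4" as well as qualified builds such as "2.24-RC" or "2.24-SNAPSHOT".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+)|-(RC\d*|M\d+|SNAPSHOT))\s*$", re.IGNORECASE
)


class Version(NamedTuple):
    series: Tuple[int, int]  # (major, minor), e.g. (2, 23)
    patch: Optional[int]     # -1 for RC/milestone builds, None for nightly SNAPSHOT builds


def parse_version(text: str) -> Version:
    """Parse a GeoServer version string; raise ValueError if it is not a release."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch, qualifier = match.groups()
    series = (int(major), int(minor))
    if patch is not None:
        return Version(series, int(patch))
    if qualifier.upper() == "SNAPSHOT":
        return Version(series, None)  # nightly build: content depends on the build date
    return Version(series, -1)        # release candidate or milestone, predates x.y.0


def triage(version_text: str) -> Dict[str, str]:
    """Map each CVE to 'fixed', 'missing', 'unknown' (nightly) or 'not-listed'."""
    version = parse_version(version_text)
    report = {}
    for cve, fixes in FIXED_IN.items():
        fixed_patch = fixes.get(version.series)
        if fixed_patch is None:
            report[cve] = "not-listed"  # this page names no fix release for the series
        elif version.patch is None:
            report[cve] = "unknown"
        elif version.patch >= fixed_patch:
            report[cve] = "fixed"
        else:
            report[cve] = "missing"
    return report


def missing_fixes(version_text: str) -> List[str]:
    """CVEs whose listed fix is newer than the given build, sorted by id."""
    return sorted(cve for cve, state in triage(version_text).items() if state == "missing")


if __name__ == "__main__":
    # Constructed inventory: host names are placeholders.
    inventory = {"gis-prod-01": "2.23.3", "gis-prod-02": "2.24.1", "gis-test-01": "2.24-RC"}
    for host, version in inventory.items():
        print(host, version, missing_fixes(version) or "no listed fix missing")
```
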
Release notes
Improvement:
- GEOS-11152 Improve handling special characters in the Simple SVG Renderer
- GEOS-11153 Improve handling special characters in the WMS OpenLayers Format
- GEOS-11154 Improve handling special characters in the MapML HTML Page
- GEOS-11155 Add the X-Content-Type-Options header
- GEOS-11173 Default to using HttpOnly session cookies
- GEOS-11176 Add validation to file wrapper resource paths
- GEOS-11188 Let DownloadProcess handle download requests whose pixel size is larger than integer limits
- GEOS-11189 Add an option to throw a service exception when nearest match “allowed interval” is exceeded
- GEOS-11193 Add an option to throw an exception when the time nearest match does not fall within search limits
Bug:
- GEOS-11074 GeoFence may not load property file at boot
- GEOS-11166 OGC API Maps HTML representation fail without datetime parameter
- GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
- GEOS-11190 GeoFence: align log4j2 deps
- GEOS-11196 NPE in VectorDownload if ROI not defined
- GEOS-11200 GetFeatureInfo can fail on rendering transformations that generate a different raster
- GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
- GEOS-11206 Throw nearest match mismatch exceptions only for WMS
For the complete list see 2.24.1 release notes.
Community Module Updates
OAuth2 OpenID-Connect improvements
Two improvements have been made to the community module for OAuth2 OpenID-Connect authentication:
- GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
- GEOS-11212 OIDC accessToken verification using only JWKs URI
In addition the module includes an OIDC_LOGGING profile and updated documentation covering new settings and troubleshooting guidance.
Thanks Jody Garnett for these improvements on behalf of GeoBeyond.
note: Over the course of 2024 the OAuth2 plugins will need to be rewritten for spring-framework 6. Interested parties are encouraged to reach out to geoserver-devel email list; ideally we would like to see this functionality implemented and included as part of GeoServer.
About GeoServer 2.24 Series
Additional information on GeoServer 2.24 series:
- GeoServer 2.24 User Manual
- State of GeoServer 2.24 (foss4g-na presentation)
- Control remote HTTP requests sent by GeoTools/GeoServer
- Multiple CRS authority support, planetary CRS
- Extensive GeoServer Printing improvements
- Upgraded security policy
Release notes: ( 2.24.1 | 2.24.0 | 2.24-RC )
GeoServer is an Open Source Geospatial Foundation project supported by a mix of volunteer and service provider activity. We rely on sponsorship to fund activities beyond the reach of individual contributors.
Tutorials
- Powerful SLD Styles & Filters in GeoServer
- Using Logical Operators in GeoServer Filters
- Exploring CQL/ECQL Filtering in GeoServer
- Using Spatial Operators in GeoServer Filters
- Using Value Comparison Operators in GeoServer Filters
- Using Binary Comparison Operators in GeoServer Filters
- Utilizing the Demo Section in Geoserver
- How to Implement Basic Security in Geoserver
- How to create Tile Layers with GeoServer
- How to style layers using GeoServer and QGIS