This page gathers together Spring 4 upgrade information and planning activities, see GSIP-142 for the discussion/decision around delaying the GeoServer 2.9 release (due to Spring 3 incompatibility with Java 8).

• Schedule

• Testing

  • Security Test

    • Default Security
    • Security Authentication
    • Security Authorization
    • Security LDAP

  • REST API Test

• Spring 4 Upgrade

  • GeoWebCache
  • Spring-Test Migration

1. Start feature branch spring4-upgrade
   • ✅ all core modules compile
   • ✅ merge spring-test work from aaime mockrunner-spring branch.
2. ✅ Upgrade to Servlet 3.0
3. Migrate tests from mock runner to spring-test
   • ✅ core building
   • ✅ extension building
   • ✅ community modules (-PcommunityRelease) could not fix everything
4. GWC - also uses spring and will require update
   • ✅ Upgrade to Servlet 3.0
   • ✅ Migrate from Acegi 1.0.7 to Spring Security
5. Extensions
   • ✅ security
   • ✅ security ldap
   • ✅ security cas - some feedback from christian (may not be ready in time for release)
6. community modules (-PcommunityRelease)
   • ✅ migrate modules to spring4 and spring-test
7. GeoFence Upgrade and community modules
   • ✅ [ET] upgraded on master, spring-4-upgrade available as 3.2-SNAPSHOT
   • ✅ [ET] geofence - gui missing DnD (known issue after wicket upgrade)
   • ✅ [ET] geofence-server
8. ✅ merge feature branch to master
9. integration test geoserver security
   • ⚠️ note that digest is not expected to work 👈 why?
   • ✅ [??] define user/groups/roles
   • ✅ [??] verify publication via getcapabilities
   • ✅ [??] verify access via GetMap
10. integration test security jdbc

• ✅ [KS] define user/groups/roles

12. integration test security ldap (OpenLDAP or ActiveDirectory)
    • ✅ [NC] OpenLDAP
      • ✅ [NC] RoleService
      • ⚠️ [NC] AuthenticationProvider (PR for fix pending)
      • ✅ [NC] verify publication via GetCapabilities
      • ✅ [NC] verify access via GetMap
    • ❔ [DG] ActiveDirectory
      • ✅ [DG] RoleService
      • ✅ [DG] AuthenticationProvider
      • verify publication via GetCapabilities
      • verify access via GetMap
13. integration test security cas
    • if available
14. integration test rest api
    • ✅ [NC] test rest api against docs
    • ✅ [LP] look at using gsconfig for bulk testing
    • ✅ [AP] manual and automated tests with QGIS GeoServer Explorer Plugin (latest master)
    • look at gsmanager tests
15. [JG] release 2.9-beta2
16. release 2.9-RC1
17. 2.9.0 release

See headings below for research, notes, buglets and planning on specific topics.

• ⚠️ GEOS 7404 Digest authentication is broken

• ⚠️ GEOS-7482 404 when logging in from /web/wicket pages

• 👊 Login fails from layer preview page
• 👊 demo request page not fully functional

The security system has undergone extensive change, and requires manual testing. We will be pulling manual tests from both our user manual tutorials, and GeoSolutions geoserver security training if any instructions need clarification.

1. Test web application login and logout with default admin/geoserver credentials.
2. Test web application login and logout with root password
3. Test Demo Requests application with default admin/geoserver credentials

1. Test Digest tutorial

   ⚠️ Apparently this was broken before the spring 5 upgrade and is not expected to work?

2. Public Key Infrastructure x.509 Certificate Authentication. This test requires a Tomcat environment, consider testing from an appropriate client such as QGIS.

3. Test HTTP Header Proxy Authentication

4. Test Authentication with CAS

Test Plan:

1. Security configuration:

   • Roles: Reader, Editor (with parent Reader)
   • Groups: Employees, Visitors
   • Users: Bob (Employee), Alice (Visitor)

2. Data security:

   • topp.* read ROLE_AUTHENTICATED

3. Service security:

   • wfs.* Reader, ADMIN
   • wfs.Transaction Editor, ADMIN

4. Test GetCapabilities to verify data authorization

5. Test GetMap to verify data authorization

6. Test DescribeFeatureType to verify service authorization

7. Test GetMap Transaction to verify service authorization

1. Tutorials provide adequate test:

   • LDAP; or
   • ActiveDirectory )

The rest api has undergone significant modification and requires integration testing:

1. Integration test: run gsconfig tests - should cover the geonode project

   Luigi Pireli reports success testing gsconfig (needed to fix one of the tests - #143 )

2. Integration test: run qgis-geoserver-plugin tests

   Alessandro Pasotti manual and automated tests pass.

3. Test examples provided in the documentation

   Niels reports back success.

4. Look at gsmanager tests

Rough idea of scope (based on Justin's research in October):

• servlet api upgrade (at least 3.0)
• mock runner library does not go that high (spring has its own mock runner)
  • mechanical change, but not dropin replacing
• security
  • cas, ldap, security modules in general:
    • Andrea emphasis manual testing
    • EspeI wocially manual testing for CAS (it is a rewrite, not just an update)
• rest
  • restlet depends on servlet 2.5 (was able to get it working with exclusions)

What will be affected?

• Note jdbconfig / jdbcconfig disk quota are hit by this upgrade
  • Tested, no didn't encounter any problems.
• Q: How much will geofence rest be affected? due to use of spring rest api

Q: Upgrade to Servlet 3.0.

Only thing like to be tricky is additional security methods (login and logout).

Q: Anything else fun in Servlet 3.0? Use annotations rather than web.xml?

option to split web.xml into web-fragment.xml, use of of Asynchronous (see reference ).

• ✅ JDBCConfig (High risk due to use of Spring JDBC)
• ✅ hz-cluster
• ✅ CSW
• ✅ Importer

• Also using Spring and needs to update it both to fix the Java8 ASM problem and to remain compatible with GeoServer
• Spring 3.1.1
• Very old predecessor to Spring Security: Acegi 1.0.7
• Spring JDBC
• Metastore Remover
• Rarely used (only when upgrading from versions <= 1.3
• No unit tests
• Diskquota JDBC

Migrating from Mock Runner to Spring-Test is likely to be the most lines of code changed, but very low risk.

• branch: https://github.com/aaime/geoserver/tree/mockrunner-spring

The plan was simple, use spring-test, which provides similar classes, by:

1. creating a set of mockrunner replacements that were simple subclases of the spring-test ones (put in the platform module, which everything depends on)

2. remove the mockrunner dependencies and replace them with spring-test in pom files

3. perform any adaptation necessary for method and behavior incompatibilities between the two sets of classes

4. refactor out the subclasses leaving the code using directly sprint-test

Progress:

• ✅ core building
• ✅ extension building
• community modules (-PcommunityRelease) could not fix everything

Initial work https://github.com/aaime/geoserver/tree/mockrunner-spring has now been merged:

• pom file modifications: https://github.com/aaime/geoserver/commit/144a178bd8618b0c6b96d1ef91ce3f83a8132ed3
• set up the sprint-test subclasses as mockrunner wannabes and work out the differences in API and behavior: https://github.com/aaime/geoserver/commit/7ad36b3e3d967b28b8c9d177705724be44e2b78a
• refactor away the mockrunner wannabe sublasses: https://github.com/aaime/geoserver/commit/2d5839e21aea1267533df2467e7b53cbcc630309

Planning:

• ✅ If we go for the Spring upgrade, see this as Andrea's contribution to the upgrade, and merge it soon

  This was merged to the feature branch.

• ❔ Continue work on community modules in -PcommunityRelease (script, rest-ext)