[Geoserver-devel] PRs to Update Spring and Spring Security

Hey All,
Just wanted to bring to your attention PRs for GeoServer ( https://github.com/geoserver/geoserver/pull/6515 ) and GWC ( https://github.com/GeoWebCache/geowebcache/pull/1111 ) that update Spring Core from 5.2.22 to 5.3.23 and Spring Security from 5.1.13 to 5.7.3.

These upgrades introduce changes and/or deprecations in a number of areas including:

Spring MVC Content Negotiation

ContentNegotiationConfigurer.favorPathExtension is deprecated (and no longer the default configuration) because Spring wants to discourage extensions in paths. Removing extensions would cause GeoServer REST API backwards compatibility issues that will have to be addressed in the future. For now, we are suppressing the deprecation warning and turning on this configuration option.

Spring MVC returned Mimetypes now include the charset.

This change breaks many GeoServer tests. The solution is that we introduced a GeoServerSystemTestSupport method to parse the mimetype, returning only the base.

Servlet API updated to 3.1

For ServletOutputStream and ServletInputStream implementations we had to add support for non-blocking IO calls.

SecurityContextPersistenceFilter is deprecated

Spring deprecated this because it is inflexible about the timing of when the context was saved. We replaced it with a OncePerRequestFilter that saves the context after GeoServer specific request attribute changes are made.

Serialized RMI invocation is deprecated

Geofence integration uses serialized RMI invocation. For now, we are suppressing the deprecation warning. This will have to be addressed in the future in the Geofence project and in the GeoServer extension.

Joe Miller

Hi Joseph,
thanks for sharing the progress. Some additions inline below

On Tue, Jan 17, 2023 at 10:31 PM Joseph Miller <millerjoseph@anonymised.com> wrote:

Spring MVC Content Negotiation

ContentNegotiationConfigurer.favorPathExtension is deprecated (and no longer the default configuration) because Spring wants to discourage extensions in paths. Removing extensions would cause GeoServer REST API backwards compatibility issues that will have to be addressed in the future. For now, we are suppressing the deprecation warning and turning on this configuration option.

Some references about content negotiation and the deprecation itself, for reference:

This issue affects the REST API, which uses a suffix match to decide about the response content. The OGC API module is currently not using such a convention, so it’s not affected.

Speaking of OGC APIs, we made it pass all tests and QA before the Spring upgrade, and it’s still
building with no test nor QA failures after the upgrade.

In addition to that, we’re looking into the OAuth modules, which may be affected by the upgrades as well.
Here we applied the same treatment as OGC API, but disabled the deprecation checks, making those modules
pass a full build with the following command:

mvn clean install -Dqa -nsu -Poauth2-all -Dlint=unchecked -T6

They have been recently broken again by the CSS overhaul, but the fix is easy, and then the modules do build.
However, automated tests are far from covering the full functionality, so we are looking into doing manual testing as well before the RC.

I have already reviewed the changes in both PRs before they were posted to the main repo so… anyone else wants to have a look?

Cheers
Andrea


Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group

On Wed, 18 Jan 2023 at 07:31, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Joseph,
thanks for sharing the progress. Some additions inline below

On Tue, Jan 17, 2023 at 10:31 PM Joseph Miller <millerjoseph@anonymised.com> wrote:

Spring MVC Content Negotiation

ContentNegotiationConfigurer.favorPathExtension is deprecated (and no longer the default configuration) because Spring wants to discourage extensions in paths. Removing extensions would cause GeoServer REST API backwards compatibility issues that will have to be addressed in the future. For now, we are suppressing the deprecation warning and turning on this configuration option.

Some references about content negotiation and the deprecation itself, for reference:

This issue affects the REST API, which uses a suffix match to decide about the response content. The OGC API module is currently not using such a convention, so it’s not affected.

Note we’ve already faced that problem in GeoServer Cloud, and fixed it with this:

https://github.com/geoserver/geoserver-cloud/commit/c9105e2d265ca89601157fcb58cd73ad2b750c82#diff-ce2a76336b064b1b6698bdbcacdde96f6635f31ed2ba982efb46ae4ba3f638f9R51

Basically:
ContentNegotiationConfigurer.favorPathExtension(true)

and
handlerMapping.setUseSuffixPatternMatch(true);
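
An added example, not part of the thread and not GeoServer or GeoServer Cloud code: one way to re-enable the two deprecated suffix options on Spring 5.3 through a WebMvcConfigurer while limiting them to extensions that are explicitly registered, so that only known suffixes match a mapping and URL-based access rules stay easier to reason about. The class name and the two registered extensions are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Hypothetical configuration class (assumption, not taken from either project).
@Configuration
public class SuffixNegotiationConfig implements WebMvcConfigurer {

    @Override
    @SuppressWarnings("deprecation") // favorPathExtension is deprecated in Spring 5.3
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer
            // Let "/resource.json" select the response type, as the REST API expects.
            .favorPathExtension(true)
            // Ignore any extension that is not registered below instead of
            // guessing a media type from an arbitrary suffix.
            .useRegisteredExtensionsOnly(true)
            // Sample registrations (assumption); list the formats the API really serves.
            .mediaType("json", MediaType.APPLICATION_JSON)
            .mediaType("xml", MediaType.APPLICATION_XML);
    }

    @Override
    @SuppressWarnings("deprecation") // suffix pattern matching is deprecated in Spring 5.3
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer
            // A mapping for "/resource" also matches "/resource.<ext>".
            .setUseSuffixPatternMatch(true)
            // Restrict that match to the extensions registered above, so
            // "/resource.anything" does not reach the same handler.
            .setUseRegisteredSuffixPatternMatch(true);
    }
}
```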