Hello everyone, @groldan and myself volunteered to do the GeoServer 2.27.0 release this month - and we could use your help
GeoServer stopped doing “release candidates” ahead of each major release instead relying on nightly builds for feedback.
Testing is the best way to ensure GeoServer works for you and your organization. This is “where we do the open source thing” and share risk, share work, and simply make better software. Reply to this thread with your feedback, and we will thank you in the release announcements.
Test with your Data Directory
Try a nightly build with your data directory.
This is an important point where we depend on the public for help. With large open source projects there is the Linus’s law “given enough eyeballs, all bugs are shallow”. Subjecting a problem to a lot of feedback helps find corner cases.
My variation, Jody’s law , is for smaller scientific projects like GeoSever: “given enough data, all bugs are shallow”. We do not need a lot of people testing, we need GeoServer exposed to a wider range of datasets than the development team has access to.
Please check for:
UI CSP: Browser “content security policy” restrictions are now in place, so let us know if you find any problems. The docs has information how to identify CSP issues, and turn off CSP if needed. For experts there is config screen if you need to relax CSP settings on a case by case basis.
UI Dialogs: As part of getting ready for GS3 we had to implement our own dialogs. If you run into any problems please let us know!
Catalog Loader: GeoServer startup has seen a lot of improvements and we are seeking feedback on how-much-faster your experience is (and ensure we avoid deadlocks).
OGC API - Features: Read the instructions and learn how to configure along side WFS output.
So I have now given it a try with Docker and my data directory. The layers appear as expected.
However, I cannot log in.
Firefox’s developer tools show: ‘Content-Security-Policy: The page settings have blocked the loading of a resource (form-action) on http://server:8080/geoserver/j_spring_security_check because it violates the following directive: “form-action ”self’’
This seems to be an intended result, but how do I get to the administration interface now?
I have already updated the page with Control-R and Control-Shift-R. Otherwise I don’t know what to do.
Following the identify CSP issues instructions there is a --env org.geoserver.web.csp.strict=false setting to “break in”.
However that it is not working in Firefox for you is unexpected - as I tested the instructions before posting.
Let me try again now … yeah it still works for me:
18-Mar-2025 10:40:30.403 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
18-Mar-2025 10:40:30.464 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [21697] milliseconds
Yeah your feedback is exactly what we are needing:
Can you tell me anything more about your setup?
Your message indicated server:8080 but are you usually accessing via https:server:80 with a proxy base url?
You can try clearing your browser cache completely or accessing in “privacy mode”
In the meantime those that actually run test found issues that got fixed…
it did not take hours to start up geoserver on a small number of data dirs, althought it was not trivial to ensure that it would not deadlock on startup, or lose all of the layer groups…
I’ve done some testing with the 2.27.x in combination with geoserver-sec-oauth2-openid-connect-plugin. The login/logout- buttons with this combinations is certainly influenced by the CSP settings.
My findings is that out of the box, without any configuration, clicking the login-button would make the browser hang with a message in the console:
After logging in with an admin account, I discovered the new Content Security Policy page. First impression was that it were too complicated. I entered the IAM domain into “Allowed sources for remote web resources”, and then tried to find a suitable place to add this url into a ‘form-action’ rule.
I ended up editing “other-requests”. That didn’t work. My changes was gone when logging out and trying to log in again.
Then I tried to do the changes manually in the csp.xml file. That worked and now I can use the Login / Logout-buttons with the CSP enabled.
The url of these two are: /j_spring_security_logout and /web/j_spring_oauth2_openid_connect_login. What would be the correct Rule to place this?
I wonder why it is an ordered list of Policy List. They seems to be independent of each other. It would also make sense to shorten the Rule List.
Maybe I’m already a bit further along.
I managed to connect to geoserver with an nginx proxy to reach the connection via https. I have adjusted the proxy address in the global.xml file in the data directory accordingly.
Now I can log in as admin.
So far so good, but apparently I still don’t have sufficient rights, because access to the settings is not displayed. Is there any other idea?
I installed the nightly build and unfortunately the GeoFence plugin doesn’t work anymore. I’m persisting the configuration into Oracle and I now used the H2 version of the plugin using the following configuration:
GeoServer fails to start an writes the following error to the logfile:
12:26:29 WARN [internal.JdbcEnvironmentInitiator] - HHH000342: Could not obtain connection to query metadata
org.hibernate.boot.registry.selector.spi.StrategySelectionException: Unable to resolve name [org.hibernatespatial.oracle.OracleSpatial10gDialect] as strategy [org.hibernate.dialect.Dialect]
Caused by: org.hibernate.boot.registry.classloading.spi.ClassLoadingException: Unable to load class [org.hibernatespatial.oracle.OracleSpatial10gDialect]
...
Caused by: java.lang.ClassNotFoundException: Could not load requested class : org.hibernatespatial.oracle.OracleSpatial10gDialect
...
13:34:55 ERROR [jpa.LocalContainerEntityManagerFactoryBean] - Failed to initialize JPA EntityManagerFactory: Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
I’m using the hibernate-spatial-oracle-1.1.3.2.jar. Could someone give me a hint what changed in GeoServer or the plugin or what I could do to fix the issue?
Hi @dcal, pls note that you need to edit your configuration file, since it is still referring to the package org.hibernatespatial.<...> while the new version (since 2.27) requires now org.hibernate.spatial.<...>. Please check the class name of the Oracle version you need in the “Direct known subclasses” at Dialect (Hibernate JavaDocs).
Also, hibernate-spatial-oracle-1.1.3.2.jar .is no longer needed, since all the hibernate spatial dialects are now already provided. You only need to add the oracle jdbc driver, since h2 and postgis are the only two provided by default.
Thanks for the head up, I’ll update the doc at Installing the GeoServer GeoFence Server extension — GeoServer 2.27.x User Manual related to using different DBMS.
Deleting the ‘security’ directory did not work. I was able to log in, but an error message was displayed instead of the layer list.
However, I used my geodata directory for testing on another computer. There was still a reference to a proxyBaseUrl in the settings.xml files in my workspace, as well as in the ‘global.xml’ file. I deleted this and now I can no longer detect any problems with access.
, is for smaller scientific projects like GeoSever: “given enough data, all bugs are shallow”. We do not need a lot of people testing, we need GeoServer exposed to a wider range of datasets than the development team has access to.
