Spring 4 Upgrade

Jody Garnett edited this page Apr 12, 2016 · 83 revisions

This page gathers together Spring 4 upgrade information and planning activities, see GSIP-142 for the discussion/decision around delaying the GeoServer 2.9 release (due to Spring 3 incompatibility with Java 8).


  1. Start feature branch spring4-upgrade
    • :white_check_mark: all core modules compile
    • :white_check_mark: merge spring-test work from aaime mockrunner-spring branch.
  2. :white_check_mark: Upgrade to Servlet 3.0
  3. Migrate tests from mock runner to spring-test
    • :white_check_mark: core building
    • :white_check_mark: extension building
    • :white_check_mark: community modules (-PcommunityRelease) could not fix everything
  4. GWC - also uses spring and will require update
    • :white_check_mark: Upgrade to Servlet 3.0
    • :white_check_mark: Migrate from Acegi 1.0.7 to Spring Security
  5. Extensions
    • :white_check_mark: security
    • :white_check_mark: security ldap
    • :white_check_mark: security cas - some feedback from christian (may not be ready in time for release)
  6. community modules (-PcommunityRelease)
    • :white_check_mark: migrate modules to spring4 and spring-test
  7. GeoFence Upgrade and community modules
    • :white_check_mark: [ET] upgraded on master, spring-4-upgrade available as 3.2-SNAPSHOT
    • :white_check_mark: [ET] geofence - gui missing DnD (known issue after wicket upgrade)
    • :white_check_mark: [ET] geofence-server
  8. :white_check_mark: merge feature branch to master
  9. integration test geoserver security
    • :warning: note that digest is not expected to work :point_left: why?
    • :white_check_mark: [??] define user/groups/roles
    • :white_check_mark: [??] verify publication via getcapabilities
    • :white_check_mark: [??] verify access via GetMap
  10. integration test security jdbc
  • :white_check_mark: [KS] define user/groups/roles
  1. integration test security ldap (OpenLDAP or ActiveDirectory)
    • :white_check_mark: [NC] OpenLDAP
      • :white_check_mark: [NC] RoleService
      • :warning: [NC] AuthenticationProvider (PR for fix pending)
      • :white_check_mark: [NC] verify publication via GetCapabilities
      • :white_check_mark: [NC] verify access via GetMap
    • :grey_question: [DG] ActiveDirectory
      • :white_check_mark: [DG] RoleService
      • :white_check_mark: [DG] AuthenticationProvider
      • verify publication via GetCapabilities
      • verify access via GetMap
  2. integration test security cas
    • if available
  3. integration test rest api
    • :white_check_mark: [NC] test rest api against docs
    • :white_check_mark: [LP] look at using gsconfig for bulk testing
    • :white_check_mark: [AP] manual and automated tests with QGIS GeoServer Explorer Plugin (latest master)
    • look at gsmanager tests
  4. [JG] release 2.9-beta2
  5. release 2.9-RC1
  6. 2.9.0 release

See headings below for research, notes, buglets and planning on specific topics.


Issues List

Security Test

The security system has undergone extensive change, and requires manual testing. We will be pulling manual tests from both our user manual tutorials, and GeoSolutions geoserver security training if any instructions need clarification.

Default Security

  1. Test web application login and logout with default admin/geoserver credentials.
  2. Test web application login and logout with root password
  3. Test Demo Requests application with default admin/geoserver credentials

Security Authentication

  1. Test Digest tutorial

    :warning: Apparently this was broken before the spring 5 upgrade and is not expected to work?

  2. Public Key Infrastructure x.509 Certificate Authentication. This test requires a Tomcat environment, consider testing from an appropriate client such as QGIS.

  3. Test HTTP Header Proxy Authentication

  4. Test Authentication with CAS

Security Authorization

Test Plan:

  1. Security configuration:

    • Roles: Reader, Editor (with parent Reader)
    • Groups: Employees, Visitors
    • Users: Bob (Employee), Alice (Visitor)
  2. Data security:

    • topp.* read ROLE_AUTHENTICATED
  3. Service security:

    • wfs.* Reader, ADMIN
    • wfs.Transaction Editor, ADMIN
  4. Test GetCapabilities to verify data authorization

  5. Test GetMap to verify data authorization

  6. Test DescribeFeatureType to verify service authorization

  7. Test GetMap Transaction to verify service authorization

Security LDAP

  1. Tutorials provide adequate test:


The rest api has undergone significant modification and requires integration testing:

  1. Integration test: run gsconfig tests - should cover the geonode project

    Luigi Pireli reports success testing gsconfig (needed to fix one of the tests - #143 )

  2. Integration test: run qgis-geoserver-plugin tests

    Alessandro Pasotti manual and automated tests pass.

  3. Test examples provided in the documentation

    Niels reports back success.

  4. Look at gsmanager tests

Spring 4 Upgrade

Rough idea of scope (based on Justin's research in October):

  • servlet api upgrade (at least 3.0)
  • mock runner library does not go that high (spring has its own mock runner)
    • mechanical change, but not dropin replacing
  • security
    • cas, ldap, security modules in general:
      • Andrea emphasis manual testing
      • EspeI wocially manual testing for CAS (it is a rewrite, not just an update)
  • rest
    • restlet depends on servlet 2.5 (was able to get it working with exclusions)

What will be affected?

  • Note jdbconfig / jdbcconfig disk quota are hit by this upgrade
    • Tested, no didn't encounter any problems.
  • Q: How much will geofence rest be affected? due to use of spring rest api

Q: Upgrade to Servlet 3.0.

Only thing like to be tricky is additional security methods (login and logout).

Q: Anything else fun in Servlet 3.0? Use annotations rather than web.xml?

option to split web.xml into web-fragment.xml, use of of Asynchronous (see reference ).

Extensions that build and have been tested.

  • :white_check_mark: JDBCConfig (High risk due to use of Spring JDBC)
  • :white_check_mark: hz-cluster
  • :white_check_mark: CSW
  • :white_check_mark: Importer


  • Also using Spring and needs to update it both to fix the Java8 ASM problem and to remain compatible with GeoServer
  • Spring 3.1.1
  • Very old predecessor to Spring Security: Acegi 1.0.7
  • Spring JDBC
  • Metastore Remover
  • Rarely used (only when upgrading from versions <= 1.3
  • No unit tests
  • Diskquota JDBC

Spring-Test Migration

Migrating from Mock Runner to Spring-Test is likely to be the most lines of code changed, but very low risk.

The plan was simple, use spring-test, which provides similar classes, by:

  1. creating a set of mockrunner replacements that were simple subclases of the spring-test ones (put in the platform module, which everything depends on)

  2. remove the mockrunner dependencies and replace them with spring-test in pom files

  3. perform any adaptation necessary for method and behavior incompatibilities between the two sets of classes

  4. refactor out the subclasses leaving the code using directly sprint-test


  • :white_check_mark: core building
  • :white_check_mark: extension building
  • community modules (-PcommunityRelease) could not fix everything

Initial work https://github.com/aaime/geoserver/tree/mockrunner-spring has now been merged:


  • :white_check_mark: If we go for the Spring upgrade, see this as Andrea's contribution to the upgrade, and merge it soon

    This was merged to the feature branch.

  • :grey_question: Continue work on community modules in -PcommunityRelease (script, rest-ext)

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.