Spring 4 Upgrade

This page gathers together Spring 4 upgrade information and planning activities, see GSIP-142 for the discussion/decision around delaying the GeoServer 2.9 release (due to Spring 3 incompatibility with Java 8).

• Schedule

• Testing

  • Security Test

    • Default Security
    • Security Authentication
    • Security Authorization
    • Security LDAP

  • REST API Test

• Spring 4 Upgrade

  • GeoWebCache
  • Spring-Test Migration

Schedule

1. Start feature branch https://github.com/geoserver/geoserver/tree/spring4-upgrade
   • ✅ all core modules compile
   • ✅ merge spring-test work from aaime (https://github.com/aaime/geoserver/tree/mockrunner-spring)
2. ✅ Upgrade to Servlet 3.0
3. Migrate tests from mock runner to spring-test
   • ✅ core building
   • ✅ extension building
   • ✅ community modules (-PcommunityRelease) could not fix everything
4. GWC - also uses spring and will require update
   • ✅ Upgrade to Servlet 3.0
   • ✅ Migrate from Acegi 1.0.7 to Spring Security
5. GeoFence
   • ❔ status unknown
6. Extensions
   • ✅ security
   • ✅ security ldap
   • ✅ security cas - some feedback from christian (may not be ready in time for release)
7. community modules (-PcommunityRelease)
   • ✅ Migrate modules to spring4 and spring-test
   • ⚠️ geofence-server
   • ⚠️ geofence-server
8. ✅ merge feature branch
9. integration test geoserver security
   • ⚠️ note that digest is not expected to work
   • ⚠️ https://osgeo-org.atlassian.net/browse/GEOS-7482
   • ✅ define user/groups/roles
   • ✅ verify publication via getcapabilities
   • ✅ verify access via GetMap
10. integration test security jdbc

• ❔ define user/groups/roles

12. integration test security ldap
    • [NC] OpenLDAP
      • [NC] RoleService
      • [NC] AuthenticationProvider
      • [NC] verify publication via getcapabilities
      • [NC] verify access via GetMap
    • ❔ ActiveDirectory
      • ❔ define user/groups/roles
      • ❔ verify publication via getcapabilities
      • ❔ verify access via GetMap
13. integration test security cas
    • if available
14. integration test rest api
    • ❔ test rest api against docs
    • look at using gsconfig for bulk testing
    • look at gsmanager tests
15. release 2.9-beta2
16. release 2.9-RC1
17. 2.9.0 release

See headings below for research, notes, buglets and planning on specific topics.

Testing

Security Test

The security system has undergone extensive change, and requires manual testing. We will be pulling manual tests from both our user manual tutorials, and GeoSolutions geoserver security training if any instructions need clarification.

Default Security

1. Test web application login and logout with default admin/geoserver credentials.
2. Test web application login and logout with root password
3. Test Demo Requests application with default admin/geoserver credentials

Buglet:

• 👊 Login fails from layer preview page
• 👊 demo request page not fully functional

Security Authentication

1. Test Digest tutorial

   ⚠️ Apparently this was broken before the spring 5 upgrade and is not expected to work?

2. Public Key Infrastructure x.509 Certificate Authentication. This test requires a Tomcat environment, consider testing from an appropriate client such as QGIS.

3. Test HTTP Header Proxy Authentication

4. Test Authentication with CAS

Buglets:

• TBD

Security Authorization

Test Plan:

1. Security configuration:

   • Roles: Reader, Editor (with parent Reader)
   • Groups: Employees, Visitors
   • Users: Bob (Employee), Alice (Visitor)

2. Data security:

   • topp.* read ROLE_AUTHENTICATED

3. Service security:

   • wfs.* Reader, ADMIN
   • wfs.Transaction Editor, ADMIN

4. Test GetCapabilities to verify data authorization

5. Test GetMap to verify data authorization

6. Test DescribeFeatureType to verify service authorization

7. Test GetMap Transaction to verify service authorization

Buglets:

• TBD

Security LDAP

1. Tutorials provide adequate test, please test either:

   • LDAP; or
   • ActiveDirectory )

Buglets:

• TBD

REST API Test

The rest api has undergone significant modification and requires integration testing:

1. Integration test: run gsconfig tests - should cover the geonode project
2. Integration test: run qgis-geoserver-plugin tests
3. Test examples provided in the documentation

Buglets:

• TBD

Spring 4 Upgrade

Rough idea of scope (based on Justin's research in October):

• servlet api upgrade (at least 3.0)
• mock runner library does not go that high (spring has its own mock runner)
  • mechanical change, but not dropin replacing
• security
  • cas, ldap, security modules in general:
    • Andrea emphasis manual testing
    • EspeI wocially manual testing for CAS (it is a rewrite, not just an update)
• rest
  • restlet depends on servlet 2.5 (was able to get it working with exclusions)

What will be affected?

• Note jdbconfig / jdbcconfig disk quota are hit by this upgrade
• Q: How much will geofence rest be affected? due to use of spring rest api

Q: Upgrade to Servlet 3.0.

Only thing like to be tricky is additional security methods (login and logout).

Q: Anything else fun in Servlet 3.0? Use annotations rather than web.xml?

option to split web.xml into web-fragment.xml, use of of Asynchronous (see reference ).

GeoWebCache

• Also using Spring and needs to update it both to fix the Java8 ASM problem and to remain compatible with GeoServer
• Spring 3.1.1
• Very old predecessor to Spring Security: Acegi 1.0.7
• Spring JDBC
• Metastore Remover
• Rarely used (only when upgrading from versions <= 1.3
• No unit tests
• Diskquota JDBC

Spring-Test Migration

Migrating from Mock Runner to Spring-Test is likely to be the most lines of code changed, but very low risk.

• branch: https://github.com/aaime/geoserver/tree/mockrunner-spring

The plan was simple, use spring-test, which provides similar classes, by:

1. creating a set of mockrunner replacements that were simple subclases of the spring-test ones (put in the platform module, which everything depends on)

2. remove the mockrunner dependencies and replace them with spring-test in pom files

3. perform any adaptation necessary for method and behavior incompatibilities between the two sets of classes

4. refactor out the subclasses leaving the code using directly sprint-test

Progress:

• ✅ core building
• ✅ extension building
• community modules (-PcommunityRelease) could not fix everything

Initial work https://github.com/aaime/geoserver/tree/mockrunner-spring has now been merged:

• pom file modifications: https://github.com/aaime/geoserver/commit/144a178bd8618b0c6b96d1ef91ce3f83a8132ed3
• set up the sprint-test subclasses as mockrunner wannabes and work out the differences in API and behavior: https://github.com/aaime/geoserver/commit/7ad36b3e3d967b28b8c9d177705724be44e2b78a
• refactor away the mockrunner wannabe sublasses: https://github.com/aaime/geoserver/commit/2d5839e21aea1267533df2467e7b53cbcc630309

Planning:

• ✅ If we go for the Spring upgrade, see this as Andrea's contribution to the upgrade, and merge it soon

  This was merged to the feature branch.

• ❔ Continue work on community modules in -PcommunityRelease (script, rest-ext)