Merge branch 'main' into HTM-1852_geotools-35.x

Author: mprins

.github/workflows/copilot-setup-steps.yml

@@ -32,7 +32,7 @@ jobs:
           maven-version: 3.9.12
 
       - name: 'Login to b3p.nl'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: docker.b3p.nl
           username: ${{ secrets.DOCKER_B3P_PULL_ACTOR }}

.github/workflows/qa.yml

@@ -47,7 +47,7 @@ jobs:
       - name: 'QA build with Maven'
         run: mvn -B -V -fae -DskipQA=false -Dspotless.action=check -Dpom.fmt.action=verify -Ddocker.skip=true -DskipTests -DskipITs clean install
 
-      - uses: lcollins/pmd-github-action@v3.1.0
+      - uses: lcollins/pmd-github-action@v3.2.0
         if: always()
         with:
           path: '**/pmd.xml'

.github/workflows/ubuntu-maven.yml

@@ -96,7 +96,7 @@ jobs:
           maven-version: ${{ env.MAVEN_VERSION }}
 
       - name: 'Login to b3p.nl'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: docker.b3p.nl
           username: ${{ secrets.DOCKER_B3P_PULL_ACTOR }}
@@ -204,7 +204,7 @@ jobs:
           maven-version: ${{ env.MAVEN_VERSION }}
 
       - name: 'Log in to GitHub container registry'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

build/ci/docker-compose.yml

@@ -123,7 +123,7 @@ services:
     environment:
       TZ: Europe/Amsterdam
       SOLR_OPTS: '$SOLR_OPTS -Dsolr.environment=dev,label=Tailormap+Development,color=#6236FF'
-      SOLR_DELETE_UNKNOWN_CORES: true
+      SOLR_CLOUD_STARTUP_DELETE_UNKNOWN_CORES_ENABLED: true
       SOLR_MODE: user-managed
     volumes:
       - solr-data:/var/solr

pom.xml

@@ -14,7 +14,7 @@ SPDX-License-Identifier: MIT
     </parent>
     <groupId>org.tailormap</groupId>
     <artifactId>tailormap-api</artifactId>
-    <version>12.5.1-SNAPSHOT</version>
+    <version>12.5.2-SNAPSHOT</version>
     <packaging>jar</packaging>
     <name>Tailormap API</name>
     <description>Tailormap API provides the backend for Tailormap</description>
@@ -65,7 +65,7 @@ SPDX-License-Identifier: MIT
     <scm>
         <connection>scm:git:git@github.com:Tailormap/tailormap-api.git</connection>
         <developerConnection>scm:git:git@github.com:Tailormap/tailormap-api.git</developerConnection>
-        <tag>tailormap-api-12.4.2</tag>
+        <tag>tailormap-api-12.5.1</tag>
         <url>https://github.com/Tailormap/tailormap-api/</url>
     </scm>
     <issueManagement>
@@ -101,7 +101,7 @@ SPDX-License-Identifier: MIT
         <maven.compiler.target>${java.version}</maven.compiler.target>
         <maven.compiler.release>${java.version}</maven.compiler.release>
         <maven-compiler-plugin.version>3.12.1</maven-compiler-plugin.version>
-        <project.build.outputTimestamp>2026-02-24T11:05:11Z</project.build.outputTimestamp>
+        <project.build.outputTimestamp>2026-03-06T10:33:43Z</project.build.outputTimestamp>
         <geotools.version>35-SNAPSHOT</geotools.version>
         <jts.version>1.20.0</jts.version>
         <okhttp.version>5.3.2</okhttp.version>
@@ -156,7 +156,7 @@ SPDX-License-Identifier: MIT
         <modernizer-maven-plugin.version>3.2.0</modernizer-maven-plugin.version>
         <maven-fluido-skin.version>2.1.0</maven-fluido-skin.version>
         <swagger-ui.version>5.32.0</swagger-ui.version>
-        <sentry.version>8.33.0</sentry.version>
+        <sentry.version>8.34.1</sentry.version>
         <errorProne.version>2.48.0</errorProne.version>
         <errorProneFlags>-XepDisableWarningsInGeneratedCode</errorProneFlags>
         <errorProneExcludePaths>${project.build.directory}/generated-sources/.*</errorProneExcludePaths>

src/main/java/org/tailormap/api/controller/GeoServiceProxyController.java

@@ -38,6 +38,7 @@
 import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
@@ -49,9 +50,11 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.InputStreamResource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
@@ -96,6 +99,12 @@ public class GeoServiceProxyController {
 
   public static final String TILES3D_DESCRIPTION_PATH = "tiles3dDescription";
 
+  @Value("${tailormap-api.proxy.passthrough.layerpatterns:}")
+  private Set<String> proxyLayerPassthroughPatterns = Set.of();
+
+  @Value("${tailormap-api.proxy.passthrough.hostnames:}")
+  private Set<String> proxyPassthroughHostNames = Set.of();
+
   public GeoServiceProxyController(AuthorisationService authorisationService) {
     this.authorisationService = authorisationService;
 
@@ -112,7 +121,7 @@ public ResponseEntity<?> proxy3dtiles(
       @ModelAttribute GeoServiceLayer layer,
       HttpServletRequest request) {
 
-    checkRequestValidity(application, service, layer, GeoServiceProtocol.TILES3D);
+    checkRequestValidity(application, service, layer, GeoServiceProtocol.TILES3D, request);
 
     return doProxy(build3DTilesUrl(service, request), service, request);
   }
@@ -128,7 +137,7 @@ public ResponseEntity<?> proxy(
       @PathVariable("protocol") GeoServiceProtocol protocol,
       HttpServletRequest request) {
 
-    checkRequestValidity(application, service, layer, protocol);
+    checkRequestValidity(application, service, layer, protocol, request);
 
     switch (protocol) {
       case WMS, WMTS -> {
@@ -151,7 +160,11 @@ public ResponseEntity<?> proxy(
   }
 
   private void checkRequestValidity(
-      Application application, GeoService service, GeoServiceLayer layer, GeoServiceProtocol protocol) {
+      Application application,
+      GeoService service,
+      GeoServiceLayer layer,
+      GeoServiceProtocol protocol,
+      HttpServletRequest request) {
     if (service == null || layer == null) {
       throw new ResponseStatusException(HttpStatus.NOT_FOUND);
     }
@@ -168,6 +181,54 @@ private void checkRequestValidity(
       throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Proxy not enabled for requested service");
     }
 
+    int wmsLayerCount = request.getParameterMap().entrySet().stream()
+        .filter(entry -> "LAYERS".equalsIgnoreCase(entry.getKey()))
+        .mapToInt(entry -> entry.getValue().length)
+        .sum();
+    if (wmsLayerCount > 1) {
+      throw new ResponseStatusException(
+          HttpStatus.BAD_REQUEST, "Multiple layers in LAYERS parameter not supported");
+    }
+
+    // this can be null in case of requests that do not have a LAYERS parameter, such as GetCapabilities requests.
+    String layerNameParamValue = request.getParameterMap().entrySet().stream()
+        .filter(entry -> "LAYERS".equalsIgnoreCase(entry.getKey()))
+        .findFirst()
+        .map(entry -> entry.getValue()[0])
+        .orElse(null);
+
+    if (layerNameParamValue != null && !layer.getName().equals(layerNameParamValue)) {
+      // check if layer matches any passthrough pattern, if not throw bad request
+      if (proxyLayerPassthroughPatterns.stream().noneMatch(pattern -> {
+        String regex = String.format(pattern, Pattern.quote(layer.getName()));
+        return Pattern.compile(regex).matcher(layerNameParamValue).matches();
+      })) {
+        throw new ResponseStatusException(
+            HttpStatus.BAD_REQUEST, "Requested layer name does not match expected layer");
+      }
+
+      if (!proxyPassthroughHostNames.isEmpty()) {
+        // check if host matches any passthrough hostname, if not throw bad request
+        try {
+          String geoServiceHostName = new URI(service.getUrl()).getHost();
+          if (proxyPassthroughHostNames.stream()
+              .noneMatch(hostname -> hostname.equalsIgnoreCase(geoServiceHostName))) {
+            throw new ResponseStatusException(
+                HttpStatus.BAD_REQUEST,
+                "Requested service hostname does not match allowed hostnames for layer passthrough");
+          }
+        } catch (URISyntaxException e) {
+          logger.error(
+              "Invalid service URL \"{}\" for layer id {}: {}",
+              service.getUrl(),
+              layer.getId(),
+              e.getMessage());
+          throw new ResponseStatusException(
+              HttpStatus.INTERNAL_SERVER_ERROR, "Invalid service URL in configuration");
+        }
+      }
+    }
+
     if (authorisationService.mustDenyAccessForSecuredProxy(service)) {
       logger.debug(
           "Denying proxy for layer \"{}\" in app #{} (\"{}\") from secured service #{} (URL {}): user is not authenticated",

src/main/resources/application.properties

@@ -30,6 +30,14 @@ tailormap-api.feature.info.maxitems=30
 # Should match the list in tailormap-viewer class AttributeListExportService
 tailormap-api.export.allowed-outputformats=csv,text/csv,application/vnd.openxmlformats-officedocument.spreadsheetml.sheet,excel2007,application/vnd.shp,application/x-zipped-shp,SHAPE-ZIP,application/geopackage+sqlite3,application/x-gpkg,geopackage,geopkg,gpkg,application/geo+json,application/geojson,application/json,json,DXF-ZIP
 
+# proxy passthrough regex patterns for layer names, when empty no additional layers are allowed to be proxied
+# eg. use vw_t_gi_%s_[a-fA-F0-9]{32} to match `vw_t_gi_layername_70cae9814c6144808f1c9bb921099794` as a sub-layer of layername
+# %s is replaced with the layer name from the configuration (this uses String.format() syntax, so be aware of the escaping rules for % and \)
+# for regex help see eg: https://regex101.com/ or https://www.regexplanet.com/advanced/java/index.html or https://regexr.com/
+tailormap-api.proxy.passthrough.layerpatterns=
+## list of allowed host names eg. test.com,localhost (no spaces) to validate the layer name patterns, can be empty to allow any host name
+tailormap-api.proxy.passthrough.hostnames=
+
 # whether the API should use GeoTools "Unique Collection" (use DISTINCT in SQL statements) or just
 # retrieve all values when calculating the unique values for a property.
 # There might be a performance difference between the two, depending on the data

src/test/java/org/tailormap/api/controller/GeoServiceProxyControllerDefaultProxyConfigIntegrationTest.java

@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2026 B3Partners B.V.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+package org.tailormap.api.controller;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.tailormap.api.TestRequestProcessor.setServletPath;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.api.parallel.Execution;
+import org.junit.jupiter.api.parallel.ExecutionMode;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+import org.tailormap.api.annotation.PostgresIntegrationTest;
+
+@PostgresIntegrationTest
+@AutoConfigureMockMvc
+@Execution(ExecutionMode.CONCURRENT)
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@TestPropertySource(
+    properties = {
+      // Use the default proxy configuration, which denies layer patterns,
+      // to test the default configuration of the GeoServiceProxyController
+      "tailormap-api.proxy.passthrough.hostnames=",
+      "tailormap-api.proxy.passthrough.layerpatterns="
+    })
+class GeoServiceProxyControllerDefaultProxyConfigIntegrationTest {
+  private final String begroeidterreindeelUrl =
+      "/app/default/layer/lyr:snapshot-geoserver-proxied:postgis:begroeidterreindeel/proxy/wms";
+
+  @Autowired
+  private WebApplicationContext context;
+
+  private MockMvc mockMvc;
+
+  @Value("${tailormap-api.base-path}")
+  private String apiBasePath;
+
+  @BeforeAll
+  void initialize() {
+    mockMvc = MockMvcBuilders.webAppContextSetup(context).build();
+  }
+
+  @Test
+  void post_request() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("VERSION", "1.3.0")
+            .param("FORMAT", "image/png")
+            .param("STYLES", "")
+            .param("TRANSPARENT", "TRUE")
+            .param("LAYERS", "postgis:begroeidterreindeel")
+            .param("WIDTH", "2775")
+            .param("HEIGHT", "1002")
+            .param("CRS", "EPSG:28992")
+            .param("BBOX", "130574.85495843932,457818.25613033347,133951.6192003861,459037.5418133715")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isOk());
+  }
+
+  @Test
+  void get_request() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(get(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("VERSION", "1.3.0")
+            .param("FORMAT", "image/png")
+            .param("STYLES", "")
+            .param("TRANSPARENT", "TRUE")
+            .param("LAYERS", "postgis:begroeidterreindeel")
+            .param("WIDTH", "2775")
+            .param("HEIGHT", "1002")
+            .param("CRS", "EPSG:28992")
+            .param("BBOX", "130574.85495843932,457818.25613033347,133951.6192003861,459037.5418133715")
+            .with(setServletPath(path)))
+        .andExpect(status().isOk());
+  }
+
+  @Test
+  void disallow_invalid_layer_name_param() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("LAYERS", "postgis:invalid_layer_name")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isBadRequest());
+  }
+
+  @Test
+  void disallow_two_layer_names_param() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("LAYERS", "postgis:invalid_layer_name,postgis:begroeidterreindeel")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isBadRequest());
+  }
+}

src/test/java/org/tailormap/api/controller/GeoServiceProxyControllerIntegrationTest.java

@@ -207,6 +207,56 @@ void large_http_post() throws Exception {
         .andExpect(status().isOk());
   }
 
+  @Test
+  void disallow_invalid_layer_name_param() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("LAYERS", "postgis:invalid_layer_name")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isBadRequest());
+  }
+
+  @Test
+  void disallow_two_layer_names_param() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("LAYERS", "postgis:invalid_layer_name,postgis:begroeidterreindeel")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isBadRequest());
+  }
+
+  @Test
+  void disallow_comma_separated_layer_names_matching_pattern_param() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param(
+                "LAYERS",
+                "vw_t_gi_postgis:begroeidterreindeel_70cae9814c6144808f1c9bb921099794,other_layer")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isBadRequest());
+  }
+
+  @Test
+  void allow_valid_layer_name_pattern_param() throws Exception {
+    final String path = apiBasePath + begroeidterreindeelUrl;
+    mockMvc.perform(post(path)
+            .param("REQUEST", "GetMap")
+            .param("SERVICE", "WMS")
+            .param("LAYERS", "vw_t_gi_postgis:begroeidterreindeel_70cae9814c6144808f1c9bb921099794")
+            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+            .with(setServletPath(path)))
+        .andExpect(status().isOk());
+  }
+
   @Test
   void allow_http_get() throws Exception {
     final String path = apiBasePath + begroeidterreindeelUrl;