diff --git a/.dockerignore b/.dockerignore index 567609b..9f878ab 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1 +1,2 @@ build/ +postgis/ diff --git a/.gitignore b/.gitignore index 92bc551..99ff525 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ *.iml *.idea - +postgis/ diff --git a/Dockerfile b/Dockerfile index 360253a..fa3aa7b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM tomcat:9.0.85-jdk11-temurin-jammy +FROM tomcat:9.0.90-jdk11-temurin-jammy LABEL vendor="osgeo.org" # Build arguments @@ -61,7 +61,7 @@ WORKDIR /tmp RUN set -eux \ && export DEBIAN_FRONTEND=noninteractive \ && apt-get update \ - && apt-get install -y --no-install-recommends openssl unzip curl gettext \ + && apt-get install -y --no-install-recommends openssl unzip curl locales gettext \ && apt-get clean \ && rm -rf /var/cache/apt/* \ && rm -rf /var/lib/apt/lists/* \ @@ -112,12 +112,13 @@ RUN apt purge -y \ # GeoServer user => restrict access to $CATALINA_HOME and GeoServer directories # See also CIS Docker benchmark and docker best practices -RUN chmod +x /opt/*.sh + +RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/startup.sh + +ENTRYPOINT ["bash", "/opt/startup.sh"] WORKDIR /opt -ENTRYPOINT ["/opt/startup.sh"] - EXPOSE 8080 HEALTHCHECK --interval=1m --timeout=20s --retries=3 \ diff --git a/README.md b/README.md index 9d4bd62..843d589 100644 --- a/README.md +++ b/README.md @@ -7,10 +7,12 @@ This Dockerfile can be used to create images for all geoserver versions since 2. * JRE11 (eclipse temurin) * Ubuntu Jammy (22.04 LTS) * GeoServer installation is configurable and supports - * dynamic installation of extensions - * custom fonts (e.g. for SLD styling) + * Dynamic installation of extensions + * Custom fonts (e.g. for SLD styling) * CORS - * additional libraries + * Additional libraries + * PostgreSQL JNDI + * HTTPS This README.md file covers use of official docker image, additional [build](BUILD.md) and [release](RELEASE.md) instructions are available. 
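Review bot: `sed -i 's/\r$//' /opt/startup.sh` normalizes line endings for only one script, while the `chmod +x /opt/*.sh` on the same RUN line shows other scripts live under /opt (this same commit adds update_credentials.sh, which startup.sh invokes), so a CRLF checkout would break those the same way. Either widen it to `RUN chmod +x /opt/*.sh && sed -i 's/\r$//' /opt/*.sh` or, better, fix the cause with a `.gitattributes` rule `*.sh text eol=lf` so the image does not paper over line endings at build time. Running the entrypoint as `["bash", "/opt/startup.sh"]` makes the script's shebang irrelevant; presumably that is deliberate CRLF hardening too, and it deserves a one-line comment next to the ENTRYPOINT, e.g. `# invoked via bash explicitly so a CRLF-damaged shebang cannot break container start`.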
@@ -19,20 +21,20 @@ This README.md file covers use of official docker image, additional [build](BUIL To pull an official image use ``docker.osgeo.org/geoserver:{{VERSION}}``, e.g.: ```shell -docker pull docker.osgeo.org/geoserver:2.24.2 +docker pull docker.osgeo.org/geoserver:2.25.2 ``` All the images can be found at: [https://repo.osgeo.org](https://repo.osgeo.org/#browse/browse:geoserver-docker:v2/geoserver/tags) and the latest stable and maintenance version numbers can be obtained from [https://geoserver.org/download/](https://geoserver.org/download/) Afterwards you can run the pulled image locally with: ```shell -docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.24.2 +docker run -it -p 80:8080 docker.osgeo.org/geoserver:2.25.2 ``` Or if you want to start the container daemonized, use e.g.: ```shell -docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.24.2 +docker run -d -p 80:8080 docker.osgeo.org/geoserver:2.25.2 ``` Check to see the geoserver page, @@ -49,7 +51,7 @@ To use an external folder as your geoserver data directory. ```shell docker run -it -p 80:8080 \ --mount src="/absolute/path/on/host",target=/opt/geoserver_data/,type=bind \ - docker.osgeo.org/geoserver:2.24.2 + docker.osgeo.org/geoserver:2.25.2 ``` An empty data directory will be populated on first use. You can easily update GeoServer while @@ -64,7 +66,7 @@ The environment variable `SKIP_DEMO_DATA` can be set to `true` to create an empt ```shell docker run -it -p 80:8080 \ --env SKIP_DEMO_DATA=true \ - docker.osgeo.org/geoserver:2.24.2 + docker.osgeo.org/geoserver:2.25.2 ``` ## How to issue a redirect from the root ("/") to GeoServer web interface ("/geoserver/web")? 
@@ -85,8 +87,8 @@ The ``startup.sh`` script allows some customization on startup: * ``CORS_ALLOW_CREDENTIALS`` (default ``false``) **Setting this to ``true`` will only have the desired effect if ``CORS_ALLOWED_ORIGINS`` defines explicit origins (not ``*``)** * ``PROXY_BASE_URL`` to the base URL of the GeoServer web app if GeoServer is behind a proxy. Example: ``https://example.com/geoserver``. -The CORS variables customize tomcat's `web.xml` file. If you need more customization, -you can provide your own customized `web.xml` file to tomcat by mounting it into the container +The CORS variables customize tomcat's `web.xml` file. If you need more customization, +you can provide your own customized `web.xml` file to tomcat by mounting it into the container at `/opt/config_overrides/web.xml`. Example installing wps and ysld extensions: @@ -94,7 +96,7 @@ Example installing wps and ysld extensions: ```shell docker run -it -p 80:8080 \ --env INSTALL_EXTENSIONS=true --env STABLE_EXTENSIONS="wps,ysld" \ - docker.osgeo.org/geoserver:2.24.2 + docker.osgeo.org/geoserver:2.25.2 ``` The list of extensions (taken from SourceForge download page): @@ -119,7 +121,7 @@ If you want to add geoserver extensions/libs, place the respective jar files in ```shell docker run -it -p 80:8080 \ --mount src="/dir/with/libs/on/host",target=/opt/additional_libs,type=bind \ - docker.osgeo.org/geoserver:2.24.2 + docker.osgeo.org/geoserver:2.25.2 ``` ## How to add additional fonts to the docker image (e.g. for SLD styling)? @@ -129,7 +131,7 @@ If you want to add custom fonts (the base image only contains 26 fonts) by using ```shell docker run -it -p 80:8080 \ --mount src="/dir/with/fonts/on/host",target=/opt/additional_fonts,type=bind \ - docker.osgeo.org/geoserver:2.24.2 + docker.osgeo.org/geoserver:2.25.2 ``` **Note:** Do not change the target value! 
@@ -164,9 +166,19 @@ Example: ```shell docker run -it -p 80:8080 \ --mount src="/path/to/my/server.xml",target=/opt/config_overrides/server.xml,type=bind \ - docker.osgeo.org/geoserver:2.24.1 + docker.osgeo.org/geoserver:2.25.1 ``` +## How to enable HTTPS? + +To enable HTTPS, mount a JKS file to the container (ex. `/opt/keystore.jks`) and provide the following environment +variables: + +* ``HTTPS_ENABLED`` to `true` +* ``HTTPS_KEYSTORE_FILE`` (defaults to `/opt/keystore.jks`) +* ``HTTPS_KEYSTORE_PASSWORD`` (defaults to `changeit`) +* ``HTTPS_KEY_ALIAS`` (defaults to `server`) + ## How to use the docker-compose demo? The ``docker-compose-demo.yml`` to build with your own data directory and extensions. @@ -205,6 +217,8 @@ Following is the list of the all the environment variables that can be passed do | SKIP_DEMO_DATA | Indicates whether to skip the installation of demo data provided by GeoServer | `false` | | ROOT_WEBAPP_REDIRECT | Indicates whether to issue a permanent redirect to the web interface | `false` | | HEALTHCHECK_URL | URL to the resource / endpoint used for `docker` health checks | `http://localhost:8080/geoserver/web/wicket/resource/org.geoserver.web.GeoServerBasePage/img/logo.png` | +| GEOSERVER_ADMIN_USER | Admin username | | +| GEOSERVER_ADMIN_PASSWORD | Admin password | | The following values cannot really be safely changed (as they are used to download extensions and community modules as the docker image first starts up). | VAR NAME | DESCRIPTION | SAMPLE VALUE | diff --git a/RELEASE.md b/RELEASE.md index 5acf0ec..849ceb9 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -7,7 +7,7 @@ OSGeo maintains geoserver-docker.osgeo.org repository for publishing. The result Build locally: ```shell -docker build -t geoserver-docker.osgeo.org/geoserver:2.24.2 . +docker build -t geoserver-docker.osgeo.org/geoserver:2.25.2 . ``` Login using with osgeo user id: 
@@ -19,7 +19,7 @@ docker login geoserver-docker.osgeo.org Push to osgeo repository: ```shell -docker push geoserver-docker.osgeo.org/geoserver:2.24.2 +docker push geoserver-docker.osgeo.org/geoserver:2.25.2 ``` ## How to automate release? @@ -34,10 +34,10 @@ The third, optional, is used to supply the jenkins build number - triggering a n Examples: -`./release.sh build 2.24.2` +`./release.sh build 2.25.2` -`./release.sh publish 2.24.2` +`./release.sh publish 2.25.2` -`./release.sh buildandpublish 2.24.2` +`./release.sh buildandpublish 2.25.2` -`./release.sh buildandpublish 2.24-SNAPSHOT 1234` +`./release.sh buildandpublish 2.25-SNAPSHOT 1234` diff --git a/build/release.sh b/build/release.sh index 52ac2e6..1728f1f 100755 --- a/build/release.sh +++ b/build/release.sh @@ -9,7 +9,7 @@ function usage() { echo "$0 []" echo "" echo " mode : The mode. Choose one of 'build', 'publish' or 'buildandpublish'" - echo " version : The released version to build an docker image for (eg: 2.24.2, ${MAIN}-SNAPSHOT, ${MAIN}-RC)" + echo " version : The released version to build an docker image for (eg: 2.25.2, ${MAIN}-SNAPSHOT, ${MAIN}-RC)" echo " build : Build number (optional)" } diff --git a/config/server-https.xml b/config/server-https.xml new file mode 100644 index 0000000..23c84cf --- /dev/null +++ b/config/server-https.xml @@ -0,0 +1,181 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docker-compose-demo.yml b/docker-compose-demo.yml index c7cf0f8..4816c18 100644 --- a/docker-compose-demo.yml +++ b/docker-compose-demo.yml @@ -4,7 +4,7 @@ services: build: context: . args: - - GEOSERVER_VERSION=2.24.2 + - GEOSERVER_VERSION=2.25.2 - CORS_ENABLED=true - CORS_ALLOWED_METHODS=GET,POST,PUT,HEAD,OPTIONS ports: diff --git a/startup.sh b/startup.sh index 5e76d30..5eae9dd 100755 --- a/startup.sh +++ b/startup.sh 
@@ -132,6 +132,15 @@ if [ -d "${CONFIG_OVERRIDES_DIR}" ] && [ -f "${CONFIG_OVERRIDES_DIR}/web.xml" ];
 envsubst < "${CONFIG_OVERRIDES_DIR}"/web.xml > "${CATALINA_HOME}/webapps/geoserver/WEB-INF/web.xml"
 fi
 
+if [ "${HTTPS_ENABLED}" = "true" ]; then
+ if [ ! -f "${HTTPS_KEYSTORE_FILE}" ]; then
+ echo "ERROR: HTTPS was enabled but keystore file was not mounted to container [${HTTPS_KEYSTORE_FILE}]"
+ exit 1
+ fi
+ echo "Installing [${CATALINA_HOME}/conf/server.xml] with HTTPS support using substituted environment variables"
+ envsubst < "${CONFIG_DIR}"/server-https.xml > "${CATALINA_HOME}/conf/server.xml"
+fi
+
 # start the tomcat
 # CIS - Tomcat Benchmark recommendations:
 # * Turn off session facade recycling
@@ -142,4 +151,8 @@ if [ ! "${ENABLE_DEFAULT_SHUTDOWN}" = "true" ]; then
 REPLACEMENT=
 fi
 
+if [ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]; then
+ /bin/sh /opt/update_credentials.sh
+fi
+
 exec $CATALINA_HOME/bin/catalina.sh run -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
diff --git a/update_credentials.sh b/update_credentials.sh
new file mode 100644
index 0000000..2f22081
--- /dev/null
+++ b/update_credentials.sh
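Review bot: The `envsubst < "${CONFIG_DIR}"/server-https.xml > "${CATALINA_HOME}/conf/server.xml"` line substitutes every `${NAME}` token in the template, not just the three HTTPS variables this feature documents, so any other `${...}` the template carries is replaced from the container environment or blanked; restrict it with `envsubst '${HTTPS_KEYSTORE_FILE} ${HTTPS_KEYSTORE_PASSWORD} ${HTTPS_KEY_ALIAS}'`. The hunk sets no defaults for those variables, so unless the Dockerfile gives them ENV defaults (not visible here) an unset `HTTPS_KEYSTORE_PASSWORD` silently becomes an empty connector password; a guard such as `: "${HTTPS_KEYSTORE_PASSWORD:?HTTPS_ENABLED=true requires HTTPS_KEYSTORE_PASSWORD}"` next to the keystore-file check would fail fast instead. After substitution the keystore password sits in clear text in conf/server.xml, which is worth saying in a comment here (`# NOTE: the rendered server.xml contains the keystore password in clear text`) so operators do not copy the file out of the container or into a data-directory backup. The block also overwrites conf/server.xml unconditionally; if a `/opt/config_overrides/server.xml` mount is applied earlier in this script, as the README describes, the HTTPS template silently wins — that code is outside this hunk, so verify the ordering.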
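Review bot: `/bin/sh /opt/update_credentials.sh` discards the script's exit status, so when the credential rewrite fails startup still reaches `exec $CATALINA_HOME/bin/catalina.sh run` and GeoServer comes up with whatever admin credentials were already in the data directory, which an operator who set `GEOSERVER_ADMIN_PASSWORD` would not expect. It also forces the script under `/bin/sh` although the file it calls declares `#!/bin/bash`; call it as `bash /opt/update_credentials.sh || { echo "ERROR: failed to update GeoServer credentials" >&2; exit 1; }`. The `[ -n "$GEOSERVER_ADMIN_PASSWORD" ] && [ -n "$GEOSERVER_ADMIN_USER" ]` condition means setting only one of the two variables silently does nothing; an `elif` branch that echoes that both are required would save debugging time.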
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Credits to https://github.com/meggsimum/geoserver-docker/ and https://github.com/kartoza/docker-geoserver
+
+echo "Updating GeoServer Credentials ..."
+
+if [ ${DEBUG} ]; then
+ set -e
+ set -x
+fi;
+
+# copy over default security folder to data dir (if not existing)
+if [ ! -d "${GEOSERVER_DATA_DIR}security" ]; then
+ cp -r ${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security" ${GEOSERVER_DATA_DIR}
+fi
+
+GEOSERVER_ADMIN_USER=${GEOSERVER_ADMIN_USER:-admin}
+GEOSERVER_ADMIN_PASSWORD=${GEOSERVER_ADMIN_PASSWORD:-geoserver}
+
+# templates to use as base for replacement
+USERS_XML_ORIG=${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security/usergroup/default/users.xml"
+echo "USING USERS XML ORIGINAL:" $USERS_XML_ORIG
+ROLES_XML_ORIG=${CATALINA_HOME}"/webapps/"$APP_PATH_PREFIX"geoserver/data/security/role/default/roles.xml"
+echo "USING ROLES XML ORIGINAL:" $ROLES_XML_ORIG
+
+# final users.xml file GeoServer data dir
+USERS_XML=${USERS_XML:-${GEOSERVER_DATA_DIR}security/usergroup/default/users.xml}
+echo "SETTING USERS XML:" $USERS_XML
+# final roles.xml file GeoServer data dir
+ROLES_XML=${ROLES_XML:-${GEOSERVER_DATA_DIR}security/role/default/roles.xml}
+echo "SETTING ROLES XML:" . $ROLES_XML
+
+CLASSPATH=$CATALINA_HOME/webapps/$APP_PATH_PREFIX"geoserver/WEB-INF/lib/"
+
+# tmp files
+TMP_USERS=/tmp/users.xml
+TMP_ROLES=/tmp/roles.xml
+
+make_hash(){
+ NEW_PASSWORD=$1
+ (echo "digest1:" && java -classpath $(find $CLASSPATH -regex ".*jasypt-[0-9]\.[0-9]\.[0-9].*jar") org.jasypt.intf.cli.JasyptStringDigestCLI digest.sh algorithm=SHA-256 saltSizeBytes=16 iterations=100000 input="$NEW_PASSWORD" verbose=0) | tr -d '\n'
+}
+
+# create PW hash for given password
+PWD_HASH=$(make_hash $GEOSERVER_ADMIN_PASSWORD)
+
+# USERS.XML SETUP
+#
+cat $USERS_XML_ORIG | sed -e "s/ name=\".*\" / name=\"${GEOSERVER_ADMIN_USER}\" /" | sed -e "s|password=\".*\"/|password=\"${PWD_HASH}\"\/|" > $TMP_USERS
+if [ $? -eq 0 ]
+then
+ mv $TMP_USERS $USERS_XML
+ echo "Successfully replaced $USERS_XML"
+else
+ echo "CAUTION: Abort update_credentials.sh due to error while creating users.xml. File at $USERS_XML keeps untouched"
+ exit
+fi
+
+# ROLES.XML SETUP
+#
+cat $ROLES_XML_ORIG | sed -e "s/ username=\".*\"/ username=\"${GEOSERVER_ADMIN_USER}\"/" > $TMP_ROLES
+if [ $? -eq 0 ]
+then
+ mv $TMP_ROLES $ROLES_XML
+ echo "Successfully replaced $ROLES_XML"
+else
+ echo "CAUTION: Abort update_credentials.sh due to error while creating roles.xml. File at $ROLES_XML keeps untouched"
+ exit
+fi
+
+echo "... DONE updating GeoServer Credentials ..."
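Review bot: The `if [ $? -eq 0 ]` after `cat $USERS_XML_ORIG | sed ... | sed ... > $TMP_USERS` tests only the last sed, so if the template is missing or unreadable `cat` fails, sed emits nothing, the check passes and `mv $TMP_USERS $USERS_XML` replaces the data directory's users.xml with an empty file; the same applies to the roles.xml pipeline. Add `set -o pipefail` near the top (the script is bash, even though startup.sh currently runs it with `/bin/sh`) or test `[ -s "$TMP_USERS" ]` before each `mv`, and change both error branches from bare `exit` to `exit 1` — as written the status returned is that of the preceding `echo`, i.e. success, so a caller cannot detect the abort. The admin password is handed to the jasypt CLI as an argv token (`input="$NEW_PASSWORD"`), readable from `ps` or `/proc/<pid>/cmdline` by any process in the container for the lifetime of that JVM, and `set -x` under `DEBUG` prints it to the container log; I cannot tell from here whether the CLI accepts the value on stdin, but the `DEBUG` block should carry `# WARNING: set -x traces the admin password into the log`. `$GEOSERVER_ADMIN_USER` is spliced unescaped into both sed patterns, so a username containing `/`, `&` or `\` corrupts the generated XML, and `/tmp/users.xml` / `/tmp/roles.xml` are fixed paths where `mktemp` would be the safer habit.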