Release notes for Magnolia CMS 6.2.1
Magnolia CMS 6.2.1 is a bug-fixing and security release that also delivers the following improvements:
REST Client module refactored
A number of optimizations have been implemented in the
REST Client module
that improve the behavior of
the API, the
getWebTarget() method has been deprecated and the
following methods have been introduced:
register(name, component): allows registering a custom component on demand, such as response/request filters.
unregister(name): allows unregistering a custom component.
isClose(): allows checking whether a client is available for use.
close(): allows closing a client after its use. Note that if a client is retrieved from
RestClientFactory#createClientIfAbsent(), there is no need to close it manually.
REST-based $type aliases renamed
Framework REST Extensions module, the $type aliases for the fields that
handle offline data sources have been renamed to
Handling of missing
A warning is logged whenever a REST API does not return a
header. The REST Client
module comes with a new
responseContentType property that allows you
to set the header in case it is missing in a response.
Using custom query parameters in REST calls
Additional custom query parameters can be passed to and issued with a REST call without the need to configure the parameters in a YAML definition file.
Improvements in 6 UI framework
Additional complex field transformers ported to 6 UI framework
Two 5 UI complex field transformers have been ported to the Magnolia 6
MultiValueSubChildrenNodePropertiesTransformer. In the 6 UI, they are
both handled by
supportI18N property in
supportI18N property has only been introduced to support reading compatibility data from Magnolia 5 UI.
false is necessary in certain compatibility configurations (for example, when porting configurations
that use Magnolia 5 UI multi field transformers).
The property is otherwise scheduled for deprecation in a future release.
When you set the
supportI18N property of
all localized nodes of a field that uses
jcrChildNodeProvider will have a
single field entry that nests different localized child nodes.
root └── nodes ├── item1_de ├── item2_de ├── item1_fr └── item2_fr
When you do not change the default
true value of
supportI18N, each localized node of a field that
jcrChildNodeProvider will have its own field entry that nests respective localized child nodes.
root ├── nodes_de │ ├── item1_de │ └── item2_de └── nodes_fr ├── item1_fr └── item2_fr
Updates in Blossom module
We have fixed an issue in the Blossom module and adapted the module for use in Magnolia 6.2 and beyond. For more details, see our Blossom module release notes.
Content API removed from Solr module
In the Solr Search Provider
module, we have removed dependencies on the old
Content API that
prevented Magnolia from starting when the module was included in a
Third-party library updates
This release comes with third-party library updates to fix some security and compatibility issues as well as improve performance. The following are the most notable updates:
Hibernate Validator updated to 6.1.4.Final (BLOSSOM-264).
log4j-bom updated to 2.13.2 (BUILD-387).
Tika updated to 1.24.1 (BUILD-389).
We keep the details of security-related fixes private in line with our security policy. Contact our Support team if you need more information.
Notable bug fixes
In the Cache module,
CacheResponseWrapperdid not retrieve
In the Publishing module, nodes appeared in the wrong order after publishing a single page (PUBLISHING-79).
This fix, coming with version 1.2.1 of the Publishing module, reverts part of a previous commit that addressed the issue. It is therefore highly probable that there is no node order issue in version 1.2 of the module either, which you may keep using in Magnolia 6.2.1.
On the author instance, editors can move nodes to change the order in which they are stored in JCR. Since Magnolia does not track node order history, it is impossible to keep the same order of nodes on the public instance if you publish just one node that has been moved on the author instance. To make sure that the orders of nodes on both instances are aligned, always publish the parent node of any nodes you moved.
In the Magnolia Templating Essentials (MTE) module, images could not be displayed due to
In the Segments and Personas apps of the Personalization module and in the Pages app, column filtering was not available (MGNLUI-5671).
In the UI module:
LinkFieldDefinitiondid not extend
ComboBoxFieldDefinitionand could not use its properties (MGNLUI-5798).
Toolbar icons for some configuration properties such as alignment, color and fonts were not displayed in the rich text field. With this fix,
ckeditor.jshas been updated from version 4.13.0 to 4.14.0 (MGNLUI-4072).
Additional security improvements
Stateless protection against login CSRF attack
A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.
When requesting a Magnolia login page before a session is created after
authentication, a CSRF token is temporarily kept in a cookie in the
client browser. That token is generated with each
GET request before
login. When the login form is submitted to the server with a
request, the cookie token is matched against the value coming from the
To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.
MAGNOLIA-7660 (restricted access)
The improvements in this release generated a few API incompatibilities. For details, see the following links:
If you are upgrading from an earlier version, read the Upgrading to Magnolia 6.2.x page first and check the Known issues page.
Virtual URI mappings not working if too many are configured
To mitigate an issue caused by having more than 500 configured virtual
URI mappings in light modules, a WARN-level message is now logged when a
DirectoryWatcher overflow occurs
also recommend to keep the number of files in a single folder below 100
and to use folder hierarchies whenever possible. For the upcoming fix,
See the 6.2.1 changelog for all the changes.
Advance Cache 2.3.1
Community Edition 6.2.1
Content Dependencies 2.0.1
Content Tags 2.0.1
DX Core 6.2.1
Image Recognition 1.2.1
LDAP Connector 1.10.3
Password Manager 1.2.4
REST Client 2.0.1
REST Client UI 1.0.1
Solr Search Provider 5.2.3
Templating Essentials 1.5
Text Classification 1.1.1
Third-party library BOM 6.2.1
Usage Metrics 1.1.1
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Oliver Böhrs, Tytgat Christian, Kathrin Kaufleitner, Marvin Kerkhoff, Alex Plouff and Diana Racho.