Release notes for Magnolia CMS 6.2.4
LTS release • Delivered on November 12, 2020 • Changelog: 11519
Magnolia CMS 6.2.4 brings a number of improvements, bug fixes and security updates.
Improvements
Support for OPTIONS method for CORS preflight requests
In this release, Magnolia brings two new filter implementations that handle CORS preflight requests:
-
info.magnolia.module.site.filters.SiteAwareCorsFilter
-
info.magnolia.cors.SelfConfiguredCorsFilter
When an OPTIONS HTTP request is received, Magnolia responds with headers that describe delivery capabilities based on the URI of the request and on active security and site configurations.
Developers can now configure CORS headers to be returned for such requests via either a site configuration or a configuration on the CORS filter.
Example configuration for a site called foo
:
/modules/multisite/config/sites/foo/cors.yaml
rest:
allowedHeaders:
- '*'
allowedMethods:
- GET
- POST
- OPTIONS
allowedOrigins:
- https://magnolia-cms.com
- https://example.com
uris:
rest:
patternString: /.rest/*
Same configuration on the CORS filter:
Resolver of asset links in rich text fields
When configuring a Magnolia v2 delivery endpoint, you can use a reference resolver for asset links in rich text fields. The resolver converts UUID-based asset links to links with an absolute or relative URL. For the resolver properties, see Resolving asset links in rich text fields.
Example fragment of a REST response with the word Kyoto
functioning
as a link to an asset called kyoto.jpg
and with the UUID
0a3bb34f-b49f-4e02-a9e9-e46cf860b612
:
<p>Experience the still beauty that permeates and surrounds <a href=\"${link:{uuid:{0a3bb34f-b49f-4e02-a9e9-e46cf860b612},repository:{dam},path:{/untitled}}}\">Kyoto</a>.</p>
A fragment showing the converted link:
<p>Experience the still beauty that permeates and surrounds <a href=\"http://localhost:8080/magnoliaAuthor/fallback/dam/jcr:0a3bb34f-b49f-4e02-a9e9-e46cf860b612/kyoto.jpg\">Kyoto</a>.</p>
Asset names numbered on duplication
If you duplicate an asset, a number will be appended to its name (left). Previously, with no such number, it was difficult to tell the original and the duplicate apart (right).
Timeout for locking mechanism
There is now a five-minute timeout for the locking mechanism to mitigate an issue where nodes are locked even after publishing. For more details about this issue, see EEPUBLISH-28.
In addition, logging of publishing operations on the Receiver has been moved from the TRACE level to the DEBUG level.
Improved observation mechanism
When a new version of a content node is created in one workspace, the
improved Magnolia observation mechanism (info.magnolia.observation.*
)
makes sure that Magnolia does not react unnecessarily to any event that
creates a node in /jcr:system
.
Better user experience in tree view
To improve column filtering in the tree view, the following has been implemented:
-
When at least one column filter is active, the tree view uses a flat structure. This is similar to the Magnolia 5 UI search view, but now the views are not switched.
-
When all column filters are empty, the tree view reverts to the default structure.
New API to configure default values in form fields
Default values must be applied to form fields explicitly. To facilitate
this, the EditorView#applyDefaults()
API has been introduced.
A select field that uses an option list can now specify an option (string) as a default value, while a JCR select field can specify a UUID or path.
Deprecated upload field
As of this release, both UploadFieldDefinition and UploadViewDefinition are deprecated. In addition, DamUploadFieldDefinition is no longer annotated as a field type.
Do not use
|
New password field for Magnolia 6 UI
PasswordFieldDefinition
renders a
text
field that masks input values when used only with custom actions. Note
that passwords can be revealed in plain text when the field is used in
dialogs with a standard commit
action.
For more information, see Password field.
jcrChildNodeProvider
used by default with JCR multi field
jcrChildNodeProvider
is now the
item
provider used by default in
info.magnolia.ui.field.JcrMultiFieldDefinition.
New availability rule to check depth of JCR item
The jcrDepthRule
action availability type returns true
if the item
is within the specified depth range.
Clear node name behavior in content type apps
To avoid any confusion between the name
and jcrName
properties:
-
Apps generated from content types use
name
instead ofjcrName
. -
The JCR Browser app shows only real node names regardless of whether
jcrName
is configured.
Library updates
This release comes with third-party library updates to fix some security and compatibility issues as well as improve performance. The following are the most notable updates:
-
HttpClient updated to 4.5.13 (BUILD-411).
-
RESTEasy and Jackson updated to 4.5.8.Final and 2.11.1 respectively (BUILD-403).
-
SmallRye updated to 1.6.2 (BUILD-409).
-
Tomcat updated to 9.0.39 (MGNLTOMCAT-17).
We keep the details of security-related fixes private in line with our security policy. Contact our Support team if you need more information.
Notable bug fixes
The following issues have been resolved where:
-
In the Byte Buddy library,
ByteBuddyMutableWrapperHelper
did not properly cache the generated proxy classes (MAGNOLIA-7893). -
In the Content Translation Support module, exporting translation files failed when dialogs were defined using Magnolia 6 UI (MGNLCTS-116).
-
In the link field (MGNLUI-6126):
-
The chooser dialog failed to open after reconfiguring a field with existing content.
-
An empty field was rendered after deleting the stored reference.
-
To solve performance issues when exporting large files, the
prettyPrint
property in
JcrExportCommand is
now disabled by default in Java 11+
(MAGNOLIA-7890).
As part of a security fix, HtmlColumnRenderer
now supports only the
class
, title
, style
and target
attributes
(MGNLUI-6380,
restricted access).
Security advisory
We have fixed several security issues (including vulnerabilities to deserialization, SSRF and XSS attacks) with this release. We keep the details of those fixes private in line with our security policy. Contact our Support team if you need more information.
MAGNOLIA-7914, MAGNOLIA-7915, MAGNOLIA-7933, MGNLCTS-120, MGNLCTS-121, MGNLPUR-197, MGNLUI-6380 (restricted access)
Others
WebSphere, WildFly/EAP and WebLogic application servers in maintenance mode
As of this release, the compatibility modules for the following application servers are in maintenance mode:
-
IBM WebSphere and WebSphere Liberty
-
JBoss WildFly and EAP
-
Oracle WebLogic
We provide support for these servers, but we do not proactively test them for future releases. In line with this change, we no longer provide the associated webapps:
-
magnolia-dx-core-websphere-webapp
-
magnolia-dx-core-wildfly-webapp
-
magnolia-dx-core-weblogic-webapp
All information about deploying Magnolia to these servers has been moved to the Deploying Magnolia as WAR file page of our Community Wiki.
Known issues
If you are upgrading from an earlier version, read the Upgrading to Magnolia 6.2.x page first and check the Known issues page.
Updated modules
-
Advanced Cache 2.3.2
-
Barebones Tomcat Bundle 1.2.3
-
Blossom 3.4.4
-
Cache 5.9.2
-
Community Edition 6.2.4
-
Content Editor 1.3.4
-
Content Tags 2.0.2
-
Content Translation Support 2.5
-
Content Types 1.2
-
DAM 3.0.4
-
Demo Projects 1.5.1
-
DX Core 6.2.4
-
Form 2.7.1
-
Icons 24
-
Language Bundles 1.1.2
-
License 1.7.2
-
Magnolia 6.2.4
-
Pages 6.2.4
-
Personalization 2.0.4
-
Public User Registration 2.7.5
-
Publishing 1.2.3
-
Resources 3.0.2
-
REST Framework 2.2.4
-
Scheduler 2.3.5
-
Site 1.4
-
Soft Locking 3.0.1
-
Solr Search Provider 5.5.1
-
Third-party library BOM 6.2.4
-
UI 6.2.4
-
Vaadin Compatibility Addons 1.3.6
Acknowledgements
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Matei "Mal" Badanoiu, Christopher Chard, Christoph Damm, Joerg von Frantzius, Alexander Hems, Marian-Razvan Ilisanu, Matthias Jakob, Philip Müller, Alex S. Plouff, Julius Rabe, Tom Wespi and Siegfried Zach.