Release notes for Magnolia CMS 6.2.1
Magnolia CMS 6.2.1 is a bug-fixing and security release that also delivers the following improvements:
A number of optimizations have been implemented in the
REST Client module
that improve the behavior of
the API, the
getWebTarget() method has been deprecated and the
following methods have been introduced:
register(name, component): allows registering a custom component on demand, such as response/request filters.
unregister(name): allows unregistering a custom component.
isClose(): allows checking whether a client is available for use.
close(): allows closing a client after its use. Note that if a client is retrieved from
RestClientFactory#createClientIfAbsent(), there is no need to close it manually.
Framework REST Extensions module, the $type aliases for the fields that
handle offline data sources have been renamed to
A warning is logged whenever a REST API does not return a
header. The REST Client
module comes with a new
responseContentType property that allows you
to set the header in case it is missing in a response.
Additional custom query parameters can be passed to and issued with a REST call without the need to configure the parameters in a YAML definition file.
Two 5 UI complex field transformers have been ported to the Magnolia 6
MultiValueSubChildrenNodePropertiesTransformer. In the 6 UI, they are
both handled by
supportI18N property has only been introduced to support reading compatibility data from Magnolia 5 UI.
false is necessary in certain compatibility configurations (for example, when porting configurations
that use Magnolia 5 UI multi field transformers).
The property is otherwise scheduled for deprecation in a future release.
When you set the
supportI18N property of
all localized nodes of a field that uses
jcrChildNodeProvider will have a
single field entry that nests different localized child nodes.
root └── nodes ├── item1_de ├── item2_de ├── item1_fr └── item2_fr
When you do not change the default
true value of
supportI18N, each localized node of a field that
jcrChildNodeProvider will have its own field entry that nests respective localized child nodes.
root ├── nodes_de │ ├── item1_de │ └── item2_de └── nodes_fr ├── item1_fr └── item2_fr
This release comes with third-party library updates to fix some security and compatibility issues as well as improve performance. The following are the most notable updates:
This fix, coming with version 1.2.1 of the Publishing module, reverts part of a previous commit that addressed the issue. It is therefore highly probable that there is no node order issue in version 1.2 of the module either, which you may keep using in Magnolia 6.2.1.
On the author instance, editors can move nodes to change the order in
which they are stored in JCR. Since Magnolia does not track node order
history, it is impossible to keep the same order of nodes on the public
instance if you publish just one node that has been moved on the author
instance. To make sure that the orders of nodes on both instances are
aligned, always publish the parent node of any nodes you moved.
* In the Magnolia Templating
Essentials (MTE) module, images could not be displayed due to
* In the Segments and Personas apps of the
module and in the Pages app, column
filtering was not available.
* In the UI module:
LinkFieldDefinition did not extend
could not use its properties.
Toolbar icons for some configuration properties such as alignment,
color and fonts were not displayed in the
text field. With this fix,
ckeditor.js has been updated from version
4.13.0 to 4.14.0.
A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.
When requesting a Magnolia login page before a session is created after
authentication, a CSRF token is temporarily kept in a cookie in the
client browser. That token is generated with each
GET request before
login. When the login form is submitted to the server with a
request, the cookie token is matched against the value coming from the
To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.
MAGNOLIA-7660 (restricted access)
The improvements in this release generated a few API incompatibilities. For details, see the following links:
To mitigate an issue caused by having more than 500 configured virtual
URI mappings in light modules, a WARN-level message is now logged when a
DirectoryWatcher overflow occurs
also recommend to keep the number of files in a single folder below 100
and to use folder hierarchies whenever possible. For the upcoming fix,
See the 6.2.1 changelog for all the changes.
Advance Cache 2.3.1
Community Edition 6.2.1
Content Dependencies 2.0.1
Content Tags 2.0.1
DX Core 6.2.1
Image Recognition 1.2.1
LDAP Connector 1.10.3
Password Manager 1.2.4
REST Client 2.0.1
REST Client UI 1.0.1
Solr Search Provider 5.2.3
Templating Essentials 1.5
Text Classification 1.1.1
Third-party library BOM 6.2.1
Usage Metrics 1.1.1
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Oliver Böhrs, Tytgat Christian, Kathrin Kaufleitner, Marvin Kerkhoff, Alex Plouff and Diana Racho.