Page tree
Skip to end of metadata
Go to start of metadata

Magnolia 5.4.5 delivers a number of key fixes and enhancements. It is an important and recommended update for all Magnolia 5.4.x users as it fixes a cross-site scripting (XSS) vulnerability. 

What has changed?

  • The Content-Type header is no longer set by ContentTypeFilter. The MIME type was previously incorrectly set according to the request extension. It is now the responsibility of renderers/servlets, for example FreemarkerRenderer and JspRenderer, to set the correct content type. [MAGNOLIA-6478]
  • ResponseContentTypeVoter is deprecated and replaced by RequestExtensionVoter to better reflect its function. The content type is still resolved only from the extension of the request.  [MAGNOLIA-6480]

  • Reloading of resources on the classpath while developing with an IDE such as IntelliJ or Eclipse has been improved and works fine now. See Classpath resources in development mode. [MAGNOLIA-6523]

  • The optional dam-preview module now uses Apache PDFBox instead of Pdf-renderer to render PDFpreviews. [MGNLDAM-559]
  • The option group field OptionGroupFieldDefinition now supports a layout property for radio buttons. Layout can be horizontal or vertical. Default is vertical. [MGNLUI-3770]
  • Changes to Groovy model classes defined on the JCR are now picked up properly. [MGNLGROOVY-68]
  • The Content translation support module now automatically detects the correct file format while importing. The XLIFF importer implementation was changed to UnzippedXliffTranslationBundleUpdateReader which only parses .xlf files.
    The old XliffTranslationBundleUpdateReader class is deprecated. The importer for a file is chosen automatically by comparing the extension property set for importer with the file extension. [MGNLCTS-77]
  • In the CAS Connector module the casServiceURL property can now be used in the casLougoutUR property and it will be resolved correctly. For example, when setting casServiceURL= http://localhost:8080/magnoliaAuthor  and casLogoutURL= https://localhost:8443/cas/logout?url=${casServiceURL }, the resolved logout URL will be  https://localhost:8443/cas/logout?url=http://localhost:8080/magnoliaAuthor .  [MGNLCAS-16]  

  • Implementing a site aware renderer for custom renderers is no longer necessary. You can now use info.magnolia.module.site.renderer.SiteAwareRendererWrapper with the name of the custom renderer set in the wrappedRendererType property. Site aware renderers for FreeMarker (site) and JSP (site-jsp) are included in the Site module. See Making your renderer site aware

  • i18n key generating for template definitions has been improved. There is no longer a need to use i18nBasename, title and description properties in template definitions. Keys for title and description are auto generated. For example, for a template with ID: moduleName:templates/pages/pageName, keys with the templates.pages.pageName, moduleName.templates.pages.pageName pattern are generated: . [MAGNOLIA-6488]

  • The list of excluded resource directories set in FileSystemResourceOrigin can now be configured with the magnolia property: magnolia.resources.filesystem.observation.excludedDirectories.
    By default, the magnolia property is not set and the following folders are excluded: META-INFWEB-INF, cache, docroot, logs, repositories, tmp. [MAGNOLIA-6434]

  • New template scripts added to the classpath are now recognized and loaded properly. (This requires development mode to be set in Magnolia properties). [MAGNOLIA-6338]
  • The MTK module has a new basic page template and an image component. [MTE-48MTE-49]

  • New Virtual URI mapping folders are now loaded without system restart. You can create the folders by hand or import them with JCR XML. Virtual URI mappings inside in the folder are available immediately. [MAGNOLIA-4090]

  • Improvement on content app views: When adding a new item within a view (list, tree or thumbnail) the new added item remains selected and visible. [MGNLUI-2919]
  • Page editor now provides the ability to duplicate an existing component within the same area. When selecting an existing component, a new action "Duplicate component" appears. [PAGES-49]
  • In page editor, when adding a component to an area with only one available, you do not have to choose anymore, instead you get to the dialog of the component directly. [PAGES-58]

 

An aggregated change log for 5.4.5 contains all the changes.

This release is a recommended update for all users of Magnolia 5.

Updated modules

This release includes the following new module versions:

  • Activation 5.4.3
  • Admininterface Legacy 5.3.1
  • CAS 1.3
  • Categorization 2.4.2
  • Community Edition 5.4.5
  • Content Translation Support 2.1.3
  • DAM 2.1.4
  • Demo 0.10
  • Form 2.3.4
  • Google Sitemap Module 2.3.3
  • Groovy 2.4.3
  • Imaging 3.2.5
  • Magnolia 5.4.5
  • Magnolia Templating Essentials 0.9
  • Multisite 1.2.3
  • Pages 5.4.4
  • Personalization 1.2.4
  • Public User Registration 2.5.2
  • Resources 2.4.4
  • Site 1.0.5
  • SiteMesh 1.0.2
  • Task Management 1.1.1
  • UI 5.4.5

The Magnolia team would also like to thank everyone who reported issues, contributed patches, or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to:  Michel Chamberland, Hans Ardon, Nils Breunese, Jordie Diepeveen, Robert Foggia, Soisik Froger, Fabrizio Giustina, Vincent Gombert, Charles Jones, Grégory Joseph, Marvin Kerkhoff, Haaris Mohammed, Luis Moreno, Radu Toader, Richard Unger, Bence Vass, Edgar Vonk, Tom Wespi and Nickolaus Wing.

How to update from earlier versions

Changes from 5.4.x 

magnolia.properties file

Add the following lines:

magnolia.resources.dir = ${magnolia.home}
magnolia.resources.classpath.observation.pattern=.*\\.(ftl|yaml)$

Important changes for Magnolia 5.2 and 5.3 users

If you had STK installed

If you continue to work with STK, use the new magnolia-enterprise-pro-stk-bundle as a basis for your project. It includes Enterprise Pro, STK and the old demo project. You get all STK functionality out of the box. Exclude the demo-project if it's in your way.

Jackrabbit configuration

In order to enable getting an HTML excerpt in a query result, you should update the configuration files of your Jackrabbit instances. Add the two <param/> directives within your <SearchIndex> block.

<SearchIndex>
  <!-- more params here -->

  <!-- needed to highlight the searched term -->
  <param name="supportHighlighting" value="true"/>
  <!-- custom provider for getting an HTML excerpt in a query result with rep:excerpt() -->
  <param name="excerptProviderClass" value="info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt"/>
</SearchIndex>

log4j.xml addition

Add the log configuration for org.reflections

...
 <category name="org.apache.jackrabbit">
    <priority value="WARN" />
  </category>
 <!-- Reflections library spoils logs with hundreds of harmless warnings; tries to look into native libs but none of its DefaultUrlTypes can handle them. -->
  <category name="org.reflections">
    <priority value="ERROR" />
  </category>
  <category name="com">
    <priority value="WARN" />
  </category>
...

How to update from Magnolia 5.2 and earlier

To update your project, follow the standard update procedure, then make the following changes:

  1. Update your content apps with the content app upgrade task. It automatically takes care of the following:
    • Using the content connector.

    • Updating configuration of availability rules and default rule classes

    • Updating selected action definitions with node-type based availability

  2. If you used the DAM: 
    • Replace DamManager with AssetProviderRegistry.
    • See DAM and the STK and DAM templating on how to use assets in your templates.
    • The DAM changes have no impact on the STK. There is no need to modify Freemarker scripts because the new DAM API is abstracted from STK.
  3. If you have a custom jBPM workflow:
    • In the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#completeWorkItem method, checking for present parameters is obsolete and refers to publication related workitems. The method is no longer used for completing a workitem in the new human task context. It is still valid in the context of completing service tasks, however.
    • Stop using the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#getWorkItem method. It was used to complete a work item for human tasks. Furthermore, the wrapper we initialize only holds the mgnlData map.

    • The previously hardcoded mgnlData parameter is now configurable in /modules/workflow/commands/workflow/activate/activate/parameterMapName.

  4. If you have custom widgets or Vaadin add-ons:
    • Magnolia's default widgetset was relocated to info.magnolia.widgetset.MagnoliaWidgetSet.
    • Update your webapps's magnolia.properties file.
    • Otherwise Magnolia will automatically fall back to the new widgetset but will issue warnings during upgrade, and whenever a user logs in to Magnolia.

How to update from Magnolia 4.5 and earlier

Are you running on Magnolia 4.5 or earlier? It’s time to move to 5. Contact us for migration support and look at the migration process.

Known issues

Allocate more JVM memory

Magnolia 5.4.2 ee-bundle may require you to allocate more memory the Java Virtual Machine (JVM). If you see a java.lang.OutOfMemoryError in the startup log or the system stops responding during installation, increase the Java heap size. The default maximum heap size is 512M. Try a higher amount such as 1024M. We are working on uncovering the root cause for the increased memory need.

See: Java out of memory

Processed Resources app conflict

If you upgrade to Magnolia 5.4.5 from 5.4.2 or earlier then you will experience UUID conflict if you try to also install the new Processed Resources app during the upgrade.

java.lang.RuntimeException: Error importing config.modules.processed-resources-app.dialogs: a node with uuid a53f308a-0d6a-4bb9-a5f8-6f11ff68504d already exists!

To workaround this issue complete the upgrade before installing the Processed Resources app.