Magnolia 5.4 reached end of life on November 15, 2018. This branch is no longer supported, see End-of-life policy.

Page tree
Skip to end of metadata
Go to start of metadata

Magnolia 5.4.12 fixes a cross-site scripting (XSS) vulnerability and delivers the following changes and improvements:

Changes for authors

Personalize pages and components at the same time

Page and component personalization are no longer mutually exclusive. You can now personalize a page and its components at the same time to create detailed personalization scenarios. The feature is disabled by default but you can enable it in personalization-components module configuration. Component personalization is an EE Pro feature.


Visitor trait values are simplified

Values in the Visitor trait are now simplified: NewReturning or Logged in. Previously this trait allowed a combination of multiple values through checkboxes which lead to confusion about the actual status of the visitor. The trait now allows only values that are mutually exclusive via a radio button.

Also, we replaced the Registered visitor value with Returning visitor. Targeting a returning user is very common use case, much more common than a registered user who has not yet logged in. With this change we hope the visitor trait matches typical personalization scenarios better out of the box. You can add the old Registered option (radio button) back in the UI with configuration if you rely on this value. The underlying functionality still exists to process the option.

Old values (error)New values (tick)


A new maxAge property specifies how long a visitor is considered new before being assigned the status of a returning visitor.  You can set the property in /server/filters/visitor/visitorCookies/new/maxAge. The default value is 86400 seconds (24 hours).


Change template in a personalized component variant

It is now easy to change the template in a component variant. This allows you to show a text component to one audience, an image to another audience or a video to a third audience. Select the component variant and change its template to one you think works best for the target audience. A video may work best for visitors who have previously watched videos, for example.


Component variant icon displayed

Magnolia now displays the variant icon on any page variants that contain further component variants in the Pages app. This makes it easier to see where both levels of personalization are used.


Changes for developers

Translation exports can include composite fields

You can configure the Content Translation Support module to include s ubfields of a  composite field  in a translation export file.

Subfields are included if:

  • info.magnolia.ui.form.field.definition.CompositeFieldDefinition is registered as a control type to export.
  • The subfields have an i18n property set to true

See Registering additional field types for more.


Fixed an exception thrown after downloading a translation file

The PathNotFound exception bound to the downloadTranslationFile command in the Content Translation Support module no longer shows up after downloading a translation file. The correct path is specified by the formPath property of the new contentTransporter node in the module.


Node type change for personalization component variants

The parent node type of component variant nodes was changed from mgnl:variants to mgnl:componentVariants. This change fixes a bug where re-publishing the original page deleted all variants from public instances. 

An update task migrates content in your website workspace automatically. You must update any existing bootstrap files yourself to be able to publish component variants.

To see an example in the demo, look at the node /travel/main/0/variants in the JCR browser.


Security-related and other changes

  • Fixed a cross-site scripting (XSS) vulnerability.
  • Restored page editing capabilities and elements of the UI on hybrid devices running Firefox 52/Chrome 57.  PAGES-129
  • The MVCServlet and related classes were moved to a separate module and unusable legacy apps removed from the App launcher. You can re-enable legacy apps in a secure environment by:
    1. Installing info.magnolia:magnolia-core-compatibility:5.5.4.
    2. Setting the given servlet's enabled property to true , e.g. /server/filters/servlets/PageServlet .
    3. Adding them back to the App launcher.
  • Users are warned when deleting a node with modified children. MGNLUI-3242

This release also comes with a number of bug fixes and several security improvements. It is an important and recommended update for all Magnolia 5.4.x users.

An aggregated changelog for 5.4.12 contains all the changes.

Updated modules

This release includes the following new module versions:

  • Activation 5.4.6

  • Admininterface Legacy 5.3.4

  • Community Edition 5.4.12
  • Contacts 1.4.3
  • Content Dependencies 1.6.4
  • Content Translation Support 2.1.8
  • DAM 2.1.9
  • Demo Projects 1.0.1
  • Enterprise Edition 5.4.12
  • Language Bundles 1.0.10
  • Magnolia 5.4.12
  • Pages 5.4.11
  • Personalization 1.3.3
  • UI 5.4.12
  • Workflow 5.5.4

How to update from earlier versions

Change for 5.4.x

The following change only applies to users running Magnolia 5.4 (major release) and maintenance releases 5.4.1 to 5.4.3. file

Add the following lines:

magnolia.resources.dir = ${magnolia.home}

Important changes for Magnolia 5.2 and 5.3 users

If you had STK installed

If you continue to work with STK, use the new magnolia-enterprise-pro-stk-bundle as a basis for your project. It includes Enterprise Pro, STK and the old demo project. You get all STK functionality out of the box. Exclude the demo-project if it's in your way.

Jackrabbit configuration

In order to enable getting an HTML excerpt in a query result, you should update the configuration files of your Jackrabbit instances. Add the two <param/> directives within your <SearchIndex> block.

  <!-- more params here -->

  <!-- needed to highlight the searched term -->
  <param name="supportHighlighting" value="true"/>
  <!-- custom provider for getting an HTML excerpt in a query result with rep:excerpt() -->
  <param name="excerptProviderClass" value="info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt"/>

log4j.xml addition

Add the log configuration for org.reflections

 <category name="org.apache.jackrabbit">
    <priority value="WARN" />
 <!-- Reflections library spoils logs with hundreds of harmless warnings; tries to look into native libs but none of its DefaultUrlTypes can handle them. -->
  <category name="org.reflections">
    <priority value="ERROR" />
  <category name="com">
    <priority value="WARN" />

How to update from Magnolia 5.2 and earlier

To update your project, follow the standard update procedure, then make the following changes:

  1. Update your content apps with the content app upgrade task. It automatically takes care of the following:
    • Using the content connector.

    • Updating configuration of availability rules and default rule classes

    • Updating selected action definitions with node-type based availability

  2. If you used the DAM: 
    • Replace DamManager with AssetProviderRegistry.
    • See DAM and the STK and DAM templating on how to use assets in your templates.
    • The DAM changes have no impact on the STK. There is no need to modify Freemarker scripts because the new DAM API is abstracted from STK.
  3. If you have a custom jBPM workflow:
    • In the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#completeWorkItem method, checking for present parameters is obsolete and refers to publication related workitems. The method is no longer used for completing a workitem in the new human task context. It is still valid in the context of completing service tasks, however.
    • Stop using the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#getWorkItem method. It was used to complete a work item for human tasks. Furthermore, the wrapper we initialize only holds the mgnlData map.

    • The previously hardcoded mgnlData parameter is now configurable in /modules/workflow/commands/workflow/activate/activate/parameterMapName.

  4. If you have custom widgets or Vaadin add-ons:
    • Magnolia's default widgetset was relocated to info.magnolia.widgetset.MagnoliaWidgetSet.
    • Update your webapps's file.
    • Otherwise Magnolia will automatically fall back to the new widgetset but will issue warnings during upgrade, and whenever a user logs in to Magnolia.

How to update from Magnolia 4.5 and earlier

Are you running on Magnolia 4.5 or earlier? It’s time to move to 5. Contact us for migration support and look at the migration process.

Known issues

Allocate more JVM memory

Magnolia 5.4.12 ee-bundle may require you to allocate more memory to the Java Virtual Machine (JVM). If you see a java.lang.OutOfMemoryError in the startup log or the system stops responding during installation, increase the Java heap size. The default maximum heap size is 512M. Try a higher value such as 1024M. We are working on uncovering the root cause for the increased memory need.

See: Java out of memory

Processed Resources app conflict

If you upgrade to Magnolia 5.4.12 from 5.4.2 or earlier then you will experience UUID conflict if you try to also install the new Processed Resources app during the upgrade.

java.lang.RuntimeException: Error importing config.modules.processed-resources-app.dialogs: a node with uuid a53f308a-0d6a-4bb9-a5f8-6f11ff68504d already exists!

To work around this issue complete the upgrade before installing the Processed Resources app.


The Magnolia team would also like to thank everyone who reported issues, contributed patches, or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to: Nils Breunese, Marcus Büttner, Andrea Castelli, Marcus Käppi, Karsten Martin, Tobias Mattsson, Federico Navarro, Sathyaprakash Rao, Frank Sommer, Vivian Steller, Richard Unger, Nickolaus Wing and Fadi Wissa.

  • No labels

1 Comment

  1. Hi, I would like to upgrade a production site running the 5.4.8 version because the users experienced this bug:

    The issue should have been solved in version 5.4.11 but I cannot download any of the CE bundle of versions greater than 5.4.10. I always get an access denied response.

    Where can I download the versions from 5.4.11 to 5.4.13?