
This Magnolia release mainly fixes cross-site scripting vulnerabilities in the Standard Templating Kit (STK).

While you can still run STK-based projects in the Magnolia 5.5 branch by including the STK module in your project, STK was deprecated on September 15, 2017. Apart from providing security fixes, we no longer maintain the STK module. For your new projects, use the Magnolia Templating Kit (MTK) instead and upgrade to the latest release of Magnolia.

In addition to the security fixes, this release also brings:

Changes for developers

New server filter for adding HTTP headers

The new info.magnolia.cms.filters.AddHeadersFilter implementation class allows you to configure a filter for adding HTTP headers to enable, for example, Cross-origin resource sharing (CORS).


YAML configuration restored after publishing a deletion of a hotfixed version

When you publish a deletion of a YAML configuration file hotfix, the original configuration is now correctly reloaded at YamlConfigurationSource#loadAndRegister.


Changes for administrators

Separate indexing configuration files

The search improvements we implemented for the website workspace (MAGNOLIA-6188) affect the indexing performance of all workspaces. Therefore, the generic indexing configuration used for all workspaces /info/magnolia/jackrabbit/indexing_configuration.xml has been deprecated.

The default indexing configuration is now stored in /info/magnolia/jackrabbit/indexing_configuration_default.xml. The website workspace has its own separate configuration in /info/magnolia/jackrabbit/indexing_configuration_website.xml.

If you are updating to Magnolia 5.5.9, we recommend that you set the indexing configuration in the workspace.xml configuration file by specifying the workspace name(s) in the indexingConfiguration parameter: 

<param name="indexingConfiguration" value="/info/magnolia/jackrabbit/indexing_configuration_${}.xml"/>


Specify a location when creating compressed backups

When creating a compressed ZIP backup using the backup script from the command line, you must now specify where you want to create the ZIP backup file.

To do so, use -z together with the new -zp (--zipPath) flag, passing the path to the ZIP backup file as the argument.



For all the changes in this release, see the 5.5.9 changelog.

 How to update from earlier versions

Updating to 5.5.x from any pre-5.5 version

  • Warning: Depending on the number of versions in the version workspace, the update to 5.5.x from any version below 5.5 may take from 1 to 2 hours, since all of the versions have to be migrated to a new structure.
  • Since the default JCR persistency layer in our bundles has changed to H2 Database Engine with the 5.5 release, please make sure that you keep the magnolia.repositories.jackrabbit.config property in the file set to the database you used before updating. For example, for Derby set the property as follows:

Generally, follow the standard update procedure.

Changes for 5.4.x users

The following changes apply only to the users running Magnolia 5.4 (major release) and maintenance releases 5.4.1 to 5.4.3. file

CE and EE users

Add the following lines in your file. They configure a directory for loading file system resources and the file types Magnolia should observe in the classpath and reload on-change:


If you had EE Pro 5.4.x or previous and are installing EE Pro 5.5.9

Due to component personalization bringing in new features to the page editor, you must replace the widgetset in the file. Either replace or add (depending on the update path):


Derby vs. H2

If you used a previous version of Magnolia with an Apache Derby database, make sure you keep your magnolia.repositories.jackrabbit.config setting in your file.

Magnolia bundles now ship with the following default setting:

This setting may not be compatible with your setup.

Important changes for Magnolia 5.2 and 5.3 users

If you had STK installed

If you continue to work with STK, use the new magnolia-enterprise-pro-stk-bundle as a basis for your project. It includes Enterprise Pro, STK and the old demo project. You get all STK functionality out of the box. Exclude the demo-project if it's in your way.

Jackrabbit configuration

In order to enable getting an HTML excerpt in a query result, you should update the configuration files of your Jackrabbit instances. Add the two <param/> directives within your <SearchIndex> block.

  <!-- more params here -->

  <!-- needed to highlight the searched term -->
  <param name="supportHighlighting" value="true"/>
  <!-- custom provider for getting an HTML excerpt in a query result with rep:excerpt() -->
  <param name="excerptProviderClass" value="info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt"/>

log4j.xml addition

Add the log configuration for org.reflections:

  <category name="org.apache.jackrabbit">
    <priority value="WARN" />
  </category>
  <!-- Reflections library spoils logs with hundreds of harmless warnings; tries to look into native libs but none of its DefaultUrlTypes can handle them. -->
  <category name="org.reflections">
    <priority value="ERROR" />
  </category>
  <category name="com">
    <priority value="WARN" />
  </category>

How to update from Magnolia 5.2 and earlier

To update your project, follow the standard update procedure, then make the following changes:

  1. Update your content apps with the content app upgrade task. It automatically takes care of the following:
    • Using the content connector.

    • Updating configuration of availability rules and default rule classes

    • Updating selected action definitions with node-type based availability

  2. If you used the DAM: 
    • Replace DamManager with AssetProviderRegistry.
    • See DAM and the STK and DAM templating on how to use assets in your templates.
    • The DAM changes have no impact on the STK. There is no need to modify Freemarker scripts because the new DAM API is abstracted from STK.
  3. If you have a custom jBPM workflow:
    • In the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#completeWorkItem method, checking for present parameters is obsolete and refers to publication related workitems. The method is no longer used for completing a workitem in the new human task context. It is still valid in the context of completing service tasks, however.
    • Stop using the info.magnolia.module.workflow.jbpm.JbpmWorkflowManager#getWorkItem method. It was used to complete a work item for human tasks. Furthermore, the wrapper we initialize only holds the mgnlData map.

    • The previously hardcoded mgnlData parameter is now configurable in /modules/workflow/commands/workflow/activate/activate/parameterMapName.

  4. If you have custom widgets or Vaadin add-ons:
    • Magnolia's default widgetset was relocated to info.magnolia.widgetset.MagnoliaWidgetSet.
    • Update your webapp's file.
    • Otherwise, Magnolia will automatically fall back to the new widgetset but will issue warnings during the upgrade and whenever a user logs in to Magnolia.

How to update from Magnolia 4.5 and earlier

Are you running on Magnolia 4.5 or earlier? It’s time to move to 5. Contact us for migration support and look at the migration process.

 Known issues

H2 does not accept more than one connection

Our default configuration does not use server mode. Therefore, if you try to initiate a backup call using CLI or REST, it fails because H2 does not allow more than one connection at a time. This is a new issue in Magnolia (most likely due to H2 or Jackrabbit updates).

A temporary workaround is to make H2 run in server mode by adding AUTO_SERVER=TRUE to the URL parameters:

<param name="url" value="jdbc:h2:${wsp.home}/db;AUTO_SERVER=TRUE" />

<param name="url" value="jdbc:h2:${rep.home}/version/db;AUTO_SERVER=TRUE" />
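
The following added example (not part of the Magnolia release notes or the Magnolia code base) audits a workspace.xml for three settings these notes describe: the deprecated generic indexing configuration, the two SearchIndex excerpt parameters, and an H2 URL without AUTO_SERVER=TRUE. The sample document, the finding labels and the function names are constructed for illustration, and it assumes the H2 URL sits in the workspace's PersistenceManager element.

```python
import xml.etree.ElementTree as ET

# Values taken from the release notes above.
DEPRECATED_INDEXING = "/info/magnolia/jackrabbit/indexing_configuration.xml"
REQUIRED_SEARCH_PARAMS = {
    "supportHighlighting": "true",
    "excerptProviderClass": "info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt",
}

# Constructed sample of a workspace.xml that has not been updated yet.
SAMPLE_WORKSPACE_XML = """\
<Workspace name="website">
  <PersistenceManager class="org.apache.jackrabbit.core.persistence.pool.H2PersistenceManager">
    <param name="url" value="jdbc:h2:${wsp.home}/db"/>
  </PersistenceManager>
  <SearchIndex class="org.apache.jackrabbit.core.query.lucene.SearchIndex">
    <param name="path" value="${wsp.home}/index"/>
    <param name="indexingConfiguration" value="/info/magnolia/jackrabbit/indexing_configuration.xml"/>
    <param name="supportHighlighting" value="true"/>
  </SearchIndex>
</Workspace>
"""

def params(element):
    """Map the <param name=... value=...> children of an element to a dict."""
    if element is None:
        return {}
    return {p.get("name"): p.get("value", "") for p in element.findall("param")}

def check_workspace(xml_text):
    """Return a list of finding labels for one workspace.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    search = params(root.find("SearchIndex"))
    # The generic indexing configuration is deprecated in 5.5.9.
    if search.get("indexingConfiguration") == DEPRECATED_INDEXING:
        findings.append("deprecated-indexing-configuration")
    # Both params are needed for HTML excerpts in query results.
    for name, expected in REQUIRED_SEARCH_PARAMS.items():
        if search.get(name) != expected:
            findings.append("missing-or-wrong:" + name)
    # Embedded H2 accepts one connection unless AUTO_SERVER=TRUE is set.
    url = params(root.find("PersistenceManager")).get("url", "")
    if url.startswith("jdbc:h2:") and "AUTO_SERVER=TRUE" not in url.upper():
        findings.append("h2-without-auto-server")
    return findings

if __name__ == "__main__":
    for finding in check_workspace(SAMPLE_WORKSPACE_XML):
        print(finding)
```

The version URL that uses ${rep.home} lives outside workspace.xml and is not covered by this check.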

The Show action in the Configuration app doesn't open the correct location

When selecting properties in a definition that are actually extended from another node in the config workspace, opening the definition in the Configuration app will not work correctly, as the underlying node/property doesn't exist. For example,

points to config:/modules/site-app/apps/site/subApps/browser/actions/addFolder/icon
but all the actions are inherited from /modules/ui-admincentral/apps/configuration/subApps/browser via extends.

Allocate more JVM memory

The Magnolia 5.5.9 ee-bundle may require you to allocate more memory to the Java Virtual Machine (JVM). If you see a java.lang.OutOfMemoryError in the startup log or the system stops responding during installation, increase the Java heap size. The default maximum heap size is 512M. Try a higher amount such as 1024M. We are working on uncovering the root cause for the increased memory need.

See: Java out of memory

 Updated modules
  • Community Edition 5.5.9
  • Content Editor 1.0.8
  • Demo Projects 1.1.7
  • Enterprise Edition 5.5.9
  • Jackrabbit Backup 2.1.3
  • Magnolia 5.5.9
  • Standard Templating Kit 3.0.3
  • UI 5.5.9


The Magnolia team would also like to thank everyone who reported issues, contributed patches, or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Thomas Duffey.
