Magnolia CORE 5.7.11 is a bug-fixing and security release that delivers the following:
GET disabled by default
Logging in with query parameters using the GET method is now disabled by default. Trying to do so results in a 401 Unauthorized error.
To allow GET or other HTTP methods, add them as a list to
info.magnolia.cms.security.auth.login.FormLogin#allowedMethods. See this configuration as an example.
MAGNOLIA-8120 (restricted access)
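To check the new default against a running instance, the following added example (not Magnolia code) scans access-log lines for login attempts that still pass credentials in the query string and reports whether each was rejected with 401. The parameter names mgnlUserId and mgnlUserPSWD, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed names of the form-login request parameters (not stated on this page).
LOGIN_PARAMS = {"mgnlUserId", "mgnlUserPSWD"}

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2021:10:01:02 +0000] "GET /.magnolia/admincentral'
    '?mgnlUserId=editor&mgnlUserPSWD=REDACTED HTTP/1.1" 401 512',
    '192.0.2.11 - - [12/Jul/2021:10:02:07 +0000] "POST /.magnolia/admincentral HTTP/1.1" 302 0',
    '192.0.2.12 - - [12/Jul/2021:10:03:41 +0000] "GET /travel/about'
    '?mgnlUserId=editor&mgnlUserPSWD=REDACTED HTTP/1.1" 200 8841',
    '192.0.2.13 - - [12/Jul/2021:10:04:00 +0000] "GET /travel/tours?page=2 HTTP/1.1" 200 1200',
]

def audit_login_requests(lines, allowed_methods=("POST",)):
    """Find requests carrying login parameters in the query string with a
    method outside allowed_methods. The query string is never copied into
    the result, so credentials are not propagated into reports."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] in allowed_methods:
            continue
        target = urlsplit(m["target"])
        query = parse_qs(target.query, keep_blank_values=True)
        if not LOGIN_PARAMS.intersection(query):
            continue
        status = int(m["status"])
        findings.append({
            "host": m["host"],
            "method": m["method"],
            "path": target.path,
            "status": status,
            # 401 is the documented response once GET login is disabled.
            "rejected": status == 401,
        })
    return findings

if __name__ == "__main__":
    for f in audit_login_requests(SAMPLE_LOG):
        print(f)
```

An entry with "rejected" set to False means the request was not answered with 401, for example because the instance predates this release or GET was added to allowedMethods. Either way the credentials are now in the access log and should be rotated.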
Default path-based locking in Publishing module
With Publishing module 1.1.10, path-based locking has become the default locking mechanism. Previously, publishing occasionally failed while nodes remained locked on the public instance (EEPUBLISH-28).
Node-based locking is still available for compatibility reasons. See Known issues: Cannot publish content with path-based locking.
Third-party library updates
This release comes with the following third-party library updates to fix some security and compatibility issues:
- PDFBox updated to 2.0.24 (BUILD-475).
- Preflight and XmpBox (two subprojects of PDFBox) updated to 2.0.24 (BUILD-476).
- RESTEasy, Jackson Databind and JAXB Runtime updated to 3.15.1.Final, 2.11.1 and 2.3.3-b02 respectively (BUILD-464).
- Tika updated to 1.26 (BUILD-450).
- XStream updated to 1.4.17 (BUILD-470).
Notable bug fixes
All siblings of a published node now appear in the same order as on the author instance at the time of approving publication. To disable such ordering of sibling nodes, set
This default behavior does not take into account the order at any other point in time (such as the time of creating the published version).
- Synchronization no longer fails when you move or rename a node. Instead, synchronization is completed before a log warning displays all nodes that could not be synchronized (MGNLSYNC-58).
- To better handle dependency problems and runtime exceptions (MAGNOLIA-6442):
Injector for null before retrieving an explicit binding key.
info.magnolia.objectfactory.guice.GuiceComponentProviderBuilder, the log error triggered when a module configuration fails to load now catches
- When you restore a previous version of a page, you also restore that version’s activation status (MAGNOLIA-7975).
See the 5.7.11 changelog for all the changes.
- Community Edition 5.7.11
- Enterprise Edition 5.7.11
- Magnolia 5.7.11
- Publishing 1.1.10
- Publishing Transactional 1.1
- REST Framework 2.1.7
- Synchronization 1.9.2
- Third-party library BOM 5.7.10
- UI 5.7.11
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Thomas Duffey, Fabrizio Giustina, Thomas Martin, CysNET Software, Frank Sommer and Simon Tourville.