Magnolia 6.1 reached extended end of life on June 2, 2020. Support for this branch is limited; see the End-of-life policy.


Magnolia CMS 6.1.6 provides bug fixes, security updates and several usability improvements. In line with our End-of-life policy, this release marks the beginning of the extended end-of-life period for the 6.1 branch of Magnolia. This period is intended to give users more freedom and flexibility when planning migration to a fully supported release. For availability of the most recent Magnolia release, see the Releases page.

Optimized scanning and pattern matching for resfn

In the Resources module, the ResourcesTemplatingFunctions#generate method used by resfn previously scanned:

  • All the files and directories of the resources directory
  • All the files in the classpath to match their path with the provided JS or CSS path (potential regex)

This recursive scanning resulted in significant CPU usage. To ensure that such scanning and pattern matching are no longer forced, compiled regular expressions have been optimized as follows:

private static final String GLOB_WILDCARD_CHARS = "\\*\\[\\{\\?";

// non-greedily matches anything that precedes a forward slash followed by string containing any of the glob-related
// characters (or the end of the string)
private static final Pattern PATH_BEFORE_GLOB = Pattern.compile(String.format("^glob:(?<root>[^%s]+?)(\\/[^\\/]*[%s$])",

/**
 * Find out where in a String things start looking like a regex. Do this by matching
 * anything that doesn't seem to be a "normal" file name character:
 * alphanumeric, horizontal whitespace, underscore, dash and dot.
 * Will result in funky but perfectly legal Unix paths being regarded as regex, e.g.
 * if they contain characters like squiggly brackets or square brackets.
 * This only means our heuristic optimization will not fully apply to such
 * funky path names, as the prefix path found will be shorter than possible,
 * while in 99.9% of cases it will be optimal.
 */
private static final String NON_REGEX_WILDCARD_CHARS = "\\p{Alnum}\\h_\\-\\./";

private static final Pattern PATH_BEFORE_REGEX = Pattern.compile(String.format("^(?<root>[%s]+?)(\\/[^\\/]*[^%s$])",

/**
 * Returns a glob or regex expression's leading directory before a first "*" or other special glob/regex character
 * that potentially ambiguates directories.
 * @param patternWithPathPrefix
 */


Dependencies on Content API removed from Solr module

In the Solr Search Provider module, we have removed dependencies on the deprecated Content API that prevented Magnolia from starting when the module was included in a webapp.


Third-party library updates

This release comes with the following third-party library updates to fix some security and incompatibility issues:

We keep the details of security-related fixes private in line with our security policy. Contact our Support team if you need more information.

Notable bug fixes

The following issues have been resolved where:


If you are upgrading from an earlier version, read the Upgrading to Magnolia 6.1.x page first and check the Known issues page.

Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.

Additional security improvements

Stateless protection against login CSRF attack

A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.

When requesting a Magnolia login page before a session is created after authentication, a CSRF token is temporarily kept in a cookie in the client browser. That token is generated with each GET request before login. When the login form is submitted to the server with a POST request, the cookie token is matched against the value coming from the request.

To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.

MAGNOLIA-7660 (restricted access)
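
The double-submit check described above, as an added example that is not Magnolia's own code: the login form carries the plain token and the cookie carries a keyed hash of it. HMAC-SHA-256 as the hash, the class and method names, and both secrets are assumptions of this example; the page states only that a salted hash and server secrets are used.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

class LoginCsrfDemo {  // hypothetical class, written for this example
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] serverSecret;

    LoginCsrfDemo(byte[] serverSecret) { this.serverSecret = serverSecret.clone(); }

    /** GET of the login page: fresh random token, sent to the browser in the form. */
    String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return B64.encodeToString(raw);
    }

    /** Cookie value: keyed hash of the token (HMAC-SHA-256 is this example's choice). */
    String cookieFor(String token) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(token.getBytes(StandardCharsets.UTF_8)));
    }

    /** POST of the login form: re-hash the submitted token and compare it with the cookie. */
    boolean matches(String formToken, String cookie) throws GeneralSecurityException {
        if (formToken == null || cookie == null) return false;
        return MessageDigest.isEqual(                       // constant-time comparison
                cookieFor(formToken).getBytes(StandardCharsets.UTF_8),
                cookie.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed secrets for the demo; real ones come from server configuration.
        LoginCsrfDemo server = new LoginCsrfDemo("constructed-secret-A".getBytes(StandardCharsets.UTF_8));
        LoginCsrfDemo other = new LoginCsrfDemo("constructed-secret-B".getBytes(StandardCharsets.UTF_8));
        String token = server.newToken();

        System.out.println("token + its hashed cookie:   " + server.matches(token, server.cookieFor(token)));
        System.out.println("no cookie on the request:    " + server.matches(token, null));
        System.out.println("cookie equals plain token:   " + server.matches(token, token));
        System.out.println("cookie hashed w/ other key:  " + server.matches(token, other.cookieFor(token)));
    }
}
```

Only the first check succeeds. The third case is what the hashing adds over a plain double-submit comparison: a cookie that merely repeats the form token is rejected, because a valid cookie can only be derived with the server secret.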

Known Issues

Virtual URI mappings not working if too many are configured

To mitigate an issue caused by having more than 500 configured virtual URI mappings in light modules, a WARN-level message is now logged when a DirectoryWatcher overflow occurs (MAGNOLIA-7762). We also recommend keeping the number of files in a single folder below 100 and using folder hierarchies whenever possible. The issue will be fixed with MAGNOLIA-7798.

Site module inaccessible to non-DX Core users

Site 1.2.4, released with Magnolia 6.1.5, relies on artifacts in maintenance mode and is therefore inaccessible to non-DX Core users. To fix this, the recommended Site 1.3.1 is now available in our public Nexus repository and bundled with Magnolia 6.1.6.



See the 6.1.6 changelog for all the changes.

Updated modules

  • Backup 2.4.1
  • Blossom 3.3.2
  • Cache 5.8.3
  • Community Edition 6.1.6
  • Content Dependencies 1.9.2
  • Definitions App 2.0.1
  • Diff 2.1.1
  • DX Core 6.1.6
  • Image Recognition 1.1.1
  • Imaging 3.4.3
  • LDAP Connector 1.10.3
  • Magnolia 6.1.6
  • Mail 5.5.4
  • Password Manager 1.2.4
  • Publishing 1.2.1
  • Resources 2.7.1
  • Scheduler 2.3.4
  • Site 1.3.1
  • Solr Search Provider 5.2.3
  • Templating Essentials 1.4
  • Third-party library BOM 6.1.6
  • UI 6.1.6
  • Usage Metrics 1.1.1


The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Tytgat Christian, Mirek Ingr, Kathrin Kaufleitner, Philip Mundt, Alex Plouff, Diana Racho and Joerg von Frantzius.
