Magnolia CMS 6.2.1 is a bug-fixing and security release that also delivers the following improvements:
REST Client module refactored
A number of optimizations have been implemented in the REST Client module that improve the behavior of
RestClientFactory. In the API, the
getWebTarget() method has been deprecated and the following methods have been introduced:
register(name, component): allows registering a custom component on demand, such as response/request filters.
unregister(name): allows unregistering a custom component.
isClose(): allows checking whether a client is available for use.
close(): allows closing a client after its use. Note that if a client is retrieved from
RestClientFactory#createClientIfAbsent(), there is no need to close it manually.
REST-based type aliases renamed
In the UI Framework REST Extensions module, the type aliases for the fields that handle offline data sources have been renamed to
Handling of missing
A warning is logged whenever a REST API does not return a
Content-Type header. The REST Client module comes with a new
responseContentType property that allows you to set the header in case it is missing in a response.
Using custom query parameters in REST calls
Additional custom query parameters can be passed to and issued with a REST call without the need to configure the parameters in a YAML definition file.
Improvements in 6 UI framework
Additional complex field transformers ported to 6 UI framework
Two 5 UI complex field transformers have been ported to the Magnolia 6 UI framework,
MultiValueSubChildrenNodePropertiesTransformer. In the 6 UI, they are both handled by
New supportI18N property in
JcrChildNodeProvider allowed creating subnodes that were always localized. Example structure:
en locale exists by default and therefore the
_en suffixes are omitted.)
This release adds the
supportI18N property, which allows you to create non-localized subnodes:
Updates in Blossom module
Content API removed from Solr module
In the Solr Search Provider module, we have removed dependencies on the old
Content API that prevented Magnolia from starting when the module was included in a webapp.
Third-party library updates
This release comes with third-party library updates to fix some security and compatibility issues as well as improve performance. The following are the most notable updates:
- Hibernate Validator updated to 6.1.4.Final (BLOSSOM-264).
- log4j-bom updated to 2.13.2 (BUILD-387).
- Tika updated to 1.24.1 (BUILD-389).
Notable bug fixes
- In the Cache module,
CacheResponseWrapperdid not retrieve
This fix, coming with version 1.2.1 of the Publishing module, reverts part of a previous commit that addressed the issue. It is therefore highly probable that there is no node order issue in version 1.2 of the module either, which you may keep using in Magnolia 6.2.1.
On the author instance, editors can move nodes to change the order in which they are stored in JCR. Since Magnolia does not track node order history, it is impossible to keep the same order of nodes on the public instance if you publish just one node that has been moved on the author instance. To make sure that the orders of nodes on both instances are aligned, always publish the parent node of any nodes you moved.
- In the Segments and Personas apps of the Personalization module and in the Pages app, column filtering was not available. (MGNLUI-5671)
- In the UI module:
LinkFieldDefinitiondid not extend
ComboBoxFieldDefinitionand could not use its properties. (MGNLUI-5798)
- Toolbar icons for some configuration properties such as alignment, color and fonts were not displayed in the rich text field. With this fix,
ckeditor.jshas been updated from version 4.13.0 to 4.14.0. (MGNLUI-4072)
Additional security improvements
Stateless protection against login CSRF attack
A stateless technique is now used to protect against any login CSRF attack. See Double Submit Cookie for more information.
When requesting a Magnolia login page before a session is created after authentication, a CSRF token is temporarily kept in a cookie in the client browser. That token is generated with each
GET request before login. When the login form is submitted to the server with a
POST request, the cookie token is matched against the value coming from the request.
To improve security, a salted hash is used for the cookie so that an attacker will not be able to re-create the cookie value from the plain token without knowledge of the server secrets.
MAGNOLIA-7660 (restricted access)
The improvements in this release generated a few API incompatibilities. For details, see the following links:
Virtual URI mappings not working if too many are configured
To mitigate an issue caused by having more than 500 configured virtual URI mappings in light modules, a WARN-level message is now logged when a
DirectoryWatcher overflow occurs (MAGNOLIA-7762). We also recommend to keep the number of files in a single folder below 100 and to use folder hierarchies whenever possible. For the upcoming fix, see MAGNOLIA-7798.
Documentation screenshot updates
Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.
See the 6.2.1 changelog for all the changes.
- Advance Cache 2.3.1
- Backup 2.4.1
- Blossom 3.4
- Cache 5.9.1
- Community Edition 6.2.1
- Content Dependencies 2.0.1
- Content Tags 2.0.1
- DAM 3.0.1
- Diff 2.2.1
- DX Core 6.2.1
- Image Recognition 1.2.1
- Imaging 3.4.3
- LDAP Connector 1.10.3
- Magnolia 6.2.1
- Mail 5.5.4
- Multisite 2.1.1
- Pages 6.2.1
- Password Manager 1.2.4
- Periscope 1.2.1
- Personalization 2.0.1
- Publishing 1.2.1
- Resources 3.0.1
- REST Client 2.0.1
- REST Client UI 1.0.1
- Scheduler 2.3.4
- Site 1.3.1
- Solr Search Provider 5.2.3
- Templating Essentials 1.5
- Text Classification 1.1.1
- Third-party library BOM 6.2.1
- UI 6.2.1
- Usage Metrics 1.1.1
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Le Bao Duy, Oliver Böhrs, Tytgat Christian, Kathrin Kaufleitner, Marvin Kerkhoff, Alex Plouff and Diana Racho.