Shortly after releasing Magnolia 6.2.4, we discovered two serious issues. This is why we decided to release Magnolia 6.2.5 earlier than planned.MGNLREST-289 - Getting issue details... STATUS
MGNLUI-6418 - Getting issue details... STATUS
Should you upgrade to Magnolia 6.2.4 or wait for Magnolia 6.2.5?
If you are not impacted by the above issues, that is you don't use the REST delivery endpoint and you don't mind that asset thumbnails are not showing correctly in the Assets app, upgrade to Magnolia 6.2.4 now. If you are impacted by the above issues and can wait a few days for the security fixes delivered in 6.2.4, then upgrade to Magnolia 6.2.5 when it becomes available.
We apologize for any inconvenience this might cause you.
Magnolia CMS 6.2.4 brings a number of improvements, bug fixes and security updates.
Support for OPTIONS method for CORS preflight requests
In this release, Magnolia brings two new filter implementations that handle CORS preflight requests:
When an OPTIONS HTTP request is received, Magnolia responds with headers that describe delivery capabilities based on the URI of the request and on active security and site configurations.
Developers can now configure CORS headers to be returned for such requests via either a site configuration or a configuration on the CORS filter.
Example configuration for a site called
Same configuration on the CORS filter:
Resolver of asset links in rich text fields
When configuring a Magnolia v2 delivery endpoint, you can use a reference resolver for asset links in rich text fields. The resolver converts UUID-based asset links to links with an absolute or relative URL. For the resolver properties, see Resolving asset links in rich text fields.
Example fragment of a REST response with the word "Kyoto" functioning as a link to an asset called
kyoto.jpg and with the UUID
A fragment showing the converted link:
Asset names numbered on duplication
If you duplicate an asset, a number will be appended to its name (left). Previously, with no such number, it was difficult to tell the original and the duplicate apart (right).
Timeout for locking mechanism
In addition, logging of publishing operations on the Receiver has been moved from the TRACE level to the DEBUG level.
Improved observation mechanism
When a new version of a content node is created in one workspace, the improved Magnolia observation mechanism (
info.magnolia.observation.*) makes sure that Magnolia does not react unnecessarily to any event that creates a node in
Better user experience in tree view
To improve column filtering in the tree view, the following has been implemented:
- When at least one column filter is active, the tree view uses a flat structure. This is similar to the Magnolia 5 UI search view, but now the views are not switched.
- When all column filters are empty, the tree view reverts to the default structure.
New API to configure default values in form fields
Default values must be applied to form fields explicitly. To facilitate this, the
EditorView#applyDefaults() API has been introduced.
A select field that uses an option list can now specify an option (string) as a default value, while a JCR select field can specify a UUID or path.
Deprecated upload field
As of this release, both UploadFieldDefinition and UploadViewDefinition are deprecated. In addition,
DamUploadFieldDefinition is no longer annotated as a field type.
New password field for Magnolia 6 UI
PasswordFieldDefinition renders a text field that masks input values when used only with custom actions. Note that passwords can be revealed in plain text when the field is used in dialogs with a standard
For more information, see Password field.
jcrChildNodeProvider used by default with JCR multi field
jcrChildNodeProvider is now the item provider used by default in JcrMultiFieldDefinition.
New availability rule to check depth of JCR item
jcrDepthRule action availability type returns
true if the item is within the specified depth range.
Clear node name behavior in content type apps
To avoid any confusion between the
- Apps generated from content types use
- The JCR Browser app shows only real node names regardless of whether
Support for Java 7 locale IDs
This release comes with third-party library updates to fix some security and compatibility issues as well as improve performance. The following are the most notable updates:
- HttpClient updated to 4.5.13 (BUILD-411).
- RESTEasy and Jackson updated to 4.5.8.Final and 2.11.1 respectively (BUILD-403).
- SmallRye updated to 1.6.2 (BUILD-409).
- Tomcat updated to 9.0.39 (MGNLTOMCAT-17).
Notable bug fixes
The following issues have been resolved where:
- In the Byte Buddy library,
ByteBuddyMutableWrapperHelperdid not properly cache the generated proxy classes (MAGNOLIA-7893).
- In the Content Translation Support module, exporting translation files failed when dialogs were defined using Magnolia 6 UI (MGNLCTS-116).
- In the link field (MGNLUI-6126):
- The chooser dialog failed to open after reconfiguring a field with existing content.
- An empty field was rendered after deleting the stored reference.
To solve performance issues when exporting large files, the
prettyPrint property in JcrExportCommand is now disabled by default in Java 11+ (MAGNOLIA-7890).
As part of a security fix,
HtmlColumnRenderer now supports only the
target attributes (MGNLUI-6380, restricted access).
We have fixed several security issues (including vulnerabilities to deserialization, SSRF and XSS attacks) with this release. We keep the details of those fixes private in line with our security policy. Contact our Support team if you need more information.
WebSphere, WildFly/EAP and WebLogic application servers in maintenance mode
As of this release, the compatibility modules for the following application servers are in maintenance mode:
- IBM WebSphere and WebSphere Liberty
- JBoss WildFly and EAP
- Oracle WebLogic
We provide support for these servers, but we do not proactively test them for future releases. In line with this change, we no longer provide the associated webapps:
All information about deploying Magnolia to these servers has been moved to the Deploying Magnolia as WAR file page of our Community Wiki.
Asset thumbnails missing
When you access AdminCentral without a context path, asset thumbnails are missing in the Assets app.
Example of no context path:
- With Safari, thumbnails are missing but asset names are not obstructed.
- In other browsers, asset names are obstructed.
- If possible, deploy your author instance with a context path such as:
- If redeploying is not possible, disable the thumbnails.
Documentation screenshot updates
Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.
See the 6.2.4 changelog for all the changes.
- Advanced Cache 2.3.2
- Barebones Tomcat Bundle 1.2.3
- Blossom 3.4.4
- Cache 5.9.2
- Community Edition 6.2.4
- Content Editor 1.3.4
- Content Tags 2.0.2
- Content Translation Support 2.5
- Content Types 1.2
- DAM 3.0.4
- Demo Projects 1.5.1
- DX Core 6.2.4
- Form 2.7.1
- Icons 24
- Language Bundles 1.1.2
- License 1.7.2
- Magnolia 6.2.4
- Pages 6.2.4
- Personalization 2.0.4
- Public User Registration 2.7.5
- Publishing 1.2.3
- Resources 3.0.2
- REST Framework 2.2.4
- Scheduler 2.3.5
- Site 1.4
- Soft Locking 3.0.1
- Solr Search Provider 5.5.1
- Third-party library BOM 6.2.4
- UI 6.2.4
- Vaadin Compatibility Addons 1.3.6
The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Matei "Mal" Badanoiu, Christopher Chard, Christoph Damm, Joerg von Frantzius, Alexander Hems, Marian-Razvan Ilisanu, Matthias Jakob, Philip Müller, Alex S. Plouff, Julius Rabe, Tom Wespi and Siegfried Zach.