Page tree
Skip to end of metadata
Go to start of metadata

Magnolia CMS 6.2.4 brings a number of improvements, bug fixes and security updates.

Improvements

Support for OPTIONS method for CORS preflight requests

In this release, Magnolia brings two new filter implementations that handle CORS preflight requests:

  • info.magnolia.module.site.filters.SiteAwareCorsFilter
  • info.magnolia.cors.SelfConfiguredCorsFilter

When an OPTIONS HTTP request is received, Magnolia responds with headers that describe delivery capabilities based on the URI of the request and on active security and site configurations.

Developers can now configure CORS headers to be returned for such requests via either a site configuration or a configuration on the CORS filter.

Example configuration for a site called foo:

/modules/multisite/config/sites/foo/cors.yaml
rest:
  allowedHeaders:
    - *
  allowedMethods:
    - GET
    - POST
    - OPTIONS
  allowedOrigins:
    - https://magnolia-cms.com
    - https://example.com
  uris:
    rest:
      patternString: /.rest/*

Same configuration on the CORS filter:

MAGNOLIA-7215MGNLSITE-101

Resolver of asset links in rich text fields

When configuring a Magnolia v2 delivery endpoint, you can use a reference resolver for asset links in rich text fields. The resolver converts UUID-based asset links to links with an absolute or relative URL. For the resolver properties, see Resolving asset links in rich text fields.

Example fragment of a REST response with the word "Kyoto" functioning as a link to an asset called kyoto.jpg and with the UUID 0a3bb34f-b49f-4e02-a9e9-e46cf860b612:

<p>Experience the still beauty that permeates and surrounds <a href=\"${link:{uuid:{0a3bb34f-b49f-4e02-a9e9-e46cf860b612},repository:{dam},path:{/untitled}}}\">Kyoto</a>.</p>

A fragment showing the converted link:

<p>Experience the still beauty that permeates and surrounds <a href=\"http://localhost:8080/magnoliaAuthor/fallback/dam/jcr:0a3bb34f-b49f-4e02-a9e9-e46cf860b612/kyoto.jpg\">Kyoto</a>.</p>

MGNLREST-196

Asset names numbered on duplication

If you duplicate an asset, a number will be appended to its name (left). Previously, with no such number, it was difficult to tell the original and the duplicate apart (right).

MGNLDAM-817

Timeout for locking mechanism

There is now a five-minute timeout for the locking mechanism to mitigate an issue where nodes are locked even after publishing. For more details about this issue, see EEPUBLISH-28.

In addition, logging of publishing operations on the Receiver has been moved from the TRACE level to the DEBUG level.

PUBLISHING-90

Improved observation mechanism

When a new version of a content node is created in one workspace, the improved Magnolia observation mechanism (info.magnolia.observation.*) makes sure that Magnolia does not react unnecessarily to any event that creates a node in /jcr:system.

MAGNOLIA-7858

Better user experience in tree view

To improve column filtering in the tree view, the following has been implemented:

  • When at least one column filter is active, the tree view uses a flat structure. This is similar to the Magnolia 5 UI search view, but now the views are not switched.
  • When all column filters are empty, the tree view reverts to the default structure.

MGNLUI-6225

New API to configure default values in form fields

Default values must be applied to form fields explicitly. To facilitate this, the EditorView#applyDefaults() API has been introduced.

select field that uses an option list can now specify an option (string) as a default value, while a JCR select field can specify a UUID or path.

MGNLUI-5852

Deprecated upload field

As of this release, both UploadFieldDefinition and UploadViewDefinition are deprecated. In addition, DamUploadFieldDefinition is no longer annotated as a field type.

Do not use UploadFieldDefinition to upload assets directly to an app workspace. Instead, store your assets in the DAM workspace and link to them using a link field.

DamUploadFieldDefinition makes sense only in the context of the Magnolia Assets subapp. Do not use it generically in any other context.

MGNLUI-5886

New password field for Magnolia 6 UI

PasswordFieldDefinition renders a text field that masks input values when used only with custom actions. Note that passwords can be revealed in plain text when the field is used in dialogs with a standard  commit action.

For more information, see Password field.

MGNLUI-5537

jcrChildNodeProvider used by default with JCR multi field

jcrChildNodeProvider is now the item provider used by default in JcrMultiFieldDefinition.

MGNLUI-6221

New availability rule to check depth of JCR item

The jcrDepthRule action availability type returns true if the item is within the specified depth range.

MGNLUI-6192

Clear node name behavior in content type apps

To avoid any confusion between the name and jcrName properties:

  • Apps generated from content types use name instead of jcrName.
  • The JCR Browser app shows only real node names regardless of whether jcrName is configured.

MGNLUI-6334

Support for Java 7 locale IDs

From this release, you can use Java 8 or Java 7 locale IDs in configuration. To refer to the Dutch spoken in Belgium, for example, you may use either nl-BE or nl_BE.

MAGNOLIA-7897

Library updates

This release comes with third-party library updates to fix some security and compatibility issues as well as improve performance. The following are the most notable updates:

  • HttpClient updated to 4.5.13 (BUILD-411).
  • RESTEasy and Jackson updated to 4.5.8.Final and 2.11.1 respectively (BUILD-403).
  • SmallRye updated to 1.6.2 (BUILD-409).
  • Tomcat updated to 9.0.39 (MGNLTOMCAT-17).

We keep the details of security-related fixes private in line with our security policyContact our Support team if you need more information.

Notable bug fixes

The following issues have been resolved where:

  • In the Byte Buddy library, ByteBuddyMutableWrapperHelper did not properly cache the generated proxy classes (MAGNOLIA-7893).
  • In the Content Translation Support module, exporting translation files failed when dialogs were defined using Magnolia 6 UI (MGNLCTS-116).
  • In the link field (MGNLUI-6126):
    • The chooser dialog failed to open after reconfiguring a field with existing content.
    • An empty field was rendered after deleting the stored reference.

To solve performance issues when exporting large files, the prettyPrint property in JcrExportCommand is now disabled by default in Java 11+ (MAGNOLIA-7890).

As part of a security fix, HtmlColumnRenderer now supports only the class, title, style and target attributes (MGNLUI-6380, restricted access).

Security advisory

We have fixed several security issues (including vulnerabilities to deserialization, SSRF and XSS attacks) with this release. We keep the details of those fixes private in line with our security policyContact our Support team if you need more information.

MAGNOLIA-7914, MAGNOLIA-7915MAGNOLIA-7933MGNLCTS-120, MGNLCTS-121, MGNLPUR-197, MGNLUI-6380 (restricted access)

Others

WebSphere, WildFly/EAP and WebLogic application servers in maintenance mode

As of this release, the compatibility modules for the following application servers are in maintenance mode:

  • IBM WebSphere and WebSphere Liberty
  • JBoss WildFly and EAP
  • Oracle WebLogic

We provide support for these servers, but we do not proactively test them for future releases. In line with this change, we no longer provide the associated webapps:

  • magnolia-dx-core-websphere-webapp
  • magnolia-dx-core-wildfly-webapp
  • magnolia-dx-core-weblogic-webapp

All information about deploying Magnolia to these servers has been moved to the Deploying Magnolia as WAR file page of our Community Wiki.

MGNLEE-626

Known issues

If you are upgrading from an earlier version, read the Upgrading to Magnolia 6.2.x page first and check the Known issues page.

Asset thumbnails missing

When you access AdminCentral without a context path, asset thumbnails are missing in the Assets app.

Example of no context path: http://localhost:8080/.magnolia/admincentral#app:dam:jcrBrowser;/travel-demo/social-icons/google-plus.png::

  • With Safari, thumbnails are missing but asset names are not obstructed. 
  • In other browsers, asset names are obstructed.

Workarounds:

  • If possible, deploy your author instance with a context path such as: http://localhost:8080/<magnoliaAuthor>/.magnolia/admincentral#app:dam:jcrBrowser;/travel-demo/social-icons/google-plus.png::
  • If redeploying is not possible, disable the thumbnails.

 MGNLUI-6418 

Documentation screenshot updates

Some of the screenshots in the documentation still show the legacy Magnolia 5 UI. Please bear with us as we work to update them.

Changelog

See the 6.2.4 changelog for all the changes.

Updated modules

  • Advanced Cache 2.3.2
  • Barebones Tomcat Bundle 1.2.3
  • Blossom 3.4.4
  • Cache 5.9.2
  • Community Edition 6.2.4
  • Content Editor 1.3.4
  • Content Tags 2.0.2
  • Content Translation Support 2.5
  • Content Types 1.2
  • DAM 3.0.4
  • Demo Projects 1.5.1
  • DX Core 6.2.4
  • Form 2.7.1
  • Icons 24
  • Language Bundles 1.1.2
  • License 1.7.2
  • Magnolia 6.2.4
  • Pages 6.2.4
  • Personalization 2.0.4
  • Public User Registration 2.7.5
  • Publishing 1.2.3
  • Resources 3.0.2
  • REST Framework 2.2.4
  • Scheduler 2.3.5
  • Site 1.4
  • Soft Locking 3.0.1
  • Solr Search Provider 5.5.1
  • Third-party library BOM 6.2.4
  • UI 6.2.4
  • Vaadin Compatibility Addons 1.3.6

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Matei "Mal" Badanoiu, Christopher Chard, Christoph Damm, Joerg von Frantzius, Alexander Hems, Marian-Razvan Ilisanu, Matthias Jakob, Philip Müller, Alex S. Plouff, Julius Rabe, Tom Wespi and Siegfried Zach.

  • No labels