additionalResponseHeaders:
  "Content-Security-Policy": "default-src 'self'"
Core: The Vert.x Handlebars engine dependency has been patched to replace the vulnerable Apache commons-text dependency, targeting CVE-2022-42889.
Authentication: The authentication denial of a 3rd party auth provider is now better depicted in the logs.
Authentication, Documentation: Updated documentation about Keycloak configuration for newer Keycloak versions which use an RSA-OAEP key by default. Such keys are currently not supported by the underlying Vert.x framework and the respective key provider must be removed in the Keycloak admin console. For more information see the authentication documentation.
Core: Now all the redirections, including error pages, consider the source branch to pick up the correct content.
Templating: The error tolerance of the templating engine can now be configured in the portal config. Errors are either silently accepted (status quo) or cause an HTTP 500 to be thrown.
Core: Fixes a dependency issue introduced with the update to Vert.x 4.5.0 which caused an error when reading the portal configuration.
Vert.x dependency updated to 4.5.0.
Handlebars: Fixes path resolving of template partials on Windows systems.
Core: Adds configuration option monitoring.startupCheckMode which determines the consequence of failed start-up checks: OFF means no checks will be performed, ABORT will abort the portal start-up immediately, and UNREADY will cause the /health/live endpoint to respond that the portal is no longer live.
Core: Adds configuration option checkedQueries, a list of queries which should be checked for validity on portal start-up. The possible values are LANGUAGES, LOAD_BY_PATH, NAVIGATION and SITEMAP. An empty list will cause the portal to check all queries.
Authentication: The authentication.useSessionCookies setting has been added. If set to true, auth cookies generated by the portal from its communication with Keycloak will be session cookies instead of using the given max-age from the original Keycloak cookies.
Language Switch API: Improves error handling on unexpected URL parameters.
Caching: Fixes error where no valid cache key could be generated if invalid characters were present in the URL.
Vert.x dependency updated to 4.3.2.
The Vert.x update caused changes in the authentication API, so custom authentication handlers must be adapted.
The OAuth2 access token validation checks if the token contains the client ID in the aud (audience) claim. Keycloak only adds account to that claim by default, and must be configured to add the portal's client ID. For more details see the documentation: Authentication - Audience Claim.
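A diagnostic for the audience check described above, as an added example that is not part of the portal or its documentation: it decodes the payload of an access token and reports whether the aud claim contains the client ID. The client ID portal-client and both sample tokens are constructed; the script does not verify signatures and is meant only for inspecting what Keycloak issued.

```python
import base64
import binascii
import json

CLIENT_ID = "portal-client"  # hypothetical client ID, not taken from the page


def decode_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        payload = json.loads(base64.urlsafe_b64decode(segment))
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def audiences(payload):
    """Normalise aud, which RFC 7519 allows to be a string or a list of strings."""
    aud = payload.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud claim is neither a string nor a list of strings")


def check_audience(token, client_id):
    """Report whether client_id is listed in the token's aud claim."""
    payload = decode_payload(token)
    auds = audiences(payload)
    if client_id in auds:
        hint = "aud contains the client ID"
    elif not auds:
        hint = "token has no aud claim; the audience check will fail"
    else:
        hint = f"aud is {auds}; the client ID must be added in Keycloak"
    return {"ok": client_id in auds, "aud": auds, "hint": hint}


def sample_token(claims):
    """Build a constructed, unsigned sample token for this example only."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed"


# Constructed samples: the default audience versus one with the client ID added.
DEFAULT_TOKEN = sample_token({"sub": "u1", "azp": CLIENT_ID, "aud": "account"})
FIXED_TOKEN = sample_token({"sub": "u1", "azp": CLIENT_ID,
                            "aud": ["account", CLIENT_ID]})

if __name__ == "__main__":
    for label, tok in (("default", DEFAULT_TOKEN), ("fixed", FIXED_TOKEN)):
        print(label, check_audience(tok, CLIENT_ID))
```
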
Authentication: The authentication.keycloak.retryPeriodSeconds setting has been added, controlling the behavior of Keycloak handler initialization when the Keycloak server is initially unreachable (retry / abort / ignore). The default value is 60 (seconds), the period after which the portal retries setting up the connection.
Search: A SearchHandler is available again, making it possible to perform a basic full-text search over the content with the help of the Mesh Search plugin.
Core: Adds configuration option monitoring.startupCheckMode which determines the consequence of failed start-up checks: OFF means no checks will be performed, ABORT will abort the portal start-up immediately, and UNREADY will cause the /health/live endpoint to respond that the portal is no longer live.
Core: Adds configuration option checkedQueries, a list of queries which should be checked for validity on portal start-up. The possible values are LANGUAGES, LOAD_BY_PATH, NAVIGATION and SITEMAP. An empty list will cause the portal to check all queries.
Language Switch API: Improves error handling on unexpected URL parameters.
Caching: Fixes error where no valid cache key could be generated if invalid characters were present in the URL.
Logging: Fixes error messages caused by non-existent pages.
Logging: Cleans up log messages. Responses with an HTTP status of 4xx no longer log explicit error messages, since they are already covered by warning messages of the logger handler.
Logging: Clean up DataProviderVerticle error logging. Mesh datasources which cannot be loaded will only be logged as errors during portal startup. Subsequent failures will be logged as warnings.
Authentication: The authentication.keycloak.retryPeriodSeconds setting has been added, controlling the behavior of Keycloak handler initialization when the Keycloak server is initially unreachable (retry / abort / ignore). The default value is 60 (seconds), the period after which the portal retries setting up the connection.
Core: Makes sure that all idle connections in the Mesh REST client are closed when the eventbus connection is disrupted to prevent stale connections.
Plugin proxies: Fixes forwarding of authentication tokens when security.encryptCookies is enabled.
Cookies are now filtered when requests are forwarded to Mesh plugins. The default configuration allows forwarding of the forms plugin cookies. Any cookies set by custom Mesh plugins must be added to the mesh.cookieForwardWhitelist setting.
Plugin proxies: Fixes a bug where the authentication cookie was not forwarded to Mesh.
Plugin proxies: Adds new setting mesh.authenticationMode to determine whether the Mesh API key should be sent via the Authorization HTTP header, the mesh.token cookie, or both (default is both).
Plugin proxies: Adds new setting mesh.cookieForwardWhitelist which defines which cookies will be forwarded to Mesh (default is forms-data and forms-voted).
Helpers: Fixes potential NullPointerException in breadcrumb helper.
Uploads: New boolean setting autoDeleteUploads: When set to true, file uploads will automatically be deleted after the request is handled. Defaults to false for backward compatibility.
Core: Various possible connection leaks to Mesh have been fixed.
Updated Mesh REST client version to 1.6.34. The portal will still work with older Mesh versions.
The signature of the logout() method in the AuthenticationHandler interface has changed and now requires a handler for an AsyncResult<Boolean>. Custom AuthenticationHandler implementations must be adapted accordingly.
The new RP-initiated logout setting only works with Keycloak 18.0 or later.
Setting the new rpInitiatedLogout flag to true will add another authentication cookie for the user's ID token.
Authentication: The new setting authentication.keycloak.rpInitiatedLogout can be set to true to redirect the client to Keycloak's end_session_endpoint on logout after clearing the authentication cookies. The setting is disabled by default for backwards compatibility.
Authentication: Fixes authentication handling for requests to protected pages.
Core: Fixes the check whether webroot or webrootfield should be used for binary requests. This check did not work as expected for Mesh >= 1.8.0.
The base for login redirect handlers has changed since the redirect cookie is no longer used. Custom redirect handlers will require adaptation.
Updates Vert.x dependency to 3.9.12
Authentication: Fixes a problem with redirects after logins when the redirect cookie was not set due to the SameSite strict cookie policy. The login redirect cookie is no longer used and has been replaced with authentication endpoints where the redirect information is in the URL.
Forms: Adds support for poll forms via the Mesh Forms plugin. The portal now forwards the forms-voted cookie to the plugin if present. Also the forms helper supports the new optional parameters templateContext and showResults, which make it possible to use custom templates for rendering and force rendering of the results respectively.
Logging: Fixes error messages caused by non-existent pages.
Logging: Cleans up log messages. Responses with an HTTP status of 4xx no longer log explicit error messages, since they are already covered by warning messages of the logger handler.
Logging: Clean up DataProviderVerticle error logging. Mesh datasources which cannot be loaded will only be logged as errors during portal startup. Subsequent failures will be logged as warnings.
Authentication: The authentication.keycloak.retryPeriodSeconds setting has been added, controlling the behavior of Keycloak handler initialization when the Keycloak server is initially unreachable (retry / abort / ignore). The default value is 60 (seconds), the period after which the portal retries setting up the connection.
Core: Makes sure that all idle connections in the Mesh REST client are closed when the eventbus connection is disrupted to prevent stale connections.
Plugin proxies: Fixes forwarding of authentication tokens when security.encryptCookies is enabled.
Cookies are now filtered when requests are forwarded to Mesh plugins. The default configuration allows forwarding of the forms plugin cookies. Any cookies set by custom Mesh plugins must be added to the mesh.cookieForwardWhitelist setting.
Plugin proxies: Fixes a bug where the authentication cookie was not forwarded to Mesh.
Plugin proxies: Adds new setting mesh.authenticationMode to determine whether the Mesh API key should be sent via the Authorization HTTP header, the mesh.token cookie, or both (default is both).
Plugin proxies: Adds new setting mesh.cookieForwardWhitelist which defines which cookies will be forwarded to Mesh (default is forms-data and forms-voted).
Helpers: Fixes potential NullPointerException in breadcrumb helper.
Uploads: New boolean setting autoDeleteUploads: When set to true, file uploads will automatically be deleted after the request is handled. Defaults to false for backward compatibility.
Core: Various possible connection leaks to Mesh have been fixed.
Updated Mesh REST client version to 1.6.34. The portal will still work with older Mesh versions.
The signature of the logout() method in the AuthenticationHandler interface has changed and now requires a handler for an AsyncResult<Boolean>. Custom AuthenticationHandler implementations must be adapted accordingly.
The new RP-initiated logout setting only works with Keycloak 18.0 or later.
Setting the new rpInitiatedLogout flag to true will add another authentication cookie for the user's ID token.
Authentication: The new setting authentication.keycloak.rpInitiatedLogout can be set to true to redirect the client to Keycloak's end_session_endpoint on logout after clearing the authentication cookies. The setting is disabled by default for backwards compatibility.
Authentication: Fixes authentication handling for requests to protected pages.
Core: Fixes the check whether webroot or webrootfield should be used for binary requests. This check did not work as expected for Mesh >= 1.8.0.
The base for login redirect handlers has changed since the redirect cookie is no longer used. Custom redirect handlers will require adaptation.
Updates Vert.x dependency to 3.9.12
Authentication: Fixes a problem with redirects after logins when the redirect cookie was not set due to the SameSite strict cookie policy. The login redirect cookie is no longer used and has been replaced with authentication endpoints where the redirect information is in the URL.
Forms: Add the forms-voted cookie to requests to the Gentics Mesh forms plugin if present.
Authentication: Fixes possible authentication redirect loop. The login redirect cookie could get overwritten by the portal, causing an infinite redirect loop. The cookie is now only set during the post authentication process if it is not already present.
Language: Check the language cookie for every type of request (previously only GET requests).
Navigation: Fixes handler ordering issue which could cause navigation to be loaded in a different language than the rendered page.
Monitoring: Adds new setting monitoring.maxTimeouts which specifies how many consecutive requests to Mesh must yield a SocketException or SocketTimeoutException before the liveness probe /health/live will change into an error state and return 503 Service Unavailable. A successful request to Mesh will reset the counter.
Logging: Improves error logging for failed requests with the Mesh REST client.
Authentication: Fixes login redirect when the authentication process was triggered by the user navigating to a protected page.
Authentication: Fixes the ClientLoginRedirectHandler so that it does not delete the redirect cookie before it could retrieve the value (due to SameSite policy).
Navigation: Fixes a router order problem, which could lead to the navigation data for anonymous users being cached for all users.
The default behavior of the portal changes for binaries loaded from Mesh unless the new setting caching.binaryMaxAge is set to 0. The new behavior tells clients to use their local cache for images for one day (86400 seconds). See the caching development guide.
Add the caching.binaryMaxAge setting which controls the max-age value of the Cache-Control HTTP header for binaries loaded from Mesh.
Authentication: Add new setting authentication.useUnauthorizedRedirect (default false), to specify whether anonymous requests to protected resources should immediately start the authentication process (default behaviour) or use the configured 401 Unauthorized redirect.
Helpers: Put the portal configuration in the routing context under gpj.config to make it accessible during rendering.
Caching: Make sure the language cookie is read before the caching handler determines the language for the request.
Caching: Add detected language to cache key to fix a caching problem for pages with language fallback like /.
Projects with custom loadByPath queries must ensure that loaded elements have breadcrumbs which include the UUID.
Authentication: The userInfo object put into the routing context now also contains the fields firstName, lastName, email, and raw (which contains optional additional information from the concrete authenticator implementation).
Navigation: Fixes eachNavFromLevel helper for projects without path segments.
Content: Extends the default loadByPath GraphQL query to use language fallback for breadcrumb entries.
GenticsImageStore: Fixes GenticsImageStore requests for Mesh versions 1.6.9 and up.
Authentication: The route order for the Keycloak callback has been fixed, which prevents possible 404 Not Found errors during the login procedure.
A new entry in the BindModule is necessary for the LoginRedirectHandler. There are two implementations available out of the box: the ServerLoginRedirectHandler which will send a final redirect via 303 See Other (this is the same behavior as before), and the ClientLoginRedirectHandler which will send a minimal HTML response with a <meta http-equiv="refresh"> tag that will cause the browser to navigate to the path set in the AUTH_REDIRECT cookie.
Content: Fixed language detection in portal applications when no language cookie is present.
Core: The proxy handler will now no longer follow redirects itself, but will pass any redirect response back to the calling client.
FormsHandler: Rendering forms using the renderForm helper did not work and is fixed now.
Core: It is now possible to have an OkHttpClient instance injected, which will not follow redirects, by using the new qualifier @NoRedirect.
Authentication: After a successful login the portal will perform a redirect which can be configured in authentication.loginRedirect.path. The default value is /auth/loggedin and the provided LoginRedirectHandlers will cause the final redirect to the path set in the AUTH_REDIRECT cookie. This change is to cope with SameSite=STRICT restrictions on the authentication cookies.
Core: Added additional checks for finished requests which reduce the probability of "The response has already been sent" errors.
CookieProvider: Added the option to configure the SameSite attribute when creating cookies.
Authentication: It is now possible to control the SameSite attribute for the AUTH_REDIRECT cookie. The default value is still Strict but can be changed to None by setting the configuration authentication.redirectCookieSameSiteStrict to false. This can be necessary if the login flow uses a completely different domain.
Content: Language cookie was not read correctly when useHostCookiePrefix is activated.
The network timeout setting has been moved from mesh.networkTimeout to networkTimeout. Both settings work for now, but mesh.networkTimeout is deprecated and will be removed in a future version.
Core: The network timeout setting now also applies to inbound requests, which will be terminated with a 503 Service Unavailable response if they take too long.
Updated Mesh REST client version to 1.6.9. The portal will still work with older Mesh versions, but the webroot fields request will only be used when Mesh is at least version 1.6.9.
Content: Binaries will now be loaded from Mesh via a webroot field request when the Mesh version is at least 1.6.9.
Authentication: Fixes possible authentication redirect loop. The login redirect cookie could get overwritten by the portal, causing an infinite redirect loop. The cookie is now only set during the post authentication process if it is not already present.
Navigation: Fixes handler ordering issue which could cause navigation to be loaded in a different language than the rendered page.
Monitoring: Adds new setting monitoring.maxTimeouts which specifies how many consecutive requests to Mesh must yield a SocketException or SocketTimeoutException before the liveness probe /health/live will change into an error state and return 503 Service Unavailable. A successful request to Mesh will reset the counter.
Logging: Improves error logging for failed requests with the Mesh REST client.
Authentication: Fixes login redirect when the authentication process was triggered by the user navigating to a protected page.
Caching: Add detected language to cache key to fix a caching problem for pages with language fallback like /.
Authentication: The route order for the Keycloak callback has been fixed, which prevents possible 404 Not Found errors during the login procedure.
A new entry in the BindModule is necessary for the LoginRedirectHandler. There are two implementations available out of the box: the ServerLoginRedirectHandler which will send a final redirect via 303 See Other (this is the same behavior as before), and the ClientLoginRedirectHandler which will send a minimal HTML response with a <meta http-equiv="refresh"> tag that will cause the browser to navigate to the path set in the AUTH_REDIRECT cookie.
Content: Fixed language detection in portal applications when no language cookie is present.
Core: The proxy handler will now no longer follow redirects itself, but will pass any redirect response back to the calling client.
Core: It is now possible to have an OkHttpClient instance injected, which will not follow redirects, by using the new qualifier @NoRedirect.
Authentication: After a successful login the portal will perform a redirect which can be configured in authentication.loginRedirect.path. The default value is /auth/loggedin and the provided LoginRedirectHandlers will cause the final redirect to the path set in the AUTH_REDIRECT cookie. This change is to cope with SameSite=STRICT restrictions on the authentication cookies.
Core: Added additional checks for finished requests which reduce the probability of "The response has already been sent" errors.
CookieProvider: Added the option to configure the SameSite attribute when creating cookies.
Authentication: It is now possible to control the SameSite attribute for the AUTH_REDIRECT cookie. The default value is still Strict but can be changed to None by setting the configuration authentication.redirectCookieSameSiteStrict to false. This can be necessary if the login flow uses a completely different domain.
Content: Language cookie was not read correctly when useHostCookiePrefix is activated.
The network timeout setting has been moved from mesh.networkTimeout to networkTimeout. Both settings work for now, but mesh.networkTimeout is deprecated and will be removed in a future version.
Core: The network timeout setting now also applies to inbound requests, which will be terminated with a 503 Service Unavailable response if they take too long.
Monitoring: The new setting monitoring.conservativePortalState (default value false) can be enabled to set the portal state to NETWORK_ERROR as soon as a GraphQL request to Mesh fails due to a SocketException or SocketTimeoutException. This will cause the following requests to the /health/ready monitoring endpoint to respond with 503 Service Unavailable.
Core: The new authentication settings can be used to enable encryption of authentication cookies:
* security.encryptCookies: whether authentication cookies should be encrypted
* security.encryptionMode: one of DISABLED, PASSWORD_ONLY_KEY or AUTO_GENERATED_KEY to determine whether no encryption should be used, the cookie should be encrypted with security.encryptionPassword, or with an auto-generated secret key respectively
* security.encryptionPassword: the password to use as an encryption key when security.encryptionMode is set to PASSWORD_ONLY_KEY
Content: Fixes the check whether a language variant for a given URL can be loaded.
Navigation: A potential IndexOutOfBoundsException when processing navigation entries has been fixed.
Core: New util method to rethrow HTTP errors from Mesh REST client to the Portal | Java callers.
Monitoring: Additional metrics for outgoing requests will now be collected.
Configuration: The new settings mesh.maxRequests and mesh.maxRequestsPerHost allow better control over the connection between the portal and Mesh.
Core: The proxy handler for forwarding requests to Mesh plugins using the OkHttp HTTP client has been optimized to stream POSTed data to Mesh, which reduces the overall memory consumption. The new configuration setting mesh.writeQueueMaxSize allows control over the memory consumption per request while streaming POSTed data.
Core: A timeout for requests using the Vert.x or OkHttp HTTP clients (as well as the Mesh REST client) can now be set via the mesh.networkTimeout setting.
Core: The new HandlerProvider#pluginProxy() method creates a proxy handler for forwarding requests to Mesh plugins using the OkHttp HTTP client. The HandlerProvider#proxy() method using the Vert.x HTTP client is still available but has been deprecated.
Core: The new setting mesh.proxyHeaderWhitelist can be set to a list of HTTP header names that are allowed to be forwarded from the client to a Mesh plugin. Other headers will be removed. The following headers will always be added automatically to that whitelist:
* Accept
* Accept-Encoding
* Authorization
* Content-Encoding
* Content-Length
* Content-Type
* Cookie
The authentication redirect cookie is now a session cookie by default instead of having a max-age of one minute.
Authentication: The authentication redirect cookie is a session cookie by default, and the authentication process will redirect to / if the cookie got deleted during the login process to prevent infinite redirect loops.
Core: Loading of the GraphQL queries on Windows has been improved.
Core: The mandatory GraphQL queries are now checked for syntax and Mesh schemas consistency, at Portal startup.
GenticsImageStore: Now correctly processing filenames with umlauts and other allowed special characters.
Core: Requests to non-existent binaries no longer cause empty 404 responses, but will reroute to the 404 error page if it is configured.
The change in the base URL used for the sitemap generator depends on the serverUrl setting being correct in the portal configuration.
Sitemap: The configured serverUrl is used as base URL for the sitemap generator.
Helpers: Formhelper can now be injected.
Core: A scheduler problem in the NavigationHandler which caused "Response has already been written" and other follow-up errors has been fixed.
Content: The portal reroutes a request to a folder to its startpage if available.
The new setting mesh.requiredPlugins can be used to set the plugins that must be in state REGISTERED before the portal starts up.
The /health/ready monitoring endpoint can now check if Mesh is also ready by setting monitoring.ignoreMeshReady to false. For backwards compatibility this value is true by default, so only the portal status itself is checked. For the Mesh ready check to work, the mesh.monitoringPort setting must be set to the Mesh monitoring port.
Core: The portal waits for Mesh to be ready before starting up. Ready means Mesh is reachable and all plugins have the status REGISTERED.
Monitoring: The /health/ready endpoint can also check if Mesh is ready.
The new compatibility.mapNodeResponse setting is enabled by default which alters the default behavior of the preview. Implementations which used NodeResponse field names (e.g. parentNode instead of parent) in preview mode will no longer work, unless this setting is explicitly disabled.
Preview: The new setting compatibility.mapNodeResponse controls whether the data sent to the /api/preview endpoint will be processed so that the JSON will correspond to the structure of a GraphQL response.
Helpers: Fixes the default navigation helper profile for the eachNav helper. This should be unwrapped but has been default.
When the new configuration item security.useHostCookiePrefix is enabled, the authentication cookie names may change, and after the update users might no longer be logged in.
The current field of the result of the eachBc helper is now deprecated and currentFolderStartpage should be used instead.
The new CookieProvider should be used to set and delete cookies to ensure consistent settings for all cookies the portal sets.
Updated Vert.x dependency to version 3.9.0.
Cookies: The SameSite attribute for cookies is now set to Strict for all cookies that the portal sets.
Authentication: when the new setting security.useHostCookiePrefix is set to true (default is false), and the serverUrl uses HTTPS, all cookies set by the portal will have the __Host- prefix.
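A check for the cookie attributes these two entries describe, as an added example that is not part of the portal: it audits Set-Cookie header values against the browser rules for the __Host- prefix (Secure, Path=/, no Domain) and the expected SameSite value, which is why the prefix depends on the serverUrl using HTTPS. The header values, including the prefixed name __Host-AUTH, are constructed samples.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into name, value and attributes."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_cookie(header, expect_host_prefix=False, expect_samesite="Strict"):
    """Return a list of findings for one Set-Cookie header (empty list = clean)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs

    if name.startswith("__Host-"):
        # Browsers drop __Host- cookies that break any of these three rules.
        if not secure:
            findings.append("__Host- cookie lacks Secure")
        if attrs.get("path") != "/":
            findings.append("__Host- cookie must have Path=/")
        if "domain" in attrs:
            findings.append("__Host- cookie must not set Domain")
    elif expect_host_prefix:
        findings.append("cookie name lacks the __Host- prefix")

    samesite = attrs.get("samesite", "")
    if samesite.lower() != expect_samesite.lower():
        findings.append(f"SameSite is {samesite or 'unset'}, expected {expect_samesite}")
    if samesite.lower() == "none" and not secure:
        findings.append("SameSite=None without Secure")
    return findings


# Constructed sample headers, not captured from a real portal.
GOOD = "__Host-AUTH=constructed; Path=/; Secure; HttpOnly; SameSite=Strict"
BAD_HOST = "__Host-AUTH=constructed; Path=/; Domain=portal.example; SameSite=Strict"
NO_PREFIX = "AUTH=constructed; Path=/; Secure; SameSite=Strict"
REDIRECT_NONE = "AUTH_REDIRECT=/de/home; Path=/; SameSite=None"

if __name__ == "__main__":
    print(audit_cookie(GOOD, expect_host_prefix=True))
    print(audit_cookie(BAD_HOST, expect_host_prefix=True))
    print(audit_cookie(NO_PREFIX, expect_host_prefix=True))
    print(audit_cookie(REDIRECT_NONE, expect_samesite="None"))
```
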
Preview: Fixes a missing route for preview handling which would cause internal server errors for the /api/preview endpoint.
Helpers: Fixes a bug in the eachBc helper which caused the url field of the last entry to be unavailable when the currently displayed page was not the folder's startpage.
Helpers: The current field in the result of the eachBc helper has been renamed to currentFolderStartpage for clarity. The current field is deprecated and will be removed in a future version.
Some classes in the API package have been moved to different packages. This will very likely break existing implementations, but should be easy to fix, since the class names stayed the same.
The authentication handler is no longer added automatically but has to be initialized in the project's BootstrapInitializer. Have a look at the documentation for further information.
The cookie names have changed, so some users might no longer be logged in after an update of the Gentics Portal | java.
Some configuration items have been moved (see below). The old entries will still work (including setting them via environment variables where applicable), but are deprecated and will cause a warning message during portal startup. Where possible the settings in the old format will be propagated to the new setting.
The portal API key is no longer a mandatory configuration item. When neither the allowed IPs nor the API key are configured, all requests to the API endpoints will be forbidden.
Authentication: The authentication process has been reworked to provide more flexibility for custom handlers as well as the option to implement custom authentication handlers.
API: GET requests to /api/version or /api/preview will respond with a JSON object containing the name of the product, and the version.
Security: The API endpoints /api/version, /api/preview, and /api/clearCache are now protected by the SecurityHandler which will check if the request comes from an allowed IP address and if it contains the correct portal API key.
Configuration: The following configuration items are now obsolete or have been moved:
* portalAPIKey: moved to security.apiKey
* additionalResponseHeaders: moved to security.additionalResponseHeaders
* authentication.notAuthorisedPage: obsolete, configure a 403 redirect instead
* authentication.checkEndpoint: obsolete
* authentication.maxTemporaryEntries: obsolete
* authentication.callbackHost: obsolete
* authentication.callbackEndpoint: moved to authentication.keycloak.callbackPath
Navigation: The new navigation transformer MultipleRootNavigationTransformer is now available for injection in the BindModule. This transformer will behave the same way as the BasicNavigationTransformer with the exception that it will never skip the root node of the navigation tree, regardless of whether Project per Node is active or not.
Caching: Add detected language to cache key to fix a caching problem for pages with language fallback like /.
A new entry in the BindModule is necessary for the LoginRedirectHandler. There are two implementations available out of the box: the ServerLoginRedirectHandler which will send a final redirect via 303 See Other (this is the same behavior as before), and the ClientLoginRedirectHandler which will send a minimal HTML response with a <meta http-equiv="refresh"> tag that will cause the browser to navigate to the path set in the AUTH_REDIRECT cookie.
Content: Fixed language detection in portal applications when no language cookie is present.
Core: The proxy handler will now no longer follow redirects itself, but will pass any redirect response back to the calling client.
Core: It is now possible to have an OkHttpClient instance injected, which will not follow redirects, by using the new qualifier @NoRedirect.
Authentication: After a successful login the portal will perform a redirect which can be configured in authentication.loginRedirect.path. The default value is /auth/loggedin and the provided LoginRedirectHandlers will cause the final redirect to the path set in the AUTH_REDIRECT cookie. This change is to cope with SameSite=STRICT restrictions on the authentication cookies.
Core: Added additional checks for finished requests which reduce the probability of "The response has already been sent" errors.
CookieProvider: Added the option to configure the SameSite attribute when creating cookies.
Authentication: It is now possible to control the SameSite attribute for the AUTH_REDIRECT cookie. The default value is still Strict but can be changed to None by setting the configuration authentication.redirectCookieSameSiteStrict to false. This can be necessary if the login flow uses a completely different domain.
Content: Language cookie was not read correctly when useHostCookiePrefix is activated.
The network timeout setting has been moved from mesh.networkTimeout to networkTimeout. Both settings work for now, but mesh.networkTimeout is deprecated and will be removed in a future version.
Core: The network timeout setting now also applies to inbound requests, which will be terminated with a 503 Service Unavailable response if they take too long.
Monitoring: The new setting monitoring.conservativePortalState (default value false) can be enabled to set the portal state to NETWORK_ERROR as soon as a GraphQL request to Mesh fails due to a SocketException or SocketTimeoutException. This will cause the following requests to the /health/ready monitoring endpoint to respond with 503 Service Unavailable.
Core: The new authentication settings can be used to enable encryption of authentication cookies:
* authentication.encryptCookies: whether AUTH and AUTH_REFRESH cookies should be encrypted
* authentication.encryptionMode: one of DISABLED, PASSWORD_ONLY_KEY or AUTO_GENERATED_KEY to determine whether no encryption should be used, the cookie should be encrypted with authentication.encryptionPassword, or with an auto-generated secret key respectively
* authentication.encryptionPassword: the password to use as an encryption key when authentication.encryptionMode is set to PASSWORD_ONLY_KEY
Content: Fixes the check whether a language variant for a given URL can be loaded.
Navigation: A potential IndexOutOfBoundsException when processing navigation entries has been fixed.
Core: New util method to rethrow HTTP errors from Mesh REST client to the Portal | Java callers.
Monitoring: Additional metrics for outgoing requests will now be collected.
Configuration: The new settings mesh.maxRequests and mesh.maxRequestsPerHost allow better control over the connection between the portal and Mesh.
Core: The proxy handler for forwarding requests to Mesh plugins using the OkHttp HTTP client has been optimized to stream POSTed data to Mesh, which reduces the overall memory consumption. The new configuration setting mesh.writeQueueMaxSize allows control over the memory consumption per request while streaming POSTed data.
Core: A timeout for requests using the Vert.x or OkHttp HTTP clients (as well as the Mesh REST client) can now be set via the mesh.networkTimeout setting.
Core: The new HandlerProvider#pluginProxy() method creates a proxy handler for forwarding requests to Mesh plugins using the OkHttp HTTP client. The HandlerProvider#proxy() method using the Vert.x HTTP client is still available but has been deprecated.
Core: The new setting mesh.proxyHeaderWhitelist can be set to a list of HTTP header names that are allowed to be forwarded from the client to a Mesh plugin. Other headers will be removed. The following headers will always be added automatically to that whitelist:
* Accept
* Accept-Encoding
* Authorization
* Content-Encoding
* Content-Length
* Content-Type
* Cookie
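A model of the allow-list behaviour described above, as an added example (not the portal's own code), useful for reviewing which client headers would reach a Mesh plugin for a given configuration. It assumes header names are compared case-insensitively; the request headers and the configured entry X-Request-Id are constructed sample values.

```python
# Headers the changelog says are always added to mesh.proxyHeaderWhitelist.
ALWAYS_ALLOWED = (
    "Accept", "Accept-Encoding", "Authorization", "Content-Encoding",
    "Content-Length", "Content-Type", "Cookie",
)


def effective_whitelist(configured):
    """Configured names plus the always-allowed ones, lower-cased for comparison.

    Case-insensitive matching is an assumption of this model.
    """
    names = (*configured, *ALWAYS_ALLOWED)
    return frozenset(n.strip().lower() for n in names if n.strip())


def split_headers(request_headers, configured):
    """Partition (name, value) pairs into (forwarded, dropped).

    Order and repeated headers are preserved so the dropped list can be
    logged or reviewed as-is.
    """
    allowed = effective_whitelist(configured)
    forwarded, dropped = [], []
    for name, value in request_headers:
        target = forwarded if name.lower() in allowed else dropped
        target.append((name, value))
    return forwarded, dropped


# Constructed client request; addresses are from documentation ranges.
SAMPLE_REQUEST = [
    ("accept", "application/json"),
    ("COOKIE", "mesh.portal.language=de"),
    ("X-Request-Id", "constructed-123"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X-Forwarded-For", "198.51.100.9"),
    ("Host", "portal.example"),
]

if __name__ == "__main__":
    kept, removed = split_headers(SAMPLE_REQUEST, ["X-Request-Id"])
    print("forwarded:", [n for n, _ in kept])
    print("dropped:  ", [n for n, _ in removed])
```

With only X-Request-Id configured, client-supplied X-Forwarded-For and Host values do not reach the plugin in this model.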
Core: Fixes wrongly fetched cookies. These cookies are now extracted via CookieProvider.
The authentication redirect cookie is now a session cookie by default instead of having a max-age of one minute.
Authentication: The authentication redirect cookie is a session cookie by default, and the authentication process will redirect to / if the cookie got deleted during the login process to prevent infinite redirect loops.
Core: Loading of the GraphQL queries on Windows has been improved.
Core: The mandatory GraphQL queries are now checked for syntax and Mesh schemas consistency, at Portal startup.
GenticsImageStore: Now correctly processing filenames with umlauts and other allowed special characters.
Core: Requests to non-existent binaries no longer cause empty 404 responses, but will reroute to the 404 error page if it is configured.
The change in the base URL used for the sitemap generator depends on the serverUrl setting being correct in the portal configuration.
Sitemap: The configured serverUrl is used as base URL for the sitemap generator.
Helpers: Formhelper can now be injected.
Core: A scheduler problem in the NavigationHandler which caused "Response has already been written" and other follow-up errors has been fixed.
Content: The portal reroutes a request to a folder to its startpage if available.
The new setting mesh.requiredPlugins can be used to set the plugins that must be in state REGISTERED before the portal starts up.
The /health/ready monitoring endpoint can now check if Mesh is also ready by setting monitoring.ignoreMeshReady to false. For backwards compatibility this value is true by default, so only the portal status itself is checked. For the Mesh ready check to work, the mesh.monitoringPort setting must be set to the Mesh monitoring port.
Core: The portal waits for Mesh to be ready before starting up. Ready means Mesh is reachable and all plugins have the status REGISTERED.
Monitoring: The /health/ready endpoint can also check if Mesh is ready.
The new compatibility.mapNodeResponse setting is enabled by default which alters the default behavior of the preview. Implementations which used NodeResponse field names (e.g. parentNode instead of parent) in preview mode will no longer work, unless this setting is explicitly disabled.
Preview: The new setting compatibility.mapNodeResponse controls whether the data sent to the /api/preview endpoint will be processed so that the JSON will correspond to the structure of a GraphQL response.
Helpers: Fixes the default navigation helper profile for the eachNav helper. This should be unwrapped but has been default.
The current field of the result of the eachBc helper is now deprecated and currentFolderStartpage should be used instead.
Helpers: Fixes a bug in the eachBc helper which caused the url field of the last entry to be unavailable when the currently displayed page was not the folder's startpage.
Helpers: The current field in the result of the eachBc helper has been renamed to currentFolderStartpage for clarity. The current field is deprecated and will be removed in a future version.
Preview: Fixes a missing route for preview handling which would cause internal server errors for the /api/preview endpoint.
When the new configuration item authentication.useHostCookiePrefix is enabled, the authentication cookie names may change, and after the update users might no longer be logged in.
The new CookieProvider should be used to set and delete cookies to ensure consistent settings for all cookies the portal sets.
Updated Vert.x dependency to version 3.9.0.
Cookies: The SameSite attribute for cookies is now set to Strict for all cookies that the portal sets.
Authentication: when the new setting authentication.useHostCookiePrefix is set to true (default is false), and the serverUrl uses HTTPS, all cookies set by the portal will have the __Host- prefix.
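An added check (not part of the portal or its documentation) that audits Set-Cookie headers against the cookie settings described above: Secure on HTTPS, SameSite=Strict, and the browser rules for the __Host- prefix (Secure, Path=/, no Domain). The function names, the portal.example host and the sample headers are constructed; AUTH_REDIRECT is accepted with SameSite=None only when listed in samesite_none_ok, mirroring authentication.redirectCookieSameSiteStrict set to false.

```python
HOST_PREFIX = "__Host-"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value, https=True, host_prefix=False, samesite_none_ok=()):
    """Return a list of problems for one Set-Cookie header.

    https            -- the configured serverUrl uses HTTPS
    host_prefix      -- authentication.useHostCookiePrefix is true
    samesite_none_ok -- base cookie names allowed to use SameSite=None
    """
    name, _, attrs = parse_set_cookie(header_value)
    prefixed = name.startswith(HOST_PREFIX)
    base_name = name[len(HOST_PREFIX):] if prefixed else name
    samesite = attrs.get("samesite", "")
    problems = []

    # Browsers also require Secure for __Host- cookies and for SameSite=None.
    needs_secure = https or prefixed or samesite.lower() == "none"
    if needs_secure and "secure" not in attrs:
        problems.append("missing Secure")

    none_allowed = samesite.lower() == "none" and base_name in samesite_none_ok
    if samesite.lower() != "strict" and not none_allowed:
        problems.append(f"SameSite={samesite or 'unset'}, expected Strict")

    if host_prefix and https and not prefixed:
        problems.append("missing __Host- prefix")
    if prefixed:
        if attrs.get("path") != "/":
            problems.append("__Host- requires Path=/")
        if "domain" in attrs:
            problems.append("__Host- forbids Domain")
    return problems


def audit_response(set_cookie_headers, **settings):
    """Map cookie name -> problems, listing only cookies that have problems."""
    report = {}
    for header in set_cookie_headers:
        problems = audit_cookie(header, **settings)
        if problems:
            report[parse_set_cookie(header)[0]] = problems
    return report


# Constructed Set-Cookie headers, not captured from a real portal.
SAMPLE_HEADERS = [
    "__Host-AUTH=constructed-value; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-AUTH_REFRESH=constructed-value; Path=/; Domain=portal.example; Secure; SameSite=Strict",
    "AUTH_REDIRECT=/en/home; Path=/; SameSite=None",
    "mesh.portal.language=de; Path=/; Secure",
]

if __name__ == "__main__":
    report = audit_response(SAMPLE_HEADERS, host_prefix=True,
                            samesite_none_ok={"AUTH_REDIRECT"})
    for cookie, problems in report.items():
        print(f"{cookie}: {', '.join(problems)}")
```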
Navigation: The navigation helpers no longer remove the startpage information loaded by the navigation GraphQL query. The startpage information (with optional language fallback) is now available in this.startpage.
Caching: Now clears content cache when any node in the configured project has been created, deleted or updated. Before that, only CMS folders, pages and files caused a cache clear.
Sitemap: Generated links are not forcefully lowercased anymore.
Authentication: When there is a configured logout redirect, the portal will now try to do a language fallback for the current language when redirecting there.
Core: Authentication and caching handlers now have their dedicated route orders RouteOrder.AUTHENTICATION_ROUTES and RouteOrder.CACHING_ROUTES, which will both be handled before the RouteOrder.BEFORE_API_ROUTES. This reduces ordering problems for user specific redirection handlers.
Content: The handling of the redirect parameter of the /api/language endpoint has been improved.
Core: Fixes the nice URL path resolving
Core: Internal code cleanup
The internal values of the RouteOrder enum have changed, so that they are no longer consecutive but increment in steps of ten. This has no effect on existing implementations as long as the values from RouteOrder are used as is, but offers more flexibility for future implementations.
Core: Cookies will now set the secure flag, when the configured serverUrl uses HTTPS.
Caching: Fixes handler order to prevent problems with caching.
AuthenticationHandler: Fixes the redirect after the login or check endpoint. If the redirect cookie is set, this will be used as a redirect, otherwise the referer will be used.
It is now possible to add additional headers to all responses. Add entries to the additionalResponseHeaders configuration to make use of this. Here is an example:
additionalResponseHeaders:
  "Content-Security-Policy": "default-src 'self'"
Content: The handling of the redirect parameter of the /api/language endpoint has been improved.
Handlers: Fixed the RouteOrder the BasicPluginHandler uses to fix a problem with forwarded requests with bodies.
The GraphQL query for loading the sitemap has been changed. If you are using your own query for loading the sitemap nodes, you have to replace it to fit the new structure. Take a look at the new default query for an example.
The maven repository for the artifacts has been changed. Please make sure to include the commercial repository in your project build configuration.
<project>
  ...
  <repositories>
    <repository>
      <id>maven.gentics.com</id>
      <name>Gentics Maven Repository</name>
      <url>https://maven.gentics.com/maven2/</url>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
    <repository>
      <id>gtx-commercial</id>
      <name>Gentics Commercial Maven Repository</name>
      <url>https://maven.gentics.com/maven2-commercial/</url>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
  ...
</project>
Access to the commercial repository is restricted and thus a credential set has to be specified in your maven configuration.
<settings>
  ...
  <servers>
    <server>
      <id>gtx-commercial</id>
      <username>gtx-customer-xyz</username>
      <password>****************</password>
    </server>
  </servers>
  ...
</settings>
Uploading files (e.g. when uploading files to the form generator plugin) now requires less memory.
It is now possible to add additional headers to all responses. Add entries to the additionalResponseHeaders configuration to make use of this. Here is an example:
additionalResponseHeaders:
  "Content-Security-Policy": "default-src 'self'"
The PortalServerComponent setup has been altered. Instead of using DaggerPortalServerComponent::create the configuration has to be loaded before, and passed to the components builder. This means the main entry point of a portal starter class has to be adapted.
Old:
PortalStarter.start(DaggerPortalServerComponent::create);
New:
LoggingConfigurator.init();
PortalConfig config = PortalConfigLoader.createOrLoadOptions();
PortalStarter.start(() -> DaggerPortalServerComponent.builder().configuration(config).build());
The HandlerProvider must now be injected in the BootstrapInitializer implementation and passed along to the AbstractBootstrapInitializer.
The class MicrometerModule.class has to be added to the @Component annotation in your PortalServerComponent class.
Helpers: The evaluate helper will now cache generated templates.
Caching: The CachingHandler will now also cache authenticated requests based on the users roles in Mesh.
Caching: The CachingHandler will now also cache ETags of binaries downloaded from Mesh. The portal will respond to requests for binaries containing a If-None-Match header with a 304 Not Modified response, if the ETag is found in the cache.
Caching: Disk backed JCS caches can now be created by the CacheBuilder by specifying the diskCacheRegion(). This requires a cache.ccf configuration file. Detailed information can be found in the documentation.
Update Mesh dependency to 1.0.2. The portal will still work with older Mesh versions.
Monitoring: The following additional metrics are now collected by the metrics service:
* Content cache hits and misses
* Duration of requests to Mesh for loading content, binary files, GIS requests and loading the navigation
* The time needed for rendering content pages
Content: The template for rendering folder contents can now be configured with the folderTemplateName setting in the portal config.
Core: The communication between Gentics Mesh Server and portal has been optimized.
Core: Various enhancements have been made to improve portal performance. Native libraries will now be used to handle connections. Caching performance has been increased. Binary handling has been optimized.
Monitoring: The prometheus metrics format has changed. The internal metrics library has been replaced with micrometer.
Caching: It is now possible to use a faster memory-based caching system for the content cache. The caching.diskCacheRegionName setting can be used to set the used name for the cache region. When set to null the in-memory cache system will be used.
Updated Vert.x dependency to version 3.8.4.
The maven artifacts will now be signed via GPG.
Core: Loading of the GraphQL queries on Windows has been improved.
GenticsImageStore: Now correctly processing filenames with umlauts and other allowed special characters.
Core: Requests to non-existent binaries no longer cause empty 404 responses, but will reroute to the 404 error page if it is configured.
The change in the base URL used for the sitemap generator depends on the serverUrl setting being correct in the portal configuration.
Sitemap: The configured serverUrl is used as base URL for the sitemap generator.
Helpers: Formhelper can now be injected.
Content: The portal reroutes a request to a folder to its startpage if available.
The new compatibility.mapNodeResponse setting is enabled by default which alters the default behavior of the preview. Implementations which used NodeResponse field names (e.g. parentNode instead of parent) in preview mode will no longer work, unless this setting is explicitly disabled.
Preview: The new setting compatibility.mapNodeResponse controls whether the data sent to the /api/preview endpoint will be processed so that the JSON will correspond to the structure of a GraphQL response.
Helpers: Fixes the default navigation helper profile for the eachNav helper. This should be unwrapped but has been default.
Navigation: The navigation helpers no longer remove the startpage information loaded by the navigation GraphQL query. The startpage information (with optional language fallback) is now available in this.startpage.
Sitemap: Generated links are not forcefully lowercased anymore.
Caching: Now clears content cache when any node in the configured project has been created, deleted or updated. Before that, only CMS folders, pages and files caused a cache clear.
Content: The handling of the redirect parameter of the /api/language endpoint has been improved.
The internal values of the RouteOrder enum have changed, so that they are no longer consecutive but increment in steps of ten. This has no effect on existing implementations as long as the values from RouteOrder are used as is, but offers more flexibility for future implementations.
Caching: Fixes handler order to prevent problems with caching.
AuthenticationHandler: Fixes the redirect after the login or check endpoint. If the redirect cookie is set, this will be used as a redirect, otherwise the referer will be used.
Core: Cookies will now set the secure flag, when the configured serverUrl uses HTTPS.
It is now possible to add additional headers to all responses. Add entries to the additionalResponseHeaders configuration to make use of this. Here is an example:
additionalResponseHeaders:
  "Content-Security-Policy": "default-src 'self'"
Content: The handling of the redirect parameter of the /api/language endpoint has been improved.
Authentication: The handling of the redirect cookie has been improved.
Core: The host IP address the portal binds to can now be configured via the serverHost setting.
Redirects: Fixed a bug that caused redirects for URLs without query parameters to fail.
Updated Mesh dependency to 0.40.0. The portal will still work with older Mesh versions, but the modes for GenticsImageStore URLs mentioned below will be ignored.
GenticsImageStore: The mode parameter for GenticsImageStore URLs now properly forwards the modes smart, prop and force to Mesh.
The navigation and breadcrumb helpers have been overhauled. The helpers from the NavigationHelper and BreadcrumbHelper as well as the one from OverviewHelper have been moved to the ExtraHelper class, which is not registered automatically. If you wish to continue using the helpers, you have to register them in the BootstrapInitializer. Note that switching to the new helpers is highly recommended.
The result of postprocessing navigation data with the BasicNavigationTransformer has a slightly different structure now. The raw data navigation in the routing context should no longer be used directly, but only via the new navigation helpers.
The default GraphQL queries for loadByPath and loadNavigation have changed. Unless both queries were overridden anyway in the project, the query fragments are likely to need adaptions.
Helpers: The new helpers eachNav, eachNavFromLevel, eachNavFromFixedLevel, eachNavFromFolder, eachBc and eachBcRaw have been added to facilitate rendering navigation and breadcrumbs respectively.
Preview: Preview will now load the breadcrumbs of the corresponding folder, and provide minimal breadcrumb entry for the previewed page.
Content: The handling of the redirect parameter of the /api/language endpoint has been improved.
AuthenticationHandler: Fixes the redirect after the login or check endpoint. If the redirect cookie is set, this will be used as a redirect, otherwise the referer will be used.
Core: Cookies will now set the secure flag, when the configured serverUrl uses HTTPS.
It is now possible to add additional headers to all responses. Add entries to the additionalResponseHeaders configuration to make use of this. Here is an example:
additionalResponseHeaders:
  "Content-Security-Policy": "default-src 'self'"
Content: The handling of the redirect parameter of the /api/language endpoint has been improved.
Authentication: The handling of the redirect cookie has been improved.
Core: The host IP address the portal binds to can now be configured via the serverHost setting.
Redirects: Fixed a bug that caused redirects for URLs without query parameters to fail.
Sitemapgenerator: The portal now comes with a default loadAllForSitemap.graphql query. The fields to be loaded can be fine tuned in the sitemapContentFields fragment.
Sitemapgenerator: Fixed a bug that caused folders to appear in the sitemap.
Redirects: Query parameters of requests that will cause a custom redirect are now retained.
Content: The /api/language endpoint now accepts the query parameter redirect. In addition to setting or deleting the language cookie, the response will redirect to the specified URL (normally the version of the current page in the desired language).
Content: The {{ i18n }} helper will now correctly translate to the detected portal language if no language parameter is specified.
The search handler has been removed from the portal, and is now available as a Mesh plugin. All search related configuration items have become invalid. The new BasicPluginHandler can be used in the BootstrapInitializer to enable search. Alternatively the search and autocomplete handlers can be created by the CompatibilityHandlerProvider.
Since the search Mesh plugin depends on the new plugin system, this portal version can only be used with Mesh 0.37.0 or higher unless search is not needed.
Some keys for values stored in the routing context have been changed. Check the PortalFlags class for the new values.
Updated Mesh dependency to version 0.39.2. The portal will still work with Mesh versions 0.37.0 or higher.
Updated Vert.x dependency to version 3.8.0. This will resolve SUP-7610.
Plugins: The generic BasicPluginHandler can be used to forward requests to Mesh plugins.
Content: The portal now determines the language to be used in this order:
1. The value of the mesh.portal.language cookie
2. The language of the currently requested page
3. The Accept-Language HTTP header field
The language can be changed by a request to /api/language with the desired language in the lang query parameter.
Content: Before rerouting to a configured status page, or the configured start page, the portal will try to determine the path to the correct language and reroute there.
Content: The framework now comes with a default loadByPath GraphQL query which has the correct structure. The concrete fields to load should be defined in the fragment contentFields (placed in $queryPath/fragments/contentFields.graphql)
Redirects: Fixed a bug that caused redirects for URLs without query parameters to fail.
Sitemapgenerator: The portal now comes with a default loadAllForSitemap.graphql query. The fields to be loaded can be fine tuned in the sitemapContentFields fragment.
Sitemapgenerator: Fixed a bug that caused folders to appear in the sitemap.
Redirects: Query parameters of requests that will cause a custom redirect are now retained.
A core library has been updated to a new version, special care should be taken to ensure projects still build and behave as expected.
Updated Vert.x dependency to version 3.8.0. This will resolve SUP-7610.
Preview: The new setting compatibiliy.preview (default value is false) can be set to true to make sure that the {{# renderMode 'preview' }} helper will behave correctly when the renderMode parameter is missing.
Content: When a page is loaded via the /api/preview endpoint the concrete preview mode will be determined by the renderMode query parameter. The {{ getRenderMode }} and {{# renderMode 'mode' }} helpers now distinguish the modes PREVIEW, EDIT, and PUBLISH.
Formgenerator: File uploads for forms can now be downloaded via the portal, but the UUID of the form data is necessary for that.
The NavigationTransformer now receives a RoutingContext instance as parameter as well. The method signature has therefore been updated from JsonArray transform(JsonObject) to JsonArray transform(JsonObject, RoutingContext).
Updated Gentics Mesh dependency to version 0.31.6.
This version of the portal can still be used with Mesh servers version 0.31.0 and up, as long as the new processJob() method and the Schema REST model are not used in custom implementations.
Core: The Mesh REST client update fixes a problem that caused problems with the eventbus, which in turn caused problems with cache invalidation.
Core: The Host header will no longer be forwarded by the portal because this can cause problems with certain proxy setups.
Core: Additional logging has been added to facilitate debugging.
Handler: The new logoutAll endpoint allows the user to log out from all the portals defined in the configuration.
Authentication: Improved authentication cookie handling.
For example
singleSignOut:
singleSignOutPath: /link
externalPortals:
- http://portal1/
- http://portal2/
- http://portal3/
This handler will start a chain of sign-out requests starting from the requesting portal, and going through each of the portals defined in the config.
Note the Server URL must also be included in the external portals list.
Also note all the external portals must be configured with the same order in each portal.
Core: The Authorization and Cookie HTTP headers will no longer be forwarded to Mesh requests, since this is handled by the Mesh REST client itself.
Core: The portal will handle Mesh responses with non 200 status codes more gracefully.
Handler: The comment handler has been added which enables the use of the Mesh comment plugin.
Authentication: Updated the handling of the "AUTH_REDIRECT" cookie to get updated to the most recent URI, instead of sticking to the first one.
Core: Requests forwarded to Mesh via the proxy handler now forward the authentication cookie correctly.
Search: The Mesh schema prefix can now be specified for cross project searches by adding :SCHEMA_NAME to the name of a searchable project. This is necessary when projects have the Project per Node feature enabled.
For example
search:
  projects:
    - pr1
    - My_Other_Project:pr2
specifies that search results from project pr1 just have the project name as schema prefix (i.e. pr1_), while results from My_Other_Project use the schema prefix pr2_.
Note that no whitespace is allowed around the :.
Also note that when using the wildcard * all projects must use the same schema.
The way to check for preview mode in a Handlebars template has changed. You can use the new helper {{# renderMode 'preview' }} to render a block only in preview mode. This remedies an unintended breaking change in 0.4.0 where is_preview was renamed.
Templates: The new helpers {{ getRenderMode }} and {{# renderMode 'mode' }} help to distinguish different rendering modes. As of now the only supported modes are preview and publish.
Caching: Fixed a bug that caused data to be cached under the wrong key.
Navigation: Fixed a bug that caused the navigation to be unavailable in preview/edit mode.
Content: Fixed a bug in BinaryHandling if path is not part of the GraphQL-Response
Caching: Fixed a bug that caused error pages to be cached, resulting in responses with status code 200 instead of the correct error code.
Configuration: Fixed a bug in the authentication configuration that would prevent the portal from starting when a protected endpoint was configured in the server.yml but not in the server.local.yml.
Content: HTTP headers for range requests are now forwarded correctly from and to Mesh. Also responses to requests with the Range header will now have the correct response status code 206.
Monitoring: The monitoring verticle now provides metrics for Prometheus.
Configuration: Portal configuration entries are now correctly overridden by environment variables.
StaticHandler: Change the route order of the static handler, so it will be called before loading the content.
Authentication: The cookie handling has been improved.
Core: Added logging for eventbus errors.
Core: Added missing dependency injection for Vertx.
Metrics
This version of Gentics Portal | java introduces the Monitoring feature. The portal will bind the monitoring server to port 3001 by default. New configuration settings have been added to allow configuration of this server. NOTE: The monitoring API should not be exposed publicly and will by default only bind to localhost.
Download Handler: A NPE in the download handler which could happen if the targeted path does not return a binary was fixed.
Search: The language field from the GraphQL query result is now added automatically to search results, before handing them to the HitTransformer.
Monitoring: The MonitoringServiceVerticle can now be deployed by a BootstrapInitializer, to provide endpoints to monitor the status of the portal.
Configuration: The Vert.x worker and event loop pool sizes can now be configured via vertx.workerPoolSize and vertx.eventPoolSize respectively.
The portal search now expects that the GraphQL query to load result details loads the languages field of all elements.
Search: Fixed a bug when an Elastic search query found the same elements in different languages.
Search: Fixed a bug that caused the total hits for a search to be wrong.
Rendering the page has been moved to RouteOrder.RENDER_ROUTES, so that custom handlers can perform actions during the RouteOrder.CONTENT_ROUTES which are needed for rendering.
The caching configuration has changed, and the old caching: true|false and customCacheKeyParameters entries will no longer work. Also the CookieDisclaimerAccepted will no longer be added automatically to caching.customParameters.
The navigation now uses a NavigationTransformer to customize navigation data. This NavigationTransformer must be bound in a bind module. The default implementation is BasicNavigationTransformer.
The BasicNavigationTransformer will filter elements which have the navhidden flag set, so Handlebars templates can possibly be optimized by removing respective checks.
Update Gentics Mesh dependency to version 0.31.0.
Caching: The caching configuration now looks like this:
* caching.enabled (boolean): Whether caching should be enabled
* caching.customParameters (list of strings): Additional data from the routing context that should be added to cache keys
Caching: Custom caches can now be created by the CachingProvider.
Navigation: The navigation handler can be configured now:
* navigation.sortOrderField (string): The field which should be used to sort elements
* navigation.hiddenField (string): The field which indicates whether an element should be hidden
* navigation.expireTime (integer): How many seconds the navigation should be cached
Navigation: The navigation is now loaded independently from the displayed page. Any fields in the loadByPath queries that are used to construct the navigation can be removed. The navigation entries are available in Handlebars templates under the key navigation.
QueryStore: GraphQL queries can now be split up. A query is scanned for undefined fragments, and the QueryStore tries to load these from $queryPath/fragments/fragmentName.graphql.
Core: The Authorization HTTP header will no longer be forwarded to Mesh requests, since this is handled by the Mesh REST client itself.
Core: The portal will fail requests more gracefully when Mesh responds with an unexpected status code.
Authentication: Updated the handling of the "AUTH_REDIRECT" cookie to get updated to the most recent URI, instead of sticking to the first one.
Caching: Fixed a bug that caused error pages to be cached, resulting in responses with status code 200 instead of the correct error code.
Configuration: Fixed a bug in the authentication configuration that would prevent the portal from starting when a protected endpoint was configured in the server.yml but not in the server.local.yml.
Configuration: Portal configuration entries are now correctly overridden by environment variables.
StaticHandler: Change the route order of the static handler, so it will be called before loading the content.
Authentication: The cookie handling has been improved.
Core: Added missing dependency injection for Vertx.
Download Handler: A NPE in the download handler which could happen if the targeted path does not return a binary was fixed.
Search: The language field from the GraphQL query result is now added automatically to search results, before handing them to the HitTransformer.
Monitoring: The MonitoringServiceVerticle can now be deployed by a BootstrapInitializer, to provide endpoints to monitor the status of the portal.
Configuration: The Vert.x worker and event loop pool sizes can now be configured via vertx.workerPoolSize and vertx.eventPoolSize respectively.
The portal search now expects that the GraphQL query to load result details loads the languages field of all elements.
Search: Fixed a bug that caused the total hits for a search to be wrong.
Search: Fixed a bug when an Elastic search query found the same elements in different languages.
Rendering the page has been moved to RouteOrder.RENDER_ROUTES, so that custom handlers can perform actions during the RouteOrder.CONTENT_ROUTES which are needed for rendering.
Search: Fixed a bug that could cause did-you-mean suggestions for which no search hits exist in the searched projects.
Search: Fixed the BasicSearchQueryBuilder which did not use the legacySearchParameterProvider to add custom parameters.
Search: Special characters will now be removed from the search query parameter by the BasicSearchQueryBuilder.
The version of the Mesh REST client has been updated, and implementations using the client will likely need adaptions.
The BranchProvider is now provided by the PortalModule and no longer needs to be bound in a custom BindModule. This was an unintentional change in 0.2.5.
The way search results are loaded has changed, so searchResultItem queries need to be changed to use the nodes field with a list of UUIDs and a language parameter instead of a node field with a single UUID. Custom HitTransformers will also need to be adapted.
The %size% and %from% placeholders in Elasticsearch queries are no longer supported, because those fields will be inserted automatically.
Updated Gentics Mesh dependency to version 0.30.1.
Configuration: The new configuration entry defaultLanguage will be used by search queries without an explicit language parameter.
Search: The search handlers offer more configuration possibilities now:
* search.enabled (boolean): Whether the search endpoint should be enabled
* search.pageSize (integer): The number of hits to show per page
* search.projects (list of strings): The searchable projects
* search.resultQuery (string): The name of the search result query
* search.searchPath (string): The endpoint for search queries
* search.autocompletePath (string): The endpoint for autocomplete queries
* search.didYouMeanThreshold (integer): How many hits are required to skip the did-you-mean-suggestions
When no resultQuery is configured the HitTransformer will get the raw Elasticsearch results. Note that the old searchableProjects configuration has been replaced by search.projects and is now deprecated.
Binary files: Fixed a bug which could cause wrong MIME types for image and file responses.
Sitemapgenerator: Fixed a bug where URLs were rendered with a port ':-1' when no port was set in the hostname of a Mesh branch.
Search: Fixed a bug that could cause a search request to fail when the query parameter contained special characters.
Search: Search performance has been improved by reducing the number of GraphQL queries to load additional information.
Search: Fixed a bug that prevented search hits from a different project.
Authentication: Updated the handling of the "AUTH_REDIRECT" cookie to get updated to the most recent URI, instead of sticking to the first one.
Caching: Fixed a bug that caused error pages to be cached, resulting in responses with status code 200 instead of the correct error code.
Configuration: Fixed a bug in the authentication configuration that would prevent the portal from starting when a protected endpoint was configured in the server.yml but not in the server.local.yml.
Configuration: Portal configuration entries are now correctly overridden by environment variables.
StaticHandler: Change the route order of the static handler, so it will be called before loading the content.
Authentication: The cookie handling has been improved.
Monitoring: The MonitoringServiceVerticle can now be deployed by a BootstrapInitializer, to provide endpoints to monitor the status of the portal.
Configuration: The Vert.x worker and event loop pool sizes can now be configured via vertx.workerPoolSize and vertx.eventPoolSize respectively.
Sitemapgenerator: Fix a bug where URLs were rendered with a port ':-1' when no port was set in the hostname of a Mesh branch.
GenticsImageStore: Fixed a bug that SVG images were not served with the correct MIME type.
Duplicate data provider keys will now be ignored, or even prevent startup when dataProvider.preventStartupOnError is enabled.
DataProvider: Data provider entries are now prefilled with empty JSON object during initialization.
DataProvider: When dataProvider.retryOnError is set to false, a Mesh data source whose refresh failed will no longer be removed completely (there will be no further attempts to refresh it, however). This was always the behavior for web datasources.
DataProvider: The timestamp of the last successful refresh of a datasource has been fixed. It is available in the routing context with the key DATASOURCEKEY_ts.
DataProvider: Fixed a bug that only the first post processor was created even when the configuration contained multiple ones.
DataProvider: Fixed a bug that caused loading a web datasource to fail when the Content-Type header was missing.
Authentication: Improved handling of the auth redirect cookie and made the cookie’s max age configurable so that it won’t be deleted during longer login processes.
When posting a node for preview to a folder path that was not found in Mesh, rendering the preview caused an internal server error. This is fixed now; the preview will be rendered with an empty navigation and breadcrumb.
Handling of errors while rendering or previewing content has been improved.
The serverUrl configuration entry is now required.
When the configured serverUrl did not explicitly set the port, the respective hostname in the project's default branch in Mesh was not set correctly. This has been fixed.
The maximum number of shown breadcrumb entries can now be configured via breadcrumbsLevel (default is no limit).
Adapt breadcrumb handling to the changes in Mesh 0.23.0
The required version of Gentics Mesh introduced changes to the paging and breadcrumb mechanism. The new eachBreadcrumb handlebars helper should now be used to iterate over breadcrumbs instead of the eachReversed helper.
Updated Gentics Mesh dependency to version 0.27.0.
The concept of releases has been changed to branches. See Gentics Mesh Changelog 0.24.0/0.23.0 for more details.
Portal Servers can now load Mesh data from different branches. The branch selection mechanism can be plugged in by adding a BranchSelectorHandler instance to all routes. Branch selection can be based on hostname or path of the request (which is matched against hostname and pathPrefix stored in the Mesh branch) and an optionally configured implementationVersion.
DataProviderVerticle: When loading data from Mesh, it is now possible to configure multiple URLs as list for every data key.
Authentication: Updated the handling of the "AUTH_REDIRECT" cookie to get updated to the most recent URI, instead of sticking to the first one.
Caching: Fixed a bug that caused error pages to be cached, resulting in responses with status code 200 instead of the correct error code.
Configuration: Fixed a bug in the authentication configuration that would prevent the portal from starting when a protected endpoint was configured in the server.yml but not in the server.local.yml.
Configuration: Portal configuration entries are now correctly overridden by environment variables.
Authentication: The cookie handling has been improved.
Monitoring: The MonitoringServiceVerticle can now be deployed by a BootstrapInitializer, to provide endpoints to monitor the status of the portal.
Configuration: The Vert.x worker and event loop pool sizes can now be configured via vertx.workerPoolSize and vertx.eventPoolSize respectively.
The way search results are loaded has changed, so searchResultItem queries need to be changed to use the nodes field with a list of UUIDs instead of a node field with a single UUID and a language parameter. Custom HitTransformers will also need to be adapted.
Implementations of SearchQueryBuilder must now provide did-you-mean queries.
The %size% and %from% placeholders in Elasticsearch queries are no longer supported, because those fields will be inserted automatically.
Updated Gentics Mesh dependency to version 0.22.11.
Configuration: The new configuration entry defaultLanguage will be used by search queries without an explicit language parameter.
Search: The search handlers offer more configuration possibilities now:
search.enabled (boolean): Whether the search endpoint should be enabled
search.pageSize (integer): The number of hits to show per page
search.projects (list of strings): The searchable projects
search.resultQuery (string): The name of the search result query
search.searchPath (string): The endpoint for search queries
search.autocompletePath (string): The endpoint for autocomplete queries
search.didYouMeanThreshold (integer): How many hits are required to skip the did-you-mean-suggestions
When no resultQuery is configured the HitTransformer will get the raw Elasticsearch results. Note that the old searchableProjects configuration has been replaced by search.projects and is now deprecated.
Search: Fixed a bug that could cause a search request to fail when the query parameter contained special characters.
Search: Search performance has been improved by reducing the number of GraphQL queries to load additional information.
Search: Fixed a bug that prevented search hits from a different project.
Sitemapgenerator: Fixed a bug where URLs were rendered with a port ':-1' when no port was set in the hostname of a Mesh branch.
GenticsImageStore: Fixed a bug that SVG images were not served with the correct MIME type.
Duplicate data provider keys will now be ignored, or even prevent startup when dataProvider.preventStartupOnError is enabled.
DataProvider: Data provider entries are now prefilled with empty JSON object during initialization.
DataProvider: Fixed a bug which could cause inserted data to be empty, when refreshing of the datasource failed at least once.
DataProvider: When dataProvider.retryOnError is set to false, a Mesh data source whose refresh failed will no longer be removed completely (there will be no further attempts to refresh it, however). This was always the behavior for web datasources.
DataProvider: The timestamp of the last successful refresh of a datasource has been fixed. It is available in the routing context with the key DATASOURCEKEY_ts.
DataProvider: Fixed a bug that only the first post processor was created even when the configuration contained multiple ones.
DataProvider: Fixed a bug that caused loading a web datasource to fail when the Content-Type header was missing.
Authentication: Improved handling of the auth redirect cookie and made the cookie’s max age configurable so that it won’t be deleted during longer login processes.
When posting a node for preview to a folder path that was not found in Mesh, rendering the preview caused an internal server error. This is fixed now; the preview will be rendered with an empty navigation and breadcrumb.
Handling of errors while rendering or previewing content has been improved.
The serverUrl configuration entry is now required.
When the configured serverUrl did not explicitly set the port, the respective hostname in the project's default release in Mesh was not set correctly. This has been fixed.
When using the UserClientHandler for forwarding the JWT token to Mesh, search requests were always done with the anonymous user, which has been fixed now.
Fixed NPE in Handlebars #equals helper.
Fix SERVER_URL environment variable not overriding config value.
Make authentication options overridable with environment variables.
It is required to add the following binding in your portal Dagger configuration:
@Binds
abstract SearchQueryBuilder searchQueryBuilder(BasicSearchQueryBuilder e);
It is now possible to dynamically generate search queries using SearchQueryBuilder implementations. The SearchParameterProvider has been deprecated in favour of this new interface.
Check for null Portal Server URL before using in the redirect.
After logout the user will be redirected to the URL defined in Config (logoutRedirect). If the placeholder {URL} is present, it will be replaced with the HTTP referer before redirecting.
Instances of the static handler were shared between verticles, which could lead to threading problems, e.g. when caching of static files was activated. This has been fixed; each verticle now uses its own instance of the static handler.
It is now possible to enable caching of static files using the entries static.caching and static.maxAge in the server.yml. Also the path to static files should now be configured using static.path instead of staticPath.
When the authentication token was expired and no refresh token was available (or token refreshing failed, because no realm secret key was configured), an error occurred. This has been fixed now: the user will be logged out and the request will be handled as an anonymous request.
When the SSO idle timeout of Keycloak tokens was shorter than the lifespan of the access tokens, the authentication handler would throw a NullPointerException. This has been fixed, and the handling of refreshing access tokens has been improved.
Improved binary file serving performance for videos, audio files and PDFs. Previously, only images received this treatment.
Updated the used Mesh version to 0.22.2, which addresses a bug with duplicated HTTP request headers.
Fixed potential NullPointerExceptions in the search and auto-complete handlers and improved error logging.
Search failed on projects with prefixed indices (single Elasticsearch instance for multiple projects). This is fixed now.
A dedicated error handler which logs errors has been added to the default failure handlers.
Fixed a potential NullPointerException in the CachingHandler.
Project names will no longer be converted to lower case when filtering an Elasticsearch query by project.
Added support for SSL connections to the Gentics Mesh server. The MESH_SSL environment variable and mesh.ssl property in the server.yml have been added in order to enable SSL connections. By default SSL connections are disabled.
The MESH_SCHEMA_PREFIX environment variable and meshSchemaPrefix property in the server.yml have been added to support implementations where the schema prefix is not identical to the Mesh project name.
Added environment variable handling to server. It is now possible to override most settings via environment variables. The old environment variables mesh.port, mesh.host, server.port have been removed.
The rendering of HandlebarTemplates is now executed in a Worker instead of blocking the EventLoop.
It is now possible to have a request handled by multiple PortalApplications (keys must be separated by comma in the field).
Updated Vert.x dependency to version 3.5.3.
Updated Gentics Mesh dependency to version 0.22.0.
It is now possible to add resource bundles (as YAML files) in the folder configured as i18nPath (which defaults to data/i18n). The entries from the resource bundles can then be used in templates via {{{i18n [key] [language] [bundle]}}} (where [language] is optional and defaults to the rendered Node’s language and [bundle] is optional and defaults to portal).
Handling of requests to secured contents has been improved: Anonymous requests to secured contents will be redirected to the login page (if oauth is configured). Logged in requests with insufficient permissions on the requested contents will get a 403 answer.
Redirection to status pages has been fixed: If the configured status page does not exist, the response will not always have status code 404, but will have the original status code.
The configuration entry authentication.callbackURL has been removed and authentication.callbackEndpoint has been re-added. The callback URL for the authentication process will now be constructed from the serverUrl and authentication.callbackEndpoint entries.
Portal implementations can now add the UserClientHandler to forward JWT access tokens to calls to Mesh.
When updating host information for Mesh project releases, the port is now also added to the hostname.
The portal will no longer fail to start when the configuration lacks an authentication section and authentication is not needed.
The keycloak configuration read from keycloak.json can now be extended with configuration options read from the optional file keycloak.local.json.
Fixed incorrect URL escaping when loading binary data via webroot.
The config entries authentication.callbackHost and authentication.callbackEndpoint from AuthenticationConfig were deleted and replaced by a new parameter named callbackURL. It should contain a full callback URL (e.g. https://localhost/auth/callback).
Logout endpoint and a redirect page after logout can now be configured.
The access token stored in the routing context is no longer Base64-encoded; it is now the decoded JSON object.
Search results can now be filtered by supplying tags in the query parameter t. Multiple tags can be specified by passing the parameter multiple times or by specifying the tags as a comma separated list in a single parameter.
Portal applications are now added via injection by providing a custom PortalApplicationRegistry.
The applications entry has been removed from the configuration. Configuration for portal applications must now be provided by a custom module.