Jahia 8.0.1 Release Notes

December 21, 2021
Release notes correction
The previous version of the page incorrectly indicated that the Jahia 8.0.1.0 installer included Tomcat 9.0.34. The correct version is Tomcat 9.0.37.

What's new?

Jahia 8.0.1 is a maintenance release that includes various bug fixes and some notable improvements to Jahia 8:

Actions

Security

Jahia 8.0.1 introduces two security improvements for actions:

  1. Jahia 8.0.1 improves the security of actions by preventing the execution of actions based on GET by default and allowing only actions using POST. If you are using such actions, you need to explicitly authorize them by adding requiredMethods="GET,POST" in the Spring action files (see example). This has been applied to the following core actions:
    • checkClipboard.do
    • getWorkflowTasks.do
    • languagesCount.do
    • matchingTags.do
    • generateEventIcs.do
    • getLinkCheckingResults.do
  2. Jahia 8.0.1 introduces a new module, the CSRF Guard, which automatically adds CSRF token protection to all calls to a Jahia Action made from a Jahia page/context. Actions called outside of a Jahia context will not go through because they are missing the required CSRF token. To allow such actions to execute, you need to explicitly exclude them from the CSRF Guard protection. This knowledge-base article explains how to do so.

 

In summary, when upgrading to Jahia 8.0.1 you must do the following with actions:

  • POST actions executed from a Jahia page/context: no changes to make
  • POST actions executed outside of Jahia and missing the CSRF token: you need to exclude them from the CSRF Guard protection (see point 2)
  • GET actions executed from a Jahia page/context: you can either
    • refactor your code to use POST (recommended)
    • explicitly authorize the GET method (see point 1)
  • GET actions executed outside of Jahia and missing the CSRF token: you need to address both points 1 and 2.
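
The upgrade checklist above can be applied to module templates before upgrading. The following is an added example, not code from Jahia: it scans markup for links and forms that target a `.do` action, reports those that would be sent with GET, and flags actions from the deprecated list below. It assumes action URLs end in `<name>.do`; the names `exportReport` and `subscribe` and the sample markup are constructed. Calls made from outside Jahia (CSRF Guard exclusion) are not covered.

```python
from html.parser import HTMLParser
import re

# Actions the release notes list as deprecated in Jahia 8.0.1.
DEPRECATED = set("""commentTask executeTask lock lockEditableFile move
startPublicationWorkflow startWorkflow unlock addMemberToAcl addMemberToGroup
addPrincipalsInRoles autoPublication checkClipboard cleanClipboard createBoard
getWorkflowTasks multipleCopy multipleCut multipleDelete multiplePaste
multiplePublish publish adminCreateSite adminDeleteSite adminEditSite""".split())

ACTION_RE = re.compile(r"([A-Za-z0-9_-]+)\.do(?=[?#]|$)")  # last token before ".do"

class ActionCallFinder(HTMLParser):
    """Collects (action, method) for links and forms that target a *.do URL."""
    def __init__(self):
        super().__init__()
        self.calls = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "form"):
            return
        a = dict(attrs)
        # A link is always GET; a form without a method attribute also submits with GET.
        url = a.get("href") if tag == "a" else a.get("action")
        method = "GET" if tag == "a" else (a.get("method") or "get").upper()
        m = ACTION_RE.search(url or "")
        if m:
            self.calls.append((m.group(1), method))

def audit(markup):
    """Return (action, method, notes) for each action call found in markup."""
    finder = ActionCallFinder()
    finder.feed(markup)
    report = []
    for name, method in finder.calls:
        notes = []
        if method != "POST":
            notes.append('blocked by default: switch to POST or set requiredMethods="GET,POST"')
        if name in DEPRECATED:
            notes.append("deprecated in 8.0.1")
        report.append((name + ".do", method, notes))
    return report

# Constructed template fragment (hypothetical action names, not from a real module).
SAMPLE = """
<a href="${url.base}${currentNode.path}.exportReport.do?format=csv">Export</a>
<form action="${url.base}${currentNode.path}.subscribe.do" method="post"></form>
<form action="${url.base}${currentNode.path}.lock.do"></form>
"""
```

Calling `audit(SAMPLE)` returns one tuple per action call; an empty notes list means a POST call that needs no change when rendered from a Jahia page.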

 

Deprecated actions

The following actions are deprecated in Jahia 8.0.1:

  • commentTask.do
  • executeTask.do
  • lock.do
  • lockEditableFile.do
  • move.do
  • startPublicationWorkflow.do
  • startWorkflow.do
  • unlock.do
  • addMemberToAcl.do
  • addMemberToGroup.do
  • addPrincipalsInRoles.do
  • autoPublication.do
  • checkClipboard.do
  • cleanClipboard.do
  • createBoard.do
  • getWorkflowTasks.do
  • multipleCopy.do
  • multipleCut.do
  • multipleDelete.do
  • multiplePaste.do
  • multiplePublish.do
  • publish.do
  • adminCreateSite.do
  • adminDeleteSite.do
  • adminEditSite.do

EL 3 support

  • Jahia 8 includes an upgraded version of pax-web-jsp (for compatibility reasons with the upgraded version of Karaf provided with Jahia 8) which contains an embedded version of Jasper (JSP engine) and EL 3.0.
  • Support for static field and method references in EL 3.0 is disabled by default on new installations. If you are migrating from a previous version, you can disable it by adding -Djavax.el.class-resolution.disableOnLowerCase=true to the start options of Jahia. Note that if you do not disable it, the DEBUG logs will show which JSPs to update.
  • Some of our JSPs, such as those in the news and search modules, have been updated to optimize EL resolution.

Jahia tools

  • Jahia tools are now accessible with Jahia users instead of a single dedicated user. Find out more.

Jahia 8.0.0.0 >> 8.0.1.0 - Changelog

Security

  • Improved protection on actions against CSRF attacks

Core

  • Improved browsing performance by optimizing some EL statements
  • Set org.atmosphere.interceptor.HeartbeatInterceptor.heartbeatFrequencyInSeconds via a variable in jahia.properties
  • Disabled EL3 feature by default (support of Static Field and Method Reference)
  • Addressed an issue with session expiry
  • Added CSRF tokens to secure the Core actions
  • Fixed known issue preventing Jahia from restarting with SQL Server
  • Fixed session handling used for API calls
  • Added ability to set id attribute in login and search forms
  • Fixed issue when starting a bundle in the default cluster group by preventing module operations from failing when state cannot be persisted
  • Fixed issue with openJDK 1.8_262 by upgrading icu4j
  • Fixed random infinite loading after login on a site with a server name
  • Fixed dependentProperties on choiceList selection

Page Composer

  • Fixed issue with Live button after renaming the system name for a page
  • Fixed access to the backend for users with an apostrophe in their name
  • Fixed the broken navigation after switching between sites in additional accordion
  • Fixed issue on site node when debug log is activated
  • Fixed issue in default infinite pager by updating the js scroll condition to greater than or equal to instead of absolute equality
  • Removed duplicate fields on inherited mixin

Page Model

  • Fixed issue with template field when using a page model in Content Editor

Module Management

  • Added a work in progress panel while uploading module

Rendering

  • Improved the logging to trace issues with template resolution

Studio

  • Fixed the default groupID of new module/templates to use org.foo.modules
  • Fixed issue with node types editing
  • Fixed issue with copy/pasting primary nodetype definition in Studio

Jahia Tools

  • Made /tools accessible to Jahia users instead of a single dedicated user

User Dashboard

  • Fixed workflow with LDAP users

Anthracite Theme

  • Fixed display of headline in the publication review screen
  • Fixed a missing scrollbar in edit engine screens on Chrome

Installer

  • Upgraded the Tomcat version provided by the installer to 9.0.37
  • Fixed links to the Academy in the installer

Docker

  • Removed the /tools credentials in Docker images

Modules - Changelog

App Shell (2.1.0)

  • Fixed browser cache issue with js bundle files
  • Removed Jahia-Deploy-On-Site tag as it could lead to an issue with languages during a remote publication

Bootstrap3 (4.1.0)

  • Fixed broken links in bootstrap3-tabs

CKEditor (4.13.1)

  • Fixed empty macros menu by adding back jQuery in CKEditor

Distributed Sessions (3.1.0)

  • Improved reliability of distributed sessions in Jahia 8

GraphQL (2.1.0)

  • Added a GraphQL endpoint to create JCR nodes without saving them

Jahia UI modules (1.1.0)

  • Removed Jahia-Deploy-On-Site tag as it could lead to an issue with languages during a remote publication

JAX-RS OSGi Extender (3.1.0)

  • Fixed API call issue by avoiding embedding JARs into bundle provided by jax-rs jahia feature

jContent (2.1.0)

  • Fixed issue with empty accordion when editing system name and publishing
  • Updated the "unpublication" icon in jContent menu
  • Fixed missing label while deleting a folder
  • Fixed size of icons in contextual menus
  • Fixed secondary action-menu
  • Fixed issue with contextual menu
  • Fixed deletion of a multi-selection
  • Fixed issue with deletion of a non published folder that had published content
  • Restricted Jahia-Deploy-On-Site tag to system-site as it could lead to an issue with languages during a remote publication

LDAP Connector (4.1.0)

  • Fixed NonSerializableException while failing to create LDAP connection

Macros (8.1.0)

  • Replaced Spring with OSGi

Rating (3.1.0)

  • Replaced Spring with OSGi

Remote Publication (9.1.0)

  • Fixed journal inconsistency in remote publication with AB test on a page

Roles and Permissions (8.1.0)

  • Fixed labels in the Roles and Permissions tab
  • Updated the LDAP documentation link to the correct Academy page

Maven archetypes (4.2)

  • Updated the archetype for template sets to work with V8