Jahia 8.0.1 Release Notes
December 21, 2021
Release notes correction
The previous version of the page incorrectly indicated that the Jahia 8.0.1.0 installer included Tomcat 9.0.34. The correct version is Tomcat 9.0.37.
What's new?
Jahia 8.0.1 is a maintenance release that includes various bug fixes and some notable improvements to Jahia 8:
- Content Editor 3.0.0 - Changelog
- Synchronization between title and system name
- Support for dynamic fields and dependent properties. For more information, see Creating dynamic forms in Content Editor.
- Automatic ordering of content. For end-user information, see Automatically changing the order of content. For developer information, see Setting manual and automatic ordering of subcontent.
- Support for custom selector types. For more information, see Creating custom selector types for Content Editor.
- Enhanced protection against CSRF attacks
  Please refer to the Upgrading from a previous version section.
- New permission that allows Jahia users to access the /tools section and the Karaf console
  This replaces the Jahia Tool Manager user, which has been removed. For more information on the new System role that allows access to /tools, see Managing roles and permissions.
Upgrading from a previous version?
Actions
Security
Jahia 8.0.1 introduces two security improvements for actions:
1. Jahia 8.0.1 improves the security of actions by preventing the execution of actions based on GET by default and allowing only actions using POST. If you are using such actions, you need to explicitly authorize them by adding requiredMethods="GET,POST" in the Spring action files (see example). This has been applied to the following core actions:
   - checkClipboard.do
   - getWorkflowTasks.do
   - languagesCount.do
   - matchingTags.do
   - generateEventIcs.do
   - getLinkCheckingResults.do
2. Jahia 8.0.1 introduces a new module, the CSRF Guard, and automatically adds a CSRF token protection on all calls to a Jahia Action from a Jahia page/context. Actions called outside of a Jahia context will not go through as they will be missing the required CSRF token. In such cases, and to allow their execution, you need to explicitly exclude the actions from the CSRF Guard protection. This knowledge-base article explains how to do so.
In summary, when upgrading to Jahia 8.0.1 you must do the following with actions:
- POST actions executed from a Jahia page/context: no changes to make
- POST actions executed outside of Jahia and missing the CSRF token: you need to exclude them from the CSRF Guard protection (see point 2)
- GET actions executed from a Jahia page/context: you can either
  - refactor your code to use POST (recommended)
  - explicitly authorize the GET method (see point 1)
- GET actions executed outside of Jahia and missing the CSRF token: you need to address both points 1 and 2.
Deprecated actions
The following actions are deprecated in Jahia 8.0.1:
- commentTask.do
- executeTask.do
- lock.do
- lockEditableFile.do
- move.do
- startPublicationWorkflow.do
- startWorkflow.do
- unlock.do
- addMemberToAcl.do
- addMemberToGroup.do
- addPrincipalsInRoles.do
- autoPublication.do
- checkClipboard.do
- cleanClipboard.do
- createBoard.do
- getWorkflowTasks.do
- multipleCopy.do
- multipleCut.do
- multipleDelete.do
- multiplePaste.do
- multiplePublish.do
- publish.do
- adminCreateSite.do
- adminDeleteSite.do
- adminEditSite.do
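One way to prepare for the action changes above, as an added example that is not part of the Jahia release notes: a Python audit of web access logs that lists custom actions still called with GET and any calls to the deprecated actions. The sample log lines and the action names subscribe and contact are constructed, and the `<node>.<actionName>.do` URL shape is an assumption.

```python
import re

# Core actions the release notes list as already authorized for GET in 8.0.1.
CORE_GET_ALLOWED = {"checkClipboard", "getWorkflowTasks", "languagesCount",
                    "matchingTags", "generateEventIcs", "getLinkCheckingResults"}
# Actions the release notes list as deprecated in 8.0.1.
DEPRECATED = set("""commentTask executeTask lock lockEditableFile move
startPublicationWorkflow startWorkflow unlock addMemberToAcl addMemberToGroup
addPrincipalsInRoles autoPublication checkClipboard cleanClipboard createBoard
getWorkflowTasks multipleCopy multipleCut multipleDelete multiplePaste
multiplePublish publish adminCreateSite adminDeleteSite adminEditSite""".split())

GET_BLOCKED = "GET is blocked by default: use POST or authorize GET via requiredMethods"
IS_DEPRECATED = "deprecated in 8.0.1"

# Request field of a log line, then (assumption) a path ending in <node>.<actionName>.do
REQUEST = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+"')
ACTION = re.compile(r"\.(\w+)\.do$")

def audit(lines):
    """Map each action seen in the log to the upgrade notes that apply to it."""
    findings = {}
    for line in lines:
        req = REQUEST.search(line)
        if not req:
            continue
        method, target = req.groups()
        action = ACTION.search(target.split("?", 1)[0])  # ignore the query string
        if not action:
            continue
        name = action.group(1)
        notes = findings.setdefault(name, set())
        if method == "GET" and name not in CORE_GET_ALLOWED:
            notes.add(GET_BLOCKED)
        if name in DEPRECATED:
            notes.add(IS_DEPRECATED)
    return {name: sorted(notes) for name, notes in findings.items() if notes}

# Constructed sample lines; "subscribe" and "contact" are hypothetical custom actions.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2021:10:00:01 +0000] "GET /cms/render/live/en/sites/demo/home.subscribe.do?e=1 HTTP/1.1" 200 52',
    '203.0.113.7 - - [01/Dec/2021:10:00:02 +0000] "POST /cms/render/live/en/sites/demo/home.contact.do HTTP/1.1" 200 17',
    '198.51.100.4 - - [01/Dec/2021:10:00:03 +0000] "GET /cms/render/default/en/sites/demo/home.languagesCount.do HTTP/1.1" 200 9',
    '198.51.100.4 - - [01/Dec/2021:10:00:04 +0000] "POST /cms/render/default/en/sites/demo/home.publish.do HTTP/1.1" 200 9',
    '198.51.100.4 - - [01/Dec/2021:10:00:05 +0000] "GET /cms/render/live/en/sites/demo/home.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

An access log does not show whether a call came from a Jahia page, so the CSRF Guard exclusion described in point 2 still has to be reviewed per caller.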
EL 3 support
- Jahia 8 includes an upgraded version of pax-web-jsp (for compatibility reasons with the upgraded version of Karaf provided with Jahia 8) which contains an embedded version of Jasper (JSP engine) and EL 3.0.
- Support for static field and method references in EL 3.0 is disabled by default on new installations. If you are migrating from a previous version, you can disable it by adding -Djavax.el.class-resolution.disableOnLowerCase=true in the start options of Jahia. Note that if you do not disable it, the DEBUG logs will show which JSPs to update.
- Some of our JSPs have been updated to optimize EL resolutions like in the news and the search modules.
Jahia tools
- Jahia tools are now accessible with Jahia users instead of a single dedicated user. Find out more.
Jahia 8.0.0.0 >> 8.0.1.0 - Changelog
Security
- Improved protection on actions against CSRF attacks
Core
- Improved browsing performance by optimizing some EL statements
- Set org.atmosphere.interceptor.HeartbeatInterceptor.heartbeatFrequencyInSeconds via a variable in jahia.properties
- Disabled EL3 feature by default (support of Static Field and Method Reference)
- Addressed an issue with session expiry
- Added CSRF tokens to secure the Core actions
- Fixed known issue preventing Jahia from restarting with SQL Server
- Fixed session handling used for API calls
- Added ability to set id attribute in login and search forms
- Fixed issue when starting a bundle in the default cluster group by preventing module operations from failing when state cannot be persisted
- Fixed issue with openJDK 1.8_262 by upgrading icu4j
- Fixed random infinite loading after login on a site with a server name
- Fixed dependentProperties on choiceList selection
Page Composer
- Fixed issue with Live button after renaming the system name for a page
- Fixed access to backend to users with apostrophe in name
- Fixed the broken navigation after switching between sites in additional accordion
- Fixed issue on site node when debug log is activated
- Fixed issue in default infinite pager by updating the js scroll condition to greater than or equal to instead of absolute equality
- Removed duplicate fields on inherited mixin
Page Model
- Fixed issue with template field when using a page model in Content Editor
Module Management
- Added a work in progress panel while uploading module
Rendering
- Improved the logging to trace issues with template resolution
Studio
- Fixed the default groupID of new module/templates to use org.foo.modules
- Fixed issue with node types editing
- Fixed issue with copy/pasting primary nodetype definition in Studio
Jahia Tools
- Made /tools accessible to Jahia users instead of a single dedicated user
User Dashboard
- Fixed workflow with LDAP users
Anthracite Theme
- Fixed display of headline in the publication review screen
- Fixed a missing scrollbar in edit engine screens on Chrome
Installer
- Upgraded the Tomcat version provided by the installer to 9.0.37
- Fixed links to the Academy in the installer
Docker
- Removed the /tools credentials in Docker images
Modules - Changelog
App Shell (2.1.0)
- Fixed browser cache issue with js bundle files
- Removed Jahia-Deploy-On-Site tag as it could lead to an issue with languages during a remote publication
Bootstrap3 (4.1.0)
- Fixed broken links in bootstrap3-tabs
CKEditor (4.13.1)
- Fixed empty macros menu by adding back jQuery in CKEditor
Distributed Sessions (3.1.0)
- Improved reliability of distributed-sessions in Jahia 8
GraphQL (2.1.0)
- Added a GraphQL endpoint to create JCR nodes without saving them
Jahia UI modules (1.1.0)
- Removed Jahia-Deploy-On-Site tag as it could lead to an issue with languages during a remote publication
JAX-RS OSGi Extender (3.1.0)
- Fixed API call issue by avoiding embedding JARs into bundle provided by jax-rs jahia feature
jContent (2.1.0)
- Fixed issue with empty accordion when editing system name and publishing
- Updated the "unpublication" icon in jContent menu
- Fixed missing label while deleting a folder
- Fixed size of icons in contextual menus
- Fixed secondary action-menu
- Fixed issue with contextual menu
- Fixed deletion of a multi-selection
- Fixed issue with deletion of a non published folder that had published content
- Restricted Jahia-Deploy-On-Site tag to system-site as it could lead to an issue with languages during a remote publication
LDAP Connector (4.1.0)
- Fixed NonSerializableException while failing to create LDAP connection
Macros (8.1.0)
- Replaced Spring with OSGi
Rating (3.1.0)
- Replaced Spring with OSGi
Remote Publication (9.1.0)
- Fixed journal inconsistency in remote publication with AB test on a page
Roles and Permissions (8.1.0)
- Fixed labels in the Roles and Permissions tab
- Updated the LDAP documentation link to the correct Academy page
Maven archetypes (4.2)
- Updated the archetype for template sets to work with V8