Jahia 8.2.3 Release Notes

Jahia 8.2.3 is a maintenance release, continuing the work that was started by the Jahia team in 8.2.0. 

Our in-context editing UI, Page Builder now offers feature parity with legacy Page Composer, and is considered ready to be used in production on a daily basis. Since jContent 3.4, we did some light but important improvements in our media management UI: 

• Display assets usages in views and pickers
• Change single-click select behavior to not start a multiselect in thumbnails view if Ctrl, Meta or Shift is not pressed
• Display mimetype in content editor header and cards (thumbnail views and pickers)
• Show thumbnails in list view when available
• Page Composer remains available to ensure a smooth transition for organizations

JavaScript modules engine v1.2 is shipped with 8.2.3. It's fully ready for production and several projects are successfully using this technology. It is also fully compatible with OpenJDK. The Jahia team remains dedicated to making this new capability successful. 

Other important changes include:

• Full rework of http headers for cache control, to optimize caching by browsers and CDNs, from assets to full pages
• A new Authentication service available in OSGi
• CSRF Guard is now disabled by default for unauthenticated users (guest)
• UI improvements in the tools
• Support for newer versions of databases

Updates to Jahia release artifacts

Jahia 8.2.4.0 is introducing a few changes to its release artifacts:

• Jahia source code can be downloaded directly from GitHub and is not be packaged separately anymore.
• Jahia ".exe" installer has been removed. Windows is still a fully supported platform, and customers are encouraged to launch the installer using the ".jar".
• Jahia Community is now available as a Docker image. The community installer and community SDK have been removed.

Changes listed in this section might be considered breaking depending of your usage, we recommend always reviewing this section of the release notes.

Deprecated TokenAuthValve, ContainerAuthValve and added a property to disable/enable TokenAuthValve

TokenAuthValve is now disabled by default.

This change deprecates the TokenAuthValveImpl and ContainerAuthValveImpl authentication valves. Token-based authentication is now disabled by default for improved security, and a new configuration property auth.token.enabled (default: false) has been introduced to control the TokenAuthValve. If you are unable to migrate your code to use the recommended Personal API Token (PAT) module before upgrading, you can temporarily restore the previous behavior by setting auth.token.enabled=true in your configuration. Note that container-based authentication is also deprecated and not recommended, as Jahia now handles authentication internally.

Commit: df46291

Implement clear restrictions for bundles that are not identified as Jahia modules in module management.

This change enforces that the Module Management Service and provisioning API now operate strictly on Jahia modules only. Previously, install, start, stop, and uninstall operations could be performed on any OSGi bundle; now, these are limited to bundles identified as valid Jahia modules. Install operations for non-modules are ignored with a warning log, while start, stop, and uninstall operations return a 500 error with a clear message. The following provisioning commands are now deprecated: installBundle, installAndStartBundle, installOrUpgradeBundle, startBundle, stopBundle, uninstallBundle. Use the new commands: installModule, installAndStartModule, installOrUpgradeModule, startModule, stopModule, uninstallModule. The old commands are subject to the same restrictions and will be removed in a future release.

Commits: 5431eec, 70bbda5, 164a9c3, 🔒 7ba332d, 🔒 386d60f, a3ad7c4

Replaced GraalVM with OpenJDK in Jahia Docker images

GraalVM has been removed from the Jahia Docker images and replaced with OpenJDK. This change aims to enhance compatibility across various environments. You are extremely unlikely to be impacted by this change, only customers using Docker images, AND a site built with javascript-modules-engine AND GraalVM-specific features will need to review their code.

Commits: e18eb7e, 350c5c1, d875b3d, 8d3089b, eab36a0

Updated Apache Tika from 2.9.3 to 3.2.3

Depending of your usage, it might be necessary to extend the range of Tika versions in the pom.xml of your modules. You can see an example of such a change here. If you are not impacted by the breaking changes listed below, updating from org.apache.tika;version="[1.27,3)" to org.apache.tika;version="[1.27,4)" will make your module compatible with both Tika 2 and Tika 3 (up to Tika 4, excluded).
Although most users are not expected to be impacted, but please review the following upstream changes:

• Convenience methods for XML readers were moved from ParseContext to XMLReaderUtils (TIKA-4259).
• The boilerpipe handler has been moved to the tika-handler-boiler-pipe package (TIKA-4138).
• HTML parsing now uses JSoup instead of TagSoup. If you have a custom configuration on the HTMLParser, you'll need to update it to use o.a.t.p.html.JSoupParser (TIKA-1599).

Commits: 980d508, 6658ed5, aabd777, acfe4c1, f548ca1, a4395f4, c546617, 🔒 4e7b529

Updated javascript-modules-engine from 0.3.0 to 1.2.0

Strong breaking changes are present between Javascript Modules Engine 0.3.0 and 1.2.0. Please refer to the module changelog on Jahia Store for more details. If you are using Javascript Modules in your project, be sure to first update javascript-modules-engine in your running instance of Jahia before attempting to upgrade Jahia to this version. Customers not using javascript-modules-engine or already running javascript-modules-engine 1.0.0 or later are not impacted by this breaking change.

Commits: aac8c7a, da762d3, 4da91df, 339f691, e386217, 23ed8c9, a347ab2

The advanced-visibility module was removed from the build following its merge with the visibility module.

Other notable libraries changes

• ✨ Removed embeded graalvm libraries which are now provided by javascript-modules-engine (Commit: 0e47150)
  Were removed from the core: org.graalvm.sdk, org.graalvm.truffle, org.graalvm.js, org.graalvm.regex

Jahia 8.2.3.0

Deprecations

Features deprecated in this release are expected to be removed alongsider the release of Jahia 8.3

• 📦 Added deprecation mark/log on old XSS filtering mechanisms and promoted the new html-filtering module as alternative. (Commit: fb7f8e2)

• ♻️ Deprecated the HtmlExternalizationService (Commit: 40befdc)

  The legacy HtmlExternalizationService is now deprecated. It is only used in the legacy newsletter app and is not exposed as an OSGI service (usable only from Spring). A new implementation for externalized HTML generation will be required in the future.

• ♻️ Deprecated the sha1DigestLegacy method in EncryptionUtils (Commit: 811e0ab)

  The legacy sha1DigestLegacy method in EncryptionUtils is now marked as @deprecated (since 7.1.0.1) and its documentation updated to clarify it is retained only for backward compatibility. Newer versions use PBKDF2 for password hashing. This change improves security and clarifies future direction.

• ♻️ Deprecated the SsoValve (Commit: 2e22307)

  The SsoValve has been deprecated in favor of the jahia-authentication module, which provides SSO capabilities and a more modular SSOValve inner implementation. You can find more details about authentication in a dedicated documentation section on the Jahia Academy

Core

• ✨ Added git OSGI manifest headers to bundles (Commit: ab21bdb)

  With this change, you can now identify, via the Jahia Tools, the Git commit hash and branch from which a bundle was built. This enhancement aids in debugging and tracking the source of deployed bundles.

• ✨ Created a new ChoiceListInitializer to list the properties of given node types with custom filtering. (Commits: baa5428, 1eb00f5, 🔒 9372783, 🔒 f17097b)
• ✨ Introduced debug logs in scheduler to facilitate troubleshooting (Commit: 2259161)
• 🐛 Allow percent-encoded curly braces in URLInterceptor (e.g. %7bmode%7d instead of {mode}) (Commits: f0d637b, b0fa284, 8ce7a29)
• 🐛 Corrected a log message that should only be displayed when running JDK11 (Commit: ce9822e)
• 🐛 Corrected French language (and typos) in various parts of the application (Commits: 1b6b1b4, ba43fc4)
• 🐛 Correctly compute the context path when setting cookies from GraphQL (Commit: ef4ea24)
• 🐛 Excluded ck5 CSS class ck-form in global reset, to avoid conflicts with Jahia admin styles. (Commit: 11bc6d4)
• 🐛 Fallback to root node if user lacks jcr:read_default on site in GWT controller (Commits: 12f25fe, 3985770)
• 🐛 Fixed a NPE when richtext property does not exists in GWT translate engine, causing issues when translating content. (Commit: bd7d765)
• 🐛 Fixed a NPE when using Karaf command jahia:servlets (Commit: b8aa18c)
• 🐛 Fixed a situation in which specific payloads could lead to increased log filing (Commits: 891aa97, f1d57ab, 198a9e3, 2e63f97, 7be7ebd)

• 🐛 Fixed an error when restoring a node with jnt:referenceInField child nodes (Commit: 138c11f)

  This fix impacted restoring a nodes that has both orderable child nodes and the mixin jmix:referencesInField with child nodes of types jnt:referenceInField

• 🐛 Fixed an issue causing a mismatch in the number of documents returned by a JCR-SQL2 query executed on different cluster nodes (Commit: a293355)
• 🐛 Fixed an issue causing nodetype icons to not be rendered when redeploying a module with new icons, requiring a server restart. (Commits: b64c424, d822b94, b4ac59f)
• 🐛 Fixed an issue preventing the use of a proxy with JDK 17 (Commit: f3c90d2)
• 🐛 Fixed an issue preventing visibility rule to work in customized preview (Commits: d7ac317, 08f0cfd)
• 🐛 Fixed an issue when moving a node between providers breaks references to this node (Commits: 5890ba0, 61bf6a3)
• 🐛 Fixed an issue with SiteKey resolution when a vanity is matching, previously causing issue with the resolution of custome error pages. (Commit: 89624eb)
• 🐛 Fixed an issue with template priority across multiple template resolvers, causing issues when templates exists in both .jsp and .tsx resolvers (Commit: cc14a23)
• 🐛 Fixed source files with incorrect file encoding (Commits: 3e29033, 5aab996)
• 🐛 Use textarea instead of an input field for nt:query edition ui to improve user experience when editing JCR-SQL2 queries (Commit: f717230)
• 🐛 When using the fixApplier prevent the installation of javascript-modules-engine if running JDK11 (Commit: 18f5db0)
• 📚 Added comments in 02-jahia-nodetypes.cnd to explain the usage of Jmix:isAreaList (Commit: 41b5e04)
• 📚 Added comments/java doc to LastModifiedListener (Commit: 5b237c6)
• 📚 Updated labels in the version comparison component for improved clarity (Commit: 781c3fa)
• 📦 Cleanup and refactoring of Jahia Templating system (Commits: 5ef0917, 9505ac9, c51f053, 16eb3c1, 26f5603, 0f43f1f)

• 📦 Converted migration scripts from graphql to groovy (Commits: 496144c, d3cefa1)

  Migration scripts written in GraphQL could be a source of flakiness depending on the startup time of the graphql-dxm-provider module. These scripts have been converted to Groovy and it is recommended to not continue creating migration scripts in GraphQL but to prefer Groovy instead.

• 📦 Improved efficiency of LoginConfig when searching for a custom URL (Commit: 6f1e237)
• 📦 Refactored the OSGI system packages to ensure, at build time, that OSGi system packages configuration stays in sync with project dependencies, preventing configuration drift. (Commit: 93f4e1f)
• 📦 Removed GWT dependency from the core (Commits: 3a5aa8a, 12d5fe3, 23c3bea, 7249860)

• 🛠 Compile, package and deploy with JDK 17 instead of JDK 11 (Commit: 66c8487)

  This allows developers to use JDK17 when building Jahia while still being compatible with JDK11 at runtime.

• ♻️ Added logging details when DB is not initialized at Jahia startup (Commit: 15716e9)
• ♻️ Correct role node naming for system administrator in JCR after editing permissions (Commits: 3503c89, ae8f662)
• ♻️ Removed a Java file that was entirely commented out (Commit: f523909)

• ♻️ Removed categorySelector tag <ui:categorySelector> (Commit: caa4881)

  The tag was already not usable as it associated page did not exist anymore, this removal will not break any existing functionality.

• ♻️ Removed outdated Maven site and GWT plugin configurations and docs (Commit: e7cbfdd)
• ♻️ Replaced deprecated ${parent.version} Maven variable with ${project.parent.version} (Commit: 4679297)

Security

• ✨ Implemented hashing for session ids in logs (Commit: 908968a)
• ✨ Introduced secure handling for files in multipart requests targeting Jahia rendering/actions (Commits: f78e60b, 🔒 4c5f5b0)
• ✨ Introduced the ability to configure EncryptionUtils encryptor with jahia.properties (Commit: 78bf5b7)
• 🐛 Escape JCR properties HTML content in Repository Explorer (Commit: 37c6bfa)
• 🐛 Escape titles in workflow dashboards (Commit: ad856c4)
• 🐛 Strengthen the password change request, change also present in Jahia 8.2.2.1 (Commits: 8e11fec, d782fc1, 17a0259, 1bc0622, e471fd5)
• 🛠 Updated the build process to support multiple suppression files (suppressionFiles parameter - plural) (Commits: fafb8bd, 72e1539, 🔒 d05fb33)
• ♻️ Extended customer OWASP dependency-check suppressions (Commits: 28de4f4, 🔒 78bdfe6, 35ac49d, cb884ed, 6879b97)

Authentication

• ✨ Implemented a mechanism to invalidate active HTTP sessions for a given user (Commits: a57fac9, 🔒 7ba2469, 3b56830, 🔒 c3c3994, 457cf0e, 5636518)
• ✨ Implemented a new OSGI authenticationService, updated core valves (Commits: d6610fc, ea57969, 37565ac, c222c3c, 09f0d74, 63e9e77, 0a2ab1d, e039ca3, 6ad713b, f56efa6, a8198da)

• ✨ Provide initial url when redirected to a custom login page (Commits: 16ce8fd, 🔒 57ce072)

  This change makes it possible to redirect the user to the original URL after a successful login when they were initially redirected to a custom login page due to insufficient permissions.

• 🐛 Filter out LoginUrlProvider that support a custom login URL to only keep non null URLs (Commit: c968d3e)
• 🐛 Fixed incorrect character encoding when rendering the login page preventing login with special characters (Commits: abb277b, 🔒 58ebc34)
• 🐛 Prevent the usage of a JCRUserNode on which the linked JCR session may have been closed when the HTTP session got invalidated. (Commit: ab56178)

Search

• ✨ Introduced a new dual analyzer for full text search (Commits: 8ad2576, 🔒 ed5e965, 4f5f7b5)

  This change enables the use of both a standard analyzer and an optional i18n analyzer for full-text search queries. By default, the behavior remains unchanged, using only the standard analyzer. If compatibility with both non-i18n and i18n properties is required, a secondary i18nAnalyzer can be provided. The resulting query will be dual-analyzed, combining results from both analyzers to improve search accuracy across multilingual content.

• ✨ Restrict value attribute of nodeType tag file (Commits: f3adf03, 9adc951)

  If a custom node type is provided (using the <s:nodeType value=.../> tag), the system ensures the value is a registered node type. This implicitly validates that a single-value is used (jnt:page,jnt:bigText is a not a valid node type, even if both jnt:page and jnt:bigText are registered node types).

• 🐛 Fixed a stack overflow issue when search results where too large (Commit: a82e85a)

Workflow

• 🐛 Adjust visibility workflow panel (CSS) (Commit: 0ee85b4)
• 🐛 Enhances workflow permissions by ensuring that sub‐roles inherit permissions from their parent roles. (Commit: ee254b7)

Cache

• ✨ Updated URL Rewrite rules to generate better "cache-control" header (Commit: 958c474)

  The URL Rewrite rules for cache control header have been removed. Instead, a new Jahia feature called client-cache-control
  has been introduced to manage the cache control header more effectively, in particular to make it possible to better tweak cache usages in CDNs.
  Documentation is available on Jahia Academy

• 🐛 Fixed an an issue with the skip.aggregation property not being properly handled (Commits: a6bf7ef, d9456fe, 🔒 d8b49ea)
• 🐛 Fixed an issue with cache key part not correctly handled, causing performance issues when using javascript modules and page personalization (Commits: 1dcbfbf, 39018f8, 15755aa)
• 🐛 Fixed ETag headers that were not RFC-compliant, they are now surrounded by double quotes. (Commit: 44223e6)
• 🐛 Introduction of an optimization for AclCacheKeyPartGenerator targetting site users under /sites/*/users, improving performances for environments with a very large number of site users. (Commits: f334a00, 119bee2)
• 🐛 Reduced log verbosity for client cache policy (Commit: 8a08c3a)

• 🐛 Use preset Cache-Control header in StaticFileServlet even if resetting the response (Commit: 464af9b)

  In StaticCacheFilter, response is reset and preset headers were incorrectly removed causing client-cache-control to miss it's preset value.

Docker

• ✨ Introduced support for specifying a custom Catalina context in Docker (Variable: CATALINA_CONTEXT) (Commits: f9f251c, 🔒 84527af, 🔒 47b137f)
• ✨ Simplify jahia configuration at startup to use configurators instead of maven goal (Commit: d4037b1)
• 🐛 Add a new path: /var/jahia/config-overrides to tomcat common loader making it possible to persist custom configurations upon redeployments (Commit: e142868)
• 🐛 Fixed an issue causing trailing spaces to be added to jahia.node.properties during parsing of docker configuration JAHIA_CONFIGURE_OPTS (Commit: 06becce)
• 🐛 Improved usage of dependencies in jahia-configuration (Commits: d3674f2, e4791e3, 275539c)
• 📚 Added comments in Docker pom.xml to explain usage of Maven profiles for local Docker builds (Commit: 97aa481)
• 📚 Added instruction about development docker images and their location on GitHub Packages registry (internal) (Commit: 🔒 67b92b0)
• 📚 Created README aimed at being displayed on Docker Hub for Jahia Discovery docker image (Commit: 🔒 ead5cf6)
• 📦 Cleanup Jahia base DockerFile and reduce the size of the image by removing unecessary folders/files (Commit: 7f04693)
• 🛠 Fixed an issue when building AMD64 images from ARM machines (Commit: 653124b)
• ⚙️ Migrated from Docker Hub to GitHub Container Registry for Development images (Commits: f09268f, 🔒 6e2a2a6, 🔒 c90f340, 🔒 1bf8942, dcdc506, 🔒 35ca070, de3dd36, 21d00cd, 7dc6888, caa8582, 🔒 82eac4e)
• ⚙️ Refactored the build process of Jahia Discovery image to address multi-arch builds and race conditions with luxe (Commits: 🔒 b517930)
• ♻️ Move JVM module access flags from CATALINA_OPTS to JDK_JAVA_OPTIONS for proper startup configuration (Commits: e9355d7, 6099c59, 🔒 dfc9d2b)
• ♻️ Updated yourkit binary from 2023.9 to 2025.3 (only retrieved when YOURKIT_ACTIVATED variable is used) (Commit: cd2ea55)

Installer

• 📦 Removal of the "exe" installer following compatibility issues with JDK 17. The "jar" installer can fully be used on Windows (and other supported platforms) using java -jar Jahia-EnterpriseDistribution-8.x.x.x.jar.

Legend (icons): ✨ Improvements & new features, 🐛 Bugs, 📚 Documentation, 📦 Packaging, 🛠 Change to Jahia build, ⚙️ Changes to CI, ♻️ chores

Jahia upgrade procedures are detailed in this Academy page.

If you are using Jahia installed, you can also download the fixAppliers here:

• How to upgrade from 8.2.2.1
• How to upgrade from 8.2.2.0
• How to upgrade from 8.1.9.1
• How to upgrade from 8.1.9.0