Release Notes / Version 10.2107
Dynamic Include Implementation was removed from Blueprint
The Dynamic Include implementation was moved from package com.coremedia.blueprint.cae.view of module com.coremedia.blueprint:cae-base-lib to package com.coremedia.objectserver.view.dynamic provided by com.coremedia.cms:cae-viewservices. The Blueprint implementation still uses com.coremedia.blueprint.cae.view.DynamicInclude for backward compatibility of themes/templates.
See section “Dynamic Include Implementation was removed from Blueprint” for upgrade information.
(CMS-17689)
Introduced Central Cache Control Strategy
The newly introduced CacheControlStrategy interface enables CAE apps to apply cache control information to HTTP responses. The default implementation records the instant at which a requested resource expires and also provides access to the app's static cache control configuration. The CacheControlStrategy bean is used by a Spring MVC handler interceptor to send Cache-Control headers. The cache control information can then be used by CDNs or other HTTP caching proxy infrastructure.
See section “Introduced Central Cache Control Strategy” for upgrade information.
(CMS-17307)
Calista via Commerce Hub
Calista is now integrated via Commerce Hub. To switch to the integration via Commerce Hub, you need to configure the commerce adapter endpoint in the LiveContext Settings document of the Calista site. The former HCL-specific code in the Blueprint below the path "blueprint/modules/extensions/ecommerce-ibm" is no longer used for Calista (IBM/HCL content-led integration scenarios).
(CMS-16446)
Change Spring Security Configuration for CAE from XML to Java
The Spring Security configuration for the CAE has been changed from XML configuration to Java configuration. This applies to default CAE security configuration and Elastic Social security configuration. As Java and XML configuration cannot be mixed, projects must change all custom http://www.springframework.org/schema/security namespace XML configurations to Java configurations.
See section “Change Spring Security Configuration for CAE from XML to Java” for upgrade information.
(CMS-15656)
Changed implementation of security headers for CAE
The class com.coremedia.blueprint.cae.filter.SecurityHeadersFilter has been removed. The security headers for the CAE are now configured in com.coremedia.cae.security.CaeWebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>). It configures the same security headers that were formerly set by the com.coremedia.blueprint.cae.filter.SecurityHeadersFilter. To set the same security headers, the default configuration provided by the org.springframework.security.config.annotation.web.configurers.HeadersConfigurer is used, but for the preview CAE, the X-Frame-Options header is (still) disabled.
See section “Changed implementation of security headers for CAE” for upgrade information.
(CMS-13278)
CAE configuration properties consolidated and renamed
All default values for CAE configuration properties are now defined as @ConfigurationProperties-annotated classes, as proposed by Spring Boot. There are three new classes:
See section “CAE configuration properties consolidated and renamed” for upgrade information.
(CMS-13101)
Remove custom CSRF implementation for CAE
The custom implementation for CSRF protection for the CAE has been removed. The CAE now uses and configures the CSRF protection provided by Spring Security. See the new documentation in Content Application Developer Manual - Protecting against Cross Site Request Forgery.
See section “Remove custom CSRF implementation for CAE” for upgrade information.
(CMS-7305)
New hashing strategy for securing blob transformation
The DefaultSecureHashCodeGeneratorStrategy used for securing blob transformation is considered vulnerable to possible DoS attacks. Therefore, a new MD5SecureHashCodeGeneratorStrategy was introduced and is used as the default hashing strategy. It includes a server-side secret, which should be configured via cae.hashing.secret. Otherwise, a new secret is generated after each CAE restart. This could lead to problems with caching and multi-CAE setups.
See section “New hashing strategy for securing blob transformation” for upgrade information.
(CMS-17396)
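Why a missing cae.hashing.secret causes trouble across restarts and between several CAEs, as an added example that is not CoreMedia code. It is a simplified model: the HMAC-MD5 construction, the class names and the sample parameter string are assumptions, since the internals of MD5SecureHashCodeGeneratorStrategy are not described here.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class BlobHashSecretDemo {

    /** Hypothetical model of one CAE process that signs and checks transformation parameters. */
    static final class CaeInstance {
        private final byte[] secret;

        /** A null argument models an unset cae.hashing.secret: a fresh random secret per start. */
        CaeInstance(String configuredSecret) {
            if (configuredSecret != null) {
                secret = configuredSecret.getBytes(StandardCharsets.UTF_8);
            } else {
                secret = new byte[32];
                new SecureRandom().nextBytes(secret);
            }
        }

        /** Keyed hash over the parameters (assumed construction: HMAC-MD5). */
        byte[] hash(String params) throws GeneralSecurityException {
            Mac mac = Mac.getInstance("HmacMD5");
            mac.init(new SecretKeySpec(secret, "HmacMD5"));
            return mac.doFinal(params.getBytes(StandardCharsets.UTF_8));
        }

        /** True only if the presented hash was produced with this instance's secret. */
        boolean accepts(String params, byte[] presented) throws GeneralSecurityException {
            return MessageDigest.isEqual(hash(params), presented); // constant-time compare
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String params = "blob=1234;width=400;height=300"; // constructed sample input
        // Secret not configured: every instance, and every restart, has its own secret.
        byte[] linkHash = new CaeInstance(null).hash(params);
        System.out.println("other CAE or restarted CAE accepts: "
                + new CaeInstance(null).accepts(params, linkHash));      // false
        // Secret configured identically on all CAEs (placeholder value).
        String shared = "PLACEHOLDER-configure-via-cae.hashing.secret";
        byte[] sharedHash = new CaeInstance(shared).hash(params);
        CaeInstance other = new CaeInstance(shared);
        System.out.println("shared secret accepts: " + other.accepts(params, sharedHash)); // true
        System.out.println("changed parameters accepted: "
                + other.accepts("blob=1234;width=4000;height=3000", sharedHash));         // false
    }
}
```

In the first case, links that were cached or generated before a restart, or by a different CAE behind the same load balancer, no longer validate, which is the caching and multi-CAE problem described above.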
Added configuration options for CAE 'HttpFirewall' bean
The HttpFirewall for the CAE can now be configured using the configuration properties cae.http-firewall.allow-*. For more information, see Content Application Developer Manual - Spring Security.
See section “Added configuration options for CAE 'HttpFirewall' bean” for upgrade information.
(CMS-17381)
New External Preview
The external preview has been reimplemented. It does not require any Spring properties for configuration anymore. It can be accessed via the new "Share" menu on the preview toolbar inside CoreMedia Studio. The new external preview can be opened in a new browser tab or via QR code on mobile devices.
(CMS-15991)