Release Notes / Version 12.2406.1
Table Of ContentsReworked CAE security configuration API
Reworked CAE security configuration API. Turned
com.coremedia.cae.security.CaeHttpSecurityConfigurer
into an abstract class and removed the former
caeHttpSecurityConfigurer
bean of type
com.coremedia.cae.security.CaeHttpSecurityConfigurer
.
The aspects formerly configured by that bean are now configured along
with the securityFilterChain
bean.
(CMS-24585)
Remove RequestRejectedExceptionFilter
The
com.coremedia.blueprint.cae.filter.RequestRejectedExceptionFilter
has been removed. It was a workaround for the issue
RequestRejectedException
should be 400 by default #7568 that has been fixed with Spring
6.
(CMS-24219)
Remove Commerce Context Interceptors
Class
com.coremedia.blueprint.livecontext.ecommerce.filter.CommerceConnectionFilter
now incorporates the concerns that were previously scattered amongst
the commerce context interceptors. It resolves the requested site,
performs a commerce connection lookup and then initializes the
commerce contexts. The filter uses site lookup functions with
signature
Function<ServletRequest, Optional<Site>>
to resolve the requested site and provides the interface
com.coremedia.blueprint.livecontext.ecommerce.filter.CommerceContextsInitializer
for initialization or post processing of commerce contexts. The former
commerce context interceptor code concerned with initialization of
store context and user context has been moved to
com.coremedia.livecontext.handler.FragmentCommerceContextsInitializer
.
The following classes have been removed:
com.coremedia.blueprint.ecommerce.cae.config.ECommerceCaeConfiguration
com.coremedia.blueprint.ecommerce.cae.AbstractCommerceContextInterceptor
com.coremedia.blueprint.ecommerce.cae.WebCommerceContextInterceptor
com.coremedia.livecontext.config.LcCaeInterceptorsConfiguration
com.coremedia.livecontext.handler.FragmentCommerceContextInterceptor
com.coremedia.livecontext.handler.RestCommerceContextInterceptor
com.coremedia.livecontext.p13n.handler.FragmentCommerceP13nContextInterceptor
com.coremedia.livecontext.preview.config.LcPreviewCaeInterceptorsConfiguration
com.coremedia.livecontext.preview.PreferredSitePreviewCommerceContextInterceptor
com.coremedia.livecontext.preview.PreviewCommerceContextInterceptor
The moduleec-cae-lib
was removed from the blueprint workspace.
(CMS-24213)
Transformed Blob Cache Requires Writeable Base Directory
The bean transformedBlobCache
of type
com.coremedia.transform.impl.TransformedBlobCache
now validates the configured base path (configuration option
com.coremedia.transform.blobCache.basePath
) and
throws an exception if it finds that the base path is not a writeable
directory in which it can cache and rotate temporary files holding the
transformed blob data.
(CMS-24132)
Configured Content Security Policy for Live CAE
CAE HTTP security now supports configuration of the
Content-Security-Policy
response header via
cae.http-headers.csp.directives
. It has been set to
a same-origin-only policy as recommended by the
OWASP
CSP cheat sheet. The Spring dev
profile
configures report-only mode for Live CAE and disables CSP for the
Preview CAE.
Follow Section, “Configured Content Security Policy for Live CAE” for upgrade information.
(CMS-23644)
Changed Site Resolution of Requests
SiteFilter now matches request paths against configurable patterns to
derive the requested site. This is much more efficient than the
previous strategy which simply checked every path segment if it
matched one of the segments of the known site root navigations. The
new strategy is to take a list of patterns to check if the current
request URI paths contains a site segment, then check the first path
segment after the dispatcher servlet segment if it is site segment but
exclude a list of known prefixes. The list of path patterns that have
a site segment in it is configured via
cae.site.patterns
and the list of known non-site
path prefixes is configured via
cae.site.ignore-prefix-patterns
. The former
SiteFilter behavior can be restored by setting both properties to
empty values. Configure
cae.site.collect-non-matching-paths=true
to collect
non matching paths to support debugging your SiteFilter config. This
setting is enabled in the dev
profile for your
convenience.
(CMS-23583)