This chapter contains all changes made in Release 7.5.22 of CoreMedia Digital Experience Platform 8.
Release 7.5.22 contains the following CoreMedia modules:
CoreMedia Blueprint
CoreMedia CMS
CoreMedia Studio
CoreMedia LiveContext for IBM WebSphere Commerce
CoreMedia Elastic Social
In addition, CoreMedia DXP 8 uses the following tooling:
Product | Key | Version |
---|---|---|
CoreMedia Application Maven Plug-in | APPPLUGIN | 2.7.9 |
CoreMedia Project Maven Extension | PROJEXT | 1.0.5 |
Table 2.24. Tooling of CoreMedia DXP 8
Features
Studio Single Sign On Integration
A new documented public API to integrate with external Single Sign On (SSO) solutions has been added to CoreMedia Studio. The feature allows the definition of a custom Spring Security context to replace the default authentication process. Please refer to the [Studio Developer Manual] for further details.
CoreMedia CMS Improvements
Spring Context Startup Accelerator
Due to the design of the Spring Framework and the CoreMedia CMS, it is necessary to declare many
<import/>
elements in Spring configuration files, often pointing to the same resource. This slows down the startup of the ApplicationContext.Unfortunately,
org.springframework.beans.factory.xml.XmlBeanDefinitionReader
does not track imported XML files, so redundant<import/>
elements will lead to Spring parsing the same XML files over and over again (in most cases, those XML files will contain more<import/>
elements leading to even more parsing, ...) After moving to Servlet 3.0 resources, for each<import/>
, the Jar file containing the XML file has to be unpacked. Also, every time that an XML file is completely parsed, Spring reads all Bean declarations, creates neworg.springframework.beans.factory.config.BeanDefinition
instances, overwriting any existing BeanDefinitions for the same bean ID.This release introduces an optional system property
skip.redundant.spring.imports
that isfalse
by default. If set totrue
, the first<import/>
element will be used and all following, duplicate<import/>
elements pointing to the same resource will be ignored. The time saved depends on the number of duplicated<import/>
elements.Even though this setting is recommended, it may change the BeanDefinitions that are loaded. (As explained above, normally, BeanDefinitions may be overwritten by subsequent imports, depending on how
<import/>
elements are used in a webapp).
The
PlainTextSerializer
is used to strip all RichText-related XML tags from aMarkup
and only print out the character content. This character content in turn may be XML source code or any other kind of text, which is not interpreted by the CMS. When using thePlainTextSerializer
to print the content on an HTML page, the content is interpreted as HTML by the browser if not escaped. While this may be intentional in certain cases, this poses a security risk.For example, it was possible to write a
<script>
tag containing JavaScript into anyMarkup
property and have the browser execute this JavaScript. The Blueprint uses this feature in a controlled manner to allow users to add HTML content to the page (SeeCMHtml
/ScriptSerializer
/ScriptView
).The behavior was changed to be secure by default, the plain text returned is now escaped. So for example a
<
is returned as<
. To restore the old behaviour, usePlainTextSerializer#setEncode(false)
An option was added to cm serverexport for efficiently exporting content repositories that contain the same blob multiple times, which is then stored on disk only once. This is useful, for example, when multiple translations of a web site are present in the content repository, which contain copies of the same blobs (images etc.). Space requirements on export thereby correspond to space requirements in the content repository, where blobs are always deduplicated. The generated export format corresponds to that used to ship the blueprint example content.
For further details, please consult the section about
serverexport
in the CoreMedia Content Server Manual.
In addition to various bugfixes, the behaviour of the cm bulkpublish tool has changed slightly. When the --approve-versions option is given to the cm bulkpublish tool, it only approves the latest (checked-in) version. The tool used to also approve any other versions newer than the latest approved version, or in the case of new documents, all versions. This results in a performance improvement when dealing with large content repositories due to a simpler query and less approval operations.
Changes
Apache Solr has been updated to version 4.10.3.
The CoreMedia Search Engine index configuration has been separated into distinct configuration sets and cleaned up. The directory
<solr-home>/configsets
contains config set subdirectoriescontent
,cae
andelastic
for Content Feeder, CAE Feeder and Elastic Social indices. Each type of search index has its own index schema (schema.xml
) and index configuration (solrconfig.xml
). Index fields and settings that are only needed for Content Feeder indices have been removed from the config set for CAE Feeder indices, and vice versa.Unused field types have been removed from the
schema.xml
files to keep them simple and avoid unnecessary overhead.The index schema for Content Feeder indices defines all fields with attribute
stored="true"
to allow partial document updates. Note that this change leads to larger index files. You can change the definition of the largest fieldtextbody
back tostored="false"
in<solr-home>/configsets/content/conf/schema.xml
to reduce the index disk size, if needed.The actual index data files are no longer written to the directory configured with JVM system property
solr.data.dir
. Each Solr core has its own directory now below the Solr Home directory, which also contains the index files. For example, the data files for thestudio
index are written to<solr-home>/cores/studio/data
. The Solr web application needs write access to its Solr Home directory.The [CoreMedia Search Manual] describes the new configuration in section "Solr Home Directory" in more detail.
Index schema changes make it necessary to reindex Content Feeder and CAE Feeder indices.
The class
com.coremedia.cap.user.CapAuthenticationProvider.CapUserAuthority
has been removed in the course of the new SSO integration feature.
CoreMedia Studio Improvements
A Content Security Policy is introduced in order to mitigate Cross-Site Scripting vulnerabilities. The default policy header considers existing preview configuration and includes frame-src whitelisting values accordingly.
The applied policy can be customized or disabled via a set of
studio.security.csp.*
properties in theapplication.properties
file. For further details please refer to the security chapter of the Studio developer manual.The wildcard format of the
studio.previewUrlWhitelist
property in the inapplication.properties
has changed. All URLs must be valid Content Security Policy source values.Existing Studio blueprint code was adjusted to comply with Content Security Policy.
The following blueprint classes were changed:
com.coremedia.blueprint.studio.topicpages.administration.TopicsPanel
com.coremedia.blueprint.studio.topicpages.administration.TopicsPanelBase
com.coremedia.blueprint.studio.taxonomy.chooser.LetterListPanelBase
com.coremedia.blueprint.studio.taxonomy.rendering.LinkListRenderer
com.coremedia.blueprint.studio.taxonomy.rendering.SelectionListRenderer
com.coremedia.blueprint.studio.taxonomy.rendering.SingleSelectionListRenderer
The following files were removed from the taxonomy-studio-plugin:
taxonomy-mouse-handler.js
The cspHeaderFilter was added to the
studio-webapp
web.xml
.The blueprint
jangaroo-libs
version was bumped to2.0.10
.
The
SimpleSearchWidget
restricts its searches to the preferred site now. This default can be overridden by setting the the config optionpreferredSite
tofalse
.The
PreferencesUtil
class no longer tries to store undefined values as a substruct. The undefined property is cleared instead.
The method
com.coremedia.cms.editor.sdk.IEditorContext#setAfterLogoutHandler()
has been removed in the course of the new SSO integration feature.The second (optional) parameter of the method
com.coremedia.cap.common.CapLoginService#retrieveSession()
has been removed in the course of the new SSO integration feature.
CoreMedia Elastic Social Improvements
Changes
Elastic Social uses Apache Solr as search engine for users and comments now. A separate ElasticSearch installation is no longer required and ElasticSearch is not supported as search engine anymore.
Users and comments are indexed into separate Solr indices. In the Blueprint, Solr maintains indices
blueprint_helios_comments
andblueprint_helios_users
for comments and users of the tenanthelios
.Elastic Core applications connect to Apache Solr as configured with property
elastic.solr.url
. See the [CoreMedia Elastic Social Manual] for configuration options.Elastic Social content needs to be reindexed into Apache Solr. See the [CoreMedia Search Engine Manual], section "Reindexing Elastic Social indices" for necessary steps.
Determining the current tenant for Studio and CAE applications is now based on
TenantLookupStrategies
. See below for changes in the default Blueprint behavior.
CoreMedia LiveContext for IBM WebSphere Commerce Improvements
The e-Commerce API was prepared to support multiple shop systems simultaneously with a single CoreMedia system. Such shop systems can even come from different manufacturers. In principle a concept of a commerce connection was introduced similar to the UAPI CAP connection that is used to connect to the CoreMedia content server. A commerce connection can be defined per site and it describes a certain shop connection endpoint. The connection details are vendor specific (an IBM WebSphere Commerce Server system has obviously other connection properties than a system from another vendor). From the connection you will get all vendor specific service implementations, like the
CatalogService
.The module and the package structure of the e-Commerce API were changed. A new introduced base module gathers various classes that can be reused to implement the API against another shop system vendor. The new package structure is more "service driven", that means there is a new package
pricing
where all pricing related service interfaces and classes are gathered together.All API service calls have no more context parameters (store context and user context). The commerce contexts will be initialized together with the connection and used for all service calls in that session (within a request).
All API service calls that use external or technical identifier were removed. You will use the long version of the IDs instead consistently. To produce such an ID a
CommerceIdProvider
can be obtained from the connection.
As for other document types it is possible to create External Pages with a special "Create Content" dialog within the favorite bar. Additionally it is added in menubars and context menus in the e-Commerce library if a category is selected. The category link is then pre-filled with the currently selected shop category. The default location to store the new document is the
Navigation/Categories
folder of the site.
Settings of the CoreMedia Content Connector running in the IBM WCS can now be loaded from a properties file (the path is specified in the web.xml file). Previously it was only possible to load these settings in the web.xml file directly. This approach is more flexible when using the same application archive for different systems (eg. for test, staging and production). The web.xml file can remain unchanged.
CoreMedia Project Improvements
CoreMedia Blueprint Improvements
The view type property field is hidden when there are no applicable view types for the document that is being edited. This makes it easier to provide reusable document forms that adapt to the settings of the current site. This behavior has been enabled in the
ViewTypeSelectorForm
by setting the config optionhideForSingleChoice
of theViewTypePropertyField
.
The previous solution of determining the tenant based on prefixes of the server URL is no longer recommended. Instead, the default strategy for the Blueprint relies on the context settings for Elastic Social. For each Site's root channel, the
tenant
property needs to be set. For more details, we refer to the sectionConfiguring Elastic Social
of the [CoreMedia Elastic Social Manual].
When developing templates, developers start a local Tomcat. Up until now, templates would only be read from the workspace if no templates were uploaded to the ContentServer. Now, the CAE will use the Spring property
cae.use.local.resources
to determine whether to read templates from the workspace or (potentially) read them from the ContentServer.A new customizer
addRepositoryTemplateLocationPattern
was added toblueprint-views.xml
that can be enabled by settingcae.use.local.resources
to false.The cae-preview-webapp module will read templates from the workspace by default because
cae.use.local.resources
is set totrue
. Deployed webapps will read templates from the ContentServer by default becausecae.use.local.resources
is set tofalse
.
Promotion to Core API
The Blueprint classes
ReferrerListPanel
andReferrerListPanelBase
have been moved into the packagecom.coremedia.cms.editor.sdk.premular
of the Studio core moduleeditor-components
. They are public API now.
The Blueprint class
SiteUtil
has been moved into the packagecom.coremedia.cms.editor.sdk.util
of the Studio core moduleeditor-components
. It is public API now.
Deployment and Virtualization
Cookbooks are now managed with Berkshelf. As a result, the cookbooks apt, aws, build-essential, chef_handler, java, mongodb, mysql, openssl, postgresql, sql_server, ulimit, windows and yum have been removed from the workspace. The versions are managed in the
boxes/chef/chef-repo/Berksfile
.As a result of the above change it is now required to have Berkshelf and the vagrant-berkshelf plugin installed. To install Berkshelf it is recommended to install the latest Chef Development Kit. To install the vagrant-berkshelf plugin execute
vagrant plugin install vagrant-berkshelf
.
Updated Chef client in Vagrant setup to
11.16.4
.Please use at least Vagrant 1.6.5 and VirtualBox 4.3.18.
New CentOS 6.6 coremedia/base box 1.15.0 in Vagrant Cloud
CentOS 6.6 including kernel 2.6.32-504.el6.x86_64
openssl-1.0.1e-30.el6_6.2
bash 4.1.2-29.el6
VirtualBox guest additions 4.3.18 (r96516)
VMware tools 9.8.4.39977 (build-2202052)
OpenJDK 1.7.0_71
The deployment properties
SOLR_MASTER_DATA_DIR
andSOLR_SLAVE_DATA_DIR
have been removed. The actual index data files are no longer written to the directory configured with JVM system propertysolr.data.dir
but to the Solr Home directory.
Known Issues
The Blueprint packages
solr-master-tomcat
andsolr-slave-tomcat
are not correctly set up for Solr replication. Nothing gets replicated with the default configuration.The
solrconfig.xml
files in the config set directoriescontent
,cae
andelastic
in<solr-home>/configsets
use the following variables in the configuration of the ReplicationHander which are not correctly resolved:${enable.master:false}
,${enable.slave:false}
and${solr.master.url:http://localhost/solr}
.As workaround these properties can be specified as JVM system properties. For the Solr Master Tomcat use
-Denable.master=true -Denable.slave=false
. For the Solr Slave Tomcat use-Denable.master=false -Denable.slave=true -Dsolr.master.url=http://<master-host>:<master-port>/solr
with<master-host>
and<master-port>
set to hostname and port of the Solr Master Tomcat. Alternatively you can just replace the mentioned${...}
placeholders in allsolrconfig.xml
files.