
Released: 11 June 2014

Download the release

You can grab the binary releases, including a ready-to-start Quickstart release, from the GitHub release page.

uPortal 4.0.14 GA Announcement

Apereo is proud to announce uPortal 4.0.14, continuing in our regular patch releases of uPortal 4.0.

Human-readable release notes

uPortal 4.0.14 is a patch release of uPortal 4.0 cut to release a couple of important security fixes and to ship a slew of minor fixes that had accumulated in the 4.0-patches maintenance branch.  Prior to this release, portlet administration permissions are bugged such that

1) CVE-2014-3146 anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of intended delegated administration MANAGE and MANAGE-* permission restrictions, and

2) CVE-2014-3147 anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet to the extent that the portlet has a CONFIG mode.
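
The following is an added example, not uPortal code: a small model of the two bugs above that lists which MANAGE and CONFIG rights were effective before this release without ever being granted, which is what an adopter would want to review when upgrading. The grant tuples, the principal and portlet names other than portlet-admin, and the "CONFIG" activity label are constructed, principals are flat (no group expansion), and every portlet is assumed to have a CONFIG mode.

```python
# Added example: model of the two permission bugs described above.
ADMIN_PORTLET = "portlet-admin"  # portlet name taken from the release notes

# Constructed grants: (principal, activity, target portlet). Principals are
# flat here (no group expansion) and "CONFIG" is a stand-in activity label.
SAMPLE_GRANTS = {
    ("dept-admin", "SUBSCRIBE", ADMIN_PORTLET),
    ("dept-admin", "MANAGE", "dept-news"),
    ("student", "SUBSCRIBE", "dept-news"),
    ("hr-admin", "CONFIG", "payroll"),
}

def intended(grants, principal, action, portlet):
    """Intended rule: the action needs its own grant on that portlet."""
    if action == "MANAGE":  # MANAGE or any MANAGE-* variant counts
        return any(p == principal and a.startswith("MANAGE") and t == portlet
                   for p, a, t in grants)
    return (principal, action, portlet) in grants

def pre_fix(grants, principal, action, portlet):
    """Behaviour the notes describe for releases before 4.0.14."""
    if intended(grants, principal, action, portlet):
        return True
    if action == "MANAGE":  # item 1: SUBSCRIBE on portlet-admin was enough
        return (principal, "SUBSCRIBE", ADMIN_PORTLET) in grants
    if action == "CONFIG":  # item 2: SUBSCRIBE on the portlet was enough
        return (principal, "SUBSCRIBE", portlet) in grants
    return False

def excess(grants):
    """Rights that were effective before the fix but were never granted."""
    principals = sorted({p for p, _, _ in grants})
    portlets = sorted({t for _, _, t in grants})
    return [(p, act, t)
            for p in principals for t in portlets
            for act in ("MANAGE", "CONFIG")
            if pre_fix(grants, p, act, t) and not intended(grants, p, act, t)]

if __name__ == "__main__":
    for principal, action, portlet in excess(SAMPLE_GRANTS):
        print(f"{principal}: {action} on {portlet} was possible without a grant")
```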


This release includes essential fixes for successfully implementing delegated portlet administration features.  This release attempts to root the portlet management group and category selector UI at a close-to-tree-root yet user-selectable group or category, fixes JSON web service permission checks so that they succeed when they ought to instead of always failing for non-super-users, and fixes the publishing lifecycle step of the portlet publication workflow for non-super-users.

This release also adds the Emergency Alert portlet to the guest view, which will be an important fix for adopters using guest views and emergency alerts, and drops the category from the default emergency-alert portlet definition to prevent users from adding it to odd places in their own layouts.

This release works with Tomcat 7.0.47 (and later?), whereas without this fix, ending and upgrading user sessions was bugged.

The reset-password portlet had been bugged so as to be unusable, but this release includes a fix.  Guest user account detection is now case-insensitive.  Permissions administration principal selection is fixed.

This release fixes DLM ProfileEvaluator import to now successfully import the XML it exports.

Search over the portlet registry standardizes to lowercase and so should return more of the search hits that you'd expect.

The in-memory password encryption key is now conveniently configured in to encourage adopters to set it.  You have changed that encryption key from the default, if you're using in-memory passwords, right? 

Speaking of caching passwords in memory, CAS / ClearPass users should review the ClearPass cache update synchronicity configuration changes in this release.  This release includes out-of-the-box CAS / ClearPass configuration that's closer to ready-to-go more generally (but is still off-by-default).

In this release the calendar portlet's default US holiday data feed now draws (working) from Google, replacing a previous default configuration that went bad.

This release upgrades jquery and jqueryUI to 1.8.24 and jquery-mobile to 1.3.2, tweaks Fluid to support jQuery 1.8, disables UI scaling under muniversality, improves text shadows, fixes UI glitches in portlet-administration, in portlet titles, and in the hc and coal themes, and removes the (broken) Popular Portlets button from the Portlet Manager.  A new portlet preference governs whether the portal-activity portlet displays popular searches.

This release bumps the versions of some included portlets:


In under-the-hood tweaks, this release patches away some database resource leaks, configures uPortal's ehcache to be shared, tweaks the environment filter set, updates Maven exclusions, silences an extraneous hsql shutdown EOFException, and adds some null handling on the JSON web services accessing groups and in the person attribute group store.

The quickstart configuration in this release bumps the max memory to 500 mb.


On upgrade, you may want to:



Updating from 4.0.0-4.0.5

db-update will drop data

If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table please back it up externally or rename the table before executing the following steps. db-update will drop this table.

After configuring your uPortal 4.0.14 source run:

  • ant db-update


Release Notes: 
Maven Project Site:


These developers contributed commits to this release:



Full Release Notes Generated from JIRA:

Release Notes - uPortal - Version 4.0.14

Security Bugs Fixed

  • [UP-4105] - CVE-2014-3416 MANAGE[-*] permissions not enforced
  • [UP-4106] - CVE-2014-3417 Any user can Configure any portlet they can SUBSCRIBE

Other Bugs fixed

  • [UP-3276] - Significant set of DB resource leaks in org.jasig.portal.layout.simple.RDBMUserLayoutStore
  • [UP-3786] - Remove the broken, extraneous 'Popular Portlets' button from the Portlet Manager
  • [UP-3864] - Manage permissions - cannot select principal in perms by category
  • [UP-3869] - Bamboo build failures with 'connection exception: connection failure:' on hsql shutdown
  • [UP-3870] - Fix Universality themes : add missing sass changes defined in css files ; add missing css changes defined in sass files ; add missing images
  • [UP-3873] - Fix error when tester is null on test method
  • [UP-3874] - Fix null group member entity
  • [UP-3881] - Maven goal (data-import) on project Announcements fails for Windows
  • [UP-3883] - StackOverflowError on Tomcat 7.0.47 whenever a session logs out
  • [UP-3895] - DLM's ProfileEvaluatorFactory fails to import the XML produced by the ProfileEvaluator on export
  • [UP-4013] - Search of Portlets fails to find portlets with uppercase in string that should match
  • [UP-4033] - Emergency Alert missing from guest view in 4.0.x
  • [UP-4054] - Bug in the reset-password flow that renders it unusable
  • [UP-4056] - Clustered CAS Clearpass Configuration not working
  • [UP-4057] - constructor args in wrong order
  • [UP-4058] - PortletCategoryRegistryLocator bean missing from locatorContext.xml
  • [UP-4092] - PortalPermissionEvaluator sends the wrong TARGET String for JsonEntityBean objects when it checks permissions for REST API calls
  • [UP-4115] - Trivial typos in documentation
  • [UP-4117] - Quickstart readme documents wrong portal.log file path

Improvements Realized

  • [UP-3867] - Update jQuery-Mobile to the last version : use jquery-mobile 1.3.2 instead of jquery-mobile 1.1.1
  • [UP-3868] - Fix zoom scale problems and bugs with fixed toolbars
  • [UP-3871] - Fix mistypes on messages and improve fr translations
  • [UP-3872] - Improve internationalization of Search Portlet and Directory Search Portlet
  • [UP-3875] - Add environment filters for cas context (/cas) and all params of email sending configuration
  • [UP-3876] - Update jQuery, jQuery-UI, Backbone, Underscore and others javascripts libs used by universality and muniversality skins
  • [UP-3877] - Improving text-shadows : fix bad blur effects on some buttons, lists, ui-li-dividers when a black text has a black text-shadow ; Removed any remaining blur on text shadows for better performance (@see jquery/jquery-mobile@7903171)
  • [UP-3898] - Replace Calendar portlet default holiday data feed to Google
  • [UP-3967] - Put password encryption value in
  • [UP-3970] - Configure uPortal's ehcache to be a shared cache
  • [UP-4037] - Include as much of ClearPass configuration as possible in standard configuration
  • [UP-4066] - Manage Portlets: Group and category selection use permissions to get forest root
  • [UP-4108] - Changes to allow CAS Clearpass to work in clustered uPortal environments
  • [UP-4113] - Update issue tracker URL in Quickstart readme
  • [UP-4114] - Update uPortal website URL in quickstart readme.
  • [UP-4116] - Remove reference to -dev quickstart
  • [UP-4118] - Add quickstart readme instruction re submitting security defect reports
  • [UP-4119] - Note bugs-affecting-version search embedded on release notes wiki page

New Features Added

  • [UP-3755] - Introduce the management of an alternative maximized link in portlet parameters
  • [UP-4034] - Add a portlet preference to the portal-activity portlet to toggle display of popular searches

Stories Told

  • [UP-3885] - Update resource-server exclusions in 4.0.x to exclude slf4j
  • [UP-4024] - Maven build fails on a new machine due to CalendarPortlet dependency on xalan:serializer, which is in offline 3rd-party repo

Tasks Completed

  • [UP-3889] - Change memberOf to deepMemberOf for most DLM fragments

-Andrew Petro


Deployer Notes

  • Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5.  You probably actually want a recent Tomcat 7.
  • Requires JDK 1.6.0_26 or newer.  Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work.  JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
  • Data export and import is required when upgrading from a version earlier than 4.0.0.  Login event aggregation data migration is required when upgrading from a version 4.0.0 to 4.0.5, see above.

Issues addressed in uPortal 4.0.14


Bugs known to afflict uPortal 4.0.14

(Note that this is only as good as the affects-version metadata on JIRA issues).
