Released: 11 June 2014
Download the release
You can grab the binary releases, including a ready-to-start Quickstart release, from the GitHub release page.
uPortal 4.0.14 GA Announcement
Apereo is proud to announce uPortal 4.0.14, continuing in our regular patch releases of uPortal 4.0.
Human-readable release notes
uPortal 4.0.14 is a patch release of uPortal 4.0 cut to release a couple of important security fixes and to ship a slew of minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, portlet administration permissions were bugged such that
1) CVE-2014-3146: anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of the intended delegated-administration MANAGE and MANAGE-* permission restrictions, and
2) CVE-2014-3147: anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet, to the extent that the portlet has a CONFIG mode.
This release includes essential fixes for successfully implementing delegated portlet administration features. This release attempts to root the portlet management group and category selection selector UI at a close-to-tree-root yet-selectable-by-the-user group or category, fixes JSON web service permission checks to succeed when they ought instead of always failing for non-super-users, and fixes the portlet publishing lifecycle stage step of the portlet publication workflow for non-super-users.
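The two permission defects described above come down to checking the wrong activity on the wrong target: reaching the admin UI (SUBSCRIBE on portlet-admin) was treated as sufficient to manage any portlet, and being able to view a portlet (SUBSCRIBE on it) was treated as sufficient to configure it. The following is an added illustration, not uPortal's own code: it models a principal's grants as (activity, target) pairs and places the pre-fix checks beside corrected ones that require MANAGE (and, for lifecycle changes, a stage-specific MANAGE_* grant) on the specific target portlet. The activity names, the ALL_PORTLETS wildcard target and the sample principals are constructed for this model and are not uPortal identifiers.

```python
"""Constructed model of the portlet-administration permission defects and
their corrected checks. Not uPortal code; activity names, the ALL_PORTLETS
wildcard and the sample principals are assumptions made for illustration."""
from dataclasses import dataclass, field

PORTLET_ADMIN = "portlet-admin"   # the Portlet Manager portlet itself
ALL_PORTLETS = "ALL_PORTLETS"     # constructed wildcard target for MANAGE grants


@dataclass
class Principal:
    name: str
    grants: set = field(default_factory=set)  # set of (activity, target) pairs

    def has(self, activity: str, target: str) -> bool:
        return (activity, target) in self.grants


def manage_granted(p: Principal, activity: str, portlet: str) -> bool:
    """True if `activity` (MANAGE or MANAGE_<STAGE>) is granted on `portlet`
    specifically or on every portlet via the wildcard target."""
    return p.has(activity, portlet) or p.has(activity, ALL_PORTLETS)


# --- pre-fix behaviour, as the announcement describes it -------------------

def can_manage_vulnerable(p: Principal, portlet: str) -> bool:
    # The only gate is SUBSCRIBE on the admin portlet; `portlet` is never
    # consulted, so any admin-UI subscriber can manage every portlet (first
    # defect above).
    return p.has("SUBSCRIBE", PORTLET_ADMIN)


def can_enter_config_vulnerable(p: Principal, portlet: str) -> bool:
    # CONFIG mode keyed off the same permission that lets a user view the
    # portlet (second defect above).
    return p.has("SUBSCRIBE", portlet)


# --- corrected behaviour: right activity, right target ----------------------

def can_manage_fixed(p: Principal, portlet: str) -> bool:
    # Reaching the admin UI is necessary but not sufficient: MANAGE must be
    # granted on the specific target portlet (or on all portlets).
    return p.has("SUBSCRIBE", PORTLET_ADMIN) and manage_granted(p, "MANAGE", portlet)


def can_set_lifecycle_fixed(p: Principal, portlet: str, stage: str) -> bool:
    # Model of the MANAGE-* restriction: moving a portlet to a lifecycle
    # stage additionally needs the stage-specific grant on that portlet.
    return can_manage_fixed(p, portlet) and manage_granted(p, "MANAGE_" + stage, portlet)


def can_enter_config_fixed(p: Principal, portlet: str) -> bool:
    # CONFIG mode is an administrative action: require MANAGE on the
    # portlet, independent of whether the user may SUBSCRIBE it.
    return manage_granted(p, "MANAGE", portlet)


# --- constructed sample principals ------------------------------------------

SUPERUSER = Principal("portal-admin", {
    ("SUBSCRIBE", PORTLET_ADMIN), ("MANAGE", ALL_PORTLETS),
    ("MANAGE_PUBLISHED", ALL_PORTLETS)})
# Delegated administrator: may manage "news" only, and only up to APPROVED.
DELEGATE = Principal("news-editor", {
    ("SUBSCRIBE", PORTLET_ADMIN), ("MANAGE", "news"), ("MANAGE_APPROVED", "news"),
    ("SUBSCRIBE", "news"), ("SUBSCRIBE", "calendar")})
VIEWER = Principal("student", {("SUBSCRIBE", "calendar")})


def compare(p: Principal, portlet: str) -> dict:
    """Side-by-side outcome of the vulnerable and corrected checks."""
    return {
        "manage_vuln": can_manage_vulnerable(p, portlet),
        "manage_fixed": can_manage_fixed(p, portlet),
        "config_vuln": can_enter_config_vulnerable(p, portlet),
        "config_fixed": can_enter_config_fixed(p, portlet),
        "publish_fixed": can_set_lifecycle_fixed(p, portlet, "PUBLISHED"),
    }


if __name__ == "__main__":
    for principal in (SUPERUSER, DELEGATE, VIEWER):
        for target in ("news", "calendar"):
            print(principal.name, target, compare(principal, target))
```

The delegate case is the one worth reading: under the vulnerable checks the news editor can manage and configure the calendar portlet merely by subscribing the admin UI and the calendar; under the corrected checks they can manage and configure only news, and cannot publish even that without a MANAGE_PUBLISHED grant.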
This release also adds the Emergency Alert portlet to the guest view, which will be an important fix for adopters using guest views and emergency alerts, and drops the category from the default emergency-alert portlet definition to prevent users from adding it to odd places in their own layouts.
This release works with Tomcat 7.0.47 (and, presumably, later versions), whereas without this fix ending and upgrading user sessions on that Tomcat was bugged.
The reset-password portlet had been bugged so as to be unusable, but this release includes a fix. Guest user account detection is now case-insensitive. Permissions administration principal selection is fixed.
This release fixes DLM ProfileEvaluator import to now successfully import the XML it exports.
Search over the portlet registry now standardizes to lowercase and so should return more of the search hits you'd expect.
The in-memory password encryption key is now conveniently configured in portal.properties to encourage adopters to set it. You have changed that encryption key from the default, if you're using in-memory passwords, right?
Speaking of caching passwords in memory, CAS / ClearPass users should review the ClearPass cache update synchronicity configuration changes in this release. This release includes out-of-the-box CAS / ClearPass configuration that's closer to ready-to-go more generally (but is still off-by-default).
In this release the calendar portlet's default US holiday data feed now draws (and works) from Google, replacing a previous default configuration that had gone bad.
This release upgrades to jquery and jqueryUI 1.8.24, jquery-mobile to 1.3.2 and tweaks Fluid to support jQuery 1.8, disables UI scaling under muniversality, improves text shadows, fixes UI glitches in portlet-administration, in portlet titles, and in the hc and coal themes, and removes the (broken) Popular Portlets button from the Portlet Manager. A new portlet preference governs whether the portal-activity portlet displays popular searches.
This release bumps the versions of some included portlets:
- calendar portlet bumps to 2.1.3-M4, and excludes an unneeded volatile Maven dependency.
- email-preview portlet bumps to 2.1.1-M1
- jasig-widget-portlets bumps to 2.0.1
In under-the-hood tweaks, this release patches away some database resource leaks, configures uPortal's ehcache to be shared, tweaks the environment filter set, updates Maven exclusions, silences an extraneous hsql shutdown EOFException, and adds some null handling in the JSON web services accessing groups and in the person attribute group store.
On upgrade, you may want to:
- Update your message bundle to localize new messages for the search and directory search portlets.
Updating from 4.0.0-4.0.5
db-update will drop data
If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table please back it up externally or rename the table before executing the following steps. db-update will drop this table.
After configuring your uPortal 4.0.14 source run:
Release Notes: https://wiki.jasig.org/display/UPC/4.0.14
Maven Project Site: http://developer.jasig.org/projects/uportal/4.0.14/
These developers contributed commits to this release:
- Ludovic Auxepaules
- Shawn Connolly
- Aaron Grant
- Julien Gribonvald
- Tim Levett
- Andrew Petro
- James Wennmacher
- Drew Wills
Full Release Notes Generated from JIRA:
Release Notes - uPortal - Version 4.0.14
Security Bugs Fixed
- [UP-4105] - CVE-2014-3416 MANAGE[-*] permissions not enforced
- [UP-4106] - CVE-2014-3417 Any user can Configure any portlet they can SUBSCRIBE
Other Bugs fixed
- [UP-3276] - Significant set of DB resource leaks in org.jasig.portal.layout.simple.RDBMUserLayoutStore
- [UP-3786] - Remove the broken, extraneous 'Popular Portlets' button from the Portlet Manager
- [UP-3864] - Manage permissions - cannot select principal in perms by category
- [UP-3869] - Bamboo build failures with 'connection exception: connection failure: java.io.EOFException' on hsql shutdown
- [UP-3870] - Fix Universality themes : add missing sass changes defined in css files ; add missing css changes defined in sass files ; add missing images
- [UP-3873] - Fix error when tester is null on PersonAttributesGroupStore.java test method
- [UP-3874] - Fix null group member entity
- [UP-3881] - Maven goal (data-import) on project Announcements fails for Windows
- [UP-3883] - StackOverflowError on Tomcat 7.0.47 whenever a session logs out
- [UP-3895] - DLM's ProfileEvaluatorFactory fails to import the XML produced by the ProfileEvaluator on export
- [UP-4013] - Search of Portlets fails to find portlets with uppercase in string that should match
- [UP-4033] - Emergency Alert missing from guest view in 4.0.x
- [UP-4054] - Bug in the reset-password flow that renders it unusable
- [UP-4056] - Clustered CAS Clearpass Configuration not working
- [UP-4057] - AuthorizableActivity.java constructor args in wrong order
- [UP-4058] - PortletCategoryRegistryLocator bean missing from locatorContext.xml
- [UP-4092] - PortalPermissionEvaluator sends the wrong TARGET String for JsonEntityBean objects when it checks permissions for REST API calls
- [UP-4115] - Trivial typos in documentation
- [UP-4117] - Quickstart readme documents wrong portal.log file path
- [UP-3867] - Update jQuery-Mobile to the last version : use jquery-mobile 1.3.2 instead of jquery-mobile 1.1.1
- [UP-3868] - Fix zoom scale problems and bugs with fixed toolbars
- [UP-3871] - Fix mistypes on messages and improve fr translations
- [UP-3872] - Improve internationalization of Search Portlet and Directory Search Portlet
- [UP-3875] - Add environment filters for cas context (/cas) and all params of email sending configuration
- [UP-3877] - Improving text-shadows : fix bad blur effects on some buttons, lists, ui-li-dividers when a black text has a black text-shadow ; Removed any remaining blur on text shadows for better performance (@see jquery/jquery-mobile@7903171)
- [UP-3898] - Replace Calendar portlet default holiday data feed to Google
- [UP-3967] - Put password encryption value in portal.properties
- [UP-3970] - Configure uPortal's ehcache to be a shared cache
- [UP-4037] - Include as much of ClearPass configuration as possible in standard configuration
- [UP-4066] - Manage Portlets: Group and category selection use permissions to get forest root
- [UP-4108] - Changes to allow CAS Clearpass to work in clustered uPortal environments
- [UP-4113] - Update issue tracker URL in Quickstart readme
- [UP-4114] - Update uPortal website URL in quickstart readme.
- [UP-4116] - Remove reference to -dev quickstart
- [UP-4118] - Add quickstart readme instruction re submitting security defect reports
- [UP-4119] - Note bugs-affecting-version search embedded on release notes wiki page
New Features Added
- [UP-3755] - Introduce the management of an alternative maximized link in portlet parameters
- [UP-4034] - Add a portlet preference to the portal-activity portlet to toggle display of popular searches
- [UP-3885] - Update resource-server exclusions in 4.0.x to exclude slf4j
- [UP-4024] - Maven build fails on a new machine due to CalendarPortlet dependency on xalan:serializer, which is in offline 3rd-party repo
- [UP-3889] - Change memberOf to deepMemberOf for most DLM fragments
- Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5. You probably actually want a recent Tomcat 7.
- Requires JDK 1.6.0_26 or newer. Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work. JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
- Data export and import is required when upgrading from a version earlier than 4.0.0. Login event aggregation data migration is required when upgrading from a version 4.0.0 to 4.0.5, see above.
Issues addressed in uPortal 4.0.14
Bugs known to afflict uPortal 4.0.14
(Note that this is only as good as the affects-version metadata on JIRA issues).