Magnolia 5.3 reached end of life on June 30, 2017. This branch is no longer supported, see End-of-life policy.

Page tree
Skip to end of metadata
Go to start of metadata

Magnolia 5.3.16 fixes a JCR Query bug, potential security vulnerabilities and introduces the ability to disable drag and drop by configuration. Maven dependency management has also been improved.

What has changed?

An aggregated changelog for 5.3.16 contains all the changes. 

This release is a recommended update for all users of Magnolia 5.3.

Drag and drop can be disabled

You can disable drag and drop operations in workbenches. 

To control drag and drop operations in an app, the dragAndDrop property has been added to the class  info.magnolia.ui.workbench.definition.ConfiguredWorkbenchDefinition . The default value is true, set it to false to disable drag and drop.


Maven dependency management for 3rd party libraries improved

Maven dependency management for some 3rd party libraries such as commons-lang libraries has been cleaned up and improved. The 3rd-party module version has not changed. However, since we had to change the POM files on Magnolia modules, some modules got a new version and are part of this release.

Magnolia CAS module dependency updated 

Magnolia CAS module now comes with org.jasig.cas.client:cas-client-core:3.4.1 . This update provides the correction for a critical security vulnerability in several Jasig CAS clients that allows URL parameter injection due to improper URL encoding at the back-channel ticket validation step of the CAS protocol.  MGNLCAS-22.

Bug fixes

  • Fixed a JCR query bug connected with escaping HTML in the legacy JCR Queries app of the admininterface-legacy module. MGNLADMLEG-65
  • For Irish surnames like Ó Súilleabháin, their anglicized forms (i.e. O'Sullivan) are now correctly escaped in user names. MAGNOLIA-6696
  • Anonymous users are now denied access to to legacy ckEditor resources closing a potential DOS vulnerability in the CK Editor upload field. MGNLADMLEG-67.      

Updated modules

This release includes the following new module versions: 


  • Activation 5.3.6
  • AdminInterface (Legacy) 5.2.6
  • CAS Connector 1.3.1
  • Community Edition 5.3.16
  • Enterprise Edition 5.3.16
  • LDAP 1.7
  • Magnolia 5.3.16
  • Observation 2.0.5
  • Personalization 1.1.6
  • REST 1.1.2
  • REST Client 1.0.9
  • Transactional Activation 2.2.4
  • UI 5.3.16
  • Workflow 5.4.9

The Magnolia team would also like to thank everyone who reported issues, contributed patches, translated modules or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to: Thim Anneessens, Nils Breunese, Patrick Lötscher, Michaël Van Der Mark Frank Sommer.

How to update from earlier versions 

Important changes for Magnolia 5.2 and 5.3 users

If you had STK installed

If you continue to work with STK, use the new magnolia-enterprise-pro-stk-bundle as a basis for your project. It includes Enterprise Pro, STK and the old demo project. You get all STK functionality out of the box. Exclude the demo-project if it's in your way.

Jackrabbit configuration

In order to enable getting an HTML excerpt in a query result, you should update the configuration files of your Jackrabbit instances. Add the two <param/> directives within your <SearchIndex> block.

  <!-- more params here -->

  <!-- needed to highlight the searched term -->
  <param name="supportHighlighting" value="true"/>
  <!-- custom provider for getting an HTML excerpt in a query result with rep:excerpt() -->
  <param name="excerptProviderClass" value="info.magnolia.jackrabbit.lucene.SearchHTMLExcerpt"/>

log4j.xml addition

Add the log configuration for org.reflections

 <category name="org.apache.jackrabbit">
    <priority value="WARN" />
 <!-- Reflections library spoils logs with hundreds of harmless warnings; tries to look into native libs but none of its DefaultUrlTypes can handle them. -->
  <category name="org.reflections">
    <priority value="ERROR" />
  <category name="com">
    <priority value="WARN" />

How to update from Magnolia 5.2 and earlier

Unable to render {include} The included page could not be found.

How to update from Magnolia 4.5 and earlier

Unable to render {include} The included page could not be found.

Known issues

Memory consumption

Magnolia 5.3.16 ee-bundle may require you to allocate more memory the Java Virtual Machine (JVM). If you see a java.lang.OutOfMemoryError in the startup log or the system stops responding during installation, increase the Java heap size. The default maximum heap size is 512M. Try a higher amount such as 1024M. We are working on uncovering the root cause for the increased memory need; see Java out of memory.

This release – and the imaging module in particular – is know to have some issues with image generation depending on the java version used (e.g. Mac OS X and Java 8 or Linux and OpenJDK 1.7). We therefore provide version 3.1.5-java7 of the imaging module with this release. As it is not binary compatible to previous versions it is not bundled by default.  

Imaging module version incompatibilities with some OS / Java version combinations

Magnolia 5.3.16 contains Imaging module version 3.1.5. This module version has known issues in certain OS and Java environments. For example, if you use it on OSX with Java 8 the module creates images with wrong colors.

Use a special version of the Imaging module: 3.1.5-java7 if you are on:

  • Java 8 on OS X
  • Java 7 OpenJDK on Linux. (Java 7 from Oracle on Linux can use the regular imaging-module)

For further information please see:

Installing magnolia-module-imaging 3.1.5-java7

magnolia-module-imaging 3.1.5-java7 is not bundled by default. You have to install it manually.

Option 1: Maven

Maven is the easiest way to install the module. Add the following dependency to your bundle:


Option 2: Download and install the files

Pre-built jars are also available for download. 

For further information please see installing a module.

  • No labels