uPortal 4.2.1

This version of uPortal is a maintenance/bug-fix release of the 4.2 minor version. t includes 21 bug fixes and enhancements in total, but the primary motivation for this new patch release is updating to the new Java Portlet API 2.1 specification.

See also

• The 4.2.1 wiki page, which includes macros listing known defects in this release and the issues resolved for this release.

Notable fixes in this release

• Update portlet api to 2.1
• Fragment-admin-exit portlet needs to be integrated with the Respondr skinning process
• uPortal builds failing with org.codehaus.staxmate:staxmate:jar:2.0.1 due to codehaus repo termination
• Add caching to two DB PAGS methods
• PortalPermissionEvaluator doesn't support unauthenticated users
• uPortal may not work with Oracle 12
• Add the search-launcher to the guest experience
• Poor SQL Performance for DB-based PAGS
• Improve performance of the Marketplace subsystem by REMOVING the (additonal) permissions check for MANAGE and by creating far fewer AuthorizationPrincipal objects

uPortal 4.2.0

uPortal 4.2.0 Final
Released: 24 April 2015

Summary

This version of uPortal is a general audience (GA) release of the next uPortal minor version. It provides several new and exciting features that are not in the 4.1.x line, as well as all the maintenance updates – primarily bug & security fixes – that are included in the 4.1.x line. This release includes some modest changes to default configuration settings. (See Developer Notes below.) In upgrading to uPortal 4.2 from version 4.1, you are free to continue with the configurations you have; but you should review these changes and strongly consider making them locally. These changes offer better alignment with planned future enhancements.

Highlights

The following enhancements or bug fixes are especially noteworthy.

• Hover chrome, which provides access to chrome-based functions (e.g. Minimize, Maximize, Remove, etc.) for portlets with showChrome=false
• Numerous enhancements and fixes to uPortal's Multi-Tenancy features
• The Portlet Manager UI has been greatly improved & simplified
• A client-side session timeout warning message, with the option to continue the session, has been added
• A 6-column layout option has been added; works gorgeously with small portlets like the App Launcher
• The Portlet Marketplace UI has been greatly improved & simplified
• Added MAINTENANCE portlet lifecycle state (accessible from the Portlet Manager), which displays a user-friendly message when a portlet is out-of-service
• Added support for the Experience ("Tin Can") API
• Added Transient Layout Node support for unauthenticated (guest) users; this enhancement means that guest users can access – provided they have the proper permissions -- portlets that are not on the guest layout

Notes on Deploying & Upgrading:

• Requires Servlet API 3.0 to run. Tomcat 7.0 supports this version. Choose the most recent Tomcat 7.
• Requires Java 7 ("JDK 1.7"). Java 8 ("JDK 1.8") is not yet supported.
• Data export and import is required when upgrading from uPortal 4.0.x or earlier. (It's also worth considering if you're upgrading from uPortal 4.1.x, depending on how much is changing.)
• The default PAGS implementation has been switched from XML file-based (legacy) to database-based (JPA); the legacy configuration still works, but you may want to make the switch (some future administrative tools may require the JPA strategy); there is a Groovy script for migrating
• The BROWSE permission now exclusively governs whether a portlet is available to a user in the Customize Gallery, Search results, and the /api/portletList API (used by Customize Gallery). The behavior of /api/portletList, moreover, has changed to include portlets with no categories. This change will require uPortal 4.1 and prior to review their data entities to add BROWSE permissions when migrating portlet definitions to uPortal 4.2.0. Without the BROWSE permission, users will not see portlets in these interfaces.
• The Universality theme has been retired; Respondr is now the only theme for non-mobile devices

uPortal 4.2.0 Milestone 1

A first milestone release towards uPortal 4.2.0. Not a general audience release or even a release candidate. Not intended for production adoption.

See also:

• The uPortal 4.2.0-m1 release page and news item on www.apereo.org
• The uPortal 4.2.0-m1 page in the Confluence wiki, which includes reports from the issue tracker.
• A blog post detailing what’s in this release

uPortal 4.2 is uPortal 4.1 except better.

• Better Marketplace, something much closer to feature-complete than that shipping in uPortal 4.1. You might even be willing to put this Marketplace in front of real users.
• Better APIs. Especially JSON web service APIs. Also improvements to Java APIs modeling users and to plugin points in the rendering pipeline and for user profile selection.
• Better experiences. A user-facing dialog inviting session extension when session timeout expires. Better messaging to users when portlets are taken out of service for maintenance.
• Better tools. A much more attractive Portlet Manager and Permissions Manager. Command line conveniences and a better command line build implementation.
• Better logging for better troubleshooting.

Pull requests that were merged for inclusion in this release:

• Marketplace with asynchronous cache population, layout adding, enforcement of BROWSE permission on related portlets and client-side screenshot validation.
• A much nicer Portlet Manager, with tooltips in the UI and better documentation to disambiguate portlet names, titles, and fnames. Other administrative UIs got better too. And a new Maintenance portlet lifecycle state.
• Fixed Google Analytics integration.
• A session timeout dialog
• Inline portlet configuration
• Better search results for Simple Content portlets.
• App Launcher portlet type with a handy six column layout to place them in.
• Better JSON APIs including fnames. Better IPerson API.
• Better handling of access to portlets not in one’s layout, also for unauthenticated users in transient layouts no less
• Filters Respondr regions out of mUniversality and adds Google Analytics in.
• Handy administrative access to dynamic skin configuration
• Saving a layout change as one AJAX call rather than two
• Updated PostgreSQL dependency
• A SmartLdap group store that’s less weird. Still smart.
• Use of CSS animation rather than jQuery animation, with the added bonus of working. Better showchrome = false styling, again with the workings.
• Sticky profile selections, in transactions, with a fancy createOrUpdate DAO API, but not for the guest user, and with graceful failure and logging.
• MarketplaceEntry, MarketplacePortletDefinition, and PortletDefinitionImpl nicities, with keywords, launching better URLS to specified target windows.
• Better portlet failure logging and logging on DLM fragment audience determination.
• Better tools for schema update generation and deploying XSLT and LESS files, and you can even run them under Ant 1.9.3+
• Rendering pipeline tricks to conditionally terminate in a redirect.
• Better Groovy compilation implementation in a build process without focus stealing
• Unit testing that respondr.xsl compiles, now that everyone is adopting it.
• Updated guidance for contributing. You should.

uPortal 4.1.2

This version of uPortal is a maintenance/bug-fix release of the 4.1 minor version. It corrects some build issues, some potential Javascript issues, some visual issues in admin UIs, and improves some caching behavior.

See also

• The 4.1.2 wiki page, which includes macros listing known defects in this release and the issues resolved for this release.

Notable fixes in this release

• Additional improvements to ant build issues with downloaded artifacts having 301 Moved Permanently html content
• Implement effective caching for Marketplace entities
• Fix for Google Analytics CONFIG mode

uPortal 4.1.1

uPortal 4.1.1 is a patch release of uPortal 4.1 cut to release a couple important security fixes and to ship some minor fixes that had accumulated in the 4.1-patches maintenance branch.

See also

• The 4.1.1 wiki page, which includes macros listing known defects in this release and the issues resolved for this release.

Important security fixes in this release

Prior to this release, uPortal CAS integration was bugged such that

• CVE-2014-5059 a user logging in via CAS can log in as any user account in the typical uPortal CAS login configuration, and
• CVE-2014-4172 the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.

This release addresses these vulnerabilities by

• Shipping a corrected default, example security.properties configuration, and
• Shipping a fixed CAS-integration uPortal SecurityContext implementation that fails safe even when the incorrect security.properties configuration is applied, and
• Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.

Other fixes in this release

• Ant targets in the build process do less needless work
• The Statistics Portlet no longer fails under Respondr
• The Google Analytics integration no longer generates stack trace noise when the guest user accesses the portal
• The GoogleAnalytics init.jsp is no longer missing an important semicolon
• The Activity portlet now uses the uPortal-provided jQuery

uPortal 4.0.15

uPortal 4.0.15 is a patch release of uPortal 4.0 cut to release a couple important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, uPortal CAS integration was bugged such that

• CVE-2014-5059 a user logging in via CAS can log in as any user account in the typical uPortal CAS login configuration, and
• CVE-2014-4172 the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.

This release addresses these vulnerabilities by

• Shipping a corrected default, example security.properties configuration, and
• Shipping a fixed CAS-integration uPortal SecurityContext implementation that fails safe even when the incorrect security.properties configuration is applied, and
• Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.

You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.

In locally upgrading to this version of uPortal, if your portal was affected by these vulnerabilities, it is essential that you apply the provided change to your web.xml. The provided change to your security.properties is a good idea, but it isn't necessary in order to get safe so long as you apply the provided CasAssertionSecurityContext code change in your upgrade.

uPortal 4.0.15 rolls back an introduction of an acceptAnyProxy configuration that had been introduced in the 4.0 line for 4.0.14. acceptAnyProxy tells the Java CAS Client to accept proxy tickets regardless of what application is proxying them. While this is convenient for demoing, it would be unfortunate for that configuration to inadvertently slip into production in any uPortal environments, and this change makes the out of the box configuration a little further from that.

The Attachments component of e.g. the SimpleContentPortlet had been inadvertently using a Hibernate-internal not-for-production-use connection pool. This release fixes that configuration.

This release turns on Travis-CI continuous integration testing for the uPortal 4.0-patches branch. This provides an additional safety net and feedback mechanism for uPortal product development on this maintenance branch and also provides you the adopter with a better starting point for using Travis-CI for continuous integration testing of your local uPortal implementation.

This release no longer looks for dependencies in remote Maven snapshot repositories it probably shouldn't have been using.

uPortal 4.1.0

uPortal 4.1.0 Release Description

Binaries linked at the bottom of this release page.

uPortal 4.1 is a "big" "minor" uPortal release including a bunch of features. This document steps through some of the changes in this release, linking to selected JIRA issues and to the relevant uPortal manual wiki pages. Much more detail is available in the under-continued-development uPortal 4.1 manual wiki space, in the full issue-tracker-generated release notes, and in the source control logs.

Security fixes

uPortal 4.1 includes several important security fixes (most of which were previously addressed in 4.0 patch releases).

These fixes are detailed in an appendix at the end of this document.

Supported Runtime Environment

uPortal 4.1 supports and runs in Java 7 and Tomcat 7, including later Tomcat 7 versions.

Feature ports to achieve Tomcat 7 compatibility include updated URL rewriting disabling configuration, and adjustment to comport with under-zealous scanning for taglib descriptors.

See also Requirements in the uPortal 4.1 manual wiki.

Respondr

uPortal 4.1 ships with a new responsive-design theme transform and skin named Respondr, complete with a login profile such that now Universality, mUniversality, and Respondr each have a login profile and Respondr is the default for all uses including for mobile devices.

Respondr includes popular Universality theme features, many of which re-implemented into layout management configuration of Regions and portlets placed into those regions.

Respondr uses Bootstrap (3) with the Paypal accessibility plugin.

See also Respondr in the uPortal 4.1 manual wiki.

mUniversality

uPortal 4.1 maintains mUniversality, with headers and footers now rendering and the JSON representation of layout now includes portlets in special areas of the page, besides just those within traditional tabs and columns.

Theme support

Respondr is in part built on better support for building themes in uPortal 4.1.

Specifically, uPortal permission checks are now available in XSL transforms (access to the Customize menu and to the Add Tab control is now permissions-based) and some JavaScript is now common between skins across themes, easing theme development and maintenance.

That said, please don't go build a whole new theme without first trying to improve Respondr to meet your needs!

Multi-tenant

uPortal 4.1 includes support for multi-tenancy with bootstrapping of tenant admin accounts via email.

Access to publish particular portlet publishing types is now gated by a SELECT_PORTLET_TYPE permission useful for tailoring the access of tenant administrators. The entire select portlet type step is skipped if a user has but one viable choice.

uPortal 4.1 tries to use permissions to determine a sensible group and category selection tree root in launching the group selection UI, addressing a use case where a tenant administrator might have permission to publish to only a portion of the user groups tree or in only a portion of the portlet category tree.

Skins in this release can be compiled and included more dynamically via the DynamicRespondrSkin portlet.

See also Multi-tenancy in the uPortal 4.1 manual wiki.

APIs

Initial progress towards a platform JSON web services API offers groups and permissions query support.

Deep linking

Deep linking is now better supported with support for tab externalId and uPortal no longer loses track of request parameters under certain login paths.

See also consistent uPortal URLs in the uPortal 4.1 manual wiki.

Marketplace

uPortal 4.1.0 includes a first pass at a Marketplace portlet as an alternative to the Customize Drawer for enabling discovering and selecting portlets. It supports rating portlets and displaying back to users aggregated ratings.

Marketplace is best understood as a pre-release preview of new navigation in development at the University of Wisconsin-Madison. It has significant rough edges in the initial 4.1.0 release.

Favorites

uPortal 4.1 ships with a Favorites portlet.

Favorites is best understood as a pre-release preview of new navigation in development at the University of Wisconsin-Madison. It has significant rough edges in the initial 4.1.0 release.

JPA-backed PAGS

uPortal 4.1 introduces an optional JPA-backed (in the database) configuration of PAGS (the Person Attribute Group Store) intended to obviate the XML-file-backed PAGS configuration of prior uPortal releases (and still available in this release). Both XML-backed and database-backed PAGS have a new eager regex tester available that behaves more like what you may have thought the existing regex tester did and PAGS is enhanced as regards its ability to use property values.

See also Person Attribute Group Store in the uPortal 4.1 manual wiki.

Notifications

A Notification Icon portlet is now included in the header with an indication of the current count of notifications.

Search

Search now features auto-complete, hides tabs if so configured, and doesn't require case matching where you wouldn't expect it to.

Layout Management

Most DLM fragments shipping in uPortal now target groups using deepMemberOf rather than (shallow) memberOf. This yields applying fragments to members of sub-groups and demonstrates the preferred practice.

The Fragment Administration portlet now saves edit permission changes properly and supports publishing links into the sidebar from a DLM fragment.

Comments in fragment-layout.xml files no longer cause parts of layouts not to be imported and the Audit DLM Fragments portlet no longer fails when the audited DLM fragment references an unrecognized portlet fname.

Import/Export

uPortal now (optionally) runs db-update when it detects this is needed.

DLM ProfileEvaluator export and import round-trip now works properly and the export flag on db-update and db-init Ant tasks is now properly honored.

Entity file archives can now be imported and values within entity exports are now consistently ordered.

JAXB importer, exporter, deleter, and upgrader provisioning failures no longer fail the entire portal initialization.

See Import-Export in the uPortal 4.1 manual wiki.

CSS, styling, and skinning

Users can now select a background image.

The DETACHED window state now provides an optional sticky header.

Styling details are improved throughout, including in Person Lookup and User and Group Permission pages. Text shadows are improved. Zoom scale problems and fixed toolbar bugs are addressed.

Tables in the uPortal UI are updated to use Datatables instead of Fluid.

Unchecked console.log usages in JavaScript are resolved.

Users and Attributes

The USER_NAME column in the uPortal database is widened to 100 characters.

Username-keyed user attribute caches are now purged on login so that attribute values will be freshly determined for the logging in user. Suggestions and example configuration for user attribute gathering are clarified, include a caching example, and the [example LDAP configuration is...

uPortal 4.0.14

See the release notes page in the wiki for this release.

uPortal 4.0.13.1

Security fix release patching uPortal 4.0.13 to resolve two important security defects.

See the release notes in the wiki.

uPortal 4.1.0 RC2

Release candidate 2 of uPortal 4.1.0.