This article presents the main new features of JPlatform 10 SP5.
JPlatform service packs usually deliver patches and small functional and technical evolutions.
JPlatform 10 SP5 is one of the biggest releases in the history of Jalios. It includes more than 260 bug fixes, more than 190 improvements and about 30 new features:
https://issues.jalios.com/browse/JCMS/fixforversion/14223
JPlatform 10 SP5 introduces a major UX/UI refresh with new simplified, streamlined and more accessible interfaces.
This version also offers new features such as the trash, secure public links, reading confirmation, ...
Finally, JPlatform 10 SP5 also covers the more technical areas related to administration, operation, security and development.
1. New interfaces
Providing an effective, efficient and satisfying experience for all users is a priority for Jalios. The challenge is great since JPlatform is highly customizable in terms of data structure, processing and interfaces.
JPlatform 10 SP5 continues in this direction and brings significant improvements to all interfaces.
1.1 Harmonization of the applications
Since JPlatform 10 was released in October 2017, applications have multiplied. There are now more than 40 available. The applications cover a wide range of uses: blogging, wiki, conversations, project management, watch, training, ...
The applications have a common layout structure. They consist of a header, a sidebar and a body.
Although this structure is common, over time and with increasing usage, variations have begun to emerge within its three main areas. Elements have appeared in some headers. The nature and organization of elements in the sidebars changed from one application to another. And in the center of the application, common elements such as tables or cards also began to diverge slightly between applications. A thorough effort was therefore undertaken to harmonize all the applications.
Some changes, concerning the ergonomics (UX), must be made directly in the structure of the applications. For example, the tabs present in the header are reintegrated into the application body.
The harmonization also concerns the appearance. JPlatform offers a multitude of functions for many uses. The interfaces help to ensure that this richness of functionality does not create a feeling of confusion or complexity. Also, the style of the applications has been cleaned up, lightened and simplified.
JPlatform 10 SP5 marks a first important step in this harmonization. It concerns the applications delivered as standard by JPlatform (search, alerts and recommendations, application catalog, ...) and partly the module applications.
Example of an application with cards:
Application catalog in 10 SP4:
Application catalog in 10 SP5:
As you can see, in 10 SP5, the header has been reduced, the sidebar is clearer, the application logo is in color and visually identical to the one in the application launcher. The background of the application is white. The ratio of vertical cards has been standardized.
Example of an application with a table:
JDrive application in 10 SP4:
JDrive application in 10 SP5:
In this second example, the presentation of the results and the table have been simplified (fewer borders) and condensed in width. The action icons on each line have been grouped together in a menu accessible via the "..." icon.
Example with search:
Search results in 10 SP4:
Search results in 10 SP5:
In the search, the rendering of the results has also been lightened and homogenized: white background, fewer borders, visual area on the left always present. The tabs to search for people and spaces have been moved to the results bar.
These improvements will continue and will be progressively available as the modules offering applications are released. However, in order not to wait for these releases, JPlatform 10 SP5 comes with the RefreshUI 2.0 module, which applies the new style to module applications now.
1.2 Harmonization of interactions
The user interaction messages have been harmonized. Small recurring characters appear in the interfaces. They welcome users when they log in:
These characters are there to humanize the interfaces and give feedback to the user, as when the user is on-boarded in an application:
Or to give feedback to the user, for example when all the alerts have been read:
Or if there are no results in an application:
You can replace these different characters by overriding the following properties:
icon.no-result: icon: character-sorry
icon.character-hello: images/jalios/characters/hello.png
icon.character-sorry: images/jalios/characters/sorry.png
icon.character-question: images/jalios/characters/question.png
icon.character-perfect: images/jalios/characters/perfect.png
1.3 Ergonomic improvements
Display the password during authentication
On the login screen and in all interfaces where a password is expected, users can click on the icon at the end of the field to check what they have typed.
Searching in drop-down menus
In interfaces with a drop-down menu, it is now possible to search through the options by typing text:
Step modal: direct access to a step
When you use a step modal to create or modify content, the steps are now clickable:
- When creating, you can go back to any step before the current one
- When updating, you can go directly to any step.
Double confirmation
Before each deletion, JPlatform asks for a confirmation. This confirmation is now doubled.
For more information on implementation, see https://docs.jalios.com/jplatform10/jcms/fr/front-end/javascript/double-confirmation-160820
New color picker
A new color picker has been integrated. It appears on the fields of type Color. It offers a palette with the 56 shades used by JPlatform. You can integrate your own palette.
Saving playback progress on a video
When you watch a video, your progress is saved. So on long videos, if you stop and resume playback later you will automatically be repositioned where you were; and this is regardless of the browser used. You can start playing a video on your PC and then continue it on your smartphone.
The playback progress is recorded when :
- The video is paused.
- The user leaves the page while the video is playing.
The progress recording is deleted when the video is about to end (time remaining less than 5% of the total video time or if the video has 5s left). This can be set via the properties media.template.mejs-video.options.media-progression.
Search: uncategorized media no longer appear
When a search is performed (or a portlet searches for content), uncategorized media no longer appear. This allows you to avoid seeing images that have been copied and pasted or that are only intended to illustrate the publications.
This function is generalized for all searches involving Media (topbar, complete search, search in a collaborative space, Portlet List of publications, ...). There are only two search interfaces left in which uncategorized media appear: the workspace back-office and the media explorer.
Extended member search in the organization and locality
The text search for members now also includes organization, city and county/region. Each of these fields has a different relevance calculation to prioritize the information. The city and county fields have been reindexed in Lucene. A re-indexing of the members is necessary to benefit from it.
Creation from publication selector
In 10 SP4, the publication selector was revised to be easier to use. But, following these changes, it was no longer possible to create content or upload documents on the fly. JPlatform 10 SP5 fills this gap with the "Add" button:
1.4 Publication list portlet: selection of publications without editing the portal
The Publication List portlet can be configured for a dynamic display (according to search criteria) or to display a list of selected publications. In the latter case, until now, to update this list of publications you had to go to the portal edition, find the portlet, edit it, update the list of publications and save. In order to make this action accessible to the greatest number of people, the modification is now done by clicking on the "+" icon of the portlet and the modal listing the publications appears:
2. Accessibility
JPlatform aims to provide access adapted to each user, according to their context. Compliance with accessibility criteria is therefore an important issue for Jalios. In JPlatform 10 SP5, many improvements concerning accessibility have been introduced. We present the main new features in this section.
2.1 Support for subtitles in videos
You can now add subtitles to uploaded videos. These subtitles must be in SRT or VTT format. It is possible to upload a subtitle file for each language proposed on the platform. Once the subtitles are uploaded, the video player proposes to activate them by clicking on the "CC" icon.
2.2 Default language
JPlatform can be used in 16 languages. One of them must be declared as the main language. This is the language in which the mandatory fields must be filled in. Until now, when a content or any interface text was not available in the language of the user, JPlatform fell back on the main language. But when the main language is, for example, French, and a non-French-speaking user browses the site, if content or interfaces are not translated into their language, it may be preferable to fall back on English.
This is now the case with JPlatform 10 SP5. In addition to the main language, there is the default language (which is by default set to English). Content and interface elements not translated into the user's language are displayed in the default language, i.e. English.
2.3 Heading hierarchy
In a web page, content can be structured using headings from level 1 to level 6. Assistive technologies and browsers facilitate navigation by headings. Most screen readers provide a feature to jump to the next heading.
JPlatform 10 SP5 has therefore revised the management of the headings hierarchy to facilitate navigation within a page.
The site logo (and therefore the site name) is now surrounded by a level 1 heading (H1) except when:
- A publication is displayed in the page
- An application is displayed
- A collaborative space is displayed
- The behavior is disabled by the property a11y.title-hierarchy.wrap-logo-with-h1
In portal pages, portlets use a title that can be disabled by the a11y.title-hierarchy.portlet.wrap-skin-title-with-h2 property.
To respect the heading hierarchy, the rich text fields (wysiwyg) now propose the numbering of headings from level 2, level 1 being reserved for the heading of the displayed publication.
Please note: existing content is not rewritten and, if necessary, the headings must be renumbered.
2.4 Better management of keyboard navigation in the Topbar
When navigating in the Topbar, keyboard navigation was not blocked in an open component (Instant Search, Publish Menu / Administration / Alerts / Applications). Now when a menu opens, the keyboard remains in a loop in this component until it is closed.
2.5 Landmarks
Landmarks management has been improved in the main display components of JPlatform, JPortal and applications:
- Added a <main> tag.
- If a publication is displayed, added an <article> tag.
2.6 Data tables
Tables have also been enhanced for better interpretation by screen readers.
The tags <thead>, <tbody> and <caption> as well as the scope attributes have been added on all data tables in the JPlatform front office. The tables in the modules will be processed as new versions of these modules are released.
Finally, these table enrichment options are also available in the TinyMCE Wysiwyg editor (some of them require the activation of TinyMCE 5, see below).
2.7 Avoidance links
Avoidance links (also called internal navigation links) are navigation elements that allow you to bypass groups of links and thus access specific areas of the page more quickly.
They are found at the top of the page, if you use keyboard navigation:
It is possible to add global (and multilingual) avoidance links via the site properties, in the "Accessibility" tab:
In addition, it is possible and recommended to define contextual avoidance links.
JPlatform provides the following contextual links:
- Search: if the search bar is available in the topbar
- Navigation: if the navigation menu is unfolded
- Content: if main content is available in the page; for example, the display of a content in a portal is handled.
3. New features
3.1 Trash
Until now, deleting a publication was final. Even if it is possible to restore publications from the store, it creates a new publication with a new identifier. A confirmation is requested for each deletion. But this does not prevent some users from deleting content or documents by mistake.
From now on, the deletion of a content is no longer immediate. The deleted content is placed in the trash. It stays there for 2 weeks before being permanently deleted. During this period, the author of the deletion and the administrators of the content's space can restore the content by taking it out of the trash. Once restored, the content will return to its pre-deletion state.
Each time you delete a content, the confirmation modal tells you that it will be put in the trash :
To recover a content put in the trash, you just have to go in the Trash application which is available from your application launcher:
The application lists all your deletions. If you have many you can search for deleted content by workspace, by date, by type of content or document and of course by typing text. The "..." icon at the end of each line of the table brings up a menu that allows you to either remove content from the trash or delete it permanently.
If you display a content placed in the trash, an insert reminds you when and by whom it was placed in the trash:
Technically the contents placed in the trash are put in a special workflow state, the "Trashed" state (which has the value 1884, in reference to the year the trash can was adopted by the Paris city council 😉 ). Contents in this state are then no longer visible in the front-office. Restoring a content therefore consists in restoring it to its previous state.
The retention time or the scope of the trash can be defined in the property editor :
To use the trash from the Explorer application, you must install version 4.3.2 of the Explorer plugin.
3.2 Secure public links
For many versions, JPlatform has allowed you to distribute internal documents to external people by providing them with a "public link".
JPlatform 10 SP5 improves this functionality. It is now possible to:
- Create a public link on one or more documents
- Receive an alert when the recipient has downloaded the document
- Control the validity of the link
- Protect the download with an access code
Create a public link on a document
Creating a public link on a single document is done as before.
The creation interface has been revised. It now asks you to enter a text to identify the recipient (e.g. the name of the organization or the person you are going to give this link to). This free text will help you track downloads. It will not be visible to the recipients.
Once you have created the link, the window offers you to send it by mail or to simply copy the link.
Unlike the previous implementation, this link is saved. And so you can find it in the new Public Links application.
Create a public link with multiple documents
You can also create a public link containing several documents. The person who downloads the link will get a ZIP archive containing all the documents.
There are several ways to do this.
From the explorer
Select several documents in the explorer, and choose "Create a public link..." in the "Actions" menu. This menu is also available by right-clicking on one of the selected documents.
You can also add all the documents of a category, by choosing "Create a public link..." in the contextual menu of the category (right-click):
By selecting documents with the caddy
You can also use the caddy to populate your public link. Search for the documents you want to put in your public link and add them to the caddy. Then go to the Public Links application and click on the "Create a public link..." button, the list of documents will be pre-populated with the documents in the caddy.
By selecting documents by their name
Finally you can simply create a public link from a first document and add others. To do this, in the public link creation mode, click on the "Add an entry" link to display new Documents fields. Then select the desired documents.
The "Public Links" application
The Public Links application is accessible from the application launcher:
The application lists all the links you have created ("My public links"). If you have the rights (given by an ACL) you can also see all the public links present on the platform ("All public links").
By default the application displays all your public links. A filter in the sidebar allows you to filter the table by displaying only active links or only expired links.
For each public link, the table displays :
- The presence of the access code ("Key" icon)
- The corresponding document(s). If there are several documents, the Zip icon appears and by clicking on the small triangle you can display the list of documents
- The number of downloads that have taken place
- The recipient you gave to the public link
- The creation date
- The expiration date (in green if the link is valid and in red if it has expired)
- An action menu accessible via the "..." icon
You can modify the settings of a public link by clicking on "Edit" in the actions menu.
Be careful! If a public link has already been downloaded, only part of the information can be modified.
Duplicate a public link
If you need to send the same document (or documents) several times to several recipients, it is recommended to create several links to have a better follow-up. Once the first link is created, you can duplicate it.
Information about a public link
By clicking on the Information menu, you will find all the information about the public link, in particular its access URL and its access code if there is one.
The "Send by mail..." button allows you to prepare a mail as when you created the link.
Download tracking
When someone downloads your public link, you are notified by an alert (Public Links > New download). With this alert, you know which link has been downloaded. If you put the name of the person or organization in the "Recipient" field, you will know exactly who downloaded it.
In the Public Link application table, a counter shows you the number of downloads. Click on this counter to have the download details (date and IP address).
Protecting the public link with an access code
To ensure that your public link will not be reused by anyone, you can add an access code. This code will be displayed when you save the public link.
As the text specifies, it is recommended that you provide this access code by another means of communication than the one you used for the document. So do not put this access code in the email you send to the recipient. Communicate it to them by SMS, phone call, ...
When the recipient clicks on the public link, they arrive on a page asking them to enter the access code. If the code is correct, the file will be downloaded. By default, it is limited to 5 attempts.
Other options for creating a public link
Choice of format
As in the previous version, you can choose whether to download the original document or the PDF version of the document (when it exists).
Choice of the version
You can now choose which version will be downloaded: the last existing version at the time of downloading or the version that existed when you created the public link.
Be careful! This assumes that if you make updates after having created the public link you preserve the previous versions.
Note that it is not possible to select the PDF export if you choose the version existing at the time of the link creation.
Number of downloads
By default, a public link can only be downloaded 5 times. You can change this value if you wish.
Be careful, each download counts! If you give the same link to several people, if one person downloads the document several times, this will reduce the number of downloads available for the other people.
Expiration date
By default, a public link is valid for 30 days. However, you can change the expiration date for each link you create.
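The defaults described in this section (5 downloads, 5 access-code attempts, 30 days of validity) interact as in the following model. This is an added example, not JPlatform code: all class and function names are hypothetical, and it assumes that failed attempts are counted per link and never reset, and that only successful downloads consume the quota.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Defaults quoted in the article; every name in this file is hypothetical.
DEFAULT_MAX_DOWNLOADS = 5
DEFAULT_MAX_CODE_ATTEMPTS = 5
DEFAULT_VALIDITY = timedelta(days=30)


def new_access_code(length: int = 8) -> str:
    """Random numeric code from the OS CSPRNG (the code format is an assumption)."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


@dataclass
class PublicLink:
    recipient: str                      # owner-side label, not shown to the downloader
    created: datetime
    access_code: Optional[str] = None
    max_downloads: int = DEFAULT_MAX_DOWNLOADS
    max_code_attempts: int = DEFAULT_MAX_CODE_ATTEMPTS
    expires: Optional[datetime] = None
    failed_attempts: int = 0
    downloads: List[Tuple[datetime, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.expires is None:
            self.expires = self.created + DEFAULT_VALIDITY

    def request(self, now: datetime, ip: str, code: Optional[str] = None) -> str:
        """Return one of: expired, quota_exhausted, locked, bad_code, ok."""
        if now >= self.expires:
            return "expired"
        if len(self.downloads) >= self.max_downloads:
            return "quota_exhausted"
        if self.access_code is not None:
            # Assumption: attempts are counted per link, not per client, so
            # guesses cannot be spread across several source addresses.
            if self.failed_attempts >= self.max_code_attempts:
                return "locked"
            supplied = (code or "").encode("utf-8")
            expected = self.access_code.encode("utf-8")
            # Constant-time comparison avoids leaking how many characters matched.
            if not hmac.compare_digest(supplied, expected):
                self.failed_attempts += 1
                return "bad_code"
        # Assumption: only a successful download consumes quota. It is logged
        # with date and IP, the details shown behind the download counter.
        self.downloads.append((now, ip))
        return "ok"


def run_scenarios() -> dict:
    """Replay four constructed situations (timestamps and addresses are made up)."""
    t0 = datetime(2021, 1, 4, 9, 0)
    results = {}

    # One typo, then the right code: the failed attempt costs no download.
    protected = PublicLink("ACME legal dept", t0, access_code="48151623")
    results["wrong_then_right"] = [
        protected.request(t0, "203.0.113.10", "00000000"),
        protected.request(t0, "203.0.113.10", "48151623"),
    ]

    # Five wrong codes lock the link, even for the legitimate recipient.
    guessed = PublicLink("ACME legal dept", t0, access_code="48151623")
    for i in range(5):
        guessed.request(t0, "198.51.100.%d" % i, "%08d" % i)
    results["after_five_failures"] = guessed.request(t0, "203.0.113.10", "48151623")

    # A link shared with several people: every download counts against the 5.
    shared = PublicLink("mailing list", t0)
    results["shared"] = [shared.request(t0, "203.0.113.%d" % i) for i in range(6)]

    # The correct code no longer helps once the validity period has passed.
    results["after_30_days"] = protected.request(
        t0 + timedelta(days=30), "203.0.113.10", "48151623")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```
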
3.3 Reading confirmation
This new feature allows you to ask readers of content to confirm that they have read it. When this option is enabled, a message appears below the content asking for confirmation of reading.
Once confirmed, the message reminds the reader of the date of the confirmation.
If a major update is made on the content, then readers will be asked for a new read confirmation.
This feature is supported by a reader tracking enhancement. This enhancement must be enabled when you enable read confirmation. The reader tracking interface also tracks the date of the read confirmation and the version of the content.
3.4 Browsing with category
Until now, clicking on one of the categories in a search result card or in the content display started a global search with that category.
In some cases, it is preferable not to use the global search but to open the application managing that category.
For example:
- On a document: open the Explorer app
- On a Wiki page: open the Wiki App
- On a web page: open the JMag App
- In a collaborative space: search within this space
JPlatform 10 SP5 allows you to choose which functionality to use to search this category. The options available depend on the modules installed, the type of content and the category itself.
Each module can provide a search context for the category branches it offers in navigation.
Example of rendering:
Currently the proposed search contexts are:
- Global search
- Search in the current space
  - If the Collaborative Spaces module 7.4.1 or higher is active
  - If the display is done from a collaborative space
- Search in the explorer
  - If the Explorer module 4.3.2 or higher is active
  - If it is a category of this explorer
- Search in the blog
  - If the Blog module 9.3.1 or higher is active
  - If it is a blog post
  - If it is a category of the blog to which this post is linked
- Search in Wiki
  - If the Wiki module 7.5.1 or higher is active
  - If it is a wiki page
  - If it is a category belonging to the Wiki tree of the associated collaborative space
- Search in JMag
  - If the JMag module 5.3.2 or higher is active
  - If it is a Web Page
  - If it is a category belonging to the keyword tree
- Search in JLearn
  - If the JLearn module 3.5 or higher is active
  - If it is a Knowledge, Path or Course
  - If it is a category belonging to one of the JLearn tree structures (theme, level, keywords, content type, ...)
Note: some of these modules will be released a little after JPlatform 10 SP5.
3.5 TinyMCE 5
JPlatform uses the TinyMCE wysiwyg editor for Rich Text fields. In JPlatform 10 SP5 it is still version 4 that is enabled by default, but version 5.7.1 is also available. TinyMCE 4 support ends in December 2020. It is therefore recommended to switch to version 5. If you have not made any particular configuration of TinyMCE or added TinyMCE plugins, the switch to this new version will be transparent.
To switch to TinyMCE 5, set the wysiwyg.version property to tinymce5 (instead of tinymce4).
If you activate TinyMCE 5 and you use the JTranslate module, you must install version 1.1.
TinyMCE 5 features a refreshed interface, more complete accessibility support, and many new activatable features. In the standard JPlatform 10 SP5 configuration, the same features as TinyMCE 4 are offered.
3.6 Portlets
Indicator portlet
The Indicator portlet (from JReady/JCloud) is now part of JPlatform. As its name indicates, this portlet displays an indicator entered manually or from a calculation. Two display templates are available: card and donut (for ratio or percentage indicators).
A quick-edit interface for the indicator lets you change the values (for a manual indicator), the information and the presentation.
A dynamic indicator based on a content count is proposed as standard. And it is possible to propose other dynamic indicators, from JPlatform or external data. For more details, see the documentation https://docs.jalios.com/jplatform10/jcms/fr/front-end/composants/indicator-158570
Skip content already displayed in the page
In some cases, a portal page can have 2 portlets displaying the same content. For example, a Carousel portlet displays the headline news, while a Publication List portlet displays the other news. A headline news item, already displayed in the first portlet, must not be displayed by the second portlet. Until now, a specific development was necessary to manage this case.
JPlatform 10 SP5 introduces a new option in the Publications List Portlets to ignore content displayed by other Publications List portlets that have been previously processed in the page. So in the example above, you would need to enable this option on the second portlet.
See More Pagination
The Publication List Portlets feature the new "See More" pagination mode. With this pagination, a "See more" button loads the following contents.
It is possible to modify the label of the "See more" button with the "Pager label" field.
Wysiwyg portlet
Wysiwyg portlets now offer in-context editing, which avoids having to edit the portlet (see the JPortal) to modify the content. Moreover, the icon bar of the Wysiwyg editor has been enriched with 3 new menus:
- The choice of the font
- The choice of the font size
- The control of the line spacing (only with TinyMCE 5)
4. Administration
4.1 Member filtering
In the member management interface in the back office, new filters are available:
- Enabled/disabled members
- Members whose usage is Account or Contact
4.2 Importing members
If the guest account functionality of the collaborative spaces module is activated, the member import allows you to import guest accounts.
This saves the administrator or member manager from having to do this in several steps (importing standard members, putting them in the basket, adding them to the guest group, etc.)
In addition, during the import phase, it is possible to select transverse groups.
4.3 Rights
Restrictive update rights on publications
Until now, update rights on a publication were additive: that is, they allowed adding people who could modify the publication in addition to the people already authorized.
There was a request to be able to have restrictive rights: that is, to be able to explicitly choose the members and groups authorized to modify the publication.
Now in the "Update rights" tab, a menu allows you to choose between these two modes:
- Extending update rights (as before)
- Restricting update rights (new)
Category management right
The category management right allows you to define on a category who can modify, delete, create subcategories and move subcategories. Until now, this right was only defined at the group or member level.
For more convenience, it is now possible to set this right at the category level itself. Please note that this new right does not replace the old one which still exists. The 2 rights are cumulative.
4.4 Data
Sorting by publication date in Lucene
To improve the search performance and the quality of the proposed results, a sorting by publication date (pdate) is available during the textual search.
To benefit from this feature, a re-indexing of the publications is necessary.
Forcing null values to be last when sorting in the database
When sorting in descending order in the database, publications with null values were displayed first.
For databases that support the NULLS LAST instruction (SQL:99), a workaround can be activated by setting the workaround.hibernate.nulls-last property to false.
Choosing default or custom categories
Following the example of what exists since JPlatform 10 SP4 for the choice of read rights / update rights, the category selection interface has been revised by offering:
- the default choice (the default categories of the type will then be used)
- the explicit choice (the filled categories will replace those by default of the type)
The interfaces concerned are :
- Any publication editing form (when creating)
- The upload interface
- Unified document insertion
Shortcut: the icon field is no longer mandatory
The icon field of a shortcut is no longer mandatory.
A default image will be used if it is empty.
Workflow: choice of the state color
By default, Workflow states (except special states) are given a color according to their visibility. It was also possible to recolor the states with CSS rules.
It is now possible to choose the color of a state directly in the workflow management interface. This option is not available for special states (scheduled, published, expired, archived, trashed).
5. Operation
5.1 Replication (JSync)
Replication of properties in a JSync cluster
Until now in a JSync cluster, when a property had to be modified for the whole cluster, the operation had to be done manually on each node of the cluster.
JPlatform 10 SP5 makes this operation transparent by replicating the modified properties to the whole cluster.
Not all properties are replicated because some are unique to each replica (e.g., the URID).
In the case where the property is a virtualID that references a data item in the store, that data item may not have arrived on all replicas yet when the property is replicated. In this case, JPlatform forces the replication of the store data before triggering the replication of the properties. So when the property arrives, the data will already be present and it can be correctly interpreted.
Hot activation / deactivation of a module in a JSync cluster
Since JPlatform 10, it is possible to hot enable or disable a module. However, in the case of a JSync cluster the activation/deactivation had to be done manually on each replica.
JPlatform 10 SP5 makes the activation or deactivation of a module in a JSync cluster transparent.
The very first activation of a module must be done on the leader. This is because the leader can create data when it is started (with a ChannelListener) and cause properties (including Virtual IDs) to be updated. Many ChannelListener implementations also check that they are on the leader before generating their data.
However, since there is no guarantee that the user who needs to activate a module can address the leader directly, an activation request must be able to be issued from any of the replicas. This request will be processed by the leader and we are back to the case of a module activation on the leader. Once the request has been processed, the leader propagates it to all replicas, which in turn activate the module concerned.
The deactivation of a module is processed in a similar way (immediate on the leader and request on the replicas).
This system is activated by default. It can be deactivated by setting the plugin-sync.enabled property to false.
Incremental indexing of created/modified content
When JPlatform 10 SP5 starts, a partial re-indexing of content created or modified since the last Lucene index update takes place.
This change simplifies the implementation of the following scenarios:
- Adding a node to a JSync cluster
- Acceptance-testing environment
- Continuous webapp deployment
Indeed, while JStore and JcmsDB data can be copied to be up to date with the reference environments, this is more delicate for Lucene indexes, which cannot be copied on the fly.
This improvement makes it possible to reindex only the necessary content in a webapp whose data is up to date but whose indexes are not (thus avoiding a costly complete reindexing).
This new behavior can be disabled by setting the search-engine.auto-indexing-data-modified property to false.
5.2 Lazy loading of images
Lazy Loading is a web page optimization technique that loads visible content on the page but delays the downloading and display of content that is outside the visible part of the page.
This optimization is applied by default to image thumbnails (generated by the <jalios:thumbnail> tag). Images inserted in Rich Text fields (wysiwyg) also benefit from it.
It is possible to deactivate this optimization in these 2 use cases with the properties tag.thumbnail.lazy-loading.enabled and wysiwyg.medias.lazy-load-images.
5.3 Cleaning up files after deleting the document
In order not to consume storage space unnecessarily, it is desirable that after the deletion of a document, the file, the files of previous versions, as well as all their associated files and directories are deleted.
Until now, if the file-document.remove-file property was set to false, the files were not deleted when the document was deleted.
With JPlatform 10 SP5 the deletion is automatic whatever the value of this property.
However, it is possible to disable this new behavior by setting the file-document.remove-all-files-on-delete property to false.
5.4 LDAP - Possible disabling of certificate authentication
You can disable the retrieval and sending of client certificates when connecting to an LDAP server that requests them. This may be necessary if your LDAP server offers client certificate authentication, but no certificate is installed on the JVM running JPlatform, and you want to use login/password authentication.
To do this, set the ldap.server.client-certificate-enabled property to true.
6. Security
6.1 Permissions-Policy
The Feature-Policy specification was introduced in JPlatform 10 SP3. This specification has since evolved and been renamed Permissions-Policy (it is still a working draft).
JPlatform 10 SP5 uses both variants simultaneously, in order to comply with the latest security standards while still protecting browsers that do not yet support the latest version.
6.2 CSRF token required for a disconnection
A valid CSRF token is now required to trigger a logout action.
This default behavior can be overridden by setting the auth-mgr.logout.check-csrf property to false.
If you are using an SSO:
- If you have developed a specific SSO module, which allows a logout to be triggered from an external application that does not have the CSRF token, you can implement your own control through the canLogout API introduced on AuthenticationHandler;
- With the SAML module, you must use version 2.3 or higher to authorize the disconnection from the IdP (SAML-31 evolution).
6.3 Setting the SameSite attribute on the session cookie
It is possible to set the SameSite attribute of a cookie sent in a response when that attribute is not already filled in (whether this cookie is created by the server or by JPlatform code).
The configuration is done per cookie name, with a property such as the following (here for a cookie named JSESSIONID):
channel.security.cookies-rules.JSESSIONID.replace-empty-samesite: None
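The following is an added sketch, not JPlatform code, of what such a rule does to a Set-Cookie value: it fills in SameSite only when the attribute is absent, and it reports the case a deployment should check for, since current browsers reject a SameSite=None cookie that is not also Secure. The function names and the sample cookie values are assumptions made for the example.

```python
# Added illustration (not JPlatform code): models a rule of the form
# channel.security.cookies-rules.<cookie>.replace-empty-samesite: <value>
PREFIX = "channel.security.cookies-rules."
SUFFIX = ".replace-empty-samesite"


def rules_from_properties(props):
    """Map cookie name -> SameSite value to apply when the attribute is absent."""
    return {
        key[len(PREFIX):-len(SUFFIX)]: value
        for key, value in props.items()
        if key.startswith(PREFIX) and key.endswith(SUFFIX)
    }


def apply_rule(set_cookie, rules):
    """Return (rewritten Set-Cookie value, warnings) for one header value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive: index them in lower case.
    attrs = {p.split("=", 1)[0].strip().lower(): p for p in parts[1:]}
    if "samesite" not in attrs and name in rules:
        # Only an absent SameSite is filled in; an existing value is kept.
        parts.append("SameSite=" + rules[name])
        attrs["samesite"] = parts[-1]
    warnings = []
    value = attrs.get("samesite", "").partition("=")[2].strip().lower()
    if value == "none" and "secure" not in attrs:
        warnings.append(name + ": SameSite=None without Secure is rejected by browsers")
    return "; ".join(parts), warnings


# Constructed sample input: the property from this section and three cookies.
RULES = rules_from_properties(
    {"channel.security.cookies-rules.JSESSIONID.replace-empty-samesite": "None"}
)
SAMPLES = [
    "JSESSIONID=0123ABCD; Path=/; HttpOnly",          # filled in, but no Secure
    "JSESSIONID=0123ABCD; Path=/; Secure; HttpOnly",  # filled in, accepted
    "JSESSIONID=0123ABCD; Path=/; SameSite=Lax",      # already set: untouched
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(apply_rule(header, RULES))
```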
6.4 Open API CSRF check
In order to enhance security, a CSRF check is now possible on POST requests on all OpenAPI REST resources.
Note that other prevention measures already prevent CSRF attacks on these resources (SameSite Cookie).
This is an additional measure to complete the protection arsenal.
Your HTTP clients must use one of the following measures to pass these checks:
- Using AuthKey authentication
- Adding an "X-Jcms-CSRF-Header" HTTP header of some value to the request
This new CSRF check is active by default:
- For the administration resource /admin/status
- On all admin resources added in 10 SP5 (JCMS-8396)
It is currently disabled on all other resources (although data modifying resources already require a CSRF check to be present).
It will be enabled globally in a future version of JPlatform (JCMS-8547).
It can be configured on a per-property basis by specifying the name of the class (or one of the super classes) corresponding to the resource.
Example
# rest.check-csrf.{class-fqn}: true
rest.check-csrf.com.jalios.jcms.rest.resources.AbstractAdminRestResource: true
7. Development
7.1 Tags for applications
New tags are available for building applications. They simplify the development of applications, guarantee the use of good practices (especially for some points related to accessibility) and make it easier for you to benefit from UI/UX evolutions on apps. Detailed documentation is in preparation.
Here is an example of use:
<jalios:app name="debug">
  <jalios:appSidebar icon="edit" appUrl="debug/debugsp5.jsp" iconTitleProp="edit">
    <jalios:appSidebarSection title="Filters">
      <jalios:field name="search" resource="field-app">
        <jalios:control settings='<%= new TextFieldSettings().placeholder("Search for text").aria("label","Search in app") %>' />
      </jalios:field>
    </jalios:appSidebarSection>
  </jalios:appSidebar>
  <%-- MAIN --%>
  <jalios:appMain headerTitle="App Title">
    <jalios:buffer name="APP_HEADER_BOTTOM">
      <ul class="nav nav-tabs" role="tablist">
        <li role="presentation" class="active"><a href="" role="tab">Active tab</a></li>
        <li role="presentation"><a href="" role="tab">Tab 1</a></li>
        <li role="presentation"><a href="" role="tab">Tab 2</a></li>
      </ul>
    </jalios:buffer>
    <jalios:appBodyInclude pub='<%= channel.getPublication("7098_Media") %>' />
  </jalios:appMain>
</jalios:app>
7.2 Forms
Properties: new typed fields
It is now possible to declare an editable property of a module to enter a color, an image, a media, one or more types.
Possible suffixes:
- .chooser-color: color chooser
- .chooser-image: image chooser
- .chooser-media: media chooser
- .chooser-type: content type or User Content type chooser
- .chooser-types: a list of choosers for Content types or User Content
- .chooser-type-MySuperType: a chooser for types extended from MySuperType
- .chooser-types-MySuperType: a list of choosers for types extended from MySuperType
Example:
jcmsplugin.myplugin.myprop: prop
jcmsplugin.myplugin.enabled.boolean: true
jcmsplugin.myplugin.mycolor.chooser-color:
jcmsplugin.myplugin.myimage.chooser-image:
jcmsplugin.myplugin.mymedia.chooser-media:
jcmsplugin.myplugin.mytype.chooser-type:
jcmsplugin.myplugin.mytypes.chooser-types:
Hidden fields
Hidden fields are usually handled in plain HTML:
<input type="hidden" name="foo" value="bar" />
But if we forget to encode the value, it can become an attack vector.
To avoid this, JPlatform 10 SP5 provides HiddenSettings, which handles these issues:
<jalios:control settings='<%= new HiddenSettings().name("foo").value("bar") %>' />
Type Editor: Publication Type field
A new field type is proposed for publication types. It allows you to select publication types. It is possible to specify a super type to limit the scope.
Example:
Form modification control
Adding the CSS class jalios-dirty-form-control to a <form> tag displays a message to the user if they leave the page while one of the form fields has been modified.
To learn more about this, see :
Aria label in forms
It is now possible to easily add aria-* attributes on controls using the following syntax:
<jalios:field name="ariaLabelTest" value="HasAria" label="Input with arias">
  <jalios:control settings='<%= new TextFieldSettings().aria("invalid", true).aria("label","My other label for screenreader") %>' />
</jalios:field>
Modals with clickable steps
All modals using a FormHandler derived from EditPublicationHandler benefit from direct access to a step. If this is not the case for your FormHandler, you can still benefit from it by overriding the isFormStepClickable() method.
7.3 Java API
ChannelListener.initAfterStartup()
In the ChannelListener class, the new initAfterStartup() method makes it possible to launch a process at the end of the JPlatform startup, once the site is ready to be accessed.
StartupDataGenerator
The new StartupDataGenerator class simplifies the generation of data at startup. It extends ChannelListener and implements the initAfterStartup() method. It provides utility methods that simplify the generation of data, for example at the first installation of a module.
Example of category creation at startup
Declaration of virtual IDs
In plugin.prop:
$id.jcmsplugin.demo.cat.root:
$id.jcmsplugin.demo.cat.topics:
Declaration of language properties
In fr.prop:
data.$id.jcmsplugin.demo.cat.root.name: Module Démo
data.$id.jcmsplugin.demo.cat.topics.name: Thèmes
In en.prop:
data.$id.jcmsplugin.demo.cat.root.name: Demo Plugin
data.$id.jcmsplugin.demo.cat.topics.name: Topics
StartupDataGenerator implementation
class DemoChannelListener extends StartupDataGenerator {
  // Virtual IDs declared in plugin.prop
  private static final String VID_CAT_ROOT = "$id.jcmsplugin.demo.cat.root";
  private static final String VID_CAT_TOPICS = "$id.jcmsplugin.demo.cat.topics";

  @Override
  protected void createData() {
    Category root = createCategory(VID_CAT_ROOT);
    createCategory(VID_CAT_TOPICS, root);
  }
}
AbstractDBQueryBuilder
During development, we may have to create new data types in the database that extend directly from Data. In this case, unlike the types derived from Publication, it is up to the developer to code the querying mechanics for this new type.
A good practice is to write a builder, i.e. a class which makes it possible to set all the query criteria and to obtain the results in different forms (number of results, paginated list of results, first result of the list, ...).
The AbstractDBQueryBuilder class facilitates the development of these builders. It factors out the common search criteria (firstResult(), maxResults(), orderBy(), author()) and provides the same methods to get the results (build(), count(), list(), firstResult()).
Example:
public class JBookBorrowingQueryBuilder extends AbstractDBQueryBuilder<JBookBorrowing> {
  // Optional criteria: a null value means "do not filter on this field"
  private AbstractBook book;
  private Member borrower;

  public JBookBorrowingQueryBuilder() {
    setDefaultOrder(Order.desc(BORROWING_DATE_FIELD));
  }

  public JBookBorrowingQueryBuilder book(AbstractBook book) {
    this.book = book;
    return this;
  }

  public JBookBorrowingQueryBuilder borrower(Member borrower) {
    this.borrower = borrower;
    return this;
  }

  public JBookBorrowingQueryBuilder orderByBorrowingDate() {
    return (JBookBorrowingQueryBuilder)(orderBy(Order.desc(BORROWING_DATE_FIELD)));
  }

  // Adds the criteria specific to this builder to the query
  @Override
  protected void addCriterions(Criteria criteria) {
    addBookCriterion(criteria);
    addBorrowerCriterion(criteria);
  }

  private void addBookCriterion(Criteria criteria) {
    if (book != null) {
      criteria.add(Restrictions.eq(BOOK_ID_FIELD, book.getId()));
    }
  }

  private void addBorrowerCriterion(Criteria criteria) {
    if (borrower != null) {
      criteria.add(Restrictions.eq(BORROWER_ID_FIELD, borrower.getId()));
    }
  }
}
QueryHandler : setting a context for QueryFilter
It is now possible to pass information from a QueryHandler to the context of a QueryFilter via the QueryHandler.getQueryFilterContext() method.
Example:
queryHandler.getQueryFilterContext().put(myKey, myValue);
7.4 JSP overriding
For a long time, JPlatform has allowed overriding some core JSPs, such as the authentication page, search, the profile sheet of a member, ...
With JPlatform 10 SP5, it is now possible to override any JSP, accessed directly or included dynamically (as long as it includes doInitPage.jspf). This is done by declaring a property.
Example of use: to override the XML export (JSP /admin/exportXml.jsp):
jsp.override./admin/exportXml.jsp: /plugins/MyPlugin/exportXml.jsp
If, in the JSP, the override should not be applied after all (or you only wanted to intercept the request to do something else), cancel it:
<%
request.setAttribute(com.jalios.jcms.ResourceHelper.JSP_OVERRIDE_CANCELLED, Boolean.TRUE);
%>
This new feature is very powerful since it allows you to override all standard JPlatform interfaces. So make sure you only use it for the right reasons. With great power comes great responsibility... 😉
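The properties described in sections 6.2, 6.4 and 7.4 can each switch off a CSRF check or replace a core page, so they are worth reviewing in deployed .prop files. The audit script below is an added example, not Jalios code; the severity labels, the function name and the /custom/page.jsp sample path are assumptions.

```python
import re

# Added illustration, not part of JPlatform. Flags properties named in this
# article that relax a security default or replace a core JSP.
# Severity labels ("high", "review") are this example's own convention.
KEY_VALUE = re.compile(r"^\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$")


def audit_properties(text):
    """Return sorted (severity, key, reason) findings for a .prop file body."""
    findings = []
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue  # blank line, comment, or not a key/value pair
        key, value = match.groups()
        disabled = value.lower() == "false"
        if key == "auth-mgr.logout.check-csrf" and disabled:
            findings.append(("high", key, "logout no longer requires a CSRF token"))
        elif key.startswith("rest.check-csrf.") and disabled:
            findings.append(("high", key, "CSRF check switched off for this resource class"))
        elif key.startswith("jsp.override."):
            path = key[len("jsp.override."):]
            # Overrides of administration pages deserve the closest review.
            severity = "high" if path.startswith("/admin/") else "review"
            findings.append((severity, key, "%s is served by %s" % (path, value)))
    return sorted(findings)


# Constructed sample; /custom/page.jsp and the plugin paths are placeholders.
SAMPLE = """\
# rest.check-csrf.{class-fqn}: true
auth-mgr.logout.check-csrf: false
rest.check-csrf.com.jalios.jcms.rest.resources.AbstractAdminRestResource: true
jsp.override./admin/exportXml.jsp: /plugins/MyPlugin/exportXml.jsp
jsp.override./custom/page.jsp: /plugins/MyPlugin/page.jsp
"""

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE):
        print(*finding, sep=" | ")
```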
7.5 OpenAPI REST
JPlatform 10 SP5 adds new REST resources (or endpoints) for OpenAPI:
| Resource | Method | Description |
|---|---|---|
| | GET POST | Performs a search on members |
| | GET POST | Performs a search on workspaces |
| | GET POST | Searches for groups |
| | GET POST | Searches on categories |
| | GET POST | Performs audits on the platform. Possible checks: |
| | GET | Returns a CSV or JSON list of modules present on the platform and their versions. |
| | GET POST PUT | Property management. This resource accepts a prefix parameter to return only properties with that prefix. Language properties are not natively offered in GET requests without prefix. For PUT/POST or DELETE requests, content in JSON or multipart-form-data format is accepted (property/value array). Note: updating or deleting cannot be done with a prefix. |
| | GET POST PUT | Property management. This resource accepts a prefix parameter to return only properties with that prefix. Language properties are not natively offered in GET requests without prefix. For PUT/POST or DELETE requests, content in JSON or multipart-form-data format is accepted (property/value array). Note: updating or deleting cannot be done with a prefix. |
| | GET POST | Management of a single property |
| | GET | Returns the name of the site ( |
| | GET | Returns the path on the local file system of the last Lucene index backup. |
| | POST | Starts an asynchronous backup of the Lucene indexes. Returns its path on the local file system immediately. If a backup is in progress, the creation request is ignored, the future path is returned. |
|
GET |
Returns web alerts associated to the logged member (resource |