JPlatform 10 SP7 - The main new features

New features

JPortal : New simplified editor and collaborative spaces

JPortal is the component allowing to build pages in JPlatform. This tool allows to act on the layout, the style and the portlets settings.

In version 8.0 of the Collaborative Spaces module, the composition of the home page of a collaborative space is now handled by JPortal. The objective is both to allow freer compositions than in the previous version (which only proposed a composition in columns) but also to allow community animators to act on the portlets.

JPortal requires to have a rather fine knowledge of the concepts of portal and portlets of JPlatform. And the portlets have many configuration options. However, the animators of collaborative spaces have generally not been trained to use JPortal. They therefore need a simpler interface than JPortal allowing them to act on the portlets that make up the home page.

For this reason, JPlatform 10 SP7 introduces a new simplified editing mode in JPortal. It is a complementary mode to the classic JPortal editing mode.

The simplified JPortal editor allows to :

• Reorganize the portlets by drag and drop
• Modify the style of the portlets (skin, color, ...)
• Choose the display template
• Modify the essential parameters of the portlet
• Add portlets

All this directly in the home page of the collaborative space, without having to enter the classic JPortal edition mode.

The new portlet editing mode exposes only the essential attributes that a collaborative space animator can act on.

The animator also has a new simplified interface to add portlets to the home page:

To go further and act on the advanced composition of the page, it is of course possible to switch to the classic JPortal edition:

Dans le cas des espaces collaboratifs, les animateurs peuvent aussi agir sur les applications qui sont proposées dans les onglets de l’entête en les réorganisant par glisser/déposer, en les renommant, en les retirant et en ajoutant de nouvelles applications :

This simplified editing mode is available not only for collaborative spaces but for all pages built with JPortal. It can be triggered via the "Admin" menu of the topbar.

An important point is that the modifications made on a portlet or an application with the simplified edition in a collaborative space do not modify the portlet but are recorded in the collaborative space as an overlay. Thus the same portlet can be used in several collaborative spaces and modified differently.

The creation of new portlets in a collaborative space has also been simplified. The facilitator just has to choose the type of portlet and fill in the information. The type of portlet is automatically activated and the information specific to the use in a collaborative space (notably the ability) is also positioned.

Public links: new options for sending the message

The "Public link" function allows you to send a link to download a document to an external person.

The interfaces for creating and managing public links offered a button to prepare an email to the recipients of the public link. Unfortunately, for technical reasons, this email could only be in text format and the link to the document download was therefore represented by the URL. Moreover, these interfaces also offered a button to copy the URL.

From JPlatform 10 SP7, the "Copy" button now offers 3 choices:

• Copy the message (in HTML format)
• Copy the HTML link (ie. the title of the document with a link to the download)
• Copy the URL (same function as the previous version)

You can copy the message, then send it by mail, by copying the message (in HTML format) in the mail.

The text of the message has also been revised to indicate the deadline (rather than a validity period). Example:

Dear Sir/Madam,

You can download the file until Thursday, July 6, 2023 with the following link: 

JPlatform 10 - Installation and Operation Manual.pdf

Best regards,

Content duplication : choice of the target workspace

Until now, to duplicate a content in another workspace you had to have the rights to create a content of the same type as in this workspace.

From now on, it is enough to be able to create content of the same type in at least one workspace. When the duplication is triggered, a modal window appears asking for the target workspace.

LDAP - Synchronization of the user's language

When user accounts are synchronized with LDAP directory data, the user language is now synchronized as standard with the LDAP attribute preferredLanguage.

If you want to allow users to change their language themselves, and therefore do not want to synchronize the user language with your LDAP data, clear this setting in the site properties, LDAP tab, Schema section, Language field (this setting corresponds to the new property ldap.mapping.language).

New UX features

Renaming of "Recommend" to "Share"

The term "Recommend" was not always well understood by users. From JPlatform 10 SP7, the terms "Recommend" and "Recommendation" are replaced by "Share" and "Share" in all interfaces. The term recommendation remains only for "recommend" an application or a profile.

Unification of sharing functions

The "Recommend" action has been replaced by "Share". This action opens a first modal proposing different sharing options. These options vary according to the nature of the shared object.

The possible options are :

• Share with members and groups: opens the recommendation modal
• Share with external parties (only for documents): opens the public link creation mode
• Share in another workspace (only for contents): opens the inter-workspace sharing mode

In addition to these options, a button allows you to copy the link of the publication.

Example of sharing mode for a document:

As a result:

• In actions on a publication
  • The Recommend action is replaced by Share
  • The following actions have been removed
    • Create a public link
    • Share in another workspace
    • Permalink
  • In the publications ttCard, the create a public link action no longer exists

"Bulk processing" replaces the shopping cart

The term "caddy" and its shopping cart icon could be confusing; some users associated it with a merchant site.

This term is now replaced by the term "Bulk processing". The icons representing the different states or actions on the bulk processing have also been revised:

The bulk processing function is not generally intended for all users. It is now possible to limit access to a specific population via the Bulk processing" ACL. This is an optional ACL. If it is not filled in, everyone has access to the functionality.

Renaming the alert level "Warning" to "Urgent

The term "Warning" for the third alert level (after "Information" and "Action") was misunderstood, especially in French. It has been renamed to "Urgent" to be more in line with its function.

Document: highlighting the editing action

Until now, the "Download" button has been highlighted on the document page.

However, it is actually quite rare that we only want to download the document since we have the viewer that displays it. So, when possible, we now put the "Open with..." button more prominently. The "Download" button is still available though.

Example

WYSIWYG & Adaptive images (responsive images)

Users can upload images on several occasions: blog post publication, article, gallery, in rich text areas, ... Sometimes these images are very large, especially when they are photos taken with a camera or a smartphone.

The display of these heavy images in the different pages of the site can cause slowdowns and unnecessary resource consumption because they are usually displayed in a size much smaller than the native size.

For interfaces where these images are in clearly identified fields (maps, article visuals, galleries, ...) a thumbnail of the image is generated and used instead of the original image. But, until now, in rich text areas, native images were used.

In JPlatform 10 SP7, images inserted by users in rich text areas, and exceeding certain resolutions, are displayed in thumbnail version, in order to reduce bandwidth and page loading time. By default the generated alternatives have the following widths: 640px, 1024px and 1920px

If an image has a width :

• smaller than 640px, it will be served in its original version, without alternative
• between 640px and 1920px, one or more alternative versions will be proposed, the largest image available will be the original one
• larger than 1920px, all alternatives will be proposed, and the largest image available will be the 1920px thumbnail

Search: new interface for filtering on a type

In the search interface, the filter on publication types has been revised. The long list of types has been replaced by a type selection field by auto-completion:

Category navigation: opening in a new tab

An option has been added on a category to indicate if it should open in a new tab when used for navigation.

The following Portlet Navigation templates take this option into account:

• Vertical Tree
• Vertical Menu
• Menu for the Topbar
• Horizontal menu with one level

Wysiwyg - TinyMCE 5 editor enabled by default

TinyMCE 5 had been introduced in JPlatform 10 SP5 (June 2021) but it was not enabled by default. TinyMCE 5 has proven to be stable and mature. Also, it is enabled by default in JPlatform 10 SP7.

If you have specific developments around TinyMCE, you have to follow the procedure released in June 2021 when JPlatform 10 SP5 was released, "TinyMCE 5 wysiwyg editor" in the JPlatform 10 SP7 Services Packs Application Notes to migrate them to the new version of the editor.

Accessibility

Jalios is committed to respecting the accessibility criteria defined in the RGAA 2.0. Audits have been carried out by Jalios and by customers. They revealed several points to be corrected.

JPlatform 10 SP7 includes a hundred or so accessibility fixes. These patches have also been extended to modules and a series of modules have been released or will be released in the next few months with patches dedicated to accessibility:

• JMag 5.4.1
• JNote 1.2
• JNews 2.3.1
• JCalendar 1.4.3
• ESN 6.7.2
• Collaborative space 8.0
• Poll 6.1
• Wiki 7.6
• Guided tours 1.2
• Conversation Spaces 6.1
• Explorer 4.6
• Bookmarks 6.4
• Comments 6.4
• Directory 8.2

Security and Rights

Protection against brute force attacks

A new protection against brute force attacks is now enabled by default based on the following behavior: after 2 authentication failures per 3 seconds interval, an authentication restriction is applied for a duration of 30 seconds for the user account, on the originating IP.

These values can be configured in the site properties, Access section:

The restriction consists in preventing any new connection attempt for the same user, on the same originating IP, during the specified time.

This restriction applies to the following authentication methods (the controls for each method being distinct from each other):

• by login / password
• by cookie
• by authkey

Please note that when using JDrive with browser authentication, it is necessary to allow at least 2 failed authentication attempts within 2 to 3 seconds.

Decrease the bcrypt configuration

As mentioned above, a mechanism has been introduced to prevent brute force attack attempts. As a result, it is no longer necessary to have an excessively high bcrypt configuration for protection against brute force attacks via the web.

Therefore, to avoid a CPU load related to this bcrypt configuration, JPlatform 10 SP7 restores the bcrypt configuration to 10 (compared to 12 in SP4, SP5 and SP6)

Forgotten password procedure

No more mail sent for non-existent accounts

During the procedure to forget the password by entering an email address, an email was sent in all circumstances, including when the email address entered did not correspond to any account on the site.

The default behavior has been strengthened in terms of security: an email is only sent when an account corresponding to the email address can be identified.

This prevents malicious users from abusing the forgot password feature to send unwanted emails to unrelated email addresses outside the platform.

The previous behavior can be re-enabled by setting the channel.reset-password.send-mail-to-unknown-user: true

Whatever the configuration, the message displayed to the user who made the request does not give any indication of the existence of the account or not, so as not to disclose any information about it.

Denial of service protection

A new denial of service protection is now enabled by default based on the following behavior:

After 4 forgotten password requests (for different emails) per 1 hour interval, a restriction is applied for 1 hour on the originating IP.

The restriction consists in preventing any new forgotten password request by a client with the same originating IP, during the specified duration.

This protection can be configured with the following properties:

#  Enable throttling or not ?
channel.reset-password.throttle.throttle-enabled: true
#  Time range in seconds during which the threshold is verified.
channel.reset-password.throttle.range-seconds: 3600
#  Number of password reset attempts permitted in the specified time range.
channel.reset-password.throttle.threshold: 4
#  Number of seconds before the blocked/throttled can be released.
channel.reset-password.throttle.throttling-duration-seconds: 3600

Option to deny authentication to users whose passwords no longer meet password security constraints

Password validation rules can be configured in JPlatform to impose a minimum complexity.

If these validation rules are changed, authentication is allowed for accounts using a password that respects the old validation policy, but not the new rule in effect.

A new configuration option is available in JPlatform 10 SP7 to deny authentication for accounts that do not follow the new rules.

If you enable this behavior, users who do not comply with the current constraints will be notified and prompted to change their password by following the password reset process (via entering their email address).

This behavior is disabled by default. To enable it, set the following property:

auth-mgr.simpleauth.inform-user-of-old-password: true

Warning: before enabling this behavior, make sure that at least one administrator uses a password with the current rules, otherwise you may not be able to access the site with a login/password authentication.

This policy does not apply to accounts that use only external authentication (LDAP or other SSO).

Option to display a message to users when BCrypt security constraints change

When the security settings of BCrypt are changed, all existing passwords that no longer respect the constraints are automatically disabled and not functional.

A login attempt with the associated account results in an authentication failure, without any further information for the user.

A new configuration option is available in JPlatform 10 SP7 to allow the display of a message when a connection fails.

Users are notified and prompted to proceed with a password change by following the password reset process (via entering their email address).

This behavior discloses information to anonymous users: the existence of an account that matches the user ID entered.

For this reason, and in application of the "Secure by default" best practice, the option is disabled by default.

You can activate it with the following property:

auth-mgr.simpleauth.inform-user-of-old-password: true

Note: this behavior concerns only the non-respect of the security settings of the BCrypt hashes stored by JPlatform.

As the plaintext password is unknown to JPlatform, this message is not triggered by a possible change of the password validation rules.

For this, see the previous section for an alternative approach.

This policy does not apply for accounts using only external authentication (LDAP or other SSO).

E-mail required at registration

The E-mail field was visually marked as mandatory, but was not. From now on, E-mail is mandatory in the registration form

Advanced settings

Choice of the display portal of an application

By default all applications with a shortcut are displayed in the application portal.

It is now possible to force a particular display portal for a given application.

To do so, you need to

1. Create a portal (with a Selection portlet or equivalent in JPortal)
2. Note the identifier of this portal
3. Add the property shortcut.<APP_NAME>.portal: <PORTAL_ID>
   • APP_NAME is the same name as the one declared in the property shortcut.<APP_NAME>.link 
   • PORTAL_ID is the identifier of the portal to use

If we want to put an access to an App from the navbar, after having done the previous operations, we must :

• Add a category in Navbar
• Associate the created portal to this category
• Create a redirection portal associated to this category and redirecting to the same JSP as declared in shortcut.<APP_NAME>.link

Increase of the default duration of CSS and JS caches

Until now, the duration of CSS and JS caches was 10 days. As there is a simple way to force the invalidation of the caches without affecting this duration (via channel.packer.version), in SP7 we have increased the duration to 365 days. This can be set via the following property:

channel.packer.cache-expiration: 365

Mails: configurable headers

It is possible, by simple declaration of properties, to add personalized mail headers to all the mails sent by the platform.

This is done via the declaration of properties respecting the nomenclature mail.header.{Header-Name}: {Header-Value}

Examples :

# Set custom header
mail.header.X-MyCustomHeader: FooBar

# Set custom return-path to handle bounce email (error message, auto replies, etc)
mail.header.Return-Path: bounced@example.com

# Set null return-path address to disable bounce email
mail.header.Return-Path: <>

Note that this customization was already possible by specific development by inserting itself during the invocation of MailPolicyFilter.beforeSendMail(MailMessage msg, HashMap<String,Object> contextMap).

Sent mails indicated as auto-generated

All mails sent by the platform are now indicated as auto-generated, via the mail header Auto-Submitted: auto-generated in application of RFC 3834 §5.2.

This allows to indicate to remote mail services to avoid sending return mail messages in case of absence of the recipient.

This behavior can be globally disabled with the following property :

mail.set-auto-generated: false

This behavior can also be disabled in specific development, for some mails only, by setting the context attribute "mail.set-auto-generated" to false when invoking MailPolicyFilter.beforeSendMail(MailMessage, HashMap<String,Object>).

No more blocking of the page following an ajax error

When an error occurred during an Ajax request, the user could not do anything on the page except reload it.

In JPlatform 10 SP7, when an error occurs during a processing, a toastr will appear indicating to the user that there was an error, but he will be able to continue to click on elements that trigger javascripts in the page.

For developers, if the developer mode is activated on the webapp, the content of the error will be shown in the toastr.

Asynchronous processing of member deletions

All member deletions are now processed via a producer/consumer in a dedicated thread (to ensure no SQL deadlock)

• All existing APIs remain synchronous (but actually wait quietly for the consumer to do its job)
• Deletions from batch processing of members (caddy) are now asynchronous
  • the user is informed that the processing has been submitted
  • members being deleted are returned via an integrity check

Configuration options available:

# enable/disable this new behavior, to revert to previous behavior (default:true)
member.async-delete.enabled: true/false

# limit the wait time of the "synchronous" performDelete (defaut: 0ms ==infinite wait time)
member.async-delete.timeout: 0

Development

Tag <jalios:dropdown>

<jalios:dropdown> tag produces a dropdown menu that is typically used to produce contextual menus on an object (e.g., a card, a row in a table, a portlet, ...)

<jalios:dropdown triggerLabel="Ouvrir le menuuuu" triggerIcon="more-v" triggerCss="btn btn-default"  >
  <li><a><jalios:icon src="more-v" /> Custom Items</a></li>
  <li><a>Test 2</a></li>
  <li><a>Test 3</a></li>
  <li class="divider"></li>
  <li><a>Test after divider</a></li>
</jalios:dropdown>

For more information, visit documentation.

Tags <jalios:button>, <jalios:buttonModal> and <jalios:buttonAjax>

These tags generate a button that respects accessibility rules and that can be used for modal window openings or to trigger actions in Ajax.

<jalios:buttonAjax label="Ajax Refresh" confirm="true" confirmText="YOU SURE ?" css="btn btn-default"/>
<jalios:buttonAjax label="Ajax Refresh" css="btn btn-default"/>
<jalios:button css="btn btn-default" url="tesT.jsp"><jalios:icon src="share" /> Inner Content</jalios:button>
<jalios:button css="btn btn-default"><jalios:icon src="share" /> Inner Content</jalios:button>
<jalios:button label="Label with tag attr" css="btn btn-default" />
<jalios:buttonModal label="appstore.sidebar.admin.add-application" url="jcore/appstore/app/createApplicationModal.jsp" css="btn btn-default btn-add-application" icon="add"/>

For more information, visit documentation.

Tag <jalios:noResult>

The <jalios:noResult> tag produces a standard message in case there is no result. It is possible to replace the visual and the text.

<jalios:noResults />
<jalios:noResults text="jportal.simple-edition.no-form-portlet" />

For more information, visit documentation.

Search field

Search fields are often present in the sidebar or navbar of applications. This new control standardizes the UX/UI of this type of field.

For more information, visit documentation.

Icon field

The Icon control proposes to select an icon in the set of vector icons of JPlatform (WebFont Icomoon and JIcons)

For more information, visit documentation.

UILinkItem API

This API allows to make a list of links from a property prefix.

For more information, visit documentation.

Modal: referral step

In some interfaces, it is sometimes necessary to have a first step that guides the user to the right interface. This principle is used in several interfaces of JPlatform:

• In JLearn: adding a local video or a remote video
• In JEvent: creation of a face-to-face, video or hybrid event
• In JProcess: create or import a process

CSS classes are now available to homogenize and simplify the development of these referral steps:

<jalios:modal title='Start a new activity'  css="modal-lg">

  <div class="modal-options-text">What do you want to do ?</div>

  <div class="modal-options">

    <div class="modal-option clickable" data-jalios-url="plugins/MyPlugin/jsp/option1.jsp" data-jalios-options='{"mode":"ajax"}'>
      <jalios:icon src="myplugin-option1"/>
      <div class="modal-option-title">Option 1</div>
      <div class="modal-option-subtitle">Option 1 subtitle</div>
    </div>

    <div class="modal-option clickable" data-jalios-url="plugins/MyPlugin/jsp/option2.jsp" data-jalios-options='{"mode":"ajax"}'>
      <jalios:icon src="myplugin-option2"/>
      <div class="modal-option-title">Option 2</div>
      <div class="modal-option-subtitle">Option 2 subtitle</div>
    </div>

    <div class="modal-option clickable" data-jalios-url="plugins/MyPlugin/jsp/option3.jsp" data-jalios-options='{"mode":"ajax"}'>
      <jalios:icon src="myplugin-option3"/>
      <div class="modal-option-title">Option 3</div>
      <div class="modal-option-subtitle">Option 3 subtitle</div>
    </div>
  </div>

</jalios:modal>

Reading / writing an attribute in the current query

In some Java developments we may need to set or retrieve the value of an attribute of the current request. Until now it was necessary to pass by the method channel.getCurrentServletRequest(), to check that it was not null and to make the reading or the addition of the attribute.

In JPlatform 10 SP7, two utility methods simplify these actions:

channel.setCurrentRequestAttribute("myAttribute", "myValue");
String myAttribute = (String)channel.getCurrentRequestAttribute("myAttribute");

Update of the libraries

Several Java libraries have been updated in JPlatform 10 SP7.

Migration

Java 11 required

Java 8 has reached the end of active support since March 31, 2022 and is only supported for security patches.
Java 11 has been out for more than 5 years and will end support in September 2023.
cf https://endoflife.date/java

For this reason, JPlatform 10 SP7 requires JDK 11.

Jalios is aiming to support JDK 17, but this version is NOT yet certified with JPlatform 10 SP7

JSoup : Whitelist → Safelist

Following the update of the JSoup library to version 1.15.x (JCMS-9246), any specific developments that programmatically loaded/modified the HTML cleanup whitelists must be adapted.

• APIs JSoup  
  • org.jsoup.safety.Whitelist → org.jsoup.safety.Safelist
    
    
• APIs JPlatform (dans le package com.jalios.jcms.wysiwyg) : 
  

  Avant (supprimé dans JPlatform 10 SP7)	Après
  Whitelist WysiwygManager.getWhitelist()	Safelist WysiwygManager.getSafelist()
  Whitelist WysiwygManager.loadWhitelist(JProperties)	Safelist WysiwygManager.loadSafelist(JProperties)
  WysiwygManager.CLEANHTML_CTXT_WHITELIST	WysiwygManager.CLEANHTML_CTXT_SAFELIST

   

Note: Only the Java APIs have been changed as a result of this library update.
The name of the properties used to configure the HTML cleanup has NOT been changed, they are still wysiwyg.sanitize-html.whitelist.*

If you are using the following modules, the indicated versions or newer MUST be installed

• Exchange Plugin : 10.3
• Horizon Plugin : 2.1.2
• JServices : 1.3 ou 2.0
• JCalendar : 1.3.1, 1.4
• Local Calendar Plugin : 1.1

External Data Sources must be explicitly declared

If you use external Data Sources in fields of type "DB Record" or "SQL Query" you must :

1. Explicitly declare the datasources with the property channel.external-datasources
2. Explicitly activate the corresponding functionalities
   • channel.dbrecord.enabled: true
   • channel.sqlquery.enabled: true

Example:

channel.external-datasources: jdbc/myExternalDB1 jdbc/myExternalDB2
channel.dbrecord.enabled: true
channel.sqlquery.enabled: true