Version 6.6.7 built on 2011-09-28.
Release Notes for Vaadin Framework 6.6.7
- Upgrading from Vaadin 6.0 or 6.1
- General Upgrade Instructions
- Notes and Limitations for Google App Engine
- Important known problems in Vaadin 6.6.7
Vaadin 6.6.7 is a maintenance release for Vaadin Framework 6.6. It contains several important fixes.
Security fixes in Vaadin Framework 6.6.7
Vaadin 6.6.7 fixes several security issues discovered by Wouter Coekaerts (http://wouter.coekaerts.be/) and an internal review. Immediate upgrade to a version containing the fixes is strongly recommended for all users. The issues are:
- #7670 Directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN() (critical)
- #7669 CSRF/XSS vulnerability through separator injection (important)
- #7672 Contributory XSS: possibility for injection in certain components (moderate)
The most serious of these issues is the directory traversal attack that can allow read access to the class files of an application as well as some configuration information.
If unable to immediately upgrade Vaadin to a version containing the fixes, the directory traversal vulnerability can be mitigated by not mapping the context path "/VAADIN" to a Vaadin servlet in web.xml but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files.
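A way to audit a deployment descriptor for the mapping this mitigation removes, as an added example that is not part of the Vaadin release notes or the Vaadin code base. The sample web.xml is constructed, and reporting "/*" and other path-prefix patterns (which also route /VAADIN requests to the servlet under standard servlet path mapping) goes beyond the "/VAADIN" mapping named above; extension ("*.ext") and default ("/") mappings are not analysed.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from the release notes).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>app</servlet-name>
    <servlet-class>com.vaadin.terminal.gwt.server.ApplicationServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/ui/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/VAADIN/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def local(tag):
    """Strip the XML namespace so DTD-based and schema-based descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def text_of(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def covers_vaadin(pattern):
    """True if an exact or path-prefix url-pattern routes /VAADIN paths to the servlet."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]  # "/*" leaves "", which matches every path
        return prefix == "" or prefix == "/VAADIN" or prefix.startswith("/VAADIN/")
    return pattern == "/VAADIN" or pattern.startswith("/VAADIN/")

def find_vaadin_mappings(web_xml):
    """Return (servlet-name, servlet-class, url-pattern) for each mapping covering /VAADIN."""
    root = ET.fromstring(web_xml)
    classes = {text_of(s, "servlet-name"): text_of(s, "servlet-class")
               for s in children(root, "servlet")}
    hits = []
    for m in children(root, "servlet-mapping"):
        name = text_of(m, "servlet-name")
        for p in children(m, "url-pattern"):
            pattern = (p.text or "").strip()
            if covers_vaadin(pattern):
                hits.append((name, classes.get(name, ""), pattern))
    return hits
```

Each reported servlet class still has to be checked by hand: a custom subclass of AbstractApplicationServlet will not carry a Vaadin package name.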
The other vulnerabilities typically require user actions (pasting text crafted by the attacker into the application or following a link crafted by the attacker) for a successful attack, but may be exploitable more directly in certain applications. They can allow the attacker to control the user session for the application in the browser.
Change Log, Future Releases, and Upgrading
See this list of closed tickets for a full list of tickets fixed in this release.
Problem fixes and enhancements planned for upcoming releases can be found in the Vaadin Roadmap in Vaadin Trac.
As always, when upgrading from an earlier version, you should recompile any custom widget sets and refresh your project in Eclipse. If you are upgrading from 6.5.x or earlier, note that Vaadin 6.6 uses GWT 2.3 (included in the installation package). See General Upgrade Instructions for more details on upgrading.
Enhancements in Vaadin Framework 6.6
- GWT has been updated to version 2.3
  - If using Eclipse, update the Vaadin Plugin for Eclipse to the latest version before upgrading a project to use the new Vaadin version
  - If using build scripts to compile widget sets, after upgrading GWT libraries, also copy validation-api-1.0.0.GA.jar and validation-api-1.0.0.GA-sources.jar and add them to the class path
  - In Liferay, the latest version of Vaadin Control Panel for Liferay is needed for compiling the portal widget set
  - See the General Upgrade Instructions for more information
- An error is shown to the end user when JAR and widgetset version do not match (#5423)
- Support for touch device interfaces: one-finger touch scrolling, drag and drop, Slider, SplitPanel, sub-window handling, notifications, etc.
- Support for Internet Explorer 9
In the server-side API:
- More versatile Container.Filterable API that allows complex filters in containers (#6286)
- Support for specifying nested bean properties with addNestedContainerProperty() (#4995)
- Abstract base class AbstractProperty for simple Property implementations (#6860)
- A getListeners() method to return all listeners in all classes that support listeners (#1410)
- New AbstractContainer for common functionality in containers, especially listeners (#6521)
- New submitUpload() method in the Upload component to start the upload programmatically (#6630)
- BrowserInfo now includes browser time and timezone (#6691)
- New getColumnGenerator() method in Table to get a column generator (#6844)
- New AbstractProperty class for common features in Property implementations (#6860)
- Renamed horizontal/verticalDropLocation() to getHorizontal/VerticalDropLocation() in WrapperTargetDetails (#6823)
- CheckBox now supports null values, displayed as false (#6918)
- The method Button.fireClick(MouseEventDetails) is used by Button instead of Button.fireClick(). Subclasses should override the former and not the latter.
- The 'liferay' theme is included in Vaadin core starting from version 6.6.2. Themes still need to be copied to the shared resource directory in a Liferay installation when upgrading Vaadin.
- MenuBar supports checkable items (on/off) starting from version 6.6.2.
In the client-side API:
- Server communication methods in ApplicationConnection can now be overridden (#6885)
Fixes in Vaadin 6.6.7
- #7541 Table.setColumnCollapsed("id",true) will cleared PropertyDataSource for any fields in table item properties
- #3125 Portlet size is not updated when window is resized
- #6420 Solution for menu too long.
- #7560 ComboBox: Writing the name of a new item and clicking on drop down menu works inconsistently.
The full details of the defects can be found at dev.vaadin.com.
Backward-Incompatible Changes in Vaadin Framework 6.6
- The addContainerFilter() in Container.Filterable no longer accepts a filter string as a parameter, but a Filter object. You can use addContainerFilter(new SimpleStringFilter(...)) to get the same functionality of the old method.
- DateField no longer sets invalidAllowed(false) by default. The new behavior is consistent with all other fields in Vaadin and with DateField in Vaadin 6.3 and earlier.
- Top-level windows no longer gain focus automatically when the application is loaded in embedded hosting solutions such as portals. Thus keyboard shortcuts might not work until a Vaadin component is focused, either by the user or via the server-side API. (#6724)
Upgrading from Vaadin 6.0 or 6.1
The way widget sets are defined was simplified in Vaadin 6.2. Existing projects that use custom widgets (a custom widget set) must be migrated when upgrading to Vaadin 6.2 or later. Projects that use the default widget set do not need migration. For most projects this should be a fairly painless upgrade.
For applications where custom widgets are used (also applicable to widget projects):
- Remove the getTag() method from all components and replace it with a @ClientWidget(VClientSideWidget.class) annotation. Tag names are no longer used to map the server-side and client-side part of the component. This is done automatically using the @ClientWidget annotation.
- Remove the WidgetSet.java file. This file is no longer needed as the mapping between the server- and the client-side is done automatically using @ClientWidget.
If you are using widgets from another project (typically in a separate JAR file):
- Acquire a new JAR which is compatible with Vaadin 6.3 and add it to WEB-INF/lib. The widget set compilation will automatically include the JAR in your .gwt.xml during compilation if you use the Eclipse Compile Widget Set button. For Ant/Maven you need to specify the location of the widget set JARs that you want to include in the application widget set.
If you package a widget set as a JAR for use in other projects:
- Replace getTag() with @ClientWidget and remove the -WidgetSet.java as described above.
- Add a "Vaadin-Widgetsets: <fully qualified name of widgetset>" (e.g. "Vaadin-Widgetsets: com.example.widgetset.mywidgetset") row to the META-INF/MANIFEST.MF of the JAR file. This enables the widget set builder to automatically detect and include the widget set in other projects.
General Upgrade Instructions
When upgrading from an earlier version of the Vaadin library, you should always do the following.
- If you have extracted any built-in themes or widget sets from the Vaadin Jar to a VAADIN folder that is served statically by the application server, you need to delete the old themes and widget sets and re-extract them from the new Vaadin Jar.
- Upgrade the Vaadin Integration Plugin for Eclipse to the latest version
  - Use the http://vaadin.com/eclipse software site to upgrade or install the stable version of the Vaadin Integration Plugin in Eclipse. If you have installed an unstable version of the plugin (see below), you need to remove it first.
  - For using pre-release versions of Vaadin and nightly builds, it is either recommended or often necessary to use the unstable "experimental" Vaadin Plugin for Eclipse. In such a case, add http://vaadin.com/eclipse/experimental as a Software Site in Eclipse and upgrade the Vaadin Plugin.
- Select the new version in the Vaadin section in project preferences [1]
- The Eclipse plugin will automatically download the required GWT libraries and update launch configurations and the project build path

[1] The Vaadin section is enabled only if the Vaadin Facet is configured for the project
NetBeans and Build Script Users
If you build the Vaadin application or the widget sets using an Ant script, such as in NetBeans, follow these instructions:
- Copy the vaadin-6.6.7.jar library to the WEB-INF/lib directory in the project and remove the old version
- Refresh the project (in NetBeans or Eclipse)
- If using any add-ons containing custom widget sets:
- If the GWT version has changed, copy the GWT libraries to the compilation-time library directory of the project. The GWT libraries should not be located in the WEB-INF/lib directory, as they are not deployed together with the web application.
- validation-api-1.0.0.GA.jar (a GWT dependency)
- validation-api-1.0.0.GA-sources.jar (a GWT dependency)
You can use the WebContent/docs/example-source/build-widgetset.xml Ant script in the Vaadin installation package as a template for a script for compiling the widget sets.
- If the Vaadin version is defined as LATEST in the pom.xml, the new version is automatically used and you simply need to recompile the project.
- If the Vaadin version is defined explicitly in the pom.xml, edit the file to change the version.
Maven downloads the defined Vaadin version and required GWT libraries automatically.
Note that there can sometimes be a delay between the official release of Vaadin and its submission to the central repository. Once in the central repository, the replication to other repositories can take several hours.
- You may need to install a new version of the Vaadin Control Panel for Liferay
- Install the new Vaadin Jar to the ROOT/WEB-INF/lib directory in the portal
- Extract the contents of the VAADIN folder from the Jar to the static ROOT/html/VAADIN directory in Liferay. Only the PortalDefaultWidgetSet widget set is needed.
- If using any add-on components or custom widget sets, use the Vaadin Control Panel to recompile the combining widget set
Similar instructions apply for other portals, except that you need to recompile the widget sets for example using the build-widgetset.xml script included in the Vaadin installation package.
Notes and Limitations for Google App Engine
The following instructions and limitations apply when you run a Vaadin application under the Google App Engine.
Applications must use GAEApplicationServlet instead of ApplicationServlet in web.xml.
Session support must be enabled in appengine-web.xml:
Avoid using the session for storage; the usual App Engine limitations apply (no synchronization, i.e., unreliable).
Vaadin uses memcache for a mutex; the key is of the form _vmutex<sessionid>.
The Vaadin WebApplicationContext class is serialized separately into memcache and datastore; the memcache key is _vac<sessionid> and the datastore entity kind is _vac with identifiers of the type _vac<sessionid>.
DO NOT update application state when serving an ApplicationResource (e.g. ClassResource.getStream()).
AVOID (or be very careful when) updating application state in a TransactionListener or a HttpServletRequestListener. They are called even when the application is not locked and won't be serialized (e.g. ApplicationResource), and changes can thus go missing. It should be safe to update things that can be safely discarded later, i.e. things valid only for the current request.
The application remains locked during uploads, so a progress bar is not possible.
Important known problems in Vaadin 6.6.7
#1155: Uncompressing the installation package fails in Windows if using the default Zip uncompression. Uncompression gives (in Windows Vista) an error message about too long filenames, and a more obscure message in other versions of Windows. Workaround: use 7-Zip or some other good unzip program for Windows.
For other known problems, see open tickets at developer site dev.vaadin.com.
Vaadin is available for the following operating systems:
- Windows (see the Zip installation notice above)
- Mac OS X Tiger (mac) or Leopard (leopard)
- Other UNIX operating systems, such as Sun Solaris
Vaadin supports Java Servlet API 2.3 and later versions and should work with any Java application server that conforms to the standard. It supports the following application servers:
- Apache Tomcat, version 4.1 or later
- BEA WebLogic® Server, version 9.2 or later
- IBM WebSphere® Application Server, version 6.1 or later
- JBoss Application Server, version 3.2.8 or later
- Jetty, version 5 or later
- Glassfish, version 2 or later
Vaadin supports the following browsers for using the applications made with it:
- Mozilla Firefox 3, 4, and 5
- Internet Explorer releases 6, 7, 8 and 9
- Safari 4 and 5
- Opera 10 and 11
- Google Chrome (latest version)
Browser support follows the support provided by GWT. The browsers are supported on both Windows and Mac, if available. Firefox is also supported on Linux. There may be differences between the exact versions of the supported browsers that may cause incompatibility with applications made with Vaadin.