uPortal 4.0.14 Release Announcement

Apereo is proud to announce uPortal 4.0.14, continuing in our regular patch releases of uPortal 4.0.

See the release page in the wiki.

Human-readable release notes

uPortal 4.0.14 is a patch release of uPortal 4.0 cut to release a couple of important security fixes and to ship a slew of minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, portlet administration permissions are bugged such that:
  1. CVE-2014-3146: anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of intended delegated-administration MANAGE and MANAGE-* permission restrictions, and
  2. CVE-2014-3147: anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet, to the extent that the portlet has a CONFIG mode.
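To make the two permission bugs concrete, here is a small model of delegated portlet administration checks. It is an added illustration written for these notes, not uPortal code: the `Permissions` class, the category-inheritance rule (MANAGE on a category covers its member portlets), and the choice that the corrected CONFIG check requires MANAGE on the portlet are all assumptions made for the example. The "vulnerable" functions reproduce the flawed gating described above (SUBSCRIBE on the admin portlet, or SUBSCRIBE on the target, standing in for MANAGE), the "fixed" ones check the activity against the actual target, and `find_overgrants` reports where the two disagree for a given grant set, which is a reasonable way to gauge exposure on a pre-4.0.14 permission configuration.

```python
"""Model of the delegated portlet-administration checks behind
CVE-2014-3146 / CVE-2014-3147. Illustrative example only; not uPortal code,
and all names and the data below are constructed for the demo."""
from dataclasses import dataclass, field

SUBSCRIBE, MANAGE, CONFIG = "SUBSCRIBE", "MANAGE", "CONFIG"
PORTLET_ADMIN = "portlet-admin"  # fname of the administration portlet itself


@dataclass
class Permissions:
    # grants[user] = set of (activity, target); a target is a portlet fname
    # or a category name. Assumption for this model: MANAGE granted on a
    # category applies to every portlet filed under that category.
    grants: dict = field(default_factory=dict)
    categories: dict = field(default_factory=dict)  # portlet fname -> category

    def has(self, user, activity, target):
        user_grants = self.grants.get(user, set())
        if (activity, target) in user_grants:
            return True
        category = self.categories.get(target)
        return category is not None and (activity, category) in user_grants


def can_manage_vulnerable(perms, user, portlet):
    # Pre-4.0.14 behaviour (CVE-2014-3146): the only gate is whether the user
    # may subscribe to the admin portlet; the target portlet is never consulted,
    # so a delegated admin for one category can manage everything.
    return perms.has(user, SUBSCRIBE, PORTLET_ADMIN)


def can_manage_fixed(perms, user, portlet):
    # Corrected check: access to the admin UI plus MANAGE on the specific
    # target (directly, or via a category the user is delegated to manage).
    return perms.has(user, SUBSCRIBE, PORTLET_ADMIN) and perms.has(user, MANAGE, portlet)


def can_enter_config_vulnerable(perms, user, portlet):
    # Pre-4.0.14 behaviour (CVE-2014-3147): CONFIG mode gated by SUBSCRIBE only.
    return perms.has(user, SUBSCRIBE, portlet)


def can_enter_config_fixed(perms, user, portlet):
    # Assumed correct policy: CONFIG is an administrative activity, so require
    # MANAGE on the portlet rather than mere subscription rights.
    return perms.has(user, MANAGE, portlet)


def find_overgrants(perms, users, portlets):
    """Return (user, activity, portlet) triples the buggy checks would allow
    but the corrected checks deny."""
    found = set()
    for user in users:
        for portlet in portlets:
            if can_manage_vulnerable(perms, user, portlet) and not can_manage_fixed(perms, user, portlet):
                found.add((user, MANAGE, portlet))
            if can_enter_config_vulnerable(perms, user, portlet) and not can_enter_config_fixed(perms, user, portlet):
                found.add((user, CONFIG, portlet))
    return found


def demo_permissions():
    """Constructed sample: 'alice' is a delegated admin for the 'Academics'
    category only; 'bob' is an ordinary user subscribed to the email portlet."""
    perms = Permissions()
    perms.categories = {"calendar": "Academics", "email": "Communication"}
    perms.grants = {
        "alice": {(SUBSCRIBE, PORTLET_ADMIN), (MANAGE, "Academics")},
        "bob": {(SUBSCRIBE, "email")},
    }
    return perms


if __name__ == "__main__":
    p = demo_permissions()
    for entry in sorted(find_overgrants(p, ["alice", "bob"], ["calendar", "email"])):
        print("over-granted by the buggy checks:", entry)
```

With the sample grants, the buggy checks let alice MANAGE the email portlet outside her delegated category and let bob enter CONFIG mode on email with nothing more than SUBSCRIBE; the corrected checks deny both while still letting alice manage the calendar portlet through her category grant.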

This release includes essential fixes for successfully implementing delegated portlet administration. It attempts to root the group and category selection UI in portlet management at a group or category that is close to the tree root yet still selectable by the user, fixes the JSON web service permission checks so that they succeed when they ought to instead of always failing for non-super-users, and fixes the lifecycle-stage step of the portlet publication workflow for non-super-users.

This release also adds the Emergency Alert portlet to the guest view, which will be an important fix for adopters using guest views and emergency alerts, and drops the category from the default emergency-alert portlet definition to prevent users from adding it to odd places in their own layouts.

This release works with Tomcat 7.0.47 (and, presumably, later); without this fix, ending and upgrading user sessions was broken.

The reset-password portlet had been broken to the point of being unusable, but this release includes a fix. Guest user account detection is now case-insensitive. Permissions administration principal selection is fixed.

This release fixes DLM ProfileEvaluator import to now successfully import the XML it exports.

Search over the portlet registry now standardizes to lowercase, so you should get more search hits than you'd expect.

The in-memory password encryption key is now conveniently configured in portal.properties to encourage adopters to set it. You have changed that encryption key from the default, if you're using in-memory passwords, right?

Speaking of caching passwords in memory, CAS / ClearPass users should review ClearPass cache update synchronicity configuration changes in this release. This release includes out-of-the-box CAS / ClearPass configuration that's closer to ready-to-go more generally (but is still off-by-default).

In this release the calendar portlet's default US holiday data feed now draws from a working Google feed, replacing a previous default configuration that had gone bad.

This release upgrades to jQuery and jQuery UI 1.8.24 and jquery-mobile 1.3.2, tweaks Fluid to support jQuery 1.8, disables UI scaling under muniversality, improves text shadows, fixes UI glitches in portlet administration, in portlet titles, and in the hc and coal themes, and removes the (broken) Popular Portlets button from the Portlet Manager. A new portlet preference governs whether the portal-activity portlet displays popular searches.

This release bumps the versions of some included portlets:

In under-the-hood tweaks, this release patches away some database resource leaks, configures uPortal's ehcache to be shared, tweaks the environment filter set, updates Maven exclusions, silences an extraneous hsql shutdown EOFException, and adds some null handling in the JSON web services that access groups and in the person attribute group store.

The quickstart configuration in this release bumps the max memory to 500 MB.

On upgrade, you may want to: