Vaadin – thinking of U and I

Version @version@ built on @builddate@.

Release Notes for Vaadin Framework @version@

• Package contents
• Security fixes in Vaadin @version-minor@
• Enhancements in Vaadin @version-minor@
• Fixes in Vaadin @version@
• Backwards incompatible changes in Vaadin @version-minor@
• Vaadin @version@ dependencies
• Upgrading to Vaadin @version-minor@
• Known problems and limitations in Vaadin @version@
• Supported technologies
• Vaadin on the Web

Package Contents

Vaadin is a Java framework for building modern web applications that look great, perform well and make you and your users happy. Vaadin is available under the Apache 2 license (see license.html).

Vaadin is distributed as a single JAR file. Inside the JAR you will find:

• Vaadin server and client side classes (/com)
• Vaadin server and client side sources (/com)
• The default widget set (/VAADIN/widgetsets)
• Themes: Runo, Reindeer and Chameleon (/VAADIN/themes)
• Release notes (/release-notes.html)
• Licensing information (/license.html)

Security fixes in Vaadin @version-minor@

Vaadin 6.7.0 and later incorporates fixes for the following security issues:

• #7669 CSRF/XSS vulnerability through separator injection
• #7670 Directory traversal vulnerability
• #7671 Contributory XSS: Possibility to inject HTML/JavaScript in system error messages
• #7672 Contributory XSS: possibility for injection in certain components

These issues were discovered by Wouter Coekaerts (http://wouter.coekaerts.be/) and an internal review. Immediate upgrade to a version containing the fixes (6.6.7 or later or 6.7.0 or later) is strongly recommended for all users.

The most serious of these issues is the directory traversal attack that can allow read access to the class files of an application as well as some configuration information.

If unable to immediately upgrade Vaadin to a version containing the fixes, the directory traversal vulnerability can be mitigated by not mapping the context path "/VAADIN" to a Vaadin servlet in web.xml but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files.

The other vulnerabilities typically require user actions (pasting text crafted by the attacker into the application or following a link crafted by the attacker) for a successful attack, but may be exploitable more directly in certain applications. They can allow the attacker to control the user session for the application in the browser.

Enhancements in Vaadin @version-minor@

SQLContainer

SQLContainer connects your application to an SQL database using JDBC. SQLContainer allows you to easily bind data stored in a SQL database to Table and Select components, as well as edit the data using Forms. Compared to many object-relational tools this provides you with fast, low-level database access.

SQLContainer was previously distributed as an add-on and has now been integrated into the framework.

TreeTable

TreeTable is an extended Table component that can show hierarchical structures in its first column. Users can show or hide children from a small icon before the actual column value in the first column.

TreeTable is, similarly to Table, designed to scale well with large number of rows by only sending the needed rows to the browser. With the Collapsible Container extension, a developer can build the data provider so that it does not consume too much memory on the server side either.

Chameleon Theme

Chameleon Theme provides a completely new look and feel for your application.

The theme is built on top of the Vaadin Base theme and tries to keep out of the way where appropriate, so small modifications are easy to do with CSS.

The theme contains several different useful styles for many of the basic components like big and warning for a Label. You can even combine many styles together, like big warning

If the default color scheme does not suit your taste, feel free to use the online color scheme editor at http://demo.vaadin.com to build a customized theme.You can also change the base font size for the whole theme with the same editor.

Note that the theme is intentionally simplified for some browsers, most notably old Internet Explorer versions.

Notification now supports a plain text mode for its contents

OptionGroup now supports a HTML mode for the item captions

OptionGroup now supports item icons

MenuBar now supports a HTML mode for the item captions

ComboBox now supports scrolling using the mouse wheel

Table ColumnGenerator can now generate plain text in addition to Components

TabSheet tabs can be styled individually

Button can be automatically disabled when clicked

Tree, Table and TreeTable support tooltips for individual items or cells

Table and TreeTable now support GeneratedRows that can be used for grouping or summary rows

TreeTable supports animation for expand and collapse operations

TreeTable supports expand and collapse listeners

PopupDateField and InlineDateField now support time zones

ComboBox can now be used as a replacement for NativeSelect

Audio and Video components implement support for HTML5 <audio> and <video> elements.

CDI can now also be used with @SessionScoped beans.

Sampler is no longer distributed as part of Vaadin @version@. It will be available as a separate download

Book of Vaadin is no longer distributed with Vaadin @version@. It is available as a separate download from http://vaadin.com/book

The full details of the enhancements can be found at dev.vaadin.com.

Fixes in Vaadin @version@

#7852 TreeTable partial update throws NegativeArraySizeException
#3125 Portlet size is not updated when window is resized
#7780 TreeTable rendering problem when adding or removing nodes
#7836 Table repaint throws ArrayIndexOutOfBounds when using FileSystemContainer
#5562 Widgetset build throws an exception while throwing an exception
#7698 FileSystemContainer throws NPE when a directory cannot be read
#7790 table.requestRepaint() does not invoke cellStylesGenerators
#7822 Loading Vaadin application in JBoss AS 7 throws java.lang.LinkageError
#7823 JBoss 7 AS can't load FlagSeResource
#7839 Out of Sync error when using Generated Columns with TreeTable
#7918 Test with Firefox 8 #7923 Shrinking browser window not detected if resizeLazy is enabled

The full details of the defects can be found at dev.vaadin.com.

Backwards incompatible changes in Vaadin @version-minor@

Table.ColumnGenerator.generateCell has been changed to return Object instead of Component to enable generation of plain text.

Package names for SQLContainer, TreeTable and Chameleon Theme java files have been changed from com.vaadin.addons.* to com.vaadin.*

If you have been using SQLContainer, TreeTable or Chameleon Theme as add-ons, remove the add-on jars from the project.

The DOM structure of Forms without descriptions has changed, which means that any TestBench scripts testing this kind of Form need to be updated. If your tests start failing, subtract one from the index in the test script, e.g. change

VForm[0]/domChild[0]/domChild[3]

into

VForm[0]/domChild[0]/domChild[2]

and your tests will pass again.

Vaadin @version@ dependencies

Vaadin uses GWT @gwt-version@ for widget set compilation. GWT can be downloaded from http://code.google.com/webtoolkit/. GWT can also be automatically downloaded by the Vaadin Plug-in for Eclipse. Please note that GWT @gwt-version@ requires the validation-api-1.0.0.GA.jar and validation-api-1.0.0.GA-sources.jar files in addition to gwt-dev.jar and gwt-user.jar for widget set compilation.

Upgrading to Vaadin @version-minor@

When upgrading from an earlier Vaadin version, you must

• Recompile your classes using the new Vaadin JAR. Binary compatibility is only guaranteed for maintenance releases of Vaadin.
• Recompile any add-ons you have created using the new Vaadin JAR.
• Recompile your widget set using the new Vaadin JAR and the newly compiled add-ons.
• If you have extracted a theme from the Vaadin JAR, you need to update it with the theme provided in the new Vaadin JAR.

Remember also to refresh the project in your IDE to ensure that the new version of everything is in use.

Using the "?debug" URL parameter you can verify that the version of the servlet (JAR), the theme and the widgetset all match.

Eclipse users should always check if there is a new version of the Eclipse Plug-in available. The Eclipse Plug-in can be used to update the Vaadin version in the project (Project properties » Vaadin).

Maven users should update the Vaadin dependency version in the pom.xml unless it is defined as LATEST . You must also ensure that the GWT dependency uses the correct version and recompile your project and your widget set.

Liferay and other portal users must install the new vaadin-@version@.jar as ROOT/WEB-INF/lib/vaadin.jar in the portal. Additionally the contents of the VAADIN folder from the JAR must be extracted to the ROOT/html/VAADIN directory in the Liferay installation. If your portal uses custom widgets, install the latest version of Vaadin Control Panel for Liferay for easy widget set compilation.

Upgrading from Vaadin 6.5 or earlier

If you are upgrading from 6.5.x or earlier, notice that Vaadin @version@ uses GWT @gwt-version@. Upgrade your dependencies as necessary. See the dependencies section for more information.

Upgrading from Vaadin 6.1 or earlier

The way widget sets are created was completely changed in Vaadin 6.2. Existing projects, where custom widgets (a custom widget set) are used, must be migrated when upgrading to Vaadin 6.2 or later. Projects where the default widget set is used do not need migration. See Vaadin 6.2.0 release notes for more details.

Known problems and limitations in Vaadin @version@

• #1155: Uncompressing the installation package fails in Windows if using the default Zip uncompression. Uncompression gives (in Windows Vista) an error message about too long filenames, and a more obscure message in other versions of Windows. Workaround: use 7-Zip or some other good unzip program for Windows.

Notes and Limitations for Google App Engine

The following instructions and limitations apply when you run a Vaadin application under the Google App Engine.

• Applications must use GAEApplicationServlet instead of ApplicationServlet in web.xml .

• Session support must be enabled in appengine-web.xml :

      <sessions-enabled>true</sessions-enabled>

• Avoid using the session for storage, usual App Engine limitations apply (no synchronization, i.e, unreliable).

• Vaadin uses memcache for mutex, the key is of the form _vmutex<sessionid> .

• The Vaadin WebApplicationContext class is serialized separately into memcache and datastore; the memcache key is _vac<sessionid> and the datastore entity kind is _vac with identifiers of the type _vac<sessionid> .

• DO NOT update application state when serving an ApplicationResource (e.g ClassResource.getStream()).

• AVOID (or be very careful when) updating application state in a TransactionListener or a HttpServletRequestListener - they are called even when the application is not locked and won't be serialized (e.g ApplicationResource), and changes can thus go missing (it should be safe to update things that can be safely discarded later - i.e valid only for the current request)

• The application remains locked during uploads - a progress bar is not possible

For other known problems, see open tickets at developer site dev.vaadin.com.

Supported technologies

Vaadin is based on Java 5 and it is also compatible with most other operating system supporting Java 5 or newer. Vaadin is supported on the following operating systems:

• Windows (see the Zip installation notice above)
• Linux
• Mac OS X

Vaadin requires Java Servlet API 2.3 but also supports later versions and should work with any Java application server that conforms to the standard. The following application servers are supported:

• Apache Tomcat, version 4.1-7.0
• Oracle WebLogic® Server, version 9.2-10.3.5(11gR1)
• IBM WebSphere® Application Server, version 6.1-8.0
• JBoss Application Server, 3.2.8-7.0
• Jetty, version 5.0-7.0
• Glassfish, version 2.0-3.1

Vaadin supports JSR-168 and JSR-286 Portlet specifications. All portals that implement either of the portlet specifications should work. The following portals are supported:

• Liferay Portal 5.2-6.0
• GateIn Portal 3.1
• eXo Platform 3
• Oracle WebLogic® Portal 10gR3
• WebSphere Portal 6.1-7.0

Vaadin also supports Google App Engine.

Vaadin supports the following browsers:

• Mozilla Firefox 3-8
• Internet Explorer 6-9
• Safari 4-5
• Opera 10-11
• Google Chrome 13-15

Vaadin supports the built-in browsers in the following mobile operating systems:

• iOS 4-5
• Android 2-3

Vaadin on the Web

• vaadin.com - The developer portal containing everything you need to know about Vaadin
• demo.vaadin.com - A collection of demos for Vaadin
• vaadin.com/learn - Getting started with Vaadin
• vaadin.com/forum - Forums for Vaadin related discussions
• vaadin.com/book - Book of Vaadin - everything you need to know about Vaadin
• vaadin.com/api - Online javadocs
• vaadin.com/directory - Add-ons for Vaadin
• dev.vaadin.com - Bug tracker
• dev.vaadin.com/svn/versions/@version-minor@ - Source code
• vaadin.com/pro-account - Commercial support and tools for Vaadin development
• vaadin.com/services - Expert services for Vaadin
• vaadin.com/company - Information about the company behind Vaadin

vaadin }> thinking of U and I ↑ Back to top