Version @version@ built on @builddate@.
Release Notes for Vaadin Framework @version@
- Overview of Vaadin @version@ Release
- Security fixes
- Change log for Vaadin @version@
- Enhancements in Vaadin @version-minor@
- Incompatible changes in @version-minor@
- Behavior altering changes in @version-minor@
- Known issues in @version-minor@
- Limitations in @version-minor@
- Vaadin Installation
- Package Contents
- Migrating from Vaadin 6 to Vaadin 7
- Vaadin @version@ dependencies
- Upgrading to Vaadin @version-minor@
- Supported technologies
- Vaadin on the Web
Overview of Vaadin @version@ Release
Vaadin @version@ is a maintenance release that includes a number of important bug fixes, as listed in the change log below.
For a list of enhancements in the last feature release, see Enhancements in Vaadin @version-minor@ and the Release Notes for Vaadin @version-minor@.0.
Security fixes in Vaadin Framework 7.1.11
Vaadin 7.1.11 fixes two security issues discovered during internal review.
Escaping of OptionGroup item icon URLs
The issue affects OptionGroup with item icons. Proper escaping of the src-attribute on the client side was not ensured when using icons for OptionGroup items. This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.
In order for an application to be vulnerable, user provided input must
be used to form a URL used to display an icon for an OptionGroup item,
when showing that Option Group to other users.
The vulnerability has been classified as moderate, due to it's limited
application.
Escaping of URLs in Util.getAbsoluteUrl()
The client side Util.getAbsoluteUrl() did not ensure proper escaping of the given URL. This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.
The method is used internally by the framework in such a manner that it
is unlikely this attack vector can be utilized in practice. However,
third party components, or future use of the method, could make an
attack viable.
The vulnerability has been classified as moderate, due to it's limited
application.
Change log for Vaadin @version@
This release includes the following closed issues:
- @release-notes-tickets@
You can also view the list of the closed issues at the Vaadin developer's site. .
Enhancements in Vaadin @version-minor@
The @version-minor@ includes many major and minor enhancements. Below is a list of the most notable changes:
- Internet Explorer 11 support
- Window Phone 8.1 support
- Long polling support through Atmosphere 2
- Font icon support
- Tomcat 8 support
- Wildfly 8 support
- Websocket support for Tomcat 8, Glassfish 4, Jetty 9.1, Wildfly 8
- TestBench 4 support
- GWT 2.6 compatibility
- Widget set size reduction
- Widget set compilation speed improvement by collapsing all permutations
- New built-in converters: StringToBigDecimal, StringToLong
- New built-in support for Date in communication
- WAI-ARIA improvements: Window, Notification, TabSheet
- Sass compiler is a separate project
- Support for @OnStateChange for easier state handling
- Reload events for UIs with @PreserveOnRefresh
- Responsive layouts
Tools have been updated for Vaadin @version-minor@ with the following changes:
- Maven
- Theme compilation support using vaadin:update-theme and vaadin:compile-theme
- Eclipse
- Theme compilation support using the provided button
- New projects are by default generated using Servlet 3.0 API
- Additional GWT compiler parameters can be specified
For enchancements introduced in Vaadin 7, see the Release Notes for Vaadin 7.0.0.
Incompatible changes
- It is assumed that the UI will no longer be used after Page.setLocation is called. Do not use this to start downloads.
- The portlet requests class VaadinGateinRequest is now called VaadinGateInRequest
- The JSON library has been changed from org.json to the json implementation from the Android SDK. They are 99% compatible.
- StringToNumberConverter has been removed in favor of more specific converters such as StringToBigDecimalConverter.
- (internal) Atmosphere has been updated from version 1.x to 2.x. These are not 100% compatible.
- (internal) There is no longer support for "multiple variable bursts" in the UIDL communication.
Behavior altering changes
- Default push fallback is now long-polling
- VerticalLayout and HorizontalLayout.replaceComponent now applies old component parameters (e.g. expand ratio) to the new component. This is now consistent between all layouts in the framework, where relevant properties are applied to the replacement.
- All GWT permutations are collapsed when using DefaultWidgetSet. To use separate permutations, inherit Vaadin instead of DefaultWidgetSet and add the needed entry-point.
- Requests to "/context;jsessionid=xyz" are redirected to "/context/;jsessionid=xyz" which is against specifications but based on how jsessionid is used
- Adding a ValueChangeListener to a component will make it immediate
- ComboBox is immediate by default
Known issues
- Not all features are implemented for devices using pointer events.
- Push reconnecting does not work in all situations when
- using Firefox and streaming
- using IE8-11 and long-polling
Limitations
- It is currently not possible to specify font-size as em or %, or layout component sizes with em (#10634)
- Push is currently not supported in portals (See #11493)
- HTTP session can not be invalidated while using push (#11721)
- Cookies are not available while using push (#11808)
- Not all proxies are compatible with websockets. If you are using push with an incompatible proxy you might have to force the transport mode to streaming. Some proxies have problems with streaming also - you need to ensure that the proxy does not buffer responses for HTTP streaming to work.
Vaadin Installation
Vaadin is a Java framework for building modern web applications that look great, perform well and make you and your users happy. Vaadin is available under the Apache License, Version 2.0 (see the license.html in the Vaadin ZIP or JAR package).
The easiest ways to install Vaadin are:
- If using Maven, define it as a dependency or use any of the available archetypes (only vaadin-application is available for Vaadin 7 at the time of this release) to create a new project
- If using Eclipse, use the Vaadin Plugin for Eclipse, which automatically downloads the Vaadin libraries. To use this prerelease version, the plugin should be installed from the experimental update site (http://vaadin.com/eclipse/experimental).
It is also available as a ZIP package downloadable from Vaadin Download page.
Package Contents
Inside the ZIP installation package you will find:
- Separate server-side (vaadin-server) and client-side (vaadin-client, vaadin-client-compiler) development libraries
- Precompiled widget set (vaadin-client-compiled) for server-side development
- Shared library (vaadin-shared) for both server- and client-side libraries
- Built-in themes (vaadin-themes)
- Dependency libraries provided under the lib/ folder
See the README.TXT in the installation package for detailed information about the package contents. Book of Vaadin (for Vaadin 7) gives more detailed instructions.
For server-side development, copy the vaadin-server , vaadin-client-compiled , vaadin-shared , and vaadin-themes from the main folder and the dependencies from the lib folder to the WEB-INF/lib folder of your Vaadin project. (The vaadin-client-compiled is necessary if you do not wish to compile the widget set by your own, which you need to do if you use almost any add-on components.)
Updates to the Packaging
Since Vaadin 7.2.0, the old vaadin-theme-compiler has been moved into a separate project and renamed to vaadin-sass-compiler. It is now included along with the other 3rd party dependencies in the ZIP package.
For pure client-side development, you only need the vaadin-client and vaadin-client-compiler JARs, which should be put to a non-deployed project library folder, such as lib . You also need them if you compile the widget set for any reason, such as using Vaadin add-ons, or create new server-side components integrated with client-side widgets.
Migrating from Vaadin 6
All Vaadin 6 applications need some changes when migrating to Vaadin 7. The most obvious changes are in the application/window API and require extending either UI or UI.LegacyApplication instead of Application. A detailed list of migration changes are given in the Vaadin 7 Migration Guide.
Any custom client-side widgets need to be ported to use the new client-server communication API, or the Vaadin 6 compatibility API.
Vaadin 6 add-ons (ones that contain widgets) do not work in Vaadin 7 - please check the add-ons in Vaadin Directory for Vaadin 7 support.
Vaadin @version@ Dependencies
When using Maven, Ivy, Gradle, or other dependency management system, all Vaadin dependencies are downloaded automatically. This is also the case when using the Vaadin Plugin for Eclipse.
The Vaadin ZIP installation package includes the dependencies in the lib subfolder. These need to be copied to the WEB-INF/lib folder of the web application that uses Vaadin.
The dependencies are listed in the Licensing description. Some are explicit dependencies packaged and distributed as separate JARs, while some are included inside other libraries.
Bean Validation
If you use the bean validation feature in Vaadin 7, you need a Bean Validation API implementation. You need to install the implementation JAR in the WEB-INF/lib directory of the web application that uses validation.
Upgrading to Vaadin @version-minor@
Upgrading the Eclipse Plugin
Vaadin 7 requires that you use a compatible version of the Vaadin Plugin for Eclipse. The stable version of the plugin is available from the http://vaadin.com/eclipse update site. Please see the section about updating the plugin in the Book of Vaadin and the installation instructions at the download site for more details.
You can also use the experimental Vaadin Plugin for Eclipse. Its update site is http://vaadin.com/eclipse/experimental .
General Upgrading Instructions
When upgrading from an earlier Vaadin version, you must:
- Recompile your classes using the new Vaadin version. Binary compatibility is only guaranteed for maintenance releases of Vaadin.
- Recompile any add-ons you have created using the new Vaadin
- Unless using the precompiled widget set, recompile your widget set using the new Vaadin version
Remember also to refresh the project in your IDE to ensure that the new version of everything is in use.
By using the " ?debug " URL parameter, you can verify that the version of the servlet, the theme, and the widget set all match.
Eclipse users should always check if there is a new version of the Eclipse Plug-in available. The Eclipse Plug-in can be used to update the Vaadin version in the project (Project properties » Vaadin).
Maven users should update the Vaadin dependency version in the pom.xml unless it is defined as LATEST . You must also ensure that the GWT dependency uses the correct version and recompile your project and your widget set.
Liferay and other portal users must install the
Vaadin libraries in
Notes and Limitations for Google App Engine
The following instructions and limitations apply when you run a Vaadin application under the Google App Engine.
-
Applications must use GAEVaadinServlet instead of VaadinServlet in web.xml .
-
Session support must be enabled in appengine-web.xml :
<sessions-enabled>true</sessions-enabled>
-
Avoid using the session for storage, usual App Engine limitations apply (no synchronization, that is, unreliable).
-
Vaadin uses memcache for mutex, the key is of the form _vmutex<sessionid> .
-
The Vaadin VaadinSession class is serialized separately into memcache and datastore; the memcache key is _vac<sessionid> and the datastore entity kind is _vac with identifiers of the type _vac<sessionid> .
-
DO NOT update application state when serving an ConnectorResource (such as ClassResource.getStream()).
-
The application remains locked during uploads - a progress bar is not possible
For other known problems, see open tickets at developer site dev.vaadin.com.
Supported Technologies
Vaadin 7 is compatible with Java 6 and newer. Vaadin 7 is especially supported on the following operating systems:
- Windows
- Linux
- Mac OS X
Vaadin 7 requires Java Servlet API 2.4 but also supports later versions and should work with any Java application server that conforms to the standard. The following application servers are supported:
- Apache Tomcat 5-8
- Apache TomEE 1
- Oracle WebLogic Server 10.3-12
- IBM WebSphere Application Server 7-8
- JBoss Application Server 4-7
- Wildfly 8
- Jetty 5-9
- Glassfish 2-4
Vaadin 7 supports the JSR-286 Portlet specification and all portals that implement the specification should work. The following portals are supported:
- Liferay Portal 5.2-6
- GateIn Portal 3
- eXo Platform 3
- IBM WebSphere Portal 8
Vaadin also supports Google App Engine.
Vaadin supports the following desktop browsers:
- Mozilla Firefox 18-28
- Mozilla Firefox 17 ESR, 24 ESR
- Internet Explorer 8-11
- Safari 6-7
- Opera 12, 16-20
- Google Chrome 23-34
Additionally, Vaadin supports the built-in browsers in the following mobile operating systems:
- iOS 5-7
- Android 2.3-4
Vaadin SQL Container supports the following databases:
- HSQLDB
- MySQL
- MSSQL
- Oracle
- PostgreSQL
Vaadin on the Web
- vaadin.com - The developer portal containing everything you need to know about Vaadin
- vaadin.com/demo - A collection of demos for Vaadin
- vaadin.com/learn - Getting started with Vaadin
- vaadin.com/forum - Forums for Vaadin related discussions
- vaadin.com/book - Book of Vaadin - everything you need to know about Vaadin
- vaadin.com/api - Online javadocs
- vaadin.com/directory - Add-ons for Vaadin
- vaadin.com/pro-account - Commercial support and tools for Vaadin development
- vaadin.com/services - Expert services for Vaadin
- vaadin.com/company - Information about the company behind Vaadin
- dev.vaadin.com - Bug tracker
- How to get the source code of Vaadin