Version @version@ built on @builddate@.
Release Notes for Vaadin Framework @version@
- Overview of Vaadin @version@ Release
- Security fixes
- Change log for Vaadin @version@
- Enhancements in Vaadin @version-minor@
- Limitations in @version-minor@
- Vaadin Installation
- Package Contents
- Migrating from Vaadin 6 to Vaadin 7
- Vaadin @version@ dependencies
- Upgrading to Vaadin @version-minor@
- Supported technologies
- Vaadin on the Web
Overview of Vaadin @version@ Release
Vaadin @version@ is a maintenance release that includes a number of important bug fixes, as listed in the change log below.
For a list of enhancements in the last feature release, see Enhancements in Vaadin @version-minor@ and the Release Notes for Vaadin @version-minor@.0.
Security fixes in Vaadin Framework 7.1.11
Vaadin 7.1.11 fixes two security issues discovered during internal review.
Escaping of OptionGroup item icon URLs
The issue affects OptionGroup with item icons. Proper escaping of the src-attribute on the client side was not ensured when using icons for OptionGroup items. This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.
In order for an application to be vulnerable, user provided input must
be used to form a URL used to display an icon for an OptionGroup item,
when showing that Option Group to other users.
The vulnerability has been classified as moderate, due to it's limited
application.
Escaping of URLs in Util.getAbsoluteUrl()
The client side Util.getAbsoluteUrl() did not ensure proper escaping of the given URL. This could potentially, in certain situations, allow a malicious user to inject content, such as javascript, in order to perform a cross-site scripting (XSS) attack.
The method is used internally by the framework in such a manner that it
is unlikely this attack vector can be utilized in practice. However,
third party components, or future use of the method, could make an
attack viable.
The vulnerability has been classified as moderate, due to it's limited
application.
Change log for Vaadin @version@
This release includes the following closed issues:
- @release-notes-tickets@
You can also view the list of the closed issues at the Vaadin developer's site. .
Enhancements in Vaadin @version-minor@
The @version-minor@ includes many major and minor enhancements. Below is a list of the most notable changes:
- Server push (Use the @Push annotation to enable push for a UI)
- Server polling using UI.setPollInterval()
- Enhanced debug window
- Internet Explorer 10 support
- Sass compiler improvements: arithmetics, @content
- Dynamic CSS injection
- Support for SCSS/CSS files in all add-ons (Use Vaadin-Stylesheet in the manifest)
- Calendar is included in the core framework
- ProgressBar provides progress indication without polling (separated from ProgressIndicator)
- Tooltip and loading indicator delays configurable on server side
- The range of a DateField can be limited
- Window has maximize/restore controls
- UI and VaadinSession provide access() to access the UI and session while holding the needed lock
- A new @VaadinServletConfiguration annotation for configuring servlet parameters
- WAI-ARIA support for form fields, Button, and Tree
- The behavior of Property.toString() can be toggled using the legacyPropertyToString init parameter
- Default alignment can be set for layout components
- FieldGroup supports SQL date fields and date field creation
- Converter.convertToModel/convertFromModel now gets an additional parameter describing the target type
- The browser page can be reloaded programmatically using Page.reload()
- The VaadinServlet/VaadinPortlet and VaadinService classes have been refactored
- Several locking related fixes
- Client compiler dependencies are packaged as a separate jar
- DefaultWidgetSet is even more optimized (using compiler parameter -XenableClosureCompiler)
- Java assert statements have been added to critical code sections. Start JVM with -ea to use.
- StateChangeEvent.isInitialState() indicates if event is the first for a connector
- ClientConnector.isAttached() indicates if connector is attached
- Container.Filterable now contains a getContainerFilters() method
- TableQuery now supports schemas and catalogs
Tools have been updated for Vaadin @version-minor@ with the following changes:
- Maven
- Theme compilation support using vaadin:update-theme and vaadin:compile-theme
- Eclipse
- Theme compilation support using the provided button
- New projects are by default generated using Servlet 3.0 API
- Additional GWT compiler parameters can be specified
For enchancements introduced in Vaadin 7, see the Release Notes for Vaadin 7.0.0.
Limitations
- It is currently not possible to specify font-size as em or %, or layout component sizes with em (#10634)
- Push is currently not supported in portals (See #11493)
- HTTP session can not be invalidated while using push (#11721)
- Cookies are not available while using push (#11808)
- Not all proxies are compatible with websockets. If you are using push with an incompatible proxy you might have to force the transport mode to streaming. Some proxies have problems with streaming also - you need to ensure that the proxy does not buffer responses for HTTP streaming to work.
Vaadin Installation
Vaadin is a Java framework for building modern web applications that look great, perform well and make you and your users happy. Vaadin is available under the Apache License, Version 2.0 (see the license.html in the Vaadin ZIP or JAR package).
The easiest ways to install Vaadin are:
- If using Maven, define it as a dependency or use any of the available archetypes (only vaadin-application is available for Vaadin 7 at the time of this release) to create a new project
- If using Eclipse, use the Vaadin Plugin for Eclipse, which automatically downloads the Vaadin libraries. To use this prerelease version, the plugin should be installed from the experimental update site (http://vaadin.com/eclipse/experimental).
It is also available as a ZIP package downloadable from Vaadin Download page.
Package Contents
Inside the ZIP installation package you will find:
- Separate server-side (vaadin-server) and client-side (vaadin-client, vaadin-client-compiler) development libraries
- Precompiled widget set (vaadin-client-compiled) for server-side development
- Shared library (vaadin-shared) for both server- and client-side libraries
- Built-in themes (vaadin-themes) and the theme compiler (vaadin-theme-compiler)
- Dependency libraries provided under the lib/ folder
See the README.TXT in the installation package for detailed information about the package contents. Book of Vaadin (for Vaadin 7) gives more detailed instructions.
For server-side development, copy the vaadin-server , vaadin-client-compiled , vaadin-shared , vaadin-theme-compiler , and vaadin-themes from the main folder and the dependencies from the lib folder to the WEB-INF/lib folder of your Vaadin project. (The vaadin-client-compiled is necessary if you do not wish to compile the widget set by your own, which you need to do if you use almost any add-on components.)
For pure client-side development, you only need the vaadin-client and vaadin-client-compiler JARs, which should be put to a non-deployed project library folder, such as lib . You also need them if you compile the widget set for any reason, such as using Vaadin add-ons, or create new server-side components integrated with client-side widgets.
Migrating from Vaadin 6
All Vaadin 6 applications need some changes when migrating to Vaadin 7. The most obvious changes are in the application/window API and require extending either UI or UI.LegacyApplication instead of Application. A detailed list of migration changes are given in the Vaadin 7 Migration Guide.
Any custom client-side widgets need to be ported to use the new client-server communication API, or the Vaadin 6 compatibility API.
Vaadin 6 add-ons (ones that contain widgets) do not work in Vaadin 7 - please check the add-ons in Vaadin Directory for Vaadin 7 support.
Vaadin @version@ Dependencies
When using Maven, Ivy, Gradle, or other dependency management system, all Vaadin dependencies are downloaded automatically. This is also the case when using the Vaadin Plugin for Eclipse.
The Vaadin ZIP installation package includes the dependencies in the lib subfolder. These need to be copied to the WEB-INF/lib folder of the web application that uses Vaadin.
The dependencies are listed in the Licensing description. Some are explicit dependencies packaged and distributed as separate JARs, while some are included inside other libraries.
Bean Validation
If you use the bean validation feature in Vaadin 7, you need a Bean Validation API implementation. You need to install the implementation JAR in the WEB-INF/lib directory of the web application that uses validation.
Upgrading to Vaadin @version-minor@
Upgrading the Eclipse Plugin
Vaadin 7 requires that you use a compatible version of the Vaadin Plugin for Eclipse. The stable version of the plugin is available from the http://vaadin.com/eclipse update site. Please see the section about updating the plugin in the Book of Vaadin and the installation instructions at the download site for more details.
You can also use the experimental Vaadin Plugin for Eclipse. Its update site is http://vaadin.com/eclipse/experimental .
General Upgrading Instructions
When upgrading from an earlier Vaadin version, you must:
- Recompile your classes using the new Vaadin version. Binary compatibility is only guaranteed for maintenance releases of Vaadin.
- Recompile any add-ons you have created using the new Vaadin
- Unless using the precompiled widget set, recompile your widget set using the new Vaadin version
Remember also to refresh the project in your IDE to ensure that the new version of everything is in use.
By using the " ?debug " URL parameter, you can verify that the version of the servlet, the theme, and the widget set all match.
Eclipse users should always check if there is a new version of the Eclipse Plug-in available. The Eclipse Plug-in can be used to update the Vaadin version in the project (Project properties » Vaadin).
Maven users should update the Vaadin dependency version in the pom.xml unless it is defined as LATEST . You must also ensure that the GWT dependency uses the correct version and recompile your project and your widget set.
Liferay and other portal users must install the
Vaadin libraries in
Notes and Limitations for Google App Engine
The following instructions and limitations apply when you run a Vaadin application under the Google App Engine.
-
Applications must use GAEVaadinServlet instead of VaadinServlet in web.xml .
-
Session support must be enabled in appengine-web.xml :
<sessions-enabled>true</sessions-enabled>
-
Avoid using the session for storage, usual App Engine limitations apply (no synchronization, that is, unreliable).
-
Vaadin uses memcache for mutex, the key is of the form _vmutex<sessionid> .
-
The Vaadin VaadinSession class is serialized separately into memcache and datastore; the memcache key is _vac<sessionid> and the datastore entity kind is _vac with identifiers of the type _vac<sessionid> .
-
DO NOT update application state when serving an ConnectorResource (such as ClassResource.getStream()).
-
The application remains locked during uploads - a progress bar is not possible
For other known problems, see open tickets at developer site dev.vaadin.com.
Supported Technologies
Vaadin 7 is compatible with Java 6 and newer. Vaadin 7 is especially supported on the following operating systems:
- Windows
- Linux
- Mac OS X
Vaadin 7 requires Java Servlet API 2.4 but also supports later versions and should work with any Java application server that conforms to the standard. The following application servers are supported:
- Apache Tomcat 5-7
- Apache TomEE 1
- Oracle WebLogic Server 10.3-12
- IBM WebSphere Application Server 7-8
- JBoss Application Server 4-7
- Jetty 5-9
- Glassfish 2-4
Vaadin 7 supports the JSR-286 Portlet specification and all portals that implement the specification should work. The following portals are supported:
- Liferay Portal 5.2-6
- GateIn Portal 3
- eXo Platform 3
Vaadin also supports Google App Engine.
Vaadin supports the following desktop browsers:
- Mozilla Firefox 18-24
- Mozilla Firefox 17 ESR
- Internet Explorer 8-10
- Safari 6
- Opera 12,16
- Google Chrome 23-29
Additionally, Vaadin supports the built-in browsers in the following mobile operating systems:
- iOS 5-7
- Android 2.3-4
Vaadin SQL Container supports the following databases:
- HSQLDB
- MySQL
- MSSQL
- Oracle
- PostgreSQL
Vaadin on the Web
- vaadin.com - The developer portal containing everything you need to know about Vaadin
- vaadin.com/demo - A collection of demos for Vaadin
- vaadin.com/learn - Getting started with Vaadin
- vaadin.com/forum - Forums for Vaadin related discussions
- vaadin.com/book - Book of Vaadin - everything you need to know about Vaadin
- vaadin.com/api - Online javadocs
- vaadin.com/directory - Add-ons for Vaadin
- vaadin.com/pro-account - Commercial support and tools for Vaadin development
- vaadin.com/services - Expert services for Vaadin
- vaadin.com/company - Information about the company behind Vaadin
- dev.vaadin.com - Bug tracker
- How to get the source code of Vaadin