path: root/WebContent/release-notes.html
blob: b05a5e1548ab94ad31542a85684f6ae6e8e9bdb4 (plain)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Vaadin Framework @version@</title>
<link rel="stylesheet" type="text/css" href="css/styles.css" />

<!--[if lte IE 6]>
		<link rel="stylesheet" type="text/css" href="css/ie.css" />
		<![endif]-->
<style type="text/css">
.nested-list ol {
	counter-reset: item
}

.nested-list li {
	display: block
}

.nested-list li:before {
	content: counters(item, ".") ". ";
	counter-increment: item
}
</style>
</head>
<!-- /head -->
<body>

	<div id="header">
		<h1>Vaadin &ndash; thinking of U and I</h1>
		<div id="version">
			<strong>Version @version@</strong>
		</div>
	</div>
	<!-- /header -->

	<div id="content">

		<p>Version @version@ built on @builddate@.</p>

		<h2 id="tableofcontents">Release Notes for Vaadin Framework
			@version@</h2>
		<ul>
			<li><a href="#overview">Package contents</a>
			</li>
			<li><a href="#security-fixes">Security fixes in Vaadin @version-minor@</a>
			</li>
			<li><a href="#enhancements">Enhancements in Vaadin @version-minor@</a>
			</li>
			<li><a href="#fixes">Fixes in Vaadin @version@</a>
			</li>
			<li><a href="#backwardsincompatibilities">Backwards
					incompatible changes in Vaadin @version-minor@</a>
			</li>
			<li><a href="#dependencies">Vaadin @version@ dependencies</a>
			</li>
			<li><a href="#upgrading">Upgrading to Vaadin @version-minor@</a>
			</li>
			<li><a href="#knownissues">Known problems and limitations in
					Vaadin @version@</a>
			</li>
			<li><a href="#supportedversions">Supported technologies</a>
			</li>
			<li><a href="#vaadinontheweb">Vaadin on the Web</a>
			</li>
		</ul>
		<h2 id="overview">Package Contents</h2>
		<p>
			<b>Vaadin</b> is a Java framework for building modern web
			applications that look great, perform well and make you and your
			users happy. <b>Vaadin</b> is available under the Apache 2 license
			(see license.html).
		</p>
		<p>
			<b>Vaadin</b> is distributed as a single JAR file. Inside the JAR you
			will find:
			<ul>
				<li>Vaadin server and client side classes (/com)</li>
				<li>Vaadin server and client side sources (/com)</li>
				<li>The default widget set (/VAADIN/widgetsets)</li>
				<li>Themes: Runo, Reindeer and Chameleon (/VAADIN/themes)</li>
				<li>Release notes (/release-notes.html)</li>
				<li>Licensing information (/license.html)</li>
			</ul>
		</p>

		<h2 id="security-fixes">Security fixes in Vaadin @version-minor@</h2>
		<p>Vaadin 6.7.0 and later incorporates fixes for the following security issues:</p>
    <ul>
        <li><a href="http://dev.vaadin.com/ticket/7669">#7669</a> CSRF/XSS vulnerability through separator injection</li>
        <li><a href="http://dev.vaadin.com/ticket/7670">#7670</a> Directory traversal vulnerability</li>
        <li><a href="http://dev.vaadin.com/ticket/7671">#7671</a> Contributory XSS: Possibility to inject HTML/JavaScript in system error messages</li>
        <li><a href="http://dev.vaadin.com/ticket/7672">#7672</a> Contributory XSS: possibility for injection in certain components</li>
    </ul>

		<p>
		These issues were discovered by Wouter Coekaerts (<a href="http://wouter.coekaerts.be/">http://wouter.coekaerts.be/</a>) and an internal review.
		Immediate upgrade to a version containing the fixes (6.6.7 or later or 6.7.0 or later) is strongly recommended for all users.
		</p>

		<p>
		The most serious of these issues is the directory traversal attack that can allow read access to the class files of an application as well as some configuration information. 
		</p> 

		<p>
		If unable to immediately upgrade Vaadin to a version containing the fixes, the directory traversal vulnerability can be mitigated by not mapping the context path
		"/VAADIN" to a Vaadin servlet in web.xml but instead deploying such static resources (themes and widgetsets) directly on the server and serving them as files. 
		</p>
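		<p>
		The mitigation above as a <tt>web.xml</tt> sketch. This is an added example, not part of the Vaadin distribution;
		the servlet name <tt>MyApp</tt>, the application class <tt>com.example.MyApplication</tt> and the <tt>/app/*</tt> path are assumptions.
		</p>

```xml
<!-- Added example. MyApp, com.example.MyApplication and /app/* are assumed names. -->
<web-app>
  <servlet>
    <servlet-name>MyApp</servlet-name>
    <servlet-class>com.vaadin.terminal.gwt.server.ApplicationServlet</servlet-class>
    <init-param>
      <param-name>application</param-name>
      <param-value>com.example.MyApplication</param-value>
    </init-param>
  </servlet>

  <!-- Application UI stays on a sub-path. A mapping of /* would still hand
       every /VAADIN/... request to the Vaadin servlet, so it does not
       qualify for this mitigation. -->
  <servlet-mapping>
    <servlet-name>MyApp</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>

  <!-- BEFORE (exposed): static resources served through the Vaadin servlet.
  <servlet-mapping>
    <servlet-name>MyApp</servlet-name>
    <url-pattern>/VAADIN/*</url-pattern>
  </servlet-mapping>
  -->

  <!-- AFTER: no servlet mapping for /VAADIN/*. Extract the VAADIN folder
       (themes and widgetsets) from the Vaadin JAR into the web application
       root, next to WEB-INF, so the container serves those files itself. -->
</web-app>
```

		<p>
		After redeploying, requests under <tt>/VAADIN/</tt> should be answered by the container's static file handling rather than by the Vaadin servlet;
		the extracted theme and widgetset files must be refreshed on every Vaadin upgrade.
		</p>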

		<p>
		The other vulnerabilities typically require user actions (pasting text crafted by the attacker into the application or following a link crafted by the attacker)
		for a successful attack, but may be exploitable more directly in certain applications. They can allow the attacker to control the user session for the application
		in the browser.
		</p>
    
		<h2 id="enhancements">Enhancements in Vaadin @version-minor@</h2>
		<p>
			<b>SQLContainer</b>
		</p>
		<p>SQLContainer connects your application to an SQL database using
			JDBC. SQLContainer allows you to easily bind data stored in a SQL
			database to Table and Select components, as well as edit the data
			using Forms. Compared to many object-relational tools this provides
			you with fast, low-level database access.</p>
		<p>SQLContainer was previously distributed as an add-on and has
			now been integrated into the framework.</p>
		<p>
			<b>TreeTable</b>
		</p>
		<p>TreeTable is an extended Table component that can show
			hierarchical structures in its first column. Users can show or hide
			children from a small icon before the actual column value in the
			first column.</p>
		<p>TreeTable is, similarly to Table, designed to scale well with
			large number of rows by only sending the needed rows to the browser.
			With the Collapsible Container extension, a developer can build the
			data provider so that it does not consume too much memory on the
			server side either.</p>
		<p>
			<b>Chameleon Theme</b>
		</p>
		<p>Chameleon Theme provides a completely new look and feel for
			your application.</p>
		<p>
			The theme is built on top of the Vaadin Base theme and tries to keep
			out of the way where appropriate, so small modifications are easy to
			do with CSS.
		</p>
		<p>
			The theme contains several different useful styles for many of the
			basic components like <i>big</i> and <i>warning</i> for a Label. You
			can even combine many styles together, like <i>big warning</i>.
		</p>
		<p>
			If the default color scheme does not suit your taste, feel free to
			use the online color scheme editor at <a
				href="http://demo.vaadin.com/">http://demo.vaadin.com</a> to build a
			customized theme. You can also change the base font size for the whole
			theme with the same editor.
		</p>
		<p>
			<i>Note that the theme is intentionally simplified for some
				browsers, most notably old Internet Explorer versions.</i>
		</p>
		<p>
			<b>Notification</b> now supports a plain text mode for its contents
		</p>
		<p>
			<b>OptionGroup</b> now supports a HTML mode for the item captions
		</p>
        <p>
            <b>OptionGroup</b> now supports item icons
        </p>        
		<p>
			<b>MenuBar</b> now supports a HTML mode for the item captions
		</p>
		<p>
			<b>ComboBox</b> now supports scrolling using the mouse wheel
		</p>
		<p>
			<b>Table ColumnGenerator</b> can now generate plain text in addition
			to Components
		</p>
		<p>
			<b>TabSheet</b> tabs can be styled individually
		</p>
		<p>
			<b>Button</b> can be automatically disabled when clicked
		</p>
		<p>
			<b>Tree, Table</b> and <b>TreeTable</b> support tooltips for
			individual items or cells
		</p>
		<p>
			<b>Table</b> and <b>TreeTable</b> now support GeneratedRows that can
			be used for grouping or summary rows
		</p>
		<p>
			<b>TreeTable</b> supports animation for expand and collapse
			operations
		</p>
		<p>
			<b>TreeTable</b> supports expand and collapse listeners
		</p>
		<p>
			<b>PopupDateField</b> and <b>InlineDateField</b> now support time
			zones
		</p>
        <p>
            <b>ComboBox</b> can now be used as a replacement for NativeSelect
        </p>
        <p>
            <b>Audio</b> and <b>Video</b> components implement support for HTML5 &lt;audio&gt; and &lt;video&gt; elements.
        </p>
        <p>
            <b>CDI</b> can now also be used with @SessionScoped beans.
        </p>
		<p>
			<b>Sampler</b> is no longer distributed as part of Vaadin @version@.
			It will be available as a separate download
		</p>
		<p>
			<b>Book of Vaadin</b> is no longer distributed with Vaadin @version@.
			It is available as a separate download from <a
				href="http://vaadin.com/book">http://vaadin.com/book</a>
		</p>
		<p>
			The <a
				href="http://dev.vaadin.com/query?status=closed&type=enhancement&milestone=Vaadin+6.7.0.rc1&or&status=closed&type=enhancement&milestone=Vaadin+6.7.0.beta1&or&status=closed&type=enhancement&milestone=Vaadin+6.7.0&group=status&col=id&col=summary&col=type&col=owner&col=priority&col=component&col=version&order=priority">full
				details of the enhancements</a> can be found at dev.vaadin.com.
		</p>
		<h2 id="fixes">Fixes in Vaadin @version@</h2>
		
	<p>
    #7788   Field.setPropertyDataSource() does not reflect value for 6.7.0<br/>
    #7479   Vaadin apps cannot currently be deployed on IBM WebSphere v8<br/>
    #7724   TextField with PropertyFormatter did not repaint in 6.7.0 (event with requestRepaint() call)<br/>
    #7731   Javascript error when adding an item to an empty Table when setColumnWidth is used<br/>
    #7776   AbstractField doesn't respect value change events from property during commit<br/>
    #7778   Table rendering problem<br/>
    #6588   Repainting in TextChangeListener will send wrong value to client.<br/>
    #7720   TreeTable doesn't get refreshed if all entries are removed<br/>
    #7738   Slashes or backslashes in ApplicationResources URLs should not be encoded<br/>
    #7753   TreeTable gets into a state that causes internal error when getChildren throws an exception.<br/>
    #3710   Width is miscalculated for the footer layouts in forms of undefined size<br/>
    #7548   TestBench pressSpecialKey (arrows) doesn't work on Tree in IE6<br/>
    #7708   DragAndDropWrapper.setDescription("foo") does not work<br/>
    #7736   Logging level of SqlContainer is too high<br/>
    #7755   Debug window "highlight component" does not work with sub windows<br/>
    	</p>
		<p>
			The <a href="http://dev.vaadin.com/query?status=closed&type=defect&milestone=Vaadin%20@version@">full
				details of the defects</a> can be found at dev.vaadin.com.
		</p>

		<h2 id="backwardsincompatibilities">Backwards incompatible
			changes in Vaadin @version-minor@</h2>
		<p>Table.ColumnGenerator.generateCell has been changed to return
			Object instead of Component to enable generation of plain text.</p>
		<p>Package names for SQLContainer, TreeTable and Chameleon Theme
			java files have been changed from com.vaadin.addons.* to com.vaadin.*</p>
		<p>If you have been using SQLContainer, TreeTable or Chameleon
			Theme as add-ons, remove the add-on jars from the project.</p>
		<p>The DOM structure of Forms without descriptions has changed, which means
		    that any TestBench scripts testing this kind of Form need to be updated.
		    If your tests start failing, subtract one from the index in the test script,
		    e.g. change
		    <pre class="codeblock">VForm[0]/domChild[0]/domChild[3]</pre>
		    into
		    <pre class="codeblock">VForm[0]/domChild[0]/domChild[2]</pre>
		    and your tests will pass again.</p>

		<h2 id="dependencies">Vaadin @version@ dependencies</h2>
		Vaadin uses GWT @gwt-version@ for widget set compilation. GWT can be
		downloaded from <a href="http://code.google.com/webtoolkit/">http://code.google.com/webtoolkit/</a>.
		GWT can also be automatically downloaded by the Vaadin Plug-in for
		Eclipse. Please note that GWT @gwt-version@ requires the <i>validation-api-1.0.0.GA.jar</i>
		and <i>validation-api-1.0.0.GA-sources.jar</i> files in addition to <i>gwt-dev.jar</i>
		and <i>gwt-user.jar</i> for widget set compilation.

		<h2 id="upgrading">Upgrading to Vaadin @version-minor@</h2>
		<p>
			When upgrading from an earlier Vaadin version, you must
			<ul>
				<li>Recompile your classes using the new Vaadin JAR. Binary
					compatibility is only guaranteed for maintenance releases of
					Vaadin.</li>
				<li>Recompile any add-ons you have created using the new Vaadin
					JAR.</li>
				<li>Recompile your widget set using the new Vaadin JAR and the
					newly compiled add-ons.</li>
				<li>If you have extracted a theme from the Vaadin JAR, you need
					to update it with the theme provided in the new Vaadin JAR.</li>
			</ul>
		</p>
		<p>Remember also to refresh the project in your IDE to ensure that
			the new version of everything is in use.</p>
		<p>Using the "?debug" URL parameter you can verify that the
			version of the servlet (JAR), the theme and the widgetset all match.</p>
		<p>
			<b>Eclipse</b> users should always check if there is a new version of
			the Eclipse Plug-in available. The Eclipse Plug-in can be used to
			update the Vaadin version in the project (Project properties &raquo;
			Vaadin).
		</p>

		<p>
			<b>Maven</b> users should update the Vaadin dependency version in the
			<tt>pom.xml</tt>
			unless it is defined as
			<tt>LATEST</tt>
			. You must also ensure that the GWT dependency uses the correct
			version and recompile your project and your widget set.

		</p>

		<p>
		<b>Liferay and other portal</b> users must install the new
		vaadin-@version@.jar as
		<tt>ROOT/WEB-INF/lib/vaadin.jar</tt> in the portal. Additionally the
		contents of the <tt>VAADIN</tt> folder from the JAR must be extracted
		to the <tt>ROOT/html/VAADIN</tt> directory in the Liferay
		installation. If your portal uses custom widgets, install the latest
		version of <a
			href="http://vaadin.com/directory#addon/vaadin-control-panel-for-liferay">Vaadin
			Control Panel for Liferay</a> for easy widget set compilation.
		</p>

		<h3>Upgrading from Vaadin 6.5 or earlier</h3>
		<p>
		If you are upgrading from 6.5.x or earlier, notice that Vaadin
		@version@ uses GWT @gwt-version@. Upgrade your dependencies as
		necessary. See <a href="#dependencies">the dependencies</a> section
		for more information.
		</p>

		<h3 id="widgetupgrade">Upgrading from Vaadin 6.1 or earlier</h3>

		<p>
			The way widget sets are created was completely changed in Vaadin 6.2.
			Existing projects, where custom widgets (a custom widget set) are
			used, must be migrated when upgrading to Vaadin 6.2 or later.
			Projects where the default widget set is used do not need migration.
			See <a
				href="http://vaadin.com/download/release/6.2/6.2.0/release-notes.html">Vaadin
				6.2.0 release notes</a> for more details.
		</p>





		<h3 id="knownissues">Known problems and limitations in Vaadin
			@version@</h3>

		<ul>
			<li><p id="zipissue">
					<a href="http://dev.vaadin.com/ticket/1155">#1155</a>:
					Uncompressing the installation package fails in Windows if using
					the default Zip uncompression. Uncompression gives (in Windows
					Vista) an error message about too long filenames, and a more
					obscure message in other versions of Windows. Workaround: use <a
						href="http://www.7-zip.org/">7-Zip</a> or some other good unzip
					program for Windows.
				</p>
			</li>
		</ul>
		<h4 id="gae">Notes and Limitations for Google App Engine</h4>

		<p>The following instructions and limitations apply when you run a
			Vaadin application under the Google App Engine.</p>

		<ul>
			<li><p>
					Applications must use <b>GAEApplicationServlet</b> instead of <b>ApplicationServlet</b>
					in
					<tt>web.xml</tt>
					.
				</p>
			</li>

			<li><p>
					Session support must be enabled in
					<tt>appengine-web.xml</tt>
					:
				</p> <pre>    &lt;sessions-enabled&gt;true&lt;/sessions-enabled&gt;</pre>
			</li>

			<li><p>Avoid using the session for storage, usual App Engine
					limitations apply (no synchronization, i.e, unreliable).</p>
			</li>

			<li><p>
					Vaadin uses memcache for mutex, the key is of the form
					<tt>_vmutex&lt;sessionid&gt;</tt>
					.
				</p>
			</li>

			<li><p>
					The Vaadin <b>WebApplicationContext</b> class is serialized
					separately into memcache and datastore; the memcache key is
					<tt>_vac&lt;sessionid&gt;</tt>
					and the datastore entity kind is
					<tt>_vac</tt>
					with identifiers of the type
					<tt>_vac&lt;sessionid&gt;</tt>
					.
				</p>
			</li>

			<li><p>
					DO NOT update application state when serving an <b>ApplicationResource</b>
					(e.g <b>ClassResource</b>.<i>getStream()</i>).
				</p>
			</li>

			<li><p>
					AVOID (or be very careful when) updating application state in a <b>TransactionListener</b>
					or a <b>HttpServletRequestListener</b> - they are called even when
					the application is not locked and won't be serialized (e.g <b>ApplicationResource</b>),
					and changes can thus go missing (it should be safe to update things
					that can be safely discarded later - i.e valid only for the current
					request)
				</p>
			</li>

			<li><p>The application remains locked during uploads - a
					progress bar is not possible</p>
			</li>
		</ul>


		<p>
			For other known problems, see open tickets at the developer site <a
				href="http://dev.vaadin.com/">dev.vaadin.com</a>.
		</p>

		<h2 id="supportedversions">Supported technologies</h2>

		<p>
			Vaadin is based on <b>Java 5</b> and is also compatible with most
			other operating systems supporting Java 5 or newer. Vaadin is
			supported on the following <b>operating systems</b>:
		</p>

		<ul>
			<li>Windows (see the <a href="#knownissues">Zip installation
					notice above</a>)</li>
			<li>Linux</li>
			<li>Mac OS X</li>
		</ul>

		<p>
			Vaadin requires <b>Java Servlet API 2.3</b> but also supports later
			versions and should work with any Java application server that
			conforms to the standard. The following <b>application servers</b>
			are supported:
		</p>

		<ul>
			<li>Apache Tomcat, version 4.1-7.0</li>
			<li>Oracle WebLogic&reg; Server, version 9.2-10.3.5(11gR1)</li>
			<li>IBM WebSphere&reg; Application Server, version 6.1-8.0</li>
			<li>JBoss Application Server, 3.2.8-7.0</li>
			<li>Jetty, version 5.0-7.0</li>
			<li>Glassfish, version 2.0-3.1</li>
		</ul>
		<p>
			Vaadin supports JSR-168 and JSR-286 Portlet specifications. All
			portals that implement either of the portlet specifications should
			work. The following <b>portals</b> are supported:
		</p>
		<ul>
			<li>Liferay Portal 5.2-6.0</li>
			<li>GateIn Portal 3.1</li>
			<li>eXo Platform 3</li>
		</ul>
		<p>
			Vaadin also supports <b>Google App Engine</b>.
		</p>
		<p>
			Vaadin supports the following <b>browsers</b>:
		</p>

		<ul>
			<li>Mozilla Firefox 3-6</li>
			<li>Internet Explorer 6-9</li>
			<li>Safari 4-5</li>
			<li>Opera 10-11</li>
			<li>Google Chrome 13</li>
		</ul>

		<h2 id="vaadinontheweb">Vaadin on the Web</h2>
		<p>
			<ul>
				<li><a href="http://vaadin.com">vaadin.com - The developer
						portal containing everything you need to know about Vaadin</a>
				</li>
				<li><a href="http://demo.vaadin.com">demo.vaadin.com - A
						collection of demos for Vaadin</a></li>
				<li><a href="http://vaadin.com/learn">vaadin.com/learn -
						Getting started with Vaadin</a></li>
				<li><a href="http://vaadin.com/forum">vaadin.com/forum -
						Forums for Vaadin related discussions</a>
				</li>
				<li><a href="http://vaadin.com/book">vaadin.com/book - Book
						of Vaadin - everything you need to know about Vaadin</a>
				</li>
				<li><a href="http://vaadin.com/api">vaadin.com/api - Online
						javadocs</a>
				</li>
				<li><a href="http://vaadin.com/directory">vaadin.com/directory
						- Add-ons for Vaadin</a>
				</li>
				<li><a href="http://dev.vaadin.com">dev.vaadin.com - Bug
						tracker</a>
				</li>
				<li><a
					href="http://dev.vaadin.com/svn/versions/@version-minor@">dev.vaadin.com/svn/versions/@version-minor@
						- Source code</a>
				</li>
				<li><a href="http://vaadin.com/pro-account">vaadin.com/pro-account
						- Commercial support and tools for Vaadin development</a>
				</li>
				<li><a href="http://vaadin.com/services">vaadin.com/services
						- Expert services for Vaadin</a>
				</li>
				<li><a href="http://vaadin.com/company">vaadin.com/company
						- Information about the company behind Vaadin</a>
			</ul>
		</p>
	</div>
	<!-- /content-->


	<div id="footer">
		<span class="slogan"><strong>vaadin <em>}&gt;</em> </strong>
			thinking of U and I</span> <a href="#top">&uarr; Back to
					top</a>
	</div>
	<!-- /footer -->

</body>
</html>