Migration Guide 1.0.3 - terasolunaorg/terasoluna-gfw GitHub Wiki
.. only:: html .. contents:: Table of contents :depth: 2 :local:
Main changes in version 1.0.3 are following.
- Updated the Spring Framework to 3.2.14
Note
About security vulnerability of JSTL
The JSTL 1.2 has the security vulnerability in some tags for XML operation. For security vulnerability of JSTL, refer to CVE-2015-0254. If problem tags is used, modify to use the
org.apache.taglibs:taglibs-standard-jstlel:1.2.3+
instead of thejavax.servlet:jstl:1.2
.For update procedures, refer to Update JSTL.
From version 1.0.3, Spring Framework has been updated to 3.2.14.RELEASE to fix important bugs.
- [CVE-2015-3192] DoS Attack with XML Input (SPR-13136)
Migration procedures are as follows.
Note
Legend
Required : This procedure is mandatory.Required by case : This procedure is mandatory, if conditions match.Optional : This procedure is recommended. Perform it if you feel the need.- : This procedure is not required.
[General]
.. tabularcolumns:: |p{0.10\linewidth}|p{0.30\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|
Step | Procedure | MavenMultiple Projects | MavenSingle Project | EclipseWTP Project |
---|---|---|---|---|
|
Update dependency libraries | Required | Required | Required |
Update TERASOLUNA Global Framework Common Library and dependency libraries.
.. tabularcolumns:: |p{0.35\linewidth}|p{0.25\linewidth}|p{0.25\linewidth}|p{0.15\linewidth}|
Library Name | From version | To version | Remarks |
---|---|---|---|
TERASOLUNA Global Framework Common Library | 1.0.2.RELEASE | 1.0.3.RELEASE | |
Spring Framework | 3.2.13.RELEASE | 3.2.14.RELEASE |
[Procedure's required cases]
This procedure is required.
This update procedure is for the projects which are generated by using mvn archetype.
Update pom file in your parent project.
($YOUR_MULTIPLE_PROJECT_ROOT/pom.xml
)
<parent>
<groupId>org.terasoluna.gfw</groupId>
<artifactId>terasoluna-gfw-parent</artifactId>
<version>1.0.3.RELEASE</version> <!-- ### Need to edit ### -->
</parent>
This update procedure is for projects that are generated by using mvn archetype or downloaded from the release site.
Update pom file in your project. ($YOUR_SINGLE_PROJECT/pom.xml
)
<parent>
<groupId>org.terasoluna.gfw</groupId>
<artifactId>terasoluna-gfw-parent</artifactId>
<version>1.0.3.RELEASE</version> <!-- ### Need to edit ### -->
</parent>
This update procedure is for Eclipse WTP project which is downloaded from the release site.
For update procedures, refer to Update libraries for using Eclipse WTP Project .
This update procedure is for Eclipse WTP project which is downloaded from the release site.
Note
Legend
[Table Header]Non : Blank project for none O/R MapperJPA : Blank project for JPAMB2 : Blank project for MyBatis 2[Marks]* : target for operations
Download the Eclipse WTP Project of 1.0.3.RELEASE.
If Eclipse is running, stop the Eclipse.
Update(delete and add) jar files in $YOUR_ECLIPSE_WTP_PROJECT/src/main/webapp/WEB-INF/lib
.
.. tabularcolumns:: |p{0.25\linewidth}|p{0.30\linewidth}|p{0.30\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|
Library Name | Delete File | Add File | Non | JPA | MB2 |
---|---|---|---|---|---|
TERASOLUNA Global Framework Common Library | terasoluna-gfw-common-1.0.2.RELEASE.jar | terasoluna-gfw-common-1.0.3.RELEASE.jar | * | * | * |
terasoluna-gfw-web-1.0.2.RELEASE.jar | terasoluna-gfw-web-1.0.3.RELEASE.jar | * | * | * | |
terasoluna-gfw-security-core-1.0.2.RELEASE.jar | terasoluna-gfw-security-core-1.0.3.RELEASE.jar | * | * | * | |
terasoluna-gfw-security-web-1.0.2.RELEASE.jar | terasoluna-gfw-security-web-1.0.3.RELEASE.jar | * | * | * | |
terasoluna-gfw-jpa-1.0.2.RELEASE.jar | terasoluna-gfw-jpa-1.0.3.RELEASE.jar | * | |||
terasoluna-gfw-mybatis2-1.0.2.RELEASE.jar | terasoluna-gfw-mybatis2-1.0.3.RELEASE.jar | * | |||
Spring Framework | spring-aop-3.2.13.RELEASE.jar | spring-aop-3.2.14.RELEASE.jar | * | * | * |
spring-aspects-3.2.13.RELEASE.jar | spring-aspects-3.2.14.RELEASE.jar | * | * | * | |
spring-beans-3.2.13.RELEASE.jar | spring-beans-3.2.14.RELEASE.jar | * | * | * | |
spring-context-3.2.13.RELEASE.jar | spring-context-3.2.14.RELEASE.jar | * | * | * | |
spring-context-support-3.2.13.RELEASE.jar | spring-context-support-3.2.14.RELEASE.jar | * | * | * | |
spring-core-3.2.13.RELEASE.jar | spring-core-3.2.14.RELEASE.jar | * | * | * | |
spring-expression-3.2.13.RELEASE.jar | spring-expression-3.2.14.RELEASE.jar | * | * | * | |
spring-jdbc-3.2.13.RELEASE.jar | spring-jdbc-3.2.14.RELEASE.jar | * | * | * | |
spring-orm-3.2.13.RELEASE.jar | spring-orm-3.2.14.RELEASE.jar | * | * | * | |
spring-tx-3.2.13.RELEASE.jar | spring-tx-3.2.14.RELEASE.jar | * | * | * | |
spring-web-3.2.13.RELEASE.jar | spring-web-3.2.14.RELEASE.jar | * | * | * | |
spring-webmvc-3.2.13.RELEASE.jar | spring-webmvc-3.2.14.RELEASE.jar | * | * | * |
Update(delete and add) source jar files in $YOUR_ECLIPSE_WTP_PROJECT/src/main/webapp/WEB-INF/libsrc
.
.. tabularcolumns:: |p{0.25\linewidth}|p{0.30\linewidth}|p{0.30\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|
Library Name | Delete File | Add File | Non | JPA | MB2 |
---|---|---|---|---|---|
TERASOLUNA Global Framework Common Library | terasoluna-gfw-common-1.0.2.RELEASE-sources.jar | terasoluna-gfw-common-1.0.3.RELEASE-sources.jar | * | * | * |
terasoluna-gfw-web-1.0.2.RELEASE-sources.jar | terasoluna-gfw-web-1.0.3.RELEASE-sources.jar | * | * | * | |
terasoluna-gfw-security-core-1.0.2.RELEASE-sources.jar | terasoluna-gfw-security-core-1.0.3.RELEASE-sources.jar | * | * | * | |
terasoluna-gfw-security-web-1.0.2.RELEASE-sources.jar | terasoluna-gfw-security-web-1.0.3.RELEASE-sources.jar | * | * | * | |
terasoluna-gfw-jpa-1.0.2.RELEASE-sources.jar | terasoluna-gfw-jpa-1.0.3.RELEASE-sources.jar | * | |||
terasoluna-gfw-mybatis2-1.0.2.RELEASE-sources.jar | terasoluna-gfw-mybatis2-1.0.3.RELEASE-sources.jar | * | |||
Spring Framework | spring-aop-3.2.13.RELEASE-sources.jar | spring-aop-3.2.14.RELEASE-sources.jar | * | * | * |
spring-aspects-3.2.13.RELEASE-sources.jar | spring-aspects-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-beans-3.2.13.RELEASE-sources.jar | spring-beans-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-context-3.2.13.RELEASE-sources.jar | spring-context-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-context-support-3.2.13.RELEASE-sources.jar | spring-context-support-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-core-3.2.13.RELEASE-sources.jar | spring-core-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-expression-3.2.13.RELEASE-sources.jar | spring-expression-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-jdbc-3.2.13.RELEASE-sources.jar | spring-jdbc-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-orm-3.2.13.RELEASE-sources.jar | spring-orm-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-tx-3.2.13.RELEASE-sources.jar | spring-tx-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-web-3.2.13.RELEASE-sources.jar | spring-web-3.2.14.RELEASE-sources.jar | * | * | * | |
spring-webmvc-3.2.13.RELEASE-sources.jar | spring-webmvc-3.2.14.RELEASE-sources.jar | * | * | * |
Update the referenced libraries in all of the following files, using replace string.
$YOUR_ECLIPSE_WTP_PROJECT/.classpath
$YOUR_ECLIPSE_WTP_PROJECT/build.xml
.. tabularcolumns:: |p{0.25\linewidth}|p{0.30\linewidth}|p{0.30\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|
Library Name | Before | After | Non | JPA | MB2 |
---|---|---|---|---|---|
TERASOLUNA Global Framework Common Library | terasoluna-gfw-common-1.0.2.RELEASE | terasoluna-gfw-common-1.0.3.RELEASE | * | * | * |
terasoluna-gfw-web-1.0.2.RELEASE | terasoluna-gfw-web-1.0.3.RELEASE | * | * | * | |
terasoluna-gfw-security-core-1.0.2.RELEASE | terasoluna-gfw-security-core-1.0.3.RELEASE | * | * | * | |
terasoluna-gfw-security-web-1.0.2.RELEASE | terasoluna-gfw-security-web-1.0.3.RELEASE | * | * | * | |
terasoluna-gfw-jpa-1.0.2.RELEASE | terasoluna-gfw-jpa-1.0.3.RELEASE | * | |||
terasoluna-gfw-mybatis2-1.0.2.RELEASE | terasoluna-gfw-mybatis2-1.0.3.RELEASE | * | |||
Spring Framework | spring-aop-3.2.13.RELEASE | spring-aop-3.2.14.RELEASE | * | * | * |
spring-aspects-3.2.13.RELEASE | spring-aspects-3.2.14.RELEASE | * | * | * | |
spring-beans-3.2.13.RELEASE | spring-beans-3.2.14.RELEASE | * | * | * | |
spring-context-3.2.13.RELEASE | spring-context-3.2.14.RELEASE | * | * | * | |
spring-context-support-3.2.13.RELEASE | spring-context-support-3.2.14.RELEASE | * | * | * | |
spring-core-3.2.13.RELEASE | spring-core-3.2.14.RELEASE | * | * | * | |
spring-expression-3.2.13.RELEASE | spring-expression-3.2.14.RELEASE | * | * | * | |
spring-jdbc-3.2.13.RELEASE | spring-jdbc-3.2.14.RELEASE | * | * | * | |
spring-orm-3.2.13.RELEASE | spring-orm-3.2.14.RELEASE | * | * | * | |
spring-tx-3.2.13.RELEASE | spring-tx-3.2.14.RELEASE | * | * | * | |
spring-web-3.2.13.RELEASE | spring-web-3.2.14.RELEASE | * | * | * | |
spring-webmvc-3.2.13.RELEASE | spring-webmvc-3.2.14.RELEASE | * | * | * |
If problem tags is used, modify to use the org.apache.taglibs:taglibs-standard-jstlel:1.2.3+
instead of the javax.servlet:jstl:1.2
.
For target tags, refer to CVE-2015-0254.
Note
Latest version of org.apache.taglibs:taglibs-standard-jstlel is 1.2.5 at the time of 1.0.3 release.
Exclude the javax.servlet:jstl
and add the org.apache.taglibs:taglibs-standard-jstlel:1.2.3+
in the <dependencyManagement>
.
($YOUR_MULTIPLE_PROJECT_ROOT/pom.xml
)
<dependencyManagement>
</dependencies>
<!-- omit -->
<dependency> <!-- ### Need to add ### -->
<groupId>org.terasoluna.gfw</groupId>
<artifactId>terasoluna-gfw-web</artifactId>
<version>${terasoluna.gfw.version}</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency> <!-- ### Need to add ### -->
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-jstlel</artifactId>
<version>${taglibs-standard-jstlel.version}</version>
</dependency>
<!-- omit -->
</dependencies>
</dependencyManagement>
<properties>
<!-- omit -->
<taglibs-standard-jstlel.version>1.2.5</taglibs-standard-jstlel.version> <!-- ### Need to add ### -->
<!-- omit -->
</properties>
Note
Method of manage the version
We will recommended to manage the version using property(e.g.
${taglibs-standard-jstlel.version}
).
Add the org.apache.taglibs:taglibs-standard-jstlel
in the web project.
($YOUR_MULTIPLE_PROJECT_ROOT/xxx-web/pom.xml
)
<dependency> <!-- ### Need to add ### -->
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-jstlel</artifactId>
</dependency>
Exclude the javax.servlet:jstl
.
($YOUR_SINGLE_PROJECT/pom.xml
)
<dependency>
<groupId>org.terasoluna.gfw</groupId>
<artifactId>terasoluna-gfw-web</artifactId>
<exclusions> <!-- ### Need to add ### -->
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</exclusion>
</exclusions>
</dependency>
Add the org.apache.taglibs:taglibs-standard-jstlel
.
($YOUR_SINGLE_PROJECT/pom.xml
)
<dependency> <!-- ### Need to add ### -->
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-jstlel</artifactId>
<version>1.2.5</version>
</dependency>