Migration Guide 5.1.1_en - terasolunaorg/terasoluna-gfw GitHub Wiki

Guide for migration from 5.1.0 to 5.1.1

.. only:: html

 .. contents:: table of contents
    :depth: 2
    :local:

Key changes in 5.1.1

The key changes in 5.1.1 are as below.

Update MyBatis to 3.3.1

From 5.1.1, MyBatis has been updated to 3.3.1 to incorporate the following bug fix. In accordance with this update, MyBatis Spring has been updated to 1.2.5.

  • [#492] NPE when ResultSet is null

Some specification changes in the common library

From 5.1.1, some specifications of the common library have been changed to fix bugs.

  • [#554] MessagePanelTag doesn't close with </div> when it's empty
  • [#565] TransactionToken does not support some special flows
  • [#593] createToken() of TransactionTokenContextImpl does not work properly

Blank project changes

From 5.1.1, some configuration files of the blank project have been changed.

Changes due to modification of common library

Changes to resolve a security vulnerability (CVE-2016-5007)

  • [single#201] [multi#244] Add workaround settings for CVE-2016-5007 (Path Matching Inconsistency)

Procedure for migrating from 5.1.0 to 5.1.1

The migration procedure is as follows.

Note

Legend

Required : This procedure is mandatory
Required by case : This procedure is mandatory if conditions match
Optional : This procedure is recommended (Implement it as required)
- : This procedure is not required

[General]

.. tabularcolumns:: |p{0.10\linewidth}|p{0.30\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|
.. list-table::
    :header-rows: 1

    * - Step
      - Procedure
      - Maven Multiple Projects
      - Maven Single Project
      - Eclipse WTP Project
    * - Step 1
      - Update the dependent library
      - Required
      - Required
      - Required
    * - Step 2
      - Change HTTP proxy setting of RestClient
      - Optional
      - Optional
      - Optional

[Spring Security]

.. tabularcolumns:: |p{0.10\linewidth}|p{0.30\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|
.. list-table::
    :header-rows: 1

    * - Step
      - Procedure
      - Maven Multiple Projects
      - Maven Single Project
      - Eclipse WTP Project
    * - Step 3
      - [CVE-2016-5007] Setting for vulnerability resolution of MVC Path Matching Inconsistency
      - Required
      - Required
      - Required

[Apache Commons Fileupload]

.. tabularcolumns:: |p{0.10\linewidth}|p{0.30\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|
.. list-table::
    :header-rows: 1

    * - Step
      - Procedure
      - Maven Multiple Projects
      - Maven Single Project
      - Eclipse WTP Project
    * - Step 4
      - [CVE-2016-3092] Setting for vulnerability resolution of Apache Commons Fileupload
      - Required by case
      - Required by case
      - Required by case

[MyBatis Spring]

.. tabularcolumns:: |p{0.10\linewidth}|p{0.30\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|
.. list-table::
    :header-rows: 1

    * - Step
      - Procedure
      - Maven Multiple Projects
      - Maven Single Project
      - Eclipse WTP Project
    * - Step 5
      - Temporary countermeasure for the bug in which a WARN log is output at application termination when ``SqlSessionTemplate`` is defined as a bean
      - Required by case
      - Required by case
      - Required by case

[Common Library]

.. tabularcolumns:: |p{0.10\linewidth}|p{0.30\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|p{0.20\linewidth}|
.. list-table::
    :header-rows: 1

    * - Step
      - Procedure
      - Maven Multiple Projects
      - Maven Single Project
      - Eclipse WTP Project
    * - Step 6
      - Correction due to specification change of ``MessagePanelTag``
      - Required by case
      - Required by case
      - Required by case
    * - Step 7
      - Correction due to deprecation of ``TransactionTokenContext``
      - Required by case
      - Required by case
      - Required by case
    * - Step 8
      - Correction due to addition of ``TransactionTokenType.CHECK`` to the type attribute of ``@TransactionTokenCheck``
      - Optional
      - Optional
      - Optional

[Step 1] Update dependent libraries

Please update the common library and the dependent libraries of TERASOLUNA Server Framework for Java (5.x).

.. tabularcolumns:: |p{0.35\linewidth}|p{0.25\linewidth}|p{0.25\linewidth}|p{0.15\linewidth}|
.. list-table::
    :header-rows: 1

    * - Library name
      - Version before update
      - Version after update
      - Remarks
    * - TERASOLUNA Server Framework for Java (5.x) Common Library
      - 5.1.0.RELEASE
      - 5.1.1.RELEASE
      -
    * - MyBatis
      - 3.3.0
      - 3.3.1
      -
    * - MyBatis Spring
      - 1.2.3
      - 1.2.5
      -

[Procedure's required cases]

This procedure is mandatory.

[Step 1-1] In case of using Maven Multiple Projects

This update procedure is for projects created using mvn archetype.

Please change the version in the parent project's pom file to ``5.1.1.RELEASE``.

  • ($YOUR_MULTIPLE_PROJECT_ROOT/pom.xml)

.. code-block:: xml

    <!-- omitted -->
    <parent>
        <groupId>org.terasoluna.gfw</groupId>
        <artifactId>terasoluna-gfw-parent</artifactId>
        <version>5.1.1.RELEASE</version>                    <!-- ### Modification location ### -->
    </parent>
    <!-- omitted -->

[Step 1-2] In case of using Maven Single Project

This update procedure is for projects created using mvn archetype or for projects downloaded from the release site.

Please change the version in the project's pom file to ``5.1.1.RELEASE``.

  • ($YOUR_SINGLE_PROJECT/pom.xml)

.. code-block:: xml

    <!-- omitted -->
    <parent>
        <groupId>org.terasoluna.gfw</groupId>
        <artifactId>terasoluna-gfw-parent</artifactId>
        <version>5.1.1.RELEASE</version>                    <!-- ### Modification location ### -->
    </parent>
    <!-- omitted -->

[Step 1-3] In case of using Eclipse WTP Project

This update procedure is for Eclipse WTP projects downloaded from the release site.

For the update procedure, please refer to :ref:`Eclipse_WTP_Project`.

[Step 2] Change HTTP proxy setting of RestClient

From 5.1.1, the recommended way to configure the HTTP proxy has been changed from system properties to settings on the RestClient itself, because a system property affects the entire application.

[Procedure's required case]

This procedure is recommended when the HTTP proxy for RestClient is configured through system properties.

[Modification method]

For each ``RestTemplate``, configure the HTTP proxy server using ``SimpleClientHttpRequestFactory`` or ``HttpComponentsClientHttpRequestFactory``.

【Before modification】

  • Example of system property setting

.. code-block:: java

    // omitted

    @Value("${api.proxy.host}")
    String proxyHost;

    @Value("${api.proxy.portNum}")
    String proxyPort;

    // omitted

    System.setProperty("http.proxyHost", proxyHost);
    System.setProperty("http.proxyPort", proxyPort);

【After modification】

For the implementation after modification, please refer to "How to configure HTTP Proxy server" in the guideline (English or Japanese).
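As an added illustration of the per-``RestTemplate`` approach (this is not the guideline's own code), the sketch below scopes the proxy to one client with ``SimpleClientHttpRequestFactory``. The class name and bean names are hypothetical; the property keys are the ones from the "Before modification" example.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

// Hypothetical configuration class; bean names are illustrative only.
@Configuration
public class RestClientProxyConfig {

    // Same property keys as in the "Before modification" example.
    @Value("${api.proxy.host}")
    String proxyHost;

    @Value("${api.proxy.portNum}")
    int proxyPort;

    // Only requests sent through this RestTemplate go via the proxy.
    @Bean
    public RestTemplate proxyRestTemplate() {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setProxy(new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress(proxyHost, proxyPort)));
        return new RestTemplate(factory);
    }

    // A client for internal endpoints that must never traverse the proxy.
    // Proxy.NO_PROXY forces a direct connection for this client only.
    @Bean
    public RestTemplate directRestTemplate() {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setProxy(Proxy.NO_PROXY);
        return new RestTemplate(factory);
    }
}
```

Because two ``RestTemplate`` beans exist, inject them by name or qualifier rather than by type alone.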

[Step 3] [CVE-2016-5007] Setting for MVC Path Matching Inconsistency vulnerability resolution

[Procedure's required case]

This procedure is mandatory.

However, please note that if a URL containing spaces is used intentionally, applying this setting may prevent the system from operating normally.

[Modification method]

Add the following setting to ``spring-mvc.xml``.

【Before modification】

.. code-block:: xml

    <mvc:annotation-driven>
       <!-- omitted -->
    </mvc:annotation-driven>

【After modification】

.. code-block:: xml

    <mvc:annotation-driven>
       <!-- omitted -->
       <mvc:path-matching path-matcher="pathMatcher" />
    </mvc:annotation-driven>


    <bean id="pathMatcher" class="org.springframework.util.AntPathMatcher">
        <property name="trimTokens" value="false" />
    </bean>

For details, please refer to "Specifying a Web resource for applying access policy" in the guideline (English or Japanese).
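To confirm what the ``trimTokens`` setting changes, the following added check (not part of the guideline or the blank project) compares an ``AntPathMatcher`` with ``trimTokens`` enabled against one configured like the ``pathMatcher`` bean above. The class name, pattern and request paths are constructed for illustration, and spring-core is assumed to be on the classpath.

```java
import org.springframework.util.AntPathMatcher;

// Hypothetical stand-alone check; the pattern and paths below are constructed.
public class TrimTokensCheck {

    static AntPathMatcher matcher(boolean trimTokens) {
        AntPathMatcher m = new AntPathMatcher();
        m.setTrimTokens(trimTokens);
        return m;
    }

    public static void main(String[] args) {
        AntPathMatcher trimming = matcher(true);  // behaviour without the workaround
        AntPathMatcher strict = matcher(false);   // same setting as the pathMatcher bean

        String pattern = "/admin/users";          // constructed handler mapping
        String[] paths = {
            "/admin/users",                       // exact path
            "/admin/users ",                      // trailing space in the last segment
            "/admin /users"                       // trailing space in a middle segment
        };

        for (String path : paths) {
            System.out.printf("path=[%s] trimTokens=true:%b trimTokens=false:%b%n",
                    path, trimming.match(pattern, path), strict.match(pattern, path));
        }

        // Regression guard: with the workaround, a whitespace-padded path must
        // not resolve to the handler mapped for the exact path.
        for (String path : paths) {
            boolean exact = path.equals(pattern);
            if (strict.match(pattern, path) != exact) {
                throw new IllegalStateException("Unexpected match result for [" + path + "]");
            }
        }
    }
}
```

With ``trimTokens`` enabled, the padded paths match the same mapping as the exact path, which is the inconsistency with access rules written for the exact path; the same comparison also shows why applications that intentionally use URLs with spaces are affected by the workaround.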

[Step 4] [CVE-2016-3092] Setting for Apache Commons Fileupload vulnerability resolution

It may be necessary to address the following vulnerability.

[CVE-2016-3092] Apache Commons Fileupload information disclosure vulnerability

[Procedure's required case]

If the Apache Commons Fileupload version managed by Spring IO Platform 2.0.6.RELEASE, with which 5.1.1 is compliant, is used, the vulnerability reported in CVE-2016-3092 does not occur.

Also when the version of Apache Commons Fileupload is changed and used.

For details, please refer to "File Upload Warning" in the guideline (English or Japanese).

[Modification method]

When using Apache Commons Fileupload, use version 1.3.2 or above.

【Before modification】

.. code-block:: xml

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.1</version>
    </dependency>

【After modification】

.. code-block:: xml

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.2</version>
    </dependency>

[Step 5] Temporary countermeasure for the bug in which a WARN log is output at application termination when ``SqlSessionTemplate`` is defined as a bean

From 5.1.1, bug fixes were made by updating MyBatis Spring to 1.2.5.

[Procedure's required case]

When ``SqlSessionTemplate`` is defined as a bean, please make corrections as necessary, as a temporary countermeasure against a bug in which a WARN log is output when the application is terminated.

[Fix]

Delete the ``destroy-method`` attribute, which specifies the method that is called when Spring's ApplicationContext is terminated.

【Before modification】

.. code-block:: xml

    <bean id="batchSqlSessionTemplate"
          class="org.mybatis.spring.SqlSessionTemplate"
          destroy-method="getExecutorType">
        <constructor-arg index="0" ref="sqlSessionFactory"/>
        <constructor-arg index="1" value="BATCH"/>
    </bean>

【After modification】

.. code-block:: xml

    <bean id="batchSqlSessionTemplate"
          class="org.mybatis.spring.SqlSessionTemplate">
        <constructor-arg index="0" ref="sqlSessionFactory"/>
        <constructor-arg index="1" value="BATCH"/>
    </bean>

[Step 6] Correction due to specification change of MessagePanelTag

[Procedure's required case]

If you have implemented tests that depend on the ``MessagePanelTag`` specification, modification is necessary.

[Specification change contents]

Previously, ``<div/>`` was output when the value was empty. This has been changed so that the complete tag ``<div></div>`` is output even when the value is empty.

For details, refer to the following.

  • [#554] MessagePanelTag doesn't close with </div> when it's empty

[Step 7] Correction due to deprecation of TransactionTokenContext

From 5.1.1, ``TransactionTokenContext`` has been deprecated.

[Procedure's required case]

If ``TransactionTokenContext`` is used, modification is necessary so that it is no longer used.

[Remarks]

If the application-oriented API provided by ``TransactionTokenContext`` is used, it affects the internal behavior of the framework, and an application can be built in such a way that ``TransactionToken`` cannot be maintained in a correct state. It is therefore recommended not to use this API.

[Step 8] Correction due to addition of TransactionTokenType.CHECK to the type attribute of @TransactionTokenCheck

[Procedure's required case]

Application of this procedure is optional. Please check if necessary.

[Specification change contents]

``TransactionTokenType.CHECK`` has been added to the type attribute of ``@TransactionTokenCheck``.

For details, please refer to No. 3 "Type" of "Attributes of @TransactionTokenCheck annotation" in the guideline (English or Japanese).

Appendix for 5.1.1

Library update when using Eclipse WTP Project

This update procedure is for Eclipse WTP projects downloaded from the `release site <https://github.com/terasolunaorg/terasoluna-gfw-web-blank/releases/>`_.

Note

Legend

[Table header]
Non : Blank project independent of O/R Mapper
MB3 : Blank project for MyBatis3
JPA : Blank project for JPA
[Remarks column]
* : Operation target

[Step 1]

Please download the Eclipse WTP Project of 5.1.1.RELEASE.

[Step 2]

If Eclipse is running, exit Eclipse.

[Step 3]

Please update (delete and then add) the jar files in ``$YOUR_ECLIPSE_WTP_PROJECT/src/main/webapp/WEB-INF/lib``.

.. tabularcolumns:: |p{0.25\linewidth}|p{0.30\linewidth}|p{0.30\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|
.. list-table::
    :header-rows: 1

    * - Library name
      - Delete file
      - Add file
      - Non
      - MB3
      - JPA
    * - TERASOLUNA Server Framework for Java (5.x) Common Library
      - terasoluna-gfw-common-5.1.0.RELEASE.jar
      - terasoluna-gfw-common-5.1.1.RELEASE.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-jodatime-5.1.0.RELEASE.jar
      - terasoluna-gfw-jodatime-5.1.1.RELEASE.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-security-core-5.1.0.RELEASE.jar
      - terasoluna-gfw-security-core-5.1.1.RELEASE.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-security-web-5.1.0.RELEASE.jar
      - terasoluna-gfw-security-web-5.1.1.RELEASE.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-web-5.1.0.RELEASE.jar
      - terasoluna-gfw-web-5.1.1.RELEASE.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-web-jsp-5.1.0.RELEASE.jar
      - terasoluna-gfw-web-jsp-5.1.1.RELEASE.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-mybatis3-5.1.0.RELEASE.jar
      - terasoluna-gfw-mybatis3-5.1.1.RELEASE.jar
      -
      - \*
      -
    * -
      - terasoluna-gfw-jpa-5.1.0.RELEASE.jar
      - terasoluna-gfw-jpa-5.1.1.RELEASE.jar
      -
      -
      - \*
    * - MyBatis
      - mybatis-3.3.0.jar
      - mybatis-3.3.1.jar
      -
      - \*
      -
    * -
      - mybatis-spring-1.2.3.jar
      - mybatis-spring-1.2.5.jar
      -
      - \*
      -

[Step 4]

Please update (delete and then add) the source jar files in ``$YOUR_ECLIPSE_WTP_PROJECT/libsrc``.

.. tabularcolumns:: |p{0.25\linewidth}|p{0.30\linewidth}|p{0.30\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|
.. list-table::
    :header-rows: 1

    * - Library name
      - Delete file
      - Add file
      - Non
      - MB3
      - JPA
    * - TERASOLUNA Server Framework for Java (5.x) Common Library
      - terasoluna-gfw-common-5.1.0.RELEASE-sources.jar
      - terasoluna-gfw-common-5.1.1.RELEASE-sources.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-jodatime-5.1.0.RELEASE-sources.jar
      - terasoluna-gfw-jodatime-5.1.1.RELEASE-sources.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-security-web-5.1.0.RELEASE-sources.jar
      - terasoluna-gfw-security-web-5.1.1.RELEASE-sources.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-web-5.1.0.RELEASE-sources.jar
      - terasoluna-gfw-web-5.1.1.RELEASE-sources.jar
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-web-jsp-5.1.0.RELEASE-sources.jar
      - terasoluna-gfw-web-jsp-5.1.1.RELEASE-sources.jar
      - \*
      - \*
      - \*
    * - MyBatis
      - mybatis-3.3.0-sources.jar
      - mybatis-3.3.1-sources.jar
      -
      - \*
      -
    * -
      - mybatis-spring-1.2.3-sources.jar
      - mybatis-spring-1.2.5-sources.jar
      -
      - \*
      -

[Step 6]

Please use the replacement string to update the reference library.

  • $YOUR_ECLIPSE_WTP_PROJECT/.classpath
  • $YOUR_ECLIPSE_WTP_PROJECT/build.xml

.. tabularcolumns:: |p{0.25\linewidth}|p{0.30\linewidth}|p{0.30\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|p{0.05\linewidth}|
.. list-table::
    :header-rows: 1

    * - Library name
      - Replacement target string
      - Replacement string
      - Non
      - MB3
      - JPA
    * - TERASOLUNA Server Framework for Java (5.x) Common Library
      - terasoluna-gfw-common-5.1.0.RELEASE
      - terasoluna-gfw-common-5.1.1.RELEASE
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-jodatime-5.1.0.RELEASE
      - terasoluna-gfw-jodatime-5.1.1.RELEASE
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-security-web-5.1.0.RELEASE
      - terasoluna-gfw-security-web-5.1.1.RELEASE
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-web-5.1.0.RELEASE
      - terasoluna-gfw-web-5.1.1.RELEASE
      - \*
      - \*
      - \*
    * -
      - terasoluna-gfw-web-jsp-5.1.0.RELEASE
      - terasoluna-gfw-web-jsp-5.1.1.RELEASE
      - \*
      - \*
      - \*
    * - MyBatis
      - mybatis-3.3.0
      - mybatis-3.3.1
      -
      - \*
      -
    * -
      - mybatis-spring-1.2.3
      - mybatis-spring-1.2.5
      -
      - \*
      -