Preparing for Confluence 7.15
This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 7.15.
Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.
Latest milestone
18 November 2021 | 7.15.0-rc1 | Download |
Issues with this milestone?
Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.
Planned changes
In this section we'll provide an overview of the changes we intend to make, so you can start thinking how it might impact your app. We'll indicate when a change has been implemented, and in which milestone.
Security uplift
Status: ONGOING
We're continuing to identify and upgrade core components and libraries to the newest versions. We will not break our official APIs. However, certain libraries, transitive dependencies, and behaviours might change.
We'll provide a list of any libraries and dependencies we've upgraded in this version closer to release.
XWork blocklists
Status: COMPLETE
Confluence has incorporated a blocklist in the XWork stack for OGNL expressions. This has been done to enhance Confluence security, and as an extra preventative layer to deter OGNL attacks in future.
Confluence’s fork of XWork (1.0.3-atlassian-8) uses an OGNL parser to block access to particular classes and Java packages. This affects incoming parameters, Velocity template variables based on OGNL expressions, and so on. It is similar to Struts' internal security mechanism.
Three options are used in Confluence to configure the XWork security blocklist in xwork.xml:
- xwork.excludedClasses - a comma-separated list of excluded classes.
- xwork.excludedPackageNames - a comma-separated list of excluded packages, used to restrict all classes inside a particular package or its sub-packages.
- xwork.allowedClasses - a comma-separated list of particular classes to be marked as allowed specifically, even if the parent package is restricted or its static method is used.
Note: Along with the above blocklist, usage of static methods and fields will continue to be restricted. This is an extension of what Confluence already has in Webwork for OGNL security.
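The following added example (not Confluence's own code) models in JavaScript how the three options combine, so app developers can check which classes referenced by their actions or templates would be blocked. The option values, the sample class names, and the helpers `parseList` and `makeBlocklistCheck` are assumptions made for illustration.

```javascript
// Added example: a model of the blocklist rules, not Confluence's Java code.
// All class and package names are constructed sample values.
function parseList(csv) {
  return new Set((csv || '').split(',').map((s) => s.trim()).filter(Boolean));
}

function makeBlocklistCheck(options) {
  const excludedClasses = parseList(options['xwork.excludedClasses']);
  const excludedPackages = parseList(options['xwork.excludedPackageNames']);
  const allowedClasses = parseList(options['xwork.allowedClasses']);

  // Assumption: a package entry covers the package and its sub-packages,
  // matched on a '.' boundary so "com.example.internalx" is not caught
  // by an entry for "com.example.internal".
  function excludingPackage(className) {
    const pkg = className.slice(0, Math.max(className.lastIndexOf('.'), 0));
    for (const excluded of excludedPackages) {
      if (pkg === excluded || pkg.startsWith(excluded + '.')) return excluded;
    }
    return null;
  }

  return function check(className) {
    // Assumption: a class named in both lists stays blocked (fail closed);
    // the page only says allowedClasses overrides a restricted package.
    if (excludedClasses.has(className)) {
      return { allowed: false, rule: 'xwork.excludedClasses' };
    }
    if (allowedClasses.has(className)) {
      return { allowed: true, rule: 'xwork.allowedClasses' };
    }
    const pkg = excludingPackage(className);
    if (pkg) return { allowed: false, rule: 'xwork.excludedPackageNames: ' + pkg };
    return { allowed: true, rule: 'not listed' };
  };
}

const sampleCheck = makeBlocklistCheck({
  'xwork.excludedClasses': 'java.lang.Runtime, java.lang.ProcessBuilder',
  'xwork.excludedPackageNames': 'com.example.internal',
  'xwork.allowedClasses': 'com.example.internal.dto.PageSummary',
});

for (const name of ['java.lang.Runtime', 'com.example.internal.util.Helper',
  'com.example.internal.dto.PageSummary', 'com.example.internalx.Foo']) {
  console.log(name, sampleCheck(name));
}
```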
XStream allowlist change
Status: COMPLETE
The XStream allowlist is now enabled by default when Confluence is running in dev mode.
See Persistence in Confluence: Security configuration in our developer documentation for more info on Bandana and XStream security configuration.
WRM upgrade
Status: DELAYED
Update: Due to some performance regressions, we have reverted the WRM upgrade. We're working on the issue and hope to upgrade WRM in the next Confluence release.
In this release we've upgraded WRM (web-resource manager) from 4.1.8 to 5.4.7. Get an overview of the changes in the changelog.
We don't expect this upgrade to have any impact on your apps, as there are no breaking changes to the API. However, there are some implementation changes that may have an impact.
Changes in Java
Several implementation details in the atlassian-plugins-webresource module have changed. If your app depends upon this module directly, you may be impacted by these changes. Consult the version 5 upgrade guide for a list of these changes.
Changes in JavaScript
The WRM.require function previously returned a jQuery.Deferred object. In WRM 5, it returns a native Promise.
If you are using the return value of WRM.require:
var thenable = WRM.require('a-resource-or-context-name')
there will be some subtle differences in the behaviour of the returned object. These are covered in the version 5 upgrade guide.
If you're using:
WRM.require('a-resource-or-context-name')
or
WRM.require('a-resource-or-context-name', function callMeWhenEverythingLoads() { ... })
everything will continue to work as it did previously.
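Because the WRM upgrade has been delayed, app code may need to run against both return types. The following added example (not Atlassian code) shows one way to normalise the return value of WRM.require to a native Promise and to list the Deferred-only methods a caller might still be chaining. The stubs `wrm4Stub` and `wrm5Stub` and the helpers `requireResources` and `deferredOnlyMethods` are hypothetical names.

```javascript
// Added example, not Atlassian code. The two stubs below are constructed
// stand-ins for WRM.require so the snippet runs outside Confluence.
function deferredLikeStub() {
  const loaded = Promise.resolve();
  const d = {
    then: (ok, err) => loaded.then(ok, err),
    done: (cb) => { loaded.then(cb); return d; },
    fail: (cb) => { loaded.catch(cb); return d; },
    always: (cb) => { loaded.then(cb, cb); return d; },
  };
  return d;
}
const wrm4Stub = { require: () => deferredLikeStub() }; // Deferred-style return
const wrm5Stub = { require: () => Promise.resolve() };  // native Promise return

// Deferred-only methods that a native Promise does not have.
const DEFERRED_ONLY = ['done', 'fail', 'always', 'progress', 'state', 'pipe'];

// Lists the Deferred-only methods present on a WRM.require return value.
function deferredOnlyMethods(value) {
  return DEFERRED_ONLY.filter((m) => typeof value[m] === 'function');
}

// Promise.resolve() adopts any thenable, so callers get a native Promise
// from either WRM version and can use then/catch/finally throughout.
function requireResources(wrm, name) {
  return Promise.resolve(wrm.require(name));
}

for (const [label, wrm] of [['WRM 4 style', wrm4Stub], ['WRM 5 style', wrm5Stub]]) {
  console.log(label, 'Deferred-only methods:', deferredOnlyMethods(wrm.require('x')));
  requireResources(wrm, 'a-resource-or-context-name')
    .then(() => console.log(label, 'resources loaded'))
    .catch((err) => console.error(label, 'load failed', err));
}
```

In an app, pass the real WRM global in place of the stubs; calls that chain done, fail or always on the return value are the ones to rewrite.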
Hibernate upgrade
Status: ADVANCE NOTICE
We're working on upgrading Hibernate from 5.2 to 5.4. This includes breaking changes like removing deprecated features/interfaces.
Notable features that have been removed:
- Support for JDBC parameterised queries. Classes that implement HibernateContentQueryFactory should be verified to ensure that named parameters are used instead.
- RegionAccessStrategy and other access strategy interfaces have been replaced.
See Hibernate 5.2 to 5.4 upgrade contains breaking changes for more information.
We're currently targeting 7.16 for this work. We’ll keep you posted if that changes.
Removal of editor-v3
Status: ADVANCE NOTICE
When we upgraded our editor to TinyMCE v4 way back in Confluence 6.14, we introduced an unsupported dark feature that could be used to revert to the v3 editor (frontend.editor.v4 / frontend.editor.v4.disable). We plan to remove this dark feature flag in a future Confluence release, as it is no longer tested or reliable.
Once that happens, the editor-v3 WRM context will no longer be loaded. Any resources used only in this context can be removed completely. The editor and editor-v4 contexts are unchanged, and with this change, resources in editor-v4 can be safely moved to editor.
Changes to basic authentication
Status: ADVANCE NOTICE
We plan to provide admins the ability to disable basic authentication, and will be recommending any integrations use personal access tokens instead. Learn more about disabling basic authentication. You can start testing now by manually upgrading the SSO for Atlassian Server and Data Center to 4.2.0.
We're currently targeting 7.16 for this work.
Change to page and attachment history versioning
Status: ADVANCE NOTICE
As part of our work to introduce retention rules for historical page and attachment versions, we have changed the way versions are numbered in the page history and attachment history.
Versions will not be renumbered when deleted by a user, or by the retention rules scheduled jobs. This may cause issues for apps that rely on the current behaviour where versions are reordered after deletion.
We're currently targeting 7.16 for this work.
Implemented changes
In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.
Release Candidate - 18 November 2021
Milestone 7.15.0-rc1
- No significant changes in this release candidate.
Beta 3 - 15 November 2021
Milestone 7.15.0-beta3
- Revert WRM upgrade due to performance regression.
Beta 2 - 5 November 2021
Milestone 7.15.0-beta2
- No significant changes in this milestone.
Beta 1 - 21 October 2021
Milestone 7.15.0-beta1
- XWork blocklist and allowlist
EAP 3 – 11 October 2021
Milestone 7.15.0-m35
- No significant changes in this milestone.
EAP 2 – 4 October 2021
Milestone 7.15.0-m27
- No significant changes in this milestone.
EAP 1 – 26 September 2021
Milestone 7.15.0-m20
- WRM upgrade
Looking for updated documentation? Check out the Confluence EAP space for the latest docs.
Did you know we’ve got a new developer community? Head to community.developer.atlassian.com/ to check it out! We’ll be posting in the announcements category when new EAP releases are available.