Preparing for Confluence 7.15

This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 7.15.

Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.

Latest milestone
18 November 2021

7.15.0-rc1

Issues with this milestone?

Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.

Planned changes

In this section we'll provide an overview of the changes we intend to make, so you can start thinking how it might impact your app. We'll indicate when a change has been implemented, and in which milestone. 

Security uplift

Status: ONGOING

We're continuing to identify and upgrade core components and libraries to the newest versions. We will not break our official APIs. However, certain libraries, transitive dependencies, and behaviours might change.

We'll provide a list of any libraries and dependencies we've upgraded in this version closer to release.

XWork blocklists

Status: COMPLETE

Confluence has incorporated a blocklist in the XWork stack for OGNL expressions. This has been done to enhance Confluence security, and as an extra preventative layer to deter OGNL attacks in future.

Confluence’s fork of XWork (1.0.3-atlassian-8) uses an OGNL parser to block access to particular classes and Java packages. This affects incoming parameters, OGNL-expression-based Velocity template variables, and similar inputs. It is similar to the internal security mechanism in Struts.

Three options are used in Confluence to configure the XWork security blocklist in xwork.xml:

  • xwork.excludedClasses - a comma-separated list of excluded classes.

  • xwork.excludedPackageNames - a comma-separated list of excluded packages, used to restrict all classes inside a particular package or its sub-packages.

  • xwork.allowedClasses - a comma-separated list of particular classes to be marked as allowed specifically, even if the parent package is restricted or its static method is used.

Note: Along with the above blocklist, use of static methods and fields will continue to be restricted. This is an extension of the OGNL security that Confluence already has in Webwork.

Values configured in the blocklists and allowlist:

xwork.excludedClasses

java.lang.Object, java.lang.Runtime, java.lang.System, 
java.lang.Class, java.lang.ClassLoader, java.lang.Shutdown, 
java.lang.ProcessBuilder, java.lang.Thread, sun.misc.Unsafe, 
com.opensymphony.xwork.ActionContext

xwork.excludedPackageNames

ognl, java.io, java.net, java.nio, javax, freemarker.core,
freemarker.template, freemarker.ext.jsp, freemarker.ext.rhino,
sun.misc, sun.reflect, javassist, org.apache.velocity,
org.objectweb.asm, org.springframework.context,
com.opensymphony.xwork.util, org.apache.tomcat,
org.apache.catalina.core,
org.wildfly.extension.undertow.deployment, java.lang.reflect,
com.atlassian.cache, com.atlassian.confluence.util.http,
com.atlassian.failurecache, com.atlassian.vcache,
com.atlassian.sal.api.net, com.google.common.cache,
com.google.common.net, com.hazelcast, java.jms, java.rmi,
javax.management, javax.naming, org.apache.catalina.session,
org.apache.commons.httpclient, org.apache.httpcomponents.httpclient,
org.apache.http.client, org.ehcache, com.google.common.reflect,
com.sun.jmx, com.sun.jna, javax.xml, jdk.nashorn, net.bytebuddy,
net.sf.cglib, org.apache.bcel, org.javassist, org.ow2.asm,
sun.awt.shell, sun.corba, sun.invoke, sun.launcher, sun.management,
sun.misc, sun.net, sun.nio, sun.print, sun.reflect, sun.rmi,
sun.security, sun.tracing, sun.tools.jar, com.atlassian.activeobjects,
com.atlassian.hibernate, java.sql, javax.persistence, javax.sql,
liquibase, net.java.ao, net.sf.hibernate,
com.atlassian.confluence.setup.bandana, com.atlassian.filestore,
com.atlassian.media, com.google.common.io, java.util.jar,
java.util.zip, org.apache.commons.io,
com.atlassian.confluence.impl.util.sandbox,
com.atlassian.confluence.util.io,
com.atlassian.confluence.util.sandbox, com.atlassian.quartz,
com.atlassian.scheduler, com.atlassian.utils.process,
com.atlassian.util.concurrent, io.atlassian.util.concurrent,
java.util.concurrent, org.apache.commons.exec,
org.springframework.expression.spel,
org.springframework.util.concurrent, org.quartz, oshi

xwork.allowedClasses

com.atlassian.confluence.util.GeneralUtil, java.io.Serializable, 
java.lang.reflect.Proxy, net.sf.hibernate.proxy.HibernateProxy, 
net.sf.cglib.proxy.Factory, java.io.ObjectInputValidation, 
net.java.ao.Entity, net.java.ao.RawEntity, 
net.java.ao.EntityProxyAccessor
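To see how the three options interact when you check whether a class your app references from OGNL would be blocked, here is an added example modelling the policy (it is not Confluence's or XWork's code). It assumes xwork.excludedClasses is absolute, xwork.allowedClasses overrides xwork.excludedPackageNames as described above, an excluded package also covers its sub-packages, and the static-member restriction is not modelled; the list values are a constructed subset of those on this page.

```javascript
// Policy model for the xwork.xml blocklist/allowlist options (added example,
// not XWork's implementation). Precedence is an assumption: excludedClasses
// wins outright, allowedClasses exempts a class from excludedPackageNames.

// Constructed subset of this page's lists, with the stray whitespace a
// comma-separated xwork.xml value may carry.
const EXCLUDED_CLASSES =
  'java.lang.Object, java.lang.Runtime, java.lang.System, java.lang.Class';
const EXCLUDED_PACKAGES =
  'ognl, java.io , java.net, javax, net.sf.hibernate, org.apache.velocity';
const ALLOWED_CLASSES =
  'java.io.Serializable, net.sf.hibernate.proxy.HibernateProxy';

// Split a comma-separated option value into a set of trimmed names.
function parseList(csv) {
  return new Set(csv.split(',').map((s) => s.trim()).filter(Boolean));
}

// "java.io.File" -> "java.io"; a class in the default package has no package.
function packageOf(className) {
  const i = className.lastIndexOf('.');
  return i < 0 ? '' : className.slice(0, i);
}

// True when pkg is an excluded package or lies anywhere beneath one.
function inExcludedPackage(pkg, excludedPackages) {
  for (const ex of excludedPackages) {
    if (pkg === ex || pkg.startsWith(ex + '.')) return true;
  }
  return false;
}

// Build a predicate answering "may an OGNL expression reference this class?".
function buildPolicy(excludedClassesCsv, excludedPackagesCsv, allowedClassesCsv) {
  const excludedClasses = parseList(excludedClassesCsv);
  const excludedPackages = parseList(excludedPackagesCsv);
  const allowedClasses = parseList(allowedClassesCsv);
  return function isClassAllowed(className) {
    if (excludedClasses.has(className)) return false; // blocked outright
    if (allowedClasses.has(className)) return true; // explicit exemption
    return !inExcludedPackage(packageOf(className), excludedPackages);
  };
}

const isClassAllowed = buildPolicy(EXCLUDED_CLASSES, EXCLUDED_PACKAGES, ALLOWED_CLASSES);
```

Run the predicate over the classes your Velocity templates and action parameters touch to find the ones that now need an explicit entry in xwork.allowedClasses or a different approach.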

XStream allowlist change

Status: COMPLETE

The XStream allowlist is now enabled by default when Confluence is running in dev mode. 

See Persistence in Confluence: Security configuration in our developer documentation for more info on Bandana and XStream security configuration.

WRM upgrade

Status: DELAYED

Update: Due to some performance regressions, we have reverted the WRM upgrade. We're working on the issue and hope to upgrade WRM in the next Confluence release.

In this release we've upgraded WRM (web-resource manager) from 4.1.8 to 5.4.7. Get an overview of the changes in the changelog.

We don't expect this upgrade to have any impact on your apps, as there are no breaking changes to the API. However, there are some implementation changes that may have an impact.

Changes in Java

Several implementation details in the atlassian-plugins-webresource module have changed. If your app depends upon this module directly, you may be impacted by these changes. Consult the version 5 upgrade guide for a list of these changes.

Changes in JavaScript

The WRM.require function previously returned a jQuery.Deferred object. In WRM 5, it returns a native Promise.

If you are using the return value of WRM.require:

var thenable = WRM.require('a-resource-or-context-name')

there will be some subtle differences in the behaviour of the returned object. These are covered in the version 5 upgrade guide.

If you're using: 

WRM.require('a-resource-or-context-name')

or

WRM.require('a-resource-or-context-name', function callMeWhenEverythingLoads() { ... })

everything will continue to work as it did previously.
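To make the difference concrete, here is an added example (not WRM's or Confluence's code) contrasting an already-resolved jQuery.Deferred, modelled by a minimal constructed stand-in, with a native Promise, plus a wrapper that gives app code a native Promise on both WRM 4 and WRM 5. The wrm4 and wrm5 objects and the resource values they return are assumptions made for this example.

```javascript
// Minimal stand-in for an already-resolved jQuery.Deferred (constructed for
// this example, not jQuery): callbacks passed to then/done run synchronously,
// which is exactly what a native Promise never does.
function makeResolvedDeferred(value) {
  const d = {
    then(onFulfilled) { onFulfilled(value); return d; },
    done(cb) { cb(value); return d; },
    fail() { return d; },
  };
  return d;
}

// Hypothetical WRM shims: only require() is modelled, returning a constructed
// value instead of loading real web-resources.
const wrm4 = { require: (name) => makeResolvedDeferred(['loaded:' + name]) };
const wrm5 = { require: (name) => Promise.resolve(['loaded:' + name]) };

// Does a then-callback run before require() hands control back to the caller?
// True for a resolved Deferred, false for a Promise (callbacks are queued).
function callbackRanSynchronously(wrm) {
  let ran = false;
  wrm.require('a-resource-or-context-name').then(() => { ran = true; });
  return ran;
}

// Does the returned object expose the jQuery-only done/fail helpers?
function hasDeferredHelpers(wrm) {
  const r = wrm.require('a-resource-or-context-name');
  return typeof r.done === 'function' && typeof r.fail === 'function';
}

// Version-neutral wrapper: Promise.resolve adopts any thenable, so callers get
// a native Promise from both WRM 4 and WRM 5 and can use .catch or async/await.
function requireAsPromise(wrm, name) {
  return Promise.resolve(wrm.require(name));
}
```

Code that only passes a callback as the second argument of WRM.require, or uses a single .then(onOk, onErr), is unaffected; code relying on done/fail/always or on callbacks firing synchronously is what needs attention.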

Hibernate upgrade

Status: ADVANCE NOTICE

We're working on upgrading Hibernate from 5.2 to 5.4. This includes breaking changes like removing deprecated features/interfaces.

Notable features that have been removed:

  • Support for JDBC parameterised queries. Classes that implement HibernateContentQueryFactory should be verified to ensure that named parameters are used instead.
  • RegionAccessStrategy and other access strategy interfaces have been replaced.

See Hibernate 5.2 to 5.4 upgrade contains breaking changes for more information.

We're currently targeting 7.16 for this work. We’ll keep you posted if that changes.

Removal of editor-v3 

Status: ADVANCE NOTICE

When we upgraded our editor to TinyMCE v4 back in Confluence 6.14, we introduced an unsupported dark feature that could be used to revert to the v3 editor (frontend.editor.v4 / frontend.editor.v4.disable). We plan to remove this dark feature flag in a future Confluence release, as these flags are no longer tested or reliable.

Once that happens, the editor-v3 WRM context will no longer be loaded. Any resources used only in this context can be removed completely. The editor and editor-v4 contexts are unchanged, and with this change, resources in editor-v4 can be safely moved to editor.

Changes to basic authentication

Status: ADVANCE NOTICE

We plan to provide admins the ability to disable basic authentication, and will be recommending any integrations use personal access tokens instead. Learn more about disabling basic authentication. You can start testing now by manually upgrading SSO for Atlassian Server and Data Center to 4.2.0.

We're currently targeting 7.16 for this work. 

Change to page and attachment history versioning

Status: ADVANCE NOTICE

As part of our work to introduce retention rules for historical page and attachment versions, we have changed the way versions are numbered in the page history and attachment history.

Versions will not be renumbered when deleted by a user or by the retention rules scheduled jobs. This may cause issues for apps that rely on the current behaviour, where versions are reordered after deletion.

We're currently targeting 7.16 for this work. 


Implemented changes

In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.

Release Candidate - 18 November 2021

Milestone 7.15.0-rc1

  • No significant changes in this release candidate. 

Beta 3 - 15 November 2021

Milestone 7.15.0-beta3

  • Revert WRM upgrade due to performance regression. 

Beta 2 - 5 November 2021

Milestone 7.15.0-beta2

  • No significant changes in this milestone. 

Beta 1 - 21 October 2021

Milestone 7.15.0-beta1

  • XWork blocklist and allowlist

EAP 3 – 11 October 2021

Milestone 7.15.0-m35

  • No significant changes in this milestone. 

EAP 2 – 4 October 2021

Milestone 7.15.0-m27

  • No significant changes in this milestone. 

EAP 1 – 26 September 2021

Milestone 7.15.0-m20

  • WRM upgrade



Last modified on Nov 18, 2021
