Relevant Changes in Bloomreach Experience Manager 14
This page describes the relevant changes between Bloomreach Experience Manager 13 and Bloomreach Experience Manager 14.
As part of the integration of our Bloomreach Experience Manager and Bloomreach Discovery products into the BRX platform, as of version 14, Bloomreach Experience Manager uses the new Navapp UI. Navapp allows users to navigate seamlessly between the different applications that are part of BRX.
Security Model and Configuration
The security model and its configuration have been completely overhauled to provide a simpler, cleaner, and more robust way of achieving commonly required authorization constraints. As a result, every implementation project that upgrades from 13.4 to 14.0 will have to go through and apply specific security configuration changes. Before the upgrade, it is recommended that you first read the new Security Model Concepts and the documentation it references, as well as the major Security Configuration Overhaul. If you use any security configurations similar to those described in the Version 13 Authentication and Authorisation Walkthroughs (for version 13 or earlier), make sure to also first read the Version 14 Authentication and Authorisation Walkthroughs, since the way to achieve a certain setup has changed significantly.
Woodstox XML Processor Version Downgrade
The Woodstox XML processing library is bundled with the brXM product as a transitive dependency of Apache CXF. Woodstox has been downgraded to a lower major version in 14.0.0 as compared to 13.4.0, due to a change in the direct dependency between CXF and Woodstox. Please take special care when upgrading your project, especially if you make direct use of Woodstox APIs, as there are backwards-incompatible changes in Woodstox.
- Login access to the CMS, Console and Repository Browser (servlet) now requires (only) a dedicated userrole. When using custom administrator accounts, make sure to grant these userroles!
- The Reporting dashboard is no longer enabled/shown by default, as it was typically only needed for specific users/groups. It now requires explicitly assigning the xm.report.user userrole to those specific users/groups.
- The URLRewriter is now only accessible for users with administrator privileges.
- The Experience Manager Overview now only shows the Channels that the logged-in user has at least the privilege to view (role channel-viewer).
- Creating a new Channel now requires a dedicated privilege (role channel-admin), which is no longer granted to the default webmaster group but to users/groups with the userrole xm.channel.admin (e.g. admins). This privilege can now also be granted separately per HST site.
- The templatecomposer manage.changes.privileges property is now obsolete (no longer used).
- The Repository PingServlet (and StatusServlet) no longer allows using an anonymous session user; by default, the pre-defined (system) ping-user is now used.
- The internally used SecurityService was refactored with several API and model changes, and is no longer available from the HippoWorkspace but needs to be retrieved through the HippoServiceRegistry:
- Default read/write access from (your own) user/group(s) has been dropped for logged-in users (other than admins). Changing a user's password programmatically now requires using a dedicated ChangePasswordManager API, available from the new RepositorySecurityManager via the HippoWorkspace.
- Editors no longer have direct (jcr) write access on folders and document variants. They only have jcr write access on document variants they are the holder of (are currently editing).
- The Delivery Tier Authorization configuration has also been revamped, using the new RepositoryAuthenticationProvider and Userroles by default. Customers using the community (Forge) provided HST Spring Security Support can still use the now deprecated HippoAuthenticationProvider, but should consider upgrading the addon once it becomes available.
- The default configuration for the Autoexport addon has been extended to now also export groups, roles and userroles and protect against potentially destructive (security) configuration.
- The Social Sharing feature, which was accessible through the Share menu in the document editor, has been removed in Bloomreach Experience Manager 14.0.
The default config file loading behavior for HST properties has changed. In particular, HST properties that are intended to be used by the CMS (or platform) webapp are now configured in a different properties file by default. This is most likely to affect projects that make use of CRISP. Please review HST Container Configuration for details.