Maybe there is a solution for this somewhere already, but I did not really find my exact case…
So I’m using the @JsonProperty annotation for my beans to be returned from a REST endpoint. So in Confluence 8, the codehaus version of Jackson is provided and in Confluence 9 it’s the fasterxml version.
At the moment, to fix this I changed the annotations to this:
But as you see, this looks really ugly, and I thought maybe there is a better way? Do you know how I could use just one annotation, without adding these two annotations with the path in front of it to each variable?
I read about some changes related to Struts. Could these changes be affecting this issue? Additionally, I realized that all the actions defined under this xwork configuration no longer import the resources in the VM correctly.
@SujayCHegde Before Confluence 9.0.0 is released, please consider removing this warning from the logs:
2024-07-16 17:33:45,870 WARN [Catalina-utility-1] [osgi.hook.dmz.DmzResolverHook] filterMatches Package javax.ws.rs is internal and is not available for export to plugin …
Same with package javax.ws.rs.core.
Or explain what we can do to prevent this from being logged. Obviously we need access to this package for REST APIs.
IMO this shouldn’t show up on a customer instance whenever our apps are enabled.
Hi @SujayCHegde - Regarding the other JAX-WS stray warnings that I mentioned earlier and that @jens enumerated in the preceding post, beyond javax.ws.rs and javax.ws.rs.core, there is the same issue for javax.ws.rs.ext. It seems like this could potentially be resolved in a generic manner rather than hardcoding the packages one-by-one (see my comments in the post I linked above).
I’m getting a pile of these warnings when installing apps via the UPM in 9.0.0-rc1. Possible to fix? These are visible when running with -Dconfluence.devmode=true
Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotEmpty(java.lang.CharSequence)
Thousands of lines of UPM log spam for clusters
When uploading apps onto a clustered DC instance, I also get a few thousand messages like this in the logs when installing an app (also with devmode enabled, if that makes a difference):
WARN [http-nio-8400-exec-4 url: /confluence/rest/plugins/1.0/installed-marketplace; user: admin] [atlassian.confluence.cache.TransactionalCacheFactory] logNonTxUsageWarning Update operation performed on transactional cache [HostLicenseCache] outside of a transaction. All updates to this cache should be performed from a thread with a valid transaction context.
Various other devmode breakages
When running with dev mode enabled, I see a few other basic things broken. For example, adding the Attachments macro to a page causes various JS errors and most of the interactive page features become non-functional, the sidebar does not render, and so on.
I’m still unable to reproduce this. If you attach a debugger breakpoint to org/apache/velocity/util/introspection/SecureIntrospectorImpl.java:367 and then compute method.getDeclaringClass().getClassLoader(), does the class originate from the ParallelWebappClassLoader?
If so, could you please provide further reproduction steps - what tool/command are you using to start Confluence and potentially a sample plugin JAR with which you are able to trigger the issue?
I did some deeper digging on this yesterday (like the page you just shared), and I think it might be related to the Velocity template and the allowlist security improvements.
In most of the VM, I gather resources by defining this line, which will include the necessary JS files for the VM to run.
You do not need to allowlist resources. You need to allowlist Velocity templates external to your plugin JAR (if any) using the file allowlist capability, and any plugin class methods invoked from your templates using the method allowlist capability. Refer to the guides linked from the ‘Velocity template and allowlist security improvements’ section in the Preparing for Confluence 9.0 doc. Confluence will log warnings if your plugin is misconfigured.
However in this case, your template isn’t being rendered as your Action isn’t being executed at all. By default, only licensed users can view Actions. Refer to the ‘More secure defaults for endpoints’ section in the Preparing for Confluence 9.0 doc.
If a Confluence-specific filter blocks access when read-only mode is enabled, why can’t this (or another) Confluence-internal filter catch the ReadonlyException so we as app vendors don’t have to worry about it?
@metin appreciate you raising this problem! As you pointed out, it was an HTML issue. We’ve fixed this on our end and it should be available in Confluence v9.0.1, and later versions.
@ggautam Can you add another method for allow list?
We use com.atlassian.soy.renderer.SoyTemplateRenderer:
$soyRenderer.render(...)
We have this error: Method needs allowlisting: com.atlassian.soy.impl.DefaultSoyTemplateRenderer#render(java.lang.String java.lang.String java.util.Map)
Yes, the class originates from ParallelWebappClassLoader according to those instructions. In fact, the problem occurs not only when installing apps, but even when simply refreshing the main UPM page at http://confluence/plugins/servlet/upm.
I traced back the call stack to ASTMethod#execute:192 and the uberInfo suggests that this call to StringUtils#isNotEmpty is invoked from the Confluence system template in template/includes/menu-macros.vm[line 128, column 128].
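Added example, not part of any post above and not Atlassian code: a log triage for the two Velocity allowlist warnings quoted in this thread, which deduplicates the blocked method signatures and separates a plugin's own classes (the ones its method allowlist has to cover) from classes outside the plugin. The package prefix `com.example.myapp.`, the `MacroHelper` class and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# The two message shapes quoted in this thread, each followed by Class#method(params).
PATTERN = re.compile(
    r"(?P<kind>Invocation blocked as method is not allowlisted|Method needs allowlisting): "
    r"(?P<cls>[\w.$]+)#(?P<method>[\w$<>]+)\((?P<params>[^)]*)\)"
)

def parse_line(line):
    """Return (kind, signature, owning class) for an allowlist warning, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    # Parameters may be separated by spaces or commas; normalise to single spaces.
    params = " ".join(m.group("params").replace(",", " ").split())
    signature = f"{m.group('cls')}#{m.group('method')}({params})"
    return m.group("kind"), signature, m.group("cls")

def triage(lines, plugin_prefixes):
    """Count unique blocked signatures, split by whether the plugin owns the class."""
    own, external = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        _, signature, cls = parsed
        bucket = own if any(cls.startswith(p) for p in plugin_prefixes) else external
        bucket[signature] += 1
    return own, external

# Constructed sample log: timestamps and thread names are made up; the
# com.example.myapp class is hypothetical, the other signatures are from the thread.
SAMPLE_LOG = """\
2024-07-16 17:40:01,100 WARN [exec-1] Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotEmpty(java.lang.CharSequence)
2024-07-16 17:40:01,350 WARN [exec-2] Invocation blocked as method is not allowlisted: org.apache.commons.lang3.StringUtils#isNotEmpty(java.lang.CharSequence)
2024-07-16 17:40:02,010 WARN [exec-1] Method needs allowlisting: com.atlassian.soy.impl.DefaultSoyTemplateRenderer#render(java.lang.String java.lang.String java.util.Map)
2024-07-16 17:40:02,400 WARN [exec-3] Method needs allowlisting: com.example.myapp.MacroHelper#getTitle(java.lang.String)
2024-07-16 17:40:03,000 WARN [Catalina-utility-1] Package javax.ws.rs is internal and is not available for export to plugin
"""

if __name__ == "__main__":
    own, external = triage(SAMPLE_LOG.splitlines(), ["com.example.myapp."])
    for title, bucket in (("Plugin-owned", own), ("Outside the plugin", external)):
        print(title)
        for signature, count in bucket.most_common():
            print(f"  {count:>4}  {signature}")
```
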
Our app uses the Theme Plugin Module, which uses various layouts that override the default Confluence layouts.
We have the respective velocity file (*.vmd) for each of these layouts. However, it happens that resources are not being loaded at all. Neither Atlassian resources such as:
To get cluster events working cross-version, part #1 of the trick is to use the method above from @AndrewMorton to fetch the underlying event when receiving a ClusterEventWrapper. This is the only way to work with the ClusterEventWrapper, since the getEvent() method has a different return type in 9.0 and thus a different signature, so you cannot call it directly and have it work against multiple versions.
Part #2 of the trick is that you seemingly must also declare your app’s events as extends ConfluenceEvent implements ClusterEvent.
You need the implements ClusterEvent so that the regular EventPublisher will forward it to the cluster.
You also need extends ConfluenceEvent so that you can provide the correct base class for your events. This class was deprecated in 8.9, but it is still shipped as of 9.0.0-rc1 (and let me add that it would be really, really nice if Atlassian would not remove it).
In pre-9.0 versions, the cluster events arrive via the LegacyListenerHandler, which blindly casts your event to the com.atlassian.event.Event class. If you send events with a different superclass, the receiving node will throw a big Exception.
In 9.0, the com.atlassian.event.Event class was removed, so you cannot subclass it directly, which creates a dilemma.
The ConfluenceEvent class is your bridge, because they changed the inheritance: in pre-9.0, it extends com.atlassian.event.Event (meaning your class is of the correct type and it will not generate exceptions). In 9.0+, it extends org.springframework.context.ApplicationEvent, so it will still work there too.
I discovered that resources load correctly in a custom-defined namespace but not in namespaces prefixed with /plugins, as documented on the Atlassian Confluence Struts module page.
For example, an action using a custom namespace like /home loads the resources perfectly under Homepage.vm:
However, since our action is for macro editing, we need to use the /plugins namespace to ensure it works. In this case, the resources do not load as expected. I use #requireResourcesForContext("confluence-macro-edit") to ensure the necessary resources are loaded.