#Release Notes

The Webswing version 23.2 comes with Jakarta EE support, Component migration, Drop-in deployments, Session inactivity and lock screen, Configurable file viewers and many other improvements and bug fixes. In this page we will list also other changes for minor releases.

#23.2.7 LTS

Release date: April 4th 2024

• Sanitize locale and timezone strings from browser (#977)
• Fixed calling printDataTransferCompleted listener from print job (#975)
• File chooser provider interface improvements (#944)
• Check Origin in Websocket connection for http/2 (#952)
• Removed com.sun.java.swing.plaf.gtk.GTKLookAndFeel from add-exports

#23.2.6 LTS

Release date: March 22nd 2024

• Added option to create focusable HW popups (#974)
• Sync clipboard not working after app start (#971)
• Java 21 support (#914)

#23.2.5

Release date: March 7th 2024

• File chooser provider interface (#944)
• Enforce max clients configuration for all connections from browser including reconnects (#955)
• Support locking key state (CAPS_LOCK, SCROLL_LOCK, NUM_LOCK) (#959)
• Fixed IME input (#964)
• Check Origin header in Websocket connection (#952)
• OIDC: fixed default config value (#949)
• Support for Keycloak 18+ (#956)
• Authentication retry issue with Keycloak (#957)
• Fixed EditLive freezing issue (#958)
• File upload failed error handling (#962)
• Fixed OS dependent flag --add-exports (#965)
• Migration toolkit improvements (#905)

Fixed 3rd party vulnerabilities

General

• Loop with Unreachable Exit Condition ('Infinite Loop') CVE-2024-25710 [High Severity]

#23.2.4

Release date: February 6th 2024

• Java FX 17 support (#951)
• Direct drag'n'drop - API method to unregister drop component, show drop component overlay for visible rect bounds only (#950)
• OIDC security module - add option to url-encode redirect_uri (#949)
• Fixed issue when downloading file without extension (#948)
• Fixed invokeAndWait exception when processing keyboard events (#941)
• Fixed synchronization of URL reloading in Admin Console (#931)

Known issue: Version 23.2.4 introduces a problem with starting OIDC/Keycloak security module (Change #949 is missing default configuration value). Solution: To prevent NullPointerException (NPE), users must manually add "forceUrlEncodeCallbackUrl": false to the security module configuration or re-save the configuration in admin console.

#23.2.3

Release date: January 4th 2024

• Websocket not disconnected after network killed (#939)
• JDialog should not be maximized by double-clicking its title bar (#942)
• Possible to undock window to a new tab (#937)
• Fixed drag and drop issue with JWindow (#934)
• Fixed processing order of keyboard triggered focus events (#941)
• CRLF should be replaced by LF when geting the text from clipboard (#938)
• OIDC: use Apache HTTP client v2 for more robust DNS resolution (#920)

Fixed 3rd party vulnerabilities

Test Tool

• NULL Pointer Dereference CVE-2023-5590 [High Severity]

Shiro Security module

• URL Redirection to Untrusted Site ('Open Redirect') CVE-2023-46750 [Medium Severity]

#23.2.2

Release date: December 6th 2023

• Fixed drag'n'drop between 2 Swing windows (#934)
• Fixed windowClosing event preventDefault for iframes inside HtmlPanel (#935)
• Fixed race condition when reloading Admin Console server connection URLs while initializing (#931)
• Shift + mouse wheel does not scroll horizontally (#933)
• Configurable session logging in webswing server (#929)
• autoLogout does not work if shutdown triggered by user inactivity (#927)
• Fixed sessionpool.close.with.session not working (#932)
• Handshake sent before application start (#930)
• Fixed pasting plain text to HTML JEditorpane (#928)
• Migration toolkit improvements (#905)

Fixed 3rd party vulnerabilities

Test Tool

• NULL Pointer Dereference CVE-2023-5590 [High Severity]

#23.2.1

Release date: November 9th 2023

• Synchronized Admin Console endpoints - createApp, removeApp, startApp, stopApp (#924)
• Session lock improvements (#875)
• Use Apache HTTP client for more robust DNS resolution in OIDC
• Component migration improvements (#905)
• DirectDraw fix for custom paints (#858)
• Netbeans splash screen image misplaced (#919)
• Gracefully shutdown Jetty server (#909)
• Fixed issues with password manager (#915)
• Improved instance reconnect after network disconnect (#918)
• Show log tab in session detail view in Admin Console for resilient instances (#901)
• Fixed font field in Admin Console config in cluster (#901)
• Do not allow to scroll view in touch mode when offscreen input is focused (#901)
• Fixed synchronization in event handling of Test Tool (#901)
• Reset mirror when session changes with session switcher (#901)
• Mirror and shutdown not working when instance reconnects to another server in cluster (#916)
• Idle sessions not cleared when session pool dies (#865)
• Improve throughput of SwingInstanceSet.findByInstanceId (#912)
• Auto-scaler config change leaks a thread (#901)
• Fixed recording playback for webkit browsers (#901)

Fixed 3rd party vulnerabilities

Test Tool

• Hotrod-client CVE-2023-4586

SAML2 Security module

• Apache Santuario: Private Key disclosure in debug-log output CVE-2023-44483

Jetty

• HTTP/2 HPACK integer overflow and buffer allocation CVE-2023-36478

#23.2

Release date: October 10th 2023

New Features and Major Changes:

• Jakarta EE: Support for Jakarta servlet containers, while keeping backward compatibility so Webswing can run on both Tomcat 9 and 10.
• Component migration (beta): Less invasive way to render your swing components as native web components
• Drop-in deployments: Create self-contained application packages includeing Webswing configurations for easy distribution and deployment
• Session inactivity and lock screen: User inactivity can now result in locking, disconnecting or terminating the session
• Configurable file viewers: Customize how specific file types are handled when open, print, or edit methods are used (see java.awt.Desktop)

Minor improvements:

• Vaadin integration
• Input mode support for touch devices
• Embedding fonts in PDF
• 3rd party vulnerability updates

Breaking change - custom security modules need to be rebuilt due to Jakarta EE support.