This release is a new version of the Portlet API, addressing a Security CVE. We are changing one method implementation, GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it provided a default implementation that could serve any resource in the web application. Having it serve resources without the programmer actually implementing the serveResource method was considered to be a potential security vulnerability.
From the 2.1.0 Portlet Specification: ------ PLT.2.6 Changes Introduced with Version 2.1.0 Version 2.1.0 is a maintenance release amending the description of Resource Serving Dispatching in section PLT.5.4.5.3. This change, along with the associated Portlet API version 2.1.0 jar file update, closes a potential security vulnerability associated with Common Vulnerabilities and Exposures ID CVE-2015-1926. By default the serveResource method in the GenericPortlet class does nothing. However, if a portlet initialization parameter with the reserved name “javax.portlet.automaticResourceDispatching” is set to true, the GenericPortlet serveResource method will attempt to forward the request to the resource ID set on the URL triggering the resource request. If no resource ID is set, the serveResource method does nothing. —— Binary Downloads: https://dist.apache.org/repos/dist/release/portals/portlet-api/binaries/ <https://dist.apache.org/repos/dist/release/portals/portlet-api/binaries/> Source Downloads: https://dist.apache.org/repos/dist/release/portals/portlet-api/sources/ <https://dist.apache.org/repos/dist/release/portals/portlet-api/sources/> Maven: <dependency> <groupId>org.apache.portals</groupId> <artifactId>portlet-api_2.1.0_spec</artifactId> <version>1.0</version> </dependency> Javadocs: http://portals.apache.org/portlet-api/portlet-api-2.1.0/ <http://portals.apache.org/portlet-api/portlet-api-2.1.0/>
