This document highlights major changes in CUBA Platform version 7.2.


Please note that in order to work with CUBA 7.2, you need to install Studio 13 or newer. Older versions of Studio don’t have correct support for project creation, migration and hot deployment.

All Resolved Issues

Breaking Changes

  1. Due to changes in the "remember me" login mechanism (see below) all application users will have to enter their credentials when logging in, as if their browser cookies were removed.

  2. The LoginScreen class has been refactored to simplify creation of alternative login screen implementations. The AuthInfo inner class has been moved into LoginScreenAuthDelegate, so if you have extended login screen in your project and overridden methods with this class in the signature, make the proper import to fix compilation, for example:

    public class ExtLoginScreen extends LoginScreen {
        protected void setAuthInfo(LoginScreenAuthDelegate.AuthInfo authInfo) {
        // ...
  3. Due to changes in SideMenu component, the main screen using such menu should have cssLayout as a root container. If you have the main screen with non-responsive side menu in your project, Studio will replace the root hbox with cssLayout upon automatic migration. If something is wrong with your main screen layout, make sure the root container is correct, for example:

    <window xmlns="http://schemas.haulmont.com/cuba/screen/window.xsd"
            <cssLayout id="horizontalWrap">
                <workArea id="workArea">
                <!-- -->
  4. Due to introducing security scopes, the cuba.anonymousSessionId application property has been removed. Now anonymous sessions for all scopes are created with random identifiers.

  5. The following changes have been made in the UserSession class:

    1. In the constructors, the collection of Role has been replaced with the collection of RoleDefinition.

    2. The addPermission() and removePermission() methods have been removed. The direct replacement for these methods is the manipulation with explicit permissions maps obtained from UserSession, for example:

      RoleDefinition joinedRole = userSession.getJoinedRole();
      Map<String, Integer> screenExplicitPermissions = joinedRole.screenPermissions().getExplicitPermissions();
      screenExplicitPermissions.put("demo_Customer.browse", 1);

      Another option is to create a new RoleDefinition using BasicRoleDefinition.builder() and then join with existing roles using RoleDefinitionsJoiner:

      RoleDefinition joinedRole = RoleDefinitionsJoiner.join(userSession.getJoinedRole(), myRole);
    3. The following methods have been removed: getConstraints(entityName), hasConstraints(), addConstraint(), removeConstraint(). To find a particular constraint, use getConstraints().findConstraintsByEntity(). To add or remove constraints, use AccessConstraintsBuilder:

      ConstraintsContainer constraintsContainer = AccessConstraintsBuilder.create()
                          .withJpql(MyEntity.class, "{E}.createdBy = :session$userLogin")
  6. The HTML content of many UI components (such as Label value and TextField caption) is now sanitized by default to prevent cross-site scripting (XSS). If you have any problems with displaying custom HTML, try to turn off the sanitization using the cuba.web.htmlSanitizerEnabled application property or in individual components using their setHtmlSanitizerEnabled() method.

  7. When using Folders Panel, the Add to set action and button do not appear automatically in the tables linked to the generic filter. If you need this action, add it explicitly as described in the Record Sets section.

  8. Amazon S3 file storage implementation has been moved to a separate add-on. See the add-on README for details.

  9. JGroups has been updated to version 4.1.8.Final. If you use middleware cluster, make the following changes in your JGroups configuration files:

    • For UDP configuration, replace:

      • MERGE2 with MERGE3

      • pbcast.NAKACK with pbcast.NAKACK2 and remove retransmit_timeout property

      • UNICAST with UNICAST3

      • FC with MFC

    • For TCP configuration, remove properties timer_type, timer.min_threads, timer.max_threads, timer.keep_alive_time, timer.queue_max_size, thread_pool.queue_enabled, thread_pool.queue_max_size, thread_pool.rejection_policy, oob_thread_pool.min_threads, oob_thread_pool.max_threads, oob_thread_pool.keep_alive_time, oob_thread_pool.queue_enabled, oob_thread_pool.queue_max_size, oob_thread_pool.rejection_policy and add property thread_pool.enabled="true". See details in this article.

  10. The DataContext.evictAll() has been renamed to evictModified(), which is a more appropriate name for the method evicting only modified and removed instances. Use the new clear() method to evict all instances including modified ones.

  11. The Icons.Icon.name() method has been renamed to iconName().

  12. Calendar has been generified and requires specifying particular datatype to work with corresponding date API (previously java.util.Date used directly).

  13. In the REST API add-on, the responseView optional parameter can be used in create/update requests. Without it, only 3 attributes of the entity are returned in the response:

       "id": "<entityId>",
       "_entityName": "<entityName>",
       "_instanceName": "<intanceName>"

    To revert to the previous behavior for backward compatibility, set the cuba.rest.responseViewEnabled application property to false.

Security Subsystem

  1. The security subsystem permissions and roles have been reworked to provide "denied by default" model instead of the previous "allowed by default". Newly created with CUBA 7.2 projects will use the new model by default. If you migrate a project from the previous CUBA version, Studio will add the application properties explained in Legacy Roles and Permissions to keep your existing security configuration intact.

  2. Now security roles and access groups together with permissions and constraints can be defined at design time using annotated Java classes. It makes the access control more robust and eliminates difficulties with transferring the configuration between application instances (e.g. from the development environment to production). Please note that design-time roles will work only in new projects created with CUBA 7.2. If you are migrating from a previous version and want to create roles at design time, you have to remove the properties explained in Legacy Roles and Permissions and reconfigure all your existing roles and permissions.

  3. Security scopes have been introduced to allow you to define different sets of roles for users logging in through different clients. The motivation behind this feature is that REST API clients should normally have more restrictions than Generic UI, because Generic UI is more safe by its nature.


  1. Usage of Application Home has been standardized for development and deployment environment. When you start the application in Studio, the application home is created in deploy/app_home directory. It contains conf, temp and work directories for all application blocks, as well as the common logs directory. The application home also contains the empty local.app.properties file and the default logging configuration in logback.xml.


    In order to correctly work with the application home, development Tomcat must define app.home Java system property in its setenv.* scripts. So remove the old deploy/tomcat folder after upgrading to CUBA 7.2 and before running the application. The new Tomcat will be installed automatically.

    Setting app.home Java system property is recommended for all deployment variants, however sensible fallback is provided by the framework: it is either the working directory for UberJAR, or ${catalina.base}/work/app_home when running WAR on Tomcat, or just ~/.app_home otherwise.

  2. You can easily provide your own logging configuration for the development environment: just create etc/logback.xml file in the project, and when you start the application, the file will be copied to deploy/app_home and recognized by the logging initialization procedure.

  3. Now you can configure connections to databases using application properties, see Connecting to Databases. This method simplifies the overall configuration, because app.properties files define all settings including the data source parameters. Also, it makes your WAR file completely independent of the application server environment.

    Getting data sources from JNDI is supported as before, so no migration is required for existing projects.

  4. Spring profiles can be used to customize application in different environments.

  5. OS environment variables can be used as a source of application properties values.

  6. Redeployment of web applications without restarting the application server works more reliably as a result of using the Classloader Leak Prevention library.

Generic UI

  1. SideMenu is now collapsible, which saves horizontal space. Also, the branding image and other components of the menu have been rearranged. See also the Breaking Changes section for possible issues on migration.

  2. The "remember me" login mechanism has been completely reworked:

    • The new application property cuba.rememberMeExpirationTimeoutSec defines expiration timeout for "remember me" cookies and RememberMeToken entity instances. It is set to 30 days by default.

    • If the user selects the Remember Me checkbox in the login screen, next time they log in automatically without showing the login screen.

    • If the user logs out explicitly, or the cookie is expired, next time the login screen is shown again.

  3. Views used for loading data in screens can be defined right in the screen descriptors, see an example here. This feature reduces the need for creating shared views in the views.xml file.

  4. Standard actions now have parameters that can be configured in XML and Java. So you don’t have to rewrite the whole action behavior just to open an editor screen as a dialog, or to specify a different screen class. Use Component Inspector in Studio to find and assign action properties and handlers, or copy code snippets from the documentation.

  5. ViewAction allows you to open entity edit screen in read-only mode. The optional enableEditing can be used to switch to the edit mode without reopening the screen.

  6. Introduced StandardOutcome and DialogOutcome enumerations that can be used instead of CloseAction constants when closing screens and testing how the screen or dialog was closed.

  7. Form now supports flexible positioning of fields, see the colspan and rowspan XML attributes and corresponding parameters of the add() method.

  8. In addition to the global layout template for the generic filter, a layout can be specified for each filter instance, see controlsLayoutTemplate property.

  9. BulkEditor has the responsive layout, which you can control using the columnsMode attribute.

  10. In DateField, if the new autofill attribute is set to true, the current month and year is set automatically after entering a day.

  11. TimeField can work in 12h AM/PM format if you set its timeMode attribute to H_12.

  12. In Table and DataGrid, you can set initial sorting order declaratively using the sort attribute of the column element.

  13. For DataGrid and TreeDataGrid, you can use the following predefined styles: borderless, no-horizontal-lines, no-vertical-lines, no-stripes.

  14. PopupView supports setting its position using popupPosition, popupTop, popupLeft attributes.

  15. All tables and data grids now have Select all / Deselect all commands in the columns popup, which simplifies managing long lists of columns.

  16. setOptionImageProvider method have been added to LookupField and LookupPickerField. It allows you to display images for the field options (previously only icons could be used). Go to Handlers tab in Studio component inspector and double-click optionImageProvider field to generate handler code.

  17. Button has its own shortcut attribute, which allows you to assign keyboard shortcuts to buttons not linked to actions.

  18. The new Slider component has been implemented.

  19. If you set the autoLoad attribute of RowsCount to true, the component will load the number of rows in background and show it automatically.

  20. Filter component can now work with KeyValueCollectionContainer loaders.


  1. Kotlin is fully supported, which means that you can use it in all parts of the project: entities, beans, screen controllers, etc. Hot-deploy of screen controllers written in Kotlin also works.

  2. Now you can provide database migration scripts for additional data stores in /db/init_<datastore_name> and /db/update_<datastore_name> directories of the core module. The scripts will be executed by the createDb and updateDb Gradle tasks having the storeName parameter, as well as by the application server if the cuba.automaticDatabaseUpdate property is configured accordingly.

  3. Gradle 5.6.4 is used for migrated and new projects. Studio automatically sets the proper version in the gradle/wrapper/gradle-wrapper.properties file. Check it in case of any troubles with project building.

  4. JUnit 5 is used in new projects for tests. The documentation has been updated accordingly.

  5. ViewBuilder simplifies creation of views in the business logic and tests.

  6. DataManager's fluent interface allows you to specify JPQL queries in abbreviated format omitting parts of the query that can be inferred from the context.

  7. Listeners of read-only transient properties are now notified when related properties change. It helps to update UI components displaying read-only attributes that depend on some other mutable attributes.

  8. @PostConstruct methods can accept Spring beans available in the global module as parameters.

Updated Dependencies

Core framework:

com.fasterxml.jackson = 2.10.1
com.fasterxml.jackson-databind = 2.10.1
com.google.code.gson/gson = 2.8.6
com.google.guava/guava = 28.1-jre
com.microsoft.sqlserver/mssql-jdbc = 7.2.2.jre8
com.sun.mail/javax.mail = 1.6.2
com.vaadin = 8.9.2-0-cuba
commons-codec/commons-codec = 1.13
de.javakaffee/kryo-serializers = 0.45
mysql/mysql-connector-java = 8.0.17
org.apache.commons/commons-collections4 = 4.4
org.apache.commons/commons-compress = 1.19
org.apache.commons/commons-dbcp2 = 2.7.0
org.apache.commons/commons-pool2 = 2.7.0
org.apache.commons/commons-text = 1.8
org.apache.httpcomponents/httpclient = 4.5.10
org.apache.poi/poi = 4.1.1
org.aspectj/aspectjrt = 1.9.4
org.aspectj/aspectjweaver = 1.9.4
org.codehaus.groovy = 2.5.8
org.freemarker/freemarker = 2.3.29
org.hibernate.validator/hibernate-validator = 6.1.1.Fin`al
org.hsqldb/hsqldb = 2.5.0
org.jgroups/jgroups = 4.1.8.Final
org.jmockit/jmockit = 1.48
org.jsoup/jsoup = 1.12.1
org.postgresql/postgresql = 42.2.8
org.slf4j/log4j-over-slf4j = 1.7.29
org.slf4j/slf4j-api = 1.7.29
org.springframework = 5.2.1.RELEASE
org.springframework.security = 5.2.1.RELEASE
tomcat = 9.0.27

FTS add-on:

org.apache.lucene = 8.2.0
org.apache.tika/tika-parsers = 1.22

Reports add-on:

com.haulmont.yarg = 2.2.4
org.apache.poi/ooxml-schemas = 1.4
org.apache.xmlbeans/xmlbeans = 3.1.0
. . .