SVN Edge 5.0 Released – with Java 8 Support

I am pleased to announce the release and general availability of SVN Edge 5.0. Downloads for Windows, Linux and Solaris are available now. If you already have SVN Edge installed, you can update from within the application itself. Windows users should read on though.

The driver for this release was support for Java 8. Normally, new releases of Java are not that big a deal because Java has excellent backwards compatibility and code written and compiled for older versions generally works the same on newer versions. I’ve been working with Java since 1.1 and that has always been my experience. So we were caught by surprise when SVN Edge did not run on Java 8. SVN Edge is not really a Java app in the traditional sense as it is built atop the Groovy on Grails framework. The version of the Grails framework we were using did not run on Java 8, and at the time Java 8 was released there was only a beta version of a future Grails release with Java 8 support. This release became official a while later, but we then had the problem that we had to move our code base across several major releases of Grails in order to upgrade. We were intentionally staying on Grails 1.3.4 because the 2.0 release had significant compatibility changes and the benefits were not that compelling for us. Now, in order to support Java 8 we had to make the leap all the way to version 2.4.4. Anyway, this is just a long winded way of saying it took a while.

While we were in the process of doing this major upgrade of the application framework, we received confidential disclosure of several security vulnerabilities and other suggested security improvements that the application ought to make. This disclosure came from Security Consultant Oliver-Tobias Ripka, and we would like to extend our thanks to him for sharing this information as well as giving us time to correct the problems.

You can view the complete list of changes in this release, as well as all of the security-related fixes in the release notes.  I would like to call out a few of the improvements here as well though. First, in order to generally improve our security and to enable several of the suggested improvements we moved our security and authentication framework to Spring Security Framework. This allowed us to implement a more robust password hashing algorithm (bcrypt) as well as implement policies for stronger passwords and throttling of failed login attempts. For users that use internal users and Apache passwords, as opposed to LDAP, we also increased the security of those passwords to use bcrypt. We enabled strong security by default, but we also added a security.conf configuration file to allow users some control over these options. We also changed all of the forms in SVN Edge to carry one-time tokens to prevent attempts at Cross-Site Request Forgery (CSRF/XSRF) attacks.

We also made major changes to our database. We upgraded to a more recent version of HSQLDB and also made some changes to improve the reliability of the database. This is an in-memory database and over the years a very small number of users have run into corruption, probably after some kind of hard crash where the memory could not write back to disk. These have been rare and in most cases could be easily repaired. However, we wanted to make several improvements to try to further minimize the occurrence of these problems. Besides upgrading to a newer version, we also split our database into two. The most critical of our database information contains the configuration and users. This only changes when you change the configuration and the data is very small. However, we also store operational statistics and metrics in the database and these are larger and more volatile. They are also less critical, so we split these into a separate database which should reduce any chance of corruption. We also are leveraging a new feature of HSQLDB to take automatic backups of the database. So we now do this automatically every 12 hours to serve as a secondary backup that can be used to easily recover the database if needed.

Finally, we also made some changes to the Windows packaging. We now include Java as an embedded JRE so you no longer need to have Java installed on the system and expose the web browsers on the server to the possible vulnerabilities in the Java browser applet feature.  We also updated to the latest version of the libraries we use to run SVN Edge as a service. We were not aware of any bugs in this library but it did “officially” add support for Windows 8 and Windows 2012 so it seemed like a worthwhile upgrade. To take advantage of these changes, you must upgrade SVN Edge one time by using the latest Windows installer. You do not HAVE to do this. You can still update SVN Edge via the web UI. Doing so, simply will not change over to the embedded Java or the newer Windows service.

In addition to these changes we also picked up the most common bugs and feature requests that were in the backlog and of course we are including the latest released version of Apache, Subversion and OpenSSL etc. These are actually still the same version that were included in SVN Edge 4.0.14 since there have not been any updates since then.

A new major release of Subversion is on the near term horizon.  Subversion 1.9.0-RC1 was recently released which means the final GA release should be out in the next 4-6 weeks.  We will have a SVN Edge 5.1 or 5.2 release available sometime soon after which includes those binaries for all platforms.

 
* Apache, Apache Subversion and the Subversion logo are trademarks of the Apache Software Foundation. Subversion® is a registered trademark of the Apache Software Foundation.

Mark Phippard

Engineering manager for several teams at CollabNet, including CloudForge, Subversion, Subversion Edge, Git and our Desktops and Integrations. Project owner for the Subclipse project, which provides Subversion support in Eclipse. Also a full committer for the Subversion project. Product owner for GitEye, Subversion Edge and the CollabNet Desktops and Integrations.

Tagged with: , ,
Posted in Subversion
17 comments on “SVN Edge 5.0 Released – with Java 8 Support
  1. Jean-Luc Devenoge says:

    I’ve made the update from 4 to 5 using the web fonction. Sofar it was ok. Now if i restart the server the csvn console do not start automaticaly any more.

    If I start it manually then it works.

    This is the error by trying to start it from webmin:
    /etc/init.d/csvn: 662: /etc/init.d/csvn: -: not found
    Could not run the command using user “svnadministrator”.
    Advice: Make sure the user “svnadministrator” has a shell.
    If user “svnadministrator” has a no shell, you can specify one using SU_OPTS if your platform support it.
    For example, at the top of this script you can set: SU_OPTS=”-s /bin/bash”.
    Another workaround would be to use a OS service management tool if available on your platform.
    OS service management tools supported by this script are described at the top of this script.

    Do you have any idees?

    Thanks for your help.
    Jean-Luc

  2. Jean-Luc Devenoge says:

    Hi,
    I’ve made the update from 4 to 5. So far it is ok.
    The problem that I have now is that the service do not start automatically any more.

    error is:
    root@HACHZH1SAS30:~# /etc/init.d/csvn start
    /etc/init.d/csvn: 662: /etc/init.d/csvn: -: not found
    Could not run the command using user “svnadministrator”.
    Advice: Make sure the user “svnadministrator” has a shell.
    If user “svnadministrator” has a no shell, you can specify one using SU_OPTS if your platform support it.
    For example, at the top of this script you can set: SU_OPTS=”-s /bin/bash”.
    Another workaround would be to use a OS service management tool if available on your platform.
    OS service management tools supported by this script are described at the top of this script.

    If I start it manually then it work ok.

    Any idee what I do wrong?

    Thanks,
    Jean-Luc

    PS: Running on Ubuntu 14.04

    • Thomas says:

      Hello, I have exactly the same problems after updating to version 5.

      I’m running on Debian 7

      Manual start with root user also fails. Startring with my csvn user works.

      Any ideas?

      Thanks.

      • Not a solution !!! but while collabnet help us it works:
        in the file /opt/csvn/bin/csvn

        remove the exit while it goes in error

        find the row “exit $RUN_AS_USER_EXITCODE”

        comment it with #

        # exit $RUN_AS_USER_EXITCODE

  3. wilson says:

    Hi!
    I am running SubversionEdge on windows server 2012R2. I have upgrade its version from admin web panel from Release: 4.0.12 to 5.01.
    While update it works fine for few time but once I click the getting star ted wizard it automatically stops and shows an error as below.

    ############ERROR starts here…############

    *An unexpected system error has occurred.

    ####Error

    Sorry, but an unexpected error occurred while processing the last request. If the problem persists, please contact an administrator.

    You can submit an error report to the Subversion Edge forum at users-svnedge@ctf.open.collab.net.
    Please include the error details to help the developers fix the problem. These details would not normally contain any sensitive information, but please review the data prior to sending it. [ Show details ]

    ###Details

    Error 500: No row with the given identifier exists: [com.collabnet.svnedge.domain.WizardStep#3]
    Servlet: grails
    URI: /csvn/grails/status/index.dispatch
    Exception Message: No row with the given identifier exists: [com.collabnet.svnedge.domain.WizardStep#3]
    Caused by: No row with the given identifier exists: [com.collabnet.svnedge.domain.WizardStep#3]
    Class: ApplicationFilters
    At Line: [260]

    ###### Stack Trace

    org.hibernate.ObjectNotFoundException: No row with the given identifier exists: [com.collabnet.svnedge.domain.WizardStep#3]
    at ApplicationFilters$_closure1_closure10_closure22.doCall(ApplicationFilters.groovy:260)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:575)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
    at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:276)
    at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:103)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
    at grails.plugin.springsecurity.web.authentication.RequestHolderAuthenticationFilter.doFilter(RequestHolderAuthenticationFilter.java:49)
    at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:82)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1484)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1476)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.server.Server.handle(Server.java:370)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
    at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)

    ######## END #########

  4. David says:

    Hi Wilson, I get the exact same error as you and it is when a user which is the admin user or has admin rights attempts to login to the console. Other non admin users do not have the same problem and can login successfully. If someone can please assist with finding a solution for this issue much appreciated as my admin user cannot login!

  5. Brendan says:

    Same error here:
    “/etc/init.d/csvn: 663: /etc/init.d/csvn: -: not found
    Could not run the command using user “ubuntu”.
    Advice: Make sure the user “” has a shell.
    If user “” has a no shell, you can specify one using SU_OPTS if your platform support it.
    For example, at the top of this script you can set: SU_OPTS=”-s /bin/bash”.
    Another workaround would be to use a OS service management tool if available on your platform.
    OS service management tools supported by this script are described at the top of this script.”

    Did anyone find a fix?

  6. wildfly says:

    i also find the problem,how to fix it,anyone can help me.

  7. BusiPlay says:

    SVN Edge seems to install the 1.8.14 version of the binaries. Can we upgrade the 1.9.1 – Edge Admin says no updates available

    • Stef says:

      …SVN Edge seems to install the 1.8.14 version of the binaries. Can we upgrade the 1.9.1 – Edge Admin says no updates available…

      The same for me, how can I update Edge 5.1 to SVN 1.9.1?

      • BusiPlay says:

        You don’t – SVN binaries are specialized for Edge and have not been updated. When I spoke with Collabnet folks they felt 1.9.1 was not yet stable enough to upgrade to, and there was no clear advanatge to doing so at this time

  8. Alexander says:

    Adding “SU_BIN” at the top of the script /opt/csvn/bin/csvn helped me with this error:

    SU_OPTS=”-s /bin/bash”
    SU_BIN=”/bin/su”

  9. Eveline says:

    Contrary to what the article claims, The installer for Csvn 5.1.2 (for Windows 7 64 bit) did not install a Java engine.
    After discovering that issue I manually installed jre1.8.0_92.
    And then I got the impression Csvn 5.1.2 still does not support recent releases of Java.
    Very disappointing!

Leave a Reply

Your email address will not be published. Required fields are marked *

*