refactor(uPortal-webapp): consolidate skin + JSP onto /resource-server/#2983
Merged
bjagg merged 2 commits intoMay 14, 2026
Merged
Conversation
7951eb4 to
351e009
Compare
…r/; trim dead libs
Problem: uPortal core's skin descriptors and admin JSPs were the
largest fleet-wide consumer of legacy /ResourceServingWebapp/...
paths and a bundle of 2008-2015 utility libraries (lodash 4.17.4,
modernizr 2.6.2, normalize.css 2.1.2, four polyfill webjars). Most
of those libs are either CVE-prone, native-replaceable on modern
browsers, or both. The <rs:compressJs> JSP tag the admin pages used
is already a no-op upstream (the resource-server-utils maintainers
deprecated it; minification moved to esbuild) — its presence in the
markup is dead weight. Tango and famfamfam icon URLs across the
admin chrome and skin SCSS still pointed at the legacy WAR.
Goal: move every legacy /ResourceServingWebapp/ reference to the
modern /resource-server/ context, drop libraries that no consumer
needs, and remove the dead taglib wrappers — ahead of the legacy
overlay being retired from uPortal-start.
Changes:
- uPortal-webapp/src/main/webapp/WEB-INF/jsp/Search/{search,searchLauncher,searchRest}.jsp,
WEB-INF/jsp/Translator/translator.jsp,
WEB-INF/jsp/SessionTimeout/header.jsp,
WEB-INF/jsp/DynamicRespondrSkin/skinConfig.jsp,
WEB-INF/jsp/Statistics/reportGraph.jsp: remove the no-op
<rs:compressJs>...</rs:compressJs> wrappers around inline <script>
bodies. Indentation preserved.
- uPortal-webapp/src/main/webapp/WEB-INF/jsp/Search/searchRest.jsp,
WEB-INF/jsp/Invoker/sitemap.jsp: drop the lodash 4.17.4 <script>
tag (CVE-2018-3721, CVE-2019-10744, CVE-2020-8203, CVE-2021-23337).
Rewrite 12 _.forEach/_.startCase/_.kebabCase/_.has/_.every/
_.unescape/_.forOwn callsites to native ES (Object.keys+forEach,
Array.prototype.forEach, plus three small inline helpers
startCase/kebabCase/hasPath/unescapeHtml).
- uPortal-webapp/src/main/webapp/WEB-INF/jsp/Statistics/reportGraph.jsp:
swap four <rs:resourceURL var=... /> calls for canvg/rgbcolor/base64/
canvas2image to <c:set var=... value="/resource-server/rs/..."/>
(var indirection preserved).
- uPortal-webapp/src/main/webapp/media/skins/respondr/common/common_skin.xml:
swap modernizr to /resource-server/rs/...; THEN remove modernizr
entirely (zero Modernizr.* callsites in the workspace, no
.no-js/.js CSS dependencies — pure dead weight). Remove the four
polyfill <js> entries (core-js-bundle, regenerator-runtime,
whatwg-fetch, webcomponents-polyfill) — uPortal targets BS5
baseline browsers (no IE), all of which natively support these APIs.
- uPortal-webapp/src/main/webapp/media/skins/respondr/defaultSkin/skin.xml:
swap fontawesome 4.7.0 to /resource-server/rs/...; remove
normalize.css 2.1.2 (Bootstrap 5 reboot.css supersedes it for
any BS5-baseline browser).
- uPortal-webapp/src/main/webapp/media/skins/respondr/common/scss/entity-selector.scss:
path-swap nine famfamfam silk icon URLs from
/ResourceServingWebapp/rs/famfamfam/silk/... to /resource-server/...
- uPortal-webapp/src/main/webapp/media/skins/common/javascript/uportal/modern-portlet-browser.js,
WEB-INF/jsp/BackgroundPreference/viewBackgroundPreference.jsp,
WEB-INF/flows/locale-selector/selectLocale.jsp: path-swap legacy
tango / famfamfam silk + flag icon URLs to /resource-server/.
- uPortal-webapp/src/main/resources/org/apereo/portal/tenants/sampledata/portlet-definition/skin.portlet-definition.xml,
uPortal-webapp/src/test/resources/org/apereo/portal/io/xml/portlet/test_4-0.portlet.xml:
same path swap in tenant sample data + a test fixture.
- docs/developer/other/API.md: align an example URL with the modern
context.
Notes: tango/0.8.90, famfamfam silk/1.3, fontawesome 4.7.0, and
modernizr/normalize bundles are byte-identical at the modern
/resource-server/rs/... paths in resource-server-webapp:1.5.x.
The remaining famfamfam refs in entity-selector.scss require Sass
recompilation at deploy time. <rs:resourceURL>'s var-indirection
swap to <c:set> uses JSTL imported via the standard
WEB-INF/jsp/include.jsp. The <rs:compressJs> tag stays valid (still
in resource-server-utils as a deprecated pass-through) — the cleanup
here is consumer-side. End-to-end verified by uPortal-start's full
Playwright suite (121/122 with 1 documented chrome dropdown flake;
all visual smoke + news-reader/CKEditor instantiation tests green).
…n_skin.xml
Problem: the resource-server consolidation pass landed via the
prior chore/resource-server-consolidation commit
(refactor(uPortal-webapp): consolidate skin + JSP onto
/resource-server/) missed three entries in common_skin.xml that
the skin XSL expanded to legacy /ResourceServingWebapp/rs/...
URLs (underscore, backbone, jquery-plugins/rating). Pages that
include the common skin chrome — i.e. every uPortal page,
including admin /p/.../?pCm=config views — still fetched these
legacy paths.
Goal: complete the consolidation by routing those three libs
through the modern /resource-server/ context, so the legacy
ResourceServingWebapp overlay can be dropped from uPortal-start
without leaving load-bearing chrome scripts unresolved.
Changes:
- uPortal-webapp/src/main/webapp/media/skins/respondr/common/
common_skin.xml: drop the resource="true" attribute and prefix
the path with /resource-server for the three plain/aggregated
pairs:
/rs/underscore/1.8.3/underscore.{js,min.js}
/rs/backbone/1.3.3/backbone-1.3.3.{js,min.js}
/rs/jquery-plugins/rating/1.0/bootstrap-rating-input.{js,min.js}
All three libs are served at byte-identical relative paths
under the modern /resource-server/ context (verified via curl
against a running portal); zero runtime difference in
rendering, just the URL prefix changes.
Notes: the commented-out jqueryui i18n entries (immediately above
the first changed pair) are left in place. They are inactive
markup with a clear "Uncomment for internationalization" note;
out of scope for this commit. Caught by extending the visual-
resource-server smoke spec in uPortal-start to navigate
uportal-links?pCm=config (whose chrome surfaced the three legacy
hits).
351e009 to
0468c6d
Compare
Member
Author
|
Hi @Naenyn — your fix from #2982 (commit 1a39f95, "Comment out / deprecate less") is intact on master and is reachable from this PR's branch history as an ancestor; I just verified via |
ChristianMurphy
approved these changes
May 12, 2026
bjagg
added a commit
to bjagg/uPortal-start
that referenced
this pull request
May 14, 2026
Problem: PR uPortal-Project#694's visual-resource-server smoke spec gates on no /ResourceServingWebapp/ URLs being requested by uPortal core or any of the deployed portlets. The pins were on versions predating both the uPortal-side path swaps (uPortal-Project/uPortal#2983, in v5.17.8) and the portlet-side overlay drops (SimpleContent uPortal-Project#554, Feedback uPortal-Project#112, NewsReader uPortal-Project#438; in 3.4.3 / 1.3.2 / 5.1.5 respectively). CI's visual smoke tests therefore stayed red until all five releases shipped together. Goal: pick up the Wave 1 portlet releases and the Wave 2 uPortal release so PR uPortal-Project#694's CI exercises the full post-consolidation stack. Changes: - bump uPortalVersion 5.17.7 -> 5.17.8 (uPortal#2983: skin XML + JSP path swaps off /ResourceServingWebapp/; drop dead utility-lib webjar deps) - bump simpleContentPortletVersion 3.4.2 -> 3.4.3 (uPortal-Project#554: CKEditor 4.22.1 webjar; drop resource-server-content overlay) - bump feedbackPortletVersion 1.3.1 -> 1.3.2 (uPortal-Project#112: drop overlay) - bump newsReaderPortletVersion 5.1.4 -> 5.1.5 (uPortal-Project#438: native mini-template renderer replacing Handlebars 3.0.3; drop overlay) Notes: validated locally against a fresh portalInit + tomcatStart with the bumped pins. Five of six visual-resource-server tests pass (guest welcome, admin home, student home, CKEditor 4 webjar instantiation, uportal-links config). The news-portlet-renders-without-Handlebars test was already failing in CI before this commit; not a regression from the bumps. CalendarPortlet event-fetch is flaky in local quickstart data; tracked separately. Refs: uPortal-Project#694
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Moves uPortal core's skin descriptors, admin JSPs, and chrome-asset references off the legacy
/ResourceServingWebapp/context to the modern/resource-server/. Also drops a bundle of 2008–2015 utility libraries (lodash 4.17.4, modernizr 2.6.2, normalize.css 2.1.2, four polyfill webjars) that were either CVE-prone, native-replaceable on modern browsers, or both. Removes dead<rs:compressJs>taglib wrappers (already a no-op upstream).Two commits:
c80cdea43b— main consolidation: JSP<rs:compressJs>cleanup, skin SCSS path swaps to/resource-server/, tango/famfamfam icon URL swaps in the admin chrome and skin, drop the dead utility-lib webjar dependencies. ~30 files.0468c6de77— finishing touch inrespondr/common/common_skin.xml: the threeresource="true"entries (underscore, backbone, jquery-plugins/rating) that the first commit missed are now routed through/resource-server/. All three libs are served at byte-identical relative paths under the modern overlay; verified via curl.Why
Ahead of the
ResourceServingWebappoverlay being retired fromuPortal-start, every reference to/ResourceServingWebapp/...in uPortal core needs to land on/resource-server/.... The dead<rs:compressJs>wrappers (already deprecated byresource-server-utilsmaintainers; minification moved to esbuild) are dead weight in the markup.Test plan
./gradlew installin this repo, then./gradlew :overlays:uPortal:tomcatDeploy && ./gradlew tomcatStartin uPortal-start/p/uportal-links/?pCm=config: zero requests to/ResourceServingWebapp/...tests/ux/smoke/visual-resource-server.spec.ts) passes — that suite asserts the absence of legacy URL requests; companion PR chore: resource-server consolidation in uPortal-start uPortal-start#694 extends its coverage touportal-links?pCm=configCompanion PRs
9068d91(release as 2.4.3-SNAPSHOT) drops lodash fromconfigLinks.jspand switches to/resource-server/