v4.1.8

• Fixed a rounding bug that could cause requests for certain scale-constrained images to return HTTP 403 status.
• Fixed a potential NullPointerException from Java2dProcessor when the processor.metadata.respect_orientation configuration key is set to true.
• Improved TurboJpegProcessor's ability to partially decode corrupt source images.
• Improve the efficiency of the health check endpoint.

v4.1.7

• Fixed a sporadic JVM crash when using KakaduNativeProcessor under load with a derivative cache enabled.
• Fixed incorrect success status in response to image requests that have failed with a VM error.
• Fixed a NumberFormatException caused by incorrect Java version parsing when running in a beta or early-access JVM.
• Fixed an IOException appearing in the log at the conclusion of a successful request involving HttpSource when chunking is enabled.
• Fixed a NullPointerException when returning nil from the overlay() delegate method. (Thanks to @ccare)
• Fixed an error from the embedded Jetty server when trying to use a key store with multiple certificates.

v4.1.6

• Image information is no longer included in IIIF information responses with an HTTP 403 status.
• Fixed overridden boolean values not being recognized in inherited configuration files.
• Fixed information responses failing to respect the page URL query argument.
• Fixed a bug that caused requests for data beyond an offset of 2^31 from S3Source and AzureStorageSource to fail when chunking is enabled.
• Updated JRuby to version 9.2.11.1, which addresses multiple CVEs.
• Updated Jackson to version 2.11.0, which addresses multiple CVEs.

v4.1.5

• Fixed the IIIF Image API 2.x endpoint's handling of identifiers containing backslashes.
• Fixed a potential NullPointerException thrown by various AbstractIIOImageReader methods resulting from improper exception handling.
• Improved the user-friendliness of error messages resulting from illegal quality and format arguments in image requests.
• Reduced an error-level log statement resulting from an exception while streaming from a derivative cache to the response to debug-level.
• Jetty has been upgraded to version 9.4.24.v20191120, which addresses multiple CVEs.

v4.1.4

• Fixed the health-check endpoint (at /health).
• Fixed error responses when encountering empty request headers. (Thanks to @RRMoelker)
• Fixed incorrect URIs in Link header values in certain IIIF Image API v2 image endpoint responses.
• The ?response-content-disposition query argument correctly handles filenames containing spaces.
• Image endpoints return HTTP 403 instead of 500 in response to AccessDeniedExceptions from the underlying Source.
• Fixed two separate bugs in KakaduNativeProcessor that both caused empty regions to appear in certain images.
• Fixed overly restrictive signature verification in KakaduDemoProcessor and OpenJpegProcessor that could cause errors with some valid images.
• Fixed TurboJpegProcessor not respecting the processor.background_color configuration key.
• Fixed the PurgeItemFromCache API method not working with S3Cache and AzureStorageCache.
• When using AutomaticSelectionStrategy, processor initialization errors are logged at debug-level rather than error-level.

v4.1.3

• Added an undocumented HttpSource2 source which works the same as
  HttpSource, and uses the same configuration keys and delegate method, but
  is backed by a different HTTP client library. If you are having problems with
  HttpSource, try this one instead. The current implementation of
  HttpSource will probably be replaced by this one in the next major version.
• Fixed a missing resulting_size key in the delegate script's options hash,
  introduced in 4.1.
• Fixed a bug in KakaduNativeProcessor that could cause requests for certain
  scales to fail (or possibly even crash the JVM).
• Fixed the behavior of response-content-disposition query arguments
  containing a filename argument.
• Fixed failing to source-cache non-selectively-readable images when using
  Java2dProcessor or JaiProcessor with the source cache enabled and a source
  for which chunking is enabled.
• The Jetty client used by HttpSource has been downgraded to the version used
  in 4.1.1 due to a bug in the version used in 4.1.2.
• Fixed the behavior of the print_stack_trace_on_error_pages configuration key
  in the context of certain unrecoverable errors.

v4.1.2

• Fixed incorrect @id values in information responses when a query argument
  is present in the URI.
• Fixed a potential failure to fall back to the next candidate processor when
  TurboJpegProcessor is in the candidate chain but libjpeg-turbo is not
  available.
• Fixed a potential IIOException when reading certain JPEG images with
  JaiProcessor.
• Fixed newlines (\n) appearing literally in string overlays.
• Updated the Jetty dependency to address the following security vulnerability:
  CVE-2019-10247.
• Updated the PDFBox dependency to address the following security
  vulnerability: CVE-2019-0228.

v4.1.1

• Fixed NoSuchMethodErrors from various processors when running in Java 8.
• Fixed failure to locate the delegate script when delegate_script.pathname
  is set to a relative path outside of the current working directory.
• Fixed a regression in the handling of the X-Forwarded-Path header.
• Fixed breakage in manual processor selection from the Control Panel.
• Fixed an error from Java2dProcessor when downscaling TIFF source images to a
  very small size.
• Fixed improper codestream access in KakaduNativeProcessor that could cause
  cause degraded output for certain images.
• Improved resilience when reading certain oddly-encoded GIFs in
  Java2dProcessor and JaiProcessor.

v4.1

Configuration

• Configuration values can be obtained from the environment. See the user manual for more information.

Endpoints

• The redirect() and authorized?() delegate methods have been merged into a new authorize() method, which enables a superset of their functionality, including challenge responses and redirects to "virtual" quality-limited versions. Authorization can also be set up to align with the IIIF Authentication API 1.0's "all or nothing access" or "tiered access" schemes.
• The endpoint.public.auth.* keys that controlled global HTTP Basic protection have also been replaced by the authorize() delegate method.
• The maximum allowed scale can set in the configuration.
• Running tasks are displayed in the Control Panel.
• Added HTTP API endpoints for status and health checks.
• In the IIIF Image API 2.x endpoint, the Access-Control-Allow-Origin response header is always included in the information response regardless of whether an Origin header was sent in the request, in order to align more closely with the IIIF Image API.
• Improved handling and documentation of the X-Forwarded-Port header.
• The /iiif URI path no longer redirects to a specific Image API version, and now returns HTTP 404.
• Bug fixes related to cropping-by-percent of EXIF-rotated images.
• During image requests, authorize() is called earlier in the setup process, for better efficiency.
• Removed the Restlet dependency.

Sources

• HttpSource, S3Source, and AzureStorageSource are able to request chunks of resources on demand, which can improve performance when reading images in selectively-readable encodings like JPEG2000 and multi-resolution TIFF.
• HttpSource sends initial HEAD requests instead of ranged GET requests.
• The hash returned from the httpsource_resource_info() delegate method may include custom request headers.
• HttpSource's HttpSource.trust_invalid_certs configuration key has been renamed HttpSource.allow_insecure. When enabled, insecure cipher suites are accepted as well as insecure certificates.
• S3Source uses a Minio client instead of the AWS Java SDK client, to work around a possible thread-starvation bug in the AWS Java SDK when S3Source and S3Cache are in use at the same time.

Processors

• Added configurable processor selection strategies, one of which uses the existing processor.* configuration keys, and the other of which uses an automatic strategy that attempts to choose a "best" processor on a per-request basis.
• Added TurboJpegProcessor.
• Added the repeat position for image overlays.
• Efficiency improvements in KakaduNativeProcessor.
• KakaduNativeProcessor supports sizeByDistortedWidthHeight.
• Java2dProcessor and PdfBoxProcessor can preserve XMP metadata across most source and output formats.
• KakaduNativeProcessor respects the processor.metadata.preserve configuration key for XMP metadata.
• Worked around a bug in the GraphicsMagick gm command that causes occasional "broken pipe" errors from GraphicsMagickProcessor when reading images from a FileSource.
• KakaduDemoProcessor has been deprecated, as it has been made more-or-less redundant by KakaduNativeProcessor.
• Updated the PDFBox dependency.
• Removed normalization.

Caches

• S3Cache uses last-accessed rather than last-modified times.
• Changed the S3Cache and AzureStorageCache key naming schemes to improve organization and avoid problems with edge cases.

Other

• The change log has moved from the website to this file.
• Java 11 is supported.

v4.0.3

• Fixed a scaling-related regression in PdfBoxProcessor.
• Streams consumed from S3Source are drained fully before closure, which makes its connection pool more efficient and fixes a warning-level error message from its internal HTTP client.
• Fixed inability to use ScriptLookupStrategy with AzureStorageSource. (Thanks to @marc-sensenich)
• Fixed a potential math error when cropping certain images with an embedded EXIF Orientation tag.
• Improved exception handling in S3Source and S3Cache.
• Fixed inability of S3Cache and AzureStorageCache to recognize a cache.server.derivative.ttl_seconds key value greater than 2^31.
• Worked around an issue in OpenJPEG that could cause OpenJpegProcessor to fail when reading certain images from the source cache.
• Corrected the gray quality to grey in the IIIF Image API 1.x endpoint.
• Updated the Tika dependency to address the following security vulnerability: CVE-2018-17197.
• Updated the Jackson dependency to address several security vulnerabilities.
• Updated the PDFBox dependency.