Migration 7.0 to 7.1

Removed Libraries from Project Classpath

Some libraries have been removed from the project classpath and are no longer available to the Axon.ivy project.


If you still need them, you can add them manually to the Axon.ivy project. There is one big advantage: You can now use it in the version you need. It concerns the following libraries:

  • Lucene: lucene-core-4.5.1.jar, lucene-analyzers-common-4.5.1.jar, lucene-queryparser-4.5.1.jar
  • JGroups: jgroups-3.3.4.Final.jar
  • Jetty: jetty-continuation-7.4.5.v20110725.jar, jetty-http-7.4.5.v20110725.jar, jetty-io-7.4.5.v20110725.jar, jetty-server-7.4.5.v20110725.jar, jetty-util-7.4.5.v20110725.jar
  • Freemarker: freemarker-2.3.23.jar
  • Spring Security Crypto: spring-security-crypto-4.2.3.RELEASE.jar
  • DB Libraries: ecs-1.4.2.jar, hsqldb-, jt400-, jtds-1.3.1.jar, mysql-connector-java-5.1.42.jar, ojdbc8-, postgresql-42.1.3.jar, mssql-jdbc-6.2.1.jre8.jar

Library upgrades

REST services: CSRF-protection now enabled by default

CSRF-protection is now enabled by default on all REST services provided by Axon.ivy (including services provided by the mobile workflow API and services provided by custom Axon.ivy projects).


To call a modifying REST service via PUT, POST or DELETE the caller needs to provide a HTTP Header called X-Requested-By with any value e.g. ivy. This is the Jersey provided protection of REST services against cross-site request forgery (CSRF). If the CSRF header is not provided on a modifying REST request the request will fail with an HTTP Status 400 (Bad Request). Custom REST services via GET, HEAD or OPTIONS should therefore be implemented in a way that they don't modify data.

The CSRF protection for REST services can be server-wide disabled by setting the configuration property REST.Servlet.CSRF.Protection to false. However, that is not recommended.

The engine operates with packed projects

The engine is now able to execute projects in packed zip or iar files. If you deploy a new project to the engine, the new Process Model Versions will now contain a packed file instead of an expanded project directory by default.


Already deployed projects keep their expanded directory format.

Read-only projects

The packed projects are read-only projects. If you try to change the contents of such a project at runtime it will fail with a java.nio.file.ReadOnlyFileSystemException.

Get write access

If write access is necessary, for instance because the ivy.cms write API is used, the related project must be made writable. This can be done by deploying the project as an expanded project:

  • with the maven project-build-plugin, the configuration parameter deployTargetFileFormat must be set to EXPANDED.
  • with the deploy directory, it can be enforced by providing an options.yaml file with the following content
  fileFormat : EXPANDED
  • with the Engine Cockpit, use the EXPANDED File Format Option in the deployment dialog.

IvyAddOns not supported anymore

All document generating functions from IvyAddOns are now available in the DocFactory project. This project can be imported over the Ivy Projects Importer. All other IvyAddOns functions are not supported anymore.

Macros in Authentication Section of Web Service Call Inscription

The fields in the authentication section on the web service inscription mask are automatically converted to properties. You were able to use macros in these fields, which will be converted to valid ivy script. There is one special case which won't be supported anymore: Macro expansion within macro expansion. For example: The macro <%= ivy.co("/pathInCms") %> reads the content from the specified cms path. If there is also macro in the specified cms path, this macro will not be expanded anymore.

Import a Xpert.ivy 3.9 project is no longer possible

The support to import a Xpert.ivy 3.9 project into Axon.ivy Designer has been removed. If you need to convert a Xpert.ivy 3.9 project use Axon.ivy Designer 7.0 or earlier.

Renew / Change the session ID after login

To prevent from the Session Fixation attack Axon.ivy renews / changes the session ID after login. If you have any trouble with it (e.g. in combination with Mobile App) you can disable this by changing the configuration property Session.RenewIdOnLogin to false. If you migrate from 7.0.4 the feature is per default disabled and stays disabled after migration. We highly recommend enabling this feature by changing the configuration property Session.RenewIdOnLogin to true.