XNAT 1.6.1 Release Notes

These release notes address the 1.6.1 update only. For the 1.6 release, see the XNAT 1.6 Release Notes.

We went much more modest on the cake this time. It's left over from a 3-year-old's birthday party:


Tomcat 7 Compatibility

Changes have been made throughout XNAT to support Tomcat 7 and other versions of Tomcat with HttpOnly session cookies enabled. Please note that the application has not been fully validated against Tomcat 7 or HttpOnly-enabled servers, but development instances on Tomcat 7 have been working without issue.


Changes have been made to all of the XNAT applets. These changes were related to:

  • HttpOnly session cookie management
  • Compatibility with the protocols framework
  • Handling a variety of DICOM modalities in addition to the standard DICOM MR
  • Load-time performance

Overall, the applets should be more robust and load much more quickly.

Browser Compatibility

Many issues related to cross-browser performance and function have been addressed. Most significantly, a number of issues were caused by eager caching behavior on Internet Explorer. Caching has been aggressively squashed in user interface-related calls.

Security and Access Management

The XNAT 1.6 release included a sweeping change in the security and access management implementation. XNAT 1.6.1 addresses some of the issues caused by this change, especially:

  • The Require Login setting, when set to false, now properly allows non-authenticated users to access public projects on the system.
  • Addresses within the system that require anonymous access, such as the JSESSION REST call, are properly exposed.
  • Authentication provider configurators are broken out from the authentication providers, which will allow for more flexible configuration of alternate means of authentication, e.g. OpenID, in the future.
  • Failed login attempts now display a generic error message indicating that login failed.
  • Timed-out users now get a message that they were logged out due to session timeout.
  • Removed the boss user from the default security settings and added a warning when active boss accounts are found on the system.
  • Non-authenticated calls to the REST API now return 401s as expected instead of trying to redirect the user to the login page.
  • Pipelines can be run as an LDAP-authenticated user.
  • Added message when user has multiple active sessions.
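
A post-upgrade check for the REST behavior listed above, as an added example that is not part of XNAT or of the original notes: it sends one request with no credentials, does not follow redirects, and reports whether the server answered 401 or redirected, and whether a session cookie was issued without HttpOnly. The script name, the finding strings and the command-line arguments are assumptions; the base URL and REST path are whatever your own deployment uses.

```python
import http.client
import sys
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def classify(status, headers):
    """Judge one unauthenticated REST response from its status and (name, value) headers."""
    hdrs = {}
    for name, value in headers:
        hdrs.setdefault(name.lower(), []).append(value)
    if status == 401:
        findings = ["ok: 401 returned"]
    elif 300 <= status < 400:
        # Pre-1.6.1 behavior described above: REST clients were sent to the login page.
        findings = ["fail: redirected to " + hdrs.get("location", ["?"])[0]]
    elif 200 <= status < 300:
        # Legitimate only for public data when Require Login is false.
        findings = ["check: served without authentication"]
    else:
        findings = ["check: unexpected status %d" % status]
    for raw in hdrs.get("set-cookie", []):
        cookie = SimpleCookie()
        cookie.load(raw)
        morsel = cookie.get("JSESSIONID")  # Tomcat's default session cookie name
        if morsel is not None and not morsel["httponly"]:
            findings.append("note: JSESSIONID set without HttpOnly")
    return findings


def probe(base_url, path, timeout=10):
    """GET base_url + path with no credentials; http.client never follows redirects."""
    parts = urlsplit(base_url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path.rstrip("/") + path)
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_rest_401.py <base URL of your XNAT> <REST path on your site>
    for finding in probe(sys.argv[1], sys.argv[2]):
        print(finding)
```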

Build Process

The XNAT 1.6 release also included support for modules. The main problem was that updating modules required a full re-build of XNAT (e.g. running update.sh), even when Java code wasn't modified. The quick-deploy-templates script now properly explodes and re-deploys code from modules.

The required value for the Restlet autoWire parameter in the web.xml is now determined automatically: it is set to true when XNAT is hosted in an application context in Tomcat and to false when XNAT is the root application in the server.

DICOM SCP Receiver Support

Adding multiple DICOM SCP receivers has been made much simpler. Further, DICOM SCP receivers can now be enabled and disabled (although not created or deleted) through the administrator's configuration tab, or through the REST API.

Custom Property Management

XNAT can initialize persistent properties from property bundles in the application. These properties can then be modified through the SettingsRestlet to allow for custom extensions of the system configuration.

Known Issues

Project Members Demoted to Collaborators

A bug in 1.6.1 prevents project members from editing project data (essentially, they become collaborators). This is fixed for 1.6.2; to get the fix sooner, pull the following changesets from xnat_builder:

hg pull -r e26268a -r 45db26b -r dd65bbd -r 359f580 -r f4b0680 -r 9cecdbc -r 5c43e5f -r eeb6fc5 -r 6dbb201 -r a52510d -r 50e4b24 -r 89c441e -r eaf71a9 -r 06194a8