Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4
The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
In Open Liberty 25.0.0.4:
View the list of fixed bugs in 25.0.0.4.
Check out previous Open Liberty GA release blog posts.
Develop and run your apps using 25.0.0.4
If you’re using Maven, include the following in your pom.xml file:
    <plugin>
        <groupId>io.openliberty.tools</groupId>
        <artifactId>liberty-maven-plugin</artifactId>
        <version>3.11.3</version>
    </plugin>
Or for Gradle, include the following in your build.gradle file:
    buildscript {
        repositories {
            mavenCentral()
        }
        dependencies {
            classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.3'
        }
    }
    apply plugin: 'liberty'
Or if you’re using container images:
FROM icr.io/appcafe/open-liberty
Or take a look at our Downloads page.
If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.
InstantOn Support for J2EEManagement, AppClientSupport and WsSecurity
Open Liberty InstantOn provides fast startup times for MicroProfile and Jakarta EE applications. With InstantOn, your applications can start in milliseconds, without compromising on throughput, memory, development-production parity, or Java language features. InstantOn uses the Checkpoint/Restore In Userspace (CRIU) feature of the Linux kernel to take a checkpoint of the JVM that can be restored later. InstantOn supports a subset of Open Liberty features. Any public features that are enabled outside of the supported set of features for InstantOn cause the checkpoint to fail with an error message. As of the 25.0.0.4 release, the following features are enhanced to support InstantOn: J2EEManagement, AppClientSupport, and WsSecurity.
Support for Java 24 in Open Liberty
Released on 18 March 2025, Java 24 introduces many new features and enhancements over previous versions of Java. However, since Java 24 is not a Long-Term Support (LTS) release, support for it will end when the next version of Java is supported. It offers many features worth checking out.
Here are the JEP changes in Java 24:
- 484: Class-File API
- 485: Stream Gatherers
- 488: Primitive Types in Patterns, instanceof, and switch (Second Preview)
- 495: Simple Source Files and Instance Main Methods (Fourth Preview)
- 496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism
- 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm
- 498: Warn upon Use of Memory-Access Methods in sun.misc.Unsafe
With the disabling of the Security Manager, you can no longer attempt to start Java with a Security Manager, install one during runtime, or use AccessController::checkPermission, Policy::setPolicy, SecurityManager::check*, or Subject::getSubject. Make sure to fully test your applications for this big change and refer to the description section of JEP 486 for more information.
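One way to find the code and launch options this change affects before moving a server to Java 24, as an added example that is not part of the original post: a line-based scanner for the APIs named above. The pattern list, the sample Java class and the sample jvm.options content are constructed for illustration; `System.getSecurityManager` and the `-Djava.security.manager` option are standard Java names that this page does not spell out.

```python
import re

# Per-line patterns for the APIs and launch option named in the paragraph above.
# "SecurityManager reference" also covers System.setSecurityManager(...) and the
# receivers of SecurityManager::check* calls, which a regex cannot type-check.
PATTERNS = [
    ("AccessController::checkPermission",
     re.compile(r"\bAccessController\s*\.\s*checkPermission\s*\(")),
    ("Policy::setPolicy", re.compile(r"\bPolicy\s*\.\s*setPolicy\s*\(")),
    ("Subject::getSubject", re.compile(r"\bSubject\s*\.\s*getSubject\s*\(")),
    ("SecurityManager reference", re.compile(r"\b(?:get|set)?SecurityManager\b")),
    ("JVM option java.security.manager",
     re.compile(r"-Djava\.security\.manager\b")),
]

# Naive: strips from // to end of line; block comments are not handled.
LINE_COMMENT = re.compile(r"//.*$")


def scan(name, text):
    """Return (file, line number, finding) for each match outside // comments."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = LINE_COMMENT.sub("", line)
        for label, pattern in PATTERNS:
            if pattern.search(code):
                findings.append((name, lineno, label))
    return findings


# Constructed sample inputs (not taken from any real project).
SAMPLE_JAVA = """\
import java.security.AccessController;
public class LegacyCheck {
    void guard(java.security.Permission p) {
        // Subject.getSubject(ctx) was removed from this method
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(p);
        AccessController.checkPermission(p);
    }
}
"""
SAMPLE_JVM_OPTIONS = "-Xmx512m\n-Djava.security.manager\n"
```

Each finding is a starting point for review and testing on Java 24, not proof of a failure: the scanner matches text, not resolved types.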
Take advantage of the changes in Java 24 in Open Liberty now and get more time to review your applications, microservices, and runtime environments on your favorite server runtime!
To start using Java 24 with Open Liberty, download the latest release of Java 24, then download and install Open Liberty 25.0.0.4 or later. Edit your Liberty server’s server.env file, set JAVA_HOME to your Java 24 installation, and start testing!
For more information on Java 24, please visit the Java 24 release notes page, API Javadoc page or download page. For more information on Open Liberty, please visit our documentation page.
Providing Liberty audit logs to OpenTelemetry using MicroProfile Telemetry 2.0
MicroProfile Telemetry 2.0 delivers the latest OpenTelemetry technology, enabling the collection and export of metrics and logs in addition to distributed tracing.
The Open Liberty Audit feature captures security-related events from the runtime environment and emits human-readable audit records to a file-based log. You can now collect Liberty audit logs and send them to your configured OpenTelemetry exporter by using the MicroProfile Telemetry 2.0 feature (mpTelemetry-2.0) with the Audit feature (audit-1.0 or audit-2.0). This update builds on existing capabilities for other Open Liberty runtime log sources (message, trace, and ffdc) and application logs generated by the java.util.logging (JUL) component.
To collect audit logs, add either the audit-1.0 or audit-2.0 feature and the mpTelemetry-2.0 feature to your server.xml file. Then add the new audit log source to the source attribute of the mpTelemetry server configuration element, as shown in the following example:
    <featureManager>
        <feature>audit-2.0</feature>
        <feature>mpTelemetry-2.0</feature>
    </featureManager>
    <mpTelemetry source="audit"/>
You can also configure which audit events are captured and routed to OpenTelemetry by specifying audit events and outcomes in the auditFileHandler element, as shown in the following example:
    <auditFileHandler maxFiles="5" maxFileSize="20" compact="true">
        <events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
        <events name="AuditEvent_2" eventName="SECURITY_AUTHN" outcome="REDIRECT"/>
        <events name="AuditEvent_3" eventName="SECURITY_AUTHN" outcome="FAILURE"/>
        <events name="AuditEvent_4" eventName="SECURITY_AUTHZ"/>
    </auditFileHandler>
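A configuration check for the setup described above, as an added example rather than Open Liberty tooling: it verifies that the audit and mpTelemetry-2.0 features and the audit source are present, and flags event filters that would keep failed outcomes out of the exported logs. The function name, the FAILURE rule, the comma-separated reading of the source attribute, and the reading that an events element without an outcome captures every outcome are assumptions; both server.xml inputs are constructed.

```python
import xml.etree.ElementTree as ET

AUDIT_FEATURES = {"audit-1.0", "audit-2.0"}


def check_audit_export(server_xml):
    """Return (problems, selected); selected maps eventName -> outcomes."""
    root = ET.fromstring(server_xml)
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    sources = {s.strip() for el in root.iter("mpTelemetry")
               for s in el.get("source", "").split(",") if s.strip()}
    selected = {}
    for ev in root.iterfind("auditFileHandler/events"):
        # Assumption: no outcome attribute means every outcome ("*").
        selected.setdefault(ev.get("eventName"), set()).add(ev.get("outcome", "*"))

    problems = []
    if not features & AUDIT_FEATURES:
        problems.append("audit-1.0 or audit-2.0 is not enabled")
    if "mpTelemetry-2.0" not in features:
        problems.append("mpTelemetry-2.0 is not enabled")
    if "audit" not in sources:
        problems.append("mpTelemetry source does not include audit")
    for name, outcomes in sorted(selected.items()):
        # Hypothetical rule: failed events should reach the exporter.
        if "*" not in outcomes and "FAILURE" not in outcomes:
            problems.append(f"{name} filter drops FAILURE outcomes")
    return problems, selected


# Constructed inputs: a complete configuration and a weakened variant.
GOOD = """<server>
  <featureManager>
    <feature>audit-2.0</feature><feature>mpTelemetry-2.0</feature>
  </featureManager>
  <mpTelemetry source="message, audit"/>
  <auditFileHandler maxFiles="5" maxFileSize="20" compact="true">
    <events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
    <events name="AuditEvent_3" eventName="SECURITY_AUTHN" outcome="FAILURE"/>
    <events name="AuditEvent_4" eventName="SECURITY_AUTHZ"/>
  </auditFileHandler>
</server>"""
WEAK = """<server>
  <featureManager><feature>mpTelemetry-2.0</feature></featureManager>
  <mpTelemetry source="message,trace,ffdc"/>
  <auditFileHandler>
    <events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
  </auditFileHandler>
</server>"""
```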
For more information about the Audit feature, see the feature documentation. For more information about using OpenTelemetry as a comprehensive observability solution, see Collect logs, metrics, and traces with OpenTelemetry.
Security vulnerability (CVE) fixes in this release
CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
---|---|---|---|---|
 | 5.5 | Denial of service | 21.0.0.2 - 25.0.0.3 | Affects the |
 | 5.9 | Denial of service | 17.0.0.3 - 25.0.0.3 | Affects the |
For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.
Get Open Liberty 25.0.0.4 now
Available through Maven, Gradle, Docker, and as a downloadable archive.