See all blog posts
Jakarta EE 11, Spring Boot 4.0, and more in 26.0.0.5
This release introduces official support for Jakarta EE 11, Spring Boot 4.0 applications, and updated TLS/SSL cipher handling in Open Liberty, including enhanced Spring Boot deployment support and simplified SSL cipher configuration.
In Open Liberty 26.0.0.5:
View the list of fixed bugs in 26.0.0.5.
Check out previous Open Liberty GA release blog posts.
Develop and run your apps using 26.0.0.5
If you’re using Maven, include the following in your pom.xml file:
<plugin>
<groupId>io.openliberty.tools</groupId>
<artifactId>liberty-maven-plugin</artifactId>
<version>3.12.0</version>
</plugin>Or for Gradle, include the following in your build.gradle file:
buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
}
}
apply plugin: 'liberty'Or if you’re using container images:
FROM icr.io/appcafe/open-libertyOr take a look at our Downloads page.
If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.
Jakarta EE 11 Core Profile, Web Profile, and Platform
Jakarta EE 11 Core Profile, Web Profile and Platform are now officially supported in Open Liberty! We’d like to start by thanking all those who provided feedback throughout our various betas.
Jakarta EE 11 marks a major milestone. It is the first Jakarta release to add a new specification to the platform since Java EE 8 in 2017 and, therefore, the first to provide a new component specification since the platform was taken over by the Eclipse Foundation. Among the many updates to existing Java specifications, it also removes all optional specifications and functions from the Platform. Liberty continues to support those optional specifications and functions when combined with Jakarta EE 11 features.
The Core Profile specification was introduced in Jakarta EE 10 to provide a profile for lightweight cloud native applications such as MicroProfile-based applications. With the introduction of Jakarta EE 11 support in this release, the MicroProfile 7.0 and 7.1 features also now work with Jakarta EE 11. You can run your MicroProfile 7 applications using either Jakarta EE 10 or Jakarta EE 11 features.
The following specifications make up the Jakarta Platform and the Core and Web profiles:
Jakarta EE Core Profile 11
| Specification | Updates | Liberty Feature Documentation |
|---|---|---|
Major update |
||
Major update |
||
Minor update |
||
Minor update |
||
Unchanged |
||
Unchanged |
||
Unchanged |
Jakarta EE Web Profile 11
| Specification | Updates | Liberty Feature Documentation |
|---|---|---|
Major Update |
See previous table |
|
New |
||
Major update |
||
Major update |
||
Major update |
||
Minor update |
||
Minor update |
||
Minor update |
||
Minor update |
||
Minor update |
||
Minor update |
||
Minor update |
||
Minor update |
||
Unchanged |
Not applicable |
|
Unchanged |
||
Unchanged |
||
Unchanged |
Not applicable (see Javadoc) |
Jakarta EE Platform 11
| Specification | Updates | Liberty Feature Documentation |
|---|---|---|
Major update |
See previous table |
|
Major update |
||
Unchanged |
||
Unchanged |
||
Unchanged |
||
Unchanged |
||
Unchanged |
||
Unchanged |
| Enterprise Beans 4.0 is unchanged, but the optional EJB 2.x function is no longer enabled when the enterpriseBeans-4.0 feature is configured with other Jakarta EE 11 features. Users who want to use EJB 2.x APIs must also add the enterpriseBeansHome-4.0 feature. |
Liberty provides convenience features for running all of the component specifications that are contained in the Jakarta EE 11 Web Profile (webProfile-11.0) and the Jakarta EE 11 Platform (jakartaee-11.0). These convenience features enable you to rapidly develop applications using all of the APIs contained in their respective specifications. For Jakarta EE 11 features in the application client, use the jakartaeeClient-11.0 Liberty feature.
To enable the Jakarta EE Platform 11 features, add the jakartaee-11.0 feature to your server.xml file:
<featureManager>
<feature>jakartaee-11.0</feature>
</featureManager>Alternatively, to enable the Jakarta EE Web Profile 11 features, add the webProfile-11.0 feature to your server.xml file:
<featureManager>
<feature>webProfile-11.0</feature>
</featureManager>Although no convenience feature exists for the Core Profile, you can enable its equivalent by adding the following features to your server.xml file:
<featureManager>
<feature>jsonb-3.0</feature>
<feature>jsonp-2.1</feature>
<feature>cdi-4.1</feature>
<feature>restfulWS-4.0</feature>
</featureManager>To run Jakarta EE 11 features on the Application Client Container, add the following entry in your client.xml file:
<featureManager>
<feature>jakartaeeClient-11.0</feature>
</featureManager>For more information reference:
Spring Boot 4.0
Open Liberty currently supports running Spring Boot 1.5.x, 2.x, and 3.x applications. With the introduction of the new springBoot-4.0 feature, users can now deploy Spring Boot 4.x applications. While Liberty has consistently supported Spring Boot applications packaged as WAR files, this enhancement extends support to both JAR and WAR formats for Spring Boot 4.x applications.
The springBoot-4.0 feature provides complete support for running a Spring Boot 4.x application on Open Liberty, as well as the ability to thin the application when building containerized applications.
To use this feature, users must be running Java 17 or later with Jakarta EE 11 features enabled. If the application uses servlets, it must be configured to use servlet-6.1. Include the following features in your server.xml file to configure the server.
<featureManager>
<feature>springBoot-4.0</feature>
<feature>servlet-6.1</feature>
</featureManager>The server.xml configuration for deploying a Spring Boot application follows the same approach used in earlier Liberty Spring Boot versions.
<springBootApplication id="spring-boot-app" location="spring-boot-app-0.1.0.jar" name="spring-boot-app" />As in earlier versions, the Spring Boot application JAR can be deployed by placing it in the /dropins/spring folder. The springBootApplication configuration in the server.xml file can be omitted when this deployment method is used.
Update to TLS/SSL Cipher support
Liberty now uses the effective cipher list from the JDK for SSL configuration. The securityLevel attribute in the SSL configuration is not used anymore. In addition, the enabledCiphers attribute in the SSL config is updated to customize the SSL ciphers in a more flexible way.
Liberty’s securityLevel based cipher categories no longer provide meaningful value. The MEDIUM and LOW categories contain no remaining ciphers.
The enabledCiphers attribute now has two mutually exclusive modes: (1) Specify a custom list of ciphers separated by spaces, or (2) Specify filter criteria to add (+) or remove (-) cipher suites from the effective JDK cipher list. If the value set in enabledCiphers contains a static entry and a +/- entry, an error is logged, and the server ignores the enabledCiphers value by returning the effective JDK cipher list.
Existing Usage: A user sets securityLevel as HIGH
<ssl id="defaultSSL" securityLevel=HIGH/>The securityLevel attribute is now ignored, so the previous <ssl> configuration is treated equivalently to the configuration shown here where there is no securityLevel attribute configured.
<ssl id="defaultSSL"/>Existing Usage: A user specifies all ciphers from the effective JDK list, excluding all TLS_RSA ciphers except for one (TLS_RSA_WITH_AES_128_GCM_SHA256)
<ssl id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256">Example with new syntax: Use wildcards to achieve the same logic
<ssl id="defaultSSL" enabledCiphers="-TLS_RSA* +TLS_RSA_WITH_AES_128_GCM_SHA256"/>To learn more about Transport Security, see SSL Constants Javadoc, JSSEProvider Javadoc, and SSL Configuration Reference.
Security vulnerability (CVE) fixes in this release
| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
|---|---|---|---|---|
7.5 |
Identity spoofing |
17.0.0.3-26.0.0.4 |
For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.
Notable bugs fixed in this release
We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.5.
Get Open Liberty 26.0.0.5 now
Available through Maven, Gradle, Docker, and as a downloadable archive.
