Open Liberty

Enhanced JWT validation, Java 26 support, and more in 26.0.0.4

2026-04-21T00:00:00+00:00

This release introduces support for selecting JWT signature algorithms from JOSE headers and adds Java 26 support. It also removes the default LTPA keys password for enhanced security, and includes file transfer restrictions and security vulnerability fixes.

In Open Liberty 26.0.0.4:

File Transfer changes for 26.0.0.4
Default LTPA keys password removal
Support selecting JWT signature and decryption algorithms from JOSE header
Support for Java 26
displayCustomizedExceptionText property
Security Vulnerability (CVE) Fixes

View the list of fixed bugs in 26.0.0.4.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.4

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code, or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging, and application management all from within your IDE.

File Transfer changes for 26.0.0.4

Liberty’s FileService MBean provided by the restConnector-2.0 feature now includes an extra blocklist attribute. This attribute is configured by the config element in the server.xml file. The default value of this attribute is ${server.output.dir}/resources/security. This behavior change resolves the security vulnerability CVE-2025-14915, by restricting default FileTransfer access to ${server.output.dir}/resources/security.

If FileTransfer access to ${server.output.dir}/resources/security is required, the original behavior can be restored by setting an empty blocklist.

For more information, see the documentation.

Default LTPA keys password removal

The default LTPA keys password is removed to resolve the security vulnerability CVE-2025-14917.

Previously, a default password for the LTPA keys was used when the keysPassword attribute was not defined in the element. With this change, the default password is no longer supported.

For existing servers, if the LTPA keys password is not configured in the server.xml file, the keystore_password in the server.env file is used. This value re-encrypts the LTPA keys in the ltpa.keys file. The LTPA keys themselves are not impacted. The keystore_password is configured in the server.env file during server creation unless the --no-password option is used with the server create command.

If a keysPassword is not defined in the element in the server.xml file and a keystore_password is not defined in the server.env file, the LTPA service fails. The following error message is displayed:

CWWKS4118E: LTPA configuration error. A keysPassword attribute is not configured on the  element, the 'ltpa_keys_password' environment variable is not set, and the 'keystore_password' environment variable is not set.

Confirm that an LTPA keys password is set up by doing the following steps:

Check to see whether a keysPassword attribute is provided for the element in the server.xml file (for example, ).
- If it is provided, this update does not affect you and no further action is needed.
- If it is not provided, do not add it and proceed to the next step.
Check to see whether the keystore_password environment variable exists in the server.env file (for example, keystore_password=myKeystorePassword).
- If it exists, then the keystore_password is used to reencrypt the LTPA keys that were previously encrypted with the default keysPassword when the server starts.
- If it does not exist, proceed to the next step.
Add the following environment variable to the server.env file (ensure you use the keystore_password here and not the ltpa_keys_password described in the next section for new servers):
```
keystore_password=your-desired-password
```
- The keystore_password is used to reencrypt the LTPA keys that were previously encrypted with the default keysPassword when the server starts.

For new servers, a new ltpa_keys_password is randomly generated during server creation. It is stored in the server.env file unless the --no-password option is specified with the server create command. The randomly generated ltpa_keys_password is used if the keysPassword attribute is not defined for the element.

For more information, see the LTPA configuration element.

Support selecting JWT signature and decryption algorithms from JOSE header

JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token header.

Previously, only one single signature algorithm (for example, RS256) was able to be configured for each configuration in the server.xml file. If the incoming JWT was signed with a different algorithm, validation would fail. This update allows the signature algorithm from the JWT header to be used for validation. It provides the flexibility of using different signature algorithms within a single configuration.

How to use

To enable signature algorithm selection from the header, set the signatureAlgorithm attribute to FROM_HEADER and optionally configure the allowedSignatureAlgorithms attribute to specify which algorithms are permitted.

If allowedSignatureAlgorithms is not configured, the default list contains all Open Liberty-supported signature algorithms: RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, and ES512.

When using FROM_HEADER with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., RS256_keyalias) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT’s header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the trustedAlias attribute (for jwtConsumer) or trustAliasName attribute (for openidConnectClient, oidcLogin and mpJwt), if configured.

See the following server.xml file configurations for examples on how to apply these settings to the supported elements:


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>

Learn more

Server configurations:

Documentation:

Support for Java 26

Java 26 is a recent Java release that introduces new features and enhancements over earlier versions that can be useful to review. This release is not a long-term support (LTS) release.

There are 10 new features (JEPs) in Java 26. Five are test features and five are fully delivered.

Test Features:

Delivered Features:

500: Prepare to Make Final Mean Final
504: Remove the Applet API
516: Ahead-of-Time Object Caching with Any GC
517: HTTP/3 for the HTTP Client API
522: G1 GC: Improve Throughput by Reducing Synchronization

A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation when using deep reflection. In Java 26, such mutations still work but trigger runtime warnings by default, preparing developers for stricter enforcement. Future releases would likely throw exceptions instead, making the final truly nonmutable.

Developers can opt in early to this stricter behavior by using a JVM flag (for example, --illegal-final-field-mutation=deny) to detect issues sooner. This change improves program correctness, security, and JVM optimizations.

Take advantage of these changes now to gain more time to evaluate how your applications and microservices behave on Java 26.

Get started today by downloading the latest release of IBM Semeru Runtime 26 or Temurin 26, then download and install the Open Liberty 26.0.0.4. Update your Liberty server’s server.env file with JAVA_HOME set to your Java 26 installation directory and start testing.

For more information on Java 26, see the Java 26 release notes page and API Javadoc page.

displayCustomizedExceptionText property

This release adds documentation and tests for the displayCustomizedExceptionText configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.

The feature is enabled through simple server.xml file configuration, where custom messages can be mapped to specific HTTP status codes (403 and 500).

Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.

 displaycustomizedexceptiontext="Custom error message"/>

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2025-14915	6.5	Privilege escalation	17.0.0.3-26.0.0.3	Affects the `restConnector-2.0` feature
CVE-2025-14917	6.7	Weaker security	17.0.0.3-26.0.0.3	Affects the `appSecurity-1.0`, `appSecurity-2.0`, `appSecurity-3.0`, `appSecurity-4.0`, and `appSecurity-5.0` features
CVE-2026-1561	5.4	Server-side request forgery	17.0.0.3-26.0.0.3	Affects the `samlWeb-2.0` feature
CVE-2026-29063	8.7	Prototype pollution	17.0.0.3-26.0.0.3	Affects the `openapi-3.1`, `mpOpenAPI-1.0`, `mpOpenAPI-1.1`, `mpOpenAPI-2.0`, `mpOpenAPI-3.0`, `mpOpenAPI-3.1`, `mpOpenAPI-4.0` and `mpOpenAPI-4.1` features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 26.0.0.4 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Jakarta EE 11 Platform, Java 26, and more in 26.0.0.4-beta

2026-04-07T00:00:00+00:00

This beta introduces Jakarta EE 11 Platform and Web Profile, and delivers enhancements across Jakarta Authentication 3.1, Jakarta Authorization 3.0, and Jakarta Security 4.0. In addition, it provides a preview of Jakarta Data 1.1 M2, support for Java 26, MCP Server updates, and Jandex index improvements.

The Open Liberty 26.0.0.4-beta includes the following beta features (along with all GA features):

Jakarta EE 11 Platform and Web Profile
Beta support for Java 26
Updates to mcpServer-1.0
Preview of some Jakarta Data 1.1 M2 capability
Support for Reading Jandex Indexes from WEB-INF/classes in Web Modules

Jakarta EE 11 Platform and Web Profile

Open Liberty 24.0.0.11-beta was one of the ratifying implementations for Jakarta EE 11 Core Profile. Building on that foundation, the 26.0.0.4-beta release completes Jakarta EE 11 beta support, including Jakarta EE Application Client 11.0, Jakarta EE Web Profile 11.0, and Jakarta EE Platform 11.0.

Liberty provides convenience features that bundle all component specifications in the Jakarta EE Web Profile and Jakarta EE Platform. The webProfile-11.0 Liberty feature includes all Jakarta EE Web Profile functions, including the new Jakarta Data 1.0 component. The jakartaee-11.0 Liberty feature provides the Jakarta EE Platform version 11 implementation. For Jakarta EE 11 features in the application client, use the jakartaeeClient-11.0 Liberty feature.

These convenience features enable developers to rapidly develop applications using all APIs in the Web Profile and Platform specifications. Unlike the jakartaee-10.0 Liberty feature, the jakartaee-11.0 Liberty feature does not enable the Managed Beans specification function any longer, as this specification was removed from the platform which includes removal of the jakarta.annotation.ManagedBean annotation API. Applications relying on the @ManagedBean annotation must migrate to use CDI annotations.

The Jakarta EE 11 Platform specification removes all optional specifications from the platform, meaning Jakarta SOAP with Attachments, XML Binding, XML Web Services, and Enterprise Beans 2.x APIs functions are not included with the jakartaee-11.0 Liberty feature. To use these capabilities, explicitly add Liberty features to your server.xml feature list: xmlBinding-4.0 for XML Binding, xmlWS-4.0 for SOAP with Attachments and XML Web Services, and enterpriseBeansHome-4.0 for Jakarta Enterprise Beans 2.x APIs. Alternatively, use the equivalent versionless features with the jakartaee-11.0 platform.

When using the Liberty application client with the jakartaeeClient-11.0 feature, Jakarta SOAP with Attachments, XML Binding, and XML Web Services client functions are not available. To continue using these functions in your Liberty application client, enable the xmlBinding-4.0 and the new xmlWSClient-4.0 features in your client.xml file.

To enable the Jakarta EE 11 beta features in your Liberty server’s server.xml:

  
    jakartaee-11.0

Or you can add the Web Profile convenience feature to enable all of the Jakarta EE 11 Web Profile beta features at once:

  
    webProfile-11.0

You can enable the Jakarta EE 11 features on the Application Client Container in the client.xml:

 
       jakartaeeClient-11.0

For more information, see the Jakarta EE Platform 11 Specification and the Jakarta EE Web Profile 11 Specification.

Application Authentication 3.1 (Jakarta Authentication 3.1)

Jakarta Authentication defines a general SPI for authentication mechanisms, which are controllers that interact with a caller and the container’s environment to obtain and validate the caller’s credentials. It then passes an authenticated identity (such as name and groups) to the container.

The 3.1 version of the Jakarta Authentication API removes the deprecated Permission-related fields in the jakarta.security.auth.message.config.AuthConfigFactory class. The methods in the class no longer do permission checking also. These changes are part of Jakarta EE 11’s removal of SecurityManager support.

You can enable the Jakarta Authentication 3.1 feature by adding the appAuthentication-3.1 Liberty feature in the server.xml file:

    
        appAuthentication-3.1

For more information, see the Jakarta Authentication 3.1 specification and javadoc.

Application Authorization 3.0 (Jakarta Authorization 3.0)

Jakarta Authorization defines an SPI for authorization modules, which are repositories of permissions that facilitate subject-based security by determining whether a subject has a specific permission. It also defines algorithms that transform security constraints for specific containers, such as Jakarta Servlet or Jakarta Enterprise Beans, into these permissions.

The 3.0 API introduces the new jakarta.security.jacc.PolicyFactory and jakarta.security.jacc.Policy classes for doing authorization decisions. These classes are added to remove the dependency on the java.security.Policy class, which is deprecated in newer versions of Java. With the new PolicyFactory API, now you can have a Policy per policy context instead of having a global policy. This design allows separate policies to be maintained for each application.

Additionally, the 3.0 specification defines a mechanism to define PolicyConfigurationFactory and PolicyFactory classes in your application by using a web.xml file. This design allows for an application to have a different configuration than the server-scoped one, but still allow for it to delegate to a server scoped factory for any other applications. Authorization modules can do this delegation by using decorator constructors for both PolicyConfigurationFactory and PolicyFactory classes.

To configure your authorization modules in your application’s web.xml file, add specification defined context parameters:


 xmlns="https://jakarta.ee/xml/ns/jakartaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_1.xsd"
  version="6.1">

  
    jakarta.security.jacc.PolicyConfigurationFactory.provider
    com.example.MyPolicyConfigurationFactory
  

  
    jakarta.security.jacc.PolicyFactory.provider
    com.example.MyPolicyFactory

Due to Jakarta Authorization 3.0 no longer using the java.security.Policy class and introducing a new configuration mechanism for authorization modules, the com.ibm.wsspi.security.authorization.jacc.ProviderService Liberty API is no longer available with the appAuthorization-3.0 feature. If a Liberty user feature configures authorization modules, the OSGi service that provided a ProviderService implementation must be updated to use the PolicyConfigurationFactory and PolicyFactory set methods. These methods configure the modules in the OSGi service. Alternatively you can use a Web Application Bundle (WAB) in your user feature to specify your security modules in a web.xml file.

Finally, the 3.0 API adds a new jakarta.security.jacc.PrincipalMapper class that you can obtain from the PolicyContext class when authorization processing is done in your Policy implementation. From this class, you can obtain the roles that are associated with a specific Subject to be able to determine whether the Subject is in the required role.

You can use the PrincipalMapper class in your Policy implementation’s impliesByRole (or implies) method, as shown in the following example:

    public boolean impliesByRole(Permission p, Subject subject) {
        Map<String, PermissionCollection> perRolePermissions =
            PolicyConfigurationFactory.get().getPolicyConfiguration(contextID).getPerRolePermissions();
        PrincipalMapper principalMapper = PolicyContext.get(PolicyContext.PRINCIPAL_MAPPER);

        // Check to see if the Permission is in the all authenticated users role (**)
        if (!principalMapper.isAnyAuthenticatedUserRoleMapped() && !subject.getPrincipals().isEmpty()) {
            PermissionCollection rolePermissions = perRolePermissions.get("**");
            if (rolePermissions != null && rolePermissions.implies(p)) {
                return true;
            }
        }

        // Check to see if the roles for the Subject provided imply the permission
        Set<String> mappedRoles = principalMapper.getMappedRoles(subject);
        for (String mappedRole : mappedRoles) {
            PermissionCollection rolePermissions = perRolePermissions.get(mappedRole);
            if (rolePermissions != null && rolePermissions.implies(p)) {
                return true;
            }
        }
        return false;
    }

You can enable the Jakarta Authorization 3.0 feature by adding the appAuthorization-3.0 Liberty feature in the server.xml file:

    
        appAuthorization-3.0

For more information, see the Jakarta Authorization 3.0 specification and javadoc.

Application Security 6.0 (Jakarta Security 4.0)

An In-memory Identity Store is a developer-defined store of credential information that is used during the Open Liberty authentication and authorization work flow. It provides a quick, simple, and convenient authentication mechanism for Liberty application testing, debugging, demos, and more.

Multiple HTTP Authentication Mechanisms (HAMs) can now be defined within the same application. These mechanisms can be specified through built-in Jakarta annotations such as @FormAuthenticationMechanismDefinition or through custom implementations of the HttpAuthenticationMechanism interface.
A new method is added to the SecurityContext interface called getAllDeclaredCallerRoles(), which returns a list of all static (declared) application roles that the authenticated caller is in.
References to the IdentityStorePermission class are removed as it was previously deprecated.

All features are available as part of appSecurity-6.0.

All feature use cases are targeted towards Jakarta EE web application developers who want to move to a modern Jakarta version and use implementations of the Jakarta Security 4.0 specification.

In-memory identity store

Before the introduction of the new identity store specification, Jakarta Security natively supported only two types of identity stores: database and LDAP, both of which are used for credential validation. While effective for production environments, these options were considered heavyweight for testing, debugging, and demonstration scenarios.

Developers can also implement custom identity stores, but doing so requires bespoke code to collect, validate, and manage credential information. This effort can divert attention from core application development. A built-in, in-memory identity store reduces this burden for non-production use cases such as testing, debugging, and demonstrations.

Multiple HAMs

It is now possible for multiple authentication mechanisms to logically act as a single HTTP Authentication Mechanism (HAM), providing a more flexible, dynamic, and configurable approach to the authentication workflow.

Access to the HttpAuthenticationMechanism is now abstracted by an internal implementation of the new Jakarta HttpAuthenticationMechanismHandler interface. This implementation prioritizes custom‑defined HAMs first and then falls back to the built‑in (annotation‑defined) HAMs, in the following order: OpenID, custom form, form, and basic authentication mechanisms.

Developers are free to provide their own implementation of the HttpAuthenticationMechanismHandler, allowing them to define a custom prioritization strategy for selecting HAMs. They must supply such an implementation if any built‑in HAMs are defined with the optional qualifiers attribute set.

getAllDeclaredCallerRoles()

The SecurityContext interface implementation is updated to include a new method, getAllDeclaredCallerRoles(), which returns a list of the declared application roles for an authenticated caller. If the caller is not authenticated or has no declared roles, the method returns an empty list.

How to use

Enable Jakarta Security 4.0 features within the server.xml file by adding the appSecurity-6.0 feature as shown in the following example:

 description = "Liberty server">

    . . .

    
        appSecurity-6.0
    

     allowInMemoryIdentityStores="true"/>

    . . .

As shown in the preceding example, when an application defines an in‑memory identity store in code, its use must also be explicitly enabled in the server.xml configuration. By default, the allowInMemoryIdentityStores attribute is set to false, which instructs the Liberty authentication workflows not to use in‑memory identity stores, even when a custom identity store handler is present. For applications that rely on multiple HAMs, the allowInMemoryIdentityStores attribute does not need to be set.

In-Memory Identity Store

The Jakarta Security Specification 4.0 provides details on how to specify credential information to be used during the authentication workflow through the new @InMemoryIdentityStoreDefinition annotation, as shown in the following example:

. . .

@InMemoryIdentityStoreDefinition (
    priority = 10,
    priorityExpression = "${80/20}",
    useFor = {VALIDATE, PROVIDE_GROUPS},
    useForExpression = "#{'VALIDATE'}",
    value = {
        @Credentials(callerName = "jasmine", password = "secret1", groups = { "caller", "user" } )
    }
)

All attributes for the @InMemoryIdentityStoreDefinition annotation are shown in the example. The priority, priorityExpression, useFor, and useForExpression attributes are optional and set to sensible defaults.

The @Credentials annotation maps one or more caller names to a password and optional group values. The callerName and password attributes are mandatory. If either one is omitted, a compilation error occurs.

The example demonstrates a single caller definition with credential information that uses a plain-text password. However, it is highly recommended that passwords be supplied that uses an Open Liberty–supported encoding mechanism, as illustrated in the next example.

@InMemoryIdentityStoreDefinition (
    value = {
        @Credentials(callerName = "jasmine",  password = "{xor}LDo8LTorbg==", groups = { "caller", "user" } ),
        @Credentials(callerName = "frank", groups = { "user" }, password = "{hash}ARAAA  Fyyw=="),
        @Credentials(callerName = "sally", groups = { "user" }, password = "{aes}ARAFIYJ  WRQNA==")
    }
)

Encrypted and encoded passwords can be generated by using the Open Liberty securityUtility, which is included under the wlp/bin/securityUtility path. The following example demonstrates how to encode a text string by using the xor encoding mechanism.

wlp/bin/securityUtility encode --encoding=xor
Enter text: 
Re-enter text:
{xor}PTA9Lyg

Multiple HAMs

Application Specification

The Jakarta Security 4.0 specification allows multiple HTTP Authentication Mechanisms (HAMs) to be defined within a single application, as shown in the following example:

@BasicAuthenticationMechanismDefinition(realmName="basicAuth")

@FormAuthenticationMechanismDefinition(
                loginToContinue = @LoginToContinue(errorPage = "/form-login-error.html",
                loginPage = "/form-login.html"))

@CustomFormAuthenticationMechanismDefinition(
                loginToContinue = @LoginToContinue(errorPage = "/custom-login-error.html",
                loginPage = "/custom-login.html"))

This example demonstrates how three HTTP Authentication Mechanisms (HAMs) can be defined within a single application.

Custom HAMs can also be defined in the same application by implementing the HttpAuthenticationMechanism interface in one or more classes, as shown in the following example:

@ApplicationScoped
// @Priority is optional and used to control selection priority if multiple custom definitions exist
@Priority(100)
public class CustomHAM implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest(
        HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext httpMessageContext) throws AuthenticationException {

            // implement custom logic here, and return an AuthenticationStatus
            return AuthenticationStatus.NOT_DONE;
    }
}

So a single application can have a mix of both annotation-defined HAMs and custom ones. In the previous two snippets of code, a total of four HAMs are defined (three by annotation and one custom one).

@Priority must be used to raise or lower the priority of one custom HAM over another. If not specified, then a default priority is assigned. If more than one custom HAM is defined, their priorities need to be explicitly set to unique values. If the priorities are set to the same value or remain unset and inherit the same default value, an error occurs.

HAM resolution

An internal implementation of the Jakarta Security 4.0 HttpAuthenticationMechanismHandler interface (the "internal HAM handler") is provided. When an application defines multiple HAMs, this internal handler selects a single HAM to be used in the authentication flow.

The order in which HAMs are considered (when present) is as follows:

Custom (developer‑provided) HAMs
- If multiple custom HAMs are defined, their relative order is resolved by using @Priority.
OpenIdAuthenticationMechanismDefinition
CustomFormAuthenticationMechanismDefinition
FormAuthenticationMechanismDefinition
BasicAuthenticationMechanismDefinition

Given this ordering, the Custom HAM is always selected in the authentication workflow if all five HAM types are defined in the application.

A developer must provide a custom implementation of the HttpAuthenticationMechanismHandler interface (a "custom HAM handler") if the internal HAM handler does not meet their requirements. A custom handler always takes precedence over the internal HAM handler, allowing any tailored algorithm to select a single HAM from multiple available mechanisms. Additional information about creating and using a custom HAM handler is provided in a later section.

Qualifiers

HAMs - whether defined through annotations or as custom defined - can also include an optional class‑level qualifier to simplify HAM injection into a custom HAM handler. For example, if you want to define qualified HAMs, you would first declare qualifier interfaces such as:

@Qualifier
@Retention(RUNTIME)
@Target({TYPE, METHOD, FIELD, PARAMETER})
public @interface Admin {
}

(Not shown is the qualifier definitions for User, Fallback which follow an identical pattern, and are used below).

Then, import and use the qualifiers in your in-built or custom HAM specifications, such as:

@CustomFormAuthenticationMechanismDefinition(, qualifiers={Admin.class})

@BasicAuthenticationMechanismDefinition(, qualifiers={User.class})

and

@ApplicationScoped
@Fallback   // add custom qualifier to be used during injection
public class CustomHAM implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest (. . .)  {
         . . .
    }
}

The three HAMs defined in the example are available for injection into a custom HAM handler based on their qualifier names. This scenario represents the typical use case for applications that define multiple HAMs.

If qualifiers are specified in any of the built-in HAM definitions, a custom HAM handler must be provided; otherwise, an error is raised. This requirement comes directly from the Jakarta Security specification. Details about creating and using a custom HAM handler are explained in the next section.

To implement a custom HAM handler, define a public class that is annotated with @ApplicationScoped that implements the HttpAuthenticationMechanismHandler interface. Also, inject the qualified HAMs by using standard CDI syntax, as shown in the following section:

@Default
@ApplicationScoped
public class CustomHAMHandler implements HttpAuthenticationMechanismHandler {

    @Inject @Admin // this will be the FormHAM
    private HttpAuthenticationMechanism adminHAM;

    @Inject @User // this will be the BasicHAM
    private HttpAuthenticationMechanism userHAM;

    @Inject @Fallback // this will be the Custom HAM
    private HttpAuthenticationMechanism fallbackHAM;

    public AuthenticationStatus validateRequest(
        HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext context
    ) throws AuthenticationException {

        String path = request.getRequestURI();

        // route to appropriate mechanism based on path, default to my-realm
        if (path.startsWith("/admin")) { // FormHAM
            return adminHAM.validateRequest(request, response, context);
        } else if (path.startsWith("/user")) { // BasicHAM
            return userHAM.validateRequest(request, response, context);
        } else { // Custom HAM
            return fallbackHAM.validateRequest(request, response, context);
    }
}

This custom HAM handler takes priority over the internal HAM handler, allowing a different prioritisation algorithm to be implemented.

getAllDeclaredCallerRoles()

To use the new SecurityContext method, inject the SecurityContext implementation into your application and call the method directly, as shown in the following section:

    @Inject
    private SecurityContext securityContext;

. . .

    Set<String> allDeclaredCallerRoles = securityContext.getAllDeclaredCallerRoles();

    System.out.println("All declared caller roles for caller ["
        + securityContext.getCallerPrincipal().getName()
        + "] are "
        + allDeclaredCallerRoles.toString());

Learn more

Further information can be found in the Jakarta Security Specification 4.0:

For more information about the securityUtility command, see the WAS Liberty base topic.

Beta support for Java 26

Java 26 is a recent Java release that introduces new features and enhancements over earlier versions that can be useful to review. This release is not a long-term support (LTS) release.

There are 10 new features (JEPs) in Java 26. Five are test features and five are fully delivered.

Test Features:

Delivered Features:

500: Prepare to Make Final Mean Final
504: Remove the Applet API
516: Ahead-of-Time Object Caching with Any GC
517: HTTP/3 for the HTTP Client API
522: G1 GC: Improve Throughput by Reducing Synchronization

Take advantage of these changes now to gain more time to evaluate how your applications and microservices behave on Java 26.

Get started today by downloading the latest release of IBM Semeru Runtime 26 or Temurin 26, then download and install the Open Liberty 26.0.0.4-beta. Update your Liberty server’s server.env file with JAVA_HOME set to your Java 26 installation directory and start testing.

For more information on Java 26, see the Java 26 release notes page and API Javadoc page.

Updates to `mcpServer-1.0`

The Model Context Protocol (MCP) is an open standard that enables AI applications to access real-time information from external sources. The Liberty MCP Server feature mcpServer-1.0 allows developers to expose the business logic of their applications, allowing it to be integrated into agentic AI workflows.

This beta release of Open Liberty includes updates to the mcpServer-1.0 feature including dynamic registration of tools and support for version 2025-11-25 of the protocol.

Dynamically register MCP tools

Tools can now be registered dynamically through an API. This capability allows the set of available tools on the server to be adjusted based on configuration or environment.

Tools can be registered by injecting ToolManager and calling its methods to add, remove, and list the available tools on the server. The full Javadoc for ToolManager can be found within the Liberty beta in dev/api/ibm/javadoc/io.openliberty.mcp_1.0-javadoc.zip.

Tools can be registered when the application starts through the CDI Startup event. See the following example where the Startup event is used to register a weather forecast tool only if a WeatherClient bean is available.

    @Inject
    ToolManager toolManager;

    @Inject
    Instance weatherClientInstance;

    private void createWeatherTool(@Observes Startup startup) {
        if (weatherClientInstance.isResolvable()) {
            WeatherClient weatherClient = weatherClientInstance.get();
            toolManager.newTool("getForecast")
                       .setTitle("Weather Forecast Provider")
                       .setDescription("Get weather forecast for a location")
                       .addArgument("latitude", "Latitude of the location", true, Double.class)
                       .addArgument("longitude", "Longitude of the location", true, Double.class)
                       .setHandler(toolArguments -> {
                           Double latitude = (Double) toolArguments.args().get("latitude");
                           Double longitude = (Double) toolArguments.args().get("longitude");
                           String result = weatherClient.getForecast(
                                     latitude,
                                     longitude,
                                     4,
                                     "temperature_2m,snowfall,rain,precipitation,precipitation_probability");
                           return ToolResponse.success(result);
                       })
                       .register();
        }
    }

Tool registration starts with newTool(), then the information about the tool is added, including its title, description, and arguments. The handler supplies the code to run when the tool is called. It has one parameter, which is a ToolArguments object, which provides access to the arguments and other information about the tool call request. The handler must always create and return a ToolResponse.

Accept the 2025-11-25 MCP protocol

The mcpServer-1.0 feature now accepts version 2025-11-25 of the Model Context Protocol (MCP), although it does not support any new features introduced in this version of the protocol.

Supporting MCP 2025-11-25 introduces two notable behavior changes:

Tool name restrictions: Tool names are now limited to ASCII letters ('A–Z, a–z'), digits ('0–9'), and the underscore ('_'), hyphen ('-'), and dot ('.') characters.
Improved handling of invalid tool arguments: Invalid arguments passed when invoking a tool are now treated as tool execution errors rather than protocol errors. This change allows the LLM to receive feedback that the tool was called incorrectly and to retry with corrected arguments.

Paginated results

The result of a tools/list call is now paginated with a page size of 20. This means that if there are more than 20 tools deployed on the server, clients make several small calls to retrieve the list of tools, rather than one large call.

Bug fixes

During cancellation of a tool call, we check that both the session id and the authenticated user match the session id and the user that made the tool call. Previously only the session id was checked.
Messages that are returned to the MCP client no longer contain Open Liberty message codes.
Structured content is only returned when client is using protocol version 2025-06-18 or later.

Further information

For more information about the mcpServer-1.0 feature and how to get started using the beta, see our dedicated blog post.
For more information about the Model Context Protocol, see modelcontextprotocol.io

Preview of some Jakarta Data 1.1 M2 capability

Previews some new capability at the Jakarta Data 1.1 Milestone 2 level: Constraint subtype parameters for repository methods that constrain to repository @Find operations and limited use of Restriction with repository @Find operations. Also included from the prior beta are: retrieving a subset/projection of entity attributes and the @Is annotation.

Previously, parameter-based @Find reposotory methods could filter results only using equality conditions. This limitation has now been removed, allowing additional filtering options to be defined.

Filtering can now be specified in several ways. One approach is to define the repository method parameter as a Constraint subtype, or to indicate the constraint subtype by using the @Is annotation. Alternatively, a repository @Find method can include a special parameter of type Restriction, allowing the application to supply one or more restrictions dynamically at runtime when the method is invoked.

In Jakarta Data, you define simple Java objects called entities to represent data, and interfaces called repositories to define data operations. You inject a repository into your application and use it. The implementation of the repository is automatically provided.

Start by defining an entity class that corresponds to your data. With relational databases, the entity class corresponds to a database table and the entity properties (public methods and fields of the entity class) generally correspond to the columns of the table. An entity class can be:

annotated with jakarta.persistence.Entity and related annotations from Jakarta Persistence
a Java class without entity annotations, in which case the primary key is inferred from an entity property named id or ending with Id and an entity property named version designates an automatically incremented version column.

Here’s a simple entity:

@Entity
public class Product {
    @Id
    public long id;

    public String name;

    public double price;

    public double weight;
}

After you define the entity to represent the data, it is usually helpful to have your IDE generate a static metamodel class for it. By convention, static metamodel classes begin with the underscore ('_') character, followed by the entity name.

Because this beta is available well before the release of Jakarta Data 1.1, IDE support for this generation cannot be expected yet. However, a static metamodel class can be provided in the same form that an IDE would generate for the Product entity.

@StaticMetamodel(Product.class)
public interface _Product {
    String ID = "id";
    String NAME = "name";
    String PRICE = "price";
    String WEIGHT = "weight";

    NumericAttributeLong> id = NumericAttribute.of(
            Product.class, ID, long.class);
    TextAttribute name = TextAttribute.of(
            Product.class, NAME);
    NumericAttributeDouble> price = NumericAttribute.of(
            Product.class, PRICE, double.class);
    NumericAttributeDouble> weight = NumericAttribute.of(
            Product.class, WEIGHT, double.class);
}

The first half of the static metamodel class includes constants for each of the entity attribute names so that you don’t need to otherwise hardcode string values into your application. The second half of the static metamodel class provides a special instance for each entity attribute, from which you can build restrictions and sorting to apply to queries at run time. This capability enables many powerful operations with repository queries, but those features are deferred to a future beta.

A repository defines operations that are related to the Product entity. Your repository interface can inherit from built-in interfaces such as BasicRepository and CrudRepository to gain various general-purpose repository methods for inserting, updating, deleting, and querying for entities. In addition to these capabilities, the repository can define custom operations by using the static metamodel and annotations such as @Find or @Delete.

@Repository(dataStore = "java:app/jdbc/my-example-data")
public interface Products extends CrudRepositoryLong> {

    // Filtering is pre-defined at development time by the @Is annotation,
    @Find
    @OrderBy(_Product.PRICE)
    @OrderBy(_Product.NAME)
    List costingUpTo(@By(_Product.PRICE) @Is(AtMost.class) double maxPrice);

    // Constraint types, such as Like, can also pre-define filtering.
    // Allow additional filtering at run time by including a Restriction,
    @Find
    Page named(@By(_Product.Name) Like namePattern,
                        Restriction filter,
                        Order sorting,
                        PageRequest pageRequest);

    // Retrieve a single entity attribute, identified by @Select,
    @Find
    @Select(_Product.PRICE)
    Optional<Double> priceOf(@By(_Product.ID) long productNum);

    // Retrieve multiple entity attributes as a Java record,
    @Find
    @Select(_Product.WEIGHT)
    @Select(_Product.NAME)
    Optional weightAndNameOf(@By(_Product.ID) long productNum);

    static record WeightInfo(double itemWeight, String itemName) {}
}

Here is an example of using the repository and static metamodel:

@DataSourceDefinition(name = "java:app/jdbc/my-example-data",
                      className = "org.postgresql.xa.PGXADataSource",
                      databaseName = "ExampleDB",
                      serverName = "localhost",
                      portNumber = 5432,
                      user = "${example.database.user}",
                      password = "${example.database.password}")
public class MyServlet extends HttpServlet {
    @Inject
    Products products;

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Insert:
        Product prod = ...
        prod = products.insert(prod);

        // Filter by supplying values only:
        List found = products.costingUpTo(50.0, "%keyboard%");

        // Compute filtering at run time,
        Page page1 = products.named(
                        Like.suffix("printer"),
                        Restrict.all(_Product.price.times(taxRate).plus(shipping).lessThan(250.0),
                                     _Product.weight.times(kgToPounds).between(10.0, 20.0)),
                        Order.by(_Product.price.desc(),
                                 _Product.name.asc(),
                                 _Product.id.asc()),
                        PageRequest.ofSize(10));

        // Find one entity attribute:
        price = products.priceOf(prod.id).orElseThrow();

        // Find multiple entity attributes as a Java record:
        WeightInfo info = products.getWeightAndName(prod.id);
        System.out.println(info.itemName() + " weighs " + info.itemWeight() + " kg.");

        ...
    }
}

Learn more

Jakarta Data 1.1 API Javadoc
Jakarta Data 1.1 overview page

Maven coordinates for Data 1.1 Milestone 2:


    jakarta.data
    jakarta.data-api
    1.1.0-M2

This beta includes only the Data 1.1 features for entity subsets and projections, the @Is annotation, and Constraint subtypes as parameters for repository Find methods. It also includes limited support for Restriction as a special parameter for repository Find methods. The navigate operations are not implemented for restrictions and constraints. Other new Data 1.1 features are not included in this beta.

Support for Reading Jandex Indexes from WEB-INF/classes in Web Modules.

Previously, Jandex indexes across all module types were read only from META-INF/jandex.idx. This update extends support for web modules to also read indexes from WEB-INF/classes/META-INF/jandex.idx, bringing it in line with industry practices.

Jandex indexes are read from the original or the new location only when Jandex use is enabled. For compatibility with earlier versions, reading indexes from the new location must be enabled using a new application property.

Benefits

Improved Compatibility: Improve compatibility with industry standard practices.
Faster Startup Times: Continue to benefit from Jandex’s efficient annotation indexing.

Target Persona

Customers who wish to place Jandex indexes at industry standard locations in their web modules.

Target Features

This update applies to the scanning of classes within applications. Class scanning (which includes annotation scanning) is a general purpose function that is used by many features.

Problem Description

To gather information about application classes, including annotation data, the classes must be scanned. This scanning process is expensive because the entire application must be read and processed.

To improve performance, class scanning can be performed during application packaging, with the scan results stored in an index within the application. Jandex provides this capability.

Jandex scan results are typically written to META-INF/jandex.idx.

For JAR files, this path is relative to the root of the JAR. For WAR files, however, the META-INF/jandex.idx path can have two interpretations: it can be relative to the root of the WAR file, or relative to the WEB-INF/classes directory.

Before this update, Liberty used the location relative to the root of the WAR file. However, industry-standard practices place the location relative to the WEB-INF/classes directory. This update enables Liberty to also use the WEB-INF/classes location.

How to Use

Support for reading Jandex indexes under WEB-INF/classes is enabled by a new property on the application and applicationManager elements:

Property: useJandexUnderClasses
Description: Enables use of a Jandex index for WAR WEB-INF/classes under /WEB-INF/classes/META-INF/jandex.idx.
Possible values: true | false
Default value: false

Example: applicationManager

 useJandex="true" useJandexUnderClasses="true"/>

Example: application

 location="TestServlet40.ear" useJandex="true" useJandexUnderClasses="true"/>

When the new property is placed on an application manager element, it applies to all web modules of all applications. When the new property is placed on an application element, the property applies to only that application. If the property is set on both the application manager element and an application element, the value on the application element overrides the value on the application manager element for that application.

Limitation

Jandex index support requires explicit enablement. See the useJandex property on applicationManager and on application elements. The new useJandexUnderClasses property is meaningful only if the useJandex property is true.

For compatibility with earlier versions, reads of Jandex from the new location require explicit enablement. See the new useJandexUnderClasses property, as documented previously. Explicit enablement is required to prevent applications from accidentally reading an out of date Jandex index from the new location. An out of date Jandex index might cause application errors that are hard to detect.

The name of the new property, useJandexUnderClasses, is subject to revision.

Learn More

Try it now

To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. To enable the MCP server feature, follow the instructions from MCP standalone blog. The beta works with Java SE 25, Java SE 21, Java SE 17, Java SE 11, and Java SE 8.

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.4-beta
          zip

You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. For example, the following block adds dependencies for two example beta APIs:


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.4-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

UserRegistry Attribute Reader Enhancement, Jandex Index Format Support Update and more in 26.0.0.3

2026-03-24T00:00:00+00:00

This release introduces UserRegistry Attribute Reader APIs for retrieving user attributes from LDAP and custom registries, and adds support for Jandex index formats 11-13 to improve application startup performance. Other highlights include changes to AES encoding and fixes for security vulnerabilities and bugs.

In Open Liberty 26.0.0.3:

UserRegistry Attribute Reader Enhancement
Jandex Index Format Support Update
AES encoding changes
Security Vulnerability (CVE) Fixes
Notable bug fixes

View the list of fixed bugs in 26.0.0.3.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.3

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

UserRegistry Attribute Reader Enhancement

The UserRegistry API provides applications with the ability to retrieve specific user attributes and search for users based on attribute values directly from LDAP and custom user registries.

What’s New?

Previously, the UserRegistry API supported only basic user lookups such as searching by userSecurityName or by using wildcard pattern matching. However, it did not allow applications to retrieve specific user attributes or search for users based on attribute values. These capabilities were available in traditional WebSphere through the VMM API. The introduction of these two new APIs now enables applications to search for users and retrieve attributes from LDAP and custom user registries.

With this enhancement, you can now retrieve specific attributes for a user by using the getAttributesForUser() method. This method supports retrieval of individual attributes such as email or phoneNumber, or "*" to retrieve all available attributes for a user.

You can also search for users based on attribute values by using the getUsersByAttribute() method, enabling applications to locate users by matching specific attribute criteria. These methods are supported for LDAP user registries. Custom user registry implementations can also implement and support these methods.

How to Use It

New API methods added to UserRegistry.java:

default Map getAttributesForUser(String userSecurityName, Set attributeNames)

Description: Returns a Map containing the specified attributesNames and their corresponding values for the given userSecurityName, as configured in the LDAP user registry.

UserRegistry ur = RegistryHelper.getUserRegistry("realmName");

// valid ldap attribute names
Set<String> attributeNames = Set.of("telephoneNumber", "uid", "mail");  // or "*" for retrieving all attributes
Map<String, Object> result = ur.getAttributesForUser("testuser", attributeNames);

// output in trace.log
> getAttributesForUser Entry
  testuser
  [telephoneNumber, uid, mail]

< getAttributesForUser Exit
  {uid=testuser, mail=testuser@example.com, telephoneNumber=}

default SearchResult getUsersByAttribute(String attributeName, String value, int limit)

Description: Returns a SearchResult object that contains a list of users that match an attributeName with specified value that is configured in the LDAP user registry.

UserRegistry ur = RegistryHelper.getUserRegistry("realmName");

SearchResult searchResult = ur.getUsersByAttribute("email", "testuser@example.com", 1);

// output in trace.log
> getUsersByAttribute Entry
  email
  testuser@example.com
  1

< getUsersByAttribute Exit
  SearchResult hasMore=false [testuser]

To learn more about the user registry, see the following resources:

Jandex Index Format Support Update

Open Liberty now supports the latest Jandex index formats, allowing the use of Jandex indexes that are created with Jandex version 3.1.0 and later. Jandex is a space‑efficient Java annotation indexer and offline reflection library that improves application startup performance by pre‑indexing class metadata.

This feature targets application developers and DevOps engineers who work with Jakarta EE and MicroProfile applications. It is designed to optimize application startup times and reduce runtime costs.

What’s New?

With this update, Open Liberty supports Jandex index formats 11, 12, and 13. Jandex versions 3.1.0 through the current latest version, 3.5.3, generate indexes that use these formats.

Previously, Open Liberty supported Jandex index format versions only up to and including version 10. This index format limitation meant that applications packaged with Jandex indexes could not use index formats beyond version 10 while retaining the expected performance improvements. To preserve these performance benefits, build tooling had to continue using a Jandex version prior to 3.1.0, or explicitly configure Jandex index generation to produce indexes that use index format up to and including version 10.

Benefits

The added support for Jandex index formats has several benefits:

Improved Compatibility: Works seamlessly with the latest versions of build tools and frameworks that use newer Jandex versions
Faster Startup Times: Continue to benefit from Jandex’s efficient annotation indexing without version constraints
Reduced Maintenance: No need to maintain multiple Jandex versions or regenerate indexes for compatibility
Future-Proof: Stay current with the Jandex ecosystem as it evolves

Limitations

When using Jandex indexes, ensure that the index files are kept up to date with the application classes. If a Jandex index is not synchronized with the application classes, it can contain incorrect annotation data, which can cause the application to function incorrectly. Out‑of‑date Jandex indexes cannot be reliably detected.

Open Liberty does not read index formats higher than index format 13. If a new version of Jandex adds a higher index format version, Open Liberty requires an update before it can read Jandex indexes that use the higher index format version.

The Open Liberty feature mpGraphQL, which is obtained from an external source, is limited to reading Jandex index formats no higher than index format 10. If the feature mpGraphQL is used, Jandex indexes should be generated by using index format 10. This limitation applies to all current versions of mpGraphQL, including the current highest version, mpGraphQL-2.0.

Lifting Restriction

Previously, when Jandex usage was enabled and an application included Jandex indexes that used formats 11 through 13, Open Liberty displayed an error message and ignored those indexes. In such cases, annotation scanning was performed by using Liberty’s internal annotation scanning mechanism.

With the addition of support for Jandex index formats 11 through 13, Open Liberty now uses indexes that are generated in these formats. These indexes must be kept up to date with the application classes. Ensure that the Jandex indexes packaged with your application accurately reflect the current application classes.

How to Use

No configuration changes are required in the server.xml file to enable support for the new Jandex index formats. Open Liberty automatically detects the Jandex index format and selects the appropriate index reader for that format. It reads indexes that use formats 11, 12, and 13, and continues to support indexes that use format up to version 10.

By default, Jandex usage is disabled. To enable Jandex, set the useJandex property to true in either an application element or the applicationManager element.

If you are generating Jandex indexes as part of your build process, you can now use the latest Jandex Maven plugin or Gradle plugin versions:

Maven Example:


    io.smallrye
    jandex-maven-plugin
    3.5.3
    
        
            make-index
            
                jandex

Gradle Example:

plugins {
    id 'org.kordamp.gradle.jandex' version '2.3.0'
}

Open Liberty automatically detects and recognizes the generated META-INF/jandex.idx file for any supported index format version.

For more information, see the Jandex Documentation

AES encoding changes

The securityUtility encode command now requires a key to be specified for AES encodings. Specify a key by including one of the following options: --key, --base64Key, --aesConfigFile, or --keyring. This update resolves CVE-2025-14923.

The following command now results in an error because a key is not specified in the command.

securityUtility encode --encoding=aes "password"

When using AES encoding, one of the following arguments must be specified: --key, --base64Key, --aesConfigFile, or --keyring.

The following is an example of a valid usage with the new requirement.

securityUtility encode --encoding=aes --key=mycustomkey "password"
{aes}ARArmkfkgGyE1eiN8mKKjnkUDrFUFuuq2FlpDqrJKBgTAEYeN+PLP45wChLvIhlnWEDHnSA4zJI9KA3k5R9e/QDC+O2tzr3EwD3IMMAfvfOYxxqNPmoXqIeRVPD8TPZWnIIPmCnvyROw5A8=

For more information, see the full documentation for securityUtility encode and password encryption.

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2025-14923	4.7	Weaker security	17.0.0.3-26.0.0.2
CVE-2024-29371	7.5	Denial of service	21.0.0.3-26.0.0.2	Affects the `openidConnectClient-1.0`, `socialLogin-1.0`, `mpJwt-1.2`, `mpJwt-2.0`, `mpJwt-2.1`, and `jwt-1.0` features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.3.

Get Open Liberty 26.0.0.3 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Model Context Protocol Server 1.0 updates in 26.0.0.3-beta

2026-03-10T00:00:00+00:00

The 26.0.0.3-beta release updates the mcpServer-1.0 feature with response encoders and provides request ID access to tools for logging and auditing.

The Open Liberty 26.0.0.3-beta includes the following beta features (along with all GA features):

Encode responses with ContentEncoder and ToolResponseEncoder
Access the request ID from a tool

The Model Context Protocol (MCP) is an open standard that enables AI applications to access real-time information from external sources. The Liberty MCP Server feature (mcpServer-1.0) allows developers to expose the business logic of their applications, allowing it to be integrated into agentic AI workflows.

Encode responses with ContentEncoder and ToolResponseEncoder

When a client calls a tool, the object that is returned by the tool method is converted to a ToolResponse, which usually contains one or more Content objects. The ToolResponse maps directly to the result returned in the response.

If you need more control over the response from your tool, you can return a ToolResponse or Content object directly. Now, it is also possible to register encoders to control how other objects are converted into a response.

Use ToolResponseEncoder to convert an object into a ToolResponse, which gives you complete control over the whole response.
Use ContentEncoder when you only need to convert an object into a Content that is included in the response. You can also return a list of objects, and each object is individually converted into a Content and included in the response.

If a tool method returns an object for which no encoder is provided, JSON-B encodes the object as JSON, which is returned as text content.

Example

Consider a tool that does a search over some datastore:

@Tool(description = "search the data store")
public SearchResult search(@ToolArg(name="query", description="the query to run") String query) {
    SearchResult result = datastore.runQuery(query);
    return result;
}

In this scenario, the SearchResult object encapsulates a list of individual results. Each entry contains a summary, associated metadata, and a relevance score that indicates its relationship to the query.

By default, the SearchResult object that is returned is encoded as JSON by using JSON-B and placed into a TextContent. However, to return each search result summary as an individual TextContent and map the relevance score to a priority annotation, a ToolResponseEncoder is to be used.

Create a CDI bean that implements the ToolResponseEncoder interface and implement:

the encode method to create a ToolResponse from a SearchResult
the supports method to indicate that your encoder can be used for any SearchResult

@ApplicationScoped
public class SearchResultEncoder implements ToolResponseEncoder<SearchResult> {

    public boolean supports(Class runtimeType) {
        // This encoder can encode SearchResult and any subtypes
        return SearchResult.class.isAssignableFrom(runtimeType);
    }

    public ToolResponse encode(SearchResult searchResult) {
        if (searchResult.results().isEmpty()) {
            return ToolResponse.error("No results");
        }

        ArrayList contents = new ArrayList<>();
        for (var result : searchResult.results()) {
            // Set the priority annotation based on the relevance
            Annotations annotations = new Annotations(null, null, result.relevance());
            // Create a TextContent from the summary, and add the annotations
            contents.add(new TextContent(result.summary(), null, annotations));
        }

        // Create a successful response, using the created TextContents
        return ToolResponse.success(contents);
    }
}

This encoder is used for any tools in the application that return a SearchResult

Access the request ID from a tool

Each request from an MCP client includes a unique session-based Request ID, which is now accessible to tools and is useful for logging and auditing.

To access the ID, add a RequestId parameter to the tool method:

@Tool(description = "search the data store")
public SearchResult search(@ToolArg(name="query") String query, RequestId requestId) {
    logger.log(INFO, "Running search (" + requestId.asString() + ") for query: " + query);
    // ....
}

Notable bug fixes

The following bugs have been fixed:

Output schemas were not generated correctly for asynchronous tool methods which have structuredContent = true
Omitting the arguments object when calling a tool would result in an error. The arguments object is optional if the tool does not require any arguments

Try it now

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.3-beta
          zip


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.10.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.3-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Support for Java Toolchains in Liberty Build Plugins

2026-03-02T00:00:00+00:00

Liberty Gradle and Maven plugins now support Java Toolchains. This feature allows you to decouple the JDK used to run your build tool (Gradle or Maven) from the JDK used to compile your code and run your Liberty server and applications.

When a toolchain is configured, the Liberty build plugins automatically detect the specified JDK and use it to start the Liberty server, ensuring environment consistency across your development team.

Why use Java Toolchains?

Using Java toolchains provides several advantages for enterprise development and CI/CD pipelines:

Environment Consistency: Ensure every developer and build server uses the exact same JDK version for the runtime, regardless of what is installed as the system default.
Decoupling: You can run your build tool (e.g., Maven or Gradle) on a newer, high-performance JVM while targeting an older JDK (like Java 8 or 11) for the actual Liberty server.
Simplified Configuration: Avoid manually setting and maintaining JAVA_HOME environment variables across different machines. The build tool handles the discovery and provisioning of the required JDK.
Early Detection: If a developer tries to build a project but lacks the required JDK version, the build tool will provide a clear error or automatically download the correct version (depending on your configuration).

Minimum Version Requirements

To use toolchain support, ensure you are using the following plugin versions or newer:

Liberty Maven Plugin: 3.12.0
Liberty Gradle Plugin: 3.10.0

Liberty Gradle Plugin Support

The Liberty Gradle plugin integrates with the standard Gradle Java Toolchain feature. It does not require a Liberty-specific configuration block; it automatically honors the project’s java { toolchain { … } } settings.

How to use

Apply the java plugin and define the desired Java version in your build.gradle file:

plugins {
    id 'java'
    id 'io.openliberty.tools.gradle.Liberty' version '3.10.0'
}

java {
    toolchain {
        // Required Java version for your project
        languageVersion = JavaLanguageVersion.of(17)
        // Optional: include vendor if you need to distinguish between toolchains
        // vendor.set(JvmVendorSpec.ADOPTIUM)
    }
}

Liberty Maven Plugin Support

By leveraging Maven Toolchains, the Liberty Maven plugin can decouple the JDK used to run the plugin from the JDK used to run your Liberty server. It retrieves these definitions from your local toolchains.xml.

How to use

Configure toolchains.xml: Ensure your ~/.m2/toolchains.xml defines the JDKs available on your system.
Update pom.xml: Configure the plugin versions in your liberty-maven-plugin configurations and add a configuration.


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
            11

Dev mode behavior

When you run gradle libertyDev or mvn liberty:dev, the plugin ensures environment consistency by applying the following logic:

Server JVM: Sets the Liberty server process’s JAVA_HOME to the configured toolchain JDK.
Recompilation: Automatically uses the toolchain JDK for compilation (e.g., compileJava and compileTestJava tasks in Gradle, or compiler:compile and compiler:testCompile goals in Maven).
Logs: Look for confirmation in the terminal output to verify the toolchain is active:

Gradle	`CWWKM4101I: The :libertyDev task is using the configured toolchain JDK located at /path/to/jdk-17`
Maven	`CWWKM4101I: The liberty:dev goal is using the configured toolchain JDK located at /path/to/jdk-17`

Rules and precedence

Both plugins follow a specific order of operations:

Manual Overrides: If JAVA_HOME is set in server.env or jvm.options, that value takes precedence over the Java toolchain.
Toolchain Resolution: If no manual override exists, the plugin uses the resolved toolchain JDK.
Fallback: If no toolchain is found, the plugin falls back to the JVM currently running the build.

Verification

To confirm which JDK the Liberty server started with, check the messages.log file (located in ${server.output.dir}/logs/). You should see entries similar to the following:

********************************************************************************
product = Open Liberty 25.0.0.12 (wlp-1.0.108.cl251220251117-0302)
wlp.install.dir = /path/to/project/build/wlp/
java.home = /path/to/java/semeru-11.0.28/Contents/Home
java.version = 11.0.28
java.runtime = IBM Semeru Runtime Open Edition (11.0.28+6)
os = Mac OS X (26.1; aarch64) (en_IN)
process = 62955@Device-Name.local
Classpath = /path/to/project/build/wlp/bin/tools/ws-server.jar
Java Library path = /path/to/java/semeru-11.0.28/Contents/Home/lib/default:/path/to/java/semeru-11.0.28/Contents/Home/lib:/usr/lib
********************************************************************************

Conclusion

With Java toolchain support in the Liberty Gradle and Maven plugins, managing your development environment becomes significantly more robust. By defining your Java version at the project level, you eliminate the "it works on my machine" class of bugs related to mismatched JDKs. Whether you are using Gradle’s automatic provisioning or Maven’s toolchain manager, your Liberty server will now stay in perfect sync with your source code’s requirements.

Further Documentation

For detailed technical specifications, refer to the toolchains.md documentation in the plugin repositories:

Liberty Gradle Plugin: toolchain.md
Liberty Maven Plugin: toolchain.md

Reporting Issues

We welcome feedback and contributions! If you encounter any bugs or have feature requests, please report them in our open-source repositories:

For Maven issues, visit the Liberty Maven Plugin GitHub Issues.
For Gradle issues, visit the Liberty Gradle Plugin GitHub Issues.

Java Toolchains in Liberty Build Plugins in 26.0.0.2

2026-02-24T00:00:00+00:00

This release introduces Java Toolchains support, enabling developers to decouple the JDK used to run build tools from the JDK used to run the Liberty server.

In Open Liberty 26.0.0.2:

Java Toolchains in Liberty Build Plugins
Security Vulnerability (CVE) Fixes
Notable bug fixes

View the list of fixed bugs in 26.0.0.2.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.2

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.10.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

Java Toolchains in Liberty Build Plugins

In the latest release of the Liberty build plugins, support has been added for Java Toolchains. This enhancement enables developers to decouple the JDK used to run their build tools (Maven or Gradle) from the JDK used to run the Liberty server and their applications. This provides greater flexibility and environmental consistency.

Java Toolchains support

The Liberty build plugins now support the standard Java Toolchain mechanism. Previously, Liberty plugins were restricted to using the same Java version that was running Maven or Gradle. This prevented developers from using more recent JDK versions for their build process if their applications required a specific older JDK version.

With Java Toolchains, you can now run your build tool on a modern JDK (for example, Java 25). At the same time, Liberty servers and all server operations can execute using a different, configured JDK (for example, Java 8).

Maven Plugin integration

The Liberty Maven Plugin now integrates seamlessly with the maven-toolchain-plugin as of version 3.12.0. To use this feature, define your available JDKs in your ~/.m2/toolchains.xml file and then configure tag in . The plugin automatically detects and uses the toolchain specified in your project’s pom.xml file.

For detailed configuration steps and parameters, see the Liberty Maven Plugin Toolchain documentation.

The plugin acknowledges the JDK vendor and version constraints that are defined in your Maven profiles, helping to ensure that your server environment remains consistent across different developer machines and CI/CD pipelines.

Gradle Plugin integration

The Liberty Gradle plugin now recognizes the native java { toolchain { … } } configuration block as of version 3.10.0. This configuration provides a unified way to manage Java versions across multi-project builds, where different services might have different runtime requirements.

For detailed configuration steps and parameters, see the Liberty Gradle Plugin Toolchain documentation.

When a toolchain is configured in your build.gradle, the Liberty plugin uses that specific Java runtime for all server-related tasks (for example, libertyDev and libertyStart).

Try it now

To start using Java Toolchains, update your build tools to the latest versions of the Liberty Maven or Gradle plugins.

For Maven:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
            11

For Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.10.0'
    }
}
apply plugin: 'liberty'


java {
    toolchain {
        languageVersion = JavaLanguageVersion.of(17)
        // Optional: specify vendor
        // vendor = JvmVendorSpec.ADOPTIUM
    }
}

Security vulnerability (CVE) fixes in this release

CVE CVSS Score Vulnerability Assessment Versions Affected Notes

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2025-14914	7.6	Remote code execution	17.0.0.3-26.0.0.1	Affects the `restConnector-2.0` feature

CVE-2025-14914

7.6

Remote code execution

17.0.0.3-26.0.0.1

Affects the restConnector-2.0 feature

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.2.

Get Open Liberty 26.0.0.2 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Model Context Protocol Server 1.0 updates and more in 26.0.0.2-beta

2026-02-10T00:00:00+00:00

This beta release enhances the mcpServer-1.0 feature with role-based authorization, the new _meta field, and key bug fixes. It also adds documentation and tests for displayCustomizedExceptionText, allowing users to replace default Liberty error messages with clearer, custom text.

The Open Liberty 26.0.0.2-beta includes the following beta features (along with all GA features):

Model Context Protocol Server 1.0 updates
displayCustomizedExceptionText property

Model Context Protocol Server 1.0 updates

This beta release of Open Liberty includes important updates to the mcpServer-1.0 feature including role-based authorization, the _meta field, and a few bug fixes.

Prerequisites

To use the mcpServer-1.0 feature, Java 17 or later must be installed on the system.

Implement role-based authorization for MCP tools via annotations

The following new annotations allow you to restrict tool usage through authorization policies:

@DenyAll - Resource is denied. This annotation is the strictest policy.
@RolesAllowed - Resource is allowed for pre-authorised users in a role (the same as a group in Liberty).
@PermitAll - Resource is allowed for anyone (even unauthenticated users).

These security annotations are declared on two levels:

Class level - Every method in the class inherits this class level annotation.
Method level - Overrides any class level annotations.

For complete reference documentation, see the Jakarta Security Annotations specification.

The mcpServer-1.0 feature does not currently implement all of the authorization-server-metadata-discovery requirements specified in the MCP specification. However, you can use any of Liberty’s authentication and authorization mechanisms to authenticate users and assign roles. The mcpServer-1.0 feature can then ensure that users can access only the tools that are permitted for their assigned roles.

Basic authorization example

The following example shows how to configure MCP tools to require authentication and to ensure that users have the appropriate roles to access specific tools. Users authenticate using Basic Authentication, and the list of users and their roles are configured in a basicRegistry in the server.xml file.

Consider an online bookshop that has different users each with different authorization levels:

Users - can buy books and track prices
Moderators - can manage the books available
Admins - can manually ban users

Clients who connect without authenticating can only display the available books or register as a new user.

// common imports for all classes below

import io.openliberty.mcp.annotations.Tool;
import io.openliberty.mcp.annotations.ToolArg;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;

Security Annotation example classes

@ApplicationScoped
public class BookShopTools {

    // Admin Tool
    @RolesAllowed("Admins")
    @Tool(name = "banUser")
    public String banUser(@ToolArg(name = "userName", description = "Name of user to be banned") String userName)  {...}

    // Moderator Tools
    @RolesAllowed("Moderators")
    @Tool(name = "addBook")
    public String addBook(@ToolArg(name = "bookCode", description = "Code to uniquely identify the book") String bookCode)  {...}

    @RolesAllowed("Moderators")
    @Tool(name = "deleteBook")
    public String deleteBook(@ToolArg(name = "bookCode", description = "Code to uniquely identify the book") String bookCode)  {...}

    // User Tools
    @RolesAllowed("Users")
    @Tool(name = "buyBook")
    public String buyBook(@ToolArg(name = "bookCode", description = "Code to uniquely identify the book") String bookCode) {...}

    @RolesAllowed("Users")
    @Tool(name = "trackBookPrice")
    public String trackBookPrice(@ToolArg(name = "bookCode", description = "Code to uniquely identify the book") String bookCode)  {...}
}

@ApplicationScoped
@PermitAll // PermitAll Class level Annotation applies to all class tools, unless overwritten on method level
public class PublicTools {

    @Tool(name = "displayBooks")
    public String displayBooks(@ToolArg(name = "bookCode", description = "Code to uniquely identify the book") String book)  {...}

    @Tool(name = "registerNewUser")
    public String registerNewUser(@ToolArg(name = "userName", description = "The name for the user to be registered") String input,
                                  @ToolArg(name = "password", description = "The password for the user to be registered") String input)  {...}
}

Steps required

Create an application with @ApplicationScoped and expose the tools with the required annotations.
Create a server.xml file with the users.
Ensure that the groups map to the roles created in the tool.
Add users to the groups in the server.xml file.

The following additional configuration is required in the server.xml (See the comments in the XML example for details.):

The appSecurity feature
The transportSecurity feature
Define a user registry
Enable TLS (Transport Layer Security) for security
Require TLS (Transport Layer Security) to ensure that credentials aren’t sent in cleartext

 description="Liberty server config for Security Annotations">

  
    servlet-6.0
    cdi-4.0
    mcpServer-1.0
    
    appSecurity-5.0
    transportSecurity-1.0
  

   location="../fatTestPorts.xml" />

  
   id="defaultKeyStore" password="Liberty" />

  
   id="defaultHttpEndpoint"
                httpPort="-1"
                httpsPort="9443">
  

   id="basic" realm="BasicRealm">

       

       
        name="Sam"   password="{xor}KzosKy8+LDwoMC07aw=="/>
        name="Nile"  password="{xor}KzosKy8+LRwoMC07aw=="/>
        name="Cloe"  password="{xor}KzosKy8+LEwoMC07aw=="/>
        name="Vick"  password="{xor}KzosKy8+LFwoMC07aw=="/>

       
        name="Sally" password="{xor}KzosKy8+LCwoMC07bQ=="/>
        name="Harry" password="{xor}KzosKy8+LCwoMC07bQ=="/>

       
        name="Bob"   password="{xor}KzosKy8+LCwoMC07bA=="/>
        name="Noah"  password="{xor}KzosKy8+LCwoMC07aw=="/>


       

        name="Users">
            name="Nile"/>
            name="Sam"/>
            name="Cloe"/>
            name="Vick"/>
       

        name="Moderators">
            name="Sally"/>
            name="Harry"/>
       

        name="Admins">
            name="Bob"/>
            name="Noah"/>

It is also possible to add multiple roles to tools: @RolesAllowed("Admins, Moderators"). Doing so grants access to users who have either role.

If a role that is used in @RolesAllowed annotation is not mentioned in the server.xml file, that just means that no user has that role. If it is the only role that is allowed to call the tool, then no users can call the tool.

MCP: Tools can access metadata that the client sends in the _meta field.

The MCP specification reserves the _meta property or parameter so clients and servers can attach additional metadata to their interactions. Key name format: valid _meta key names have two segments:

An optional prefix (e.g. "example.com/") and
A name ("myKey")

The whole _meta key is seen as "example.com/myKey"

Adding a Tool Meta parameter

The following code shows an example metaKey used to retrieve the value of the metadata. In the example, the metakey is "example.org/location"

    @Tool(name = "noArgsRequest",
          title = "call tool without providing arguments in params",
          description = "return string made from args and metadata",
          structuredContent = false)
    public String noArgsRequest(Meta meta) {
        Jsonb jsonb = JsonbBuilder.create();
        String location = (String) meta.getValue(MetaKey.from("example.org/location"));
        BigDecimal timestamp = (BigDecimal) meta.getValue(MetaKey.from("timestamp"));
        String result = "You have called this tool from " + location + " at timestamp " + timestamp.toString();
        return result;
    }

Returning metadata in a tool response

A method can return any metadata by using the ToolResponse object:

   @Tool(name = "addPersonToListToolResponse",
         title = "adds person to people list",
         description = "adds person to people list",
         structuredContent = true)
    public @Schema(value = "{ ... }",description = "Returns list of person object")
    ToolResponse addPersonToListToolResponse(@ToolArg(name = "employeeList", description = "List of people") List employeeList,
                                             @ToolArg(name = "person", description = "Person object") Optional person) {
        Person personInstance = person.get();
        employeeList.add(personInstance);
        Jsonb jsonb = JsonbBuilder.create();
        MapObject> _meta = new HashMap<>();
        _meta.put(MetaKey.from("timestamp"), 1762860699);
        _meta.put(MetaKey.from("example.org/location"), "Hursley");
        _meta.put(MetaKey.from("example.org/person"), personInstance);
        return new ToolResponse(false, List.of(new TextContent(jsonb.toJson(employeeList))), employeeList, _meta);
    }

The _meta field enables protocol extensions without breaking compatibility. The following examples illustrate common use cases:

1) Cost Tracking Extension

Track API costs for expensive operations.

How it works:

Server reports the cost of executing a tool in the result metadata.
Client tracks total spending across operations.

2) Rate Limiting Extension

Prevent resource exhaustion and ensure fair access.

How it works:

Metadata shows the remaining quota before each call for time window
If limit is exceeded, the error includes retry time in _meta

3) Caching Hints Extension

Optimize performance through intelligent caching.

How it works:

Server includes caching information in the tool call result
Client can implement client-side caching

4) Bringing it all together

All three of the preceding extensions might be built into your MCP server as extensions:

{
  "name": "ToolForMetaDataExample",
  "description": "ToolDescription",
  "inputSchema": { ... },
  "_meta": {
    // Rate Limiting Extension - com.example.rateLimit namespace
    "com.example.rateLimit/requests": 100,
    "com.example.rateLimit/period": "hour",
    "com.example.rateLimit/remaining": 47,
    // Cost Tracking Extension - com.example.cost namespace
    "com.example.cost/estimatedCost": 0.02,
    "com.example.cost/currency": "USD",
    // Caching Hints Extension - com.example.cache namespace
    "com.example.cache/cacheable": true,
    "com.example.cache/cacheKey": "LondonWeather",
    "com.example.cache/ttl": 300
  }
}

Notable bug fixes in MCP 1.0

1) MCP Server feature used ISO-8859-1 and did not handle non-Latin characters

MCP requests and responses are now encoded correctly using UTF-8.

2) Fix asynchronous MCP Tool error handling

Previously, when an asynchronous tool returned a failed completion stage, the system did not verify whether the exception was a business or technical error. This resulted in all failures being reported as internal errors.
The system now differentiates between exception types. This categorization ensures that business errors are returned to the client, while technical errors are reported in the Liberty server log.

displayCustomizedExceptionText property

This beta release adds documentation and tests for the displayCustomizedExceptionText configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.

The feature is enabled through simple server.xml file configuration, where custom messages can be mapped to specific HTTP status codes (403 and 500).

Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.

 displaycustomizedexceptiontext="Custom error message"/>

Try it now

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.2-beta
          zip


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.10.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.2-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Take the Jakarta EE survey

2026-02-04T00:00:00+00:00

Calling Java Developers. Your input matters!

The IBM Application Development User Research team is running a quick 5-minute survey to learn about the enterprise Java and Jakarta EE specifications/frameworks/models you use. This will help us understand your needs and build better products.

Take the survey → https://ibm.co/60418Ym81

Open Liberty’s post on Linkedin

Log throttling and notable bug fixes in 26.0.0.1

2026-01-27T00:00:00+00:00

In this release, Open Liberty introduces log throttling to automatically suppress excessive, repeated log messages, helping developers reduce noise and manage high-volume logging more effectively.

In Open Liberty 26.0.0.1:

Log Throttling
Security Vulnerability (CVE) Fixes
Notable bug fixes

Along with the new features and functions added to the runtime, we’ve also made updates to our guides.

View the list of fixed bugs in 26.0.0.1.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.1

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.11.5

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.6'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

Log Throttling

Open Liberty Logging is introducing log throttling. Developers previously had no way to throttle or suppress high-volume messages. This new feature helps to prevent excessive log output when the same log events occur repeatedly within a short span of time.

Throttling is enabled by default. While enabled, Liberty tracks each messageID using a sliding window. By default, any messageID that is repeated more than 1,000 times within a five-minute interval is suppressed. A throttle warning is logged when throttling begins.

Log throttling can be configured to throttle messages based on the message or messageID by using the throttleType logging attribute. The number of messages allowed before throttling begins can be configured by using the throttleMaxMessagesPerWindow attribute.

Log Throttling is disabled by setting throttleMaxMessagesPerWindow to 0.

Currently, these attributes can be configured as follows:

In server.xml:

 throttleMaxMessagesPerWindow="5000" throttleType="messageID" />

In bootstrap.properties:

com.ibm.ws.logging.throttle.max.messages.per.window=5000
com.ibm.ws.logging.throttle.type=messageID

In server.env:

WLP_LOGGING_THROTTLE_MAX_MESSAGES_PER_WINDOW=5000
WLP_LOGGING_THROTTLE_TYPE=messageID

Difference between message and messageID:

Consider the following example of a log event: TEST0111I: Hello World!.

When throttleType is set to messageID, throttling is exclusively applied based on the number of occurrences of the messageID. In this example, TEST0111I is used for throttling.

When throttleType is set to message, throttling is applied to the entire message. Any variation in the message content is tracked separately. In this example, TEST0111I: Hello World! is used for throttling.

Security vulnerability (CVE) fixes in this release

CVE CVSS Score Vulnerability Assessment Versions Affected Notes

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2025-12635	5.4	Cross-site scripting	17.0.0.3-25.0.0.12	Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0`, and `servlet-6.0` features

CVE-2025-12635

5.4

Cross-site scripting

17.0.0.3-25.0.0.12

Affects the servlet-3.1, servlet-4.0, servlet-5.0, and servlet-6.0 features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.1.

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we continue to add new guides to openliberty.io on those topics to make their adoption as easy as possible.

Two new guides have been published under the Observability category:

Get Open Liberty 26.0.0.1 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Log Throttling and Model Context Protocol Server 1.0 updates in 26.0.0.1-beta

2026-01-13T00:00:00+00:00

In this beta release, Open Liberty introduces log throttling to prevent excessive log output by limiting repeated high-volume messages within a short time span. It also includes updates to the mcpServer-1.0 feature.

The Open Liberty 26.0.0.1-beta includes the following beta features (along with all GA features):

Log Throttling
Model Context Protocol Server 1.0 updates

Log Throttling

Log throttling can be configured to throttle messages based on the message or messageID by using the throttleType logging attribute. The number of messages allowed before throttling can be configured by using the throttleMaxMessagesPerWindow attribute.

Log Throttling is disabled by setting throttleMaxMessagesPerWindow to 0.

Currently, these attributes can be configured as follows:

In server.xml:

 throttleMaxMessagesPerWindow="5000" throttleType="message" />

In bootstrap.properties:

com.ibm.ws.logging.throttle.max.messages.per.window=5000
com.ibm.ws.logging.throttle.type=messageID

Difference between message and messageID:

Consider the following example of a log event: TEST0111I: Hello World!.

When throttleType is set to messageID, throttling is exclusively applied based on the number of occurrences of the messageID. In this example, TEST0111I is used for throttling.

Model Context Protocol Server 1.0 updates

This beta release of Open Liberty includes important updates to the mcpServer-1.0 feature, including asynchronous tool support, support for stateless mode, and a few bug fixes.

Prerequisites

To use the mcpServer-1.0 feature, Java 17 must be installed on the system.

Update on the MCP JAR location

The MCP server JAR is located in a new directory, /dev/ibm/api, replacing the location used in the initial beta. For complete instructions on building an MCP server in Liberty, see the set up guide.

Asynchronous Tool Execution Support

MCP tools can now run asynchronously by returning a CompletionStage. If a tool needs to wait for something, such as for data to be returned from a remote system, running asynchronously allows it to wait without occupying a thread.

The tool method can return a CompletionStage quickly, but the response is not returned to the client until the CompletionStage completes and provides the response data.

The following example illustrates how this approach would look for a tool that calls an asynchronous Jakarta REST client:

private Client client = ClientBuilder.newClient();

@Tool
public CompletionStage<String> toolName(@ToolArg(name = "value") int value) {
    return client.target("https://example.com/api")
            .queryParam("value", value)
            .request()
            .rx()
            .get(String.class);
}

Stateless Mode

Parts of the Model Context Protocol require the server to store client information and reuse it for subsequent requests from the same client. This stateful behavior creates challenges when clustering MCP servers. When requests from the same client are handled by different servers, the stored information must be shared across all servers.

One way to address this problem is through session affinity. The ingress or load balancer in front of the MCP servers helps ensure that all requests from a single session are served by the same server. However, this approach requires special support for how MCP identifies sessions, and such support for MCP session affinity is not widely available yet.

This beta introduces another option, called stateless mode. This option disables MCP features that require state to be stored, allowing MCP servers to be clustered easily without any special logic for session affinity.

Currently, enabling stateless mode disables the client’s ability to cancel tool calls. As we add new features, we document which features are disabled or have limitations in stateless mode.

To enable stateless mode in your application, you need to add the following configuration in your server.xml file:

 stateless="true"/>

One of the main differences in stateless mode is that the server does not assign a session ID to clients. As a result, subsequent client requests do not include the Mcp-Session-Id header.

Working with structured content in MCP Tools

The MCP specification supports returning structured content from tools.

Returning structured content

It is now possible to return structured JSON from a tool method. To enable this capability, set structuredContent = true on the @Tool annotation and return a POJO from your tool method:

public record Street(String streetName, String roadType) {}

@Tool(name = "getStreet",
      description = "Look up a street by name"
      structuredContent = true)
public Street getStreet(@ToolArg(name = "street", description = "the street name") String streetName){
    //Get street information
    return new Street(streetName, "One way Street");
}

Open Liberty uses Jakarta JSON Binding (JSON-B) to encode the returned Street object into JSON and this is returned to the MCP client in the structuredContent field of the response. For compatibility with earlier versions and older clients that do not support structuredContent, the encoded JSON is also returned as TextContent. In addition, Open Liberty generates a schema for the method’s return type to indicate the expected data structure to the MCP client.

Customizing Serialization

Since Open Liberty uses JSON-B to encode the returned object, you can use the standard JSON-B annotations to customize how your objects are serialized.

Customizing schemas with `@Schema`

MCP protocol requires tools to declare schemas for their inputs and outputs. These schemas help clients to understand what to send and what to expect in return. Open Liberty generates these schemas automatically by inspecting your Java types - although you can customize them by using the @Schema annotation. The simplest use of @Schema is to add descriptions to your types. These descriptions help clients understand the purpose of each type or field.

@Schema(description = "Represents Street information")
public record Street(
    @Schema(description = "Name of the street")
    String streetName,

    @Schema(description = "type of the road and its rules")
    String roadType
) {}

@Tool(name = "getStreet",
      description = "Look up a street by name"
      structuredContent = true)
public Street getStreet(@ToolArg(name = "street", description = "the street name") String streetName) {
    // Get street information
    return new Street(streetName, "One way Street");
}

If the default schemas do not meet your needs, you can provide a complete schema override. You might need to do an override if you use JSON-B annotations to customize the serialization of the object causing the generated schema to no longer match. A schema override is performed by providing a value to the @Schema annotation.

@Schema("""
{
    "type": "object",
    "required": ["streetName"],
    "properties": {
        "streetName": {
            "type": "string"
        },
        "roadType": {
            "type": "string",
            "enum": [
                "One Way Street",
                "Dual Carriageway",
                "Motorway"
            ]
        }
    }
}
""")
public record Street(String streetName, String roadType) {}

You usually also need to provide an output schema for a tool method that returns a ToolResponse. In this case, Open Liberty does not know what type your tool is going to return, so it cannot generate a detailed schema for it.

@Schema("""
{
    "type": "object",
    "required": ["streetName"],
    "properties": {
        "streetName": {
            "type": "string"
        },
        "roadType": {
            "type": "string",
            "enum": [
                "One Way Street",
                "Dual Carriageway",
                "Motorway"
            ]
        }
    }
}
""")
@Tool(structuredContent = true)
public ToolResponse toolName() {
    Street street = yourService.getStreetInfo();
    return ToolResponse.structuredSuccess(street)
}

Use @Schema(description = "…") when you want to add helpful context for clients, and @Schema(value = "{…}") when you have more complex types and the auto-generated schema does not reflect your actual JSON output.

Allowing annotations in MCP Content objects

As specified in the MCP specification, MCP annotations can be added to Content objects returned from tool methods. These annotations are not Java annotations; instead, they are additional fields that provide hints to clients about how to use and display the content.

The annotation includes the following fields:

audience field - an enum of type Role that indicates the intended audience for the content.
lastModified field - a string containing an ISO 8601-formatted timestamp that indicates when the content object was last modified.
priority field - a double value between 0.0 to 1.0 that indicates the importance of the content object.

The following example shows how annotation fields can be added to tools.

@Tool
public TextContent toolName(@ToolArg(name = "input") String input) {
    Content.Annotations annotations = new Content.Annotations(Role.USER,
                                                              Instant.now().toString(),
                                                              1.0);
    return new TextContent("My Generated Text", null, annotations);
}

Result:

{
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "content": [
            {
                "annotations": {
                    "audience": "user",
                    "lastModified": "2025-12-11T12:31:04",
                    "priority": 1.0
                },
                "text": "My Generated Text",
                "type": "text"
            }
        ],
        "isError": false
    }
}

Try it now

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.11.5
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.1-beta
          zip


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.6'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.1-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Open Liberty

Enhanced JWT validation, Java 26 support, and more in 26.0.0.4

Develop and run your apps using 26.0.0.4

File Transfer changes for 26.0.0.4

Default LTPA keys password removal

Support selecting JWT signature and decryption algorithms from JOSE header

How to use

Learn more

Support for Java 26

displayCustomizedExceptionText property

Security vulnerability (CVE) fixes in this release

Get Open Liberty 26.0.0.4 now

Jakarta EE 11 Platform, Java 26, and more in 26.0.0.4-beta

Jakarta EE 11 Platform and Web Profile

Application Authentication 3.1 (Jakarta Authentication 3.1)

Application Authorization 3.0 (Jakarta Authorization 3.0)

Application Security 6.0 (Jakarta Security 4.0)

In-memory identity store

Multiple HAMs

getAllDeclaredCallerRoles()

How to use

In-Memory Identity Store

Multiple HAMs

Application Specification

HAM resolution

Qualifiers

getAllDeclaredCallerRoles()

Learn more

Beta support for Java 26

Updates to mcpServer-1.0

Dynamically register MCP tools

Accept the 2025-11-25 MCP protocol

Paginated results

Bug fixes

Further information

Preview of some Jakarta Data 1.1 M2 capability

Learn more

Support for Reading Jandex Indexes from WEB-INF/classes in Web Modules.

Benefits

Target Persona

Target Features

Problem Description

How to Use

Limitation

Learn More

Try it now

We welcome your feedback

UserRegistry Attribute Reader Enhancement, Jandex Index Format Support Update and more in 26.0.0.3

Develop and run your apps using 26.0.0.3

UserRegistry Attribute Reader Enhancement

What’s New?

How to Use It

Jandex Index Format Support Update

What’s New?

Benefits

Limitations

Lifting Restriction

How to Use

AES encoding changes

Security vulnerability (CVE) fixes in this release

Notable bugs fixed in this release

Get Open Liberty 26.0.0.3 now

Model Context Protocol Server 1.0 updates in 26.0.0.3-beta

Encode responses with ContentEncoder and ToolResponseEncoder

Example

Access the request ID from a tool

Notable bug fixes

Try it now

We welcome your feedback

Support for Java Toolchains in Liberty Build Plugins

Why use Java Toolchains?

Minimum Version Requirements

Liberty Gradle Plugin Support

How to use

Liberty Maven Plugin Support

How to use

Dev mode behavior

Rules and precedence

Verification

Conclusion

Updates to `mcpServer-1.0`

Customizing schemas with `@Schema`