Open Liberty

Netty‑based HTTP transport in 26.0.0.6-beta

2026-06-02T00:00:00+00:00

This beta release introduces a preview of a Netty-based HTTP transport in Open Liberty, providing a modern, scalable foundation for HTTP and related communication protocols.

The Open Liberty 26.0.0.6-beta includes the following beta features (along with all GA features):

Netty‑based HTTP transport

Netty‑based HTTP transport

Open Liberty now provides a Netty‑based HTTP transport as a beta preview. This is an internal implementation swap for the underlying transport used for HTTP/1.1, HTTP/2, WebSocket, JMS, and SIP communications. Compared to previous releases, the key update in this release is the fix for the user-reported 100-continue issue. It is designed for zero migration: your applications and server.xml file should continue to behave the same. We are looking forward and counting on your feedback before GA!

Target persona: Application developers, performance engineers, and operations/site engineers who need to validate application behavior, measure throughput, and monitor observability.
Why it matters: Netty’s event-driven I/O model provides a modern foundation for long-term scalability, easier maintenance, and future performance enhancements— all without requiring changes to your APIs or configuration!

How to use it:

No changes are required to benefit from the current All Beta Features runtime for this release.

To help validate parity and performance for your real-world scenarios, try testing these areas:

HTTP/1.1 and HTTP/2: Large uploads or downloads, chunked transfers, compression-enabled content, keep-alive behavior.
WebSocket: Long-lived communications, backpressure scenarios
Timeouts: Read/write/keep-alive timeouts under load
Access logging: Verify formatting and log results compared to previous builds
JMS communications: Messages send/receive throughput, durable subscriptions

Limitations of the Beta release:

HTTP
- HTTP requests with content length greater than the maximum integer value fail due to internal limitations on request size with Netty.
- When the HTTP option maxKeepAliveRequests is unlimited, HTTP 1.1 supports a maximum of 50 pipelined requests.
- The HTTP option resetFramesWindow is reduced from millisecond to second precision due to limitations in the Netty library.
- Due to internal limitations of the Netty library, the HTTP option MessageSizeLimit is now adjusted to be capped at the maximum integer value for HTTP/2.0 connections.
- Due to internal differences with Netty, the HTTP option ThrowIOEForInboundConnections can behave differently from the Channel Framework implementation.
- Due to internal limitations of Netty, the TCP options acceptThread and waitToAccept are not implemented in this Beta and are ignored if set.
WebSocket
- WebSocket inbound requests can generate First Failure Data Capture RuntimeExceptions on connection cleanup when a connection is closed from the client side.
Application-Layer Protocol Negotiation (ALPN)
- Currently, our Netty implementation supports only the native JDK ALPN implementation. Additional information for the ALPN implementations that are currently supported by the Channel Framework but not our Netty beta can be found in the ALPN documentation.

Try it now

To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8.

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.6-beta
          zip

You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. For example, the following block adds dependencies for two example beta APIs:


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.6-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Jakarta EE 11 from Newbie to Pro with Open Liberty

2026-05-27T00:00:00+00:00

Jakarta EE 11 marks a significant milestone in the evolution of enterprise Java development. This release delivers enhanced developer productivity, improved performance, and modernized APIs that align with the Java LTS releases: Java SE 17, Java SE 21. For more information, see the Jakarta EE Platform 11 specification.

What’s New in Jakarta EE 11?

Jakarta EE 11 represents a major step forward for cloud-native enterprise Java applications. This release includes modernizing and restructuring the Test Compatibility Kits (TCKs), the new Jakarta Data specification, major updates to existing specifications, and support for the latest Java LTS releases, which enables developers to leverage enhancements in Java 21, including Virtual Threads and Records. The new and updated specifications are:

Data 1.0
Authentication 3.1
Authorization 3.0
Concurrency 3.1
Annotations 3.0
Interceptors 2.2
CDI 4.1
Faces 4.1
Expression Language 6.0
Servlet 6.1
WebSocket 2.2
RESTful Web Services 4.0
Persistence 3.2
Pages 4.0
Security 4.0
Validation 3.1

Jakarta Data 1.0: A Game Changer for Data Access

One of the most exciting additions to Jakarta EE 11 is Jakarta Data 1.0, a new specification that revolutionizes how developers interact with databases in enterprise applications.

What is Jakarta Data?

Jakarta Data provides an API for easier data access. A Java developer can split the details of persistence from the data model with several features, such as the ability to compose custom query methods on a Repository interface. Jakarta Data’s goal is to provide a familiar and consistent, Jakarta-based programming model for data access while still retaining the particular traits of the underlying data store. It is designed to be flexible and extensible, allowing developers to use it with various types of databases, including relational databases, NoSQL databases, and even in-memory data stores.

Key Features of Jakarta Data 1.0

Jakarta Data 1.0 includes:

Repository Pattern: Define data access through simple interfaces
Query by Method Name: Automatic query generation from method names (e.g., findByType, findByName)
Type Safety with StaticMetamodel: Enhanced type safety for queries
Pagination Support: Built-in pagination on Repository
Platform Integrations: Works with CDI, Persistence, NoSQL, Transactions, and Validation
Entity Support: Works with persistence and nosql entities

Jakarta Data Code Examples

Defining an Entity

import jakarta.persistence.Entity;
import jakarta.persistence.Id;

@Entity
public class Product {
    @Id
    private Long id;
    private String name;
    private String description;
    private double price;
    private int stockQuantity;

    // Constructors, getters, and setters
    public Product() {}

    public Product(String name, double price) {
        this.name = name;
        this.price = price;
    }

    // Getters and setters omitted for brevity
}

Creating a Repository Interface

import jakarta.data.repository.Repository;
import jakarta.data.repository.Find;
import jakarta.data.repository.Query;
import jakarta.data.repository.Save;
import jakarta.data.repository.Delete;
import jakarta.data.repository.OrderBy;
import jakarta.data.page.Page;
import jakarta.data.page.PageRequest;
import java.util.List;
import java.util.Optional;

@Repository
public interface ProductRepository {

    // Basic CRUD operations
    @Save
    Product save(Product product);

    @Find
    Optional findById(Long id);

    @Delete
    void delete(Product product);

    // Query by method name - automatically generates query
    List findByName(String name);

    List findByPriceLessThan(double price);

    List findByPriceBetween(double minPrice, double maxPrice);

    List findByNameContains(String keyword);

    // Sorting and pagination - requires @OrderBy for pagination
    @OrderBy("price")
    Page findByPriceGreaterThan(double price, PageRequest pageRequest);

    // Custom queries using @Query annotation
    @Query("SELECT p FROM Product p WHERE p.stockQuantity < 10")
    List findLowStockProducts();

    @Query("SELECT p FROM Product p WHERE p.price > ?1 ORDER BY p.price DESC")
    List findExpensiveProducts(double minPrice);
}

REST Endpoint Using Jakarta Data

import jakarta.ws.rs.*;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.inject.Inject;
import jakarta.data.page.Page;
import jakarta.data.page.PageRequest;
import java.util.List;

@Path("/products")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class ProductResource {

    @Inject
    private ProductRepository productRepository;

    @POST
    public Response createProduct(Product product) {
        Product created = productRepository.save(product);
        return Response.status(Response.Status.CREATED).entity(created).build();
    }

    @GET
    @Path("/search")
    public List searchProducts(@QueryParam("keyword") String keyword) {
        return productRepository.findByNameContains(keyword);
    }

    @GET
    @Path("/expensive")
    public Page getExpensiveProducts(
            @QueryParam("minPrice") @DefaultValue("100.0") double minPrice,
            @QueryParam("page") @DefaultValue("1") int page,
            @QueryParam("size") @DefaultValue("20") int size) {
        PageRequest pageRequest = PageRequest.ofPage(page).size(size);
        return productRepository.findByPriceGreaterThan(minPrice, pageRequest);
    }

    @GET
    @Path("/low-stock")
    public List getLowStockProducts() {
        return productRepository.findLowStockProducts();
    }
}

Benefits of Jakarta Data

Reduced Boilerplate: No need to write repetitive DAO/repository implementations
Type Safety: Compile-time checking of queries and method signatures
Database Flexibility: Switch between databases without changing application code
Improved Productivity: Focus on business logic instead of data access code
Standardization: Vendor-neutral API backed by the Jakarta EE community

Updated Specifications with Code Examples

Authentication 3.1

Jakarta Authentication defines a general low-level SPI for authentication mechanisms, which are controllers that interact with a caller and a container’s environment to obtain the caller’s credentials, validate these, and pass an authenticated identity (such as name and groups) to the container.

Key changes in Authentication 3.1:

Removes references to the SecurityManager (aligned with Java’s deprecation and removal of SecurityManager)
Evolves the API in a smaller way to support the overall goals of Jakarta Security
Consists of several profiles, with each profile telling how a specific container (such as Jakarta Servlet) can integrate with and adapt to this SPI

The 3.1 version removes the deprecated Permission-related fields in the jakarta.security.auth.message.config.AuthConfigFactory class. The methods in the class no longer do permission checking. These changes are part of Jakarta EE 11’s removal of SecurityManager support.

Authentication 3.1 Code Example

import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.MessagePolicy;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.callback.GroupPrincipalCallback;
import jakarta.security.auth.message.callback.Callback;
import jakarta.security.auth.message.callback.CallbackHandler;
import jakarta.security.auth.message.callback.UnsupportedCallbackException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class CustomServerAuthModule implements ServerAuthModule {

    private CallbackHandler handler;

    @Override
    @SuppressWarnings("rawtypes")
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                          CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo,
                                      jakarta.security.auth.message.callback.Subject clientSubject,
                                      jakarta.security.auth.message.callback.Subject serviceSubject)
                                      throws AuthException {
        // Extract credentials from request
        String username = extractUsername(messageInfo);
        String password = extractPassword(messageInfo);

        if (validateCredentials(username, password)) {
            // Set the caller principal
            CallerPrincipalCallback principalCallback =
                new CallerPrincipalCallback(clientSubject, username);

            // Set the groups
            GroupPrincipalCallback groupCallback =
                new GroupPrincipalCallback(clientSubject, new String[]{"users"});

            try {
                handler.handle(new Callback[]{principalCallback, groupCallback});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new AuthException(e.getMessage());
            }

            return AuthStatus.SUCCESS;
        }

        return AuthStatus.FAILURE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo,
                                     jakarta.security.auth.message.callback.Subject serviceSubject)
            throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo,
                            jakarta.security.auth.message.callback.Subject subject)
                            throws AuthException {
        if (subject != null) {
            Set<Principal> principals = subject.getPrincipals();
            if (principals != null) {
                principals.clear();
            }
        }
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[]{HttpServletRequest.class, HttpServletResponse.class};
    }

    private String extractUsername(MessageInfo messageInfo) {
        // Extract username from request
        return "user";
    }

    private String extractPassword(MessageInfo messageInfo) {
        // Extract password from request
        return "password";
    }

    private boolean validateCredentials(String username, String password) {
        // Validate credentials
        return username != null && password != null;
    }
}

Authorization 3.0

What’s New in Authorization 3.0:

New PolicyFactory and Policy classes: Introduces jakarta.security.jacc.PolicyFactory and jakarta.security.jacc.Policy as replacements for the deprecated java.security.Policy class. With the new PolicyFactory API, you can now have a Policy per policy context instead of a global policy, allowing separate policies to be maintained for each application.
Programmatic policy provider registration: Adds the ability to register policy providers programmatically on a per-application basis, making Jakarta Authorization more suitable for cloud deployments. This mirrors the API available in Jakarta Authentication.
Convenience methods: Adds several convenience methods to make the API easier to use.

Removals and Changes in Authorization 3.0:

Removal of java.security.Policy dependency: Eliminates dependency on the deprecated java.security.Policy and java.security.SecurityManager classes, aligning with Java SE’s deprecation and removal of SecurityManager.
Breaking API changes: This is a major breaking update. Applications using Jakarta Authorization 2.x will need to migrate to the new PolicyFactory and Policy classes.

To configure your authorization modules in your application’s web.xml file, add specification defined context parameters:


 xmlns="https://jakarta.ee/xml/ns/jakartaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_1.xsd"
  version="6.1">

  
    jakarta.security.jacc.PolicyConfigurationFactory.provider
    com.example.MyPolicyConfigurationFactory
  

  
    jakarta.security.jacc.PolicyFactory.provider
    com.example.MyPolicyFactory

Due to Jakarta Authorization 3.0 no longer using the java.security.Policy class and introducing a new configuration mechanism for authorization modules, the com.ibm.wsspi.security.authorization.jacc.ProviderService Liberty API is no longer available with the appAuthorization-3.0 feature. If a Liberty user feature configures authorization modules, the OSGi service that provided a ProviderService implementation must be updated to use the PolicyConfigurationFactory and PolicyFactory set methods. These methods configure the modules in the OSGi service. Alternatively, you can use a Web Application Bundle (WAB) in your user feature to specify your security modules in a web.xml file.

Finally, the 3.0 API adds a new jakarta.security.jacc.PrincipalMapper class that you can obtain from the PolicyContext class when authorization processing is done in your Policy implementation. From this class, you can obtain the roles that are associated with a specific Subject to be able to determine whether the Subject is in the required role.

You can use the PrincipalMapper class in your Policy implementation’s impliesByRole (or implies) method, as shown in the following example:

public boolean impliesByRole(Permission p, Subject subject) {
    Map<String, PermissionCollection> perRolePermissions =
        PolicyConfigurationFactory.get().getPolicyConfiguration(contextID).getPerRolePermissions();
    PrincipalMapper principalMapper = PolicyContext.get(PolicyContext.PRINCIPAL_MAPPER);

    // Check to see if the Permission is in the all authenticated users role
    if (!principalMapper.isAnyAuthenticatedUserRoleMapped() && !subject.getPrincipals().isEmpty()) {
        PermissionCollection rolePermissions = perRolePermissions.get("**");
        if (rolePermissions != null && rolePermissions.implies(p)) {
            return true;
        }
    }

    // Check to see if the roles for the Subject provided imply the permission
    Set<String> mappedRoles = principalMapper.getMappedRoles(subject);
    for (String mappedRole : mappedRoles) {
        PermissionCollection rolePermissions = perRolePermissions.get(mappedRole);
        if (rolePermissions != null && rolePermissions.implies(p)) {
            return true;
        }
    }

    return false;
}

Concurrency 3.1

Jakarta Concurrency provides asynchronous capabilities to Jakarta EE application components. Jakarta Concurrency 3.1 provides enhanced concurrency utilities with several new features and improvements:

Integration with Java 21 Virtual Threads - Native support for virtual threads to improve scalability
Java Flow/ReactiveStreams and context propagation - Better integration with reactive programming models
Replace more features from EJB - Migrated scheduling and asynchronous capabilities (such as @Schedule and @Asynchronous annotations)
Become more CDI-centric - Improved integration with Jakarta CDI
Specification bug fixes and clarifications - Enhanced clarity and resolved ambiguities
TCK fixes and enhancements - Improved test coverage and reliability

import jakarta.enterprise.concurrent.ManagedExecutorService;
import jakarta.enterprise.concurrent.ManagedScheduledExecutorService;
import jakarta.enterprise.concurrent.ManagedExecutorDefinition;
import jakarta.annotation.Resource;
import jakarta.enterprise.context.ApplicationScoped;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;

@ApplicationScoped
@ManagedExecutorDefinition(
    name = "java:module/concurrent/VirtualThreadExecutor",
    virtual = true
)
public class ConcurrencyExample {

    @Resource(lookup = "java:module/concurrent/VirtualThreadExecutor")
    private ManagedExecutorService executorService;

    public CompletableFuture<String> asyncOperation() {
        // Leverages Virtual Threads on Java 21+
        return executorService.supplyAsync(this::processData);
    }

    private String processData() {
        return "Processed data";
    }
    @Asynchronous(
            executor = "java:module/concurrent/VirtualThreadExecutor",
            runAt = @Schedule(cron = "0 3 * * *")) // daily at 3 AM
    private void performMaintenanceTask(@Observes Startup event) {
        // Maintenance logic
    }
}

Annotations 3.0

Jakarta Annotations defines a collection of annotations representing common semantic concepts that enable a declarative style of programming in the Jakarta EE platform.

Changes in Annotations 3.0:

Removal of @ManagedBean: The deprecated @ManagedBean annotation has been fully removed from the specification. Developers must migrate to CDI managed beans using @Named and appropriate scope annotations.

Migrating from @ManagedBean

If your application uses @ManagedBean, you must migrate to CDI managed beans. The @ManagedBean annotation was deprecated in an earlier release and has been removed in Jakarta EE 11.

Migration Options:

Use CDI @Named for Faces or Expression Language access - If the bean needs to be accessible from Faces pages or Expression Language
Use CDI scope annotations without @Named - If the bean is only used for dependency injection

Interceptors 2.2

Jakarta Interceptors defines a means of interposing on business method invocations and specific events in the lifecycle of beans.

New features, enhancements or additions:

Updated dependencies for Jakarta EE 11
Jakarta Annotations to 3.0.0
Provide access to interceptor bindings from InvocationContext - New method getInterceptorBindings() added to InvocationContext interface

Removals, deprecations or backwards incompatible changes:

None

See the following CDI section for its usage.

CDI 4.1

Jakarta Contexts and Dependency Injection (CDI) specifies a means for obtaining objects in such a way as to maximize reusability, testability and maintainability compared to traditional approaches such as constructors, factories, and service locators (e.g., JNDI). CDI 4.1 brings important architectural improvements and new APIs to help framework developers build on CDI. CDI allows objects to be bound to lifecycle contexts, injected into application code, be subject to interceptors and decorators, and interact in a loosely coupled fashion via events.

Key changes in CDI 4.1:

Specification restructuring - Integration requirements with other Jakarta EE specs moved from CDI specification to Jakarta EE Platform, Web Profile, and Core Profile specifications
Expression Language separation - EL-related methods moved to new API jar (jakarta.enterprise.cdi-el-api) to remove CDI’s dependency on EL API
Interceptor binding access - New methods on InvocationContext to retrieve interceptor binding annotations
Method Invokers - New API allowing frameworks to call methods with CDI-managed arguments and instances
@Priority on producers - Producer methods and fields can now be annotated with @Priority for fine-grained alternative selection
Programmatic assignability rules - New BeanContainer methods to check if beans match injection points

Specification Restructuring

One of the major changes in CDI 4.1 is the restructuring of the specification to remove circular dependencies and improve modularity:

Integration requirements moved to platform specs: Previously, CDI defined requirements for integration with other Jakarta EE specifications including Servlet, Expression Language, Enterprise Beans, Transactions, Security, Validation, and Persistence. These integration requirements have now been moved to the Jakarta EE Platform, Web Profile, and Core Profile specifications as appropriate. This makes it easier to pass the CDI TCK independently and clarifies which integrations are required at each platform level.

Expression Language separation: The CDI API previously had a direct dependency on the Expression Language (EL) API because BeanManager included methods that referenced EL classes. In CDI 4.1:

EL-related methods on BeanManager (getELResolver() and wrapExpressionFactory()) are deprecated for removal in CDI 5.0
A new supplemental API jar jakarta.enterprise.cdi-el-api provides ELAwareBeanManager, a sub-interface of BeanManager with the same methods
This allows the core CDI API to remove its dependency on EL in the next major version
Existing users will see deprecation warnings and should migrate to ELAwareBeanManager before CDI 5.0

Retrieve Interceptor Binding Information

CDI 4.1 adds support to allow interceptors to retrieve and inspect the annotations that are used to bind them. Interceptors can now call InvocationContext.getInterceptorBindings() or one of the related methods to retrieve the annotations so that they can read values from them. This capability is particularly useful when you need to configure interceptor behavior based on annotation parameters.

For example, you might define a custom @Logged annotation with a parameter:

import jakarta.enterprise.util.Nonbinding;
import jakarta.interceptor.InterceptorBinding;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@InterceptorBinding
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Logged {
    @Nonbinding
    String value();
}

Then apply it to a method:

@Logged("myName")
public void myMethod() {
    // ....
}

An interceptor like this can read the myName value from the annotation and include it in the log message:

@Interceptor
@Logged("")
public class LoggedInterceptor {

    @AroundInvoke
    public Object logInvocation(InvocationContext context) throws Exception {
        // NEW in CDI 4.1: Find the @Logged annotation and extract its value
        String logName = context.getInterceptorBinding(Logged.class).value();

        System.out.println("Invoking method with log name: " + logName);

        try {
            Object result = context.proceed();
            System.out.println("Method completed successfully");
            return result;
        } catch (Exception e) {
            System.out.println("Method failed with exception: " + e.getMessage());
            throw e;
        }
    }
}

Method Invokers

Method invokers provide a way to invoke methods programmatically while allowing CDI to look up and inject some of the method parameters. This is particularly useful for frameworks that want to allow users to annotate methods and have those methods called with a mix of framework-provided and CDI-injected arguments.

Example use case: An alert system where users can apply @Alert to methods on managed bean classes. When an alert happens, the annotated methods are called with the alert ID as the first argument, and other arguments looked up from CDI.

@ApplicationScoped
public class MyBean {

    @Alert
    public void myAlert1(int id) {
        // Do something
    }

    @Alert
    public void myAlert2(int id, MyOtherBean otherBean) {
        // Do something with otherBean
    }
}

Creating invokers (done within a CDI extension):

public class InvokerExtension implements Extension {

    public static record AlertMethod(Invoker invoker, int parameterCount) { }
    List alertMethods = new ArrayList<>();

    public  void createInvokers(@Observes @WithAnnotations(Alert.class) ProcessManagedBean pmb) {
        for (AnnotatedMethodsuper T> m : pmb.getAnnotatedBeanClass().getMethods()) {
            if (m.isAnnotationPresent(Alert.class)) {
                validate(m);

                InvokerBuilder> builder = pmb.createInvoker(m);

                // Look up the bean instance when invoking
                builder.withInstanceLookup();

                // Look up all arguments except the first
                int parameterCount = m.getParameters().size();
                for (int i = 1; i < parameterCount; i++) {
                    builder.withArgumentLookup(i);
                }

                alertMethods.add(new AlertMethod(builder.build(), parameterCount));
            }
        }
    }
}

Calling invokers:

public void invokeAlerts(int i) throws Exception {
    for (AlertMethod method : alertMethods) {
        // Construct an array of arguments
        Object[] args = new Object[method.parameterCount];
        // First argument is the alert id
        args[0] = i;
        // All other arguments are looked up from CDI, so we pass in null

        // Call the method
        method.invoker.invoke(null, args);
    }
}

Note: null must be passed for any instance or argument that is to be looked up from CDI. In this example, the bean instance and all arguments except the first are looked up from CDI, so we pass null for the instance and null for arguments at positions 1 and beyond.

@Priority on Producer Methods and Fields

Previously, a producer method or field declared as an alternative could only be enabled and have a priority assigned by putting the @Priority annotation on the containing bean class. If a class contained several alternative producer methods, there was no way to assign a different priority to each.

CDI 4.1 allows the @Priority annotation to be placed directly on the producer field or method, enabling fine-grained control over alternative selection:

Before CDI 4.1 (priority on class):

@ApplicationScoped
@Priority(10)
public class ProducerClass {

    @Produces
    @Alternative
    public String produceString() {
        return "OK";
    }
}

CDI 4.1 (priority on producer method):

@ApplicationScoped
public class ProducerClass {

    @Produces
    @Alternative
    @Priority(10)
    public String produceString() {
        return "OK";
    }
}

This allows different producer methods in the same class to have different priorities, giving you more flexibility when working with alternatives.

Programmatic Access to Assignability Rules

CDI defines resolution rules that determine which beans can be injected into each injection point. Previously, there was no way to apply these rules programmatically without re-implementing the logic. CDI 4.1 adds two new methods to BeanContainer that implement the matching rules:

// Check if a bean matches an injection point
boolean isMatchingBean(Set<Type> beanTypes,
                      Set<Annotation> beanQualifiers,
                      Type requiredType,
                      Set<Annotation> requiredQualifiers);

// Check if an event matches an observer
boolean isMatchingEvent(Type specifiedType,
                       Set<Annotation> specifiedQualifiers,
                       Type observedEventType,
                       Set<Annotation> observedEventQualifiers);

These methods allow frameworks and extensions to programmatically check whether beans or events match specific requirements using the same rules that CDI uses internally.

Expression Language 6.0

Jakarta Expression Language defines an expression language for Java applications. This release makes the dependency on the java.desktop module optional, removes references to the SecurityManager, and provides a small number of usability improvements.

New features in Expression Language 6.0:

java.desktop module no longer required: The java.desktop module is no longer required at runtime, improving modularity
New length property for arrays: A new property, length, is now supported for arrays, making it easier to get array sizes in EL expressions
Java Records support: Added support, enabled by default, for java.lang.Record instances via the new RecordELResolver
Java Optional support: Added support, disabled by default, for java.lang.Optional instances via the new OptionalELResolver

Removals:

All code deprecated as of Expression Language 5.0 has been removed, specifically the getFeatureDescriptors() method from the ELResolver interface
All references to the Java SecurityManager and associated APIs have been removed

Using the new `length` property for arrays

import jakarta.el.*;
import java.util.Arrays;

public class ArrayLengthExample {

    public static void main(String[] args) {
        // Create EL context
        ExpressionFactory factory = ExpressionFactory.newInstance();
        StandardELContext context = new StandardELContext(factory);

        // Create an array and add it to the context
        String[] fruits = {"Apple", "Banana", "Cherry", "Date", "Elderberry"};
        context.getELResolver().setValue(context, null, "fruits", fruits);

        // NEW in EL 6.0: Use the 'length' property to get array size
        ValueExpression lengthExpr = factory.createValueExpression(
            context, "${fruits.length}", Integer.class);
        Integer length = (Integer) lengthExpr.getValue(context);

        System.out.println("Array length: " + length); // Output: 5

        // You can also use it in conditional expressions
        ValueExpression hasItemsExpr = factory.createValueExpression(
            context, "${fruits.length > 0}", Boolean.class);
        Boolean hasItems = (Boolean) hasItemsExpr.getValue(context);

        System.out.println("Has items: " + hasItems); // Output: true
    }
}

Using RecordELResolver for Java Records

Java Records are now supported by default in EL 6.0:

import jakarta.el.*;

// Define a Java Record
public record Product(String name, double price, int quantity) {
    public double totalValue() {
        return price * quantity;
    }
}

public class RecordELResolverExample {

    public static void main(String[] args) {
        // Create EL context
        ExpressionFactory factory = ExpressionFactory.newInstance();
        StandardELContext context = new StandardELContext(factory);

        // Create a Record instance
        Product product = new Product("Laptop", 999.99, 5);
        context.getELResolver().setValue(context, null, "product", product);

        // NEW in EL 6.0: Access Record components directly
        ValueExpression nameExpr = factory.createValueExpression(
            context, "${product.name}", String.class);
        String name = (String) nameExpr.getValue(context);
        System.out.println("Product name: " + name); // Output: Laptop

        ValueExpression priceExpr = factory.createValueExpression(
            context, "${product.price}", Double.class);
        Double price = (Double) priceExpr.getValue(context);
        System.out.println("Product price: " + price); // Output: 999.99

        // Access Record methods
        ValueExpression totalExpr = factory.createValueExpression(
            context, "${product.totalValue()}", Double.class);
        Double total = (Double) totalExpr.getValue(context);
        System.out.println("Total value: " + total); // Output: 4999.95
    }
}

Using OptionalELResolver for Java Optional

Support for java.lang.Optional is available but disabled by default. To enable it, you need to add the OptionalELResolver to your EL context:

import jakarta.el.*;
import java.util.Optional;

public class OptionalELResolverExample {

    public static void main(String[] args) {
        // Create EL context
        ExpressionFactory factory = ExpressionFactory.newInstance();
        StandardELContext context = new StandardELContext(factory);

        context.addELResolver(new OptionalELResolver());

        // Create Optional values
        Optional<String> presentValue = Optional.of("Hello, EL 6.0!");
        Optional<String> emptyValue = Optional.empty();

        context.getELResolver().setValue(context, null, "message", presentValue);
        context.getELResolver().setValue(context, null, "emptyValue", emptyValue);

        // Access Optional values - automatically unwrapped if present
        ValueExpression messageExpr = factory.createValueExpression(
            context, "${message}", String.class);
        String message = (String) messageExpr.getValue(context);
        System.out.println("Message: " + message); // Output: Hello, EL 6.0!

        // Empty Optional returns null
        ValueExpression emptyExpr = factory.createValueExpression(
            context, "${emptyValue}", String.class);
        String emptyResult = (String) emptyExpr.getValue(context);
        System.out.println("emptyValue: " + emptyResult); // Output: null

        // Use with conditional expressions
        ValueExpression hasMsgExpr = factory.createValueExpression(
            context, "${message != null}", Boolean.class);
        Boolean hasMessage = (Boolean) hasMsgExpr.getValue(context);
        System.out.println("Has message: " + hasMessage); // Output: true
    }
}

Using EL 6.0 in Faces/Facelets


 value="Total items: #{products.length}" />

 rendered="#{products.length > 0}">
     value="#{products}" var="product">
         value="#{product.name}: $#{product.price}" />
    



 value="#{productRecord.name}" />
 value="#{productRecord.price}" />
 value="Total: $#{productRecord.totalValue()}" />


 value="No products available"
              rendered="#{products.length == 0}" />

Faces 4.1

Jakarta Faces defines an MVC framework for building user interfaces for web applications, including UI components, state management, event handling, input validation, page navigation, and support for internationalization and accessibility. This release removes references to the SecurityManager, further aligns with CDI where possible, and provides various small enhancements and clarifications.

New features in Faces 4.1:

Generic FacesMessage: Make FacesMessage#VALUES / VALUES_MAP generic for better type safety
CDI event firing: Require firing events for @Initialized, @BeforeDestroyed, @Destroyed for build-in scopes
Missing generics: Add missing generics to API that were missed in Faces 4.0
Flow injection: Support @Inject of current flow like @Inject Flow currentFlow
UUIDConverter: Add new converter for UUID types
ExternalContext enhancement: Add setResponseContentLengthLong method for large content
UIRepeat enhancement: Add rowStatePreserved property to UIRepeat, exactly the same as UIData
Development mode default: jakarta.faces.FACELETS_REFRESH_PERIOD default when ProjectStage is Development
FacesMessage improvements: Implement equals(), hashcode(), toString() methods

Removals:

Deprecate unused composite.extension
Remove references to the SecurityManager

Using the new UUIDConverter

import jakarta.faces.view.ViewScoped;
import jakarta.inject.Named;
import jakarta.faces.convert.UUIDConverter;
import java.io.Serializable;
import java.util.UUID;

@Named
@ViewScoped
public class EntityBean implements Serializable {

    private UUID entityId;
    private String entityName;

    public void init() {
        // NEW in Faces 4.1: UUIDConverter automatically handles UUID conversion
        // Generate a new UUID for the entity
        entityId = UUID.randomUUID();
    }

    public void saveEntity() {
        System.out.println("Saving entity with ID: " + entityId);
        // The UUID is automatically converted to/from String in the view
    }

    // Getters and setters
    public UUID getEntityId() { return entityId; }
    public void setEntityId(UUID entityId) { this.entityId = entityId; }
    public String getEntityName() { return entityName; }
    public void setEntityName(String entityName) { this.entityName = entityName; }
}



     value="Entity ID:" />
     value="#{entityBean.entityId}" />

     value="Entity Name:" />
     value="#{entityBean.entityName}" />

     value="Save" action="#{entityBean.saveEntity}" />



 value="Current ID: #{entityBean.entityId}" />

Injecting the current Flow

import jakarta.faces.flow.Flow;
import jakarta.faces.view.ViewScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.io.Serializable;

@Named
@ViewScoped
public class FlowAwareBean implements Serializable {

    // NEW in Faces 4.1: Direct injection of current Flow
    @Inject
    private Flow currentFlow;

    public String getFlowInfo() {
        if (currentFlow != null) {
            return "Current flow: " + currentFlow.getId();
        }
        return "Not in a flow";
    }

    public boolean isInFlow() {
        return currentFlow != null;
    }

    public String getFlowId() {
        return currentFlow != null ? currentFlow.getId() : null;
    }
}

Using rowStatePreserved in UIRepeat



 value="#{productBean.products}" var="product"
           rowStatePreserved="true">
    
         value="#{product.name}: " />
         value="#{product.quantity}" />
         value="Update"
                        action="#{productBean.updateProduct(product)}" />

Using setResponseContentLengthLong for large files

import jakarta.faces.context.ExternalContext;
import jakarta.faces.context.FacesContext;
import jakarta.inject.Named;
import jakarta.enterprise.context.RequestScoped;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

@Named
@RequestScoped
public class FileDownloadBean {

    public void downloadLargeFile() throws IOException {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();

        // Simulate a large file (> 2GB)
        long fileSize = 3_000_000_000L; // 3GB

        externalContext.responseReset();
        externalContext.setResponseContentType("application/octet-stream");
        externalContext.setResponseHeader("Content-Disposition",
            "attachment; filename=\"largefile.bin\"");

        // NEW in Faces 4.1: setResponseContentLengthLong for files > 2GB
        externalContext.setResponseContentLengthLong(fileSize);

        try (OutputStream output = externalContext.getResponseOutputStream()) {
            // Write file content
            // ... (implementation details)
        }

        facesContext.responseComplete();
    }
}

Generic FacesMessage with improved type safety

import jakarta.faces.application.FacesMessage;
import jakarta.faces.context.FacesContext;
import jakarta.inject.Named;
import jakarta.enterprise.context.RequestScoped;

@Named
@RequestScoped
public class MessageBean {

    public void demonstrateGenericMessages() {
        FacesContext context = FacesContext.getCurrentInstance();

        // NEW in Faces 4.1: FacesMessage.VALUES and VALUES_MAP are now generic
        // This provides better type safety when working with message severities

        FacesMessage infoMsg = new FacesMessage(
            FacesMessage.SEVERITY_INFO,
            "Information",
            "This is an info message"
        );

        FacesMessage warnMsg = new FacesMessage(
            FacesMessage.SEVERITY_WARN,
            "Warning",
            "This is a warning message"
        );

        FacesMessage errorMsg = new FacesMessage(
            FacesMessage.SEVERITY_ERROR,
            "Error",
            "This is an error message"
        );

        // NEW in Faces 4.1: FacesMessage now implements equals(), hashCode(), toString()
        System.out.println(infoMsg.toString());

        // Compare messages
        FacesMessage anotherInfoMsg = new FacesMessage(
            FacesMessage.SEVERITY_INFO,
            "Information",
            "This is an info message"
        );

        if (infoMsg.equals(anotherInfoMsg)) {
            System.out.println("Messages are equal");
        }

        context.addMessage(null, infoMsg);
        context.addMessage(null, warnMsg);
        context.addMessage(null, errorMsg);
    }
}

Security 4.0

Jakarta Security is the overarching API designed to provide a holistic, vendor-neutral security model for the Jakarta EE platform. It simplifies authentication and authorization by leveraging CDI and annotations to manage three core artifacts: Authentication Mechanisms, Identity Stores, and Permission Stores.

Jakarta Security 4.0 provides an In-memory Identity Store, which is a developer-defined store of credential information that is used during the Open Liberty authentication and authorization work flow. It provides a quick, simple, and convenient authentication mechanism for Liberty application testing, debugging, demos, and more.

New features in Security 4.0:

Multiple HTTP Authentication Mechanisms (HAMs): Multiple HTTP Authentication Mechanisms can now be defined within the same application. These mechanisms can be specified through built-in Jakarta annotations such as @FormAuthenticationMechanismDefinition or through custom implementations of the HttpAuthenticationMechanism interface. Prioritisation of multiple HAMs can be managed by a custom implementation of the HttpAuthenticationMechanismHandler instead of relying on the default algorithm provided by Jakarta Security.
Qualifiers for Built-in Authentication Mechanisms: Built-in authentication mechanisms (BASIC, FORM, Custom FORM, OpenID Connect) now have qualifiers by default, whereas before they were unqualified. This enables programmatic selection and injection of specific authentication mechanisms.
In-memory Identity Store: Provides @InMemoryIdentityStoreDefinition annotation for defining credential stores directly in code. This is designed for testing, debugging, and demos - not recommended for production use.
New SecurityContext method: A new method getAllDeclaredCallerRoles() is added to the SecurityContext interface, which returns a list of all static (declared) application roles that the authenticated caller is in.

Removals and Breaking Changes:

All references to the SecurityManager have been removed from the specification
Built-in authentication mechanisms now have a qualifier by default, whereas before they were unqualified

In-memory Identity Store

Before the introduction of the new identity store specification, Jakarta Security natively supported only two types of identity stores: database and LDAP, both of which are used for credential validation. While effective for production environments, these options were considered heavyweight for testing, debugging, and demonstration scenarios.

The Jakarta Security Specification 4.0 provides details on how to specify credential information to be used during the authentication workflow through the new @InMemoryIdentityStoreDefinition annotation:

@InMemoryIdentityStoreDefinition (
    priority = 10,
    priorityExpression = "${80/20}",
    useFor = {VALIDATE, PROVIDE_GROUPS},
    useForExpression = "#{'VALIDATE'}",
    value = {
        @Credentials(callerName = "jasmine", password = "secret1", groups = { "caller", "user" } )
    }
)

All attributes for the @InMemoryIdentityStoreDefinition annotation are shown in the example. The priority, priorityExpression, useFor, and useForExpression attributes are optional and set to sensible defaults.

The @Credentials annotation maps one or more caller names to a password and optional group values. The callerName and password attributes are mandatory. If either one is omitted, a compilation error occurs.

The example demonstrates a single caller definition with credential information that uses a plain-text password. However, it is highly recommended that passwords be supplied using an Open Liberty-supported encoding mechanism, as illustrated in the next example:

@InMemoryIdentityStoreDefinition (
    value = {
        @Credentials(callerName = "jasmine",  password = "{xor}LDo8LTorbg==", groups = { "caller", "user" } ),
        @Credentials(callerName = "frank", groups = { "user" }, password = "{hash}ARAAA  Fyyw=="),
        @Credentials(callerName = "sally", groups = { "user" }, password = "{aes}ARAFIYJ  WRQNA==")
    }
)

Encrypted and encoded passwords can be generated by using the Open Liberty securityUtility, which is included under the wlp/bin/securityUtility path. The following example demonstrates how to encode a text string by using the xor encoding mechanism:

wlp/bin/securityUtility encode --encoding=xor
Enter text: 
Re-enter text:
{xor}PTA9Lyg

Since this feature is designed for testing and debugging purpose, when an application defines an in‑memory identity store in code, its use must also be explicitly enabled in the server.xml configuration, as shown below. By default, the allowInMemoryIdentityStores attribute is set to false, which instructs the Liberty authentication workflows not to use in‑memory identity stores, even when a custom identity store handler is present.


    ...
    
        appSecurity-4.0
    
     allowInMemoryIdentityStores="true" />
    ...

Multiple HTTP Authentication Mechanisms

The Jakarta Security 4.0 specification allows multiple HTTP Authentication Mechanisms (HAMs) to be defined within a single application:

@BasicAuthenticationMechanismDefinition(realmName="basicAuth")

@FormAuthenticationMechanismDefinition(
                loginToContinue = @LoginToContinue(errorPage = "/form-login-error.html",
                loginPage = "/form-login.html"))

@CustomFormAuthenticationMechanismDefinition(
                loginToContinue = @LoginToContinue(errorPage = "/custom-login-error.html",
                loginPage = "/custom-login.html"))

This example demonstrates how three HTTP Authentication Mechanisms (HAMs) can be defined within a single application.

Custom HAMs can also be defined in the same application by implementing the HttpAuthenticationMechanism interface in one or more classes:

@ApplicationScoped
// @Priority is optional and used to control selection priority if multiple custom definitions exist
@Priority(100)
public class CustomHAM implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest(
        HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext httpMessageContext) throws AuthenticationException {

            // implement custom logic here, and return an AuthenticationStatus
            return AuthenticationStatus.NOT_DONE;
    }
}

So a single application can have a mix of both annotation-defined HAMs and custom ones. In the previous two snippets of code, a total of four HAMs are defined (three by annotation and one custom one).

@Priority must be used to raise or lower the priority of one custom HAM over another. If not specified, then a default priority is assigned. If more than one custom HAM is defined, their priorities need to be explicitly set to unique values. If the priorities are set to the same value or remain unset and inherit the same default value, an error occurs.

HAM Resolution

An internal implementation of the Jakarta Security 4.0 HttpAuthenticationMechanismHandler interface (the "internal HAM handler") is provided. When an application defines multiple HAMs, this internal handler selects a single HAM to be used in the authentication flow.

The order in which HAMs are considered (when present) is as follows:

Custom (developer-provided) HAMs
- If multiple custom HAMs are defined, their relative order is resolved by using @Priority.
OpenIdAuthenticationMechanismDefinition
CustomFormAuthenticationMechanismDefinition
FormAuthenticationMechanismDefinition
BasicAuthenticationMechanismDefinition

Given this ordering, the Custom HAM is always selected in the authentication workflow if all five HAM types are defined in the application.

A developer must provide a custom implementation of the HttpAuthenticationMechanismHandler interface (a "custom HAM handler") if the internal HAM handler does not meet their requirements. A custom handler always takes precedence over the internal HAM handler, allowing any tailored algorithm to select a single HAM from multiple available mechanisms.

Qualifiers

HAMs, whether defined through annotations or as custom defined, can also include an optional class-level qualifier to simplify HAM injection into a custom HAM handler. For example, if you want to define qualified HAMs, you would first declare qualifier interfaces such as:

import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.PARAMETER;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import jakarta.inject.Qualifier;

@Qualifier
@Retention(RUNTIME)
@Target({TYPE, METHOD, FIELD, PARAMETER})
public @interface Admin {
}

import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.PARAMETER;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import jakarta.inject.Qualifier;

@Qualifier
@Retention(RUNTIME)
@Target({TYPE, METHOD, FIELD, PARAMETER})
public @interface User {
}

Now define multiple Basic HTTP Authentication Mechanisms in the main application:

import Admin;
import User;

import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.core.Application;


@BasicAuthenticationMechanismDefinition(realmName="admin-realm", qualifiers={Admin.class})
@BasicAuthenticationMechanismDefinition(realmName="user-realm", qualifiers={User.class})

@ApplicationScoped
@ApplicationPath("/")
public class MultipleHAMsApplication extends Application {
}

In the example, two Basic HTTP Authentication Mechanisms are defined in the main application. The @BasicAuthenticationMechanismDefinition annotation is used to define the realm name and the qualifier for each mechanism. The qualifiers are used to distinguish between the two mechanisms during injection.

Now finally, define an implementation of the HttpAuthenticationMechanismHandler to choose which qualified HAM to use:

import Admin;
import User;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Default;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanismHandler;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@ApplicationScoped
public class CustomHAMHandler implements HttpAuthenticationMechanismHandler {

    @Inject @Admin
    private HttpAuthenticationMechanism adminHAM;

    @Inject @User
    private HttpAuthenticationMechanism userHAM;

    public CustomHAMHandler() {
    }

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext httpMessageContext) throws AuthenticationException {
        String requestURI = request.getRequestURI();
        String contextPath = request.getContextPath();

        String path = requestURI;
        if (contextPath != null && !contextPath.isEmpty()) {
            path = requestURI.substring(contextPath.length());
        }

        if (path.startsWith("/resource/admin")) {
            return adminHAM.validateRequest(request, response, httpMessageContext);
        } else if (path.startsWith("/resource/user")) {
            return userHAM.validateRequest(request, response, httpMessageContext);
        }
        return AuthenticationStatus.SEND_FAILURE;
    }
}

Note, you can also add a qualifier to custom HTTP Authentication Mechanisms (as you could prior to Jakarta Security 4.0) and inject the custom HAM into your custom HAM handler.

getAllDeclaredCallerRoles()

To use the new SecurityContext method, inject the SecurityContext implementation into your application and call the method directly:

    @Inject
    private SecurityContext securityContext;

    Set<String> allDeclaredCallerRoles = securityContext.getAllDeclaredCallerRoles();

    System.out.println("All declared caller roles for caller ["
        + securityContext.getCallerPrincipal().getName()
        + "] are "
        + allDeclaredCallerRoles.toString());

    @GET
    @Path("/info")
    @Produces(MediaType.APPLICATION_JSON)
    public String getSecureInfo() {
        String username = securityContext.getUserPrincipal().getName();
        boolean isAdmin = securityContext.isUserInRole("ADMIN");

        return String.format(
            "{\"user\": \"%s\", \"isAdmin\": %b}",
            username,
            isAdmin
        );
    }

    @GET
    @Path("/admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String adminOnly() {
        if (!securityContext.isUserInRole("ADMIN")) {
            throw new SecurityException("Admin access required");
        }
        return "Welcome, administrator!";
    }
}

Servlet 6.1

Jakarta Servlet defines a server-side API for handling HTTP requests and responses. This release removes references to the SecurityManager and provides various small enhancements and clarifications.

New features in Servlet 6.1:

Allow control of status code and response body when sending a redirect
Add a query string attribute to error dispatches
Add constants for new HTTP status codes
Add overloaded methods that use Charset rather than String
Add ByteBuffer support to ServletInputStream and ServletOutputStream
Various clarifications throughout the specification

Removals:

All references to the SecurityManager and associated APIs have been removed

Custom Redirect with Status Code Control

Servlet 6.1 allows you to control the HTTP status code when sending redirects:

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebServlet("/redirect-example")
public class RedirectServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        String action = request.getParameter("action");

        if ("permanent".equals(action)) {
            // Send a 301 Moved Permanently redirect
            response.sendRedirect("/new-location", HttpServletResponse.SC_MOVED_PERMANENTLY);
        } else if ("temporary".equals(action)) {
            // Send a 307 Temporary Redirect (preserves request method)
            response.sendRedirect("/temp-location", HttpServletResponse.SC_TEMPORARY_REDIRECT);
        } else {
            // Default 302 Found redirect
            response.sendRedirect("/default-location");
        }
    }
}

Using Charset Methods

Servlet 6.1 adds overloaded methods that accept Charset instead of String for better type safety:

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;

@WebServlet("/charset-example")
public class CharsetServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Use Charset instead of String for character encoding
        response.setCharacterEncoding(StandardCharsets.UTF_8);
        response.setContentType("text/html");

        PrintWriter writer = response.getWriter();
        writer.println("");
        writer.println("UTF-8 Encoded Response");
        writer.println("Special characters: é, ñ, ü, 中文");
        writer.println("");
    }
}

ByteBuffer Support

Servlet 6.1 adds ByteBuffer support to ServletInputStream and ServletOutputStream:

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.ServletOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

@WebServlet("/bytebuffer-example")
public class ByteBufferServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        response.setContentType("application/octet-stream");

        // Create a ByteBuffer with data
        String data = "Binary data using ByteBuffer";
        ByteBuffer buffer = ByteBuffer.wrap(data.getBytes(StandardCharsets.UTF_8));

        // Write ByteBuffer directly to ServletOutputStream
        ServletOutputStream outputStream = response.getOutputStream();
        outputStream.write(buffer);
        outputStream.flush();
    }
}

Error Dispatch with Query String

Servlet 6.1 adds a query string attribute to error dispatches:

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.RequestDispatcher;
import java.io.IOException;
import java.io.PrintWriter;

@WebServlet("/error-handler")
public class ErrorHandlerServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        response.setContentType("text/html");
        PrintWriter writer = response.getWriter();

        // Access error attributes including the new query string attribute
        Integer statusCode = (Integer) request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String message = (String) request.getAttribute(RequestDispatcher.ERROR_MESSAGE);
        String requestUri = (String) request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        String queryString = (String) request.getAttribute(RequestDispatcher.ERROR_QUERY_STRING);

        writer.println("");
        writer.println("Error Handler");
        writer.println("Status Code: " + statusCode + "");
        writer.println("Message: " + message + "");
        writer.println("Request URI: " + requestUri + "");

        // New in Servlet 6.1: Query string is now available in error dispatches
        if (queryString != null) {
            writer.println("Query String: " + queryString + "");
        }

        writer.println("");
    }
}

RESTful Web Services 4.0

Jakarta RESTful Web Services provides a foundational API to develop web services following the Representational State Transfer (REST) architectural pattern. The full details for this release are as follows.

New features in RESTful Web Services 4.0:

TCK tests for multipart/form-data API: Added comprehensive tests for multipart form data handling
TCK tests for default ExceptionMapper: Added tests to verify default exception mapping behavior
Added containsHeaderString method to a few APIs: New method added to the APIs -ClientRequestContext, ClientResponseContext, ContainerRequestContext, ContainerResponseContext and HttpHeaders to provide an easy way to check whether a header contains specific values
Required TCK for convenience method: Added required tests for the new convenience method merged in PR 1066
Clarified JavaSE support: Clarified JavaSE support in Section 2.3 of specification
Added getMatchedResourceTemplate method to UriInfo: New method to retrieve the matched resource template
Added JSON Merge Patch support: Support for RFC 7396 JSON Merge Patch

Removals:

Remove JAXB dependency: Jakarta REST no longer depends on JAXB
Remove ManagedBean support: ManagedBean support has been removed from Jakarta REST

Basic REST Resource Example

import jakarta.ws.rs.*;
import jakarta.ws.rs.core.*;
import java.util.List;
import java.util.ArrayList;

@Path("/products")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class ProductResource {

    private static List products = new ArrayList<>();

    @GET
    public Response getAllProducts() {
        return Response.ok(products).build();
    }

    @GET
    @Path("/{id}")
    public Response getProduct(@PathParam("id") Long id) {
        Product product = products.stream()
            .filter(p -> p.getId().equals(id))
            .findFirst()
            .orElse(null);

        if (product == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }

        return Response.ok(product).build();
    }

    @POST
    public Response createProduct(Product product) {
        products.add(product);
        return Response.status(Response.Status.CREATED)
            .entity(product)
            .build();
    }

    @PUT
    @Path("/{id}")
    public Response updateProduct(@PathParam("id") Long id, Product updatedProduct) {
        Product product = products.stream()
            .filter(p -> p.getId().equals(id))
            .findFirst()
            .orElse(null);

        if (product == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }

        products.remove(product);
        products.add(updatedProduct);

        return Response.ok(updatedProduct).build();
    }

    @DELETE
    @Path("/{id}")
    public Response deleteProduct(@PathParam("id") Long id) {
        boolean removed = products.removeIf(p -> p.getId().equals(id));

        if (!removed) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }

        return Response.noContent().build();
    }
}

class Product {
    private Long id;
    private String name;
    private Double price;

    // Constructors, getters, setters
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public Double getPrice() { return price; }
    public void setPrice(Double price) { this.price = price; }
}

Using getMatchedResourceTemplate (NEW in 4.0)

import jakarta.ws.rs.*;
import jakarta.ws.rs.core.*;

@Path("/api/users")
public class UserResource {

    @Context
    private UriInfo uriInfo;

    @GET
    @Path("/{userId}/orders/{orderId}")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getUserOrder(
            @PathParam("userId") Long userId,
            @PathParam("orderId") Long orderId) {

        // NEW in REST 4.0: getMatchedResourceTemplate method
        String template = uriInfo.getMatchedResourceTemplate();
        System.out.println("Matched template: " + template);
        // Output: /api/users/{userId}/orders/{orderId}

        // Use the template for logging, metrics, or routing decisions
        return Response.ok()
            .entity(new Order(orderId, userId))
            .header("X-Resource-Template", template)
            .build();
    }
}

class Order {
    private Long orderId;
    private Long userId;

    public Order(Long orderId, Long userId) {
        this.orderId = orderId;
        this.userId = userId;
    }

    public Long getOrderId() { return orderId; }
    public Long getUserId() { return userId; }
}

JSON Merge Patch Support (NEW in 4.0)

import jakarta.ws.rs.*;
import jakarta.ws.rs.core.*;
import jakarta.json.Json;
import jakarta.json.JsonMergePatch;
import jakarta.json.JsonValue;
import jakarta.json.bind.Jsonb;
import jakarta.json.bind.JsonbBuilder;

@Path("/customers")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class CustomerResource {

    private static Customer customer = new Customer(1L, "John Doe", "john@example.com");

    @GET
    @Path("/{id}")
    public Response getCustomer(@PathParam("id") Long id) {
        return Response.ok(customer).build();
    }

    // NEW in REST 4.0: JSON Merge Patch support (RFC 7396)
    @PATCH
    @Path("/{id}")
    @Consumes(MediaType.APPLICATION_MERGE_PATCH_JSON)
    public Response patchCustomer(
            @PathParam("id") Long id,
            JsonValue patchJson) {

        try (Jsonb jsonb = JsonbBuilder.create()) {
            // Convert customer to JsonValue
            JsonValue customerJson = jsonb.fromJson(
                jsonb.toJson(customer), JsonValue.class);

            // Create merge patch manually from the incoming JSON
            JsonMergePatch mergePatch = Json.createMergePatch(patchJson);
            // Apply the merge patch
            JsonValue patchedJson = mergePatch.apply(customerJson);

            // Convert back to Customer object
            Customer patchedCustomer = jsonb.fromJson(
                patchedJson.toString(), Customer.class);

            customer = patchedCustomer;

            return Response.ok(customer).build();
        } catch (Exception e) {
            return Response.status(Response.Status.BAD_REQUEST)
                .entity("Invalid patch: " + e.getMessage())
                .build();
        }
    }
}

class Customer {
    private Long id;
    private String name;
    private String email;

    public Customer() {}

    public Customer(Long id, String name, String email) {
        this.id = id;
        this.name = name;
        this.email = email;
    }

    // Getters and setters
    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

Multipart Form Data Handling

import jakarta.ws.rs.*;
import jakarta.ws.rs.core.*;
import java.io.InputStream;
import java.io.IOException;
/**
 * Demonstrates multipart/form-data handling in Jakarta REST 4.0
 * using the standard EntityPart API (new in REST 4.0)
 */
@Path("/upload")
public class FileUploadResource {
    @POST
    @Consumes(MediaType.MULTIPART_FORM_DATA)
    @Produces(MediaType.APPLICATION_JSON)
    public Response uploadFile(
            @FormParam("file") EntityPart filePart,
            @FormParam("description") String description) {
        if (filePart == null) {
            return Response.status(Response.Status.BAD_REQUEST)
                .entity(new UploadResponse(null, 0, "No file provided"))
                .build();
        }
        try {
            String fileName = filePart.getFileName().orElse("unknown");
            // Read the file content to get size
            long fileSize = 0;
            try (InputStream is = filePart.getContent()) {
                byte[] buffer = new byte[8192];
                int bytesRead;
                while ((bytesRead = is.read(buffer)) != -1) {
                    fileSize += bytesRead;
                }
            }
            // Process the file
            System.out.println("Uploading file: " + fileName);
            System.out.println("File size: " + fileSize);
            System.out.println("Description: " + description);
            System.out.println("Content-Type: " + filePart.getMediaType());
            return Response.ok()
                .entity(new UploadResponse(fileName, fileSize, "Upload successful"))
                .build();
        } catch (IOException e) {
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                .entity(new UploadResponse(null, 0, "Error processing file: " + e.getMessage()))
                .build();
        }
    }
}

class UploadResponse {
    private String fileName;
    private long fileSize;
    private String message;

    public UploadResponse(String fileName, long fileSize, String message) {
        this.fileName = fileName;
        this.fileSize = fileSize;
        this.message = message;
    }

    // Getters
    public String getFileName() { return fileName; }
    public long getFileSize() { return fileSize; }
    public String getMessage() { return message; }
}

Persistence 3.2

Jakarta Persistence defines a standard for management of persistence and object/relational mapping in Java environments.

New features in Persistence 3.2:

Java Record Support: Adds support for Java record types as embeddable classes
java.time Support: Adds support for java.time.Instant and java.time.Year with clarified JDBC mappings for basic types
New Query Operators: Adds union, intersect, except, cast, left, right, and replace operators for Jakarta Persistence QL and criteria queries
String Concatenation: Adds || as a concatenation operator and id and version functions to Jakarta Persistence QL
Criteria API Enhancements: Adds CriteriaSelect, subquery(EntityType) and joins on EntityType to Criteria API
Null Precedence: Adds support for specifying null precedence when ordering Jakarta Persistence QL and criteria queries
Query Methods: Adds getSingleResultOrNull() to Query, TypedQuery, StoredProcedureQuery
Named Queries: Adds entities(), classes() and columns() to NamedNativeQuery
Lock Mode: Adds lockMode() to EntityResult with the default being OPTIMISTIC
Transaction Helpers: Adds runInTransaction() and callInTransaction() convenience methods for executing code within transactions
EntityManager Connection Access: Adds runWithConnection() and callWithConnection() methods for direct JDBC connection access
Programmatic Configuration API: Adds PersistenceConfiguration for programmatic persistence unit configuration
Schema Management API: Adds SchemaManager for schema creation, validation, truncation, and dropping
DDL Generation Enhancements: Adds support for comments, check constraints, table options, and second precision in generated DDL
Enum Mapping Enhancements: Adds @EnumeratedValue for custom enum value mapping
Named Query and Graph Factory Access: Adds APIs for factory-based named query and entity graph creation/access

Deprecations:

Temporal Types: Deprecates usage of Calendar, Date, Time, Timestamp, Temporal, MapKeyTemporal, and TemporalType in favor of java.time API
multiselect Methods: Deprecates multiselect methods in CriteriaQuery in favor of array or tuple methods defined in CriteriaBuilder
Byte[] and Character[] Arrays: Deprecates use of Byte[] and Character[] arrays for basic attributes, in favor of primitive array types
Subgraph Methods for Removal: Deprecates addSubclassSubgraph() in EntityGraph for removal; addTreatedSubgraph() method should be used as direct replacement
Attribute and Class Subgraph Methods: Deprecates addSubgraph(Attribute, Class) and addKeySubgraph() in Graph/EntityGraph/SubGraph for removal
Transaction Methods: Deprecates jakarta.persistence.spi.PersistenceUnitTransactionType and jakarta.persistence.PersistenceUnitUtil.getTransactionType() methods for removal

import jakarta.persistence.*;
import java.time.Instant;
import java.time.Year;
import java.util.List;

// NEW in 3.2: Java Record as Embeddable
@Embeddable
public record Address(
    String street,
    String city,
    String state,
    String zipCode
) {}

@Entity
@Table(name = "customers")
@NamedQuery(name = "Customer.findByEmail",
            query = "SELECT c FROM Customer c WHERE c.email = :email")
public class Customer {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Version
    private Long version;

    @Column(nullable = false)
    private String name;

    @Column(unique = true, nullable = false)
    private String email;

    private String phone;

    private String status;  // e.g., "ACTIVE", "INACTIVE"

    private Integer vipLevel;  // VIP tier level

    // NEW in 3.2: Embedded record type
    @Embedded
    private Address address;

    // NEW in 3.2: java.time.Instant support
    private Instant createdAt;

    // NEW in 3.2: java.time.Year support
    private Year memberSince;

    @OneToMany(mappedBy = "customer", cascade = CascadeType.ALL)
    private List orders;

    // Constructors, getters, setters
}

@Stateless
public class CustomerRepository {

    @PersistenceContext
    private EntityManager em;

    public Customer findById(Long id) {
        return em.find(Customer.class, id);
    }

    public Customer findByEmail(String email) {
        return em.createNamedQuery("Customer.findByEmail", Customer.class)
                 .setParameter("email", email)
                 .getSingleResult();
    }

    // NEW in 3.2: getSingleResultOrNull() method
    public Customer findByEmailOrNull(String email) {
        return em.createQuery("SELECT c FROM Customer c WHERE c.email = :email", Customer.class)
                 .setParameter("email", email)
                 .getSingleResultOrNull();  // Returns null instead of throwing exception
    }

    // NEW in 3.2: String concatenation with || operator
    public List<String> getFullNames() {
        return em.createQuery(
            "SELECT c.name || ' (' || c.email || ')' FROM Customer c",
            String.class
        ).getResultList();
    }

    // NEW in 3.2: UNION operator
    public List findActiveAndVIPCustomers() {
        return em.createQuery(
            "SELECT c FROM Customer c WHERE c.status = 'ACTIVE' " +
            "UNION " +
            "SELECT c FROM Customer c WHERE c.vipLevel > 5",
            Customer.class
        ).getResultList();
    }

    // NEW in 3.2: Null precedence in ordering
    public List findCustomersOrderedByCity() {
        return em.createQuery(
            "SELECT c FROM Customer c ORDER BY c.address.city NULLS LAST",
            Customer.class
        ).getResultList();
    }

    public List findCustomersWithOrders() {
        // Using JOIN FETCH for efficient loading
        return em.createQuery(
            "SELECT DISTINCT c FROM Customer c LEFT JOIN FETCH c.orders",
            Customer.class
        ).getResultList();
    }

    public void save(Customer customer) {
        if (customer.getId() == null) {
            em.persist(customer);
        } else {
            em.merge(customer);
        }
    }
}
// NEW in 3.2: Criteria API Enhancements
@Stateless
public class CustomerCriteriaRepository {

    @PersistenceContext
    private EntityManager em;

    // NEW in 3.2: Using CriteriaSelect for type-safe queries
    public List findCustomersByCityUsingCriteria(String city) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery cq = cb.createQuery(Customer.class);
        Root customer = cq.from(Customer.class);

        // CriteriaSelect provides enhanced type safety
        cq.select(customer)
          .where(cb.equal(customer.get("address").get("city"), city));

        return em.createQuery(cq).getResultList();
    }

    // NEW in 3.2: subquery(EntityType) for correlated subqueries
    public List findCustomersWithMultipleOrders() {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery cq = cb.createQuery(Customer.class);
        Root customer = cq.from(Customer.class);

        // Create a correlated subquery using the new subquery(EntityType) method
        Subquery<Long> subquery = cq.subquery(Long.class);
        Root order = subquery.correlate(customer).join("orders");
        subquery.select(cb.count(order));

        cq.select(customer)
          .where(cb.greaterThan(subquery, 1L));

        return em.createQuery(cq).getResultList();
    }

    // NEW in 3.2: Joins on EntityType
    public List findCustomersWithRecentOrders(Instant since) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery cq = cb.createQuery(Customer.class);
        Root customer = cq.from(Customer.class);

        // Join directly on EntityType
        Join orders = customer.join("orders");

        cq.select(customer)
          .where(cb.greaterThanOrEqualTo(orders.get("orderDate"), since))
          .distinct(true);

        return em.createQuery(cq).getResultList();
    }
}

// NEW in 3.2: Advanced Query Operators
@Stateless
public class AdvancedQueryRepository {

    @PersistenceContext
    private EntityManager em;

    // NEW in 3.2: INTERSECT operator
    public List findCustomersInBothActiveAndVIP() {
        return em.createQuery(
            "SELECT c FROM Customer c WHERE c.status = 'ACTIVE' " +
            "INTERSECT " +
            "SELECT c FROM Customer c WHERE c.vipLevel > 5",
            Customer.class
        ).getResultList();
    }

    // NEW in 3.2: EXCEPT operator (set difference)
    public List findActiveCustomersExceptVIP() {
        return em.createQuery(
            "SELECT c FROM Customer c WHERE c.status = 'ACTIVE' " +
            "EXCEPT " +
            "SELECT c FROM Customer c WHERE c.vipLevel > 5",
            Customer.class
        ).getResultList();
    }

    // NEW in 3.2: CAST operator for type conversion
    public List<String> getCustomerIdsAsStrings() {
        return em.createQuery(
            "SELECT CAST(c.id AS STRING) FROM Customer c",
            String.class
        ).getResultList();
    }

    // NEW in 3.2: LEFT and RIGHT string functions
    public List<String> getEmailPrefixes() {
        return em.createQuery(
            "SELECT LEFT(c.email, 5) FROM Customer c",
            String.class
        ).getResultList();
    }

    public List<String> getEmailDomains() {
        return em.createQuery(
            "SELECT RIGHT(c.email, 10) FROM Customer c",
            String.class
        ).getResultList();
    }

    // NEW in 3.2: REPLACE function for string manipulation
    public List<String> normalizePhoneNumbers() {
        return em.createQuery(
            "SELECT REPLACE(c.phone, '-', '') FROM Customer c",
            String.class
        ).getResultList();
    }

    // NEW in 3.2: id() function to access entity identifier
    public List<Long> getCustomerIds() {
        return em.createQuery(
            "SELECT id(c) FROM Customer c WHERE c.status = 'ACTIVE'",
            Long.class
        ).getResultList();
    }

    // NEW in 3.2: version() function to access entity version
    public List<Object[]> getCustomerVersionInfo() {
        return em.createQuery(
            "SELECT c.name, version(c) FROM Customer c",
            Object[].class
        ).getResultList();
    }
}

// NEW in 3.2: NamedNativeQuery with entities(), classes(), and columns()
@Entity
@Table(name = "products")
@NamedNativeQuery(
    name = "Product.findWithDetails",
    query = "SELECT p.id, p.name, p.price, c.name as category_name " +
            "FROM products p JOIN categories c ON p.category_id = c.id",
    resultSetMapping = "ProductDetailsMapping"
)
@SqlResultSetMapping(
    name = "ProductDetailsMapping",
    entities = @EntityResult(
        entityClass = Product.class,
        fields = {
            @FieldResult(name = "id", column = "id"),
            @FieldResult(name = "name", column = "name"),
            @FieldResult(name = "price", column = "price")
        },
        // NEW in 3.2: lockMode() on EntityResult
        lockMode = LockModeType.OPTIMISTIC
    ),
    columns = @ColumnResult(name = "category_name", type = String.class)
)
public class Product {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String name;
    private Double price;

    @Version
    private Long version;

    @ManyToOne
    @JoinColumn(name = "category_id")
    private Category category;

    // Constructors, getters, setters
}

@Entity
@Table(name = "categories")
public class Category {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    private String name;

    @OneToMany(mappedBy = "category")
    private List products;

    // Constructors, getters, setters
}

@Stateless
public class ProductRepository {

    @PersistenceContext
    private EntityManager em;

    // NEW in 3.2: Using NamedNativeQuery with enhanced result mapping
    public List<Object[]> findProductsWithDetails() {
        return em.createNamedQuery("Product.findWithDetails")
                 .getResultList();
    }

    // NEW in 3.2: Combining multiple new features in one query
    // Demonstrates: CAST, LEFT, REPLACE, ||, UNION, NULLS LAST, id()
    public List findFeaturedProducts(String categoryPrefix) {
        return em.createQuery(
            // First set: Premium products with name manipulation
            "SELECT p FROM Product p " +
            "WHERE CAST(p.price AS STRING) LIKE '%.99' " +  // CAST operator
            "AND LEFT(p.category.name, 3) = :prefix " +     // LEFT function
            "AND REPLACE(p.name, '-', ' ') IS NOT NULL " +  // REPLACE function
            "UNION " +                                       // UNION operator
            // Second set: Discounted products with concatenation
            "SELECT p FROM Product p " +
            "WHERE (p.name || ' - ' || p.category.name) LIKE '%Sale%' " +  // || concatenation
            "ORDER BY p.price NULLS LAST, id(p)",           // NULLS LAST + id() function
            Product.class
        )
        .setParameter("prefix", categoryPrefix)
        .getResultList();  // Returns list of all matching products
    }


// NEW in 3.2: Transaction Helpers
@Stateless
public class TransactionHelperExample {

    @PersistenceContext
    private EntityManager em;

    // NEW in 3.2: runInTransaction() - Execute code within a transaction
    public void processOrderWithTransaction(Order order) {
        em.runInTransaction(entityManager -> {
            // All operations here run in a transaction
            entityManager.persist(order);

            // Update inventory
            for (OrderItem item : order.getItems()) {
                Product product = entityManager.find(Product.class, item.getProductId());
                product.setStockQuantity(product.getStockQuantity() - item.getQuantity());
                entityManager.merge(product);
            }

            // No need to explicitly commit - handled automatically
        });
    }

    // NEW in 3.2: callInTransaction() - Execute code and return a result
    public Order createOrderWithTransaction(OrderRequest request) {
        return em.callInTransaction(entityManager -> {
            Order order = new Order();
            order.setCustomerId(request.getCustomerId());
            order.setItems(request.getItems());
            order.setTotal(calculateTotal(request.getItems()));

            entityManager.persist(order);
            return order;  // Return value from transaction
        });
    }

    private double calculateTotal(List items) {
        return items.stream()
                   .mapToDouble(item -> item.getPrice() * item.getQuantity())
                   .sum();
    }
}

// NEW in 3.2: EntityManager Connection Access
@Stateless
public class ConnectionAccessExample {

    @PersistenceContext
    private EntityManager em;

    // NEW in 3.2: runWithConnection() - Direct JDBC access
    public void executeBatchUpdate(List<Long> productIds) {
        em.runWithConnection(connection -> {
            String sql = "UPDATE products SET last_updated = ? WHERE id = ?";
            try (PreparedStatement stmt = connection.prepareStatement(sql)) {
                Instant now = Instant.now();
                for (Long id : productIds) {
                    stmt.setObject(1, now);
                    stmt.setLong(2, id);
                    stmt.addBatch();
                }
                stmt.executeBatch();
            }
        });
    }

    // NEW in 3.2: callWithConnection() - Direct JDBC access with return value
    public int getProductCount() {
        return em.callWithConnection(connection -> {
            String sql = "SELECT COUNT(*) FROM products WHERE active = true";
            try (PreparedStatement stmt = connection.prepareStatement(sql);
                 ResultSet rs = stmt.executeQuery()) {
                if (rs.next()) {
                    return rs.getInt(1);
                }
                return 0;
            }
        });
    }
}

// NEW in 3.2: Programmatic Configuration API
public class ProgrammaticConfigurationExample {

    public EntityManagerFactory createEntityManagerFactory() {
        // NEW in 3.2: PersistenceConfiguration for programmatic setup
        PersistenceConfiguration config = new PersistenceConfiguration("myPersistenceUnit");

        config.provider("org.hibernate.jpa.HibernatePersistenceProvider")
              .jtaDataSource("java:comp/env/jdbc/MyDataSource")
              .managedClass(Product.class)
              .managedClass(Category.class)
              .managedClass(Order.class)
              .property("hibernate.dialect", "org.hibernate.dialect.PostgreSQLDialect")
              .property("hibernate.show_sql", "true")
              .property("hibernate.format_sql", "true");

        return Persistence.createEntityManagerFactory(config);
    }
}

// NEW in 3.2: Schema Management API
@Stateless
public class SchemaManagementExample {

    @PersistenceContext
    private EntityManager em;

    public void manageSchema() {
        // NEW in 3.2: SchemaManager for schema operations
        SchemaManager schemaManager = em.getSchemaManager();

        // Create schema
        schemaManager.create(false);  // false = don't drop existing

        // Validate schema
        schemaManager.validate();

        // Truncate all tables (useful for testing)
        schemaManager.truncate();

        // Drop schema
        // schemaManager.drop();
    }
}

// NEW in 3.2: Enum Mapping Enhancements with @EnumeratedValue
public enum OrderStatus {

    PENDING("P"),
    CONFIRMED("C"),
    SHIPPED("S"),
    DELIVERED("D"),
    CANCELLED("X");

    @EnumeratedValue
    private final String code;

    OrderStatus(String code) {
        this.code = code;
    }

    public String getCode() {
        return code;
    }
}

@Entity
@Table(name = "orders")
public class Order {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    // NEW in 3.2: Custom enum mapping with @EnumeratedValue
    @Enumerated(EnumType.STRING)
    private OrderStatus status;  // Stored as "P", "C", "S", "D", "X" in database

    private Instant orderDate;
    private Double total;

    @OneToMany(mappedBy = "order", cascade = CascadeType.ALL)
    private List items;

    // Constructors, getters, setters
}

// NEW in 3.2: DDL Generation Enhancements
@Entity
@Table(name = "products",
       comment = "Product catalog table",  // NEW in 3.2: Table comments
       options = "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4")  // NEW in 3.2: Table options
@CheckConstraint(name = "price_positive",
                constraint = "price > 0")  // NEW in 3.2: Check constraints
public class Product {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false, comment = "Product name")  // NEW in 3.2: Column comments
    private String name;

    @Column(nullable = false)
    @CheckConstraint(name = "price_range",
                    constraint = "price BETWEEN 0.01 AND 999999.99")
    private Double price;

    @Column(name = "created_at", precision = 6)  // NEW in 3.2: Second precision for timestamps
    private Instant createdAt;

    @Column(name = "updated_at", precision = 6)
    private Instant updatedAt;

    // Constructors, getters, setters
}

// NEW in 3.2: Named Query Factory Access
@Stateless
public class NamedQueryFactoryExample {

    @PersistenceContext
    private EntityManager em;

    public void demonstrateNamedQueryFactory() {
        // NEW in 3.2: Factory-based named query access
        EntityManagerFactory emf = em.getEntityManagerFactory();

        // Get named query from factory
        TypedQuery query = emf.createNamedQuery("Customer.findByEmail", Customer.class);
        query.setParameter("email", "user@example.com");
        Customer customer = query.getSingleResultOrNull();

        // Get named entity graph from factory
        EntityGraph graph = emf.createEntityGraph(Customer.class);
        graph.addAttributeNodes("orders", "address");

        // Use the graph in a query
        List customers = em.createQuery("SELECT c FROM Customer c", Customer.class)
                                     .setHint("jakarta.persistence.fetchgraph", graph)
                                     .getResultList();
    }
}

Pages 4.0

Jakarta Pages defines a template engine for web applications. This release removes deprecated code and provides updates necessary to align with changes in the Jakarta Servlet and Expression Language specifications.

New features and enhancements in Pages 4.0:

Enhanced ErrorData: Updated ErrorData to add support for new servlet error attributes:
jakarta.servlet.error.query_string - Access the query string from error pages
jakarta.servlet.error.method - Access the HTTP method from error pages

Removals and deprecations:

All code deprecated as of Jakarta Server Pages 3.1 has been removed:

ELResolver methods: Removed methods that override ELResolver.getFeatureDescriptors() as that method is removed in EL 6.0
isThreadSafe directive: Removed the isThreadSafe page directive attribute as the related Servlet API interface SingleThreadModel has been removed in Servlet 6.0
jsp:plugin action: Removed the jsp:plugin action and related actions as the associated HTML elements are no longer supported by any major browser
JspException.getRootCause(): Removed deprecated JspException.getRootCause()method

Enhanced Error Handling with ErrorData

Jakarta Pages 4.0 adds new error attributes to ErrorData for better error page diagnostics:

<%@ page contentType="text/html;charset=UTF-8" language="java" isErrorPage="true" %>



    Error Page - Jakarta Pages 4.0


    An Error Occurred

    
    Status Code: ${pageContext.errorData.statusCode}
    Request URI: ${pageContext.errorData.requestURI}
    Servlet Name: ${pageContext.errorData.servletName}

    
    HTTP Method: ${pageContext.request.getAttribute('jakarta.servlet.error.method')}

    
    Query String: ${pageContext.request.getAttribute('jakarta.servlet.error.query_string')}

    
    
        Exception Details
        Type: ${pageContext.errorData.throwable.class.name}
        Message: ${pageContext.errorData.throwable.message}

WebSocket 2.2

Jakarta WebSocket defines an API for Server and Client Endpoints for the WebSocket protocol (RFC6455). This release removes references to the SecurityManager and provides some minor updates and clarifications.

New features in WebSocket 2.2:

Clarified ping/pong responsibilities: The specification now clearly defines the responsibilities for sending ping and pong messages between client and server
New getSession() method: Added getSession() method to SendResult class to retrieve the session associated with a send operation
Clarified maxMessageSize behavior: Clarified the behavior when @OnMessage.maxMessageSize is set to a value larger than Integer.MAX_VALUE

Removals:

All references to the SecurityManager have been removed

Using the new getSession() method in SendResult

The new getSession() method allows you to retrieve the WebSocket session associated with a send operation, which is particularly useful when handling asynchronous message sending:

import jakarta.websocket.*;
import jakarta.websocket.server.ServerEndpoint;
import jakarta.websocket.server.PathParam;
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.concurrent.Future;

@ServerEndpoint("/notifications/{userId}")
public class NotificationWebSocket {

    private static final Set sessions = new CopyOnWriteArraySet<>();

    @OnOpen
    public void onOpen(Session session, @PathParam("userId") String userId) {
        sessions.add(session);
        session.getUserProperties().put("userId", userId);
        System.out.println("User " + userId + " connected");
    }

    @OnMessage
    public void onMessage(String message, Session session) {
        String userId = (String) session.getUserProperties().get("userId");
        System.out.println("Received message from " + userId + ": " + message);

        // Echo the message back
        sendAsyncMessage(session, "Echo: " + message);
    }

    @OnClose
    public void onClose(Session session, @PathParam("userId") String userId) {
        sessions.remove(session);
        System.out.println("User " + userId + " disconnected");
    }

    @OnError
    public void onError(Session session, Throwable throwable) {
        System.err.println("WebSocket error: " + throwable.getMessage());
        throwable.printStackTrace();
    }

    // Demonstrates the new getSession() method in SendResult
    private void sendAsyncMessage(Session session, String message) {
        try {
            RemoteEndpoint.Async asyncRemote = session.getAsyncRemote();
            Future<Void> future = asyncRemote.sendText(message);

            // Add a callback to handle the send result
            future.get(); // Wait for completion

            // In a real application, you might use a SendHandler instead
            asyncRemote.sendText(message, new SendHandler() {
                @Override
                public void onResult(SendResult result) {
                    // NEW in WebSocket 2.2: getSession() method
                    Session resultSession = result.getSession();

                    if (result.isOK()) {
                        String userId = (String) resultSession.getUserProperties().get("userId");
                        System.out.println("Message sent successfully to user: " + userId);
                    } else {
                        System.err.println("Failed to send message to session: " +
                            resultSession.getId());
                        System.err.println("Error: " + result.getException().getMessage());
                    }
                }
            });
        } catch (Exception e) {
            System.err.println("Error sending async message: " + e.getMessage());
        }
    }

    // Broadcast message to all connected sessions
    public void broadcastToAll(String message) {
        sessions.forEach(session -> {
            if (session.isOpen()) {
                session.getAsyncRemote().sendText(message, new SendHandler() {
                    @Override
                    public void onResult(SendResult result) {
                        // Use the new getSession() method to identify which session
                        Session resultSession = result.getSession();
                        if (!result.isOK()) {
                            System.err.println("Failed to broadcast to session: " +
                                resultSession.getId());
                        }
                    }
                });
            }
        });
    }
}

Ping/Pong Message Handling

WebSocket 2.2 clarifies the responsibilities for ping and pong messages:

import jakarta.websocket.*;
import jakarta.websocket.server.ServerEndpoint;
import java.io.IOException;
import java.nio.ByteBuffer;

@ServerEndpoint("/ping-pong")
public class PingPongWebSocket {

    @OnOpen
    public void onOpen(Session session) {
        System.out.println("WebSocket opened: " + session.getId());

        // Send a ping message to the client
        try {
            session.getBasicRemote().sendPing(ByteBuffer.wrap("ping".getBytes()));
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @OnMessage
    public void onPongMessage(PongMessage pong, Session session) {
        // Handle pong messages received from the client
        ByteBuffer data = pong.getApplicationData();
        byte[] bytes = new byte[data.remaining()];
        data.get(bytes);
        String pongData = new String(bytes);

        System.out.println("Received pong from " + session.getId() + ": " + pongData);
    }

    @OnMessage
    public void onTextMessage(String message, Session session) {
        System.out.println("Received text message: " + message);

        // Send a pong message in response
        try {
            session.getBasicRemote().sendPong(ByteBuffer.wrap("pong".getBytes()));
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @OnClose
    public void onClose(Session session) {
        System.out.println("WebSocket closed: " + session.getId());
    }

    @OnError
    public void onError(Session session, Throwable throwable) {
        System.err.println("WebSocket error: " + throwable.getMessage());
    }
}

Validation 3.1

Jakarta Validation defines a metadata model and API for JavaBean and method validation. This release has clarified support for Records introduced by JEP 395.

Key changes in Validation 3.1:

Clarify Java Records support for validation
Update dependencies for Jakarta EE 11
No removals, deprecations, or backwards incompatible changes

import jakarta.validation.constraints.*;
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Payload;
import jakarta.validation.Valid;
import jakarta.validation.Validator;
import jakarta.validation.ConstraintViolation;
import jakarta.inject.Inject;
import jakarta.ws.rs.*;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.lang.annotation.*;
import java.time.LocalDate;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// NEW in 3.1: Java Record with validation support
public record UserProfile(
    @NotNull(message = "Username is required")
    @Size(min = 3, max = 20, message = "Username must be between 3 and 20 characters")
    @Pattern(regexp = "^[a-zA-Z0-9_]+$", message = "Username can only contain letters, numbers, and underscores")
    String username,

    @NotNull(message = "Email is required")
    @Email(message = "Invalid email format")
    String email,

    @NotNull(message = "Age is required")
    @Min(value = 18, message = "Must be at least 18 years old")
    @Max(value = 120, message = "Age must be realistic")
    Integer age
) {}

// Traditional class with validation
public class UserRegistration {

    @NotNull(message = "Username is required")
    @Size(min = 3, max = 20, message = "Username must be between 3 and 20 characters")
    @Pattern(regexp = "^[a-zA-Z0-9_]+$", message = "Username can only contain letters, numbers, and underscores")
    private String username;

    @NotNull(message = "Email is required")
    @Email(message = "Invalid email format")
    private String email;

    @NotNull(message = "Password is required")
    @Size(min = 8, message = "Password must be at least 8 characters")
    @StrongPassword
    private String password;

    @NotNull(message = "Age is required")
    @Min(value = 18, message = "Must be at least 18 years old")
    @Max(value = 120, message = "Age must be realistic")
    private Integer age;

    @Future(message = "Subscription end date must be in the future")
    private LocalDate subscriptionEndDate;

    // Getters and setters
}

// Custom validation annotation
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = StrongPasswordValidator.class)
@Documented
public @interface StrongPassword {
    String message() default "Password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character";
    Class[] groups() default {};
    Classextends Payload>[] payload() default {};
}

// Custom validator implementation
public class StrongPasswordValidator
        implements ConstraintValidatorString> {

    @Override
    public boolean isValid(String password, ConstraintValidatorContext context) {
        if (password == null) {
            return false;
        }

        boolean hasUppercase = password.chars().anyMatch(Character::isUpperCase);
        boolean hasLowercase = password.chars().anyMatch(Character::isLowerCase);
        boolean hasDigit = password.chars().anyMatch(Character::isDigit);
        boolean hasSpecial = password.chars()
            .anyMatch(ch -> "!@#$%^&*()_+-=[]{}|;:,.<>?".indexOf(ch) >= 0);

        return hasUppercase && hasLowercase && hasDigit && hasSpecial;
    }
}

// Using validation in a REST endpoint
@Path("/users")
public class UserResource {

    @Inject
    private Validator validator;

    @POST
    @Path("/register")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response registerUser(@Valid UserRegistration user) {
        // Validation happens automatically via @Valid
        // If validation fails, a ConstraintViolationException is thrown

        // Process registration
        return Response.status(Response.Status.CREATED)
                      .entity("User registered successfully")
                      .build();
    }

    // Manual validation example
    @POST
    @Path("/validate")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response validateUser(UserRegistration user) {
        Set> violations =
            validator.validate(user);

        if (!violations.isEmpty()) {
            List<String> errors = violations.stream()
                .map(ConstraintViolation::getMessage)
                .collect(Collectors.toList());

            return Response.status(Response.Status.BAD_REQUEST)
                          .entity(errors)
                          .build();
        }

        return Response.ok("Validation passed").build();
    }
}

Getting Started with Jakarta EE 11 on Open Liberty

To use Jakarta EE 11 features in Open Liberty 26.0.0.5, you can enable the Jakarta EE 11 Platform feature in your server.xml:


    
        jakartaee-11.0
    

    ...

You can also enable individual features as needed:


    jakartaee-11.0
    servlet
    cdi
    persistence
    faces
    data
    websocket
    validation

Maven Dependencies

Add Jakarta EE 11 dependencies to your pom.xml:


    
    
        jakarta.platform
        jakarta.jakartaee-api
        11.0.0
        provided
    

    
    
        jakarta.data
        jakarta.data-api
        1.0.0
        provided

Check out 26.0.0.5 blog to learn more on the full details of Jakarta EE 11 on Open Liberty 26.0.0.5.

Integration with MicroProfile

This Open Liberty release provides a great ecosystem of enabling Jakarta EE 11 working with MicroProfile 7.0 and 7.1, allowing you to take advantage of the latest microservices features. You can enable MicroProfile and Jakarta EE 11 features in your server.xml as needed:


    microprofile-7.1
    jakartaee-11.0

Spring Boot 4.0

Open Liberty also enables Spring Boot 4.0 applications, allowing you to leverage the latest features and improvements in the Jakarta EE 11 release. You can enable the Spring Boot 4.0 feature in your server.xml:


    springBoot-4.0
    servlet-6.1

Migration Considerations

When migrating from Jakarta EE 10 to Jakarta EE 11, review the updated specifications to understand the changes and enhancements. Most applications should migrate smoothly, but it’s important to test thoroughly, especially if you’re using features that have been updated.

Key areas to review:

Jakarta Data 1.0: Consider migrating existing DAO/repository code to Jakarta Data for improved productivity and reduced boilerplate
Annotations 3.0: Migrate from @ManagedBean to CDI beans
Authentication 3.1: Remove any SecurityManager dependencies from authentication modules
Authorization 3.0: Switch to use the new PolicyFactory and Policy interfaces for your authorization modules
CDI 4.1: Review dependency injection configurations, especially if using custom interceptors or producers
Servlet 6.1: Remove any SecurityManager dependencies; test redirect handling and error dispatches
Persistence 3.2: Leverage Java records for embeddable types; update queries to use new operators; test java.time types
Validation 3.1: Leverage Java Records for validated data structures
Concurrency 3.1: Test async operations, especially if using Java 21 Virtual Threads

Conclusion

Jakarta EE 11 in Open Liberty 26.0.0.5 represents a significant advancement in enterprise Java development. The introduction of Jakarta Data 1.0 alone is a game-changer, dramatically reducing boilerplate code and improving developer productivity. Combined with updates across all major specifications, enhanced performance through Java 21 support, and a comprehensive set of modern APIs, Jakarta EE 11 provides a solid foundation for building cloud-native enterprise applications.

The combination of Open Liberty’s lightweight, fast runtime and Jakarta EE 11’s powerful features makes this an excellent choice for organizations looking to modernize their enterprise Java applications while maintaining compatibility with industry standards.

What’s more? Jakarta EE 11 also works with MicroProfile 7.0 and 7.1 in Open Liberty, allowing you to take advantage of the latest microservices features alongside the core Jakarta EE platform. Whether you’re building new applications or migrating existing ones, Open Liberty and Jakarta EE 11 provide the tools and capabilities you need to succeed in today’s fast-paced development environment.

If you are using Spring Boot, Open Liberty 26.0.0.5 and later release also enables you to use Spring Boot 4.0 with Jakarta EE 11 features, providing even more flexibility in how you build your applications.

Acknowledgements

Many thanks to the Jakarta EE community for their hard work in bringing Jakarta EE 11 to life and to the Open Liberty teams for ensuring it runs smoothly on Open Liberty. The contributions from the community, including feedback, testing, and code contributions, have been invaluable in making this release a success. I also want to thank my colleagues in the Open Liberty team who provided valuable feedback to this blog: Andrew Rouse, Anija K A, David Webster, Jared Anderson, Nathan Rauh, Paul Nicolucci, Mark Swatosh, Kyle Aure, Jim Krueger, Neena P Jacob, Volodymyr Siedlecki, Phu Dinh and many others.

Learn More

Open Liberty is an open-source, lightweight, and fast Java runtime that implements Jakarta EE and MicroProfile specifications. It’s designed for cloud-native applications and provides a flexible, modular architecture that allows you to use only the features you need.

Jakarta EE 11, Spring Boot 4.0, and more in 26.0.0.5

2026-05-19T00:00:00+00:00

This release introduces official support for Jakarta EE 11, Spring Boot 4.0 applications, and updated TLS/SSL cipher handling in Open Liberty, including enhanced Spring Boot deployment support and simplified SSL cipher configuration.

In Open Liberty 26.0.0.5:

Jakarta EE 11 Core Profile, Web Profile, and Platform
Spring Boot 4.0
Update to TLS/SSL Cipher support
Security Vulnerability (CVE) Fixes
Notable bug fixes

View the list of fixed bugs in 26.0.0.5.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.5

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

Jakarta EE 11 Core Profile, Web Profile, and Platform

Jakarta EE 11 Core Profile, Web Profile and Platform are now officially supported in Open Liberty! We’d like to start by thanking all those who provided feedback throughout our various betas.

Jakarta EE 11 marks a major milestone. It is the first Jakarta release to add a new specification to the platform since Java EE 8 in 2017 and, therefore, the first to provide a new component specification since the platform was taken over by the Eclipse Foundation. Among the many updates to existing Java specifications, it also removes all optional specifications and functions from the Platform. Liberty continues to support those optional specifications and functions when combined with Jakarta EE 11 features.

The Core Profile specification was introduced in Jakarta EE 10 to provide a profile for lightweight cloud native applications such as MicroProfile-based applications. With the introduction of Jakarta EE 11 support in this release, the MicroProfile 7.0 and 7.1 features also now work with Jakarta EE 11. You can run your MicroProfile 7 applications using either Jakarta EE 10 or Jakarta EE 11 features.

The following specifications make up the Jakarta Platform and the Core and Web profiles:

Jakarta EE Core Profile 11

Specification	Updates	Liberty Feature Documentation
Annotations 3.0	Major update	cdi-4.1
RESTful Web Services 4.0	Major update	restfulWS-4.0, restfulWSClient-4.0
Context and Dependency Injection 4.1 Lite	Minor update	cdi-4.1
Interceptors 2.2	Minor update	cdi-4.1
Dependency Injection 2.0	Unchanged	cdi-4.1
JSON Binding 3.0	Unchanged	jsonb-3.0
JSON Processing 2.1	Unchanged	jsonp-2.1

Specification

Updates

Liberty Feature Documentation

Annotations 3.0

Major update

cdi-4.1

RESTful Web Services 4.0

Major update

restfulWS-4.0, restfulWSClient-4.0

Context and Dependency Injection 4.1 Lite

Minor update

cdi-4.1

Interceptors 2.2

Minor update

cdi-4.1

Dependency Injection 2.0

Unchanged

Unchanged

Unchanged

Jakarta EE Web Profile 11

Specification	Updates	Liberty Feature Documentation
Jakarta EE Core Profile 11	Major Update	See previous table
Data 1.0	New	data-1.0
Expression Language 6.0	Major update	expressionLanguage-6.0
Pages 4.0	Major update	pages-4.0
Security 4.0	Major update	appSecurity-6.0
Authentication 3.1	Minor update	appAuthentication-3.1
Concurrency 3.1	Minor update	concurrent-3.1
Context and Dependency Injection 4.1	Minor update	cdi-4.1
Faces 4.1	Minor update	faces-4.1
Persistence 3.2	Minor update	persistence-3.2
Servlet 6.1	Minor update	servlet-6.1
Validation 3.1	Minor update	validation-3.1
WebSocket 2.2	Minor update	websocket-2.2
Debugging Support for Other Languages 2.0	Unchanged	Not applicable
Enterprise Beans 4.0 Lite	Unchanged	enterpriseBeansLite-4.0
Standard Tag Library 3.0	Unchanged	pages-4.0
Transactions 2.0	Unchanged	Not applicable

Specification

Updates

Liberty Feature Documentation

Jakarta EE Core Profile 11

Major Update

See previous table

Data 1.0

New

data-1.0

Expression Language 6.0

Major update

expressionLanguage-6.0

Major update

Major update

Minor update

appAuthentication-3.1

Concurrency 3.1

Minor update

concurrent-3.1

Context and Dependency Injection 4.1

Minor update

Minor update

Minor update

Minor update

Minor update

Minor update

Debugging Support for Other Languages 2.0

Unchanged

Not applicable

Enterprise Beans 4.0 Lite

Unchanged

enterpriseBeansLite-4.0

Standard Tag Library 3.0

Unchanged

pages-4.0

Transactions 2.0

Unchanged

Not applicable

Jakarta EE Platform 11

Specification	Updates	Liberty Feature Documentation
Jakarta EE Web Profile 11	Major update	See previous table
Authorization 3.0	Major update	appAuthorization-3.0
Activation 2.1	Unchanged	mail-2.1
Batch 2.1	Unchanged	batch-2.1
Connectors 2.1	Unchanged	connectors-2.1
Enterprise Beans 4.0	Unchanged	enterpriseBeans-4.0
Mail 2.1	Unchanged	mail-2.1
Messaging 3.1	Unchanged	messaging-3.1

Specification

Updates

Liberty Feature Documentation

Jakarta EE Web Profile 11

Major update

See previous table

Major update

Unchanged

Unchanged

Unchanged

Unchanged

Unchanged

Unchanged

Enterprise Beans 4.0 is unchanged, but the optional EJB 2.x function is no longer enabled when the enterpriseBeans-4.0 feature is configured with other Jakarta EE 11 features. Users who want to use EJB 2.x APIs must also add the enterpriseBeansHome-4.0 feature.

Liberty provides convenience features for running all of the component specifications that are contained in the Jakarta EE 11 Web Profile (webProfile-11.0) and the Jakarta EE 11 Platform (jakartaee-11.0). These convenience features enable you to rapidly develop applications using all of the APIs contained in their respective specifications. For Jakarta EE 11 features in the application client, use the jakartaeeClient-11.0 Liberty feature.

To enable the Jakarta EE Platform 11 features, add the jakartaee-11.0 feature to your server.xml file:

  
    jakartaee-11.0

Alternatively, to enable the Jakarta EE Web Profile 11 features, add the webProfile-11.0 feature to your server.xml file:

  
    webProfile-11.0

Although no convenience feature exists for the Core Profile, you can enable its equivalent by adding the following features to your server.xml file:

  
    jsonb-3.0
    jsonp-2.1
    cdi-4.1
    restfulWS-4.0

To run Jakarta EE 11 features on the Application Client Container, add the following entry in your client.xml file:

  
    jakartaeeClient-11.0

For more information reference:

Differences between Jakarta EE 11 and 10
Jakarta EE Platform 11, Jakarta EE Web Profile 11, and Jakarta EE Core Profile 11 specifications.
Jakarta EE 11 Javadoc

Spring Boot 4.0

Open Liberty currently supports running Spring Boot 1.5.x, 2.x, and 3.x applications. With the introduction of the new springBoot-4.0 feature, users can now deploy Spring Boot 4.x applications. While Liberty has consistently supported Spring Boot applications packaged as WAR files, this enhancement extends support to both JAR and WAR formats for Spring Boot 4.x applications.

The springBoot-4.0 feature provides complete support for running a Spring Boot 4.x application on Open Liberty, as well as the ability to thin the application when building containerized applications.

To use this feature, users must be running Java 17 or later with Jakarta EE 11 features enabled. If the application uses servlets, it must be configured to use servlet-6.1. Include the following features in your server.xml file to configure the server.


   springBoot-4.0
   servlet-6.1

The server.xml configuration for deploying a Spring Boot application follows the same approach used in earlier Liberty Spring Boot versions.

 id="spring-boot-app" location="spring-boot-app-0.1.0.jar" name="spring-boot-app" />

As in earlier versions, the Spring Boot application JAR can be deployed by placing it in the /dropins/spring folder. The springBootApplication configuration in the server.xml file can be omitted when this deployment method is used.

Update to TLS/SSL Cipher support

Liberty now uses the effective cipher list from the JDK for SSL configuration. The securityLevel attribute in the SSL configuration is not used anymore. In addition, the enabledCiphers attribute in the SSL config is updated to customize the SSL ciphers in a more flexible way.

Liberty’s securityLevel based cipher categories no longer provide meaningful value. The MEDIUM and LOW categories contain no remaining ciphers.

The enabledCiphers attribute now has two mutually exclusive modes: (1) Specify a custom list of ciphers separated by spaces, or (2) Specify filter criteria to add (+) or remove (-) cipher suites from the effective JDK cipher list. If the value set in enabledCiphers contains a static entry and a +/- entry, an error is logged, and the server ignores the enabledCiphers value by returning the effective JDK cipher list.

Existing Usage: A user sets securityLevel as HIGH

 id="defaultSSL" securityLevel=HIGH/>

The securityLevel attribute is now ignored, so the previous configuration is treated equivalently to the configuration shown here where there is no securityLevel attribute configured.

 id="defaultSSL"/>

Existing Usage: A user specifies all ciphers from the effective JDK list, excluding all TLS_RSA ciphers except for one (TLS_RSA_WITH_AES_128_GCM_SHA256)

 id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256">

Example with new syntax: Use wildcards to achieve the same logic

 id="defaultSSL" enabledCiphers="-TLS_RSA* +TLS_RSA_WITH_AES_128_GCM_SHA256"/>

To learn more about Transport Security, see SSL Constants Javadoc, JSSEProvider Javadoc, and SSL Configuration Reference.

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2026-3621	7.5	Identity spoofing	17.0.0.3-26.0.0.4

CVE

CVSS Score

Vulnerability Assessment

Versions Affected

Notes

CVE-2026-3621

7.5

Identity spoofing

17.0.0.3-26.0.0.4

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.5.

Get Open Liberty 26.0.0.5 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Enabling hardware cryptography for Liberty for Linux on distributed environment with Semeru Java 17

2026-05-19T00:00:00+00:00

Hardware cryptography, through hardware security modules (HSM), provides enhanced security for applications that are running on Liberty on distributed Linux environments. The following instructions to integrate Liberty on distributed Linux with hardware cryptographic devices were successfully tested by a customer who was using a Thales Luna HSM with Semeru Java 17. These instructions should also be applicable to other Java versions; see Java version considerations for potential modifications needed. The configuration should be adaptable to other hardware security modules that support the PKCS#11 interface.

Example use cases

The HSM integration with Liberty enables enhanced security for various cryptographic operations. Here are some example use cases:

Secure Web Services with HSM-Protected Keys: Liberty serves as a secure web service endpoint using TLS with the server’s private key stored in the HSM. The TLS handshake uses the HSM-protected key, ensuring the private key never leaves the secure hardware boundary, even if the Liberty server is compromised.
Mutual TLS Authentication for Microservices: Liberty stores client certificates in the HSM for outbound connections requiring mutual TLS. The HSM handles the cryptographic operations for client authentication, protecting the private key material.
Digital Signature Services: Applications can use the HSM to sign data (like JSON Web Tokens) with keys that are generated and stored within the HSM. The signing operation occurs inside the hardware, maintaining the integrity of the signing process.
Secure Data Encryption and Decryption: Encryption keys are securely stored in the HSM, and encryption/decryption operations are performed by the hardware, providing an additional layer of security for sensitive data.
Certificate Authority Operations: Organizations running their own CA can store root and intermediate certificate private keys in the HSM, with certificate signing operations performed within the hardware to ensure the highest level of protection for these critical security assets.

Steps

Install HSM client libraries that enable communication between your application and the HSM.
Configure authentication between the Linux server and the HSM to establish secure communication. Create and register a self-signed client certificate, establishing mutual TLS as the authentication method.

Create a PKCS#11 configuration file that defines how Java will interact with the HSM through the PKCS#11 interface.

For example, the following PKCS11Config.cfg file was created with assistance from Luna Support and saved in the Liberty server configuration directory:

description = Thales Luna HSM/PKCS11 Configuration
 name = PKCS11Config
 library = /opt/safenet/lunaclient/lib/libCryptoki2_64.so
 slot = 0
 showInfo = true
 attributes(*,CKO_SECRET_KEY,*) = {
 CKA_CLASS=4
 CKA_PRIVATE= true
 CKA_KEY_TYPE = 21
 CKA_SENSITIVE= true
 CKA_ENCRYPT= true
 CKA_DECRYPT= true
 CKA_WRAP= true
 CKA_UNWRAP= true
 }
 attributes(*,CKO_PRIVATE_KEY,*) = {
 CKA_CLASS=3
 CKA_LABEL=true
 CKA_PRIVATE = true
 CKA_DECRYPT=true
 CKA_SIGN=true
 CKA_UNWRAP=true
 }
 attributes(*,CKO_PUBLIC_KEY,*) = {
 CKA_CLASS=2
 CKA_LABEL=true
 CKA_ENCRYPT = true
 CKA_VERIFY=true
 CKA_WRAP=true
 }

Update the Java security configuration to include the PKCS#11 provider.

For example, create a java.security file in the same directory as the server.xml file with the following content to add the SunPKCS11 provider pointing to the PKCS11Config.cfg file:

security.provider.1=SunPKCS11 ${server.config.dir}/PKCS11Config.cfg
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL

Also create, a jvm.options file in the same directory with the following content to point to the custom java.security file:

-Djava.security.properties=${server.config.dir}/java.security

Set up a hardware-based keystore/truststore, a file-based keystore/truststore, or both:
- For a HSM (hardware-based keystore/truststore), create or import the necessary certificates for your application’s security requirements. (i.e. TLS server certificate and client certificates for various use cases).
- For a file-based keystore/truststore, create a standard file-based truststore to hold trusted CA certificates. For example, a traditional PKCS12 file-based keystore can be created to serve as the general "truststore" in Liberty, which includes the CA certificates to be trusted.
Edit the Liberty server.xml file to use the HSM-backed keystore, the file-based truststore, or both by adding the relevant configuration snippets:
```
 
```
```
transportSecurity-1.0

ssl-1.0
```
Configure the Liberty server environment variables.

For example, edit the Liberty server.env file with the following configuration:
```
JAVA_HOME=/etc/alternatives/jre_17
 JVM_ARGS="--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED"
```
- Where: The --add-exports JVM argument is necessary because in Java 17, the Java module system restricts access to internal packages. The PKCS#11 implementation requires access to classes in the sun.security.pkcs11 package, which is part of the jdk.crypto.cryptoki module. This argument explicitly allows Liberty to access these internal classes that are needed for the HSM integration to work properly.
  - Similar JVM arguments might be required for other Java versions that use the module system (Java 9 and later). The specific arguments might vary slightly depending on the Java version.
Configure any JVM options that are required for your specific HSM compatibility. For example, to disable unsupported algorithms, add the list of algorithms to the Liberty jvm.options file:
```
-Djdk.tls.disabledAlgorithms=RSASSA-PSS,RSAPSS
```
Start the Liberty server and verify that the HSM integration is working correctly.

Troubleshooting

If you encounter issues with your HSM integration, consider enabling PKCS#11 debug logging by adding to jvm.options:

-Djava.security.debug=sunpkcs11,pkcs11

For specific HSM-related issues, consult your HSM vendor’s documentation and support resources.

Java version considerations

While these steps were written and tested with Semeru Java 17, they should be applicable to other Java versions with potential minor adjustments:

The module-related JVM arguments (--add-exports) may vary depending on the Java version
The exact path to the Java installation will differ
Security provider configurations may have slight differences between Java versions

Acknowledgements

We would like to sincerely thank a valued customer who, while choosing to remain anonymous, generously shared his expertise with us. Access to this level of specialized hardware and configuration experience is rare. Through collaboration, persistence, and thoughtful experimentation, he helped validate solutions and provided the practical steps documented here. His willingness to share these insights will benefit many others in the WAS community facing similar challenges. We deeply appreciate his generosity and the meaningful impact of his contribution.

Enabling hardware cryptography for Liberty for Linux on distributed environment with Semeru Java 17

2026-05-11T00:00:00+00:00

Example use cases

The HSM integration with Liberty enables enhanced security for various cryptographic operations. Here are some example use cases:

Secure Web Services with HSM-Protected Keys: Liberty serves as a secure web service endpoint using TLS with the server’s private key stored in the HSM. The TLS handshake uses the HSM-protected key, ensuring the private key never leaves the secure hardware boundary, even if the Liberty server is compromised.
Mutual TLS Authentication for Microservices: Liberty stores client certificates in the HSM for outbound connections requiring mutual TLS. The HSM handles the cryptographic operations for client authentication, protecting the private key material.
Digital Signature Services: Applications can use the HSM to sign data (like JSON Web Tokens) with keys that are generated and stored within the HSM. The signing operation occurs inside the hardware, maintaining the integrity of the signing process.
Secure Data Encryption and Decryption: Encryption keys are securely stored in the HSM, and encryption/decryption operations are performed by the hardware, providing an additional layer of security for sensitive data.
Certificate Authority Operations: Organizations running their own CA can store root and intermediate certificate private keys in the HSM, with certificate signing operations performed within the hardware to ensure the highest level of protection for these critical security assets.

Steps

Install HSM client libraries that enable communication between your application and the HSM.
Configure authentication between the Linux server and the HSM to establish secure communication. Create and register a self-signed client certificate, establishing mutual TLS as the authentication method.

Create a PKCS#11 configuration file that defines how Java will interact with the HSM through the PKCS#11 interface.

For example, the following PKCS11Config.cfg file was created with assistance from Luna Support and saved in the Liberty server configuration directory:

description = Thales Luna HSM/PKCS11 Configuration
 name = PKCS11Config
 library = /opt/safenet/lunaclient/lib/libCryptoki2_64.so
 slot = 0
 showInfo = true
 attributes(*,CKO_SECRET_KEY,*) = {
 CKA_CLASS=4
 CKA_PRIVATE= true
 CKA_KEY_TYPE = 21
 CKA_SENSITIVE= true
 CKA_ENCRYPT= true
 CKA_DECRYPT= true
 CKA_WRAP= true
 CKA_UNWRAP= true
 }
 attributes(*,CKO_PRIVATE_KEY,*) = {
 CKA_CLASS=3
 CKA_LABEL=true
 CKA_PRIVATE = true
 CKA_DECRYPT=true
 CKA_SIGN=true
 CKA_UNWRAP=true
 }
 attributes(*,CKO_PUBLIC_KEY,*) = {
 CKA_CLASS=2
 CKA_LABEL=true
 CKA_ENCRYPT = true
 CKA_VERIFY=true
 CKA_WRAP=true
 }

Update the Java security configuration to include the PKCS#11 provider.

For example, create a java.security file in the same directory as the server.xml file with the following content to add the SunPKCS11 provider pointing to the PKCS11Config.cfg file:

security.provider.1=SunPKCS11 ${server.config.dir}/PKCS11Config.cfg
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL

Also create, a jvm.options file in the same directory with the following content to point to the custom java.security file:

-Djava.security.properties=${server.config.dir}/java.security

Set up a hardware-based keystore/truststore, a file-based keystore/truststore, or both:
- For a HSM (hardware-based keystore/truststore), create or import the necessary certificates for your application’s security requirements. (i.e. TLS server certificate and client certificates for various use cases).
- For a file-based keystore/truststore, create a standard file-based truststore to hold trusted CA certificates. For example, a traditional PKCS12 file-based keystore can be created to serve as the general "truststore" in Liberty, which includes the CA certificates to be trusted.
Edit the Liberty server.xml file to use the HSM-backed keystore, the file-based truststore, or both by adding the relevant configuration snippets:
```
 
```
```
transportSecurity-1.0

ssl-1.0
```
Configure the Liberty server environment variables.

For example, edit the Liberty server.env file with the following configuration:
```
JAVA_HOME=/etc/alternatives/jre_17
 JVM_ARGS="--add-exports=jdk.crypto.cryptoki/sun.security.pkcs11=ALL-UNNAMED"
```
- Where: The --add-exports JVM argument is necessary because in Java 17, the Java module system restricts access to internal packages. The PKCS#11 implementation requires access to classes in the sun.security.pkcs11 package, which is part of the jdk.crypto.cryptoki module. This argument explicitly allows Liberty to access these internal classes that are needed for the HSM integration to work properly.
  - Similar JVM arguments might be required for other Java versions that use the module system (Java 9 and later). The specific arguments might vary slightly depending on the Java version.
Configure any JVM options that are required for your specific HSM compatibility. For example, to disable unsupported algorithms, add the list of algorithms to the Liberty jvm.options file:
```
-Djdk.tls.disabledAlgorithms=RSASSA-PSS,RSAPSS
```
Start the Liberty server and verify that the HSM integration is working correctly.

Troubleshooting

If you encounter issues with your HSM integration, consider enabling PKCS#11 debug logging by adding to jvm.options:

-Djava.security.debug=sunpkcs11,pkcs11

For specific HSM-related issues, consult your HSM vendor’s documentation and support resources.

Java version considerations

While these steps were written and tested with Semeru Java 17, they should be applicable to other Java versions with potential minor adjustments:

The module-related JVM arguments (--add-exports) may vary depending on the Java version
The exact path to the Java installation will differ
Security provider configurations may have slight differences between Java versions

Acknowledgements

Updates to MCP Server and TLS/SSL Cipher Support in 26.0.0.5-beta

2026-05-05T00:00:00+00:00

This beta release updates the mcpServer-1.0 feature and simplifies SSL cipher configuration by using the effective JDK cipher list by default and flexible enabledCiphers syntax.

The Open Liberty 26.0.0.5-beta includes the following beta features (along with all GA features):

Updates to mcpServer-1.0
Update to TLS/SSL Cipher support

Updates to `mcpServer-1.0`

The Model Context Protocol (MCP) is an open standard that enables AI applications to access real-time information from external sources. The Liberty MCP Server feature mcpServer-1.0 allows developers to expose the business logic or data from their applications, allowing it to be integrated into agentic AI workflows.

This beta release of Liberty includes important updates to the mcpServer-1.0 feature, including configurable endpoint paths and notable bug fixes.

Prerequisites

To use the mcpServer-1.0 feature, it is required to have Java 17 or later installed on your system.

Configure custom MCP endpoint paths

Previously, the MCP endpoint was hard-coded to /mcp under the web application context root. You can now configure custom endpoint paths to better suit your application architecture and naming conventions.

Single Application Configuration

For a single application, configure the endpoint path directly in the element:

 description="Configurable Mcp Path Liberty server">

  
    servlet-6.0
    cdi-4.0
    mcpServer-1.0
  

   location="configurableMcpPathTests.war">
           path="/custom-mcp"/>

With this configuration, MCP server can be accessed at /custom-mcp instead of the default /mcp path.

Configuration Options

The element supports the following attributes:

path (single app): The custom path for the MCP endpoint (for example, /custom-mcp)

Notable bug fixes in this release for `mcpServer-1.0`

1) Structured content output schemas now comply with MCP specification

The MCP specification requires that structured content output schemas must have an object type at the root level. Previously, when arrays of objects are returned, the schema incorrectly placed the array at the root level.

Previous Behavior (Incorrect):

{
  "outputSchema": {
    "description": "Returns list of person object",
    "type": "array",
    "items": {
      "$ref": "#/$defs/Person"
    }
  }
}

Current Behavior (Correct):

{
  "outputSchema": {
    "description": "Returns Persons object",
    "type": "object",
    "properties": {
      "persons": {
        "type": "array",
        "items": {
          "$ref": "#/$defs/Person"
        }
      }
    }
  }
}

This helps ensure that all structured content responses comply with the MCP structured content specification and improves compatibility with MCP clients and conformance tests.

2) Authentication failures now return correct HTTP status code

Previously, failed authentication attempts returned a 403 Forbidden response, which might be confusing as it typically indicates authorization (permission) failures rather than authentication (identity verification) failures.

Now, failed authentication attempts correctly return a 401 Unauthorized response, making it immediately clear that the issue is with authentication credentials rather than permissions. This behavior follows HTTP specification best practices and makes it easier to troubleshoot authentication configuration problems.

3) Fixed encoder bean isolation in multi-application deployments

Previously, encoder beans from multiple applications were stored in a static list within McpCdiExtension, causing beans from different applications to interfere with each other. This behavior could result in encoder beans from one application being incorrectly called in another application, unpredictable behavior in multi-application deployments, and potential security issues with cross-application bean access.

This has been fixed to ensure proper isolation of encoder beans per application, preventing cross-application interference and helping ensure that each application uses only its own encoder beans.

Update to TLS/SSL Cipher support

Liberty’s securityLevel based cipher categories no longer provide meaningful value. The MEDIUM and LOW categories contain no remaining ciphers.

Existing Usage: A user sets securityLevel as HIGH

 id="defaultSSL" securityLevel=HIGH/>

The securityLevel attribute is now ignored, so the previous configuration is treated equivalently to the configuration shown here where there is no securityLevel attribute configured.

 id="defaultSSL"/>

Existing Usage: A user specifies all ciphers from the effective JDK list, excluding all TLS_RSA ciphers except for one (TLS_RSA_WITH_AES_128_GCM_SHA256)

 id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256">

Example with new syntax: Use wildcards to achieve the same logic

 id="defaultSSL" enabledCiphers="-TLS_RSA* +TLS_RSA_WITH_AES_128_GCM_SHA256"/>

To learn more about Transport Security, see SSL Constants Javadoc, JSSEProvider Javadoc, and SSL Configuration Reference.

Try it now

To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. To enable the MCP server feature, follow the instructions from MCP standalone blog. The beta works with Java SE 25, Java SE 21, Java SE 17, Java SE 11, and Java SE 8.

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.5-beta
          zip

You must also add dependencies to your pom.xml file for the beta version of the APIs that are associated with the beta features that you want to try. For example, the following block adds dependencies for two example beta APIs:


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.5-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Enhanced JWT validation, Java 26 support, and more in 26.0.0.4

2026-04-21T00:00:00+00:00

This release introduces support for selecting JWT signature algorithms from JOSE headers and adds Java 26 support. It also removes the default LTPA keys password for enhanced security, and includes file transfer restrictions and security vulnerability fixes.

In Open Liberty 26.0.0.4:

Blocklist added to FileService MBean
Default LTPA keys password removal
Support selecting JWT signature and decryption algorithms from JOSE header
Support for Java 26
Documentation for displayCustomizedExceptionText property in Web Container
Security Vulnerability (CVE) Fixes

View the list of fixed bugs in 26.0.0.4.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.4

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code, or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging, and application management all from within your IDE.

Blocklist added to `FileService` MBean

The FileService MBean provided by the restConnector-2.0 feature in Liberty now includes a blocklist attribute. This attribute is configured by the config element in the server.xml file. The default value of this attribute is ${server.output.dir}/resources/security. This enhancement resolves the security vulnerability CVE-2025-14915 by restricting file transfer access to ${server.output.dir}/resources/security by default.

If FileTransfer access to ${server.output.dir}/resources/security is required, the original behavior can be restored by setting an empty blocklist.

For more information, see the documentation.

Default LTPA keys password removal

The default LTPA keys password is removed to resolve the security vulnerability CVE-2025-14917.

Previously, a default password for the LTPA keys was used when the keysPassword attribute was not defined in the element. With this change, a default password is no longer used when the keysPassword attribute is not set.

For existing servers, if the LTPA keys password is not configured in the server.xml file, the keystore_password in the server.env file is used. This value re-encrypts the LTPA keys in the ltpa.keys file. The LTPA keys themselves are not impacted. The keystore_password is configured in the server.env file during server creation unless the --no-password option is used with the server create command.

If a keysPassword is not defined in the element in the server.xml file and a keystore_password is not defined in the server.env file, the LTPA service fails. The following error message is displayed:

CWWKS4118E: LTPA configuration error. A keysPassword attribute is not configured on the  element, the 'ltpa_keys_password' environment variable is not set, and the 'keystore_password' environment variable is not set.

Confirm that an LTPA keys password is set up by doing the following steps:

Check to see whether a keysPassword attribute is provided for the element in the server.xml file (for example, ).
- If it is provided, this update does not affect you and no further action is needed.
- If it is not provided, do not add it and proceed to the next step.
Check to see whether the keystore_password environment variable exists in the server.env file (for example, keystore_password=myKeystorePassword).
- If it exists, then the keystore_password is used to reencrypt the LTPA keys that were previously encrypted with the default keysPassword when the server starts.
- If it does not exist, proceed to the next step.
Add the following environment variable to the server.env file (ensure you use the keystore_password here and not the ltpa_keys_password described in the next section for new servers):
```
keystore_password=your-desired-password
```
- The keystore_password is used to reencrypt the LTPA keys that were previously encrypted with the default keysPassword when the server starts.

For new servers, an ltpa_keys_password value is randomly generated during server creation. It is stored in the server.env file unless the --no-password option is specified with the server create command. The randomly generated ltpa_keys_password is used if the keysPassword attribute is not defined for the element.

For more information, see the LTPA configuration element.

Support selecting JWT signature and decryption algorithms from JOSE header

JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token header.

Previously, only one single signature algorithm (for example, RS256) was able to be configured for each configuration in the server.xml file. If the incoming JWT was signed with a different algorithm, validation would fail. This update allows the signature algorithm from the JWT header to be used for validation. It provides the flexibility of using different signature algorithms within a single configuration.

How to use

To enable signature algorithm selection from the header, set the signatureAlgorithm attribute to FROM_HEADER and optionally configure the allowedSignatureAlgorithms attribute to specify which algorithms are permitted.

If allowedSignatureAlgorithms is not configured, the default list contains all Open Liberty-supported signature algorithms: RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, and ES512.

When using FROM_HEADER with asymmetric algorithms and a truststore setup, the aliases for the corresponding public keys must be prefixed with their corresponding algorithm (e.g., RS256_keyalias) for automatic selection. The remainder of the alias name does not matter as long as it begins with the signature algorithm string. During validation, the server searches the truststore for an alias that begins with the algorithm specified in the JWT’s header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the trustedAlias attribute (for jwtConsumer) or trustAliasName attribute (for openidConnectClient, oidcLogin and mpJwt), if configured. If multiple aliases with the signature algorithm prefix exist within the truststore, Liberty uses the first one found.

See the following server.xml file configurations for examples on how to apply these settings to the supported elements:


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>


    signatureAlgorithm="FROM_HEADER"
    allowedSignatureAlgorithms="RS256, ES384, HS512"
    ...
/>

Learn more

Server configurations:

Documentation:

Support for Java 26

Java 26 is a recent Java release that introduces new features and enhancements over earlier versions that can be useful to review. This release is not a long-term support (LTS) release.

There are 10 new features (JEPs) in Java 26. Five are test features and five are fully delivered.

Test Features:

Delivered Features:

500: Prepare to Make Final Mean Final
504: Remove the Applet API
516: Ahead-of-Time Object Caching with Any GC
517: HTTP/3 for the HTTP Client API
522: G1 GC: Improve Throughput by Reducing Synchronization

A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation when using deep reflection. In Java 26, such mutations still work but trigger runtime warnings by default, preparing developers for stricter enforcement. Future releases would likely throw exceptions instead, making the final truly nonmutable.

Developers can opt in early to this stricter behavior by using a JVM flag (for example, --illegal-final-field-mutation=deny) to detect issues sooner. This change improves program correctness, security, and JVM optimizations.

Take advantage of these changes now to gain more time to evaluate how your applications and microservices behave on Java 26.

Get started today by downloading the latest release of IBM Semeru Runtime 26 or Temurin 26, then download and install the Open Liberty 26.0.0.4. Update your Liberty server’s server.env file with JAVA_HOME set to your Java 26 installation directory and start testing.

For more information on Java 26, see the Java 26 release notes page and API Javadoc page.

Documentation for `displayCustomizedExceptionText` property in Web Container

This release adds documentation for the displayCustomizedExceptionText attribute in the configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.

The feature is enabled through simple server.xml file configuration, where custom messages can be mapped to specific HTTP status codes (403 and 500).

Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.

 displayCustomizedExceptionText="Custom error message"/>

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2025-14915	6.5	Privilege escalation	17.0.0.3-26.0.0.3	Affects the `restConnector-2.0` feature
CVE-2025-14917	6.7	Weaker security	17.0.0.3-26.0.0.3	Affects the `appSecurity-1.0`, `appSecurity-2.0`, `appSecurity-3.0`, `appSecurity-4.0`, and `appSecurity-5.0` features
CVE-2026-1561	5.4	Server-side request forgery	17.0.0.3-26.0.0.3	Affects the `samlWeb-2.0` feature
CVE-2026-29063	8.7	Prototype pollution	17.0.0.3-26.0.0.3	Affects the `openapi-3.1`, `mpOpenAPI-1.0`, `mpOpenAPI-1.1`, `mpOpenAPI-2.0`, `mpOpenAPI-3.0`, `mpOpenAPI-3.1`, `mpOpenAPI-4.0` and `mpOpenAPI-4.1` features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Get Open Liberty 26.0.0.4 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Jakarta EE 11 Platform, Java 26, and more in 26.0.0.4-beta

2026-04-07T00:00:00+00:00

This beta introduces Jakarta EE 11 Platform and Web Profile, and delivers enhancements across Jakarta Authentication 3.1, Jakarta Authorization 3.0, and Jakarta Security 4.0. In addition, it provides a preview of Jakarta Data 1.1 M2, support for Java 26, MCP Server updates, and Jandex index improvements.

The Open Liberty 26.0.0.4-beta includes the following beta features (along with all GA features):

Jakarta EE 11 Platform and Web Profile
Beta support for Java 26
Updates to mcpServer-1.0
Preview of some Jakarta Data 1.1 M2 capability
Support for Reading Jandex Indexes from WEB-INF/classes in Web Modules

Jakarta EE 11 Platform and Web Profile

Open Liberty 24.0.0.11-beta was one of the ratifying implementations for Jakarta EE 11 Core Profile. Building on that foundation, the 26.0.0.4-beta release completes Jakarta EE 11 beta support, including Jakarta EE Application Client 11.0, Jakarta EE Web Profile 11.0, and Jakarta EE Platform 11.0.

Liberty provides convenience features that bundle all component specifications in the Jakarta EE Web Profile and Jakarta EE Platform. The webProfile-11.0 Liberty feature includes all Jakarta EE Web Profile functions, including the new Jakarta Data 1.0 component. The jakartaee-11.0 Liberty feature provides the Jakarta EE Platform version 11 implementation. For Jakarta EE 11 features in the application client, use the jakartaeeClient-11.0 Liberty feature.

These convenience features enable developers to rapidly develop applications using all APIs in the Web Profile and Platform specifications. Unlike the jakartaee-10.0 Liberty feature, the jakartaee-11.0 Liberty feature does not enable the Managed Beans specification function any longer, as this specification was removed from the platform which includes removal of the jakarta.annotation.ManagedBean annotation API. Applications relying on the @ManagedBean annotation must migrate to use CDI annotations.

The Jakarta EE 11 Platform specification removes all optional specifications from the platform, meaning Jakarta SOAP with Attachments, XML Binding, XML Web Services, and Enterprise Beans 2.x APIs functions are not included with the jakartaee-11.0 Liberty feature. To use these capabilities, explicitly add Liberty features to your server.xml feature list: xmlBinding-4.0 for XML Binding, xmlWS-4.0 for SOAP with Attachments and XML Web Services, and enterpriseBeansHome-4.0 for Jakarta Enterprise Beans 2.x APIs. Alternatively, use the equivalent versionless features with the jakartaee-11.0 platform.

When using the Liberty application client with the jakartaeeClient-11.0 feature, Jakarta SOAP with Attachments, XML Binding, and XML Web Services client functions are not available. To continue using these functions in your Liberty application client, enable the xmlBinding-4.0 and the new xmlWSClient-4.0 features in your client.xml file.

To enable the Jakarta EE 11 beta features in your Liberty server’s server.xml:

  
    jakartaee-11.0

Or you can add the Web Profile convenience feature to enable all of the Jakarta EE 11 Web Profile beta features at once:

  
    webProfile-11.0

You can enable the Jakarta EE 11 features on the Application Client Container in the client.xml:

 
       jakartaeeClient-11.0

For more information, see the Jakarta EE Platform 11 Specification and the Jakarta EE Web Profile 11 Specification.

Application Authentication 3.1 (Jakarta Authentication 3.1)

Jakarta Authentication defines a general SPI for authentication mechanisms, which are controllers that interact with a caller and the container’s environment to obtain and validate the caller’s credentials. It then passes an authenticated identity (such as name and groups) to the container.

The 3.1 version of the Jakarta Authentication API removes the deprecated Permission-related fields in the jakarta.security.auth.message.config.AuthConfigFactory class. The methods in the class no longer do permission checking also. These changes are part of Jakarta EE 11’s removal of SecurityManager support.

You can enable the Jakarta Authentication 3.1 feature by adding the appAuthentication-3.1 Liberty feature in the server.xml file:

    
        appAuthentication-3.1

For more information, see the Jakarta Authentication 3.1 specification and javadoc.

Application Authorization 3.0 (Jakarta Authorization 3.0)

Jakarta Authorization defines an SPI for authorization modules, which are repositories of permissions that facilitate subject-based security by determining whether a subject has a specific permission. It also defines algorithms that transform security constraints for specific containers, such as Jakarta Servlet or Jakarta Enterprise Beans, into these permissions.

The 3.0 API introduces the new jakarta.security.jacc.PolicyFactory and jakarta.security.jacc.Policy classes for doing authorization decisions. These classes are added to remove the dependency on the java.security.Policy class, which is deprecated in newer versions of Java. With the new PolicyFactory API, now you can have a Policy per policy context instead of having a global policy. This design allows separate policies to be maintained for each application.

Additionally, the 3.0 specification defines a mechanism to define PolicyConfigurationFactory and PolicyFactory classes in your application by using a web.xml file. This design allows for an application to have a different configuration than the server-scoped one, but still allow for it to delegate to a server scoped factory for any other applications. Authorization modules can do this delegation by using decorator constructors for both PolicyConfigurationFactory and PolicyFactory classes.

To configure your authorization modules in your application’s web.xml file, add specification defined context parameters:


 xmlns="https://jakarta.ee/xml/ns/jakartaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_1.xsd"
  version="6.1">

  
    jakarta.security.jacc.PolicyConfigurationFactory.provider
    com.example.MyPolicyConfigurationFactory
  

  
    jakarta.security.jacc.PolicyFactory.provider
    com.example.MyPolicyFactory

Due to Jakarta Authorization 3.0 no longer using the java.security.Policy class and introducing a new configuration mechanism for authorization modules, the com.ibm.wsspi.security.authorization.jacc.ProviderService Liberty API is no longer available with the appAuthorization-3.0 feature. If a Liberty user feature configures authorization modules, the OSGi service that provided a ProviderService implementation must be updated to use the PolicyConfigurationFactory and PolicyFactory set methods. These methods configure the modules in the OSGi service. Alternatively you can use a Web Application Bundle (WAB) in your user feature to specify your security modules in a web.xml file.

You can use the PrincipalMapper class in your Policy implementation’s impliesByRole (or implies) method, as shown in the following example:

    public boolean impliesByRole(Permission p, Subject subject) {
        Map<String, PermissionCollection> perRolePermissions =
            PolicyConfigurationFactory.get().getPolicyConfiguration(contextID).getPerRolePermissions();
        PrincipalMapper principalMapper = PolicyContext.get(PolicyContext.PRINCIPAL_MAPPER);

        // Check to see if the Permission is in the all authenticated users role (**)
        if (!principalMapper.isAnyAuthenticatedUserRoleMapped() && !subject.getPrincipals().isEmpty()) {
            PermissionCollection rolePermissions = perRolePermissions.get("**");
            if (rolePermissions != null && rolePermissions.implies(p)) {
                return true;
            }
        }

        // Check to see if the roles for the Subject provided imply the permission
        Set<String> mappedRoles = principalMapper.getMappedRoles(subject);
        for (String mappedRole : mappedRoles) {
            PermissionCollection rolePermissions = perRolePermissions.get(mappedRole);
            if (rolePermissions != null && rolePermissions.implies(p)) {
                return true;
            }
        }
        return false;
    }

You can enable the Jakarta Authorization 3.0 feature by adding the appAuthorization-3.0 Liberty feature in the server.xml file:

    
        appAuthorization-3.0

For more information, see the Jakarta Authorization 3.0 specification and javadoc.

Application Security 6.0 (Jakarta Security 4.0)

An In-memory Identity Store is a developer-defined store of credential information that is used during the Open Liberty authentication and authorization work flow. It provides a quick, simple, and convenient authentication mechanism for Liberty application testing, debugging, demos, and more.

Multiple HTTP Authentication Mechanisms (HAMs) can now be defined within the same application. These mechanisms can be specified through built-in Jakarta annotations such as @FormAuthenticationMechanismDefinition or through custom implementations of the HttpAuthenticationMechanism interface.
A new method is added to the SecurityContext interface called getAllDeclaredCallerRoles(), which returns a list of all static (declared) application roles that the authenticated caller is in.
References to the IdentityStorePermission class are removed as it was previously deprecated.

All features are available as part of appSecurity-6.0.

All feature use cases are targeted towards Jakarta EE web application developers who want to move to a modern Jakarta version and use implementations of the Jakarta Security 4.0 specification.

In-memory identity store

Developers can also implement custom identity stores, but doing so requires bespoke code to collect, validate, and manage credential information. This effort can divert attention from core application development. A built-in, in-memory identity store reduces this burden for non-production use cases such as testing, debugging, and demonstrations.

Multiple HAMs

It is now possible for multiple authentication mechanisms to logically act as a single HTTP Authentication Mechanism (HAM), providing a more flexible, dynamic, and configurable approach to the authentication workflow.

Access to the HttpAuthenticationMechanism is now abstracted by an internal implementation of the new Jakarta HttpAuthenticationMechanismHandler interface. This implementation prioritizes custom‑defined HAMs first and then falls back to the built‑in (annotation‑defined) HAMs, in the following order: OpenID, custom form, form, and basic authentication mechanisms.

Developers are free to provide their own implementation of the HttpAuthenticationMechanismHandler, allowing them to define a custom prioritization strategy for selecting HAMs. They must supply such an implementation if any built‑in HAMs are defined with the optional qualifiers attribute set.

getAllDeclaredCallerRoles()

The SecurityContext interface implementation is updated to include a new method, getAllDeclaredCallerRoles(), which returns a list of the declared application roles for an authenticated caller. If the caller is not authenticated or has no declared roles, the method returns an empty list.

How to use

Enable Jakarta Security 4.0 features within the server.xml file by adding the appSecurity-6.0 feature as shown in the following example:

 description = "Liberty server">

    . . .

    
        appSecurity-6.0
    

     allowInMemoryIdentityStores="true"/>

    . . .

As shown in the preceding example, when an application defines an in‑memory identity store in code, its use must also be explicitly enabled in the server.xml configuration. By default, the allowInMemoryIdentityStores attribute is set to false, which instructs the Liberty authentication workflows not to use in‑memory identity stores, even when a custom identity store handler is present. For applications that rely on multiple HAMs, the allowInMemoryIdentityStores attribute does not need to be set.

In-Memory Identity Store

. . .

@InMemoryIdentityStoreDefinition (
    priority = 10,
    priorityExpression = "${80/20}",
    useFor = {VALIDATE, PROVIDE_GROUPS},
    useForExpression = "#{'VALIDATE'}",
    value = {
        @Credentials(callerName = "jasmine", password = "secret1", groups = { "caller", "user" } )
    }
)

The example demonstrates a single caller definition with credential information that uses a plain-text password. However, it is highly recommended that passwords be supplied that uses an Open Liberty–supported encoding mechanism, as illustrated in the next example.

@InMemoryIdentityStoreDefinition (
    value = {
        @Credentials(callerName = "jasmine",  password = "{xor}LDo8LTorbg==", groups = { "caller", "user" } ),
        @Credentials(callerName = "frank", groups = { "user" }, password = "{hash}ARAAA  Fyyw=="),
        @Credentials(callerName = "sally", groups = { "user" }, password = "{aes}ARAFIYJ  WRQNA==")
    }
)

wlp/bin/securityUtility encode --encoding=xor
Enter text: 
Re-enter text:
{xor}PTA9Lyg

Multiple HAMs

Application Specification

The Jakarta Security 4.0 specification allows multiple HTTP Authentication Mechanisms (HAMs) to be defined within a single application, as shown in the following example:

@BasicAuthenticationMechanismDefinition(realmName="basicAuth")

@FormAuthenticationMechanismDefinition(
                loginToContinue = @LoginToContinue(errorPage = "/form-login-error.html",
                loginPage = "/form-login.html"))

@CustomFormAuthenticationMechanismDefinition(
                loginToContinue = @LoginToContinue(errorPage = "/custom-login-error.html",
                loginPage = "/custom-login.html"))

This example demonstrates how three HTTP Authentication Mechanisms (HAMs) can be defined within a single application.

Custom HAMs can also be defined in the same application by implementing the HttpAuthenticationMechanism interface in one or more classes, as shown in the following example:

@ApplicationScoped
// @Priority is optional and used to control selection priority if multiple custom definitions exist
@Priority(100)
public class CustomHAM implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest(
        HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext httpMessageContext) throws AuthenticationException {

            // implement custom logic here, and return an AuthenticationStatus
            return AuthenticationStatus.NOT_DONE;
    }
}

HAM resolution

The order in which HAMs are considered (when present) is as follows:

Custom (developer‑provided) HAMs
- If multiple custom HAMs are defined, their relative order is resolved by using @Priority.
OpenIdAuthenticationMechanismDefinition
CustomFormAuthenticationMechanismDefinition
FormAuthenticationMechanismDefinition
BasicAuthenticationMechanismDefinition

Given this ordering, the Custom HAM is always selected in the authentication workflow if all five HAM types are defined in the application.

Qualifiers

HAMs - whether defined through annotations or as custom defined - can also include an optional class‑level qualifier to simplify HAM injection into a custom HAM handler. For example, if you want to define qualified HAMs, you would first declare qualifier interfaces such as:

@Qualifier
@Retention(RUNTIME)
@Target({TYPE, METHOD, FIELD, PARAMETER})
public @interface Admin {
}

(Not shown is the qualifier definitions for User, Fallback which follow an identical pattern, and are used below).

Then, import and use the qualifiers in your in-built or custom HAM specifications, such as:

@CustomFormAuthenticationMechanismDefinition(, qualifiers={Admin.class})

@BasicAuthenticationMechanismDefinition(, qualifiers={User.class})

and

@ApplicationScoped
@Fallback   // add custom qualifier to be used during injection
public class CustomHAM implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest (. . .)  {
         . . .
    }
}

The three HAMs defined in the example are available for injection into a custom HAM handler based on their qualifier names. This scenario represents the typical use case for applications that define multiple HAMs.

If qualifiers are specified in any of the built-in HAM definitions, a custom HAM handler must be provided; otherwise, an error is raised. This requirement comes directly from the Jakarta Security specification. Details about creating and using a custom HAM handler are explained in the next section.

To implement a custom HAM handler, define a public class that is annotated with @ApplicationScoped that implements the HttpAuthenticationMechanismHandler interface. Also, inject the qualified HAMs by using standard CDI syntax, as shown in the following section:

@Default
@ApplicationScoped
public class CustomHAMHandler implements HttpAuthenticationMechanismHandler {

    @Inject @Admin // this will be the FormHAM
    private HttpAuthenticationMechanism adminHAM;

    @Inject @User // this will be the BasicHAM
    private HttpAuthenticationMechanism userHAM;

    @Inject @Fallback // this will be the Custom HAM
    private HttpAuthenticationMechanism fallbackHAM;

    public AuthenticationStatus validateRequest(
        HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext context
    ) throws AuthenticationException {

        String path = request.getRequestURI();

        // route to appropriate mechanism based on path, default to my-realm
        if (path.startsWith("/admin")) { // FormHAM
            return adminHAM.validateRequest(request, response, context);
        } else if (path.startsWith("/user")) { // BasicHAM
            return userHAM.validateRequest(request, response, context);
        } else { // Custom HAM
            return fallbackHAM.validateRequest(request, response, context);
    }
}

This custom HAM handler takes priority over the internal HAM handler, allowing a different prioritisation algorithm to be implemented.

getAllDeclaredCallerRoles()

To use the new SecurityContext method, inject the SecurityContext implementation into your application and call the method directly, as shown in the following section:

    @Inject
    private SecurityContext securityContext;

. . .

    Set<String> allDeclaredCallerRoles = securityContext.getAllDeclaredCallerRoles();

    System.out.println("All declared caller roles for caller ["
        + securityContext.getCallerPrincipal().getName()
        + "] are "
        + allDeclaredCallerRoles.toString());

Learn more

Further information can be found in the Jakarta Security Specification 4.0:

For more information about the securityUtility command, see the WAS Liberty base topic.

Beta support for Java 26

Java 26 is a recent Java release that introduces new features and enhancements over earlier versions that can be useful to review. This release is not a long-term support (LTS) release.

There are 10 new features (JEPs) in Java 26. Five are test features and five are fully delivered.

Test Features:

Delivered Features:

500: Prepare to Make Final Mean Final
504: Remove the Applet API
516: Ahead-of-Time Object Caching with Any GC
517: HTTP/3 for the HTTP Client API
522: G1 GC: Improve Throughput by Reducing Synchronization

Take advantage of these changes now to gain more time to evaluate how your applications and microservices behave on Java 26.

Get started today by downloading the latest release of IBM Semeru Runtime 26 or Temurin 26, then download and install the Open Liberty 26.0.0.4-beta. Update your Liberty server’s server.env file with JAVA_HOME set to your Java 26 installation directory and start testing.

For more information on Java 26, see the Java 26 release notes page and API Javadoc page.

Updates to `mcpServer-1.0`

The Model Context Protocol (MCP) is an open standard that enables AI applications to access real-time information from external sources. The Liberty MCP Server feature mcpServer-1.0 allows developers to expose the business logic of their applications, allowing it to be integrated into agentic AI workflows.

This beta release of Open Liberty includes updates to the mcpServer-1.0 feature including dynamic registration of tools and support for version 2025-11-25 of the protocol.

Dynamically register MCP tools

Tools can now be registered dynamically through an API. This capability allows the set of available tools on the server to be adjusted based on configuration or environment.

Tools can be registered by injecting ToolManager and calling its methods to add, remove, and list the available tools on the server. The full Javadoc for ToolManager can be found within the Liberty beta in dev/api/ibm/javadoc/io.openliberty.mcp_1.0-javadoc.zip.

Tools can be registered when the application starts through the CDI Startup event. See the following example where the Startup event is used to register a weather forecast tool only if a WeatherClient bean is available.

    @Inject
    ToolManager toolManager;

    @Inject
    Instance weatherClientInstance;

    private void createWeatherTool(@Observes Startup startup) {
        if (weatherClientInstance.isResolvable()) {
            WeatherClient weatherClient = weatherClientInstance.get();
            toolManager.newTool("getForecast")
                       .setTitle("Weather Forecast Provider")
                       .setDescription("Get weather forecast for a location")
                       .addArgument("latitude", "Latitude of the location", true, Double.class)
                       .addArgument("longitude", "Longitude of the location", true, Double.class)
                       .setHandler(toolArguments -> {
                           Double latitude = (Double) toolArguments.args().get("latitude");
                           Double longitude = (Double) toolArguments.args().get("longitude");
                           String result = weatherClient.getForecast(
                                     latitude,
                                     longitude,
                                     4,
                                     "temperature_2m,snowfall,rain,precipitation,precipitation_probability");
                           return ToolResponse.success(result);
                       })
                       .register();
        }
    }

Tool registration starts with newTool(), then the information about the tool is added, including its title, description, and arguments. The handler supplies the code to run when the tool is called. It has one parameter, which is a ToolArguments object, which provides access to the arguments and other information about the tool call request. The handler must always create and return a ToolResponse.

Accept the 2025-11-25 MCP protocol

The mcpServer-1.0 feature now accepts version 2025-11-25 of the Model Context Protocol (MCP), although it does not support any new features introduced in this version of the protocol.

Supporting MCP 2025-11-25 introduces two notable behavior changes:

Tool name restrictions: Tool names are now limited to ASCII letters ('A–Z, a–z'), digits ('0–9'), and the underscore ('_'), hyphen ('-'), and dot ('.') characters.
Improved handling of invalid tool arguments: Invalid arguments passed when invoking a tool are now treated as tool execution errors rather than protocol errors. This change allows the LLM to receive feedback that the tool was called incorrectly and to retry with corrected arguments.

Paginated results

The result of a tools/list call is now paginated with a page size of 20. This means that if there are more than 20 tools deployed on the server, clients make several small calls to retrieve the list of tools, rather than one large call.

Bug fixes

During cancellation of a tool call, we check that both the session id and the authenticated user match the session id and the user that made the tool call. Previously only the session id was checked.
Messages that are returned to the MCP client no longer contain Open Liberty message codes.
Structured content is only returned when client is using protocol version 2025-06-18 or later.

Further information

For more information about the mcpServer-1.0 feature and how to get started using the beta, see our dedicated blog post.
For more information about the Model Context Protocol, see modelcontextprotocol.io

Preview of some Jakarta Data 1.1 M2 capability

Previews some new capability at the Jakarta Data 1.1 Milestone 2 level: Constraint subtype parameters for repository methods that constrain to repository @Find operations and limited use of Restriction with repository @Find operations. Also included from the prior beta are: retrieving a subset/projection of entity attributes and the @Is annotation.

Previously, parameter-based @Find reposotory methods could filter results only using equality conditions. This limitation has now been removed, allowing additional filtering options to be defined.

Filtering can now be specified in several ways. One approach is to define the repository method parameter as a Constraint subtype, or to indicate the constraint subtype by using the @Is annotation. Alternatively, a repository @Find method can include a special parameter of type Restriction, allowing the application to supply one or more restrictions dynamically at runtime when the method is invoked.

In Jakarta Data, you define simple Java objects called entities to represent data, and interfaces called repositories to define data operations. You inject a repository into your application and use it. The implementation of the repository is automatically provided.

Start by defining an entity class that corresponds to your data. With relational databases, the entity class corresponds to a database table and the entity properties (public methods and fields of the entity class) generally correspond to the columns of the table. An entity class can be:

annotated with jakarta.persistence.Entity and related annotations from Jakarta Persistence
a Java class without entity annotations, in which case the primary key is inferred from an entity property named id or ending with Id and an entity property named version designates an automatically incremented version column.

Here’s a simple entity:

@Entity
public class Product {
    @Id
    public long id;

    public String name;

    public double price;

    public double weight;
}

After you define the entity to represent the data, it is usually helpful to have your IDE generate a static metamodel class for it. By convention, static metamodel classes begin with the underscore ('_') character, followed by the entity name.

Because this beta is available well before the release of Jakarta Data 1.1, IDE support for this generation cannot be expected yet. However, a static metamodel class can be provided in the same form that an IDE would generate for the Product entity.

@StaticMetamodel(Product.class)
public interface _Product {
    String ID = "id";
    String NAME = "name";
    String PRICE = "price";
    String WEIGHT = "weight";

    NumericAttributeLong> id = NumericAttribute.of(
            Product.class, ID, long.class);
    TextAttribute name = TextAttribute.of(
            Product.class, NAME);
    NumericAttributeDouble> price = NumericAttribute.of(
            Product.class, PRICE, double.class);
    NumericAttributeDouble> weight = NumericAttribute.of(
            Product.class, WEIGHT, double.class);
}

The first half of the static metamodel class includes constants for each of the entity attribute names so that you don’t need to otherwise hardcode string values into your application. The second half of the static metamodel class provides a special instance for each entity attribute, from which you can build restrictions and sorting to apply to queries at run time. This capability enables many powerful operations with repository queries, but those features are deferred to a future beta.

A repository defines operations that are related to the Product entity. Your repository interface can inherit from built-in interfaces such as BasicRepository and CrudRepository to gain various general-purpose repository methods for inserting, updating, deleting, and querying for entities. In addition to these capabilities, the repository can define custom operations by using the static metamodel and annotations such as @Find or @Delete.

@Repository(dataStore = "java:app/jdbc/my-example-data")
public interface Products extends CrudRepositoryLong> {

    // Filtering is pre-defined at development time by the @Is annotation,
    @Find
    @OrderBy(_Product.PRICE)
    @OrderBy(_Product.NAME)
    List costingUpTo(@By(_Product.PRICE) @Is(AtMost.class) double maxPrice);

    // Constraint types, such as Like, can also pre-define filtering.
    // Allow additional filtering at run time by including a Restriction,
    @Find
    Page named(@By(_Product.Name) Like namePattern,
                        Restriction filter,
                        Order sorting,
                        PageRequest pageRequest);

    // Retrieve a single entity attribute, identified by @Select,
    @Find
    @Select(_Product.PRICE)
    Optional<Double> priceOf(@By(_Product.ID) long productNum);

    // Retrieve multiple entity attributes as a Java record,
    @Find
    @Select(_Product.WEIGHT)
    @Select(_Product.NAME)
    Optional weightAndNameOf(@By(_Product.ID) long productNum);

    static record WeightInfo(double itemWeight, String itemName) {}
}

Here is an example of using the repository and static metamodel:

@DataSourceDefinition(name = "java:app/jdbc/my-example-data",
                      className = "org.postgresql.xa.PGXADataSource",
                      databaseName = "ExampleDB",
                      serverName = "localhost",
                      portNumber = 5432,
                      user = "${example.database.user}",
                      password = "${example.database.password}")
public class MyServlet extends HttpServlet {
    @Inject
    Products products;

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Insert:
        Product prod = ...
        prod = products.insert(prod);

        // Filter by supplying values only:
        List found = products.costingUpTo(50.0, "%keyboard%");

        // Compute filtering at run time,
        Page page1 = products.named(
                        Like.suffix("printer"),
                        Restrict.all(_Product.price.times(taxRate).plus(shipping).lessThan(250.0),
                                     _Product.weight.times(kgToPounds).between(10.0, 20.0)),
                        Order.by(_Product.price.desc(),
                                 _Product.name.asc(),
                                 _Product.id.asc()),
                        PageRequest.ofSize(10));

        // Find one entity attribute:
        price = products.priceOf(prod.id).orElseThrow();

        // Find multiple entity attributes as a Java record:
        WeightInfo info = products.getWeightAndName(prod.id);
        System.out.println(info.itemName() + " weighs " + info.itemWeight() + " kg.");

        ...
    }
}

Learn more

Jakarta Data 1.1 API Javadoc
Jakarta Data 1.1 overview page

Maven coordinates for Data 1.1 Milestone 2:


    jakarta.data
    jakarta.data-api
    1.1.0-M2

This beta includes only the Data 1.1 features for entity subsets and projections, the @Is annotation, and Constraint subtypes as parameters for repository Find methods. It also includes limited support for Restriction as a special parameter for repository Find methods. The navigate operations are not implemented for restrictions and constraints. Other new Data 1.1 features are not included in this beta.

Support for Reading Jandex Indexes from WEB-INF/classes in Web Modules.

Previously, Jandex indexes across all module types were read only from META-INF/jandex.idx. This update extends support for web modules to also read indexes from WEB-INF/classes/META-INF/jandex.idx, bringing it in line with industry practices.

Jandex indexes are read from the original or the new location only when Jandex use is enabled. For compatibility with earlier versions, reading indexes from the new location must be enabled using a new application property.

Benefits

Improved Compatibility: Improve compatibility with industry standard practices.
Faster Startup Times: Continue to benefit from Jandex’s efficient annotation indexing.

Target Persona

Customers who wish to place Jandex indexes at industry standard locations in their web modules.

Target Features

This update applies to the scanning of classes within applications. Class scanning (which includes annotation scanning) is a general purpose function that is used by many features.

Problem Description

To gather information about application classes, including annotation data, the classes must be scanned. This scanning process is expensive because the entire application must be read and processed.

To improve performance, class scanning can be performed during application packaging, with the scan results stored in an index within the application. Jandex provides this capability.

Jandex scan results are typically written to META-INF/jandex.idx.

For JAR files, this path is relative to the root of the JAR. For WAR files, however, the META-INF/jandex.idx path can have two interpretations: it can be relative to the root of the WAR file, or relative to the WEB-INF/classes directory.

Before this update, Liberty used the location relative to the root of the WAR file. However, industry-standard practices place the location relative to the WEB-INF/classes directory. This update enables Liberty to also use the WEB-INF/classes location.

How to Use

Support for reading Jandex indexes under WEB-INF/classes is enabled by a new property on the application and applicationManager elements:

Property: useJandexUnderClasses
Description: Enables use of a Jandex index for WAR WEB-INF/classes under /WEB-INF/classes/META-INF/jandex.idx.
Possible values: true | false
Default value: false

Example: applicationManager

 useJandex="true" useJandexUnderClasses="true"/>

Example: application

 location="TestServlet40.ear" useJandex="true" useJandexUnderClasses="true"/>

When the new property is placed on an application manager element, it applies to all web modules of all applications. When the new property is placed on an application element, the property applies to only that application. If the property is set on both the application manager element and an application element, the value on the application element overrides the value on the application manager element for that application.

Limitation

Jandex index support requires explicit enablement. See the useJandex property on applicationManager and on application elements. The new useJandexUnderClasses property is meaningful only if the useJandex property is true.

For compatibility with earlier versions, reads of Jandex from the new location require explicit enablement. See the new useJandexUnderClasses property, as documented previously. Explicit enablement is required to prevent applications from accidentally reading an out of date Jandex index from the new location. An out of date Jandex index might cause application errors that are hard to detect.

The name of the new property, useJandexUnderClasses, is subject to revision.

Learn More

Try it now

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.4-beta
          zip


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.4-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

UserRegistry Attribute Reader Enhancement, Jandex Index Format Support Update and more in 26.0.0.3

2026-03-24T00:00:00+00:00

This release introduces UserRegistry Attribute Reader APIs for retrieving user attributes from LDAP and custom registries, and adds support for Jandex index formats 11-13 to improve application startup performance. Other highlights include changes to AES encoding and fixes for security vulnerabilities and bugs.

In Open Liberty 26.0.0.3:

UserRegistry Attribute Reader Enhancement
Jandex Index Format Support Update
AES encoding changes
Security Vulnerability (CVE) Fixes
Notable bug fixes

View the list of fixed bugs in 26.0.0.3.

Check out previous Open Liberty GA release blog posts.

Develop and run your apps using 26.0.0.3

If you’re using Maven, include the following in your pom.xml file:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

UserRegistry Attribute Reader Enhancement

The UserRegistry API provides applications with the ability to retrieve specific user attributes and search for users based on attribute values directly from LDAP and custom user registries.

What’s New?

Previously, the UserRegistry API supported only basic user lookups such as searching by userSecurityName or by using wildcard pattern matching. However, it did not allow applications to retrieve specific user attributes or search for users based on attribute values. These capabilities were available in traditional WebSphere through the VMM API. The introduction of these two new APIs now enables applications to search for users and retrieve attributes from LDAP and custom user registries.

With this enhancement, you can now retrieve specific attributes for a user by using the getAttributesForUser() method. This method supports retrieval of individual attributes such as email or phoneNumber, or "*" to retrieve all available attributes for a user.

You can also search for users based on attribute values by using the getUsersByAttribute() method, enabling applications to locate users by matching specific attribute criteria. These methods are supported for LDAP user registries. Custom user registry implementations can also implement and support these methods.

How to Use It

New API methods added to UserRegistry.java:

default Map getAttributesForUser(String userSecurityName, Set attributeNames)

Description: Returns a Map containing the specified attributesNames and their corresponding values for the given userSecurityName, as configured in the LDAP user registry.

UserRegistry ur = RegistryHelper.getUserRegistry("realmName");

// valid ldap attribute names
Set<String> attributeNames = Set.of("telephoneNumber", "uid", "mail");  // or "*" for retrieving all attributes
Map<String, Object> result = ur.getAttributesForUser("testuser", attributeNames);

// output in trace.log
> getAttributesForUser Entry
  testuser
  [telephoneNumber, uid, mail]

< getAttributesForUser Exit
  {uid=testuser, mail=testuser@example.com, telephoneNumber=}

default SearchResult getUsersByAttribute(String attributeName, String value, int limit)

Description: Returns a SearchResult object that contains a list of users that match an attributeName with specified value that is configured in the LDAP user registry.

UserRegistry ur = RegistryHelper.getUserRegistry("realmName");

SearchResult searchResult = ur.getUsersByAttribute("email", "testuser@example.com", 1);

// output in trace.log
> getUsersByAttribute Entry
  email
  testuser@example.com
  1

< getUsersByAttribute Exit
  SearchResult hasMore=false [testuser]

To learn more about the user registry, see the following resources:

Jandex Index Format Support Update

Open Liberty now supports the latest Jandex index formats, allowing the use of Jandex indexes that are created with Jandex version 3.1.0 and later. Jandex is a space‑efficient Java annotation indexer and offline reflection library that improves application startup performance by pre‑indexing class metadata.

This feature targets application developers and DevOps engineers who work with Jakarta EE and MicroProfile applications. It is designed to optimize application startup times and reduce runtime costs.

What’s New?

With this update, Open Liberty supports Jandex index formats 11, 12, and 13. Jandex versions 3.1.0 through the current latest version, 3.5.3, generate indexes that use these formats.

Previously, Open Liberty supported Jandex index format versions only up to and including version 10. This index format limitation meant that applications packaged with Jandex indexes could not use index formats beyond version 10 while retaining the expected performance improvements. To preserve these performance benefits, build tooling had to continue using a Jandex version prior to 3.1.0, or explicitly configure Jandex index generation to produce indexes that use index format up to and including version 10.

Benefits

The added support for Jandex index formats has several benefits:

Improved Compatibility: Works seamlessly with the latest versions of build tools and frameworks that use newer Jandex versions
Faster Startup Times: Continue to benefit from Jandex’s efficient annotation indexing without version constraints
Reduced Maintenance: No need to maintain multiple Jandex versions or regenerate indexes for compatibility
Future-Proof: Stay current with the Jandex ecosystem as it evolves

Limitations

When using Jandex indexes, ensure that the index files are kept up to date with the application classes. If a Jandex index is not synchronized with the application classes, it can contain incorrect annotation data, which can cause the application to function incorrectly. Out‑of‑date Jandex indexes cannot be reliably detected.

Open Liberty does not read index formats higher than index format 13. If a new version of Jandex adds a higher index format version, Open Liberty requires an update before it can read Jandex indexes that use the higher index format version.

The Open Liberty feature mpGraphQL, which is obtained from an external source, is limited to reading Jandex index formats no higher than index format 10. If the feature mpGraphQL is used, Jandex indexes should be generated by using index format 10. This limitation applies to all current versions of mpGraphQL, including the current highest version, mpGraphQL-2.0.

Lifting Restriction

Previously, when Jandex usage was enabled and an application included Jandex indexes that used formats 11 through 13, Open Liberty displayed an error message and ignored those indexes. In such cases, annotation scanning was performed by using Liberty’s internal annotation scanning mechanism.

With the addition of support for Jandex index formats 11 through 13, Open Liberty now uses indexes that are generated in these formats. These indexes must be kept up to date with the application classes. Ensure that the Jandex indexes packaged with your application accurately reflect the current application classes.

How to Use

No configuration changes are required in the server.xml file to enable support for the new Jandex index formats. Open Liberty automatically detects the Jandex index format and selects the appropriate index reader for that format. It reads indexes that use formats 11, 12, and 13, and continues to support indexes that use format up to version 10.

By default, Jandex usage is disabled. To enable Jandex, set the useJandex property to true in either an application element or the applicationManager element.

If you are generating Jandex indexes as part of your build process, you can now use the latest Jandex Maven plugin or Gradle plugin versions:

Maven Example:


    io.smallrye
    jandex-maven-plugin
    3.5.3
    
        
            make-index
            
                jandex

Gradle Example:

plugins {
    id 'org.kordamp.gradle.jandex' version '2.3.0'
}

Open Liberty automatically detects and recognizes the generated META-INF/jandex.idx file for any supported index format version.

For more information, see the Jandex Documentation

AES encoding changes

The securityUtility encode command now requires a key to be specified for AES encodings. Specify a key by including one of the following options: --key, --base64Key, --aesConfigFile, or --keyring. This update resolves CVE-2025-14923.

The following command now results in an error because a key is not specified in the command.

securityUtility encode --encoding=aes "password"

When using AES encoding, one of the following arguments must be specified: --key, --base64Key, --aesConfigFile, or --keyring.

The following is an example of a valid usage with the new requirement.

securityUtility encode --encoding=aes --key=mycustomkey "password"
{aes}ARArmkfkgGyE1eiN8mKKjnkUDrFUFuuq2FlpDqrJKBgTAEYeN+PLP45wChLvIhlnWEDHnSA4zJI9KA3k5R9e/QDC+O2tzr3EwD3IMMAfvfOYxxqNPmoXqIeRVPD8TPZWnIIPmCnvyROw5A8=

For more information, see the full documentation for securityUtility encode and password encryption.

Security vulnerability (CVE) fixes in this release

CVE	CVSS Score	Vulnerability Assessment	Versions Affected	Notes
CVE-2025-14923	4.7	Weaker security	17.0.0.3-26.0.0.2
CVE-2024-29371	7.5	Denial of service	21.0.0.3-26.0.0.2	Affects the `openidConnectClient-1.0`, `socialLogin-1.0`, `mpJwt-1.2`, `mpJwt-2.0`, `mpJwt-2.1`, and `jwt-1.0` features

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in 26.0.0.3.

Get Open Liberty 26.0.0.3 now

Available through Maven, Gradle, Docker, and as a downloadable archive.

Model Context Protocol Server 1.0 updates in 26.0.0.3-beta

2026-03-10T00:00:00+00:00

The 26.0.0.3-beta release updates the mcpServer-1.0 feature with response encoders and provides request ID access to tools for logging and auditing.

The Open Liberty 26.0.0.3-beta includes the following beta features (along with all GA features):

Encode responses with ContentEncoder and ToolResponseEncoder
Access the request ID from a tool

The Model Context Protocol (MCP) is an open standard that enables AI applications to access real-time information from external sources. The Liberty MCP Server feature (mcpServer-1.0) allows developers to expose the business logic of their applications, allowing it to be integrated into agentic AI workflows.

Encode responses with ContentEncoder and ToolResponseEncoder

When a client calls a tool, the object that is returned by the tool method is converted to a ToolResponse, which usually contains one or more Content objects. The ToolResponse maps directly to the result returned in the response.

If you need more control over the response from your tool, you can return a ToolResponse or Content object directly. Now, it is also possible to register encoders to control how other objects are converted into a response.

Use ToolResponseEncoder to convert an object into a ToolResponse, which gives you complete control over the whole response.
Use ContentEncoder when you only need to convert an object into a Content that is included in the response. You can also return a list of objects, and each object is individually converted into a Content and included in the response.

If a tool method returns an object for which no encoder is provided, JSON-B encodes the object as JSON, which is returned as text content.

Example

Consider a tool that does a search over some datastore:

@Tool(description = "search the data store")
public SearchResult search(@ToolArg(name="query", description="the query to run") String query) {
    SearchResult result = datastore.runQuery(query);
    return result;
}

In this scenario, the SearchResult object encapsulates a list of individual results. Each entry contains a summary, associated metadata, and a relevance score that indicates its relationship to the query.

By default, the SearchResult object that is returned is encoded as JSON by using JSON-B and placed into a TextContent. However, to return each search result summary as an individual TextContent and map the relevance score to a priority annotation, a ToolResponseEncoder is to be used.

Create a CDI bean that implements the ToolResponseEncoder interface and implement:

the encode method to create a ToolResponse from a SearchResult
the supports method to indicate that your encoder can be used for any SearchResult

@ApplicationScoped
public class SearchResultEncoder implements ToolResponseEncoder<SearchResult> {

    public boolean supports(Class runtimeType) {
        // This encoder can encode SearchResult and any subtypes
        return SearchResult.class.isAssignableFrom(runtimeType);
    }

    public ToolResponse encode(SearchResult searchResult) {
        if (searchResult.results().isEmpty()) {
            return ToolResponse.error("No results");
        }

        ArrayList contents = new ArrayList<>();
        for (var result : searchResult.results()) {
            // Set the priority annotation based on the relevance
            Annotations annotations = new Annotations(null, null, result.relevance());
            // Create a TextContent from the summary, and add the annotations
            contents.add(new TextContent(result.summary(), null, annotations));
        }

        // Create a successful response, using the created TextContents
        return ToolResponse.success(contents);
    }
}

This encoder is used for any tools in the application that return a SearchResult

Access the request ID from a tool

Each request from an MCP client includes a unique session-based Request ID, which is now accessible to tools and is useful for logging and auditing.

To access the ID, add a RequestId parameter to the tool method:

@Tool(description = "search the data store")
public SearchResult search(@ToolArg(name="query") String query, RequestId requestId) {
    logger.log(INFO, "Running search (" + requestId.asString() + ") for query: " + query);
    // ....
}

Notable bug fixes

The following bugs have been fixed:

Output schemas were not generated correctly for asynchronous tool methods which have structuredContent = true
Omitting the arguments object when calling a tool would result in an error. The arguments object is optional if the tool does not require any arguments

Try it now

If you’re using Maven, you can install the All Beta Features package using:


    io.openliberty.tools
    liberty-maven-plugin
    3.12.0
    
        
          io.openliberty.beta
          openliberty-runtime
          26.0.0.3-beta
          zip


    org.example.spec
    exampleApi
    7.0
    pom
    provided


    example.platform
    example.example-api
    11.0.0
    provided

Or for Gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.10.0'
    }
}
apply plugin: 'liberty'
dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.3-beta,)'
}

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty:beta

Or take a look at our Downloads page.

For more information on using a beta release, refer to the Installing Open Liberty beta releases documentation.

We welcome your feedback

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.

Open Liberty

Netty‑based HTTP transport in 26.0.0.6-beta

Netty‑based HTTP transport

How to use it:

Limitations of the Beta release:

Try it now

We welcome your feedback

Jakarta EE 11 from Newbie to Pro with Open Liberty

What’s New in Jakarta EE 11?

Jakarta Data 1.0: A Game Changer for Data Access

What is Jakarta Data?

Key Features of Jakarta Data 1.0

Jakarta Data Code Examples

Defining an Entity

Creating a Repository Interface

REST Endpoint Using Jakarta Data

Benefits of Jakarta Data

Updated Specifications with Code Examples

Authentication 3.1

Authentication 3.1 Code Example

Authorization 3.0

Concurrency 3.1

Annotations 3.0

Migrating from @ManagedBean

Interceptors 2.2

CDI 4.1

Specification Restructuring

Retrieve Interceptor Binding Information

Method Invokers

@Priority on Producer Methods and Fields

Programmatic Access to Assignability Rules

Expression Language 6.0

Using the new length property for arrays

Using RecordELResolver for Java Records

Using OptionalELResolver for Java Optional

Using EL 6.0 in Faces/Facelets

Faces 4.1

Using the new UUIDConverter

Injecting the current Flow

Using rowStatePreserved in UIRepeat

Using setResponseContentLengthLong for large files

Generic FacesMessage with improved type safety

Security 4.0

In-memory Identity Store

Multiple HTTP Authentication Mechanisms

HAM Resolution

Qualifiers

getAllDeclaredCallerRoles()

Servlet 6.1

Custom Redirect with Status Code Control

Using Charset Methods

UTF-8 Encoded Response

ByteBuffer Support

Error Dispatch with Query String

Error Handler

RESTful Web Services 4.0

Basic REST Resource Example

Using getMatchedResourceTemplate (NEW in 4.0)

JSON Merge Patch Support (NEW in 4.0)

Multipart Form Data Handling

Persistence 3.2

Pages 4.0

Enhanced Error Handling with ErrorData

An Error Occurred

Exception Details

WebSocket 2.2

Using the new getSession() method in SendResult

Ping/Pong Message Handling

Validation 3.1

Getting Started with Jakarta EE 11 on Open Liberty

Maven Dependencies

Integration with MicroProfile

Spring Boot 4.0

Migration Considerations

Conclusion

Acknowledgements

Learn More

Jakarta EE 11, Spring Boot 4.0, and more in 26.0.0.5

Develop and run your apps using 26.0.0.5

Jakarta EE 11 Core Profile, Web Profile, and Platform

Using the new `length` property for arrays

Updates to `mcpServer-1.0`

Notable bug fixes in this release for `mcpServer-1.0`

Blocklist added to `FileService` MBean

Documentation for `displayCustomizedExceptionText` property in Web Container

Updates to `mcpServer-1.0`