From a99754b2d8e6cb0841b13b93d4af20a676993a07 Mon Sep 17 00:00:00 2001 From: navaneethsnair1 Date: Thu, 14 May 2026 11:17:53 +0530 Subject: [PATCH] first draft of 26.0.0.5 GA blog --- posts/2026-05-19-26.0.0.5.adoc | 360 +++++++++++++++++++++++++++++++++ 1 file changed, 360 insertions(+) create mode 100644 posts/2026-05-19-26.0.0.5.adoc diff --git a/posts/2026-05-19-26.0.0.5.adoc b/posts/2026-05-19-26.0.0.5.adoc new file mode 100644 index 000000000..946d85061 --- /dev/null +++ b/posts/2026-05-19-26.0.0.5.adoc @@ -0,0 +1,360 @@ +--- +layout: post +title: "Jakarta EE 11, SpringBoot 4.0, and more in 26.0.0.5" +# Do NOT change the categories section +categories: blog +author_picture: https://avatars3.githubusercontent.com/navaneethsnair1 +author_github: https://github.com/navaneethsnair1 +seo-title: Jakarta EE 11, SpringBoot 4.0, and more in 26.0.0.5- OpenLiberty.io +seo-description: This release adds support for Jakarta EE 11 and Spring Boot 4.0, including MicroProfile 7 compatibility with Jakarta EE 11 and support for deploying Spring Boot 4.x applications in both JAR and WAR formats. +blog_description: This release adds support for Jakarta EE 11 and Spring Boot 4.0, including MicroProfile 7 compatibility with Jakarta EE 11 and support for deploying Spring Boot 4.x applications in both JAR and WAR formats. +open-graph-image: https://openliberty.io/img/twitter_card.jpg +open-graph-image-alt: Open Liberty Logo +--- += Jakarta EE 11, SpringBoot 4.0, and more in 26.0.0.5 +Navaneeth S Nair +:imagesdir: / +:url-prefix: +:url-about: / +//Blank line here is necessary before starting the body of the post. + +// // // // // // // // +// In the preceding section: +// Do not insert any blank lines between any of the lines. +// Do not remove or edit the variables on the lines beneath the author name. +// +// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it +// can be left empty which will set it to the default +// +// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to +// a custom picture, you must provide a custom string for "open-graph-image-alt". +// +// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4 +// Replace GITHUB_USERNAME with your GitHub username eg: lauracowen +// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post). +// Replace AUTHOR_NAME with your name as you'd like it to be displayed, eg: Laura Cowen +// +// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc +// +// If adding image into the post add : +// ------------------------- +// [.img_border_light] +// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"] +// ------------------------- +// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not +// around diagrams. Then double check how it looks. +// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark +// backgrounds. +// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog +// change the "IMAGE CAPTION" to a couple words of what the image is +// // // // // // // // + +This release adds support for Jakarta EE 11 and Spring Boot 4.0, including MicroProfile 7 compatibility with Jakarta EE 11 and support for deploying Spring Boot 4.x applications in both JAR and WAR formats. + +// // // // // // // // +// In the preceding section: +// Leave any instances of `tag::xxxx[]` or `end:xxxx[]` as they are. +// +// Replace RELEASE_SUMMARY with a short paragraph that summarises the release. Start with the lead feature but also summarise what else is new in the release. You will agree which will be the lead feature with the reviewers so you can just leave a placeholder here until after the initial review. +// // // // // // // // + +// // // // // // // // +// Replace the following throughout the document: +// Replace RELEASE_VERSION with the version number of Open Liberty, eg: 22.0.0.2 +// Replace RELEASE_VERSION_NO_PERIODS with the version number of Open Liberty wihtout the periods, eg: 22002 +// // // // // // // // + +In link:{url-about}[Open Liberty] 26.0.0.5: + +* <> +* <> +* <> +* <> + +// // // // // // // // +// In the preceding section: +// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3 +// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3 +// Where the updates are grouped as sub-headings under a single heading +// (eg all the features in a MicroProfile release), provide sub-entries in the list; +// eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with +// Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4) +// // // // // // // // + +View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26005+label%3A%22release+bug%22[26.0.0.5]. + +Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts]. + + +[#run] + +// // // // // // // // +// LINKS +// +// OpenLiberty.io site links: +// link:{url-prefix}/guides/maven-intro.html[Maven] +// +// Off-site links: +//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions] +// +// IMAGES +// +// Place images in ./img/blog/ +// Use the syntax: +// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"] +// // // // // // // // + +== Develop and run your apps using 26.0.0.5 + +If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file: + +[source,xml] +---- + + io.openliberty.tools + liberty-maven-plugin + 3.12.0 + +---- + +Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file: + +[source,gradle] +---- +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0' + } +} +apply plugin: 'liberty' +---- +// // // // // // // // +// In the preceding section: +// Replace the Maven `3.11.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin +// Replace the Gradle `3.9.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin +// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins +// // // // // // // // + +Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]: + +[source] +---- +FROM icr.io/appcafe/open-liberty +---- + +Or take a look at our link:{url-prefix}/start/[Downloads page]. + +If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. + +[link=https://stackoverflow.com/tags/open-liberty] +image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"] + +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/34848 +// Contact/Reviewer: jhanders34 +// // // // // // // // +[#jakarta_ee] +== Jakarta EE 11 Core Profile, Web Profile, and Platform + +Jakarta EE 11 Core Profile, Web Profile and Platform are now officially supported in Open Liberty! We’d like to start by thanking all those who provided feedback throughout our various betas. + +Jakarta EE 11 marks a major milestone. It is the first Jakarta release to add a new specification to the platform since Java EE 8 in 2017 and, therefore, the first to provide a new component specification since the platform was taken over by the Eclipse Foundation. Among the many updates to existing spJavaecifications, it also removes all optional specifications and functions from the Platform. Liberty continues to support those optional specifications and functions when combined with Jakarta EE 11 features. + +The Core Profile specification was introduced in Jakarta EE 10 to provide a profile for lightweight cloud native applications such as MicroProfile-based applications. With the introduction of Jakarta EE 11 support in this release, the MicroProfile 7.0 and 7.1 features also now work with Jakarta EE 11 so that you can run your MicroProfile 7 applications using either Jakarta EE 10 or Jakarta EE 11 features. + +The following specifications make up the Jakarta Platform and the Core and Web profiles: + +=== Jakarta EE Core Profile 11 + +[cols="3,1,3"] +|=== +| Specification |Updates |Liberty Feature Documentation + +| link:https://jakarta.ee/specifications/annotations/3.0/[Annotations 3.0] |Major update |link:https://openliberty.io/docs/latest/reference/feature/cdi-4.1.html[cdi-4.1] +| link:https://jakarta.ee/specifications/restful-ws/4.0/[RESTful Web Services 4.0] |Major update | link:https://openliberty.io/docs/latest/reference/feature/restfulWS-4.0.html[restfulWS-4.0], link:https://openliberty.io/docs/latest/reference/feature/restfulWSClient-4.0.html[restfulWSClient-4.0] +| link:https://jakarta.ee/specifications/cdi/4.1/[Context and Dependency Injection 4.1 Lite] | Minor update | link:https://openliberty.io/docs/latest/reference/feature/cdi-4.1.html[cdi-4.1] +| link:https://jakarta.ee/specifications/interceptors/2.2/[Interceptors 2.2] |Minor update |link:https://openliberty.io/docs/latest/reference/feature/cdi-4.1.html[cdi-4.1] +| link:https://jakarta.ee/specifications/dependency-injection/2.0/[Dependency Injection 2.0] |Unchanged |link:https://openliberty.io/docs/latest/reference/feature/cdi-4.1.html[cdi-4.1] +| link:https://jakarta.ee/specifications/jsonb/3.0/[JSON Binding 3.0] | Unchanged |link:https://openliberty.io/docs/latest/reference/feature/jsonb-3.0.html[jsonb-3.0] +| link:https://jakarta.ee/specifications/jsonp/2.1/[JSON Processing 2.1] |Unchanged | link:https://openliberty.io/docs/latest/reference/feature/jsonp-2.1.html[jsonp-2.1] +|=== + +=== Jakarta EE Web Profile 11 + +[cols="3,1,3"] +|=== +| Specification |Updates |Liberty Feature Documentation + +| link:https://jakarta.ee/specifications/coreprofile/11/[Jakarta EE Core Profile 11] |Major Update |See previous table +| link:https://jakarta.ee/specifications/data/1.0/[Data 1.0] |*New* | link:https://openliberty.io/docs/latest/reference/feature/data-1.0.html[data-1.0] +| link:https://jakarta.ee/specifications/expression-language/6.0/[Expression Language 6.0] |Major update |link:https://openliberty.io/docs/latest/reference/feature/expressionLanguage-6.0.html[expressionLanguage-6.0] +| link:https://jakarta.ee/specifications/pages/4.0/[Pages 4.0] |Major update | link:https://openliberty.io/docs/latest/reference/feature/pages-4.0.html[pages-4.0] +| link:https://jakarta.ee/specifications/security/4.0/[Security 4.0] |Major update |link:https://openliberty.io/docs/latest/reference/feature/appSecurity-6.0.html[appSecurity-6.0] +| link:https://jakarta.ee/specifications/authentication/3.1/[Authentication 3.1] |Minor update | link:https://openliberty.io/docs/latest/reference/feature/appAuthentication-3.1.html[appAuthentication-3.1] +| link:https://jakarta.ee/specifications/concurrency/3.1/[Concurrency 3.1] |Minor update | link:https://openliberty.io/docs/latest/reference/feature/concurrent-3.1.html[concurrent-3.1] +| link:https://jakarta.ee/specifications/cdi/4.1/[Context and Dependency Injection 4.1] |Minor update |link:https://openliberty.io/docs/latest/reference/feature/cdi-4.1.html[cdi-4.1] +| link:https://jakarta.ee/specifications/faces/4.1/[Faces 4.1] |Minor update | link:https://openliberty.io/docs/latest/reference/feature/faces-4.1.html[faces-4.1] +| link:https://jakarta.ee/specifications/persistence/3.2/[Persistence 3.2] |Minor update | link:https://openliberty.io/docs/latest/reference/feature/persistence-3.2.html[persistence-3.2] +| link:https://jakarta.ee/specifications/servlet/6.1/[Servlet 6.1] |Minor update |link:https://openliberty.io/docs/latest/reference/feature/servlet-6.1.html[servlet-6.1] +| link:https://jakarta.ee/specifications/bean-validation/3.1/[Validation 3.1] |Minor update | link:https://openliberty.io/docs/latest/reference/feature/validation-3.1.html[validation-3.1] +| link:https://jakarta.ee/specifications/websocket/2.2/[WebSocket 2.2] |Minor update |link:https://openliberty.io/docs/latest/reference/feature/websocket-2.2.html[websocket-2.2] +| link:https://jakarta.ee/specifications/debugging/2.0/[Debugging Support for Other Languages 2.0] |Unchanged |Not applicable +| link:https://jakarta.ee/specifications/enterprise-beans/4.0/[Enterprise Beans 4.0 Lite] |Unchanged |link:/docs/latest/reference/feature/enterpriseBeansLite-4.0.html[enterpriseBeansLite-4.0] +| link:https://jakarta.ee/specifications/tags/3.0/[Standard Tag Library 3.0] | Unchanged | link:https://openliberty.io/docs/latest/reference/feature/pages-4.0.html[pages-4.0] +| link:https://jakarta.ee/specifications/transactions/2.0/[Transactions 2.0] |Unchanged |Not applicable (see link:https://openliberty.io/docs/latest/reference/javadoc/liberty-jakartaee11-javadoc.html?package=allclasses-frame.html&class=jakarta/transaction/package-summary.html[Javadoc]) +|=== + +=== Jakarta EE Platform 11 + +[cols="3,1,3"] +|=== +| Specification |Updates |Liberty Feature Documentation + +| link:https://jakarta.ee/specifications/webprofile/11/[Jakarta EE Web Profile 11] |Major update |See previous table +| link:https://jakarta.ee/specifications/authorization/3.0/[Authorization 3.0] |Major update | link:https://openliberty.io/docs/latest/reference/feature/appAuthorization-3.0.html[appAuthorization-3.0] +| link:https://jakarta.ee/specifications/activation/2.1/[Activation 2.1] |Unchanged |link:https://openliberty.io/docs/latest/reference/feature/mail-2.1.html[mail-2.1] +| link:https://jakarta.ee/specifications/batch/2.1/[Batch 2.1] |Unchanged | link:https://openliberty.io/docs/latest/reference/feature/batch-2.1.html[batch-2.1] +| link:https://jakarta.ee/specifications/connectors/2.1/[Connectors 2.1] |Unchanged | link:https://openliberty.io/docs/latest/reference/feature/connectors-2.1.html[connectors-2.1] +| link:https://jakarta.ee/specifications/enterprise-beans/4.0/[Enterprise Beans 4.0] |Unchanged* |link:https://openliberty.io/docs/latest/reference/feature/enterpriseBeans-4.0.html[enterpriseBeans-4.0] +| link:https://jakarta.ee/specifications/mail/2.1/[Mail 2.1] |Unchanged |link:https://openliberty.io/docs/latest/reference/feature/mail-2.1.html[mail-2.1] +| link:https://jakarta.ee/specifications/messaging/3.1/[Messaging 3.1] |Unchanged | link:https://openliberty.io/docs/latest/reference/feature/messaging-3.1.html[messaging-3.1] +|=== + +* Enterprise Beans 4.0 is unchanged, but the optional EJB 2.x function is no longer enabled when the `enterpriseBeans-4.0` feature is configured with other Jakarta EE 11 features and now requires the user to also add `enterpriseBeansHome-4.0` feature if they want to use EJB 2.x APIs. + +Liberty provides convenience features for running all of the component specifications that are contained in the Jakarta EE 11 Web Profile (link:https://openliberty.io/docs/latest/reference/feature/webProfile-11.0.html[webProfile-11.0]) and the Jakarta EE 11 Platform (link:https://openliberty.io/docs/latest/reference/feature/jakartaee-11.0.html[jakartaee-11.0]). These convenience features enable you to rapidly develop applications using all of the APIs contained in their respective specifications. For Jakarta EE 11 features in the application client, use the link:https://openliberty.io/docs/latest/reference/feature/jakartaeeClient-11.0.html[jakartaeeClient-11.0] Liberty feature. + +To enable the Jakarta EE Platform 11 features, add the `jakartaee-11.0` feature to your `server.xml` file: + +[source,xml] +---- + + jakartaee-11.0 + +---- + +Alternatively, to enable the Jakarta EE Web Profile 11 features, add the `webProfile-11.0` feature to your `server.xml` file: + +[source,xml] +---- + + webProfile-11.0 + +---- + +Although no convenience feature exists for the Core Profile, you can enable its equivalent by adding the following features to your `server.xml` file: + +[source,xml] +---- + + jsonb-3.0 + jsonp-2.1 + cdi-4.1 + restfulWS-4.0 + +---- + +To run Jakarta EE 11 features on the Application Client Container, add the following entry in your application's `client.xml` file: + +[source,xml] +---- + + jakartaeeClient-11.0 + +---- + +*For more information reference*: + +* link:https://jakarta.ee/specifications/platform/11/[Jakarta EE Platform 11], link:https://jakarta.ee/specifications/webprofile/11/[Jakarta EE Web Profile 11], and link:https://jakarta.ee/specifications/coreprofile/11/[Jakarta EE Core Profile 11] specifications. + +* Liberty Jakarta EE 11 blog - link to Emily's standalone blog, see https://github.com/OpenLiberty/blogs/pull/4803 +* link:https://openliberty.io/docs/latest/reference/javadoc/liberty-jakartaee11-javadoc.html[Jakarta EE 11 Javadoc] +* link:https://openliberty.io/docs/latest/reference/diff/jakarta-ee11-diff.html[Differences between Jakarta EE 11 and 10] + + +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33154 +// Contact/Reviewer: anjumfatima90 +// // // // // // // // +[#springboot] +== SpringBoot 4.0 +Open Liberty currently supports running Spring Boot 1.5, 2.x, and 3.x applications. With the introduction of the new `springBoot-4.0` feature, users can now deploy Spring Boot 4.x applications by enabling this feature. While Liberty consistently supports Spring Boot applications packaged as `WAR` files, this enhancement extends support to both `JAR` and `WAR` formats for Spring Boot 4.x applications. + +The `springBoot-4.0` feature provides complete support for running a Sprint Boot 4.x application on Open Liberty as well as having the capability to thin the application when creating applications in containers. + +To use this feature, the user must be running `Java 17` or later with EE11 features enabled. If the application uses servlets, it must be configured to use `Servlet 6.1`. Include the following features in your `server.xml` file to define the settings. + +[source, xml] +---- + + springboot-4.0 + servlet-6.1 + +---- + +The `server.xml` configuration for deploying a Spring Boot application follows the same approach as in earlier Liberty Spring Boot versions. + +[source, xml] +---- + +---- + +As in earlier versions, the Spring Boot application JAR can be deployed by placing it in the `/dropins/spring` folder. The `springBootApplication` configuration in the `server.xml` file can be omitted when using this deployment method. + +// DO NOT MODIFY THIS LINE. + + +[#CVEs] +== Security vulnerability (CVE) fixes in this release +[cols="5*"] +|=== +|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes + +|https://www.cve.org/CVERecord?id=CVE-2026-3621[CVE-2026-3621] +|7.5 +|Identity spoofing +|17.0.0.3-26.0.0.4 +| + +|=== +// // // // // // // // +// In the preceding section: +// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz. +// Note: When linking to features, use the +// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and +// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[]) +// +// If there are no CVEs fixed in this release, replace the table with: +// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]." +// // // // // // // // +For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list]. + + +[#bugs] +== Notable bugs fixed in this release + + +We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26005+label%3A%22release+bug%22[full list of bugs fixed in 26.0.0.5]. + +* link:https://github.com/OpenLiberty/open-liberty/issues/34716[Subject Leak When a feature that use Security Service is Enabled, and appSecurity Disabled (CVE-2026-3621)] +* link:https://github.com/OpenLiberty/open-liberty/issues/34664[java.lang.ClassCastException: org.apache.jasper.runtime.JspApplicationContextImpl in multi module JSP Application] +* link:https://github.com/OpenLiberty/open-liberty/pull/34657[Fix classloading conflict with cached JspApplicationContext] +* link:https://github.com/OpenLiberty/open-liberty/issues/34642[PKCE is being enforced by the oauthProvider even when the Authorization Code Grant isn't used] + +// // // // // // // // +// In the preceding section: +// For this section ask either Michal Broz or Tom Evans or the #openliberty-release-blog channel for Notable bug fixes in this release. +// Present them as a list in the order as provided, linking to the issue and providing a short description of the bug and the resolution. +// If the issue on Github is missing any information, leave a comment in the issue along the lines of: +// "@[issue_owner(s)] please update the description of this `release bug` using the [bug report template](https://github.com/OpenLiberty/open-liberty/issues/new?assignees=&labels=release+bug&template=bug_report.md&title=)" +// Feel free to message the owner(s) directly as well, especially if no action has been taken by them. +// For inspiration about how to write this section look at previous blogs e.g- 20.0.0.10 or 21.0.0.12 (https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html#bugs) +// // // // // // // // + + +== Get Open Liberty 26.0.0.5 now + +Available through <>.