First draft of 26.0.0.4-beta blog #4772
Reviewing only the Jandex BLOG section.
The text "read-only" should not be hyphenated. Maybe a comma is needed here? Or the order should be "only read"? The meaning is that a read of the index is performed only if jandex use is enabled. Otherwise, the text looks good.
Maybe: Would a different order to the BLOG entries be better? At the very least, the EE11 post should be first and the jandex post should be at the end. The jandex post is much smaller and less splashy than the other posts.
|
For https://blogs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/blog/2026/04/07/26.0.0.4-beta.html#jakarta_security (Jakarta 4.0 section)
|
| * <<jakarta_auth, Jakarta Authentication 3.1>> | ||
| * <<jakarta_authz, Jakarta Authorization 3.0>> | ||
| * <<java_26, Beta support for Java 26>> | ||
| * <<mcp, Updates to `mcpServer-1.0`>> | ||
| * <<jakarta_data, Preview of some Jakarta Data 1.1 M2 capability>> | ||
| * <<jakarta_security, Jakarta Security 4.0>> |
| * <<jakarta_auth, Jakarta Authentication 3.1>> | |
| * <<jakarta_authz, Jakarta Authorization 3.0>> | |
| * <<java_26, Beta support for Java 26>> | |
| * <<mcp, Updates to `mcpServer-1.0`>> | |
| * <<jakarta_data, Preview of some Jakarta Data 1.1 M2 capability>> | |
| * <<jakarta_security, Jakarta Security 4.0>> | |
| ** <<jakarta_auth, Application Authentication 3.1 (Jakarta Authentication 3.1)>> | |
| ** <<jakarta_authz, Application Authorization 3.0 (Jakarta Authorization 3.0)>> | |
| ** <<jakarta_security, Application Security 6.0 (Jakarta Security 4.0)>> | |
| * <<java_26, Beta support for Java 26>> | |
| * <<mcp, Updates to `mcpServer-1.0`>> | |
| * <<jakarta_data, Preview of some Jakarta Data 1.1 M2 capability>> |
I am basing these changes to align with how this was done in the past for the 22.0.0.13-beta blog post.
Also the order should be updated below to have all of the EE 11 security features together instead of having the security one off by itself.
| // Contact/Reviewer: jhanders34 | ||
| // // // // // // // // | ||
| [#jakarta_auth] | ||
| == Jakarta Authentication 3.1 |
| == Jakarta Authentication 3.1 | |
| == Application Authentication 3.1 (Jakarta Authentication 3.1) |
| // Contact/Reviewer: jhanders34 | ||
| // // // // // // // // | ||
| [#jakarta_authz] | ||
| == Jakarta Authorization 3.0 |
| == Jakarta Authorization 3.0 | |
| == Application Authorization 3.0 (Jakarta Authorization 3.0) |
| // Contact/Reviewer: daveywebster | ||
| // // // // // // // // | ||
| [#jakarta_security] | ||
| == Jakarta Security 4.0 |
| == Jakarta Security 4.0 | |
| == Application Security 6.0 (Jakarta Security 4.0) |
|
|
||
| Support for reading Jandex indexes under WEB-INF/classes is enabled by a new property of application and application manager elements: | ||
|
|
||
| * Property: *useJandexUnderClasses* |
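Review bot: In "a new property of application and application manager elements", the two element names read as ordinary words. Name them as the configuration elements a reader would type, in monospace, and add the missing article: "a new property of the `application` and `applicationManager` elements".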
One thing I thought would have been done is to edit the blog content to be consistent. We now have use of bold and highlight in different parts of the file. I figured they would have all been converted to highlights because I think that is more widely used in our blog formatting, but you can correct me if I am wrong.
| * 517: link:https://openjdk.org/jeps/517[HTTP/3 for the HTTP Client API] | ||
| * 522: link:https://openjdk.org/jeps/522[G1 GC: Improve Throughput by Reducing Synchronization] | ||
|
|
||
| A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation by using deep reflection. |
| A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation by using deep reflection. | |
| A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation when using deep reflection. |
| * 522: link:https://openjdk.org/jeps/522[G1 GC: Improve Throughput by Reducing Synchronization] | ||
|
|
||
| A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation by using deep reflection. | ||
| In JDK 26, such mutations still work but trigger runtime warnings by default, preparing developers for stricter enforcement. |
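Review bot: "starts enforcing true immutability of final fields" in the first sentence contradicts the next line, which says such mutations "still work but trigger runtime warnings by default". The JEP title quoted here is "Prepare to Make Final Mean Final", so say that Java 26 prepares for enforcement, for example "begins the move toward enforcing immutability of final fields by warning when deep reflection mutates them".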
| In JDK 26, such mutations still work but trigger runtime warnings by default, preparing developers for stricter enforcement. | |
| In Java 26, such mutations still work but trigger runtime warnings by default, preparing developers for stricter enforcement. |
|
|
||
| Take advantage of trying out the new changes now and gain more time to preview how your applications and microservices run with Java 26. | ||
|
|
||
| Just link:https://jdk.java.net/26/[download the latest release of Java 26], download and install the link:https://openliberty.io/downloads/#runtime_betas[26.0.0.4-beta] version of Open Liberty, edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env] file with `JAVA_HOME` set to your Java 26 installation directory and start testing! |
| Just link:https://jdk.java.net/26/[download the latest release of Java 26], download and install the link:https://openliberty.io/downloads/#runtime_betas[26.0.0.4-beta] version of Open Liberty, edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env] file with `JAVA_HOME` set to your Java 26 installation directory and start testing! | |
| Just download the latest release of link:https://developer.ibm.com/languages/java/semeru-runtimes/downloads/[IBM Semeru Runtime 26] or link:https://adoptium.net/temurin/releases/?version=26[Temurin 26], download and install the link:https://openliberty.io/downloads/#runtime_betas[26.0.0.4-beta] version of Open Liberty, edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env] file with `JAVA_HOME` set to your Java 26 installation directory and start testing! |
Since both Semeru and Temurin are available, we should reference both I think or just Semeru.
|
|
||
| Just link:https://jdk.java.net/26/[download the latest release of Java 26], download and install the link:https://openliberty.io/downloads/#runtime_betas[26.0.0.4-beta] version of Open Liberty, edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env] file with `JAVA_HOME` set to your Java 26 installation directory and start testing! | ||
|
|
||
| For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/release-notes[release notes page], link:https://download.java.net/java/early_access/jdk26/docs/api/[API Javadoc page] or link:https://jdk.java.net/26/[download page]. |
| For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/release-notes[release notes page], link:https://download.java.net/java/early_access/jdk26/docs/api/[API Javadoc page] or link:https://jdk.java.net/26/[download page]. | |
| For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/release-notes[release notes page] and link:https://docs.oracle.com/en/java/javase/26/docs/api/index.html[API Javadoc page]. |
| Just link:https://jdk.java.net/26/[download the latest release of Java 26], download and install the link:https://openliberty.io/downloads/#runtime_betas[26.0.0.4-beta] version of Open Liberty, edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env] file with `JAVA_HOME` set to your Java 26 installation directory and start testing! | ||
|
|
||
| For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/release-notes[release notes page], link:https://download.java.net/java/early_access/jdk26/docs/api/[API Javadoc page] or link:https://jdk.java.net/26/[download page]. | ||
| For more information on Open Liberty, see our link:https://openliberty.io/docs[documentation page]. |
| For more information on Open Liberty, see our link:https://openliberty.io/docs[documentation page]. |
Should this just be removed as suggested?
I guess this can be removed
| === Learn More | ||
|
|
||
| * link:https://smallrye.io/jandex/jandex/3.5.3/index.html[Jandex Documentation] | ||
| * link:https://openliberty.io/docs/latest/reference/config/applicationManager.html[Application Manager Documentation] |
Do all of the openliberty.io references in the beta blog need to be changed to {url-prefix}?
| * link:https://smallrye.io/jandex/jandex/3.5.3/index.html[Jandex Documentation] | ||
| * link:https://openliberty.io/docs/latest/reference/config/applicationManager.html[Application Manager Documentation] | ||
| * link:https://openliberty.io/docs/latest/reference/config/applicationManager.html[Application Documentation] | ||
| * link:https://github.com/OpenLiberty/open-liberty/issues/34231[Open Liberty Jandex Index Format Update] |
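Review bot: The "Application Manager Documentation" and "Application Documentation" entries both link to .../config/applicationManager.html. The second looks like a copy of the first with only the label changed; point it at the application element's reference page or drop the entry.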
@tbitonti shouldn't this point to OpenLiberty/open-liberty#32438 instead of the jandex 3 issue? I assume the link description also should change to match.
Yeah. 32438 is the correct link. Then:
|
@navaneethsnair1 for Beta support for Java 26, kindly make the changes Jared suggested. |
|
|
||
| Finally, the 3.0 API adds a new `jakarta.security.jacc.PrincipalMapper` class that you can obtain from the `PolicyContext` class when authorization processing is done in your `Policy` implementation. From this class, you can obtain the roles that are associated with a specific Subject to be able to determine whether the Subject is in the required role. | ||
|
|
||
| You can use the `PrincipalMapper` class in your `Policy` implementation's `impliesByRole`(or `implies`) method, as shown in the following example: |
| You can use the `PrincipalMapper` class in your `Policy` implementation's `impliesByRole`(or `implies`) method, as shown in the following example: | |
| You can use the `PrincipalMapper` class in your `Policy` implementation's `impliesByRole` (or `implies`) method, as shown in the following example: |
A space is missing.
| Due to Jakarta Authorization 3.0 no longer using the `java.security.Policy` class and introducing a new configuration mechanism for authorization modules, the `com.ibm.wsspi.security.authorization.jacc.ProviderService` Liberty API is no longer available with the appAuthorization-3.0 feature. | ||
|
|
||
| If a Liberty user feature configures authorization modules, the OSGi service that provided a `ProviderService` implementation must be updated to use the `PolicyConfigurationFactory` and `PolicyFactory` `set` methods. These methods configure the modules in the OSGi service. Alternatively you can use a Web Application Bundle (WAB) in your user feature to specify your security modules in a `web.xml` file. |
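Review bot: "appAuthorization-3.0" at the end of the first paragraph is a feature name written as plain text, while the class and method names around it are in monospace. Put it in backticks, and add a comma after "Alternatively" in the last sentence.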
| Due to Jakarta Authorization 3.0 no longer using the `java.security.Policy` class and introducing a new configuration mechanism for authorization modules, the `com.ibm.wsspi.security.authorization.jacc.ProviderService` Liberty API is no longer available with the appAuthorization-3.0 feature. | |
| If a Liberty user feature configures authorization modules, the OSGi service that provided a `ProviderService` implementation must be updated to use the `PolicyConfigurationFactory` and `PolicyFactory` `set` methods. These methods configure the modules in the OSGi service. Alternatively you can use a Web Application Bundle (WAB) in your user feature to specify your security modules in a `web.xml` file. | |
| Due to Jakarta Authorization 3.0 no longer using the `java.security.Policy` class and introducing a new configuration mechanism for authorization modules, the `com.ibm.wsspi.security.authorization.jacc.ProviderService` Liberty API is no longer available with the appAuthorization-3.0 feature. If a Liberty user feature configures authorization modules, the OSGi service that provided a `ProviderService` implementation must be updated to use the `PolicyConfigurationFactory` and `PolicyFactory` `set` methods. These methods configure the modules in the OSGi service. Alternatively you can use a Web Application Bundle (WAB) in your user feature to specify your security modules in a `web.xml` file. |
These were meant to be in the same paragraph since they are about the same thing. The first sentence introduces the change and the follow-on sentences explain the user's action due to that change.
|
|
||
| These convenience features enable developers to rapidly develop applications using all APIs in the Web Profile and Platform specifications. Unlike the `jakartaee-10.0` Liberty feature, the `jakartaee-11.0` Liberty feature does not enable the Managed Beans specification function any longer, as this specification was removed from the platform which includes removal of the `jakarta.annotation.ManagedBean` annotation API. Applications relying on the `@ManagedBean` annotation must migrate to use CDI annotations. | ||
|
|
||
| The Jakarta EE 11 Platform specification removes all optional specifications from the platform, meaning Jakarta SOAP with Attachments, XML Binding, XML Web Services, and Enterprise Beans 2.x APIs functions are not included with the `jakartaee-11.0` Liberty feature. To use these capabilities, explicitly add Liberty features to your `server.xml` feature list: `xmlBinding-4.0` for XML Binding, `xmlWS-4.0` for SOAP with Attachments and XML Web Services, and `enterpriseBeansHome-4.0` for Jakarta Enterprise Beans 2.x APIs. Alternatively, use the equivalent versionless features with the `jakartaee-11.0` platform specification. |
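Review bot: "Enterprise Beans 2.x APIs functions are not included" runs two plural nouns together; "API functions" or just "APIs" reads correctly. In the first paragraph, "was removed from the platform which includes removal of the `jakarta.annotation.ManagedBean` annotation API" needs a comma before "which", or a split into two sentences.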
| The Jakarta EE 11 Platform specification removes all optional specifications from the platform, meaning Jakarta SOAP with Attachments, XML Binding, XML Web Services, and Enterprise Beans 2.x APIs functions are not included with the `jakartaee-11.0` Liberty feature. To use these capabilities, explicitly add Liberty features to your `server.xml` feature list: `xmlBinding-4.0` for XML Binding, `xmlWS-4.0` for SOAP with Attachments and XML Web Services, and `enterpriseBeansHome-4.0` for Jakarta Enterprise Beans 2.x APIs. Alternatively, use the equivalent versionless features with the `jakartaee-11.0` platform specification. | |
| The Jakarta EE 11 Platform specification removes all optional specifications from the platform, meaning Jakarta SOAP with Attachments, XML Binding, XML Web Services, and Enterprise Beans 2.x APIs functions are not included with the `jakartaee-11.0` Liberty feature. To use these capabilities, explicitly add Liberty features to your `server.xml` feature list: `xmlBinding-4.0` for XML Binding, `xmlWS-4.0` for SOAP with Attachments and XML Web Services, and `enterpriseBeansHome-4.0` for Jakarta Enterprise Beans 2.x APIs. Alternatively, use the equivalent versionless features with the `jakartaee-11.0` platform. |
specifications isn't right. It is just called platform when you configure versionless features.
https://blogs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/blog/2026/04/07/26.0.0.4-beta.html
Let me know your review comments! Thanks in advance!