Merge pull request #4363 from OpenLiberty/staging

Update prod

Author: navaneethsnair1

blog_tags.json

@@ -2,7 +2,8 @@
     "blog_tags": [
         {
             "name": "announcements",
-            "posts": ["25.0.0.4-beta", "25.0.0.3", "open-liberty-cloud-hosted-guides-multi-languages",
+            "posts": ["25.0.0.4", "25.0.0.4-beta", 
+                      "25.0.0.3", "open-liberty-cloud-hosted-guides-multi-languages",
                       "25.0.0.3-beta", "25.0.0.2",
                       "25.0.0.2-beta", "25.0.0.1",
                       "25.0.0.1-beta", "24.0.0.12",
@@ -89,7 +90,7 @@
             "featured": "true"
         },{
             "name": "microprofile",
-            "posts": ["25.0.0.4-beta", "microprofile-telemetry-20",
+            "posts": ["25.0.0.4", "25.0.0.4-beta", "microprofile-telemetry-20",
                       "25.0.0.2-beta", "cloudant-with-open-liberty",
                       "microprofile-7", "24.0.0.12",
                       "24.0.0.10", "24.0.0.9",
@@ -161,7 +162,7 @@
         },
         {
             "name": "java-se",
-            "posts": ["25.0.0.4-beta", "24.0.0.10",
+            "posts": ["25.0.0.4", "25.0.0.4-beta", "24.0.0.10",
                       "24.0.0.10-beta", "24.0.0.4",
                       "24.0.0.4-beta", "24.0.0.3",
                       "24.0.0.1", "Java21-Images",
@@ -179,7 +180,7 @@
         },
         {
             "name": "release",
-            "posts": ["25.0.0.4-beta",
+            "posts": ["25.0.0.4", "25.0.0.4-beta",
                       "25.0.0.3", "25.0.0.3-beta",
                       "25.0.0.2", "25.0.0.2-beta",
                       "25.0.0.1", "25.0.0.1-beta",
@@ -566,7 +567,7 @@
         },
         {
             "name": "monitoring",
-            "posts": ["25.0.0.4-beta",
+            "posts": ["25.0.0.4", "25.0.0.4-beta",
                       "microprofile-telemetry-20", "25.0.0.2-beta",
                       "microprofile-7", "24.0.0.9",
                       "24.0.0.8", "24.0.0.8-beta",
@@ -640,7 +641,7 @@
         },
         {
             "name": "java-ee",
-            "posts": ["25.0.0.4-beta",
+            "posts": ["25.0.0.4", "25.0.0.4-beta",
                       "24.0.0.8", "24.0.0.8-beta",
                       "history-maker-projects", "space-sentry-challenge",
                       "jakarta-ee-9.1-210012", "KevinSutter_MeetTheTeam",

img/blog/OPENAPI-1.png

@@ -0,0 +1,203 @@
+---
+layout: post
+title: "Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4"
+categories: blog
+author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
+author_github: https://github.com/navaneethsnair1
+seo-title: Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4 - OpenLiberty.io
+seo-description: The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
+blog_description: The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
+open-graph-image: https://openliberty.io/img/twitter_card.jpg
+open-graph-image-alt: Open Liberty Logo
+---
+= Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4
+Navaneeth S Nair <https://github.com/navaneethsnair1>
+:imagesdir: /
+:url-prefix:
+:url-about: /
+
+The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
+
+In link:{url-about}[Open Liberty] 25.0.0.4:
+
+* <<support, InstantOn Support for J2EEManagement, AppClientSupport and WsSecurity>>
+* <<java, Support for Java 24 in Open Liberty>>
+* <<telemetry, Providing Liberty audit logs to OpenTelemetry using MicroProfile Telemetry 2.0>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
+
+View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A25004+label%3A%22release+bug%22[25.0.0.4].
+
+Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts].
+
+[#run]
+
+== Develop and run your apps using 25.0.0.4
+
+If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file:
+
+[source,xml]
+----
+<plugin>
+    <groupId>io.openliberty.tools</groupId>
+    <artifactId>liberty-maven-plugin</artifactId>
+    <version>3.11.3</version>
+</plugin>
+----
+
+Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file:
+
+[source,gradle]
+----
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.3'
+    }
+}
+apply plugin: 'liberty'
+----
+
+Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:
+
+[source]
+----
+FROM icr.io/appcafe/open-liberty
+----
+
+Or take a look at our link:{url-prefix}/start/[Downloads page].
+
+If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. 
+
+[link=https://stackoverflow.com/tags/open-liberty]
+image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/31256
+// Contact/Reviewer: SmithaSubbarao
+// // // // // // // // 
+[#support]
+== InstantOn Support for J2EEManagement, AppClientSupport and WsSecurity
+
+Open Liberty link:{url-prefix}/docs/latest/instanton.html[InstantOn] provides fast startup times for MicroProfile and Jakarta EE applications. With InstantOn, your applications can start in milliseconds, without compromising on throughput, memory, development-production parity, or Java language features. InstantOn uses the Checkpoint/Restore In Userspace (link:https://criu.org/[CRIU]) feature of the Linux kernel to take a checkpoint of the JVM that can be restored later. InstantOn supports link:{url-prefix}/docs/latest/instanton.html#supported-features[a subset of Open Liberty features]. Any public features that are enabled outside of the supported set of features for InstantOn cause the checkpoint to fail with an error message. As of the 25.0.0.4 release, the following features are enhanced to support InstantOn.
+
+- link:{url-prefix}/docs/latest/reference/feature/j2eeManagement-1.1.html[J2EE Management 1.1 (j2eeManagement-1.1)]
+- link:{url-prefix}/docs/latest/reference/feature/appClientSupport-1.0.html[Application Client Support for Server 1.0 (appClientSupport-1.0)]
+- link:{url-prefix}/docs/latest/reference/feature/appClientSupport-2.0.html[Jakarta Application Client Support for Server 2.0 (appClientSupport-2.0)]
+- link:{url-prefix}/docs/latest/reference/feature/wsSecurity-1.1.html[Web Service Security 1.1 (wsSecurity-1.1)]
+   
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/31244
+// Contact/Reviewer: gjwatts
+// // // // // // // // 
+[#java]
+== Support for Java 24 in Open Liberty
+
+Released on 18 March 2025, Java 24 introduces many new features and enhancements over previous versions of Java. However, since Java 24 is not a Long-Term Support (LTS) release, support for it will end when the next version of Java is supported. It offers many features worth checking out.
+
+Here are the link:https://openjdk.org/projects/jdk/24/[JEP changes in Java 24]:
+
+* 404: 	link:https://openjdk.org/jeps/404[Generational Shenandoah (Experimental)]
+* 450: 	link:https://openjdk.org/jeps/450[Compact Object Headers (Experimental)]
+* 472: 	link:https://openjdk.org/jeps/472[Prepare to Restrict the Use of JNI]
+* 475: 	link:https://openjdk.org/jeps/475[Late Barrier Expansion for G1]
+* 478: 	link:https://openjdk.org/jeps/478[Key Derivation Function API (Preview)]
+* 479: 	link:https://openjdk.org/jeps/479[Remove the Windows 32-bit x86 Port]
+* 483: 	link:https://openjdk.org/jeps/483[Ahead-of-Time Class Loading & Linking]
+* 484: 	link:https://openjdk.org/jeps/484[Class-File API]
+* 485: 	link:https://openjdk.org/jeps/485[Stream Gatherers]
+* 486: 	link:https://openjdk.org/jeps/486[Permanently Disable the Security Manager]
+* 487: 	link:https://openjdk.org/jeps/487[Scoped Values (Fourth Preview)]
+* 488: 	link:https://openjdk.org/jeps/488[Primitive Types in Patterns, instanceof, and switch (Second Preview)]
+* 489: 	link:https://openjdk.org/jeps/489[Vector API (Ninth Incubator)]
+* 490: 	link:https://openjdk.org/jeps/490[ZGC: Remove the Non-Generational Mode]
+* 491: 	link:https://openjdk.org/jeps/491[Synchronize Virtual Threads without Pinning]
+* 492: 	link:https://openjdk.org/jeps/492[Flexible Constructor Bodies (Third Preview)]
+* 493: 	link:https://openjdk.org/jeps/493[Linking Run-Time Images without JMODs]
+* 494: 	link:https://openjdk.org/jeps/494[Module Import Declarations (Second Preview)]
+* 495: 	link:https://openjdk.org/jeps/495[Simple Source Files and Instance Main Methods (Fourth Preview)]
+* 496: 	link:https://openjdk.org/jeps/496[Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism]
+* 497: 	link:https://openjdk.org/jeps/497[Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm]
+* 498: 	link:https://openjdk.org/jeps/498[Warn upon Use of Memory-Access Methods in sun.misc.Unsafe]
+* 499: 	link:https://openjdk.org/jeps/499[Structured Concurrency (Fourth Preview)]
+* 501: 	link:https://openjdk.org/jeps/501[Deprecate the 32-bit x86 Port for Removal]
+
+With the disabling of the Security Manager, you can no longer attempt to start Java with a Security Manager, install one during runtime nor use `AccessController::checkPermission`, `Policy::setPolicy`, `SecurityManager::check*` or `Subject::getSubject`. Make sure to fully test your applications for this big change and refer to link:https://openjdk.org/jeps/486#Description[the description section of JEP 486] for more information.
+
+Take advantage of the changes in Java 24 in Open Liberty now and get more time to review your applications, microservices, and runtime environments on your favorite server runtime!
+
+To start using Java 24 with Open Liberty, just link:https://adoptium.net/temurin/releases/?version=24[download the latest release of Java 24], download and install the link:https://openliberty.io/start/#runtime_releases[25.0.0.4] or later version of Open Liberty. Then edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env file] and set JAVA_HOME to your Java 24 installation and start testing!
+
+For more information on Java 24, please visit the Java 24 link:https://jdk.java.net/24/release-notes[release notes page], link:https://docs.oracle.com/en/java/javase/24/docs/api/index.html[API Javadoc page] or link:https://adoptium.net/temurin/releases/?version=24[download page].
+For more information on Open Liberty, please visit our link:https://openliberty.io/docs[documentation page].
+
+   
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/31143
+// Contact/Reviewer: pgunapal
+// // // // // // // // 
+[#telemetry]
+== Providing Liberty audit logs to OpenTelemetry using MicroProfile Telemetry 2.0
+
+MicroProfile Telemetry 2.0 delivers the latest OpenTelemetry technology, enabling the collection and export of metrics and logs in addition to distributed tracing.
+
+The Open Liberty link:{url-prefix}/docs/latest/reference/feature/audit-2.0.html[Audit] feature captures security-related events from the runtime environment and emits human-readable audit records to a file-based log. You can now collect Liberty audit logs and send them to your configured OpenTelemetry exporter by using the link:{url-prefix}/docs/latest/reference/feature/mpTelemetry-2.0.html[MicroProfile Telemetry 2.0] feature (`mpTelemetry-2.0`) with the Audit feature (`audit-1.0` or `audit-2.0`). This update builds on existing capabilities for other Open Liberty runtime log sources (message, trace, and ffdc) and application logs generated by the `java.util.logging` (JUL) component.
+
+To collect audit logs, add either the `audit-1.0` or `audit-2.0` feature and the `mpTelemetry-2.0` feature to your `server.xml` file. Configure the new `audit` log source to the `source` attribute for the `mpTelemetry` server configuration element, as shown in the following example:
+
+[source,xml]
+----
+<featureManager>
+   <feature>audit-2.0</feature>
+   <feature>mpTelemetry-2.0</feature>
+</featureManager>
+
+<mpTelemetry source="audit"/>
+----
+
+You can also configure which audit events are captured and routed to OpenTelemetry by specifying audit events and outcomes in the `auditFileHandler` element, as shown in the following example:
+
+[source,xml]
+----
+<auditFileHandler maxFiles="5" maxFileSize="20" compact="true">
+    <events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
+    <events name="AuditEvent_2" eventName="SECURITY_AUTHN" outcome="REDIRECT"/>
+    <events name="AuditEvent_3" eventName="SECURITY_AUTHN" outcome="FAILURE"/>
+    <events name="AuditEvent_4" eventName="SECURITY_AUTHZ"/>
+</auditFileHandler>
+----
+
+For more information about the Audit feature, see the link:{url-prefix}/docs/latest/reference/feature/audit-1.0.html[feature documentation]. For more information about using OpenTelemetry as a comprehensive observability solution, see link:{url-prefix}/docs/latest/microprofile-telemetry.html[Collect logs, metrics, and traces with OpenTelemetry].
+
+
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>
+
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|https://www.cve.org/CVERecord?id=CVE-2025-25193[CVE-2025-25193]
+|5.5
+|Denial of service
+|21.0.0.2 - 25.0.0.3
+|Affects the `grpc-1.0` and `grpcClient-1.0` features
+
+|https://www.cve.org/CVERecord?id=CVE-2025-23184[CVE-2025-23184]
+|5.9
+|Denial of service
+|17.0.0.3 - 25.0.0.3
+|Affects the `jaxws-2.2`, `xmlWS-3.0` and `xmlWS-4.0` features
+|===
+
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
+
+== Get Open Liberty 25.0.0.4 now
+
+Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.