Merge pull request #4360 from OpenLiberty/25.0.0.4-post

navaneethsnair1 · web-flow · commit 8b5cd303b24d · 2025-04-21T20:23:06.000+05:30
25.0.0.4 staging
diff --git a/blog_tags.json b/blog_tags.json
@@ -2,7 +2,8 @@
     "blog_tags": [
         {
             "name": "announcements",
-            "posts": ["25.0.0.4-beta", "25.0.0.3", "open-liberty-cloud-hosted-guides-multi-languages",
+            "posts": ["25.0.0.4", "25.0.0.4-beta", 
+                      "25.0.0.3", "open-liberty-cloud-hosted-guides-multi-languages",
                       "25.0.0.3-beta", "25.0.0.2",
                       "25.0.0.2-beta", "25.0.0.1",
                       "25.0.0.1-beta", "24.0.0.12",
@@ -89,7 +90,7 @@
             "featured": "true"
         },{
             "name": "microprofile",
-            "posts": ["25.0.0.4-beta", "microprofile-telemetry-20",
+            "posts": ["25.0.0.4", "25.0.0.4-beta", "microprofile-telemetry-20",
                       "25.0.0.2-beta", "cloudant-with-open-liberty",
                       "microprofile-7", "24.0.0.12",
                       "24.0.0.10", "24.0.0.9",
@@ -161,7 +162,7 @@
         },
         {
             "name": "java-se",
-            "posts": ["25.0.0.4-beta", "24.0.0.10",
+            "posts": ["25.0.0.4", "25.0.0.4-beta", "24.0.0.10",
                       "24.0.0.10-beta", "24.0.0.4",
                       "24.0.0.4-beta", "24.0.0.3",
                       "24.0.0.1", "Java21-Images",
@@ -179,7 +180,7 @@
         },
         {
             "name": "release",
-            "posts": ["25.0.0.4-beta",
+            "posts": ["25.0.0.4", "25.0.0.4-beta",
                       "25.0.0.3", "25.0.0.3-beta",
                       "25.0.0.2", "25.0.0.2-beta",
                       "25.0.0.1", "25.0.0.1-beta",
@@ -566,7 +567,7 @@
         },
         {
             "name": "monitoring",
-            "posts": ["25.0.0.4-beta",
+            "posts": ["25.0.0.4", "25.0.0.4-beta",
                       "microprofile-telemetry-20", "25.0.0.2-beta",
                       "microprofile-7", "24.0.0.9",
                       "24.0.0.8", "24.0.0.8-beta",
@@ -640,7 +641,7 @@
         },
         {
             "name": "java-ee",
-            "posts": ["25.0.0.4-beta",
+            "posts": ["25.0.0.4", "25.0.0.4-beta",
                       "24.0.0.8", "24.0.0.8-beta",
                       "history-maker-projects", "space-sentry-challenge",
                       "jakarta-ee-9.1-210012", "KevinSutter_MeetTheTeam",
diff --git a/posts/2025-04-22-25.0.0.4.adoc b/posts/2025-04-22-25.0.0.4.adoc
@@ -0,0 +1,286 @@
+---
+layout: post
+title: "Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4"
+# Do NOT change the categories section
+categories: blog
+author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
+author_github: https://github.com/navaneethsnair1
+seo-title: Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4 - OpenLiberty.io
+seo-description: The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
+blog_description: The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
+open-graph-image: https://openliberty.io/img/twitter_card.jpg
+open-graph-image-alt: Open Liberty Logo
+---
+= Support for Java 24, collect Liberty audit logs with OpenTelemetry and more in 25.0.0.4
+Navaneeth S Nair <https://github.com/navaneethsnair1>
+:imagesdir: /
+:url-prefix:
+:url-about: /
+//Blank line here is necessary before starting the body of the post.
+
+// // // // // // // //
+// In the preceding section:
+// Do not insert any blank lines between any of the lines.
+// Do not remove or edit the variables on the lines beneath the author name.
+//
+// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it
+// can be left empty which will set it to the default
+//
+// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to
+// a custom picture, you must provide a custom string for "open-graph-image-alt".
+//
+// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4
+// Replace navaneethsnair1 with your GitHub username eg: lauracowen
+// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post).
+// Replace Navaneeth S Nair with your name as you'd like it to be displayed, eg: Laura Cowen
+//
+// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc
+//
+// If adding image into the post add :
+// -------------------------
+// [.img_border_light]
+// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"]
+// -------------------------
+// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not           
+// around diagrams. Then double check how it looks.
+// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark
+// backgrounds.
+// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog
+// change the "IMAGE CAPTION" to a couple words of what the image is
+// // // // // // // //
+The 25.0.0.4 release introduces support for Java 24 and expands InstantOn capabilities to include J2EEManagement, AppClientSupport, and WsSecurity. It also enables Liberty audit logs to be exported to OpenTelemetry using MicroProfile Telemetry 2.0 for unified observability.
+
+In link:{url-about}[Open Liberty] 25.0.0.4:
+
+* <<support, InstantOn Support for J2EEManagement, AppClientSupport and WsSecurity>>
+* <<java, Support for Java 24 in Open Liberty>>
+* <<telemetry, Providing Liberty audit logs to OpenTelemetry using MicroProfile Telemetry 2.0>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
+
+
+// // // // // // // //
+// If there were updates to guides since last release, keep the following, otherwise remove section.
+// // // // // // // //
+Along with the new features and functions added to the runtime, we’ve also made <<guides, updates to our guides>>.
+
+// // // // // // // //
+// In the preceding section:
+// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3
+// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3
+// Where the updates are grouped as sub-headings under a single heading 
+//   (eg all the features in a MicroProfile release), provide sub-entries in the list; 
+//   eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with 
+//   Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4)
+// // // // // // // //
+
+View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A25004+label%3A%22release+bug%22[25.0.0.4].
+
+Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts].
+
+[#run]
+
+// // // // // // // //
+// LINKS
+//
+// OpenLiberty.io site links:
+// link:{url-prefix}/guides/maven-intro.html[Maven]
+// 
+// Off-site links:
+//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions]
+//
+// IMAGES
+//
+// Place images in ./img/blog/
+// Use the syntax:
+// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"]
+// // // // // // // //
+
+== Develop and run your apps using 25.0.0.4
+
+If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file:
+
+[source,xml]
+----
+<plugin>
+    <groupId>io.openliberty.tools</groupId>
+    <artifactId>liberty-maven-plugin</artifactId>
+    <version>3.11.3</version>
+</plugin>
+----
+
+Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file:
+
+[source,gradle]
+----
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.3'
+    }
+}
+apply plugin: 'liberty'
+----
+
+Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:
+
+[source]
+----
+FROM icr.io/appcafe/open-liberty
+----
+
+Or take a look at our link:{url-prefix}/start/[Downloads page].
+
+If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. 
+
+[link=https://stackoverflow.com/tags/open-liberty]
+image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/31256
+// Contact/Reviewer: SmithaSubbarao
+// // // // // // // // 
+[#support]
+== InstantOn Support for J2EEManagement, AppClientSupport and WsSecurity
+
+Open Liberty link:{url-prefix}/docs/latest/instanton.html[InstantOn] provides fast startup times for MicroProfile and Jakarta EE applications. With InstantOn, your applications can start in milliseconds, without compromising on throughput, memory, development-production parity, or Java language features. InstantOn uses the Checkpoint/Restore In Userspace (link:https://criu.org/[CRIU]) feature of the Linux kernel to take a checkpoint of the JVM that can be restored later. InstantOn supports link:{url-prefix}/docs/latest/instanton.html#supported-features[a subset of Open Liberty features]. Any public features that are enabled outside of the supported set of features for InstantOn cause the checkpoint to fail with an error message. As of the 25.0.0.4 release, the following features are enhanced to support InstantOn.
+
+- link:{url-prefix}/docs/latest/reference/feature/j2eeManagement-1.1.html[J2EE Management 1.1 (j2eeManagement-1.1)]
+- link:{url-prefix}/docs/latest/reference/feature/appClientSupport-1.0.html[Application Client Support for Server 1.0 (appClientSupport-1.0)]
+- link:{url-prefix}/docs/latest/reference/feature/appClientSupport-2.0.html[Jakarta Application Client Support for Server 2.0 (appClientSupport-2.0)]
+- link:{url-prefix}/docs/latest/reference/feature/wsSecurity-1.1.html[Web Service Security 1.1 (wsSecurity-1.1)]
+   
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/31244
+// Contact/Reviewer: gjwatts
+// // // // // // // // 
+[#java]
+== Support for Java 24 in Open Liberty
+
+Released on 18 March 2025, Java 24 introduces many new features and enhancements over previous versions of Java. However, since Java 24 is not a Long-Term Support (LTS) release, support for it will end when the next version of Java is supported. It offers many features worth checking out.
+
+Here are the link:https://openjdk.org/projects/jdk/24/[JEP changes in Java 24]:
+
+* 404: 	link:https://openjdk.org/jeps/404[Generational Shenandoah (Experimental)]
+* 450: 	link:https://openjdk.org/jeps/450[Compact Object Headers (Experimental)]
+* 472: 	link:https://openjdk.org/jeps/472[Prepare to Restrict the Use of JNI]
+* 475: 	link:https://openjdk.org/jeps/475[Late Barrier Expansion for G1]
+* 478: 	link:https://openjdk.org/jeps/478[Key Derivation Function API (Preview)]
+* 479: 	link:https://openjdk.org/jeps/479[Remove the Windows 32-bit x86 Port]
+* 483: 	link:https://openjdk.org/jeps/483[Ahead-of-Time Class Loading & Linking]
+* 484: 	link:https://openjdk.org/jeps/484[Class-File API]
+* 485: 	link:https://openjdk.org/jeps/485[Stream Gatherers]
+* 486: 	link:https://openjdk.org/jeps/486[Permanently Disable the Security Manager]
+* 487: 	link:https://openjdk.org/jeps/487[Scoped Values (Fourth Preview)]
+* 488: 	link:https://openjdk.org/jeps/488[Primitive Types in Patterns, instanceof, and switch (Second Preview)]
+* 489: 	link:https://openjdk.org/jeps/489[Vector API (Ninth Incubator)]
+* 490: 	link:https://openjdk.org/jeps/490[ZGC: Remove the Non-Generational Mode]
+* 491: 	link:https://openjdk.org/jeps/491[Synchronize Virtual Threads without Pinning]
+* 492: 	link:https://openjdk.org/jeps/492[Flexible Constructor Bodies (Third Preview)]
+* 493: 	link:https://openjdk.org/jeps/493[Linking Run-Time Images without JMODs]
+* 494: 	link:https://openjdk.org/jeps/494[Module Import Declarations (Second Preview)]
+* 495: 	link:https://openjdk.org/jeps/495[Simple Source Files and Instance Main Methods (Fourth Preview)]
+* 496: 	link:https://openjdk.org/jeps/496[Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism]
+* 497: 	link:https://openjdk.org/jeps/497[Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm]
+* 498: 	link:https://openjdk.org/jeps/498[Warn upon Use of Memory-Access Methods in sun.misc.Unsafe]
+* 499: 	link:https://openjdk.org/jeps/499[Structured Concurrency (Fourth Preview)]
+* 501: 	link:https://openjdk.org/jeps/501[Deprecate the 32-bit x86 Port for Removal]
+
+**With the disabling of the Security Manager, you can no longer attempt to start Java with a Security Manager, install one during runtime nor use `AccessController::checkPermission`, `Policy::setPolicy`, `SecurityManager::check*` or `Subject::getSubject`**. Make sure to fully test your applications for this big change and refer to link:https://openjdk.org/jeps/486#Description[the description section of JEP 486] for more information.
+
+Take advantage of the changes in Java 24 in Open Liberty now and get more time to review your applications, microservices, and runtime environments on your favorite server runtime!
+
+To start using Java 24 with Open Liberty, just link:https://adoptium.net/temurin/releases/?version=24[download the latest release of Java 24], download and install the link:https://openliberty.io/start/#runtime_releases[25.0.0.4] or later version of Open Liberty. Then edit your Liberty server's link:https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env file] and set JAVA_HOME to your Java 24 installation and start testing!
+
+For more information on Java 24, please visit the Java 24 link:https://jdk.java.net/24/release-notes[release notes page], link:https://docs.oracle.com/en/java/javase/24/docs/api/index.html[API Javadoc page] or link:https://adoptium.net/temurin/releases/?version=24[download page].
+For more information on Open Liberty, please visit our link:https://openliberty.io/docs[documentation page].
+
+   
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/31143
+// Contact/Reviewer: pgunapal
+// // // // // // // // 
+[#telemetry]
+== Providing Liberty audit logs to OpenTelemetry using MicroProfile Telemetry 2.0
+
+MicroProfile Telemetry 2.0 delivers the latest OpenTelemetry technology, enabling the collection and export of metrics and logs in addition to distributed tracing.
+
+The Open Liberty link:{url-prefix}/docs/latest/reference/feature/audit-2.0.html[Audit] feature captures security-related events from the runtime environment and emits human-readable audit records to a file-based log. You can now collect Liberty audit logs and send them to your configured OpenTelemetry exporter by using the link:{url-prefix}/docs/latest/reference/feature/mpTelemetry-2.0.html[MicroProfile Telemetry 2.0] feature (`mpTelemetry-2.0`) with the Audit feature (`audit-1.0` or `audit-2.0`). This update builds on existing capabilities for other Open Liberty runtime log sources (message, trace, and ffdc) and application logs generated by the `java.util.logging` (JUL) component.
+
+To collect audit logs, add either the `audit-1.0` or `audit-2.0` feature and the `mpTelemetry-2.0` feature to your `server.xml` file. Configure the new `audit` log source to the source attribute for the `mpTelemetry` server configuration element, as shown in the following example:
+
+[source,xml]
+----
+<featureManager>
+   <feature>audit-2.0</feature>
+   <feature>mpTelemetry-2.0</feature>
+</featureManager>
+
+<mpTelemetry source="audit"/>
+----
+
+You can also configure which audit events are captured and routed to OpenTelemetry by specifying audit events and outcomes in the `auditFileHandler` element, as shown in the following example:
+
+[source,xml]
+----
+<auditFileHandler maxFiles="5" maxFileSize="20" compact="true">
+    <events name="AuditEvent_1" eventName="SECURITY_AUTHN" outcome="SUCCESS"/>
+    <events name="AuditEvent_2" eventName="SECURITY_AUTHN" outcome="REDIRECT"/>
+    <events name="AuditEvent_3" eventName="SECURITY_AUTHN" outcome="FAILURE"/>
+    <events name="AuditEvent_4" eventName="SECURITY_AUTHZ"/>
+</auditFileHandler>
+----
+
+For more information about the Audit feature, see the link:{url-prefix}/docs/latest/reference/feature/audit-1.0.html[feature documentation]. For more information about using OpenTelemetry as a comprehensive observability solution, see link:{url-prefix}/docs/latest/microprofile-telemetry.html[Collect logs, metrics, and traces with OpenTelemetry].
+
+
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>
+
+For more details, check the LINK[LINK_DESCRIPTION].
+
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|https://www.cve.org/CVERecord?id=CVE-2025-25193[CVE-2025-25193]
+|5.5
+|Denial of service
+|21.0.0.2 - 25.0.0.3
+|Affects the `grpc-1.0` and `grpcClient-1.0` features
+
+|https://www.cve.org/CVERecord?id=CVE-2025-23184[CVE-2025-23184]
+|5.9
+|Denial of service
+|17.0.0.3 - 25.0.0.3
+|Affects the `jaxws-2.2`, `xmlWS-3.0` and `xmlWS-4.0` features
+|===
+// // // // // // // //
+// In the preceding section:
+// If there were any CVEs addressed in this release, fill out the table.  For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc.  If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
+// Note: When linking to features, use the 
+// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and 
+// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
+//
+// If there are no CVEs fixed in this release, replace the table with: 
+// "There are no security vulnerability fixes in Open Liberty [25.0.0.4]."
+// // // // // // // //
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
+
+// // // // // // // //
+// In the following section, list any new guides, or changes/updates to existing guides.  
+// The following is an example of how the list can be structured (similar to the bugs section):
+// * link:{url-prefix}/guides/[new/updated guide].html[Guide Title]
+//  ** Description of the guide or the changes made to the guide.
+// // // // // // // //
+
+
+== Get Open Liberty 25.0.0.4 now
+
+Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.
