Payara Platform Community 5.2021.8

Release Notes - Payara Platform Community 5.2021.8

Supported APIs and Applications

• Jakarta EE 8
• Java EE 8 Applications
• Jakarta EE 9
• MicroProfile 4.1

Breaking Changes

Client Certificate Validation Checks

After upgrading to Payara Community 5.2021.8, a certificate that was accepted in earlier versions might be rejected now. It is no longer enough that the client certificates are included within the Payara Keystore. See Certificate Expiration Validation :: Payara Community Documentation

Improvements

[FISH-5687] Integrate HotSwap Agent in Payara Platform

[FISH-5686] Log Warning When Not Running on a Supported LTS JDK Version

[FISH-5658] Add Placeholder for Instance Names in Custom Vendor Metrics

[FISH-5645] Add Validity Checks on Client Certificates in the Trust Store

[FISH-5636] Performance Optimizations to Remote EJB Tracing Feature

[FISH-1467] Reload the Web Application Container and Deployer

[FISH-376] Allow Configuration Details of HTTP GZIP Compression

Security Fixes

[FISH-5697] Upgrade H2 Database Engine to 1.4.200

Bug Fixes

[FISH-5768] Clustered CDI Events Not Being Received

[FISH-5736] Fix Unknown Exclude Field Provided Warning on Startup

[FISH-5734] Recursive Update Exception when Reading a MicroProfile Config Value After Server Restart

[FISH-5724] Deployment Failure Due to 'The lifecycle method [postConstruct] Must Not Throw a Checked Exception'

[FISH-5678] Jakarta Named Properties in 'persistence.xml' Are Not Recognized

[FISH-5675] (Community Contribution - phillipross) Full State Saving with Mojarra Results in ArrayIndexOutOfBoundsException

[FISH-470] NullPointerException when Deploying MDB into a Customized MDB Pool

Component Upgrades

[FISH-5776] Upgrade to Mojarra 2.3.14.payara-p3

[FISH-5751] Upgrade ASM to 9.1

[FISH-5750] Upgrade Felix to 7.0.1

[FISH-5698] Upgrade Apache Commons IO to Version 2.11

[FISH-261] Upgrade 'tini' to 0.19.0 in Docker Images

Payara Server Community Edition 5.2021.7

Release Notes - Payara Platform Community 5.2021.7

Supported APIs and Applications

• Jakarta EE 8
• Java EE 8 Applications
• Jakarta EE 9
• MicroProfile 4.1

Note

Security Vulnerability

IMPORTANT: We recently discovered and fixed an important security vulnerability within the Payara Server and Payara Micro products. A path Traversal security issue was found when the application is deployed under the root context which allowed a hacker to read from the file system of the server running the application. We highly recommend that you upgrade to this version to avoid the security issue.

New Features

• [FISH-5646] Add Client Certificate Validation API

Bug Fixes

• [FISH-5711] Fix Could Not Load Formatter Class Error in Payara Micro
• [FISH-5701] Application Does not Deploy Anymore on Payara Server Docker Image
• [FISH-5695] (Community Contribution - Empressia) ArrayIndexOutOfBoundsException When the ConfigProperty Value Ends in a Dollar Sign
• [FISH-5693] Delimiter for Configuring Multiple KeyStores and TrustStores Must use JVM Platform Delimiter
• [FISH-5691] Do not Propagate Non-Transactional EM to Managed Tasks
• [FISH-5690] Remove Duplicate postInvoke Handler Invocation on Failure
• [FISH-5660] Deployment Failure on Payara Micro
• [FISH-1058] Payara Micro - Wrong ClassLoader with Multiple Apps
• [FISH-966] Fix Asadmin stop-domain Help Text
• [FISH-81] Fix Incorrect Error "No valid EE environment for injection" for CDI Reported for Events

Component Upgrades

• [FISH-5655] Update Jersey to 2.34.payara-p1

Security Fixes

• [FISH-5702] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') When Context Root is /

Payara Server Community Edition 5.2021.6

Release Notes - Payara Platform Community 5.2021.6

Supported APIs and Applications

• Jakarta EE 8
• Java EE 8 Applications
• Jakarta EE 9
• MicroProfile 4.1

New Features

• [FISH-1372] - MicroProfile Health 3.1
• [FISH-385] - OpenID Connect: Per-session configuration and multitenancy
• [FISH-384] - Support Bearer authentication for OpenID authentication mechanism

Bug Fixes

• [FISH-5654] - NullPointerException when setting server log format to JSON
• [FISH-1530] - Fix OpenAPI TCK Tag Collection Test
• [FISH-1521] - Fix Incorrect Group/Role Mapping in OIDC Provider
• [FISH-1520] - Fix MicroProfile JWT-Auth TCK Failures
• [FISH-1345] - EE9 Transformer does not recognize the CDI 3.0 namespace in beans.xml; interceptor ignored.
• [FISH-1312] - MP OpenAPI schema property hidden is ignored
• [FISH-1278] - Jakarta namespace transformation ignored for JSP packaged in the EAR

Component Upgrades

• [FISH-786] - Integrate Security Connector with the Payara Platform

Security Fixes

• [FISH-5545] - Upgrade jackson-databind to 2.12.3
• [FISH-5544] - Upgrade json-smart dependency to 2.4.7

Payara Server Community Edition 5.2021.5

Release notes - Payara Platform Development - Version 5.2021.5

New Feature

• [FISH-1342] Support for loading certificates from multiple keystores

Improvement

• [FISH-5488] - Change default blocking behavior in Tenant Control
• [FISH-1509] - Entries in logging.properties file is pre-determined
• [FISH-1497] - Improve deploying an application from a Maven repository feature to support snapshot version
• [FISH-1423] - Disable escaping events in Asadmin CLI
• [FISH-1375] - (Community - avpinchuk) Improve remote archive deployment
• [FISH-1296] - Log Levels in UI must be sorted by default
• [FISH-862] - Make MPCONFIG usable in all DataSourceDefinition properties
• [FISH-380] - Allow JDBC Connection Pools to set min-size to zero
• [FISH-371] - Improve handling of custom POSTBOOT and PREBOOT file in Docker container
• [FISH-123] - Add an option to configure the URL for MP OpenAPI endpoint

Bug Fixes

• [FISH-1510] - Cannot configure MicroProfile Config Ordinal for JNDI
• [FISH-1418] - JMX Service doesn't start on JDK 8u292 and 11.0.11
• [FISH-1416] - MicroProfile Health Component Not Displaying in the Admin Console
• [FISH-1415] - Write updated log information all at once to logging.properties file.
• [FISH-1346] - Hazelcast / JCache not working for EARs
• [FISH-1341] - ConcurrentModificationException when creating OpenApi document
• [FISH-1204] - Missing example values in OpenApi components schema definition using nested objects
• [FISH-1167] - Fix Inconsistent Synchronization in Password Alias Alterations for Remote Instances
• [FISH-1083] - (Community - peculater) NPE in OpenAPI around visitPost() parameter type discovery
• [FISH-1068] - Parameter Serialization error in open api document for query parameter
• [FISH-995] - Fix JAX-WS Not working after http listener is "restarted"
• [FISH-758] - Fault Tolerance annotations not applied to Rest Client interface
• [FISH-229] - Can't enable monitoring on JDK11

Component Upgrade

• [FISH-1504] - Upgrade MicroProfile JWT-Auth to 1.2.1

Security

• [FISH-1421] - ELParserTokenManager enables invalid EL expressions to be evaluated

Payara Server Community Edition 6.2021.1.Alpha1

Payara Community 6.2021.1.Alpha1 Release Notes

Supported APIs and Applications

• Jakarta EE 9.1

• Jakarta EE 8

• Java EE 8 Applications

Payara Server Community Edition 5.2021.4

Payara Community 5.2021.4 Release Notes 

Supported APIs and Applications 

• Jakarta EE 8 

• Java EE 8 Applications 

• MicroProfile 4.0

Payara Server Community Edition 5.2021.3

Release notes - Payara Platform Development - Version 5.2021.3

Notes

Metro (JAX-WS implementation) remote code vulnerability

We have fixed a remote code vulnerability in the Metro framework. If you have an application deployed on the Payara Server that makes use of the JAX-WS features, please update your environment.

Release Notes

New Feature

• [FISH-1021] - Add Support for Setting the HSTS Header

Improvement

• [FISH-1311] - (Community Contribution - AngelTG2) asadmin create-password-alias is very slow when there are many aliases created
• [FISH-1304] - (Community Contribution - avpinchuk) Basic Auth support for the remote GAV retrieval during uber jar creation for Payara Micro
• [FISH-1295] - Code cleanup in security-core module
• [FISH-1287] - Admin console responds very slowly when remote instances are slow to respond
• [FISH-1286] - Add missing JDK 11 packages to OSGI
• [FISH-987] - Add option to disable evaluating Class references in EL in JSPs

Bug Fixes

• [FISH-1297] - Payara fails to start in certain network configurations
• [FISH-1293] - Disassociate ClusteredStore from tenants
• [FISH-1289] - Race condition in Payara Micro initialization
• [FISH-1214] - Fix ConfigParser Throws Exception when Parsing Domain.xml From CLICommand.
• [FISH-84] - ELResolver cannot handle a null base Object with identifier in EAR

Component Upgrade

• [FISH-858] - Upgrade Hazelcast 4.1 > 4.2 with Tenant Control

Security

• [FISH-1274] - Vulnerability in Metro's WSDL Code Importing/Parsing - Remote Code Execution

Payara Server Community Edition 5.2021.2

Release notes - Payara Platform Development - Version 5.2021.2

Notes

Jakarta EE 9 Support

In this release, we have fixed several issues relating to our Jakarta EE 9 Web Component (Servlet, JSTL and JSF) support through Eclipse Transformer. This is as a part of our ongoing effort to close the migration gap between major Jakarta versions before we provide full support for Jakarta EE 9. We encourage users to try updating their applications to Jakarta EE 9 with Eclipse Transformer, and raising any discovered bugs on our Github issue tracker.

New Feature

• [FISH-1064] - Asadmin to clear out old job executions of JBatch in all supported databases

Improvement

• [FISH-1079] - (Community - poikilotherm) Make MPCONFIG in TranslatedConfigView debugable
• [FISH-1094] - (Community - avpinchuk) Make Micro boot-time deployment more reliable
• [FISH-1171] - Make Enabled Parameter of set-healthcheck-configuration Command Optional
• [FISH-1172] - Make Enabled Parameter of set-admin-audit-configuration Command Optional
• [FISH-1186] - Support server-node Docker Image within Kubernetes
• [FISH-1213] - Remove "Data Grid Group Password" as no longer used with Hazelcast 4.x

Bug Fixes

• [FISH-514] - Fix Inconsistent behaviour when a domain backup is created
• [FISH-625] - Jakarta EE 9: Jakarta Faces Sevlet definition not supported
• [FISH-760] - MicroProfile OpenAPI application not detected
• [FISH-984] - Max Wait Time isn't respected when the JDBC pool is locked for a long time
• [FISH-1014] - [Community Contribution] Variables in @DatasourceDefinition not applied to 'className'
• [FISH-1061] - Fix NullPointer when Configuring a Notifier against a non-DAS Instance or Config
• [FISH-1069] - Fix Fault Tolerance service parameters and documentation
• [FISH-1084] - NullPointerException when getting monitoring data for JDBC
• [FISH-1158] - OpenAPI document creation failed when using @Schema annotation with Enum missing a nullcheck
• [FISH-1173] - Fix NullPointerException on Boot
• [FISH-1177] - Undeploy servlet NPE race condition
• [FISH-1178] - Failure to load resources by applications in parallel
• [FISH-1181] - Fix Conflicting --port Parameters in set-snmp-notifier-configuration/notification-snmp-configure Command
• [FISH-1182] - Fix Conflicting --port Parameters in set-xmpp-notifier-configuration/notification-xmpp-configure Command
• [FISH-1192] - Jakarta EE 9: Duplicate entry ZipException is thrown on transforming web application servlet_plu_singlethreadmodel_web.war
• [FISH-1193] - Jakarta EE 9: jakarta.servlet.http.* imports ignored by Payara transformer in JSP files
• [FISH-1194] - Jakarta EE 9: IllegalArgumentException jakarta.mail.Session is not an allowed property value type
• [FISH-1196] - Jakarta EE 9: Servlet Constant value namespace transformation ignored e.g jakarta.servlet.context.tempdir
• [FISH-1205] - Jakarta EE9: JSTL classes transformation is ignored in tld file
• [FISH-1206] - Jakarta EE9: JSF constants transformation is ignored

Payara Server Community Edition 5.2021.1

Payara Community 5.2021.1 Release Notes

Supported APIs and Applications

• Jakarta EE 8
• Java EE 8 Applications

Notes

MicroProfile 4.0

Following the 5.2021.1 release, we’ve upgraded Payara Platform to be compatible with the specifications present in version 4.0 of MicroProfile. You should be able to test your MicroProfile 4.0 compatible applications using this Community release. If you discover any issues, or have any related questions, please raise them on our GitHub repository.

Asadmin Command to Clear old JBatch Executions

A new command has been introduced with FISH-108 to remove old JBatch executions left around in the database. It is a known issue that this command currently only works with H2 database. In a future iteration, this will be generalised to cover a broader range of databases.

Hazelcast 4.0 Upgrade

It is important to note in this release that with the upgrade of Hazelcast to version 4.0, support for rolling updates from previous versions of Payara Community Edition to 5.2021.1 will not be supported.

New Features

• [FISH-105] - Migrate EJB Timers from Live Instances
• [FISH-108] - Asadmin to clear out old job executions of JBatch in H2
• [FISH-658] - MP Config 2.0 Upgrade
• [FISH-659] - MP Fault Tolerance 3.0 Upgrade
• [FISH-662] - MP Metrics 3.0 Upgrade
• [FISH-663] - MP OpenAPI 2.0 Upgrade
• [FISH-664] - MP OpenTracing 2.0 Upgrade
• [FISH-665] - MP Rest Client 2.0 Upgrade
• [FISH-753] - Remove Production Domain Template From Community Version
• [FISH-788] - [Community - poikilotherm] Support sub-directories for MPCONFIG SecretDirConfigSource
• [FISH-868] - [Community - ghunteranderson] MP-JWT public key location respects HTTP cache headers

Improvements

• [FISH-374] - Remove Support Portal integration from Community Edition
• [FISH-427] - Configure MP Config cache duration through System properties or ENV variables
• [FISH-759] - [Community - sgflt] Sort Instance names in alphabetical order in the Admin Console 'Instances' drop down
• [FISH-886] - [Community - avpinchuk] Deploy GAV from local repository
• [FISH-992] - [Community - cfiguera] Default values in data source definitions when translating values
• [FISH-1006] - Cleanup of glassfish-batch-connector

### Bug Fixes

• [FISH-222] - HTTP2 tests from h2spec fail with timeout on HTTPS listener
• [FISH-462] - TLSv1.3 is not listed as a supported SSL Protocol
• [FISH-464] - Race condition in Grizzly's HTTP/2
• [FISH-505] - Server instance tries to load Application not assigned to instance
• [FISH-515] - HTTP POST request returns 500 on Zulu JDK8
• [FISH-631] - Infinite loop in Grizzly SSL handshake causing deadlock
• [FISH-642] - Application Logging not performed on Payara 5 Cluster instances
• [FISH-652] - Error in MP JWT validation when retrieving JWKS key from remote location
• [FISH-743] - HK2 Class Parsing ClassCastException
• [FISH-744] - When creating a Resource Adapter Config via Admin Console only thread pools from 'Server-Config' is listed under Thread Pool ID
• [FISH-765] - [Community - sgflt] WebModule doesn't respect virtual server configuration
• [FISH-790] - Refactor, fix bugs and make immutable JavaEEContextUtil
• [FISH-796] - Fix Clustered Singleton bugs / add tests
• [FISH-876] - Incorrect Hashicorp Vault MP Config source blocks deployment and usage of MP Config
• [FISH-877] - Cloud MP Config Sources ignore ordinal defined in Domain
• [FISH-885] - OpenAPI document creation failed when using @Schema annotation with Enum
• [FISH-892] - Hashicorp vault secret value not picked up by MicroProfile after restart domain
• [FISH-990] - OpenTracing Active Span is NULL when retrieved in EJB tracer on remote execution
• [FISH-994] - [Community - sgflt] Package jaxws opentracing to embedded Payara
• [FISH-1007] - [Community - sgflt] Payara logback libs produce NPE
• [FISH-1015] - [Community - avpinchuk] Add appropriate application name to GAV deployments
• [FISH-1017] - [Community - bjetal] Payara can close JarFile instances used by current URLClassLoaders
• [FISH-1018] - Class Loader leaks on redeploy
• [FISH-1019] - [Community - bhanuunrivalled] GlassFishProperties NPE when initialised with null properties

Component Upgrades

• [FISH-791] - Upgrade to Hazelcast 4

Payara Server Community Edition 5.2020.7

Payara Community 5.2020.7 Release Notes

Supported APIs and Applications

• Jakarta EE 8
• Java EE 8 Applications

Notes

MicroProfile 4.0

As MicroProfile moves toward the 4.0 final release, the Payara team has simultaneously been working to ready the Payara Platform for MicroProfile 4.0 compatibility. In this Payara Platform Community Release, you can give two of the MicroProfile specification release candidates a try: MP Health 3.0 and MP JWT Auth 1.2. This technically breaks MicroProfile 3.3 support, although functionally the MicroProfile 3.3 TCK will only fail on the @Health annotation removal.

Production Domain Removal

As part of our ongoing effort to reduce bloat in Payara Community
Edition, we have removed the production domain from the distributions.
The template for this domain
(common/templates/gf/production-domain.jar) is still available,
although this too will be removed in a future release. Note that Payara
Enterprise Edition will still contain the production domain.

New Features

• [FISH-330] - Implement
  LDAP MicroProfile Config Source
• [FISH-338] - Create
  Hashicorp Cloud Vault MicroProfile Config Source
• [FISH-660] - MP Health 3.0
  Upgrade
• [FISH-661] - MP JWT Auth
  1.2 Upgrade

Improvements

• [FISH-327] - Implement
  MicroProfile Sniffer and Engine
• [FISH-375] - Remove
  production domain from community version
• [FISH-651] - Allow JWT
  verification to skip type validation
• [FISH-732] - Improve
  message when same name is used in metrics.xml for exposed AMX bean.

Security fixes

• [FISH-731] - Upgrade
  Hibernate Validator to 6.1.5.Final

Bug Fixes

• [FISH-206] - @RolesAllowed
  annotation in method prevents unauthenticated calls to other methods in
  remote EJB
• [FISH-275] - Deployment
  fails if system properties in persistence.xml are only defined in the
  target config and not in DAS config
• [FISH-431] - OpenAPI
  document shows ejb-timer-service-app as server URL when EJB timer
  available
• [FISH-657] - no
  element When deploy WebServices
• [FISH-747] - Azure Secret
  Secret Configuration screen on Web Admin console fails
• [FISH-761] - [Community -
  bjetal] Deployment of unpacked WAB fails when
  using Felix fileinstall
• [FISH-763] - [Community -
  sgflt] Embedded Payara is unable to start
• [FISH-766] - [Community -
  sgflt] Improper synchronization of session map
• [FISH-767] - Missing
  ejb-opentracing.jar in manifest of gf-client.jar
• [FISH-777] - [Community -
  avpinchuk] Exclude OpenAPI rest endpoint
  from tracing