diff --git a/posts/2025-09-09-25.0.0.9.adoc b/posts/2025-09-09-25.0.0.9.adoc index ba3bf9c54..b600148f9 100644 --- a/posts/2025-09-09-25.0.0.9.adoc +++ b/posts/2025-09-09-25.0.0.9.adoc @@ -13,6 +13,8 @@ open-graph-image-alt: Open Liberty Logo blog-available-in-languages: - lang: zh-Hans path: /zh-Hans/blog/2025/09/09/25.0.0.9.html +- lang: ja + path: /ja/blog/2025/09/09/25.0.0.9.html --- = ECDH-ES support added to JWT Builder in 25.0.0.9 Ismath Badsha diff --git a/posts/2025-10-23-mcp-standalone-blog.adoc b/posts/2025-10-23-mcp-standalone-blog.adoc index 452d5b1a0..a097296d6 100644 --- a/posts/2025-10-23-mcp-standalone-blog.adoc +++ b/posts/2025-10-23-mcp-standalone-blog.adoc 
@@ -32,7 +32,15 @@ Consider a scenario where your company provides weather forecasting services tha A more effective solution is to enable the AI to access current weather data through tools exposed by your Liberty application. This allows the AI to retrieve up-to-date forecast information whenever needed, ensuring responses are always based on the most current data available, without the need for AI model retraining. == How to Use the Liberty MCP Server Feature -The Liberty MCP Server feature enables a Liberty server to communicate with agentic AI workflows using the MCP protocol with https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http[streamable HTTP]. Using the MCP protocol provides a standardized way for any AI application to be able to discover and utilize the business logic within your application. +The Liberty MCP Server feature enables a Liberty server to communicate with agentic AI workflows through the MCP protocol. This protocol provides a standardized way for AI applications to discover and utilize the business logic within your application. + +The MCP endpoint is available at `/mcp` under your application's context root. For example, if you see this in your logs: +``` +CWWKT0016I: Web application available (default_host): http://localhost:9080/myMcpApp/ +``` +Then your MCP endpoint can be accessed at `http://localhost:9080/myMcpApp/mcp`. You can connect any MCP client that supports the https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http[Streamable HTTP transport]. + +To test your MCP server, you can use the https://modelcontextprotocol.io/docs/tools/inspector[MCP Inspector]. With `npm` installed, simply run `npx @modelcontextprotocol/inspector` to download and run it. === Declaring an MCP Tool To expose your business logic to authorized AI applications, you'll need to declare it as an https://modelcontextprotocol.io/specification/2025-06-18/server/tools[MCP tool]. 
In this context, a tool is a function or operation that the AI can invoke to perform a specific task. diff --git a/posts/2025-11-18-25.0.0.12-beta.adoc b/posts/2025-11-18-25.0.0.12-beta.adoc new file mode 100644 index 000000000..8142cdf69 --- /dev/null +++ b/posts/2025-11-18-25.0.0.12-beta.adoc 
@@ -0,0 +1,467 @@ +--- +layout: post +title: "SpringBoot 4.0, preview of Jakarta Data 1.1 and more in 25.0.0.12-beta" +# Do NOT change the categories section +categories: blog +author_picture: https://avatars3.githubusercontent.com/navaneethsnair1 +author_github: https://github.com/navaneethsnair1 +seo-title: "SpringBoot 4.0, preview of Jakarta Data 1.1 and more in 25.0.0.12-beta- OpenLiberty.io" +seo-description: This beta release adds Spring Boot 4.x support, previews Jakarta Data 1.1 capabilities, and enhances the Netty-based HTTP transport. It also updates Model Context Protocol Server 1.0 and introduces the option to use your own AES-256 key for Liberty password encryption. +blog_description: This beta release adds Spring Boot 4.x support, previews Jakarta Data 1.1 capabilities, and enhances the Netty-based HTTP transport. It also updates Model Context Protocol Server 1.0 and introduces the option to use your own AES-256 key for Liberty password encryption. +open-graph-image: https://openliberty.io/img/twitter_card.jpg +open-graph-image-alt: Open Liberty Logo +--- += SpringBoot 4.0, preview of Jakarta Data 1.1 and more in 25.0.0.12-beta +Navaneeth S Nair +:imagesdir: / +:url-prefix: +:url-about: / +//Blank line here is necessary before starting the body of the post. + +This beta release adds Spring Boot 4.x support, previews Jakarta Data 1.1 capabilities, and enhances the Netty-based HTTP transport. It also updates Model Context Protocol Server 1.0 and introduces the option to use your own AES-256 key for Liberty password encryption. + +The link:{url-about}[Open Liberty] 25.0.0.12-beta includes the following beta features (along with link:{url-prefix}/docs/latest/reference/feature/feature-overview.html[all GA features]): + + +* <> +* <> +* <> +* <> +* <> + + +See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts]. 
+ +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33154 +// Contact/Reviewer: anjumfatima90 +// // // // // // // // +[#springboot] +== SpringBoot 4.0 +Open Liberty currently supports running Spring Boot 1.5, 2.x, and 3.x applications. With the introduction of the new `springBoot-4.0` feature, users can now deploy Spring Boot 4.x applications by enabling this feature. While Liberty consistently supports Spring Boot applications packaged as `WAR` files, this enhancement extends support to both `JAR` and `WAR` formats for Spring Boot 4.x applications. + +The springBoot-4.0 feature provides a complete support for running a Sprint Boot 4.x application on Open Liberty as well as having the capability to thin the application when creating applications in containers. + +To use this feature, the user must be running `Java 17` or later with EE11 features enabled. If the application uses servlets, it must be configured to use `Servlet 6.1`. Include the following features in your `server.xml` file to define settings. + +[source, xml] +---- + + springboot-4.0 + servlet-6.1 + +---- + +The `server.xml` configuration for deploying a Spring Boot application follows the same approach as in earlier Liberty Spring Boot versions. + +[source, xml] +---- + +---- + +As in earlier versions, the Spring Boot application JAR can be deployed by placing it in the `/dropins/spring` folder. The `springBootApplication` configuration in the `server.xml` file can be omitted when using this deployment method. + +// DO NOT MODIFY THIS LINE. 
+ +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33132 +// Contact/Reviewer: njr-11 +// // // // // // // // +[#data1.1] +== Early preview of Jakarta Data 1.1 +This release reviews three new features of Jakarta Data 1.1: retrieving a subset or projection of entity attributes, the `@Is` annotation, and `Constraint` subtype parameters for repository methods that apply basic constraints to repository `@Find` and `@Delete` operations. + +Previously, repository methods couldn't limit retrieval of results to subsets of entity attributes (commonly referred to as projections). Now, repository methods can return Java records that represent a subset of an entity. In addition, parameter-based `@Find` and `@Delete` methods earlier were not able to filter on conditions other than equality. Now more advanced filtering can be done in two different ways: typing the repository method parameter with a `Constraint` subtype or indicating the `Constraint` subtype by using the `@Is` annotation. + +In Jakarta Data, you write simple Java objects called *Entities* to represent data, and you write interfaces called *Repositories* to define operations on data. You inject a Repository into your application and use it. The implementation of the *Repository* is automatically provided for you! + +Start by defining an entity class that corresponds to your data. With relational databases, the entity class corresponds to a database table and the entity properties (public methods and fields of the entity class) generally correspond to the columns of the table. An entity class can be: + +- annotated with `jakarta.persistence.Entity` and related annotations from Jakarta Persistence +- a Java class without entity annotations, in which case the primary key is inferred from an entity property named `id` or ending with `Id` and an entity property named `version` designates an automatically incremented version column. 
+ +Here's a simple entity, + +```java +@Entity +public class Product { + @Id + public long id; + public String name; + public float price; + public float weight; +} +``` + +After you define the entity to represent the data, it is usually helpful to have your IDE generate a static metamodel class for it. By convention, static metamodel classes begin with the underscore character, followed by the entity name. Because this beta is being made available well before the release of Jakarta Data 1.1, we cannot expect IDEs to generate for us yet. However, we can provide the static metamodel class that an IDE would be expected to generate for the `Product` entity: + +```java +@StaticMetamodel(Product.class) +public interface _Product { + String ID = "id"; + String NAME = "name"; + String PRICE = "price"; + String WEIGHT = "weight"; + + NumericAttribute id = NumericAttribute.of( + Product.class, ID, long.class); + TextAttribute name = TextAttribute.of( + Product.class, NAME); + NumericAttribute price = NumericAttribute.of( + Product.class, PRICE, float.class); + NumericAttribute weight = NumericAttribute.of( + Product.class, WEIGHT, float.class); +} +``` + +The first half of the static metamodel class includes constants for each of the entity attribute names so that you don't need to otherwise hardcode string values into your application. The rest half of the static metamodel class provides a special instance for each entity attribute, from which you can build restrictions and sorting to apply to queries at run time. + +The following example is a repository that defines operations that are related to the `Product` entity. Your repository interface can inherit from built-in interfaces such as `BasicRepository` and `CrudRepository`. These interfaces contain various general-purpose repository methods for inserting, updating, deleting, and querying for entities. 
In addition, you can compose your own operations using the static metamodel and annotations such as `@Find` or `@Delete`. + +```java +@Repository(dataStore = "java:app/jdbc/my-example-data") +public interface Products extends CrudRepository { + + // Retrieving the whole entity, + @Find + Optional find(@By(_Product.ID) long productNum); + + // The Select annotation can identify a single entity attribute to retrieve, + @Find + @Select(_Product.PRICE) + Optional getPrice(@By(_Product.ID) long productNum); + + // You can return multiple entity attributes as a Java record, + @Find + @Select(_Product.WEIGHT) + @Select(_Product.NAME) + Optional getWeightAndName(@By(_Product.ID) long productNum); + + static record WeightInfo(float itemWeight, String itemName) {} + + // The Select annotation can be omitted if the record component names match the entity attribute names, + @Find + List getWeightAndPrice(@By(_Product.Name) String name); + + static record WeightPriceInfo(float weight, float price) {} + + // Constraint subtypes (such as Like) for method parameters offer different types of filtering, + @Find + Page named(@By(_Product.Name) Like namePattern, + Order sorting, + PageRequest pageRequest); + + // The @Is annotation also allows you to specify Constraint subtypes, + @Find + @OrderBy(_Product.PRICE) + @OrderBy(_Product.NAME) + List pricedBelow(@By(_Product.PRICE) @Is(LessThan.class) float maxPrice, + @By(_Product.Name) @Is(Like.class) String namePattern); + + @Delete + long removeHeaviest(@By(_Product.WEIGHT) @Is(GreaterThan.class) float maxWeightAllowed); +} +``` + +Following is an example of the repository and static metamodel being used. 
+ +```java +@DataSourceDefinition(name = "java:app/jdbc/my-example-data", + className = "org.postgresql.xa.PGXADataSource", + databaseName = "ExampleDB", + serverName = "localhost", + portNumber = 5432, + user = "${example.database.user}", + password = "${example.database.password}") +public class MyServlet extends HttpServlet { + @Inject + Products products; + + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + // Insert: + Product prod = ... + prod = products.insert(prod); + + // Find one entity attribute: + price = products.getPrice(prod.id).orElseThrow(); + + // Find multiple entity attributes as a Java record: + WeightInfo info = products.getWeightAndName(prod.id); + System.out.println(info.itemName() + " weighs " + info.itemWeight() + " kg."); + + // Filter by supplying a Like constraint, returning only the first 10 results: + Page page1 = products.named( + Like.pattern("%computer%"), + Order.by(_Product.price.desc(), + _Product.name.asc(), + _Product.id.asc()), + PageRequest.ofSize(10)); + + // Filter by supplying values only: + List found = pricedBelow(50.0f, "%keyboard%"); + + ... + } +} +``` +For more information about Jakarta Data 1.1, see the following resources: + +* link:https://jakarta.ee/specifications/data/1.1/apidocs[Jakarta Data 1.1 API Javadoc] +* link:https://jakarta.ee/specifications/data/1.1/jakarta-data-1.1.0-m1[Jakarta Data 1.1 specification] +* link:https://jakarta.ee/specifications/data/1.1/[Jakarta Data 1.1 overvi ew page] + +*Note* +This beta includes only the Data 1.1 features for entity subsets or projections, the `@Is` annotation, and `Constraint` subtypes as repository method parameters that accept basic constraint values. Other new Data 1.1 features are not included in this beta. + +// DO NOT MODIFY THIS LINE. 
+ +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33198 +// Contact/Reviewer: habiblawal1 +// // // // // // // // +[#mcp] +== Model Context Protocol Server 1.0 updates + +The link:https://modelcontextprotocol.io/docs/getting-started/intro[Model Context Protocol (MCP)] is an open standard for AI applications to access real-time information from external sources. The Liberty MCP Server feature `mcpServer-1.0` allows developers to expose the business logic of their applications, allowing it to be integrated into agentic AI workflows. + +This beta release of Liberty includes important updates to the `mcpServer-1.0` feature, including session management and easier discovery of the MCP endpoint. + +=== Prerequisites +To use the `mcpServer-1.0` feature, it is required to have `Java 17` installed on your system. + +=== MCP Session Management +This beta version includes support for the link:https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#session-management[session management] function of the MCP specification. This feature enables stateful sessions between client and server, allowing the server to securely correlate multiple requests in the same session for features like tool call cancellation. + +When a client connects to the MCP server, a unique session ID is assigned to the client during the link:https://modelcontextprotocol.io/specification/2025-06-18/basic/lifecycle#initialization[initialization phase] and returned in the `Mcp-Session-Id` HTTP response header. For subsequent requests, the client must include the session ID in the `Mcp-Session-Id` request header. + +=== MCP Endpoint Discoverability +The MCP endpoint is made available at `/mcp` under the context root of your application, e.g., `http://localhost:9080/myMcpApp/mcp`. 
For ease of discovery, the URL of the MCP endpoint for your Liberty hosted application is now output to the server logs on application startup. + +The following example shows what you would see in your logs if you have an application called `myMcpApp`: + +``` +I MCP server endpoint: http://localhost:9080/myMcpApp/mcp +``` + +In this beta version, the MCP server endpoint is also accessible with a trailing slash(`/`) at the end, for example, `http://localhost:9080/myMcpApp/mcp/`. + +=== Liberty MCP Server API Documentation +You can now find API documentation for the Liberty MCP Server feature. The javadoc is located in the `io.openliberty.mcp_1.0-javadoc.zip` file within your `wlp/dev/api/ibm/javadoc` directory. + +Attach the Liberty MCP Server feature’s Javadoc to your IDE to view descriptions of the API's methods and class details. + +*Note*: The following packages and interfaces that are documented in the Javadoc are not yet implemented: + +* `io.openliberty.mcp.encoders` +* `io.openliberty.mcp.annotations.OutputSchemaGenerator` +* `io.openliberty.mcp.annotations.Tool.OutputSchema` + +For more information about Liberty MCP Server feature `mcpServer-1.0`, including how to get started with it, see the link:https://openliberty.io/blog/2025/10/23/mcp-standalone-blog.html[blog post]. + +// DO NOT MODIFY THIS LINE. + + +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33186 +// Contact/Reviewer: isaacrivriv,mrsaldana,pnicolucci,volosied +// // // // // // // // +[#netty] +== Updates to Netty‑based HTTP transport on Open Liberty + +Open Liberty intoduced Netty-based HTTP transport for 25.0.0.11-beta preview. This change replaced the underlying transport implementation for HTTP/1.1, HTTP/2, WebSocket, JMS, and SIP communications. In this beta release, there are some updates added to this feature. 
It is designed for zero migration impact—your applications and the `server.xml` file continue to behave as before. We are looking forward and counting on your feedback before GA! + +Netty’s event‑driven I/O gives us a modern foundation for long‑term scalability, easier maintenance, and future performance work, all without changing APIs or configuration! + +No changes are required to effectively use the current 'All Beta Features' runtime for this release. +To help us evaluate parity and performance with real-world scenarios, you can try the following things: + +* HTTP/1.1 and HTTP/2: large uploads or downloads, chunked transfers, compression-enabled content, keep-alive behavior. +* WebSocket: long-lived communications, backpressure scenarios +* Timeouts: read/write/keep-alive timeouts under load +* Access logging: verify formatting and log results compared to previous builds +* JMS communications: message send/receive throughput, durable subscriptions + +=== Limitations of the Beta release: +==== HTTP +* HTTP requests with content length greater than the maximum integer value fails due to internal limitations on request size with Netty. +* When the http option `maxKeepAliveRequests` has no limit, HTTP 1.1 limits pipelined requests to 50. +* Http option `resetFramesWindow` is reduced from millisecond to second precision due to limitations in the Netty library. +* Due to internal limitations of the Netty library, the http option `MessageSizeLimit` is now adjusted to be capped at the maximum integer value for HTTP/2.0 connections. +* Due to internal differences with Netty, the http option `ThrowIOEForInboundConnections` could behave differently from the Channel Framework implementation. +* Due to internal limitations of Netty, `acceptThread` and `waitToAccept` TCP options are currently not implemented and are ignored for the current Beta if set. 
+* As of the moment, clear text upgrade requests for HTTP 2.0 with request data is rejected with a 'Request Entity Too Large' status code. A fix is in progress. + +==== WebSocket +Websocket inbound requests can generate FFDC `RuntimeExceptions` on connection cleanup when a connection is closed from the client side. + +==== SIP +SIP Resolver transport does not use a Netty transport implementation until this release. This issue is resolved in the current beta! + +==== ALPN +Currently, our Netty implementation supports only the native JDK ALPN implementation. Additional information for the ALPN implementations that are currently supported by the Channel Framework but not our Netty beta can be found link:https://www.ibm.com/docs/en/was-liberty/base?topic=40-alpn-support[here] + +// DO NOT MODIFY THIS LINE. + + +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33031 +// Contact/Reviewer: arkarkala +// // // // // // // // +[#aes256] +== Bring Your Own AES-256 Key + +The *Bring Your Own AES-256 Key* feature allows you to provide a *Base64-encoded 256-bit AES key* for password encryption in Liberty. + +=== What’s New? +Previously, Liberty supported the `wlp.password.encryption.key` property, which accepted a password and derived an AES key through a computationally intensive process. This derivation involved repeated hashing with a salt over many iterations, which added overhead during server startup. + +With *Bring Your Own AES-256 Key*, you can now supply a pre-generated AES key directly. This eliminates the derivation step, resulting in *faster startup times and improved runtime performance* when encrypting and decrypting passwords. + +=== Why It Matters +This feature not only improves performance but also prepares for *migration from traditional WebSphere (tWAS)*. The encoded password format remains the same, and future migration tools will allow you to export keys from tWAS for use in Liberty. 
+ +--- + +=== How to Enable It + +. *Obtain a 256-bit AES key* - Generate a 256-bit AES key using your own infrastructure and encode it in Base64, or by using securityUtility. ++ +To generate a 256-bit AES key using securityUtility, run the new securityUtility generateAESKey task to: + +* Generate a random AES key: ++ +```bash +./securityUtility generateAESKey +``` +* Derive a key from a passphrase: ++ +```bash +./securityUtility generateAESKey --key= +``` + +. *Configure the key in Liberty* ++ +Add the following variable in `server.xml` or an included file: ++ +[source, xml] +---- + +---- + +. *Encode your passwords* ++ +Use `securityUtility encode` with one of these options: + +* Provide the key directly: ++ +```bash +./securityUtility encode --encoding=aes --base64Key= +``` +* Specify an XML or properties file containing `wlp.aes.encryption.key` or `wlp.password.encryption.key`. *Note:* The aesKeyFile parameter now allows users to encode with either of the aes properties: ++ +```bash +./securityUtility encode --encoding=aes --aesConfigFile= +``` + +. *Update configuration* ++ +Copy the new encoded values into your server configuration. + + +*Performance Tip:* For best results, re-encode all passwords using the new key. Mixed usage of old and new formats is supported for backward compatibility, but full migration ensures optimal performance. + +Other command line tasks have been updated to accept base64 keys and aes configuration files in a similar fashion: + +. securityUtility + * createSSLCertificate + * createLTPAKeys + * encode +. configUtility + * install +. collective + * create + * join + * replicate + +// DO NOT MODIFY THIS LINE. + + +[#run] +=== Try it now + +To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 25, Java SE 21, Java SE 17, Java SE 11, and Java SE 8. 
+ +If you're using link:{url-prefix}/guides/maven-intro.html[Maven], you can install the All Beta Features package using: + +[source,xml] +---- + + io.openliberty.tools + liberty-maven-plugin + 3.11.5 + + + io.openliberty.beta + openliberty-runtime + 25.0.0.12-beta + zip + + + +---- + +You must also add dependencies to your `pom.xml` file for the beta version of the APIs that are associated with the beta features that you want to try. For example, the following block adds dependencies for two example beta APIs: + +[source,xml] +---- + + org.example.spec + exampleApi + 7.0 + pom + provided + + + example.platform + example.example-api + 11.0.0 + provided + +---- + +Or for link:{url-prefix}/guides/gradle-intro.html[Gradle]: + +[source,gradle] +---- +buildscript { + repositories { + mavenCentral() + } + dependencies { + classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.5' + } +} +apply plugin: 'liberty' +dependencies { + libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[25.0.0.12-beta,)' +} +---- + +Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]: + +[source] +---- +FROM icr.io/appcafe/open-liberty:beta +---- + +Or take a look at our link:{url-prefix}/downloads/#runtime_betas[Downloads page]. + +If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. 
+ +For more information on using a beta release, refer to the link:{url-prefix}docs/latest/installing-open-liberty-betas.html[Installing Open Liberty beta releases] documentation. + +[#feedback] +== We welcome your feedback + +Let us know what you think on link:https://groups.io/g/openliberty[our mailing list]. If you hit a problem, link:https://stackoverflow.com/questions/tagged/open-liberty[post a question on StackOverflow]. If you hit a bug, link:https://github.com/OpenLiberty/open-liberty/issues[please raise an issue]. diff --git a/posts/ja/2025-09-09-25.0.0.9.adoc b/posts/ja/2025-09-09-25.0.0.9.adoc new file mode 100755 index 000000000..fba2f0be2 --- /dev/null +++ b/posts/ja/2025-09-09-25.0.0.9.adoc 
@@ -0,0 +1,248 @@ +--- +layout: post +title: "25.0.0.9でJWT BuilderにECDH-ESサポートが追加されました" +# Do NOT change the categories section +categories: blog +author_picture: https://avatars3.githubusercontent.com/IsmathBadsha +author_github: https://github.com/IsmathBadsha +seo-title: ECDH-ES サポートを 25.0.0.9 の JWT Builder に追加 — OpenLiberty.io +seo-description: 'このリリースでは、JWT Builder に鍵管理アルゴリズムとして ECDH-ES のサポートを導入し、RSA-OAEP に代わるより安全な選択肢を提供します。' +blog_description: 'このリリースでは、JWT Builder に鍵管理アルゴリズムとして ECDH-ES のサポートを導入し、RSA-OAEP に代わるより安全な選択肢を提供します。' +open-graph-image: https://openliberty.io/img/twitter_card.jpg +open-graph-image-alt: Open Liberty Logo +additional_authors: +- name: 佐野 剛(翻訳) + github: https://github.com/TSA0001 + image: https://avatars.githubusercontent.com/u/56730221 +blog-available-in-languages: +- lang: en + path: /blog/2025/09/09/25.0.0.9.html +--- += ECDH-ES サポートを 25.0.0.9 の JWT Builder に追加 +Ismath Badsha +:imagesdir: / +:url-prefix: +:url-about: / +//Blank line here is necessary before starting the body of the post. + +// // // // // // // // +// In the preceding section: +// Do not insert any blank lines between any of the lines. +// Do not remove or edit the variables on the lines beneath the author name. +// +// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it +// can be left empty which will set it to the default +// +// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to +// a custom picture, you must provide a custom string for "open-graph-image-alt". +// +// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4 +// Replace IsmathBadsha with your GitHub username eg: lauracowen +// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post). 
+// Replace Ismath Badsha with your name as you'd like it to be displayed, eg: Laura Cowen +// +// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc +// +// If adding image into the post add : +// ------------------------- +// [.img_border_light] +// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"] +// ------------------------- +// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not +// around diagrams. Then double check how it looks. +// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark +// backgrounds. +// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog +// change the "IMAGE CAPTION" to a couple words of what the image is +// // // // // // // // + +本リリースでは、JWT Builderに鍵管理アルゴリズムとしてECDH-ESのサポートが導入され、RSA-OAEPに代わるより安全な選択肢を提供します。 + +// // // // // // // // +// In the preceding section: +// Leave any instances of `tag::xxxx[]` or `end:xxxx[]` as they are. +// +// Replace RELEASE_SUMMARY with a short paragraph that summarises the release. Start with the lead feature but also summarise what else is new in the release. You will agree which will be the lead feature with the reviewers so you can just leave a placeholder here until after the initial review. 
+// // // // // // // // + +// // // // // // // // +// Replace the following throughout the document: +// Replace 25.0.0.9 with the version number of Open Liberty, eg: 22.0.0.2 +// Replace 25009 with the version number of Open Liberty wihtout the periods, eg: 22002 +// // // // // // // // + +In link:{url-about}[Open Liberty] 25.0.0.9: + +* <> +* <> + +// // // // // // // // +// In the preceding section: +// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3 +// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3 +// Where the updates are grouped as sub-headings under a single heading +// (eg all the features in a MicroProfile release), provide sub-entries in the list; +// eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with +// Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4) +// // // // // // // // + +修正されたバグの一覧は、link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A25009+label%3A%22release+bug%22[25.0.0.9のリリースノート]で確認できます。 + +その他の情報は、link:{url-prefix}/blog/?search=release&search!=beta[過去のOpen Liberty GAリリースブログ記事]をチェックしてください。 + + +[#run] + +// // // // // // // // +// LINKS +// +// OpenLiberty.io site links: +// link:{url-prefix}/guides/maven-intro.html[Maven] +// +// Off-site links: +//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions] +// +// IMAGES +// +// Place images in ./img/blog/ +// Use the syntax: +// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"] +// // // // // // // // + +== 25.0.0.9 を使いアプリを開発・実行するには + +link:{url-prefix}/guides/maven-intro.html[Maven] を使っている場合は、pom.xml に以下を含めてください: + +[source,xml] +---- + + io.openliberty.tools + liberty-maven-plugin + 3.11.5 + +---- + +link:{url-prefix}/guides/gradle-intro.html[Gradle] を使っている場合は、build.gradleに以下のように含めてください: + +[source,gradle] +---- +buildscript { + repositories { + mavenCentral() + } + 
dependencies { + classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.5' + } +} +apply plugin: 'liberty' +---- +// // // // // // // // +// In the preceding section: +// Replace the Maven `3.8.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin +// Replace the Gradle `3.6.2` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin +// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins +// // // // // // // // + + さらに、link:{url-prefix}/docs/latest/container-images.html[コンテナイメージ]を使う場合はこちら: + +[source] +---- +FROM icr.io/appcafe/open-liberty +---- + +あるいは、link:{url-prefix}/start/[ダウンロードページ]をご覧ください。 + +link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA]、 link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code]、link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE]に対しても、に対しても、link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Open Liberty の開発者ツール]を使って IDE内からの開発・テスト・デバッグ・アプリ管理が可能です。 + +[link=https://stackoverflow.com/tags/open-liberty] +image::img/blog/blog_btn_stack_ja.svg[Stack Overflowで質問する, align="center"] + +// // // // DO NOT MODIFY THIS COMMENT BLOCK // // // // +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/32660 +// Contact/Reviewer: tloodu +// // // // // // // // +[#ECDH_ES] +== JWT Builder に ECDH-ES サポートを追加する + +Open Liberty は JSON Web Token 1.0 (jwt-1.0) 機能を拡張し、jwtBuilder の鍵管理アルゴリズムとして ECDH-ES をサポートするようになりました。これにより、アプリ開発者は JSON Web Encryption (JWE) トークンの Content Encryption Key (CEK) を決定する際に、楕円曲線暗号を使えるようになります。これまでサポートされていた RSA-OAEP に比べ、よりモダンな代替手段を提供します。 + +ECDH-ES を使うには、keyManagementKeyAlias 属性で楕円曲線 (EC) 公開鍵のエイリアスを定義しておく必要があります。EC 公開鍵/秘密鍵ペアは securityUtility や keytool を使って作成できます。例えば次のコマンド: + +---- 
+./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password +---- + +---- +keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password +---- + +jwtBuilder 要素の keyManagementKeyAlgorithm 属性に ECDH-ES を指定して設定できます(この属性は JSON Web Token 1.0 (jwt-1.0) 機能の一部です)。 +ECDH-ES 鍵管理アルゴリズムで使われる EC(楕円曲線)公開鍵は、keyManagementKeyAlias 属性でそのエイリアスを参照し、trustStoreRef 属性でキーストアを指定します。 + +jwtBuilder 要素の設定例(server.xml 内): +[source, xml] +---- + +---- + +jwtBuilderの設定方法の詳細は、link:https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Libertyのドキュメント]を参照してください。 + +// DO NOT MODIFY THIS LINE. + +// // // // // // // // +// In the preceding section: +// Replace TAG_X/SUB_TAG_X with the given tag of your secton from the contents list +// Replace SUB_FEATURE_TITLE/FEATURE_X_TITLE with the given title from the contents list +// Replace FEATURE with the feature name for the server.xml file e.g. 
mpHealth-1.4 +// Replace LINK with the link for extra information given for the feature +// Replace LINK_DESCRIPTION with a readable description of the information +// // // // // // // // + +[#CVEs] +== このリリースでのセキュリティ脆弱性 (CVE) 修正 +[cols="5*"] +|=== +|CVE |CVSS スコア |脆弱性内容 |影響を受けるバージョン |備考 + +|https://www.cve.org/CVERecord?id=CVE-2025-36000[CVE-2025-36000] +|4.4 +|ストアド型クロスサイトスクリプティング (Stored XSS) +|17.0.0.3-25.0.0.8 +|adminCenter-1.0 機能に影響 + +|https://www.cve.org/CVERecord?id=CVE-2025-36047[CVE-2025-36047] +|5.3 +|DoS(サービス拒否) +|18.0.0.2-25.0.0.8 +|servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0 機能に影響 + +|https://www.cve.org/CVERecord?id=CVE-2025-48976[CVE-2025-48976] +|7.5 +|DoS(サービス拒否) +|17.0.0.3-25.0.0.8 +|上記と同じ + +|https://www.cve.org/CVERecord?id=CVE-2025-36124[CVE-2025-36124] +|5.9 +|セキュリティのバイパス +|17.0.0.3-25.0.0.8 +|wasJmsServer‐1.0, wasJmsSecurity‐1.0, wasJmsClient‐2.0, messagingServer‐3.0, messagingSecurity‐3.0, messagingClient‐3.0 機能に関連 +|=== +// // // // // // // // +// In the preceding section: +// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz. +// Note: When linking to features, use the +// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and +// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[]) +// +// If there are no CVEs fixed in this release, replace the table with: +// "There are no security vulnerability fixes in Open Liberty [25.0.0.9]." +// // // // // // // // +過去の脆弱性修正の一覧については、Open Liberty の link:{url-prefix}/docs/latest/security-vulnerabilities.html[セキュリティ脆弱性(CVE)のリスト]を参照してください。 + +== Open Liberty 25.0.0.9を今すぐ入手 + +このバージョンは<>からダウンロード可能です。
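Review bot: In the developer-tools paragraph of the new Japanese post, the phrase after the Eclipse IDE link is duplicated ("に対しても、に対しても、"), so one copy should be dropped. In the CVE table, the CVE-2025-36124 row appears to write its feature names with a non-ASCII hyphen ("wasJmsServer‐1.0"), where the other rows use an ASCII "-" ("servlet-3.1"). Readers who search for these names or paste them into server.xml will not get a match, so they should be normalised to "-". In the same table, the CVE-2025-48976 row's note "上記と同じ" makes the reader infer the affected features from the row above. Listing the servlet features explicitly would keep the row correct if the table is ever reordered. The securityUtility and keytool examples pass a literal "password" on the command line, and a short remark that this value is a placeholder to replace would help readers who copy the commands as they are.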