Skip to content

Commit 21c41f6

Browse files
Merge pull request #4812 from OpenLiberty/26.0.0.4-post
Update 26.0.0.4-post into draft
2 parents f2a33e6 + 7639dc0 commit 21c41f6

1 file changed

Lines changed: 10 additions & 10 deletions

File tree

posts/2026-04-21-26.0.0.4.adoc

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -25,11 +25,11 @@ This release introduces support for selecting JWT signature algorithms from JOSE
2525

2626
In link:{url-about}[Open Liberty] 26.0.0.4:
2727

28-
* <<file_transfer, File Transfer changes for 26.0.0.4>>
28+
* <<file_transfer, Blocklist added to `FileService` MBean>>
2929
* <<ltpa, Default LTPA keys password removal>>
3030
* <<jwt, Support selecting JWT signature and decryption algorithms from JOSE header>>
3131
* <<java_26, Support for Java 26>>
32-
* <<displayCustomizedExceptionText, displayCustomizedExceptionText property>>
32+
* <<displayCustomizedExceptionText, Documentation for `displayCustomizedExceptionText` property in Web Container>>
3333
* <<CVEs, Security Vulnerability (CVE) Fixes>>
3434

3535

@@ -115,8 +115,8 @@ If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[In
115115
image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
116116

117117
[#file_transfer]
118-
=== File Transfer changes for 26.0.0.4
119-
Liberty's FileService MBean provided by the `restConnector-2.0` feature now includes an extra `blocklist` attribute. This attribute is configured by the `<blockDir>` config element in the `server.xml` file. The default value of this attribute is `${server.output.dir}/resources/security`. This behavior change resolves the security vulnerability link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915], by restricting default FileTransfer access to `${server.output.dir}/resources/security`.
118+
== Blocklist added to `FileService` MBean
119+
The `FileService` MBean provided by the `restConnector-2.0` feature in Liberty now includes a `blocklist` attribute. This attribute is configured by the `<blockDir>` config element in the `server.xml` file. The default value of this attribute is `${server.output.dir}/resources/security`. This enhancement resolves the security vulnerability link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915] by restricting file transfer access to `${server.output.dir}/resources/security` by default.
120120

121121
If FileTransfer access to `${server.output.dir}/resources/security` is required, the original behavior can be restored by setting an empty blocklist.
122122

@@ -127,7 +127,7 @@ For more information, see the link:https://www.ibm.com/docs/en/was-liberty/nd?to
127127

128128
The default LTPA keys password is removed to resolve the security vulnerability link:https://www.ibm.com/support/pages/node/7266845[CVE-2025-14917].
129129

130-
Previously, a default password for the LTPA keys was used when the `keysPassword` attribute was not defined in the `<ltpa />` element. With this change, the default password is no longer supported.
130+
Previously, a default password for the LTPA keys was used when the `keysPassword` attribute was not defined in the `<ltpa />` element. With this change, a default password is no longer used when the `keysPassword` attribute is not set.
131131

132132
For existing servers, if the LTPA keys password is not configured in the `server.xml` file, the `keystore_password` in the `server.env` file is used. This value re-encrypts the LTPA keys in the `ltpa.keys` file. The LTPA keys themselves are not impacted. The `keystore_password` is configured in the `server.env` file during server creation unless the `--no-password` option is used with the `server create` command.
133133

@@ -156,7 +156,7 @@ keystore_password=your-desired-password
156156
+
157157
* The `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
158158

159-
For new servers, a new `ltpa_keys_password` is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element.
159+
For new servers, an `ltpa_keys_password` value is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element.
160160

161161
For more information, see the link:https://openliberty.io/docs/latest/reference/config/ltpa.html[LTPA] configuration element.
162162

@@ -174,7 +174,7 @@ To enable signature algorithm selection from the header, set the `signatureAlgor
174174

175175
If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384`, and `ES512`.
176176

177-
When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the `trustedAlias` attribute (for `jwtConsumer`) or `trustAliasName` attribute (for `openidConnectClient`, `oidcLogin` and `mpJwt`), if configured.
177+
When using `FROM_HEADER` with asymmetric algorithms and a truststore setup, the aliases for the corresponding public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. The remainder of the alias name does not matter as long as it begins with the signature algorithm string. During validation, the server searches the truststore for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the `trustedAlias` attribute (for `jwtConsumer`) or `trustAliasName` attribute (for `openidConnectClient`, `oidcLogin` and `mpJwt`), if configured. If multiple aliases with the signature algorithm prefix exist within the truststore, Liberty uses the first one found.
178178

179179
See the following `server.xml` file configurations for examples on how to apply these settings to the supported elements:
180180

@@ -263,16 +263,16 @@ For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/re
263263
// Contact/Reviewer: ncpibm
264264
// // // // // // // //
265265
[#displayCustomizedExceptionText]
266-
== displayCustomizedExceptionText property
267-
This release adds documentation and tests for the `displayCustomizedExceptionText` configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.
266+
== Documentation for `displayCustomizedExceptionText` property in Web Container
267+
This release adds documentation for the `displayCustomizedExceptionText` attribute in the `<webContainer>` configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.
268268

269269
The feature is enabled through simple `server.xml` file configuration, where custom messages can be mapped to specific HTTP status codes (`403` and `500`).
270270

271271
Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.
272272

273273
[source,xml]
274274
----
275-
<webContainer displaycustomizedexceptiontext="Custom error message"/>
275+
<webContainer displayCustomizedExceptionText="Custom error message"/>
276276
----
277277

278278
// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>

0 commit comments

Comments
 (0)