You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* <<displayCustomizedExceptionText, Documentation for `displayCustomizedExceptionText` property in Web Container>>
33
33
* <<CVEs, Security Vulnerability (CVE) Fixes>>
34
34
35
35
@@ -115,8 +115,8 @@ If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[In
115
115
image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
116
116
117
117
[#file_transfer]
118
-
=== File Transfer changes for 26.0.0.4
119
-
Liberty's FileService MBean provided by the `restConnector-2.0` feature now includes an extra `blocklist` attribute. This attribute is configured by the `<blockDir>` config element in the `server.xml` file. The default value of this attribute is `${server.output.dir}/resources/security`. This behavior change resolves the security vulnerability link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915], by restricting default FileTransfer access to `${server.output.dir}/resources/security`.
118
+
== Blocklist added to `FileService` MBean
119
+
The `FileService` MBean provided by the `restConnector-2.0` feature in Liberty now includes a `blocklist` attribute. This attribute is configured by the `<blockDir>` config element in the `server.xml` file. The default value of this attribute is `${server.output.dir}/resources/security`. This enhancement resolves the security vulnerability link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915] by restricting file transfer access to `${server.output.dir}/resources/security` by default.
120
120
121
121
If FileTransfer access to `${server.output.dir}/resources/security` is required, the original behavior can be restored by setting an empty blocklist.
122
122
@@ -127,7 +127,7 @@ For more information, see the link:https://www.ibm.com/docs/en/was-liberty/nd?to
127
127
128
128
The default LTPA keys password is removed to resolve the security vulnerability link:https://www.ibm.com/support/pages/node/7266845[CVE-2025-14917].
129
129
130
-
Previously, a default password for the LTPA keys was used when the `keysPassword` attribute was not defined in the `<ltpa />` element. With this change, the default password is no longer supported.
130
+
Previously, a default password for the LTPA keys was used when the `keysPassword` attribute was not defined in the `<ltpa />` element. With this change, a default password is no longer used when the `keysPassword` attribute is not set.
131
131
132
132
For existing servers, if the LTPA keys password is not configured in the `server.xml` file, the `keystore_password` in the `server.env` file is used. This value re-encrypts the LTPA keys in the `ltpa.keys` file. The LTPA keys themselves are not impacted. The `keystore_password` is configured in the `server.env` file during server creation unless the `--no-password` option is used with the `server create` command.
* The `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
158
158
159
-
For new servers, a new `ltpa_keys_password` is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element.
159
+
For new servers, an `ltpa_keys_password` value is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element.
160
160
161
161
For more information, see the link:https://openliberty.io/docs/latest/reference/config/ltpa.html[LTPA] configuration element.
162
162
@@ -174,7 +174,7 @@ To enable signature algorithm selection from the header, set the `signatureAlgor
174
174
175
175
If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384`, and `ES512`.
176
176
177
-
When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the `trustedAlias` attribute (for `jwtConsumer`) or `trustAliasName` attribute (for `openidConnectClient`, `oidcLogin` and `mpJwt`), if configured.
177
+
When using `FROM_HEADER` with asymmetric algorithms and a truststore setup, the aliases for the corresponding public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. The remainder of the alias name does not matter as long as it begins with the signature algorithm string. During validation, the server searches the truststore for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the `trustedAlias` attribute (for `jwtConsumer`) or `trustAliasName` attribute (for `openidConnectClient`, `oidcLogin` and `mpJwt`), if configured. If multiple aliases with the signature algorithm prefix exist within the truststore, Liberty uses the first one found.
178
178
179
179
See the following `server.xml` file configurations for examples on how to apply these settings to the supported elements:
180
180
@@ -263,16 +263,16 @@ For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/re
263
263
// Contact/Reviewer: ncpibm
264
264
// // // // // // // //
265
265
[#displayCustomizedExceptionText]
266
-
== displayCustomizedExceptionText property
267
-
This release adds documentation and tests for the `displayCustomizedExceptionText` configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.
266
+
== Documentation for `displayCustomizedExceptionText` property in Web Container
267
+
This release adds documentation for the `displayCustomizedExceptionText` attribute in the `<webContainer>` configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.
268
268
269
269
The feature is enabled through simple `server.xml` file configuration, where custom messages can be mapped to specific HTTP status codes (`403` and `500`).
270
270
271
271
Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.
0 commit comments