OpenLiberty · navaneethsnair1 · Apr 17, 2026 · Apr 14, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/posts/2026-04-21-26.0.0.4.adoc b/posts/2026-04-21-26.0.0.4.adoc
@@ -0,0 +1,341 @@
+---
+layout: post
+title: "Enhanced JWT validation, Java 26 support, and more in 26.0.0.4"
+# Do NOT change the categories section
+categories: blog
+author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
+author_github: https://github.com/navaneethsnair1
+seo-title: Enhanced JWT validation, Java 26 support, and more in 26.0.0.4- OpenLiberty.io
+seo-description: This release introduces support for selecting JWT signature algorithms from JOSE headers and adds Java 26 support. It also removes the default LTPA keys password for enhanced security, and includes file transfer restrictions and security vulnerability fixes.
+blog_description: This release introduces support for selecting JWT signature algorithms from JOSE headers and adds Java 26 support. It also removes the default LTPA keys password for enhanced security, and includes file transfer restrictions and security vulnerability fixes.
+open-graph-image: https://openliberty.io/img/twitter_card.jpg
+open-graph-image-alt: Open Liberty Logo
+---
+= Enhanced JWT validation, Java 26 support, and more in 26.0.0.4
+Navaneeth S Nair <https://github.com/navaneethsnair1>
+:imagesdir: /
+:url-prefix:
+:url-about: /
+//Blank line here is necessary before starting the body of the post.
+
+This release introduces support for selecting JWT signature algorithms from JOSE headers and adds Java 26 support. It also removes the default LTPA keys password for enhanced security, and includes file transfer restrictions and security vulnerability fixes.
+
+In link:{url-about}[Open Liberty] 26.0.0.4:
+
+* <<TAG_1, File Transfer changes for 26.0.0.4>>
+* <<ltpa, Default LTPA keys password removal>>
+* <<jwt,  Support selecting JWT signature and decryption algorithms from JOSE header>>
+* <<java_26, Support for Java 26>>
+* <<displayCustomizedExceptionText, displayCustomizedExceptionText property>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
+
+
+// // // // // // // //
+// In the preceding section:
+// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3
+// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3
+// Where the updates are grouped as sub-headings under a single heading 
+//   (eg all the features in a MicroProfile release), provide sub-entries in the list; 
+//   eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with 
+//   Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4)
+// // // // // // // //
+
+View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26004+label%3A%22release+bug%22[26.0.0.4].
+
+Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts].
+
+
+[#run]
+
+// // // // // // // //
+// LINKS
+//
+// OpenLiberty.io site links:
+// link:{url-prefix}/guides/maven-intro.html[Maven]
+// 
+// Off-site links:
+//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions]
+//
+// IMAGES
+//
+// Place images in ./img/blog/
+// Use the syntax:
+// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"]
+// // // // // // // //
+
+== Develop and run your apps using 26.0.0.4
+
+If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file:
+
+[source,xml]
+----
+<plugin>
+    <groupId>io.openliberty.tools</groupId>
+    <artifactId>liberty-maven-plugin</artifactId>
+    <version>3.12.0</version>
+</plugin>
+----
+
+Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file:
+
+[source,gradle]
+----
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
+    }
+}
+apply plugin: 'liberty'
+----
+// // // // // // // //
+// In the preceding section:
+// Replace the Maven `3.11.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin
+// Replace the Gradle `3.9.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin
+// TODO: Update GHA to automatically do the above.  If the maven.org is problematic, then could fallback to using the GH Releases for the plugins
+// // // // // // // //
+
+Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:
+
+[source]
+----
+FROM icr.io/appcafe/open-liberty
+----
+
+Or take a look at our link:{url-prefix}/start/[Downloads page].
+
+If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. 
+
+[link=https://stackoverflow.com/tags/open-liberty]
+image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
+
+[#TAG_1]
+=== File Transfer changes for 26.0.0.4
+Liberty's FileService MBean provided by the `restConnector-2.0` feature now includes an extra attribute `blocklist`. This attribute can be configured by the `server.xml` config element `<blockDir>`. The default value of this attribute is `${server.output.dir}/resources/security`. This behavior change resolves link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915], by restricting default FileTransfer access to `${server.output.dir}/resources/security`. 
+
+If FileTransfer access to `${server.output.dir}/resources/security` is required, the original behavior can be restored by setting an empty blocklist.
+
+For more information, see
+ link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileService[]
+ link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileTransfer__title__1[]
+ link:https://www.ibm.com/docs/en/was-liberty/nd?topic=manually-file-transfer[]
+
+[#ltpa]
+== Default LTPA keys password removal
+
+The default LTPA keys password is removed to resolve the link:https://www.ibm.com/support/pages/node/7266845[CVE-2025-14917].
+
+Previously, a default password for the LTPA keys was used when the `keysPassword` attribute was not defined in the `<ltpa />` element. With this change, the default password is no longer supported.
+
+If LTPA keys password is not configured in `server.xml`, the `keystore_password` in `server.env` is used to reencrypt the LTPA keys in the `ltpa.keys` file. The LTPA keys themselves are not impacted. The `keystore_password` is configured in the `server.env` file during server creation unless the `--no-password` option is used with the `server create` command.
+
+If a keysPassword is not defined in the `<ltpa />`` element in the `server.xml` file and a `keystore_password` is not defined in the `server.env` file, the LTPA service fails.
+The following error message is displayed:
+
+[source,text]
+----
+CWWKS4118E: LTPA configuration error. A keysPassword attribute is not configured on the <ltpa /> element, the 'ltpa_keys_password' environment variable is not set, and the 'keystore_password' environment variable is not set.
+----
+
+For existing servers, confirm that an LTPA keys password is set up by doing the following steps:
+
+. Check to see whether a `keysPassword` attribute is provided for the `<ltpa />` element in the `server.xml` file (for example, `<ltpa keysPassword="myKeysPassword" />`).
+* If it is provided, this update does not affect you and no further action is needed.
+* If it is not provided, do *not* add it and proceed to the next step.
+. Check to see whether the `keystore_password` environment variable exists in the `server.env` file (for example, `keystore_password=myKeystorePassword`).
+* If it exists, then `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
+* If it does not exist, proceed to the next step.
+. Add the following environment variable to the `server.env` file:
++
+[source,properties]
+----
+keystore_password=(your-desired-password)
+----
++
+* The `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
+
+For new servers, a new `ltpa_keys_password` is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element. Do *not* use the `ltpa_keys_password` in place of the `keystore_password` in step 3 of the previous section for existing servers.
+
+For more information, see the link:https://openliberty.io/docs/latest/reference/config/ltpa.html[LTPA] configuration element.
+
+
+[#jwt]
+==  Support selecting JWT signature and decryption algorithms from JOSE header
+
+JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token.
+
+Earlier, developers and administrators were restricted to configuring a single signature algorithm (for example, `RS256`) in the `server.xml` file. If the incoming JWT was signed with a different algorithm, validation would fail. This update allows the signature algorithm from the JWT header to be used for validation. It provides the flexibility of using different signature algorithms within a single configuration.
+
+=== How to use
+
+To enable signature algorithm selection from the header, set the `signatureAlgorithm` attribute to `FROM_HEADER` and optionally configure the `allowedSignatureAlgorithms` attribute to specify which algorithms are permitted.
+
+If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, ES512`.
+
+When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed key is found, the client falls back to using the key specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured.
+
+See the following `server.xml` file example:
+
+[source,xml]
+----
+<jwtConsumer
+    signatureAlgorithm="FROM_HEADER"
+    allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
+
+...
+
+<mpJwt
+    signatureAlgorithm="FROM_HEADER"
+    allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
+
+...
+
+<openidConnectClient
+    signatureAlgorithm="FROM_HEADER"
+    allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
+
+...
+
+<oidcLogin
+    signatureAlgorithm="FROM_HEADER"
+    allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
+----
+
+=== Learn more
+
+*Server configurations:*
+
+* link:https://openliberty.io/docs/latest/reference/config/openidConnectClient.html[openidConnectClient]
+* link:https://openliberty.io/docs/latest/reference/config/jwtConsumer.html[jwtConsumer]
+* link:https://openliberty.io/docs/latest/reference/config/mpJwt.html[mpJwt]
+* link:https://openliberty.io/docs/latest/reference/config/oidcLogin.html[oidcLogin]
+
+*Documentation:*
+
+* link:https://openliberty.io/docs/latest/reference/feature/openidConnectClient-1.0.html[OpenID Connect Client 1.0]
+* link:https://openliberty.io/docs/latest/reference/feature/jwt-1.0.html[JSON Web Token 1.0]
+* link:https://openliberty.io/docs/latest/reference/feature/mpJwt-2.1.html[MicroProfile JWT 2.1]
+* link:https://openliberty.io/docs/latest/reference/feature/socialLogin-1.0.html[Social Media Login 1.0]
+
+[#java_26]
+=== Support for Java 26
+Java 26 is a recent Java release that introduces new features and enhancements over earlier versions that can be useful to review. This release is not a long-term support (LTS) release.
+
+There are 10 new features (JEPs) in link:https://openjdk.org/projects/jdk/26/[Java 26]. Five are test features and five are fully delivered.
+
+*Test Features:*
+
+* 524: link:https://openjdk.org/jeps/524[PEM Encodings of Cryptographic Objects (Second Preview)]
+* 525: link:https://openjdk.org/jeps/525[Structured Concurrency (Sixth Preview)]
+* 526: link:https://openjdk.org/jeps/526[Lazy Constants (Second Preview)]
+* 529: link:https://openjdk.org/jeps/529[Vector API (Eleventh Incubator)]
+* 530: link:https://openjdk.org/jeps/530[Primitive Types in Patterns, instanceof, and switch (Fourth Preview)]
+
+*Delivered Features:*
+
+* 500: link:https://openjdk.org/jeps/500[Prepare to Make Final Mean Final]
+* 504: link:https://openjdk.org/jeps/504[Remove the Applet API]
+* 516: link:https://openjdk.org/jeps/516[Ahead-of-Time Object Caching with Any GC]
+* 517: link:https://openjdk.org/jeps/517[HTTP/3 for the HTTP Client API]
+* 522: link:https://openjdk.org/jeps/522[G1 GC: Improve Throughput by Reducing Synchronization]
+
+A new change JEP 500 ("Prepare to Make Final Mean Final") in Java 26 starts enforcing true immutability of final fields by restricting their mutation when using deep reflection.
+In Java 26, such mutations still work but trigger runtime warnings by default, preparing developers for stricter enforcement.
+Future releases would likely throw exceptions instead, making the final truly nonmutable.
+
+Developers can opt in early to this stricter behavior by using a JVM flag (for example, `--illegal-final-field-mutation=deny`) to detect issues sooner.
+This change improves program correctness, security, and JVM optimizations.
+
+Take advantage of these changes now to gain more time to evaluate how your applications
+and microservices behave on Java 26.
+
+Get started today by downloading the latest release of  link:https://developer.ibm.com/languages/java/semeru-runtimes/downloads/[IBM Semeru Runtime 26] or link:https://adoptium.net/temurin/releases/?version=26[Temurin 26], then download and install the Open Liberty link:{url-prefix}/start/#runtime_releases[26.0.0.4]. Update your Liberty server's link:{url-prefix}/docs/latest/reference/config/server-configuration-overview.html#server-env[server.env] file with `JAVA_HOME` set to your Java 26 installation directory and start testing.
+
+For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/release-notes[release notes page] and link:https://docs.oracle.com/en/java/javase/26/docs/api/index.html[API Javadoc page].
+
+
+// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // 
+// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33622
+// Contact/Reviewer: ncpibm
+// // // // // // // // 
+[#displayCustomizedExceptionText]
+== displayCustomizedExceptionText property 
+This release adds documentation and tests for the `displayCustomizedExceptionText` configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages. 
+
+The feature is enabled through simple `server.xml` file configuration, where custom messages can be mapped to specific HTTP status codes (403 and 500). 
+
+Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.
+
+[source,xml]
+----
+<webContainer displaycustomizedexceptiontext="Custom error message"/>
+----
+
+// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
+
+For more details, check the LINK[LINK_DESCRIPTION].
+
+// // // // // // // //
+// In the preceding section:
+// Replace TAG_X/SUB_TAG_X with the given tag of your secton from the contents list
+// Replace SUB_FEATURE_TITLE/FEATURE_X_TITLE with the given title from the contents list 
+// Replace FEATURE with the feature name for the server.xml file e.g. mpHealth-1.4
+// Replace LINK with the link for extra information given for the feature
+// Replace LINK_DESCRIPTION with a readable description of the information
+// // // // // // // //
+
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|https://www.cve.org/CVERecord?id=CVE-2025-14915[CVE-2025-14915]
+|6.5
+|Privilege escalation
+|17.0.0.3-26.0.0.3
+|Affects the `restConnector-2.0` feature
+
+|https://www.cve.org/CVERecord?id=CVE-2025-14917[CVE-2025-14917]
+|6.7
+|Weaker security
+|17.0.0.3-26.0.0.3
+|Affects the `appSecurity-1.0`, `appSecurity-2.0`, `appSecurity-3.0`, `appSecurity-4.0`, and `appSecurity-5.0` features
+
+|https://www.cve.org/CVERecord?id=CVE-2026-1561[CVE-2026-1561]
+|5.4
+|Server-side request forgery
+|17.0.0.3-26.0.0.3
+|Affects the `samlWeb-2.0` feature
+
+|https://www.cve.org/CVERecord?id=CVE-2026-29063[CVE-2026-29063]
+|8.7
+|Prototype pollution
+|17.0.0.3-26.0.0.3
+|Affects the `openapi-3.1`, `mpOpenAPI-1.0`, `mpOpenAPI-1.1`, `mpOpenAPI-2.0`, `mpOpenAPI-3.0`, `mpOpenAPI-3.1`, `mpOpenAPI-4.0` and `mpOpenAPI-4.1` features
+
+|===
+//
+// If there are no CVEs fixed in this release, replace the table with: 
+// "There are no security vulnerability fixes in Open Liberty [26.0.0.4]."
+// // // // // // // //
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
+
+
+// // // // // // // //
+// In the preceding section:
+// For this section ask either Michal Broz or Tom Evans or the #openliberty-release-blog channel for Notable bug fixes in this release.
+// Present them as a list in the order as provided, linking to the issue and providing a short description of the bug and the resolution.
+// If the issue on Github is missing any information, leave a comment in the issue along the lines of:
+// "@[issue_owner(s)] please update the description of this `release bug` using the [bug report template](https://github.com/OpenLiberty/open-liberty/issues/new?assignees=&labels=release+bug&template=bug_report.md&title=)" 
+// Feel free to message the owner(s) directly as well, especially if no action has been taken by them.
+// For inspiration about how to write this section look at previous blogs e.g- 20.0.0.10 or 21.0.0.12 (https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html#bugs)
+// // // // // // // //
+
+
+
+== Get Open Liberty 26.0.0.4 now
+
+Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.