2. New Features, Enhancements and Tech Previews

2.1. New Features

The following new features and enhancements are available in JBoss EAP 6.4.
Apache Server and Connectors
mod_snmp and mod_rt now available on ppc64

As of JBoss EAP 6.4, mod_snmp and mod_rt are available on ppc64 Red Hat Enterprise Linux systems.

API
Enable configuration of the global session timeout for the web container through the management APIs

The global HTTP session timeout may now be configured using the Management APIs.

Expose public API for WebSockets use cases.

All classes in the javax.websocket and javax.websocket.server packages of the WebSockets API are now publicly exposed.

Authentication Manager
A logout() method was added to org.jboss.security.AuthenticationManager interface

A logout method has been added to org.jboss.security.AuthenticationManager interface. Be aware of this if you have implemented a custom org.jboss.security.ServerAuthenticationManager, like the following example.

<valve>
 <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
 <param>
  <param-name>serverAuthenticationManagerClass</param-name>
  <param-value>com.acme.ServerAuthenticationManager</param-value>
 </param>
</valve>
Clustering
fail_on_status for mod_cluster

Support for fail_on_status has been added to mod_cluster. fail_on_status can be used to specify one or more HTTP status codes, so that if a worker node in a cluster returns one of the specified status codes, it will cause that worker to fail. The load balancer will then send future requests to another worker node in the cluster.

Domain Management
Support nested expressions

Expressions may be nested, which allows for more advanced use of expressions in place of fixed values. Nested expressions are permitted anywhere that expressions are permitted, with the exception of Management CLI commands. As with normal expressions, the supported sources for resolving nested expressions are system properties, environment variables and the Vault.

Ability to read boot errors via the admin APIs

A new Management CLI command has been created, which outputs details of any errors which occurred on bootup. The command is read-boot-errors and has no parameters.

Kerberos auth for management over HTTP/HTTPS

It is now possible to configure authentication of management operations made via HTTP/HTTPS using Kerberos. This means it is now possible to authenticate to the Management Console using Kerberos.

EE
Ability to specify a resource adapter reference in jboss-ejb3.xml without the ear name

In the jboss-ejb3.xml deployment descriptor you can specify a resource adapter for a message driven bean (MDB) to use, without specifying the name of the EAR, in cases where the deployment descriptor is in the same EAR as the resource adapter.

EJB
New implementation of StrictMaxPool

Contention within the EJB StrictMaxPool has been eliminated by changing the underlying data structure.

Ability to use alternate persistent stores for unclustered EJB timers

EJB timer data may now be stored in a database and shared between clustered server instances. One advantage of this method is its suitability for high-availability deployments.

Enable wildcard for <ejb-name> in jboss-ejb3.xml

Support for use of wildcards (*) has been enabled for <ejb-name> in jboss-ejb3.xml.

Hibernate
Deliver new Hibernate Dialect for MySQL 5.7

A new dialect has been added to Hibernate to support MySQL 5.7. To prevent issues as a result of rounding fractional digits in date and time, the dialect currently has the following limitations: Hibernate will assume datetime(6) for "timestamp" columns, and Hibernate will assume time(0) for "time" columns.

HornetQ
Ability to close all consumers on a destination and the connections for these consumers

The ability to close all consumers on a destination and the connections for those consumers has been added. This command is available via the Management CLI, management API and JMX.

Abort slow HornetQ consumers

The rate of consumption for message consumers may now be monitored automatically, and action taken if the rate does not meet specific criteria. A minimum consumption rate is specified in messages per second and if it is not met, either the consumer's connection is killed or a management notification is raised, which can be handled by an application. By default this feature is disabled.

Ability to terminate a connection by JMS User

HornetQ now supports termination of connections with the JMS user as the criteria. Previously it was only possible to terminate connections according to the client ID or IP address.

Hibernate Search
Deliver Hibernate Search as a default module

Hibernate Search is now a standard component of JBoss EAP.

Installer
Test datasource and LDAP connections in the installer

When installing JBoss EAP in either GUI or console mode, the installer now provides the option to verify LDAP and datasource connectivity during the installation process. This ensures that the parameters provided during installation are valid.

JBoss Web
Load taglibs from jars in a JBoss Module

Tag Library Descriptors (TLDs) may be separated from their respective applications, allowing for easier additions and updates. To use this feature, create a custom JBoss EAP 6 module that contains the TLD JARs, and declare a dependency on that module in the applications.

Ability to configure HttpOnly SSO cookies

A new attribute has been added to the SSO configuration of a virtual server: http-only. When set to true, this attribute adds HttpOnly to the Cookie header, indicating that the browser should restrict access from non-HTTP APIs.

Users should be aware that the option to support this restriction rests with the client (the web browser).
This action may mitigate the risk of security vulnerabilities by restricting access from non-HTTP APIs (such as JavaScript).
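
One way to confirm the setting took effect is to inspect the Set-Cookie headers the server returns. The check below is an added example, not JBoss EAP code; it assumes the SSO cookie is named JSESSIONIDSSO, and the class name and sample header lines are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class SsoCookieHttpOnlyCheck {

    // Assumption: name of the SSO cookie issued by the web container.
    static final String SSO_COOKIE = "JSESSIONIDSSO";

    // Constructed sample response headers with http-only left unset.
    static final List<String> BEFORE = Arrays.asList(
            "Content-Type: text/html",
            "Set-Cookie: JSESSIONID=constructed-session-1; Path=/app; HttpOnly",
            "Set-Cookie: JSESSIONIDSSO=constructed-sso-1; Path=/");

    // Constructed sample response headers with http-only set to true.
    static final List<String> AFTER = Arrays.asList(
            "Content-Type: text/html",
            "set-cookie: JSESSIONIDSSO=constructed-sso-2; Path=/; httponly");

    /** Returns the Set-Cookie lines for cookieName that lack the HttpOnly attribute. */
    static List<String> missingHttpOnly(List<String> headerLines, String cookieName) {
        List<String> offenders = new ArrayList<String>();
        for (String line : headerLines) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // not a header line
            }
            // Header names are case-insensitive.
            if (!line.substring(0, colon).trim().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            String[] parts = line.substring(colon + 1).split(";");
            // The first part is name=value; the remaining parts are attributes.
            String name = parts[0].split("=", 2)[0].trim();
            if (!name.equals(cookieName)) {
                continue;
            }
            boolean httpOnly = false;
            for (int i = 1; i < parts.length; i++) {
                // Attribute names are case-insensitive as well.
                if (parts[i].trim().toLowerCase(Locale.ROOT).equals("httponly")) {
                    httpOnly = true;
                }
            }
            if (!httpOnly) {
                offenders.add(line);
            }
        }
        return offenders;
    }

    public static void main(String[] args) {
        System.out.println("before: " + missingHttpOnly(BEFORE, SSO_COOKIE));
        System.out.println("after:  " + missingHttpOnly(AFTER, SSO_COOKIE));
    }
}
```
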
JCA
Support enabled for "datasource_class" system property

By default, when a database driver JAR contains a services/javax.sql.Driver file, the datasource_class attribute in the datasource definition is ignored and the Driver class in the JAR is used instead. To override this default behavior and use the datasource_class attribute, set the property -Dironjacamar.jdbc.prefer_datasource_class=true.

Detect and throw deployment exception for JCA 1.7 resource adapters

An exception is thrown if JCA 1.7 deployments are detected as they belong in an EE 7 based platform.

Add leak detector pool

IronJacamar now features a connection pool implementation which monitors connections and provides feedback if they are never released by the application. When either the pool is shut down or flushed, a stack trace is output to the system logs. To enable the connection pool, set the system value ironjacamar.mcp to org.jboss.jca.core.connectionmanager.pool.mcp.LeakDumperManagedConnectionPool. To have the stack trace output to a separate file, set the system value ironjacamar.leaklog to the name and path of the desired file.

-Dironjacamar.mcp=org.jboss.jca.core.connectionmanager.pool.mcp.LeakDumperManagedConnectionPool
-Dironjacamar.leaklog=leaks.txt
JMS Operations
Add remove-jndi operation for JMS resources

The remove-jndi operation is now enabled for JMS resources.

JMX
Enable JMX MBean Registration and Unregistration notifications for JBoss' facade MBeans in EAP 6

MBeans in the jboss.as and jboss.as.expr domains are not truly MBeans but instead facades. As a result, MBean registration and unregistration events were not available. Registration and unregistration events for these domains have now been enabled, allowing these events to be monitored.

Logging
Requesting suffix support for size-based log file rotation

Size-based log file rotation has been enhanced with support for a timestamp suffix which is appended to each log file when it is rotated. The format of the timestamp is configurable according to your requirements. Previously it was only possible to have a numeric suffix added to rotated log files, which made finding the relevant log file difficult in some circumstances.

Implement java.util.logging.LogManager.getLoggerNames() in JBoss Logging

A getLoggerNames() method has been added to java.util.logging.LogManager which returns the names of all loggers.

Audit syslog handler should be able to automatically reconnect

The audit syslog handler has been enhanced with a new attribute - reconnect-timeout - which specifies the time period between attempts to reconnect to the syslog server.

Make PeriodicSizeRotatingFileHandler configurable directly via CLI/web console

The PeriodicSizeRotatingFileHandler is now able to be configured via either the Management Console or Management CLI. Previously such a handler was only able to be configured by using a custom handler. The new configuration methods are easier and less prone to error.

Mask "password" System Properties

Any system property which contains the text password (regardless of case) is replaced with the text redacted when output via logging. This improves security by avoiding having passwords output in plain text in log files.

Management CLI
The CLI should support property substitution for names of elements and not only for parameters

Property substitution for names of elements has been added. Previously the Management CLI only supported property substitution for parameters.

Add echo command for use in CLI scripting

A new management CLI command - echo - has been added. It outputs verbatim any text which follows the command.

Management Console
Display server logs in graphical console

You can now view server and application logs in the JBoss EAP Management Console to help diagnose errors, performance problems, and other issues. For a log to be viewable in the Management Console Log Viewer, it must be located in the server's jboss.server.log.dir directory. The Log Viewer also respects user RBAC role assignments, so a user logged in to the Management Console can only view logs that they are authorized to access.

Access Red Hat plugin

Access to commonly used features of the Red Hat Customer Portal is now available from within the Management Console. The top navigation bar of the Management Console contains a drop-down menu: Red Hat Access. Clicking on this menu will reveal three task-specific links to the Customer Portal: Search Customer Portal, Open Case and Modify Case.

Expose web container global session timeout in the Console

The global HTTP session timeout may now be configured using the Management Console.

Naming
Use external-context for remote TIBCO ems lookup

When using the generic JMS resource adapter to connect to an external messaging server, an external context may be used instead of writing a custom ObjectFactory. The following is an extract of an example use of <external-context>. Replace the example properties with those appropriate for your JMS provider.

<external-context name="java:global/tibco" module="com.tibco.tibjms" class="javax.naming.InitialContext">
 <environment>
  <property name="java.naming.factory.initial" value="com.tibco.tibjms.naming.TibjmsInitialContextFactory"/>
  <property name="java.naming.provider.url" value="TIBCO_EMS_SERVER_HOST_NAME:PORT"/>
  <property name="java.naming.factory.url.pkgs" value="com.tibco.tibjms.naming"/>
  <property name="org.jboss.as.naming.lookup.by.string" value="true"/>
 </environment>
</external-context>
Patching
Access to details of patches has been improved

The Management CLI command patch has two additional arguments: inspect and info. The info argument outputs information on installed patches. The inspect argument outputs information about a downloaded patch.

The Patch Management panel of the Management Console has been improved to include a brief description of each patch and a link to a more detailed article.
Performance
Backport AbstractPool initLock() synchronization elimination from 1.2

A lock was created when calling to register a transaction after getting a connection from the pool. Since the transaction registry already handled locking, as it already used a concurrent collection, the additional lock handling was unnecessary and so was removed.

New managed connection pool

A new managed connection pool in the JCA subsystem has been created that improves performance and eliminates thread contention within the server.

PicketLink
Console plugin to integrate PicketLink subsystems into EAP console

PicketLink's subsystems are now configurable via the JBoss EAP Management Console, resulting in easier configuration.

Modify the PicketLink IDP to support SAML 2.0 unsolicited responses

The PicketLink Identity Provider (IDP) has been enhanced so that it can now send SAML 2.0 unsolicited responses to the Service Provider.

PicketLink should be configurable to ignore ajax calls

In case the user is not authenticated and sends a request to both IdP and SP using AJAX, PicketLink will respond with a 403 HTTP status code instead of the login page. AJAX requests are identified by checking the presence of the X-Requested-With header with value XMLHttpRequest.

RESTEasy
RESTEasy logging through JBossLogging

RESTEasy logging functionality is now handled by JBossLogging. The benefits of this change include support for internationalization of log messages.

New security parameters

RESTEasy has two new parameters intended to improve security in processing org.w3c.dom.Document documents. Both parameters are context-param parameters and can be set up in the web.xml of the application.

The parameter resteasy.document.secure.processing.feature imposes security constraints in processing org.w3c.dom.Document documents and JAXB object representations.
The parameter resteasy.document.secure.disableDTDs prohibits DTDs in org.w3c.dom.Document documents and JAXB object representations.
The default value for resteasy.document.secure.processing.feature and resteasy.document.secure.disableDTDs is true. To disable one or both of them, add the following to the application's web.xml file.
<context-param>
 <param-name>resteasy.document.secure.processing.feature</param-name>
 <param-value>false</param-value>
</context-param>
<context-param>
 <param-name>resteasy.document.secure.disableDTDs</param-name>
 <param-value>false</param-value>
</context-param>
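
What the two defaults protect against can be seen with plain JAXP. The following is an added example, not RESTEasy or JBoss EAP code; it assumes the standard JAXP secure-processing feature and the Xerces disallow-doctype-decl feature as analogues of the two context parameters, and the class name and sample documents are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SecureDocumentParsing {

    // Xerces feature (also honoured by the JDK's built-in parser) that rejects
    // any document containing a DOCTYPE declaration.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: an internal DTD declares an entity used in the body.
    static final String WITH_DTD =
            "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order [<!ENTITY note \"text supplied by the DTD\">]>"
            + "<order><comment>&note;</comment></order>";

    // Constructed sample: the same payload shape with no DOCTYPE.
    static final String WITHOUT_DTD =
            "<?xml version=\"1.0\"?><order><comment>plain text</comment></order>";

    /** Parses xml with the two protections switched on or off and reports the outcome. */
    static String parse(String xml, boolean secureProcessing, boolean disableDtds) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // Analogue of resteasy.document.secure.processing.feature (assumption).
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
            // Analogue of resteasy.document.secure.disableDTDs (assumption).
            factory.setFeature(DISALLOW_DOCTYPE, disableDtds);
            Document doc = factory.newDocumentBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted, comment = " + doc.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            // The parser refuses the document, e.g. because it carries a DOCTYPE.
            return "rejected: " + e.getMessage();
        } catch (ParserConfigurationException | IOException e) {
            return "parser error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Defaults described above (both true): the DTD-bearing document is refused.
        System.out.println(parse(WITH_DTD, true, true));
        // Both protections off: the DTD is processed and the entity is expanded.
        System.out.println(parse(WITH_DTD, false, false));
        // A document without a DOCTYPE parses under the defaults.
        System.out.println(parse(WITHOUT_DTD, true, true));
    }
}
```
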
RPM Installation and Updates
There is now a choice of RPM channels or repositories to which to subscribe for installation and updates of JBoss EAP via RPM. The current JBoss EAP channel provides the latest version, while a minor channel provides a specific minor release and all applicable patches. This allows you to maintain the same minor version of JBoss EAP 6, while still staying current with high severity and security patches. For further details of the available channels, see https://access.redhat.com/solutions/1346093.
Security
SSLValve allows for user-configurable header names

The names of HTTP headers that SSLValve uses for passing SSL/TLS information from the originator were predefined, for example: ssl_client_cert, ssl_cipher, ssl_session_id and ssl_cipher_usekeysize. With this change, the names of the headers are now customizable so that the originator can use an arbitrary name of the HTTP header, with the name specified in the SSLValve configuration.

Kerberos based authentication for Remoting

Support for Kerberos authentication for EJBs and EJB clients has now been enabled.

Management security realms should cache LDAP data

The management security realm now caches LDAP data, which helps reduce the number of LDAP requests.

Authorization with static Kerberos credentials to Oracle DB on Oracle JVM

Authorization using static Kerberos credentials in an Oracle DB datasource on Oracle JVM has been added. Note that Oracle DB driver version 11.2.0.3 or newer is required, and the security domain cache must be enabled.

Authorization with static Kerberos credentials to SQLServer on Oracle JVM

Authorization using static Kerberos credentials in a Microsoft SQL Server datasource has been added. Note that this feature is only supported for non-XA connections.

Add support for external password of keystore to PicketBoxVault implementation

The Vault feature now supports the option of having the keystore password provided via an external command or a custom class.

Add "remove vault entry" option to vault tool

The Vault CLI tool has been improved with the addition of the ability to remove a value stored in a vault.

Use of the -secmgr flag for the configuration of a Java Security Manager

Running JBoss EAP within the Java Security Manager is now enabled by either adding the -secmgr parameter to the startup script, or enabling the option SECMGR="true" in the configuration file. Enabling the Java Security Manager with the -Djava.security.manager Java system property is no longer possible. As a result of this change, custom security managers cannot be used. Starting JBoss EAP with a custom security manager enabled will result in JBoss EAP exiting with a non-zero exit code on startup. See the Security Guide for details of the changes required to enable the Java Security Manager.

Supported Configurations
Oracle JDK 8

Oracle Java Platform, Standard Edition 1.8 (JDK 8) has been added to the list of supported configurations.

IBM JDK 8

IBM JDK 8 has been added to the list of supported configurations.

DBMS

The following DBMS have been certified and are now fully supported:

  • Enterprise DB Postgres Plus Advanced Server 9.3
  • MySQL 5.7
  • IBM DB2 10.5
  • Microsoft SQL Server 2014
  • PostgreSQL 9.3

Deliver mod_snmp for tested RHEL versions on PPC

The Simple Network Management Protocol (SNMP) module mod_snmp is now supported on PowerPC64 Architecture running Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

WebSockets 1.0
The WebSocket 1.0 protocol provides two way communication between web clients and servers. Communications between clients and the server are event-based, allowing for faster processing and smaller bandwidth compared with polling-based methods.
The JBoss EAP 6.4 WebSocket implementation provides full dependency injection support for server endpoints; however, it does not provide CDI services for client endpoints. CDI support is limited to that required by the EE6 platform, and as a result, EE7 features such as interceptors on endpoints are not supported.

2.2. Enhancements

Installer

BZ#1169462 - Installer should automatically look for variables file during automated installs
In JBoss EAP 6.4 the installer now automatically looks for a variables file during installation.
The installer will look for the .variables file only if an automated installation is being run and no variables are passed in through the -variables or -variablefile tags.
The installer will look in the location of the auto.xml file first. If nothing is found there, it will look in the user's current working directory.
If the user specifies a remote auto.xml file, the installer will only look for the .variables file in the user's current working directory.
The .variables file will also only be detected if it follows this naming convention: <NAME_OF_AUTO.xml>.variable.

Transaction Manager

BZ#1168973 - JTS participants are not showing up in the tooling

This release of JBoss EAP 6 contains an enhancement to the Transaction Manager component. Previously, not all participants were appearing in the log viewer.

Now, the following types of participants will be shown:
  • AssumedCompleteHeuristicTransaction
  • AssumedCompleteHeuristicServerTransaction
  • AssumedCompleteTransaction
  • AssumedCompleteServerTransaction

2.3. Features Provided as Tech Preview Only

The following configurations and features are known to have issues and are provided as technology previews only. They are not supported in a production environment.
WS-Trust/STS with JBoss Web Services
JBoss Web Services now exposes WS-Trust/STS capabilities from the underlying CXF implementation.
Apache CXF 2.7.13 changes SAML/WS-Trust
The Security Token Service (STS) now validates ActAs tokens as well, whereas previously it validated OnBehalfOf tokens only; as a consequence, a valid username and password have to be specified in the UsernameToken that is provided as the ActAs token.
The SAML Bearer tokens are now required to have an internal signature; additionally, the org.apache.ws.security.validate.SamlAssertionValidator has a setRequireBearerSignature method to enable/disable this signature verification.
Adding and Removing Modules with the JBoss CLI
The CLI offers new commands to add and remove modules.
RestEasy Validation with the Hibernate Validator
RestEasy now includes a validation provider to support the Hibernate Validator delivered with JBoss EAP 6.
Multi-JSF
This feature enables a user to replace the JSF implementation provided with JBoss EAP 6 with a user-supplied JSF implementation.
mod_jk and IPv6
The mod_jk version has been updated. This new version contains support for IPv6, however this feature has not been fully tested.