Chapter 4. New features and enhancements
4.1. Management console
Inclusive language, label changes
Toward Red Hat’s commitment to replacing problematic language in our code, documentation, and web properties, beginning with 8.0 Beta, the JBoss EAP management console will display more inclusive wording and labels. Specifically, you will notice the following changes to the management console resource addresses and user interface elements:
|New term||Previous term|
Adding, editing, and removing constant HTTP headers to response messages
In the JBoss EAP 8.0 Beta management console, you can now add, edit, or remove constant HTTP response headers. To add a new path and header, from the Server page, select Constant Headers, then click Add. To edit or remove an existing path header, select the path whose header you want to modify, then click either Edit or Remove.
Displaying Java Message Service bridge statistics for processed messages
A message bridge consumes messages from a source queue or topic, then sends them on to a target queue or topic, usually on a different server. A bridge can also send messages from one cluster to another. The Java Message Service (JMS) bridge provides statistics about messages that the bridge processed. Specifically, it collects the following data:
- number of messages successfully committed (message count)
- number of messages aborted (messages aborted)
With this update, the JBoss EAP 8.0 Beta management console includes a new JMS Bridge column to display these statistics in the Runtime section. Note that this new feature affects the
Configuring enhanced audit logging
In the JBoss EAP 8.0 Beta management console, you can configure the following two additional audit logging attributes in your
Define the format for your audit log messages. Supported values are
RFC5424. ("RFC" stands for "request for comments.")
Define the maximum number of failed attempts JBoss EAP should make to connect to the syslog server before closing the endpoint.
Starting servers in suspended mode
You can now use the JBoss EAP 8.0 Beta management console to start servers in suspended mode. Select the new Start in suspended mode option, available in the following drop-down menus:
- Runtime > Topology
- Runtime > Server Groups
- Runtime > Server Groups > Server
- Runtime > Host > Server
Configuring the certificate-authority attribute for the certificate-authority-account resource
With JBoss EAP 8.0 Beta, you can use any certificate authority for your
certificate-authority-account Elytron resource. Previously, JBoss EAP supported only the Let’s Encrypt certificate authority, and the
certificate-authority attribute was not configurable.
With this update, you can add, configure, or remove any certificate authority by opening the JBoss EAP management console and clicking Configuration > Subsystems > Security > Other Settings > Other Settings > Certificate Authority. From there, click Add to add a new certificate authority. To modify one you already have, select it, then click Edit. To remove a certificate authority, select it, then click Remove.
Configuring the OCSP as an Elytron trust manager
With JBoss EAP 8.0 Beta, you can configure the Online Certificate Status Protocol (OCSP) as the trust manager for the Elytron
undertow subsystem. Previously, JBoss EAP supported only a certificate revocation list (CRL) as trust manager.
With this update, you can configure the OCSP as your trust manager by opening the JBoss EAP management console and clicking Configuration > Subsystems > Elytron > Other Settings > SSL > Trust Manager. Next, either select or create a trust manager and then, from the Trust Manager window, select the OCSP tab and click Add.
Pausing Java Message Service topics
From the JBoss EAP 8.0 Beta management console, you can now navigate to Runtime > Messaging > Server > Server Name > Destination to select and then pause a Java Message Service (JMS) topic. After you address the related messaging issue, you can also resume the paused topic. JMS previously sent messages to all active subscribers without any way to interrupt them.
Non-heap memory usage added to server status preview
With JBoss EAP 8.0 Beta, you can see more information in the server status preview about the memory consumption of your server. Previously, the preview displayed only heap memory usage: Used and Committed. With this update, it also displays the same information for non-heap memory usage.
Automatically add or update credential store passwords when you add or update a datasource
Beginning with JBoss EAP 8.0 Beta, when you create a datasource from the management console, you can automatically add a password for that datasource to your credential store. From the management console, select Configuration > Subsystems > Datasources, then click Add to add a new datasource. Next, enter the credential store name where you want to save the password for the new datasource, an alias for the credential, and the plain text password you want to use. To modify an existing datasource, select it, then click Edit.
Create, read, update, and delete Elytron resources
From the JBoss EAP 8.0 Beta management console, you can now create, read, update, or delete any of the following four evidence decoders:
- Aggregate Evidence Decoders
- Custom Evidence Decoders
- X500 Subject Evidence Decoders
- X509 Subject Alt Name Evidence Decoder
To take one of these actions, navigate to Configuration > Subsystems > Security > Mappers & Decoders > Evidence Decoder.
Viewing the deployment hash value
The JBoss EAP 8.0 Beta management console can now display your deployment hash value in the deployment preview. This means that you can determine at a glance whether your deployment was valid and successful.
Adding and configuring interceptors in the EJB 3 subsystem
From the JBoss EAP 8.0 Beta management console, you can now add and configure system-wide, server-side interceptors in the
ejb3 subsystem. From the console, select Configuration > EJB > Container to make your additions or changes.
Configuring Infinispan distributed web session affinity
With JBoss EAP 8.0 Beta, in the
distributable-web subsystem, you now have more control over the affinity, or load balancer "stickiness", of a distributed web session. To change your session affinity to something other than the Primary-owner default, in the management console, click Configuration > Distributable Web > View > Infinispan Session. Next, choose a session and select Affinity to make your changes. Affinity options now include the following:
Previously, the only available affinity was Primary-owner.
Configuring global directories in EE subsystem
With the JBoss EAP 8.0 Beta management console, you can now configure a new
ee subsystem resource,
/subsystem=ee/global-directory=*. You can use a global directory to add content to a deployment class path without listing the contents of the directory. To configure a global directory resource, navigate to Configuration > Subsystems > EE > Globals.
Configuring cipher suites in Elytron
With the JBoss EAP 8.0 Beta management console, you can now enable TLS 1.3 cipher suites using the
cipher-suite-names attribute to secure your network connection. Specifically, you can now configure the following
elytron subsystem resources:
To configure the
cipher-suite-names attribute for the
/subsystem=elytron/client-ssl-context=* resource from the management console, navigate to Configuration > Subsystems > Security > Other Settings > SSL > Client SSL Context.
To configure the
cipher-suite-names attribute for the
/subsystem=elytron/server-ssl-context=* resource from the management console, navigate to Configuration > Subsystems > Security > Other Settings > SSL > Server SSL Context.
JAAS realm in the
In JBoss EAP 8.0 Beta, the legacy security subsystem has been removed. To continue using your custom login modules with the
elytron subsystem, use the new Java Authentication and Authorization Service (JAAS) security realm,
jaas-realm only supports JAAS-compatible login modules. For information about JAAS, see Java Authentication and Authorization Service (JAAS) Reference Guide.
jaas-realm does not support custom login modules that extend or are dependent upon PicketBox APIs.
elytron subsystem provides
jaas-realm, it is preferable to use other existing security realms that the subsystem provides. These include
token-realm, and others. You can also combine different security realms by configuring
failover-realm. If none of these suits your purpose, implement a custom security realm and use it instead of custom login module.
The following are cases where you should use
jaas-realm instead of implementing a custom security realm:
You are migrating to the
elytronsubsystem from legacy security and already have custom login modules implemented.
- You are migrating from other application servers to JBoss EAP and already have the login modules implemented.
You require combining multiple login modules with various flags and options provided to those login modules. These flags and options might not be configurable for the provided security realms in the
For more information, see Creating a JAAS realm in the Securing applications and management interfaces using multiple identity stores guide.
Configure multiple certificate revocation lists in Elytron and Elytron client
You can now configure multiple certificate revocation lists (CRL) in the
elytron subsystem and WildFly Elytron client when you use several Certificate Authorities (CA). You can specify the list of CRLs to use in the
certificate-revocation-lists attribute in the
For more information, see Configuring certificate revocation checks in Elytron in the Configuring SSL/TLS in JBoss EAP guide.
Native OpenID Connect client
You can now secure applications deployed to JBoss EAP with OpenID Connect (OIDC) using the new native support for OIDC instead of installing the previously required Red Hat Single Sign-On Client Adapter. The new
elytron-oidc-client subsystem provides the native support. The Red Hat Single Sign-On Client Adapter is not provided in this release.
For more information, see OpenID Connect configuration in JBoss EAP in the Using single sign-on with JBoss EAP guide.
hash-charset attributes for hashed passwords
You can now specify the character set and the string format for the hashed passwords that are stored in
elytron subsystem security realms by using the
hash-encoding attributes. The default
hash-charset value is
UTF-8. You can set the
hash-encoding value to either
base64 is the default for all realms except the
hex is the default.
The new attributes are included in the following security realms:
For more information, see the Securing applications and management interfaces using an identity store guide.
Beginning with JBoss EAP 8.0 Beta, you can specify the
SSLv2Hello protocol for
client-ssl-context in the
You must configure another encryption protocol if you want to configure
SSLv2Hellobecause the purpose of the latter is to determine which encryption protocols the connected server supports.
IBM JDKdoes not support
SSLv2Helloin its client, although a server-side connection always accepts this protocol.
You can now encrypt the clear passwords, hashed passwords, and attributes associated with identities in a
filesystem-realm for better security. You can do this in two ways:
Create an encrypted
filesystem-realmby referencing a secret key in the
Encrypt an existing
filesystem-realmusing the new
filesystem-realm-encryptcommand in the WildFly Elytron Tool.
You can now also enable integrity checks for a
filesystem-realm to ensure that the identities in the
filesystem-realm were not tampered with since the last authorized write. You can do this by referencing a key pair when you create the
filesystem-realm using the
add operation. WildFly Elytron generates a signature for the identity file using the key pair. An integrity check runs whenever an identity file is read.
For more information, see Filesystem realm in Elytron in the Securing applications and management interfaces using an identity store guide.
Configuring web session replication using a ProtoStream
You can now configure web session replication using a ProtoStream instead of JBoss Marshalling in JBoss EAP 8.0 Beta.
See How to configure web session replication to use ProtoStream instead of JBoss Marshalling in JBoss EAP 8.0 Beta.
4.4. Datasource subsystem
valid-connection-checker for a datasource
You can now configure a custom
valid-connection-checker for a datasource using a JBoss Module.
See How to configure a custom exception-sorter or valid-connection-checker for a datasource in JBoss EAP 8.
JBoss EAP 8.0 Beta server interoperability with JBoss EAP 7 and JBoss EAP 6
In JBoss EAP 8.0 Beta you can enable interoperability between JBoss EAP 8.0 Beta and older versions of your JBoss EAP server. JBoss EAP supports Jakarta EE 10 whose API class uses the
jakarta package namespace. However, older versions of JBoss EAP use the
javax package namespace.
- The older versions supported are JBoss EAP 6 and JBoss EAP 7
interoperability between JBoss EAP 6 and JBoss EAP 7 is not affected by this issue as both servers support the
For more information about how to enable interoperability between JBoss EAP 8.0 Beta and older versions of JBoss EAP see, how to enable interoperability.
Infinispan-based distributed timers
In JBoss EAP 8.0 Beta, you can now use Infinispan-based distributed timers to schedule persistent Jakarta Enterprise Bean timers within a cluster, which you can scale to large clusters. For more information, see EAP 8 - how to configure Infinispan based distributed timers.
Distributable EJB subsystem
distributable-ejb subsystem to configure clustering abstractions providers required for
ejb3 subsystem functionalities, such as:
- Stateful session beans (SFSB) cache factories
- Client mappings registries for EJB client applications
- Distributed EJB timers
You can currently define these providers at a system-wide level. It is planned to develop functionality to enable deployment-specific providers by customizing the
ejb3 subsystem. For more information, see What is the distributable-ejb subsystem in EAP 8.
RH-SSO SAML support for JBoss EAP 8.0 Beta
Using Red Hat Single Sign-On SAML adapters with JBoss EAP 8.0 Beta Source-to-Image (S2I) image will be supported when the adapters are released. For more information, see OpenShift, SSO SAML support for EAP 8.
Provisioning a JBoss EAP server using the Maven plug-in
You can now use the JBoss EAP Maven plug-in on OpenShift to:
- Provision a trimmed server using Galleon.
- Install your application on the provisioned server.
- Tune the server configuration using the JBoss EAP management CLI.
Package extra files into the server installation, such as a
- Integrate the plug-in into your JBoss EAP 8.0 Beta source-to-image application build.
For more information, see Provisioning a JBoss EAP server using the Maven plug-in.
OpenID Connect support for JBoss EAP source-to-image
You can now secure applications deployed to JBoss EAP with OpenID Connect (OIDC) using the new
elytron-oidc-client subsystem instead of installing the previously required Red Hat Single Sign-On Client Adapter. You can configure an
elytron-oidc-client subsystem by using the environment variables to secure the application with OIDC. The Red Hat Single Sign-On Client Adapter is not provided in this release. For more information, see Using OpenID Connect to secure JBoss EAP applications on OpenShift.
Building application images using Source-to-Image
In JBoss EAP 8.0 Beta, an installed server has been removed from Source-to-Image (S2I) builder images. Galleon feature-packs and layers are now used to provision the server during the S2I build phase. To provision the server, include and configure the JBoss EAP Maven plug-in in the
pom.xml file of your application. For more information, see Building application images using source-to-image in OpenShift.
Override management attributes with environment variables
To more easily adapt your JBoss EAP server configuration to your server environment, you can use an environment variable to override the value of any management attribute, without editing your configuration file. You cannot override management attributes of type
PROPERTY. In JBoss EAP 8.0 Beta OpenShift runtime image, this feature is enabled by default. For more information, see Overriding management attributes with environment variables.
Environment variable checks for resolving management model expressions
JBoss EAP now supports environment variable checks when resolving management model expressions. In previous versions of JBoss EAP, the JBoss EAP server only checked for Java system properties in the management expression. Now, the server will check for a relevant environment variable in addition to the system property. If you use both, JBoss EAP observes and uses the Java system property rather than the environment variable to resolve the management model expression. For more information about using environment variables to resolve management model expressions, see Environment variables and model expression resolution.
4.7. Quickstarts and BOMs
Supported EAP 8 quickstarts
All supported JBoss EAP 8 quickstarts are located at jboss-eap-quickstarts.
New JBoss EAP BOMs for Maven
JBoss EAP BOMs provide the Maven BOM files that specify the versions of JBoss EAP dependencies that are needed for building or testing your Maven projects. In addition, Jakarta EE 10 BOMs provide dependency management for related frameworks such as Hibernate, RESTasy, and proprietary components like Infinispan and Client BOMs.
4.8. Server Migration Tool
JBoss EAP Server Migration Tool
The Server Migration Tool is now a standalone migration tool and is no longer included with JBoss EAP 8.0 Beta. You can download the migration tool separately.