Chapter 4. New features and enhancements

Inclusive language, label changes

Toward Red Hat’s commitment to replacing problematic language in our code, documentation, and web properties, beginning with 8.0 Beta, the JBoss EAP management console will display more inclusive wording and labels. Specifically, you will notice the following changes to the management console resource addresses and user interface elements:

Adding, editing, and removing constant HTTP headers to response messages

In the JBoss EAP 8.0 Beta management console, you can now add, edit, or remove constant HTTP response headers. To add a new path and header, from the Server page, select Constant Headers, then click Add. To edit or remove an existing path header, select the path whose header you want to modify, then click either Edit or Remove.

Displaying Java Message Service bridge statistics for processed messages

A message bridge consumes messages from a source queue or topic, then sends them on to a target queue or topic, usually on a different server. A bridge can also send messages from one cluster to another. The Java Message Service (JMS) bridge provides statistics about messages that the bridge processed. Specifically, it collects the following data:

With this update, the JBoss EAP 8.0 Beta management console includes a new JMS Bridge column to display these statistics in the Runtime section. Note that this new feature affects the /subsystem=messaging-activemq/jms-bridge=* resource.

Configuring enhanced audit logging

In the JBoss EAP 8.0 Beta management console, you can configure the following two additional audit logging attributes in your /subsystem=elytron/syslog-audit-log=* resource:

Starting servers in suspended mode

You can now use the JBoss EAP 8.0 Beta management console to start servers in suspended mode. Select the new Start in suspended mode option, available in the following drop-down menus:

Configuring the certificate-authority attribute for the certificate-authority-account resource

With JBoss EAP 8.0 Beta, you can use any certificate authority for your certificate-authority-account Elytron resource. Previously, JBoss EAP supported only the Let’s Encrypt certificate authority, and the certificate-authority attribute was not configurable.

With this update, you can add, configure, or remove any certificate authority by opening the JBoss EAP management console and clicking Configuration > Subsystems > Security > Other Settings > Other Settings > Certificate Authority. From there, click Add to add a new certificate authority. To modify one you already have, select it, then click Edit. To remove a certificate authority, select it, then click Remove.

Configuring the OCSP as an Elytron trust manager

With JBoss EAP 8.0 Beta, you can configure the Online Certificate Status Protocol (OCSP) as the trust manager for the Elytron undertow subsystem. Previously, JBoss EAP supported only a certificate revocation list (CRL) as trust manager.

With this update, you can configure the OCSP as your trust manager by opening the JBoss EAP management console and clicking Configuration > Subsystems > Elytron > Other Settings > SSL > Trust Manager. Next, either select or create a trust manager and then, from the Trust Manager window, select the OCSP tab and click Add.

Pausing Java Message Service topics

From the JBoss EAP 8.0 Beta management console, you can now navigate to Runtime > Messaging > Server > Server Name > Destination to select and then pause a Java Message Service (JMS) topic. After you address the related messaging issue, you can also resume the paused topic. JMS previously sent messages to all active subscribers without any way to interrupt them.

Non-heap memory usage added to server status preview

With JBoss EAP 8.0 Beta, you can see more information in the server status preview about the memory consumption of your server. Previously, the preview displayed only heap memory usage: Used and Committed. With this update, it also displays the same information for non-heap memory usage.

Automatically add or update credential store passwords when you add or update a datasource

Beginning with JBoss EAP 8.0 Beta, when you create a datasource from the management console, you can automatically add a password for that datasource to your credential store. From the management console, select Configuration > Subsystems > Datasources, then click Add to add a new datasource. Next, enter the credential store name where you want to save the password for the new datasource, an alias for the credential, and the plain text password you want to use. To modify an existing datasource, select it, then click Edit.

Create, read, update, and delete Elytron resources

From the JBoss EAP 8.0 Beta management console, you can now create, read, update, or delete any of the following four evidence decoders:

To take one of these actions, navigate to Configuration > Subsystems > Security > Mappers & Decoders > Evidence Decoder.

Viewing the deployment hash value

The JBoss EAP 8.0 Beta management console can now display your deployment hash value in the deployment preview. This means that you can determine at a glance whether your deployment was valid and successful.

Adding and configuring interceptors in the EJB 3 subsystem

From the JBoss EAP 8.0 Beta management console, you can now add and configure system-wide, server-side interceptors in the ejb3 subsystem. From the console, select Configuration > EJB > Container to make your additions or changes.

Configuring Infinispan distributed web session affinity

With JBoss EAP 8.0 Beta, in the distributable-web subsystem, you now have more control over the affinity, or load balancer "stickiness", of a distributed web session. To change your session affinity to something other than the Primary-owner default, in the management console, click Configuration > Distributable Web > View > Infinispan Session. Next, choose a session and select Affinity to make your changes. Affinity options now include the following:

Previously, the only available affinity was Primary-owner.

Configuring global directories in EE subsystem

With the JBoss EAP 8.0 Beta management console, you can now configure a new ee subsystem resource, /subsystem=ee/global-directory=*. You can use a global directory to add content to a deployment class path without listing the contents of the directory. To configure a global directory resource, navigate to Configuration > Subsystems > EE > Globals.

Configuring cipher suites in Elytron

With the JBoss EAP 8.0 Beta management console, you can now enable TLS 1.3 cipher suites using the cipher-suite-names attribute to secure your network connection. Specifically, you can now configure the following elytron subsystem resources:

To configure the cipher-suite-names attribute for the /subsystem=elytron/client-ssl-context=* resource from the management console, navigate to Configuration > Subsystems > Security > Other Settings > SSL > Client SSL Context.

To configure the cipher-suite-names attribute for the /subsystem=elytron/server-ssl-context=* resource from the management console, navigate to Configuration > Subsystems > Security > Other Settings > SSL > Server SSL Context.

JAAS realm in the elytron subsystem

In JBoss EAP 8.0 Beta, the legacy security subsystem has been removed. To continue using your custom login modules with the elytron subsystem, use the new Java Authentication and Authorization Service (JAAS) security realm, jaas-realm.

Although elytron subsystem provides jaas-realm, it is preferable to use other existing security realms that the subsystem provides. These include jdbc-realm, ldap-realm, token-realm, and others. You can also combine different security realms by configuring aggregate-realm, distributed-realm, or failover-realm. If none of these suits your purpose, implement a custom security realm and use it instead of custom login module.

The following are cases where you should use jaas-realm instead of implementing a custom security realm:

For more information, see Creating a JAAS realm in the Securing applications and management interfaces using multiple identity stores guide.

Configure multiple certificate revocation lists in Elytron and Elytron client

You can now configure multiple certificate revocation lists (CRL) in the elytron subsystem and WildFly Elytron client when you use several Certificate Authorities (CA). You can specify the list of CRLs to use in the certificate-revocation-lists attribute in the trust-manager.

For more information, see Configuring certificate revocation checks in Elytron in the Configuring SSL/TLS in JBoss EAP guide.

Native OpenID Connect client

You can now secure applications deployed to JBoss EAP with OpenID Connect (OIDC) using the new native support for OIDC instead of installing the previously required Red Hat Single Sign-On Client Adapter. The new elytron-oidc-client subsystem provides the native support. The Red Hat Single Sign-On Client Adapter is not provided in this release.

For more information, see OpenID Connect configuration in JBoss EAP in the Using single sign-on with JBoss EAP guide.

New hash-encoding and hash-charset attributes for hashed passwords

You can now specify the character set and the string format for the hashed passwords that are stored in elytron subsystem security realms by using the hash-charset and hash-encoding attributes. The default hash-charset value is UTF-8. You can set the hash-encoding value to either base64 or hex; base64 is the default for all realms except the properties-realm where hex is the default.

The new attributes are included in the following security realms:

For more information, see the Securing applications and management interfaces using an identity store guide.

SSLv2Hello

Beginning with JBoss EAP 8.0 Beta, you can specify the SSLv2Hello protocol for server-ssl-context and client-ssl-context in the elytron subsystem.

Updates to filesystem-realm

You can now encrypt the clear passwords, hashed passwords, and attributes associated with identities in a filesystem-realm for better security. You can do this in two ways:

You can now also enable integrity checks for a filesystem-realm to ensure that the identities in the filesystem-realm were not tampered with since the last authorized write. You can do this by referencing a key pair when you create the filesystem-realm using the add operation. WildFly Elytron generates a signature for the identity file using the key pair. An integrity check runs whenever an identity file is read.

For more information, see Filesystem realm in Elytron in the Securing applications and management interfaces using an identity store guide.

Configuring web session replication using a ProtoStream

You can now configure web session replication using a ProtoStream instead of JBoss Marshalling in JBoss EAP 8.0 Beta.

See How to configure web session replication to use ProtoStream instead of JBoss Marshalling in JBoss EAP 8.0 Beta.

Configuring custom exception-sorter or valid-connection-checker for a datasource

You can now configure a custom exception-sorter or valid-connection-checker for a datasource using a JBoss Module.

See How to configure a custom exception-sorter or valid-connection-checker for a datasource in JBoss EAP 8.

JBoss EAP 8.0 Beta server interoperability with JBoss EAP 7 and JBoss EAP 6

In JBoss EAP 8.0 Beta you can enable interoperability between JBoss EAP 8.0 Beta and older versions of your JBoss EAP server. JBoss EAP supports Jakarta EE 10 whose API class uses the jakarta package namespace. However, older versions of JBoss EAP use the javax package namespace.

For more information about how to enable interoperability between JBoss EAP 8.0 Beta and older versions of JBoss EAP see, how to enable interoperability.

Infinispan-based distributed timers

In JBoss EAP 8.0 Beta, you can now use Infinispan-based distributed timers to schedule persistent Jakarta Enterprise Bean timers within a cluster, which you can scale to large clusters. For more information, see EAP 8 - how to configure Infinispan based distributed timers.

Distributable EJB subsystem

Use the distributable-ejb subsystem to configure clustering abstractions providers required for ejb3 subsystem functionalities, such as:

You can currently define these providers at a system-wide level. It is planned to develop functionality to enable deployment-specific providers by customizing the ejb3 subsystem. For more information, see What is the distributable-ejb subsystem in EAP 8.

RH-SSO SAML support for JBoss EAP 8.0 Beta

Using Red Hat Single Sign-On SAML adapters with JBoss EAP 8.0 Beta Source-to-Image (S2I) image will be supported when the adapters are released. For more information, see OpenShift, SSO SAML support for EAP 8.

Provisioning a JBoss EAP server using the Maven plug-in

You can now use the JBoss EAP Maven plug-in on OpenShift to:

For more information, see Provisioning a JBoss EAP server using the Maven plug-in.

OpenID Connect support for JBoss EAP source-to-image

You can now secure applications deployed to JBoss EAP with OpenID Connect (OIDC) using the new elytron-oidc-client subsystem instead of installing the previously required Red Hat Single Sign-On Client Adapter. You can configure an elytron-oidc-client subsystem by using the environment variables to secure the application with OIDC. The Red Hat Single Sign-On Client Adapter is not provided in this release. For more information, see Using OpenID Connect to secure JBoss EAP applications on OpenShift.

Building application images using Source-to-Image

In JBoss EAP 8.0 Beta, an installed server has been removed from Source-to-Image (S2I) builder images. Galleon feature-packs and layers are now used to provision the server during the S2I build phase. To provision the server, include and configure the JBoss EAP Maven plug-in in the pom.xml file of your application. For more information, see Building application images using source-to-image in OpenShift.

Override management attributes with environment variables

To more easily adapt your JBoss EAP server configuration to your server environment, you can use an environment variable to override the value of any management attribute, without editing your configuration file. You cannot override management attributes of type LIST, OBJECT, or PROPERTY. In JBoss EAP 8.0 Beta OpenShift runtime image, this feature is enabled by default. For more information, see Overriding management attributes with environment variables.

Environment variable checks for resolving management model expressions

JBoss EAP now supports environment variable checks when resolving management model expressions. In previous versions of JBoss EAP, the JBoss EAP server only checked for Java system properties in the management expression. Now, the server will check for a relevant environment variable in addition to the system property. If you use both, JBoss EAP observes and uses the Java system property rather than the environment variable to resolve the management model expression. For more information about using environment variables to resolve management model expressions, see Environment variables and model expression resolution.

Supported EAP 8 quickstarts

All supported JBoss EAP 8 quickstarts are located at jboss-eap-quickstarts.

New JBoss EAP BOMs for Maven

JBoss EAP BOMs provide the Maven BOM files that specify the versions of JBoss EAP dependencies that are needed for building or testing your Maven projects. In addition, Jakarta EE 10 BOMs provide dependency management for related frameworks such as Hibernate, RESTasy, and proprietary components like Infinispan and Client BOMs.

JBoss EAP Server Migration Tool

The Server Migration Tool is now a standalone migration tool and is no longer included with JBoss EAP 8.0 Beta. You can download the migration tool separately.