WildFly 18 adds security enhancements & runs on JDK 13
Welcome WildFly 18! The latest release is here and available for download. It includes several new security upgrades, including SSL certificate revocation using OCSP and support for audit logging with RFC5424/RFC3164. WildFly also now runs with JDK 13. See all the latest changes made to this fast, lightweight managed application runtime.
WildFly, the Java EE 8 application server, reaches a new milestone.
Version 18 Final is here, live, and ready for download!
WildFly 18 features
According to Brian Stansberry at Red Hat, this release, in particular, is a big effort relative to the time window. So let’s say a big thank you to everyone who worked on this release and brought it to light. 👏
View the full release notes by Brian Stansberry, lead of the WildFly application server project.
Some of the release features include:
JDK 13 support
While it is not perfect yet, WildFly 18 runs with JDK 13. According to the release notes, it runs the main testsuite with minimal failures in “areas not expected to be commonly used”.
WildFly 18 is heavily tested on Java 8 and will support Java 8 well into WildFly 21 and likely even beyond. It encourages its users to use the most recent long-term support version of Java.
Both the Jakarta EE 8 Full Platform and Web Profile are compatible with the latest version as well.
- Ranked routing: JSESSIONID in clustered web apps can now be annotated with multiple routes, ranked by preference order. Routes configured with ranked routing will contain: the primary owner, the backup owners, and the local node if not already present.
- Remote cache metrics: Infinispan subsystem exposes management metrics for remote HotRod caches.
This release also amps up security in several different areas.
According to the release notes and proposals on GitHub, these security upgrades include:
- SSL certificate revocation using OCSP
- Elytron subsystem supports audit logging with RFC5424/RFC3164
- Enhanced mapping of X509Certificate to the underlying identity
- Elytron subsystem supports aggregation of SecurityRealms for Attribute Loading
- CLI SSL high-level security commands can obtain a server certificate from Let’s Encrypt certificate authority
- Added principal-transformer in aggregate-realm to the Elytron subsystem. This allows transformers to be applied to the principal before and after loading the authentication identity.
- Added support for masking passwords in Elytron’s client XML config.
- Certificate authority used by certificate-authority-account resource made configurable.
For more information about the latest security enhancements, read the JBossDeveloper blog by Farah Juma.
Furthermore, read about all the resolved issues on Jira.
Grab the latest version
Grab the download here. Prerequisites include JDK 8 or newer and Maven 3.3.1 or newer.