Differences between Jakarta EE 10 and 9.1

Jakarta EE 9.1 features can run with Java SE versions 8 and later. All Jakarta EE 10 features require Java 11 or later, as outlined by the Jakarta EE 10 specification.

Jakarta EE 10 introduces a new profile called Core Profile. The Liberty features that provide the Core Profile function are Jakarta Contexts and Dependency Injection 4.0 (cdi-4.0), Jakarta JSON Binding 3.0 (jsonb-3.0), Jakarta JSON Processing 2.1 (jsonp-2.1), and Jakarta RESTful Web Services 3.1 (restfulWS-3.1). No convenience feature is provided for Core Profile. However, you can easily enable all Jakarta 10 Core Profile features by including both the restfulWS-3.1 (which includes both cdi-4.0 and jsonp-2.1) and jsonb-3.0 Liberty features in your server.xml file.

Several Jakarta EE 9.1 Liberty features include a dependency on the Jakarta XML Binding 3.0 (xmlBinding-3.0) feature, even though the specification doesn’t call for those features to depend on or expose XML Binding APIs. Furthermore, many of these features are part of the Jakarta Web Profile subset of features, which does not include the XML Binding feature.

The following Jakarta EE 10 Liberty features do not expose the XML Binding 4.0 APIs where their equivalent Jakarta EE 9.1 features expose the XML Binding 3.0 APIs:

For Open Liberty applications that require the XML Binding APIs, you must now add the Jakarta XML Binding 4.0 (xmlBinding-4.0) Liberty feature to your server.xml file.

The Jakarta EE Platform 9.1 (jakartaee-9.1) Liberty convenience feature includes the Admin Rest Connector 2.0 (restConnector-2.0) Liberty feature. The Jakarta EE Platform 10.0 (jakartaee-10.0) Liberty convenience feature does not include this Liberty feature.

If you use the jakartaee-10.0 convenience feature and your application requires the Admin Rest Connector function, you must add the restConnector-2.0 feature to your server.xml file.

In Jakarta EE 10, the combination of the Jakarta Connectors 2.1 (connectors-2.1) and Application Security 5.0 (appSecurity-5.0) Liberty features replaces what the Jakarta Connectors Inbound Security 2.0 (connectorsInboundSecurity-2.0) Liberty feature provided in Jakarta EE 9.1.

When you enable the JSON Web Token 1.0 (jwt-1.0) Liberty feature with Jakarta EE 10 Liberty features, the Servlet APIs are no longer available by default. For Open Liberty applications that require Servlet APIs, you must add the Jakarta Servlet 6.0 (servlet-6.0) feature to your server.xml file.

Similarly, the com.ibm.wsspi.rest.handler, com.ibm.wsspi.rest.handler.helper, and com.ibm.wsspi.wab.configure SPIs are no longer available to user features when the jwt-1.0 feature is enabled with Jakarta EE 10 Liberty features. For Open Liberty user features that require these SPIs, you must add the com.ibm.websphere.appserver.restHandler-1.0 or com.ibm.wsspi.appserver.webBundle-1.0 feature to your user feature mf file.

The jakarta.security.jacc.PolicyConfigurationFactory abstract class implements the following two new methods to retrieve the Policy Configuration interface (PolicyConfiguration):

These methods are available in addition to the following getPolicyConfiguration method that was available in previous versions.

public abstract PolicyConfiguration getPolicyConfiguration(String contextID, boolean remove);

The jakarta.security.jacc.PolicyConfiguration interface defines three new methods to read permissions:

For more information, see the Jakarta Authorization 2.1 Javadoc.

The @BatchProperty annotation is expanded to enable the injection of the following types: Boolean, Short, Integer, Long, Float, and Double. Previously, this annotation could inject only a String value. The following example demonstrates the newly added injection types:

Previously, the default JobOperator interface was made available only from the BatchRuntime.getJobOperator() static factory method. In Jakarta Batch 2.1 and later, if an injection point for a JobOperator interface exists and no user-supplied implementation is found, the default JobOperator instance is injected automatically. The following example demonstrates the default injection for the JobOperator interface:

CDI provides portable extensions to customize the CDI application initialization lifecycle. In CDI 4.0, build compatible extensions make implementing extensions amenable to build-time processing.

To implement a build compatible extension, provide an implementation of the BuildCompatibleExtension interface that is declared in the META-INF/services directory. The implementation can provide methods that are annotated with one of the following extension annotations, each of which corresponds to an extension execution phase:

For example, as part of the Enhancement phase, the implementation in the following example adds a MyQualifier annotation to the MyService type:

Two new observable container state events are available in CDI 4.0: Startup and Shutdown. Applications can listen for these events to be notified when the CDI container is starting up or shutting down. The following example listens for Startup and Shutdown events and prints a notification for each to the console when it receives the event:

You can control the order among multiple observable container state methods by using the @Priority annotation.

In CDI 4.0, a beans.xml file that does not specify the bean-discovery-mode attribute is treated as if the attribute is set to bean-discovery-mode="annotated". In CDI 3.0 and earlier, a beans.xml file that does not specify the bean-discovery-mode attribute is treated as if the attribute is set to bean-discovery-mode="all". These settings apply to both empty and non-empty beans.xml files.

For an empty beans.xml file in CDI 4.0, you can set the emptyBeansXmlCDI3Compatibility attribute for the cdi element to enable compatibility with previous versions. If you set this attribute to true in your server.xml file, any archives that contain an empty beans.xml file are treated as explicit beans archives. For more information, see Server.xml configuration element and attribute updates.

The best practice is to always specify a version for non-empty beans.xml files, as shown in the following example:

In CDI 4.0, a new Handle API is available to simplify the programmatic inspection of bean metadata. This API avoids the need to create instances before they are required. You can obtain a Handle instance by using the Instance API, which uses the following syntax:

The following previously deprecated CDI APIs are removed in CDI 4.0:

In the Liberty Jakarta Contexts and Dependency Injection 4.0 feature, the cdi12 configuration element is superseded by the cdi element, which applies to CDI versions 1.2 and later. The following server.xml file example shows the cdi element with two configuration attributes:

The enableImplicitBeanArchives attribute works the same as it did with the cdi12 element in previous versions. If this attribute is set to true, which is the default, then archives with no beans.xml file are treated as implicit bean archives and scanned for classes that have bean-defining annotations. If this attribute is set to false, then archives that do not contain a beans.xml file are not scanned for annotated classes.

The emptyBeansXmlCDI3Compatibility attribute applies only to CDI 4.0. If this attribute is set to true, an archive that contains an empty beans.xml file is treated as an explicit bean archive, as it was in CDI 3.0 and earlier. If this attribute set to false, which is the default, then an archive that contains an empty beans.xml file is treated as an implicit bean archive.

For more information, see the Jakarta Contexts and Dependency Injection 4.0 Javadoc

The 5.0 release adds support for Java Generics throughout the API, wherever they are appropriate. This update removes the need to cast from an Object instance to a specific object type in many API calls.

The 5.0 release implements support for coercing Lambda Expressions to a functional interface method invocation and clarifies the specification for coercing arrays. However, Liberty use of the Tomcat API and implementation of the Expression Language specification already followed these clarifications to the specification for coercing arrays. Therefore, no functional changes for array coercion are added in the Expression Language 5.0 feature.

The BeanELResolver class is updated to also consider default method implementations when it looks for property getters, property setters, and methods. The documented behavior of the StaticFieldELResolver class is updated to explicitly document that the ELResolver.getType() method must return null if either the ELResolver class or the resolved property is read-only.

A new MethodReference class provides access to details of the method to which a MethodExpression instance resolves, including any annotations that are present on the method.

The ELResolver getFeatureDescriptors() method is deprecated in Expression Language 5.0, with removal planned for Expression Language 6.0. A new default implementation that returns null is added. This update ensures that custom ELResolver implementations do not need to implement the method.

The deprecated and misspelled MethodExpression.isParmetersProvided() method is removed from the API.

For more information, see the Jakarta Expression Language 5.0 Javadoc.

As of the 4.0 release, Facelets no longer need to exist as XML files and can now be programmatically created with Java. For an example, see this specification issue.

You can now configure Facelets to be reached without any extensions by setting the jakarta.faces.AUTOMATIC_EXTENSIONLESS_MAPPING context parameter to true. For example, when this parameter is set to true, the somePage.xhtml facelet can be reached by specifying <context-root>/somePage because the FacesServlet class maps to the `/somePage`instance automatically.

The http://xmlns.jcp.org/jsf/* URIs are updated to the jakarta.faces.* URN. For example, any URI in the http://xmlns.jcp.org/jsf/* pattern now uses the jakarta.faces.* URN pattern and any URI in the http://xmlns.jcp.org/jsp/jstl/* pattern now uses the jakarta.tags.* URN pattern. However, Faces 4.0 is still compatible with the older URIs.

Although the 4.0 release includes no new deprecations, many previously deprecated methods and classes are removed. Links for the following removals reference the Faces 3.0 API Docs for convenience as these are removed from Faces 4.0.

For all other non-specification changes, see the MyFaces release notes.

In previous versions, support for sending and receiving multipart/form-data parts was provided by the Liberty-specific IAttachment and IMultipartBody APIs, which are deprecated in this release. This support is now provided by the EntityPart API that is defined in the RESTful Web Services specification. For more information, see section 3.5.2 of the Jakarta Restful Web Services specification.

In previous Liberty feature versions of RESTful Web Services (JAXRS) and XML Web Services (JAXWS), the com.ibm.wsspi.webservices.handler Web Services Global Handler SPI package was automatically enabled.

Starting in Jakarta EE 10, Global Handlers are disabled by default. As with previous versions, you must create a user feature to configure a Global Handler. However, as of this release, you must also add the io.openliberty.globalhandler-1.0 protected Liberty feature to your user feature manifest file to enable the SPI package.

Add io.openliberty.globalhandler-1.0; type="osgi.subsystem.feature" to your user feature manifest file, as shown in the following manifest file example:

If you see an error message in your logs that is similar to the following example, you need to add the io.openliberty.globalhandler-1.0 feature to your user feature manifest file:

When previous Liberty feature versions of RESTful Web Services (JAXRS) and RESTful Web Services Client were enabled, the Servlet APIs were available to any Open Liberty application by default.

Starting with RESTful Web Services 3.1 and RESTful Web Services Client 3.1, the Servlet APIs are no longer available by default when you enable these features. For Open Liberty applications that require Servlet APIs, you must also add the servlet-6.0 feature to the server.xml file.

When the restfulWS-3.0 and restfulWSClient-3.0 Liberty features are enabled, the Concurrency APIs are available to any Open Liberty application by default.

Starting with RESTful Web Services 3.1 and RESTful Web Services Client 3.1, the Concurrency APIs are no longer available by default. For Open Liberty applications that require Concurrency APIs, you must also add the concurrent-3.0 feature to the server.xml file.

With the service loader, Jakarta Rest providers can now be detected and registered automatically, unless the jakarta.ws.rs.loadServices property is set to Boolean.FALSE by using an application subclass getProperties() method. For more information, see section 4.1.2 of the Jakarta Restful Web Services specification.

A default exception mapper is added in version 3.1. With this addition, all exceptions that are not mapped to an existing exception mapper are handled. If the exception is a WebApplicationException exception, the response object is returned with whatever status code is set. For all other unmapped exceptions, the response status code is set to 500.

Support for array types as parameters is added to the following field and bean property annotations:

The Response.created(URI) method now resolves relative URIs into an absolute URI against the base URI. In previous releases, the method resolved against the request URI.

Constructors of the Cookie class are deprecated in favor of the Cookie.Builder class. Constructors of the NewCookie class are deprecated in favor of the NewCookie.Builder class.

This release adds a new option to find unknown Expression Language identifiers. When this option is enabled, a PropertyNotFoundException occurs if an unknown identifier is found. Previously, unknown identifiers were rendered as empty strings ("") and were difficult to identify. You can enable this option by using page directives, tag directives, or as a JSP Property Group in the web.xml file.

To enable this option by using page or tag directives, set the errorOnELNotFound attribute to true, as shown in the following example:

To enable this option by using a JSP Property Group in the web.xml file, set the error-on-el-not-found element to true, as shown in the following example:

For more information, see Unknown EL Identifiers in the Jakarta Server Pages specification.

Expression Language Resolvers are updated to improve handling of imports and unresolved variables. Two new resolvers are available in this release:

Default and implicit imports for the scripting environment now also apply to the expression language environment. These default imports are java.lang.*, jakarta.servlet.*, jakarta.servlet.jsp.*, and jakarta.servlet.http.*.

The Jakarta Tag URIs now use the jakarta.tags.* pattern. Although support for the previous http://xmlns.jcp.org/jsp/jstl/* pattern is maintained for compatibility with earlier versions, it is recommended to update your applications to use these new URIs. The following example shows the taglib directive with the new URIs:

For more information, see the Jakarta Tags doc.

The isThreadSafe directive is deprecated due to the removal of the SingleThreadModel interface in the Servlet 6.0 API. A workaround is implemented, but significant performance impacts might occur. Use of the isThreadSafe directive in Pages 3.1 is discouraged.

The jsp:plugin, jsp:params, and jsp:fallback actions are deprecated and are not operational. Current browsers no longer support the elements that are generated by the jsp:plugin and related actions.

In Jakarta Servlet 6.0, you can set attributes on a response cookie either from a deployment descriptor file, at application startup with the jakarta.servlet.ServletContainerInitializer API, or at request time.

To set cookie attributes in a web.xml deployment descriptor file, specify the attribute element within the cookie-config element, as shown in the following example:

You can also set cookie attributes dynamically from an application during application startup by using the jakarta.servlet.ServletContainerInitializer API, as shown in the following example:

Alternatively, you can set attributes from the application at request time, as shown in the following example:

If conflicts arise among different sources for the cookie configuration, the following precedence order applies to resolve the conflict, from highest to lowest precedence:

Servlet 6.0 implements the HTTP request cookie behavior by following the rfc6265 standard, which states that HTTP client agents such as browsers do not send back cookie attributes to the application server.

Previously, you could include request cookie attributes by adding the dollar sign ($) as a prefix to a valid attribute name. For example, $Domain=myDomain.com was treated as the Domain attribute for the request cookie. Starting in Servlet 6.0, $Domain is treated as a new cookie that is named $Domain. The dollar sign is also part of the cookie name. The only exception to this rule is the $Version value.

For example, consider the following HTTP request, which includes a cookie header:

Before Servlet 6.0, the server created the following three request cookies from this request:

In Servlet 6.0 and later, the server creates the following five request cookies from the same HTTP request:

New jakarta.servlet.ServletRequest APIs and a new jakarta.servlet.ServletConnection class are available to help you debug requests to your application. With the enhancement, you can track or refer to a request or obtain details of the network connection that is used by the request by using the request ID.

The following Jakarta.servlet.ServletRequest APIs are available in Servlet 6.0:

A new jakarta.servlet.ServletConnection object is retrieved from the getServletConnection() servlet request. It includes the following APIs:

Beginning with the Servlet 6.0 release, if any of the following sequences are present in a URI, a direct request is rejected with a 400 Bad Request status:

Note: the URI path verification is not applied to the query string.

You can skip the verification of encoded characters by setting the skipEncodedCharVerification property true. The default value is false.

To opt out of the encoded characters verification in the request URI for a servlet, you can configure this property as a context-param element in the application web.xml file.

Alternatively, you can set it as an attribute for the webContainer element in the server.xml file to skip the verification for all deployed applications.

The application-level context-param setting takes precedence over the server-level webContainer setting.

By default, the X-Powered-By header is not included in the response header. Beginning with Servlet 6.0, no configuration option is available to add the X-Powered-By header to the response header.

The following previously deprecated APIs and their corresponding constructors and methods are removed:

The following previously deprecated classes are removed:

For more information, see the Jakarta Servlet 6.0 Javadoc.

In Jakarta WebSocket 2.1, you can programmatically upgrade your HTTP requests to a WebSocket connection by using the new jakarta.websocket.server.ServerContainer#upgradeHttpToWebSocket() API method. This method replaces the com.ibm.websphere.wsoc.WsWsocServerContainer SPI, which is now deprecated, with plans to remove it in the next WebSocket release. However, this SPI is still available with the Jakarta WebSocket feature version 2.0 and earlier.

The WebSocket 2.1 release includes changes for user properties. The user properties for server sessions are initially populated by the ServerEndpointConfig.getUserProperties() method. This method enables endpoints to retrieve properties that might be set in an overridden ServerEndpointConfig.Configurator#modifyHandshake call for the incoming request​.

Similarly, user properties for client sessions are populated with the EndpointConfig.getUserProperties() method. These initial contents are shallow copies, which means that ClientEndpointConfig#getUserProperties and ServerEndpointConfig#getUserProperties() instances are now handled per endpoint, per WebSocket session. Properties are no longer global between all endpoint instances as they were in previous WebSocket versions.

Starting with WebSocket 2.1, applications can set their SSLContext class by using a jakarta.websocket.ClientEndpointConfig.Builder#sslContext​ instance, which Liberty uses to establish the wss connection to a server. This option overrides all Liberty server SSL configurations and must be used with caution. It is recommended to enable SSL communication in the server.xml file by enabling the Transport Security feature. Also, you can configure SSL by setting the WAS WebSocket Outbound element in the server.xml file.

The following changes are effective starting with WebSocket 2.1.

For more information, see the Jakarta WebSocket 2.1 specification.

In Jakarta XML Binding 4.0, you can specify the jakarta.xml.bind.JAXBContextFactory property to switch to a preferred third-party implementation. The xmlBinding-4.0 feature then uses the specified implementation instead of the reference implementation. Consider the following notes when you choose a third-party implementation.

If you set the jakarta.xml.bind.JAXBContextFactory property, you must add the specified third-party implementation to the application class path. Otherwise, a java.lang.ClassNotFoundException exception occurs. Furthermore, the third-party implementation must be shared between all applications that are running on the JVM. Any application that is running on the JVM that does not have the implementation added to its class path encounters a java.lang.ClassNotFoundException exception.

The xmlBinding-4.0 feature does not support the jakarta.xml.bind.Validator APIs. Any application that uses this API must either remove it or replace it with a SchemaValidation instance. The following examples demonstrate how to use a SchemaValidation instance as a replacement for a Validator API:

For more information, see the Jakarta XML Binding 4.0 specification.