Skip to content

Commit 51a0aae

Browse files
Merge pull request #4798 from OpenLiberty/26.0.0.5-beta-post
26.0.0.5 beta post
2 parents 105b016 + 274f089 commit 51a0aae

1 file changed

Lines changed: 325 additions & 0 deletions

File tree

Lines changed: 325 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,325 @@
1+
---
2+
layout: post
3+
title: "MCP server updates and Transport Security in 26.0.0.5-beta"
4+
# Do NOT change the categories section
5+
categories: blog
6+
author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
7+
author_github: https://github.com/navaneethsnair1
8+
seo-title: "MCP server updates and Transport Security in 26.0.0.5-beta- OpenLiberty.io"
9+
seo-description: This beta release updates the `mcpServer-1.0` feature and simplifies SSL cipher configuration using JDK defaults and flexible `enabledCiphers` syntax.
10+
blog_description: This beta release updates the `mcpServer-1.0` feature and simplifies SSL cipher configuration using JDK defaults and flexible `enabledCiphers` syntax.
11+
open-graph-image: https://openliberty.io/img/twitter_card.jpg
12+
open-graph-image-alt: Open Liberty Logo
13+
---
14+
= MCP server updates and Transport Security in 26.0.0.5-beta
15+
Navaneeth S Nair <https://github.com/navaneethsnair1>
16+
:imagesdir: /
17+
:url-prefix:
18+
:url-about: /
19+
//Blank line here is necessary before starting the body of the post.
20+
21+
This beta release updates the `mcpServer-1.0` feature and simplifies SSL cipher configuration using JDK defaults and flexible `enabledCiphers` syntax.
22+
23+
// // // // // // // //
24+
// Change the RELEASE_SUMMARY to an introductory paragraph. This sentence is really
25+
// important because it is supposed to grab the readers attention. Make sure to keep the blank lines
26+
//
27+
// Throughout the doc, replace RELEASE_VERSION with the version number of Open Liberty, eg: 22.0.0.2-beta
28+
// // // // // // // //
29+
30+
The link:{url-about}[Open Liberty] 26.0.0.5-beta includes the following beta features (along with link:{url-prefix}/docs/latest/reference/feature/feature-overview.html[all GA features]):
31+
32+
* <<mcp, Updates to `mcpServer-1.0`>>
33+
* <<transportSecurity, Transport Security>>
34+
35+
// // // // // // // //
36+
// In the preceding section:
37+
// Change SUB_FEATURE_TITLE to the feature that is included in this release and
38+
// change the SUB_TAG_1/2/3 to the heading tags
39+
//
40+
// However if there's only 1 new feature, delete the previous section and change it to the following sentence:
41+
// "The link:{url-about}[Open Liberty] RELEASE_VERSION includes SUB_FEATURE_TITLE"
42+
// // // // // // // //
43+
44+
See also link:{url-prefix}/blog/?search=beta&key=tag[previous Open Liberty beta blog posts].
45+
46+
// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // //
47+
// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33838
48+
// Contact/Reviewer: martindrozdz
49+
// // // // // // // //
50+
[#mcp]
51+
== Updates to `mcpServer-1.0`
52+
53+
The link:https://modelcontextprotocol.io/docs/getting-started/intro[Model Context Protocol (MCP)] is an open standard that enables AI applications to access real-time information from external sources. The Liberty MCP Server feature `mcpServer-1.0` allows developers to expose the business logic of their applications, allowing it to be integrated into agentic AI workflows.
54+
55+
This beta release of Liberty includes important updates to the `mcpServer-1.0` feature including configurable endpoint paths and notable bug fixes.
56+
57+
=== Prerequisites
58+
To use the `mcpServer-1.0` feature, it is required to have `Java 17`` or later installed on your system.
59+
60+
=== Configure custom MCP endpoint paths (Currently under review as this is not working as intended after testing with multiple modules)
61+
62+
Previously, the MCP endpoint was hard-coded to `/mcp` under the web application context root. You can now configure custom endpoint paths to better suit your application architecture and naming conventions.
63+
64+
==== Single Application Configuration
65+
66+
For a single application, configure the endpoint path directly in the `<mcpServer>` element:
67+
68+
[source,xml]
69+
----
70+
<server description="Liberty server with custom MCP endpoint">
71+
72+
<featureManager>
73+
<feature>servlet-6.0</feature>
74+
<feature>cdi-4.0</feature>
75+
<feature>mcpServer-1.0</feature>
76+
</featureManager>
77+
78+
<httpEndpoint id="defaultHttpEndpoint"
79+
httpPort="9080"
80+
httpsPort="9443"/>
81+
82+
<!-- Configure custom MCP endpoint path -->
83+
<mcpServer endpoint="/custom-mcp"/>
84+
85+
</server>
86+
----
87+
88+
With this configuration, MCP server can be accessed at `/custom-mcp` instead of the default `/mcp` path.
89+
90+
==== Multiple Application Configuration
91+
92+
For applications with multiple modules or when you need different endpoint paths for different parts of your application, configure the MCP server settings under the `<application>` element:
93+
94+
[source,xml]
95+
----
96+
<server description="Liberty server with multiple MCP endpoints">
97+
98+
<featureManager>
99+
<feature>servlet-6.0</feature>
100+
<feature>cdi-4.0</feature>
101+
<feature>mcpServer-1.0</feature>
102+
</featureManager>
103+
104+
<httpEndpoint id="defaultHttpEndpoint"
105+
httpPort="9080"
106+
httpsPort="9443"/>
107+
108+
<application name="myApp" location="myApp.ear" type="ear">
109+
<!-- Configure MCP endpoint for specific module -->
110+
<mcpServer moduleName="module1" name="default" path="/api/mcp"/>
111+
<mcpServer moduleName="module2" name="default" path="/services/mcp"/>
112+
</application>
113+
114+
</server>
115+
----
116+
117+
This configuration supports the following:
118+
119+
* Define different endpoint paths for different modules within the same application
120+
* Use descriptive paths that align with your API structure
121+
* Support future extensibility for multiple MCP endpoints within a single module
122+
123+
==== Configuration Options
124+
125+
The `<mcpServer>` element supports the following attributes:
126+
127+
* *endpoint* (single app): The custom path for the MCP endpoint (e.g., `/custom-mcp`)
128+
* *moduleName* (multi-app): The name of the module to configure
129+
* *name* (multi-app): The identifier for the MCP server configuration (typically "default")
130+
* *path* (multi-app): The custom path for the MCP endpoint
131+
132+
==== Benefits
133+
134+
Configurable endpoint paths provide:
135+
136+
* *Flexibility*: Align MCP endpoints with your existing API structure
137+
* *Multi-tenancy support*: Different paths for different applications or modules
138+
* *Future-proofing*: Foundation for supporting multiple MCP endpoints per application
139+
* *Better organization*: Descriptive paths that reflect the purpose of each endpoint
140+
141+
=== Notable bug fixes in this release for `mcpServer-1.0`
142+
143+
==== 1) Structured content output schemas now comply with MCP specification
144+
145+
The MCP specification requires that structured content output schemas must have an object type at the root level. Previously, when arrays of objects are returned, the schema incorrectly placed the array at the root level.
146+
147+
*Previous Behavior (Incorrect):*
148+
[source,json]
149+
----
150+
{
151+
"outputSchema": {
152+
"description": "Returns list of person object",
153+
"type": "array",
154+
"items": {
155+
"$ref": "#/$defs/Person"
156+
}
157+
}
158+
}
159+
----
160+
161+
*Current Behavior (Correct):*
162+
[source,json]
163+
----
164+
{
165+
"outputSchema": {
166+
"description": "Returns Persons object",
167+
"type": "object",
168+
"properties": {
169+
"persons": {
170+
"type": "array",
171+
"items": {
172+
"$ref": "#/$defs/Person"
173+
}
174+
}
175+
}
176+
}
177+
}
178+
----
179+
180+
This ensures all structured content responses comply with the link:https://modelcontextprotocol.io/specification/2025-11-25/server/tools#structured-content[MCP structured content specification] and improves compatibility with MCP clients and conformance tests.
181+
182+
==== 2) Authentication failures now return correct HTTP status code
183+
184+
Previously, failed authentication attempts returned a `403 Forbidden` response, which might be confusing as it typically indicates authorization (permission) failures rather than authentication (identity verification) failures.
185+
186+
Now, failed authentication attempts correctly return a `401 Unauthorized` response, making it immediately clear that the issue is with authentication credentials rather than permissions. This behavior follows HTTP specification best practices and makes it easier to troubleshoot authentication configuration problems.
187+
188+
==== 3) Fixed encoder bean isolation in multi-application deployments
189+
190+
Previously, encoder beans from multiple applications were stored in a static list within `McpCdiExtension`, causing beans from different applications to interfere with each other. This behaviour could result in encoder beans from one application being incorrectly called in another application, unpredictable behavior in multi-application deployments, and potential security issues with cross-application bean access.
191+
192+
This has been fixed to ensure proper isolation of encoder beans per application, preventing cross-application interference and ensuring each application uses only its own encoder beans.
193+
194+
// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>
195+
196+
// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // //
197+
// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/33838
198+
// Contact/Reviewer: martindrozdz
199+
// // // // // // // //
200+
[#transportSecurity]
201+
== Transport Security
202+
203+
Liberty uses the default cipher list from the JDK. The `securityLevel` attribute in the SSL configuration is not used anymore. In addition, the `enabledCiphers` attribute in the SSL config is updated to customize the SSL ciphers in a more flexible way.
204+
205+
This change modifies the existing attribute `enabledCiphers` in the `ssl` config.
206+
207+
Liberty's `securityLevel` based cipher categories no longer provide meaningful value. The `MEDIUM` and `LOW` categories contain no remaining ciphers and `securityLevel` `HIGH` does not sync up (or not the same) with/as the JDK defaults.
208+
209+
The `enabledCiphers` attribute includes a new syntax option to add '+' or remove '–' specific ciphers from the JDK default list without redefining everything. A static list and +/- syntax in the same `enabledCiphers` entry is not allowed. If the value set in `enabledCiphers` contains a static entry and a +/- entry, an error is logged, and the server ignores the `enabledCiphers` value by returning the JDK default list.
210+
211+
*Example Usage*
212+
213+
[source,xml]
214+
----
215+
<ssl id="defaultSSL" securityLevel="HIGH"/>
216+
<ssl id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ..."/>
217+
<ssl id="defaultSSL" securityLevel="CUSTOM" enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384..../">
218+
<!-- basically everything except TLS_RSA ciphers from the effective jdk list -->
219+
----
220+
221+
*Example with proposed change*
222+
223+
[source,xml]
224+
----
225+
<ssl id="defaultSSL"/>
226+
<ssl id="defaultSSL" enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
227+
<ssl id="defaultSSL" enabledCiphers="-TLS_RSA*"/>
228+
----
229+
230+
To learn more about Transport Security, see link:https://openliberty.io/docs/modules/reference/23.0.0.6/com.ibm.websphere.appserver.api.ssl_1.5-javadoc/com/ibm/websphere/ssl/Constants.html[SSL Constants Javadoc], link:https://openliberty.io/docs/modules/reference/23.0.0.6/com.ibm.websphere.appserver.api.ssl_1.5-javadoc/com/ibm/websphere/ssl/JSSEProvider.html[JSSEProvider Javadoc], and link:https://openliberty.io/docs/latest/reference/config/ssl.html[SSL Configuration Reference].
231+
232+
// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>
233+
234+
[#run]
235+
=== Try it now
236+
237+
To try out these features, update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 21, Java SE 17, Java SE 11, and Java SE 8.
238+
// // // // // // // //
239+
// In the preceding section:
240+
// Check if a new non-LTS Java SE version is supported that needs to be added to the list (21, 17, 11, and 8 are LTS and will remain for a while)
241+
// https://openliberty.io/docs/latest/java-se.html
242+
//
243+
// In the following section:
244+
// Check if a new MicroProfile or Jakarta version is in beta that could replace the example values in the codeblock
245+
// // // // // // // //
246+
247+
If you're using link:{url-prefix}/guides/maven-intro.html[Maven], you can install the All Beta Features package using:
248+
249+
[source,xml]
250+
----
251+
<plugin>
252+
<groupId>io.openliberty.tools</groupId>
253+
<artifactId>liberty-maven-plugin</artifactId>
254+
<version>3.12.0</version>
255+
<configuration>
256+
<runtimeArtifact>
257+
<groupId>io.openliberty.beta</groupId>
258+
<artifactId>openliberty-runtime</artifactId>
259+
<version>26.0.0.5-beta</version>
260+
<type>zip</type>
261+
</runtimeArtifact>
262+
</configuration>
263+
</plugin>
264+
----
265+
266+
You must also add dependencies to your `pom.xml` file for the beta version of the APIs that are associated with the beta features that you want to try. For example, the following block adds dependencies for two example beta APIs:
267+
268+
[source,xml]
269+
----
270+
<dependency>
271+
<groupId>org.example.spec</groupId>
272+
<artifactId>exampleApi</artifactId>
273+
<version>7.0</version>
274+
<type>pom</type>
275+
<scope>provided</scope>
276+
</dependency>
277+
<dependency>
278+
<groupId>example.platform</groupId>
279+
<artifactId>example.example-api</artifactId>
280+
<version>11.0.0</version>
281+
<scope>provided</scope>
282+
</dependency>
283+
----
284+
285+
Or for link:{url-prefix}/guides/gradle-intro.html[Gradle]:
286+
287+
[source,gradle]
288+
----
289+
buildscript {
290+
repositories {
291+
mavenCentral()
292+
}
293+
dependencies {
294+
classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
295+
}
296+
}
297+
apply plugin: 'liberty'
298+
dependencies {
299+
libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[26.0.0.5-beta,)'
300+
}
301+
----
302+
// // // // // // // //
303+
// In the preceding section:
304+
// Replace the Maven `3.11.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin
305+
// Replace the Gradle `3.9.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin
306+
// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins
307+
// // // // // // // //
308+
309+
Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:
310+
311+
[source]
312+
----
313+
FROM icr.io/appcafe/open-liberty:beta
314+
----
315+
316+
Or take a look at our link:{url-prefix}/downloads/#runtime_betas[Downloads page].
317+
318+
If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE.
319+
320+
For more information on using a beta release, refer to the link:{url-prefix}docs/latest/installing-open-liberty-betas.html[Installing Open Liberty beta releases] documentation.
321+
322+
[#feedback]
323+
== We welcome your feedback
324+
325+
Let us know what you think on link:https://groups.io/g/openliberty[our mailing list]. If you hit a problem, link:https://stackoverflow.com/questions/tagged/open-liberty[post a question on StackOverflow]. If you hit a bug, link:https://github.com/OpenLiberty/open-liberty/issues[please raise an issue].

0 commit comments

Comments
 (0)