|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7" |
| 4 | +# Do NOT change the categories section |
| 5 | +categories: blog |
| 6 | +author_picture: https://avatars3.githubusercontent.com/navaneethsnair1 |
| 7 | +author_github: https://github.com/navaneethsnair1 |
| 8 | +seo-title: Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7 - OpenLiberty.io |
| 9 | +seo-description: This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled. |
| 10 | +blog_description: This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled. |
| 11 | +open-graph-image: https://openliberty.io/img/twitter_card.jpg |
| 12 | +open-graph-image-alt: Open Liberty Logo |
| 13 | +--- |
| 14 | += Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7 |
| 15 | +Navaneeth S Nair <https://github.com/navaneethsnair1> |
| 16 | +:imagesdir: / |
| 17 | +:url-prefix: |
| 18 | +:url-about: / |
| 19 | +//Blank line here is necessary before starting the body of the post. |
| 20 | + |
| 21 | +This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled. |
| 22 | + |
| 23 | +// // // // // // // // |
| 24 | +// In the preceding section: |
| 25 | +// Do not insert any blank lines between any of the lines. |
| 26 | +// Do not remove or edit the variables on the lines beneath the author name. |
| 27 | +// |
| 28 | +// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it |
| 29 | +// can be left empty which will set it to the default |
| 30 | +// |
| 31 | +// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to |
| 32 | +// a custom picture, you must provide a custom string for "open-graph-image-alt". |
| 33 | +// |
| 34 | +// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4 |
| 35 | +// Replace GITHUB_USERNAME with your GitHub username eg: lauracowen |
| 36 | +// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post). |
| 37 | +// Replace AUTHOR_NAME with your name as you'd like it to be displayed, eg: Laura Cowen |
| 38 | +// |
| 39 | +// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc |
| 40 | +// |
| 41 | +// If adding image into the post add : |
| 42 | +// ------------------------- |
| 43 | +// [.img_border_light] |
| 44 | +// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"] |
| 45 | +// ------------------------- |
| 46 | +// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not |
| 47 | +// around diagrams. Then double check how it looks. |
| 48 | +// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark |
| 49 | +// backgrounds. |
| 50 | +// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog |
| 51 | +// change the "IMAGE CAPTION" to a couple words of what the image is |
| 52 | +// // // // // // // // |
| 53 | + |
| 54 | +In link:{url-about}[Open Liberty] 26.0.0.7: |
| 55 | + |
| 56 | +* <<cookie_cache, Tracking Logged-Out SSO Cookies Enabled by Default>> |
| 57 | +* <<mpHealth_4_0, Disabling mpHealth-4.0 REST endpoints when file-based health checks are enabled>> |
| 58 | +* <<CVEs, Security Vulnerability (CVE) Fixes>> |
| 59 | +* <<bugs, Notable bug fixes>> |
| 60 | + |
| 61 | + |
| 62 | +// // // // // // // // |
| 63 | +// If there were updates to guides since last release, keep the following, otherwise remove section. |
| 64 | +// // // // // // // // |
| 65 | +Along with the new features and functions added to the runtime, we’ve also made <<guides, updates to our guides>>. |
| 66 | + |
| 67 | +// // // // // // // // |
| 68 | +// In the preceding section: |
| 69 | +// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3 |
| 70 | +// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3 |
| 71 | +// Where the updates are grouped as sub-headings under a single heading |
| 72 | +// (eg all the features in a MicroProfile release), provide sub-entries in the list; |
| 73 | +// eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with |
| 74 | +// Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4) |
| 75 | +// // // // // // // // |
| 76 | + |
| 77 | +View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26007+label%3A%22release+bug%22[26.0.0.7]. |
| 78 | + |
| 79 | +Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts]. |
| 80 | + |
| 81 | + |
| 82 | +[#run] |
| 83 | + |
| 84 | +// // // // // // // // |
| 85 | +// LINKS |
| 86 | +// |
| 87 | +// OpenLiberty.io site links: |
| 88 | +// link:{url-prefix}/guides/maven-intro.html[Maven] |
| 89 | +// |
| 90 | +// Off-site links: |
| 91 | +//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions] |
| 92 | +// |
| 93 | +// IMAGES |
| 94 | +// |
| 95 | +// Place images in ./img/blog/ |
| 96 | +// Use the syntax: |
| 97 | +// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"] |
| 98 | +// // // // // // // // |
| 99 | + |
| 100 | +== Develop and run your apps using 26.0.0.7 |
| 101 | + |
| 102 | +If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file: |
| 103 | + |
| 104 | +[source,xml] |
| 105 | +---- |
| 106 | +<plugin> |
| 107 | + <groupId>io.openliberty.tools</groupId> |
| 108 | + <artifactId>liberty-maven-plugin</artifactId> |
| 109 | + <version>3.12.0</version> |
| 110 | +</plugin> |
| 111 | +---- |
| 112 | + |
| 113 | +Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file: |
| 114 | + |
| 115 | +[source,gradle] |
| 116 | +---- |
| 117 | +buildscript { |
| 118 | + repositories { |
| 119 | + mavenCentral() |
| 120 | + } |
| 121 | + dependencies { |
| 122 | + classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0' |
| 123 | + } |
| 124 | +} |
| 125 | +apply plugin: 'liberty' |
| 126 | +---- |
| 127 | +// // // // // // // // |
| 128 | +// In the preceding section: |
| 129 | +// Replace the Maven `3.11.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin |
| 130 | +// Replace the Gradle `3.9.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin |
| 131 | +// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins |
| 132 | +// // // // // // // // |
| 133 | + |
| 134 | +Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]: |
| 135 | + |
| 136 | +[source] |
| 137 | +---- |
| 138 | +FROM icr.io/appcafe/open-liberty |
| 139 | +---- |
| 140 | + |
| 141 | +Or take a look at our link:{url-prefix}/start/[Downloads page]. |
| 142 | + |
| 143 | +If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE. |
| 144 | + |
| 145 | +[link=https://stackoverflow.com/tags/open-liberty] |
| 146 | +image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"] |
| 147 | + |
| 148 | +[#cookie_cache] |
| 149 | +== Tracking Logged-Out SSO Cookies Enabled by Default |
| 150 | +To continuously improve built-in security for applications, Open Liberty 26.0.0.7 now enables the tracking of logged-out Single Sign-On (SSO) cookies by default. With this feature, logged-out SSO cookies can no longer be replayed after logout. |
| 151 | + |
| 152 | +=== What is the potential impact? |
| 153 | +When a logged-out SSO cookie is replayed, the user is now explicitly prompted to reauthenticate. This helps harden security. |
| 154 | + |
| 155 | +Tracking logged-out SSO Cookies can still be disabled with the following server configuration: |
| 156 | + |
| 157 | +[source,xml] |
| 158 | +---- |
| 159 | +<webAppSecurity trackLoggedOutSSOCookies="false"/> |
| 160 | +---- |
| 161 | + |
| 162 | +For more information, check out the Tracking Logged-Out SSO Cookies link:https://openliberty.io/docs/latest/track-loggedout-sso.html[documentation]. |
| 163 | + |
| 164 | + |
| 165 | +// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // // |
| 166 | +// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/34987 |
| 167 | +// Contact/Reviewer: pgunapal |
| 168 | +// // // // // // // // |
| 169 | +[#mpHealth_4_0] |
| 170 | +== Disabling mpHealth-4.0 REST endpoints when file-based health checks are enabled |
| 171 | + |
| 172 | +The mpHealth-4.0 feature enables support for MicroProfile Health 4.0 in Open Liberty. The feature also includes a file-based health check mechanism as an alternative to the `/health` REST endpoints. When the file-based health check mechanism is enabled, you can now disable the `/health/started`, `/health/live`, and `/health/ready` REST endpoints using server configuration attributes. |
| 173 | + |
| 174 | +Previously, when file-based health checks were enabled, the REST-based MicroProfile Health endpoints were still registered and accessible. This behavior was often redundant for Kubernetes deployments that rely on file-based health checks, where users typically configure probes using the `exec` strategy rather than `httpGet` or `gRPC`. In these scenarios, the REST health endpoints are not used. |
| 175 | + |
| 176 | +To address this redundancy, this release introduces a new optional `mpHealth` server configuration attribute that allows REST health endpoints to be disabled when file-based health checks are enabled. |
| 177 | + |
| 178 | +The `mpHealth-4.0` feature adds a new optional `enableEndpoints="false"` attribute to the `mpHealth` server configuration element in `server.xml` file. An equivalent environment variable, `MP_HEALTH_ENABLE_ENDPOINTS=false`, is also supported. |
| 179 | + |
| 180 | +When this option is set to `false` and file-based health checks are enabled, the server does not register or expose the MicroProfile Health REST endpoints (`/health, /health/live, /health/ready, /health/started`). Requests to these endpoints return '404 Not Found' response. |
| 181 | + |
| 182 | +File-based health checks can be enabled with the `checkInterval` configuration attribute or the `MP_HEALTH_CHECK_INTERVAL` environment variable. |
| 183 | + |
| 184 | +If both the environment variable and `server.xml` file configuration are specified, the `server.xml` setting takes precedence at runtime. |
| 185 | + |
| 186 | +[source,xml] |
| 187 | +---- |
| 188 | +<server> |
| 189 | + <featureManager> |
| 190 | + <feature>mpHealth-4.0</feature> |
| 191 | + </featureManager> |
| 192 | + |
| 193 | + <!-- Enable file-based health checks but disable HTTP endpoints --> |
| 194 | + <mpHealth startupCheckInterval="1s" checkInterval="5s" enableEndpoints="false" /> |
| 195 | + ... |
| 196 | +</server> |
| 197 | +---- |
| 198 | + |
| 199 | +If either the `enableEndpoints` configuration attribute or the `MP_HEALTH_ENABLE_ENDPOINTS` environment variable is not set, the default value is `true`, and the health check REST endpoints are enabled and exposed. |
| 200 | + |
| 201 | +*Note*: This capability is supported only when the file‑based health check mechanism is enabled. If file-based health checks are not enabled and the new `enableEndpoints` configuration attribute or environment variable is specified, a warning message is logged. The REST health endpoints remain enabled by default. |
| 202 | + |
| 203 | +For more information, see the link:{url-prefix}/docs/latest/health-check-microservices.html[documentation]. |
| 204 | + |
| 205 | +// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> |
| 206 | + |
| 207 | +[#CVEs] |
| 208 | +== Security vulnerability (CVE) fixes in this release |
| 209 | +[cols="5*"] |
| 210 | +|=== |
| 211 | +|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes |
| 212 | + |
| 213 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-8646[CVE-2026-8646] |
| 214 | +|8.1 |
| 215 | +|HTTP request smuggling |
| 216 | +|17.0.0.3-26.0.0.6 |
| 217 | +|Affects the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features |
| 218 | + |
| 219 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-9320[CVE-2026-9320] |
| 220 | +|5.9 |
| 221 | +|Denial of service |
| 222 | +|17.0.0.3-26.0.0.6 |
| 223 | +|Affects the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features |
| 224 | + |
| 225 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-9071[CVE-2026-9071] |
| 226 | +|7.1 |
| 227 | +|Denial of service |
| 228 | +|17.0.0.3-26.0.0.6 |
| 229 | +|Affects servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features |
| 230 | + |
| 231 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-42402[CVE-2026-42402] |
| 232 | +|7.5 |
| 233 | +|Denial of service |
| 234 | +|17.0.0.3-26.0.0.6 |
| 235 | +|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features |
| 236 | + |
| 237 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-42403[CVE-2026-42403] |
| 238 | +|7.5 |
| 239 | +|Denial of service |
| 240 | +|17.0.0.3-26.0.0.6 |
| 241 | +|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features |
| 242 | + |
| 243 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-42404[CVE-2026-42404] |
| 244 | +|7.2 |
| 245 | +|Server-Side Request Forgery |
| 246 | +|17.0.0.3-26.0.0.6 |
| 247 | +|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features |
| 248 | + |
| 249 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-11806[CVE-2026-11806] |
| 250 | +|7.2 |
| 251 | +|HTTP request smuggling |
| 252 | +|17.0.0.3-26.0.0.6 |
| 253 | +|Affects restConnector-2.0 feature |
| 254 | + |
| 255 | +|link:https://www.cve.org/CVERecord?id=CVE-2026-11541[CVE-2026-11541] |
| 256 | +|7.4 |
| 257 | +|HTTP request smuggling |
| 258 | +|17.0.0.3-26.0.0.6 |
| 259 | +| |
| 260 | + |
| 261 | +|=== |
| 262 | +// // // // // // // // |
| 263 | +// In the preceding section: |
| 264 | +// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz. |
| 265 | +// Note: When linking to features, use the |
| 266 | +// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and |
| 267 | +// NOT what security-vulnerabilities.adoc does (someFeature-1.0) |
| 268 | +// |
| 269 | +// If there are no CVEs fixed in this release, replace the table with: |
| 270 | +// "There are no security vulnerability fixes in Open Liberty [26.0.0.7]." |
| 271 | +// // // // // // // // |
| 272 | +For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list]. |
| 273 | + |
| 274 | + |
| 275 | +[#bugs] |
| 276 | +== Notable bugs fixed in this release |
| 277 | + |
| 278 | + |
| 279 | +We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26007+label%3A%22release+bug%22[full list of bugs fixed in 26.0.0.7]. |
| 280 | + |
| 281 | +* link:https://github.com/OpenLiberty/open-liberty/issues/35179[PathUtils.normalize() skips collapsing ".." after "${"-prefixed segment] |
| 282 | +* link:https://github.com/OpenLiberty/open-liberty/issues/35121[Create server: WARNING: A restricted method in java.lang.System has been called] |
| 283 | +* link:http://github.com/OpenLiberty/open-liberty/issues/35112["featureUtility installServerFeatures" stopped working on 26.0.0.6 when FEATURE_REPO_URL is specified] |
| 284 | + |
| 285 | +// // // // // // // // |
| 286 | +// In the preceding section: |
| 287 | +// For this section ask either Michal Broz or Tom Evans or the #openliberty-release-blog channel for Notable bug fixes in this release. |
| 288 | +// Present them as a list in the order as provided, linking to the issue and providing a short description of the bug and the resolution. |
| 289 | +// If the issue on Github is missing any information, leave a comment in the issue along the lines of: |
| 290 | +// "@[issue_owner(s)] please update the description of this `release bug` using the [bug report template](https://github.com/OpenLiberty/open-liberty/issues/new?assignees=&labels=release+bug&template=bug_report.md&title=)" |
| 291 | +// Feel free to message the owner(s) directly as well, especially if no action has been taken by them. |
| 292 | +// For inspiration about how to write this section look at previous blogs e.g- 20.0.0.10 or 21.0.0.12 (https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html#bugs) |
| 293 | +// // // // // // // // |
| 294 | + |
| 295 | + |
| 296 | +== Get Open Liberty 26.0.0.7 now |
| 297 | + |
| 298 | +Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>. |
0 commit comments