Chapter 2. New Features and Enhancements

Support for automatic update of credentials in a credential store

Elytron now automates adding and updating a credential to a previously defined credential store when you configure a credential reference that specifies both the store and clear-text attributes.

With this update, you do not need to add a credential to an existing credential store before you can reference it from a credential-reference. The automated process reduces the number of steps you need to perform for referencing new credentials in different subsystems.

New role mapper regex-role-mapper in Elytron

Elytron now provides a new role mapper, regex-role-mapper, to define a regular expression (regex) based mapping of security roles.

You can use regex-role-mapper to translate a list of roles to simpler roles. For example:

With regex-role-mapper, you do not need to implement your own custom component to translate security roles.

Accessing IP address of remote client

In the JBoss EAP CD 20 release, you can add the source-address-role-decoder role decoder to the elytron subsystem. By configuring this role decoder, you can gain additional information from a remote client when making authorization decisions.

The source-address-role-decoder extracts the IP address of a remote client and checks that it matches the IP address specified in the pattern attribute or the source-address attribute. If the IP address of the remote client matches the IP address specified in either attribute, the roles attribute then assigns roles to the user. When you have configured source-address-role-decoder, you can reference it in the role-decoder attribute of the security domain.

The aggregate-role-decoder role decoder

The aggregate-role-decoder consists of two or more role decoders. After each specified role decoder completes its operation, it adds roles to the aggregate-role-decoder.

You can use aggregate-role-decoder to make authorization decisions by adding role decoders that assign roles for a user. Further, aggregate-role-decoder provides you with a convenient way to aggregate the roles returned from each role decoder.

Configuring SameSite cookie attribute

You can now configure the SameSite attribute for cookies in the current JBoss EAP release with a samesite-cookie predicated handler in the undertow subsystem. With this handler, you can update your server configuration without having to change your applications. This enhancement supports changes to the processing of cookies that were recently implemented in major web browsers to improve security.

Default global stateful session bean timeout value in the ejb3 subsystem

In the ejb3 subsystem, you can now configure a default global timeout value for all stateful session beans (SFSBs) that are deployed on your server instance by using the default-stateful-bean-session-timeout attribute. This attribute is located in the JBoss EAP server configuration file. You can configure the attribute using the Management CLI.

Attribute behavior varies according to the server mode. For example:

By default, the attribute value is set at -1 milliseconds, which means that deployed SFSBs are configured to never time out. However, you can configure two other types of valid values for the attribute, as follows:

You can still use the pre-existing @StatefulTimeout annotation or the stateful-timeout element, which is located in the ejb-jar.xml deployment descriptor, to configure the timeout value for an SFSB. However, setting such a configuration overrides the default global timeout value to the SFSB.

Forcing Jakarta Enterprise Beans timer refresh in database-data-store

You can now set the wildfly.ejb.timer.refresh.enabled flag using the EE interceptor. When an application calls the TimerService.getAllTimers() method, JBoss EAP checks this flag. If this flag is set to true, JBoss EAP refreshes the Jakarta Enterprise Beans timers from database before returning the result.

In the previous JBoss EAP releases, the Jakarta Enterprise Beans timer reading could be refreshed in a database using the refresh-interval attribute found in database-data-store. Users could set the refresh-interval attribute value in milliseconds to refresh the Jakarta Enterprise Beans timer reading.

Access to runtime information from Jakarta Enterprise Beans

The ejb3 subsystem includes the ability to expose runtime data using annotations or deployment descriptors. Prior versions of JBoss EAP did not include the ability to retrieve this runtime information.

For JBoss EAP CD 20, the ejb3 includes the ability to retrieve this runtime information.

Configuring the wildfly.jpa.skipquerydetach persistence unit property

You can configure the wildfly.jpa.skipquerydetach persistence unit property from the persistence.xml file of a container-managed persistence context.

The default value for wildfly.jpa.skipquerydetach is false. Use this setting to set a transaction-scoped persistence context to immediately detach query results from an open persistence context.

Configure wildfly.jpa.skipquerydetach as true, to set a transaction-scoped persistence context to detach query results when a persistence context is closed. This enables a non-standard specification extension.

For applications that have the non-standalone specification extension jboss.as.jpa.deferdetach set as true, you can also set wildfly.jpa.skipquerydetach as true.

Ability for RESTEasy 3.x to access all standard MicroProfile ConfigSources

RESTEasy 3.x can now access all standard MicroProfile ConfigSources. The following additional ConfigSources are also added to RESTEasy 3.x:

Previously, these capabilities were only included in RESTEasy 4.x. With this update, RESTEasy can access configuration parameters with or without the MicroProfile ConfigSources. In the absence of a MicroProfile Config implementation, RESTEasy falls back to the older method of gathering parameters from ServletContext parameters and init parameters.