Chapter 1. Release notes for Red Hat build of Quarkus 3.27

Quarkiverse, the Quarkus community extensions hub, introduces Dev Assistant through the Quarkus Chappie extension (quarkus-chappie). Dev Assistant helps you troubleshoot exceptions, generate test code, complete TODO sections, and understand complex code by providing AI-powered assistance during development mode. The feature integrates with OpenAI-compatible services or a local Ollama instance, is configured through the Dev UI, and adds no overhead to production applications.

For more information, see the Quarkus Dev Assistant guide.

In the current release, you can use Hibernate ORM and Hibernate Reactive together in the same persistence unit.

This capability enables applications to combine blocking and reactive persistence, supporting mixed workloads and partial adoption of reactive features alongside imperative code.

For more information, see the GitHub Pull Request #44473.

In the current release, Red Hat build of Quarkus introduces Jakarta Data integration through the Hibernate ORM extension, quarkus-hibernate-orm.

The Jakarta Data API, a Jakarta EE 11 specification, simplifies how you access and interact with databases and other data sources in Java applications. It provides a standardized way of defining repositories and the ability to build queries in a type-safe manner.

Jakarta Data requires an additional runtime dependency to be added to your pom.xml file.

In the current release, Hibernate ORM can start offline without requiring a database connection. Hibernate provides sensible defaults for the database dialect and version. You can configure the dialect, version, and dialect-specific settings when your target database differs from the common defaults.

Because no connection is opened at startup, ensure the database schema has been created correctly before the application starts. A live database connection is required at runtime to persist or query data.

For more information, see the following resources:

Hibernate ORM is the standard Jakarta Persistence implementation and, in the current release, Hibernate ORM is upgraded to version 7.1 with Jakarta Persistence version 3.2.

The upgrade to the Hibernate ORM 7 release series introduces many new features and enhancements.

For a full list of changes, see the following Hibernate migration documentation:

This upgrade introduces breaking changes in Red Hat build of Quarkus. For information about the breaking changes, see the Hibernate ORM: Upgraded to version 7.1 release note.

For more information, see the following resources:

In the current release, named persistence units and data sources are provided with Hibernate Reactive.

This functionality is available as a Technology Preview scope of support feature.

This capability aligns Hibernate Reactive with Hibernate ORM and enables developers to define and use multiple persistence units or data sources in reactive applications.

For more information, see the following resources:

In the current release, Hibernate Reactive has been upgraded to version 3.1.

For more information, see the following resources:

In the current release, Hibernate Search has been upgraded to version 8.1.

The upgrade to the 8.x series introduces several new features, including improvements to Hibernate Search DSL and aggregations that help simplify the calculation of metric aggregations and create bucket aggregations.

Hibernate Search 8.1 remains compatible with version 7.2.

For more information about Hibernate Search 8.1 features and enhancements, see the following Hibernate documentation:

In the current release, Hibernate Validator extends its integration with Hibernate Reactive. This feature enables validation of entities and allows Hibernate Reactive to enrich the database schema.

For example, a @NotNull annotation on an entity attribute results in a not null clause in the corresponding column definition. This behavior provides consistency with Hibernate ORM and improves data integrity across reactive applications.

Constraint mappings defined in XML (validation.xml) are respected for constraint declarations. Quarkus does not support configuring the ValidatorFactory through XML.

This functionality is available as a Technology Preview scope of support feature. Therefore, some limitations apply. For instance, validation across lazy associations might not function properly.

For more information, see the following resources:

In the current release, Hibernate Validator is upgraded to version 9.0.

Hibernate Validator 9.0 removes many deprecated constraints and properties. For information about these removals, see the Hibernate Validator 9.0 migration guide.

For more information, see the following resources:

In the current release, you can configure MongoDB client (quarkus-mongodb-client) connections by using the Quarkus TLS registry:

# Configure MongoDB connection
quarkus.mongodb.connection-string=mongodb://localhost:27017?tls=true

# Define a named TLS configuration for MongoDB
quarkus.tls.my-mongo.trust-store.pem.certs=server-cert.pem
quarkus.tls.my-mongo.key-store.pem.0.key=client-key.pem
quarkus.tls.my-mongo.key-store.pem.0.cert=client-cert.pem

# Reference the named configuration in MongoDB client
quarkus.mongodb.tls-configuration-name=my-mongo

# Reuse the same TLS configuration for additional MongoDB connections
# quarkus.mongodb.db2.tls-configuration-name=my-mongo
# quarkus.mongodb.db3.tls-configuration-name=my-mongo

quarkus.tls.my-mongo.hostname-verification-algorithm=NONE
quarkus.mongodb.tls-configuration-name=my-mongo

In this example:

For more information, see the TLS configuration section of the Quarkus "Using the MongoDB Client" guide.

In the current release, the gRPC extension introduces customization of the gRPC server build process.

This capability enables advanced scenarios such as tuning the ServerBuilder instance or server options at runtime.

For more information, see the following resources:

Red Hat build of Quarkus 3.27 introduces the Micrometer-OpenTelemetry Bridge (quarkus-micrometer-opentelemetry) extension, which allows the user to create a Micrometer registry implemented with the OpenTelemetry APIs in Red Hat build of Quarkus applications.

This functionality is available as a Technology Preview scope of support feature.

The quarkus-micrometer-opentelemetry extension helps to streamline integration by incorporating features of both quarkus-opentelemetry and quarkus-micrometer, allowing the normal use of the Micrometer API, but handling metrics through OpenTelemetry.

With this new extension, you can now generate Micrometer metrics, OpenTelemetry tracing, logs, and OpenTelemetry metrics by default.

For more information, see the Quarkus Micrometer and OpenTelemetry extension guide.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

In the current release, the Quarkus OpenID Connect (quarkus-oidc) extension supports the OAuth 2.0 Step Up Authentication Challenge Protocol for OIDC bearer token authentication.

You can configure applications to require stronger authentication levels for accessing sensitive endpoints by completing the following tasks:

To configure step-up authentication:

If a request does not meet the authentication requirements, the server returns a 401 Unauthorized response with a WWW-Authenticate header that contains the required authentication level.

This feature is supported in the following environments:

When implementing step-up authentication, note the following:

For more information, see the Step Up Authentication section in the OpenID Connect (OIDC) authentication guide.

In the current release, you can configure the OpenID Connect (OIDC) client (quarkus-oidc-client) extension to refresh tokens asynchronously in the background, improving performance for critical applications.

By default, the OIDC client refreshes tokens during the current request when it detects expiration or near-expiration. This can cause performance bottlenecks in high-throughput applications. The new asynchronous refresh feature proactively refreshes tokens in the background before they expire, preventing token refresh operations from blocking incoming requests. This is particularly beneficial for applications with strict latency requirements or high request volumes.

# Configure OIDC client connection
quarkus.oidc-client.auth-server-url=https://auth.example.com/realms/myrealm
quarkus.oidc-client.client-id=my-client
quarkus.oidc-client.credentials.secret=my-secret

# Enable periodic asynchronous token refresh
quarkus.oidc-client.refresh-interval=1m

# Optional: Configure refresh token time skew
quarkus.oidc-client.refresh-token-time-skew=30s

In this example:

For more information, see the Refreshing access tokens section of the OpenID Connect (OIDC) client and token propagation guide.

In the current release, the OIDC extension adds the ability to set the Clear-Site-Data HTTP response header on logout.

This header instructs the browser to clear local data such as cookies, cache, and storage when the user logs out, which improves security and privacy for end users.

For more information, see the following resources:

In the current release, the Quarkus OpenID Connect (quarkus-oidc) extension supports health readiness checks. With this feature, you can verify that your application can connect to your OIDC server before serving requests.

To enable OIDC health checks:

The health check is disabled by default. When enabled, it pings each configured OIDC tenant’s discovery endpoint. The check returns UP if at least one tenant reports OK status, and DOWN if no tenants are available or all tenants report non-OK statuses (DISABLED, UNKNOWN, or ERROR).

For more information, see the Create OIDC configuration at request time section of the "Quarkus OpenId Connect (OIDC) Expanded Configuration Reference" guide.

In the current release, both REST Client - OpenID Connect Filter (quarkus-rest-client-oidc-filter) and RESTEasy Client - OpenID Connect Filter (quarkus-resteasy-client-oidc-filter) extensions support automatic token refresh when REST client requests receive a "401 Unauthorized" response. With this feature, you can handle expired or revoked access tokens without manual intervention.

To enable automatic token refresh globally, set the property that matches your extension:

quarkus.rest-client-oidc-filter.refresh-on-unauthorized=true
quarkus.resteasy-client-oidc-filter.refresh-on-unauthorized=true

To enable token refresh for specific client endpoints, create a custom filter:

The feature works with both synchronous and reactive REST clients. When a request returns 401, the filter automatically refreshes the access token and retries the request.

For more information, see the Use OidcClient in RestClient Reactive ClientFilter and Use OidcClient in RestClient ClientFilter sections of the "OpenID Connect (OIDC) client and token propagation" guide.

In the current release, with the Quarkus OIDC (quarkus-oidc) extension, you can configure protected resources to advertise OAuth2 Protected Resource Metadata (RFC 9728) through a well-known endpoint. This endpoint returns metadata that includes the resource identifier and, optionally, the authorization servers that protect it. With this metadata, clients can automatically discover authentication requirements without manual configuration.

To enable this feature, set the following property:

quarkus.oidc.resource-metadata.enabled=true

For more information, see the Protected Resource Metadata section of the "Quarkus OpenId Connect (OIDC) Expanded Configuration Reference" guide.

In the current release, the Quarkus OIDC extension (quarkus-oidc) supports customizing request and response bodies in OIDC filters. With this feature, you can modify OIDC authentication and token exchange data.

To customize OIDC requests or responses:

Example:

@OidcEndpoint(value = Type.TOKEN)
public class TokenRequestFilter implements OidcRequestFilter {
    @Override
    public void filter(OidcRequestContext rc) {
        rc.requestBody(Buffer.buffer(rc.requestBody().toString() +
            "&custom_param=custom_value"));
    }
}

OIDC filters enable adding custom parameters, modifying headers, transforming response formats, and implementing validation logic.

For more information, see the following resources:

In the current release, you can use the Quarkus VertX HTTP (quarkus-vertx-http) extension to configure path-specific authorization programmatically using a fluent API. This API uses the io.quarkus.vertx.http.security.HttpSecurity CDI event and provides a more flexible alternative to configuration properties.

This functionality is available as a Technology Preview scope of support feature.

Previously, developers had to use configuration properties to set up path-specific authorizations, which could become verbose and difficult to manage for complex applications. The new fluent API allows you to define authorization rules directly in Java code, making security configurations more maintainable and dynamic. This approach is particularly beneficial for applications with complex authorization requirements or those that need to configure permissions based on runtime conditions.

package org.acme.http.security;

import io.quarkus.vertx.http.security.HttpSecurity;
import jakarta.enterprise.event.Observes;

public class HttpSecurityConfiguration {

    void configure(@Observes HttpSecurity httpSecurity) {
        httpSecurity
                .get("/public/*").permit()
                .path("/roles-secured/*", "/other/*", "/api/*").roles("admin", "user")
                .path("/forbidden").authorization().deny();
    }
}

In this example:

Additionally, the fluent API can configure specific authentication mechanisms and custom security policies for different paths. You can combine authentication methods like Basic, Bearer token, or Authorization Code Flow with custom authorization policies, including role-based access control and permission checks.

For more information, see the Set up path-specific authorization programmatically section of the "Authorization of web endpoints" guide.

In the current release, the Dev UI introduces a basic workspace feature.

In dev mode, you can browse and edit project source files directly in the Dev UI.

For more information, see the following resources:

In the current release, Dev Services adds Compose support.

This capability allows developers to define and orchestrate custom containers for Dev Services by using Compose descriptions with Docker or Podman, and the Dev Services framework automatically manages the startup, configuration, and lifecycle of the services.

For more information, see the following resources:

In the current release, Quarkus improves the test class loading infrastructure. These enhancements make test execution more reliable and consistent across different environments.

For more information, see the GitHub Pull Request #34681.

In the current release, SmallRye GraphQL supports running operations on Java virtual threads. Annotate blocking operations with @RunOnVirtualThread to run them on virtual threads without tying up platform threads. Use @RunOnVirtualThread for blocking operations and do not combine it with @Blocking or @NonBlocking. Virtual threads can increase concurrency compared to worker threads while keeping code simple; the reactive model remains the most resource-efficient for very high concurrency.

For more information, see the following resources:

Red Hat provides a development support for Quarkus development tools, including the Quarkus CLI and the Maven and Gradle plugins, to prototype, develop, test, and deploy Red Hat build of Quarkus applications.

Red Hat does not support using Quarkus development tools in production environments.

For more information about development support, see Development Support Scope of Coverage.

In the current release, the QuarkusTransaction.isActive() method is deprecated.

The method’s behavior is ambiguous and does not reliably indicate transaction state.

Use the getStatus() method to determine the current transaction status. Update all existing uses of isActive() to getStatus() to ensure correct behavior.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22.

In the current release, Quarkus removes support for legacy configuration classes. Applications that rely on extensions, including custom extensions, built on legacy configuration classes, fail to build.

Update affected extensions to versions that use @io.smallrye.config.ConfigMapping, or migrate custom extensions accordingly.

For example, replace the compatibility class GlobalDevServicesConfig with DevServicesConfig.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the following resources:

In the current release, feature toggles in configuration use the .enabled suffix instead of .enable. This change enhances consistency across configuration properties and prevents the mixing of suffixes. The old .enable properties remain recognized for backward compatibility but are deprecated.

Run quarkus update to automatically migrate your configuration. If you update manually, rename keys such as quarkus.log.console.enable to quarkus.log.console.enabled to avoid deprecation warnings. Named logging handlers follow the same rule and use quarkus.log.handler.*."handler-name".enabled.

To apply this change, run the automatic update process described in the Migrating applications to Red Hat build of Quarkus 3.27 guide.

In the current release, the org.eclipse.jgit dependency is no longer managed in the quarkus-bom.

Now, if your application relies on JGit, add the quarkus-jgit extension to your dependencies to ensure native image compatibility and to use a compatible library version.

The quarkus-jgit extension is not supported in Red Hat build of Quarkus.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22.

In the current release, a JsonRPCProvidersBuildItem must be produced regardless of the build mode.

Previously, most extensions produced this build item only in dev mode by using @BuildStep(onlyIf = IsDevelopment.class).

Now, the build process requires this item at build time to enable execution model validation on JSON-RPC classes.

The build process uses this item to identify JSON-RPC endpoints, particularly classes that use annotations such as @Blocking, @NonBlocking, or @RunOnVirtualThread.

Quarkus previously provided a fallback detection mechanism for JSON-RPC classes. That mechanism is removed in the current release.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22: extensions must produce JsonRPCProvidersBuildItem always.

In the current release, Stork is no longer a built-in dependency of the REST Client.

Now, you must add the quarkus-stork extension to your project dependencies to use Stork with REST Client.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22.

Breaking change: The current release removes the long-deprecated quarkus.test.native-image-profile configuration property. Update any configurations that still use the removed property to use the current quarkus.test.integration-test-profile property instead.

The quarkus.test.integration-test-profile property specifies the configuration profile to use when running tests with @QuarkusIntegrationTest:

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

In the current release, support for the Apache Derby database has been removed from Red Hat build of Quarkus.

Apache Derby was deprecated in a previous release and has now been fully removed. Applications using Derby should migrate to a supported database such as PostgreSQL, MySQL, MariaDB, or another database listed in the supported configurations.

If your application currently uses Derby, you will need to:

For information about configuring datasources in Red Hat build of Quarkus, see Configuring data sources.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

In the current release, the default images for the following Dev Services have been updated to the following versions:

Breaking change: If your applications require specific versions of these images, you must configure the container image explicitly. For example:

quarkus.elasticsearch.devservices.image-name=docker.io/elastic/elasticsearch:9.1.3

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Configuring the image section of the Quarkus "Dev Services for Elasticsearch" guide.

In the current release, Hibernate ORM improves database version checks.

Earlier releases already applied these checks; this update enhances version detection accuracy and expands the scope of checks run at startup.

If application startup fails the version check, set the correct database version for your dialect or upgrade the database to a supported version.

When you use CockroachDialect, set the CockroachDB version (not a PostgreSQL version) to match the server your application connects to.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.25.

In the current release, the following Hibernate ORM (quarkus-hibernate-orm) extension properties are renamed to simplify YAML configuration and prepare for future changes.

The old properties remain recognized in the current release, but are deprecated and are planned to be removed in a future release.

Use the new properties when you upgrade to the current release.

To apply this change, run the automatic update process described in the Migrating applications to Red Hat build of Quarkus 3.27 guide.

In the current release, Hibernate ORM has been upgraded to version 7.1. This upgrade introduces breaking changes that might affect your applications.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the following resources:

In the current release, Hibernate Reactive validates database versions during startup.

This change ensures compatibility with supported databases and prevents applications from running against unsupported or incompatible versions.

If your application connects to a database version that does not meet Hibernate Reactive’s requirements, startup fails with a clear error message.

To resolve this issue, upgrade the database to a supported version or adjust your setup accordingly.

For more information, see the Quarkus Migration guide 3.25.

In the current release, Hibernate Reactive has been upgraded to version 3.1.

Hibernate Reactive 3.1 remains compatible with 3.0 for most applications, but it inherits breaking changes from Hibernate ORM.

For more information about the Hibernate ORM breaking changes, see the Hibernate ORM: Upgraded to version 7.1 release note.

The following Hibernate Reactive breaking changes are also introduced:

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

In the current release, Hibernate Search has been upgraded to version 8.1.

With the upgrade to the 8.x version series, some breaking changes are introduced that might impact your applications.

For more information, see the following resources:

In the current release, the Apache Kafka client artifact, kafka-clients, which is used in the quarkus-kafka-client extension, has been upgraded to version 4.0.0.

This version introduces the following changes:

You can still connect to Apache Kafka 3.x brokers. Older brokers that rely on removed protocol versions might be incompatible.

For more information, see the following resources:

In the current release, the OpenTelemetry metrics provided by the quarkus-opentelemetry extension have changed.

The following table lists the OpenTelemetry metrics that are now available. Note that jvm.system.cpu.utilization metric is removed in JVM mode; use jvm.cpu.recent_utilization instead.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the following resources:

In the current release, the deprecated blocking HttpAuthenticationMechanism.getCredentialTransport() method is removed.

If your application or a custom security extension overrides this method, you must update the implementation to avoid compilation errors.

Replace the removed method by implementing the reactive version, as in the following example:

Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
    return Uni.createFrom().item(myHttpCredentialTransport);
}

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

In the current release, the TLS Registry extension (quarkus-tls-registry) has been restructured to avoid having a split package between the runtime and spi modules.

As part of this reorganization, the io.quarkus.tls.TlsRegistryBuildItem class has been renamed to io.quarkus.tls.deployment.spi.TlsRegistryBuildItem. It is still located in the spi module.

If you have existing code that references the earlier TlsRegistryBuildItem class location, update your imports to use the current package:

// Earlier import
import io.quarkus.tls.TlsRegistryBuildItem;

// Current import
import io.quarkus.tls.deployment.spi.TlsRegistryBuildItem;

This change aligns with the architectural improvements proposed in the Quarkus project to maintain clearer separation between deployment and runtime components.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

Breaking change: Support for building extensions with legacy config classes and the -AlegacyConfigRoot=true annotation processor option has been removed.

Extensions must now use config interfaces annotated with @ConfigMapping and @ConfigRoot.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the following resources:

In the current release, the Gradle tasks testNative and quarkusIntTest no longer depend on the test task.

Now, they execute only the native tests and the integration tests respectively, allowing independent test execution stages.

Update your build scripts if you previously relied on the default task dependency that included unit tests when running native or integration tests.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22.

In the current release, defining a ContextResolver in REST Client with a lambda throws an IllegalArgumentException.

This occurs because the REST Client extension cannot infer the generic type, unlike previous versions that defaulted to Object.

Replace lambdas with concrete ContextResolver implementations to avoid runtime errors and ensure correct REST Client configuration.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22.

In the current release, Jakarta REST resource classes that use Panache work only with Quarkus REST modules.

REST Data Panache modules no longer work with RESTEasy Classic modules.

The following modules are affected:

Use Quarkus REST, quarkus-rest-*, instead of RESTEasy Classic, quarkus-resteasy-*, to avoid runtime failures.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.22.

In the current release, Quarkus REST applies @JsonView consistently to both serialization and deserialization.

@JsonView on resource methods or DTOs now controls which properties are read from input and written to output according to the specified view classes (for example, Views.Public and Views.Private).

Previously, only serialization honored @JsonView, so deserialization might have accepted properties outside the active view. Applications that relied on that behavior might require code or configuration changes to align with the new behavior.

To apply this change to existing code, manually perform any additional steps described in this release note. The automatic update process in the Migrating applications to Red Hat build of Quarkus 3.27 guide do not cover this change.

For more information, see the Quarkus Migration guide 3.21.