The May Payara Platform release is here! With the Payara Enterprise 5.28.0 and the Payara Community 5.2021.3 releases, we're introducing an HSTS security feature, an improvement to the Admin Console performance, better integration of Hazelcast along with new functionalities provided in Hazelcast 4.2, and a couple of useful security and bug fixes. Meanwhile, updates to the ecosystem components IntelliJ and the Flight Recorder Notifier offer more functionality to Payara Platform users.
Read more below to find out the details.
HSTS Security Feature
HTTP Strict Transport Security (HSTS) forces the browser to make a secure connection (TLS) with the server. To enforce safer communication, activate HSTS through the SSL configuration option in Payara.
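A way to confirm that the policy is actually being sent once HSTS is switched on, as an added example rather than Payara code: it parses a `Strict-Transport-Security` value by the RFC 6797 rules and reports common problems. The function names, the one-year `min_age` threshold and the sample responses are assumptions made for this illustration.

```python
import re

# directive = token [ "=" ( token | quoted-string ) ], per RFC 6797 section 6.1
_DIRECTIVE = re.compile(r'([!#$%&\'*+.^_`|~0-9A-Za-z-]+)(?:\s*=\s*("[^"]*"|[^\s;"]+))?')

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means a browser must ignore it."""
    seen = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue                      # empty directives ("max-age=1;;") are allowed
        m = _DIRECTIVE.fullmatch(part)
        if not m or m.group(1).lower() in seen:
            return None                   # bad syntax, or a directive given twice
        seen[m.group(1).lower()] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                       # max-age is required and must be digits
    if seen.get("includesubdomains"):
        return None                       # includeSubDomains takes no value
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}  # preload: browser-list convention, not RFC

def audit(scheme, headers, min_age=31536000):
    """Return findings for one response; an empty list means the policy looks sound."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if scheme != "https":
        return ["header sent over plain HTTP is ignored"] if values else []
    if not values:
        return ["no Strict-Transport-Security header on HTTPS response"]
    findings = ["multiple headers: only the first is processed"] if len(values) > 1 else []
    policy = parse_hsts(values[0])
    if policy is None:
        return findings + ["header is malformed and will be ignored"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells the browser to drop the policy")
    elif policy["max_age"] < min_age:
        findings.append("max-age below %d seconds" % min_age)
    return findings

# Constructed sample responses (not captured from a real Payara instance).
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    ("https", [("strict-transport-security", "max-age=0")]),
    ("https", [("Content-Type", "text/html")]),
    ("http",  [("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, audit(scheme, headers) or "ok")
```

Feed it the scheme and headers your own tooling collects from each listener; a header that appears only on the plain HTTP listener has no effect in browsers.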
A Security Vulnerability in Metro Framework Implementation of JAX-WS Specs is Fixed
A security fix is provided for Payara Enterprise 4, Payara Enterprise 5, and Payara Community in the May release to address a vulnerability in the Metro framework implementation of JAX-WS. An endpoint is available within Payara (exposed by the Metro framework) that can be used to import an external WSDL document and start a remote code execution on the Payara Server so the server can connect with remote endpoints and start.
The vulnerability can only be exploited when an application makes use of the JAX-WS functionality (that is, has SOAP endpoints). In that case, make sure you update your environment to the latest version of Payara Server.
Admin Console Performance Improvement
The Admin Console sometimes performed slower when remote instances were slow to respond. This release offers improvements to the Admin Console’s performance in certain situations involving slow remote instances.
Better Integration of Hazelcast with Payara Platform
Hazelcast in Payara has been upgraded from 4.1 to 4.2, to provide Payara users with the benefits of Hazelcast 4.2 – including improved SQL functionalities and AWS support. The integration of Payara with Hazelcast is improved, resulting in fewer classloader-related issues when using the JCache and/or Hazelcast objects, like Map and Queue.
Fix Problems Caused by EL Expression Spec Change Between Java EE 6 and Java EE 7
Between Java EE 6 and Java EE 7, the EL expression specification changed regarding the handling of static field references. This change can lead to problems like locked threads and significant performance degradation for a Java EE 6 application that was previously running fine.
To allow easier migration of those applications, the Payara Platform introduced a system property, `fish.payara.javax.servlet.jsp.disable-static-field-references`, that makes the EL expression evaluation behave like it did in Java EE 6.
IntelliJ Plugins Update
If you use the Payara IntelliJ plugin, you’ll want to update it. The new IntelliJ IDEA release (2021.1) changed the IntelliJ API, which is what our plugin is based on, so you need to update the plugin to be compatible. At the same time, we’ve adapted our plugin so it should maintain compatibility with future versions of IntelliJ.
Flight Recorder Notifier
If you use Flight Recorder with Payara, you can now make use of the new Flight Recorder notifier. It can send the Health Check, Request Tracing, and Asadmin audit events to the Flight Recorder System. This Notifier allows you to combine this information with all other information about the JVM and application that is kept by the Flight Recorder System. The Flight Recorder Notifier requires JDK 11 and needs to be installed separately into the Payara environment.
The Enterprise Release (request here) includes 1 feature, 4 bug fixes, 1 security fix and 4 improvements, while the Community Release (direct download here) includes 1 new feature, 5 bug fixes, 6 improvements, 1 security fix and 1 component upgrade.
See a more detailed overview of the fixes and improvements in the Release Notes: