WildFly 40 Final is released!
by Brian Stansberry
I'm very happy to announce that the feature-packs for WildFly 40 Final
are now available in Maven, with zips and tars at
https://www.wildfly.org/downloads/.
Thank you all for all the hard work on this one; it has been a big
push. I think our users will appreciate it.
You can read all about it in my release announcement post at
https://www.wildfly.org/news/2026/05/21/WildFly-40-is-released/
Some key things:
* The primary WildFly variant now provides EE 11!
* We've introduced a new WildFly EE 10 variant that still provides EE
10. We'll provide that for the 40 and 41 series.
* We've introduced HashiCorp Vault integration via a new feature-pack.
* OIDC logout support.
* Java SE 25 as the recommended SE version for standard WildFly.
... and more.
For WildFly 41 we'll go back to our normal cadence of
January/April/July/October releases, so we're aiming
to have it out on July 9. You can use the
https://www.wildfly.org/events/#calendar page to track the dates. This
means a pretty short dev cycle, with PRs due for the Beta in 4 weeks,
on June 17.
Best regards,
Brian Stansberry
WildFly project lead
3 weeks, 1 day
Possible component upgrades report: Apache CXF 4.1.5/JBoss WS CXF 7.4.0 - wildfly:main
by Fabio Burzigotti
Hi all,
Following up on a discussion on Zulip [1], I am attaching a report that previews the component upgrades coming with the consolidation and release of jbossws-cxf-7.4.0.Final.
TL;DR - org.apache.cxf:* will be upgraded to 4.1.5, since 4.2.0 does not support JDK 11 (planned for jbossws-cxf-8.0.0).
The relevant upgrades are the following ones:
* Minor upgrades
  * Jboss.jaxbintros:jboss-jaxb-intros:2.0.1 -> Minor upgrade 2.1.0.Beta1
  * org.jboss.ws:jbossws-api:3.0.0.Final -> Minor upgrade 3.1.0.Beta1
  * org.jboss.ws:jbossws-common:5.1.0.Final -> Minor upgrade 5.2.0.Beta1
  * org.jboss.ws:jbossws-common-tools:2.1.0.Final -> Minor upgrade 2.2.0.Beta1
  * org.jboss.ws:jbossws-spi:5.0.0.Final -> Minor upgrade 5.1.0.Beta1
  * org.jboss.ws.cxf:jbossws-cxf-client:7.3.8.Final -> Minor upgrade 7.4.0.Beta*
* Major upgrades
  * org.jboss.ws.projects:jaxws-undertow-httpspi:2.0.0.Final -> Very latest 3.0.0.Beta (a minor as a matter of fact, because the exposed API didn't change)
As you can see, all of them are currently released as Beta versions, and will be finalized as soon as testing is complete.
The plan is to finalize the component upgrade PR for WildFly within tomorrow/Monday.
I'll post an update as soon as Final versions are released.
Regards,
Fabio.
[1]
https://wildfly.zulipchat.com/#narrow/channel/174184-wildfly-developers/t...
---
Fabio Burzigotti
Software Developer
IBM Software
fburzigo(a)ibm.com
3 weeks, 2 days
JDK 27 Approaches Rampdown | Final Field Mutation Warnings Heads-up
by David Delabassee
Welcome! This is the last Quality Outreach note before JDK 27 enters Rampdown Phase One (RDP1) in early June, with the GA release planned for September. It is also worth mentioning that recent JDK 27 EA builds include fixes for issues reported by projects participating in the Quality Outreach effort, including Tomcat, Hibernate, and jOOQ. Thanks to them for their continued collaboration and testing!
I’ll conclude this brief update by encouraging everyone to review the QO heads-up below. It only takes a few minutes, but doing so can sometimes save a lot of time down the road!
# Heads-Up - JDK 27: Post-Quantum Hybrid Key Exchange for TLS 1.3
JDK 27 early-access builds now integrate JEP 527, which adds hybrid post-quantum key exchange support for TLS 1.3 to Java. This approach combines classical elliptic-curve cryptography with the quantum-resistant ML-KEM algorithm to help mitigate “harvest now, decrypt later” attacks.
By default, Java applications using the standard `javax.net.ssl` APIs will automatically negotiate hybrid post-quantum key exchange when supported by both client and server, unless the application explicitly overrides the default TLS named groups. The X25519MLKEM768 hybrid group is enabled alongside existing classical groups, while additional hybrid configurations can be controlled through `jdk.tls.namedGroups` or `SSLParameters::setNamedGroups`.
For more information, see [1].
[1] https://inside.java/2026/05/17/quality-heads-up/
# Heads-Up - JDK 27: Removal of Deprecated Java Launcher Options
Support for the options `-noclassgc`, `-verifyremote`, `-Xverify:none`, and `-noverify`, which were deprecated several releases ago, is removed from the Java launcher in JDK 27, and usage of any of these options will fail with an error.
In the case of the former two, `-Xnoclassgc` and `-Xverify:remote` should be used instead. No alternative is being provided for `-Xverify:none` and `-noverify`, as disabling bytecode verification (which is what these two options do) is not recommended.
For more information, see [2].
[2] https://inside.java/2026/05/13/quality-heads-up/
# Heads-Up - JDK 26: Final Field Mutation Warnings
Java's reflection API allows the mutation of final fields outside of construction. This undermines the integrity of the language, which promises exactly-once semantics for final field assignment. This, in turn, has negative downstream effects for integrity, performance, and security.
With JDK 26, Java has moved toward “integrity by default” for final fields, with the JVM now emitting warnings when code attempts to mutate final fields reflectively. These new warnings can be disabled using command-line options. The permanent option `--enable-final-field-mutation` allows specific modules to mutate final fields. The temporary option `--illegal-final-field-mutation`, with values `warn` (the default in JDK 26), `allow`, `debug`, or `deny` (the future default), controls how code without specific permission attempting to mutate final fields will be handled.
For more information, see [3] and [4].
[3] https://inside.java/2026/05/15/quality-heads-up/
[4] https://inside.java/2026/04/27/avoiding-final-field-mutation/
# JDK 27 Early-Access Builds
The latest JDK 27 early-access builds are available[5], along with the corresponding Release Notes[6].
[5] https://jdk.java.net/27/
[6] https://jdk.java.net/27/release-notes
## JEPs targeted to JDK 27, so far:
- JEP 523: Make G1 the Default Garbage Collector in All Environments
- JEP 527: Post-Quantum Hybrid Key Exchange for TLS 1.3
- JEP 531: Lazy Constants (3rd Preview)
- JEP 532: Primitive Types in Patterns, instanceof, and switch (5th Preview)
- JEP 533: Structured Concurrency (7th Preview)
- JEP 534: Compact Object Headers by Default
- JEP 537: Vector API (12th Incubator)
## JEPs proposed to target JDK 27:
- JEP 528: Post-Mortem Crash Analysis with jcmd
- JEP 536: JFR In-Process Data Redaction
- JEP 538: PEM Encodings of Cryptographic Objects
## Changes in recent JDK 27 builds that may be of interest:
- JDK-8273874: LdapClient can trigger memory leak [Reported by Apache Tomcat]
- JDK-8371817: javac with annotation processor throws AE: Cannot add metadata to this type: METHOD when dealing with local classes [Reported by Hibernate]
- JDK-8305250: Unnecessary "unknown enum constant" warning emitted by javac when dependency has optional annotations with enums [Reported by JOOQ]
- JDK-8368864: Confusing error message (or wrong error) when record component has @deprecated Javadoc tag [Reported by JOOQ]
- JDK-8381670: Revert the changes to GZIPInputStream related to InputStream.available() usage
- JDK-8372351: Add 2 WISeKey roots
- JDK-8371842: Update CLDR to Version 48.2
- JDK-8373481: Remove the deprecated -noclassgc, -noverify, -Xverify:none and -verifyremote options from the java launcher
- JDK-8372526: Add support for ZLIB TLS Certificate Compression
- JDK-8382740: JFR: Disable jdk.OldObjectSample event for generational ZGC
- JDK-8381436: Remove Obsolete Translation Resources
- JDK-8364182: Add jcmd VM.security_properties command
- JDK-8369917: LMS/HSS RFC 9858 Support
- JDK-8196182: ServiceLoader.iterator().hasNext()/.next() may throw a LinkageError
- JDK-8378228: Replace jQuery UI autocomplete component in JavaDoc search
- JDK-8347112: Copy nested directories in doc-files by default
- JDK-8379973: Provide means to customize localized patterns in DateTimeFormatter/Builder
- JDK-8383175: (tz) Update Timezone Data to 2026b
- JDK-8380542: ZipOutputStream.setComment and ZipEntry.setComment spec updates for rejecting unmappable characters and allowing null or empty comments
- JDK-8373922: Enhance Taglet API to support relative URLs
- JDK-8374839: Improve jpackage information messages
Note: A more exhaustive list of changes can be found here[7].
[7] https://github.com/openjdk/jdk/compare/jdk-27+17...jdk-27+22
# JavaFX Direct3D 12 Early-Access Builds
New early-access JavaFX builds implementing the new Direct3D 12 graphics rendering pipeline for Windows x64 are now available[8]. The goal of these EA builds is to solicit feedback as we work toward integrating this functionality into JavaFX. Feedback can be sent to the openjfx-dev[9] mailing list (registration required).
[8] https://jdk.java.net/javafxdirect3d12/
[9] https://mail.openjdk.org/mailman/listinfo/openjfx-dev
# Topics of Interest
- Ask the Architects at JavaOne
https://inside.java/2026/04/23/podcast-056/
- How the JVM Optimizes Generic Code
https://inside.java/2026/04/19/generics-optimization/
- Java 26: Better Language, Better APIs, Better Runtime
https://inside.java/2026/05/19/javaone-better-jdk26/
- Post-Mortem JVM Crash Analysis with jcmd
https://inside.java/2026/05/16/javaone-jcmd-jvm-analysis/
- Java Gets Post-Quantum TLS
https://inside.java/2026/05/14/newscast-112/
- The JDK Client Desktop: 2026 and Still Swinging
https://inside.java/2026/05/03/jdk-client-desktop/
- Make Java Safer with Flexible Constructor Bodies
https://inside.java/2026/04/30/newscast-111/
- Avoiding Final Field Mutation
https://inside.java/2026/04/27/avoiding-final-field-mutation/
- How JDK 26 Improves G1's Throughput
https://inside.java/2026/04/09/podcast-054/
- JavaOne 2026 Playlist (Continuously updated)
https://www.youtube.com/playlist?list=PLX8CzqL3ArzUMVSzm-z_-if8BIB55EGl4
~
As always, if you encounter any issues while running your project on JDK 27 early-access builds, please feel free to reach out.
P.S. If you would prefer not to receive future OpenJDK Quality Outreach updates, just let me know.
—David
3 weeks, 2 days
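A pre-upgrade check for the "Removal of Deprecated Java Launcher Options" heads-up in the note above, as an added example that is not part of the original message: it scans start scripts or JVM option files for the four removed options and prints the replacement the heads-up names. The function name, the sample file name and its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Quality Outreach note): flag java launcher options
# that the heads-up says JDK 27 removes, in start scripts or JVM option files.

scan_removed_launcher_opts() {
    # Prints "file:line: option -> advice"; returns 1 if anything was found.
    awk '
    BEGIN {
        # Replacements exactly as listed in the heads-up; "" = none provided.
        repl["-noclassgc"]    = "-Xnoclassgc"
        repl["-verifyremote"] = "-Xverify:remote"
        repl["-Xverify:none"] = ""
        repl["-noverify"]     = ""
    }
    /^[[:space:]]*#/ { next }                 # ignore comment lines
    {
        line = $0
        # Split on anything that cannot be part of an option token, so
        # quotes, "=", "$" etc. act as separators. "-Xnoclassgc" stays one
        # token and is therefore not mistaken for "-noclassgc".
        gsub(/[^-A-Za-z0-9_:]/, " ", line)
        n = split(line, tok, " ")
        for (i = 1; i <= n; i++) {
            if (tok[i] in repl) {
                advice = (repl[tok[i]] != "") ? ("use " repl[tok[i]]) : "no replacement, remove it"
                printf "%s:%d: %s -> %s\n", FILENAME, FNR, tok[i], advice
                found = 1
            }
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: a hypothetical JVM options file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sample-jvm.conf" <<'EOF'
# JAVA_OPTS="-noverify"   (commented out, ignored)
JAVA_OPTS="-Xms512m -Xnoclassgc -noverify"
JAVA_OPTS="$JAVA_OPTS -verifyremote --noverify-app-flag"
EOF
scan_removed_launcher_opts "$demo_dir/sample-jvm.conf" || true
```

The non-zero return on a finding lets the function gate a CI job; a value such as `-Dkey=-noverify` is also reported because `=` is treated as a separator.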
Promote MCP server features to default stability level
by Jean-Frederic Mesnil
Hi,
I’ve created a new issue to promote MCP server features to default stability level[1].
The intent is to make WildFly an MCP server where users could integrate their applications as MCP server resources (tools, resources) and open them to the AI ecosystem.
The scope is narrow and focuses only on MCP server features.
The code has been in development for quite some time and we are in the process of implementing the latest MCP server specification.
As part of this promotion, we need to iron out the code, fill gaps in the testing, provide documentation, etc. as described in our feature process document[2].
Only features and packages of the WildFly AI feature pack that provide MCP server capabilities are planned to move to default stability level.
There are many other capabilities (including MCP client, LLM, WASM) provided by the feature pack that will remain at the experimental level.
Best regards,
Jeff
[1] https://github.com/wildfly/wildfly-proposals/issues/829
[2] https://docs.wildfly.org/wildfly-proposals/FEATURE_PROCESS.html
--
Jeff Mesnil
Software Engineer
Red Hat JBoss EAP
http://jmesnil.net/
3 weeks, 3 days