Reduce the size of object headers in the HotSpot JVM from between 96 and 128 bits down to 64 bits on 64-bit architectures. This will reduce heap size, improve deployment density, and increase data locality.
Issue warnings about uses of the Java Native Interface (JNI) and adjust the Foreign Function & Memory (FFM) API to issue warnings in a consistent manner. All such warnings aim to prepare developers for a future release that ensures integrity by default by uniformly restricting JNI and the FFM API. Application developers can avoid both current warnings and future restrictions by selectively enabling these interfaces where essential.
Simplify the implementation of the G1 garbage collector's barriers, which record information about application memory accesses, by shifting their expansion from early in the C2 JIT's compilation pipeline to later.
Introduce an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. This is a preview API.
Improve startup time by making the classes of an application instantly available, in a loaded and linked state, when the HotSpot Java Virtual Machine starts. Achieve this by monitoring the application during one run and storing the loaded and linked forms of all classes in a cache for use in subsequent runs. Lay a foundation for future improvements to both startup and warmup time.
Provide a standard API for parsing, generating, and transforming Java class files.
Enhance the Stream API to support custom intermediate operations. This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.
The Security Manager has not been the primary means of securing client-side Java code for many years, it has rarely been used to secure server-side code, and it is costly to maintain. We therefore deprecated it for removal in Java 17 via JEP 411 (2021). As the next step toward removing the Security Manager, we will revise the Java Platform specification so that developers cannot enable it and other Platform classes do not refer to it. This change will have no impact on the vast majority of applications, libraries, and tools. We will remove the Security Manager API in a future release.
For more information: JEP 486: Permanently Disable the Security ManagerIntroduce scoped values, which enable a method to share immutable data both with its callees within a thread, and with child threads. Scoped values are easier to reason about than thread-local variables. They also have lower space and time costs, especially when used together with virtual threads (JEP 444) and structured concurrency (JEP 480). This is a preview API.
Enhance pattern matching by allowing primitive types in all
pattern contexts, and extend instanceof and
switch to work with all primitive types. This is a
preview language
feature.
Introduce an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPU architectures, thus achieving performance superior to equivalent scalar computations.
Remove the non-generational mode of the Z Garbage Collector (ZGC), keeping the generational mode as the default for ZGC.
Improve the scalability of Java code that uses
synchronized methods and statements by arranging for
virtual threads that block in such constructs to release their
underlying
platform threads for use by other virtual threads. This will
eliminate nearly all cases of virtual threads being pinned to platform
threads, which severely restricts the number of virtual threads
available to handle an application's workload.
In constructors in the Java programming language, allow
statements to appear before an explicit constructor invocation,
i.e., super(..) or this(..). The
statements cannot reference the instance under construction, but
they can initialize its fields. Initializing fields before invoking
another constructor makes a class more reliable when methods are
overridden. This is a preview
language feature.
Enhance the Java programming language with the ability to succinctly import all of the packages exported by a module. This simplifies the reuse of modular libraries, but does not require the importing code to be in a module itself. This is a preview language feature.
Evolve the Java programming language so that beginners can write their first programs without needing to understand language features designed for large programs. Far from using a separate dialect of the language, beginners can write streamlined declarations for single-class programs and then seamlessly expand their programs to use more advanced features as their skills grow. Experienced developers can likewise enjoy writing small programs succinctly, without the need for constructs intended for programming in the large. This is a preview language feature.
Enhance the security of Java applications by providing an implementation of the quantum-resistant Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). Key encapsulation mechanisms (KEMs) are used to secure symmetric keys over insecure communication channels using public key cryptography. ML-KEM is designed to be secure against future quantum computing attacks. It has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 203.
Enhance the security of Java applications by providing an implementation of the quantum-resistant Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of signatories. ML-DSA is designed to be secure against future quantum computing attacks. It has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 204.
Issue a warning at run time on the first occasion that any
memory-access method in sun.misc.Unsafe is invoked.
All of these unsupported methods were terminally deprecated in
JDK 23. They have been superseded by standard APIs, namely the
VarHandle API (JEP 193, JDK 9) and
the Foreign Function & Memory API (JEP 454, JDK 22). We
strongly encourage library developers to migrate from
sun.misc.Unsafe to supported replacements, so that
applications can migrate smoothly to modern JDK releases.
Simplify concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API.
A new system property,
jdk.tls.server.newSessionTicket, sets the number of
TLSv1.3 resumption tickets sent by a JSSE server per session. It
can be set on the command line with
-Djdk.tls.server.newSessionTicket=#, where
# ranges from 0 to 10. The default is 1.
For more details, see Customizing JSSE.
TLS cipher suites can be disabled with the
jdk.tls.disabledAlgorithms security property in the
java.security configuration file using one or more
* wildcard characters. For example, "TLS_RSA_*"
disables all cipher suites that start with "TLS_RSA_". Only cipher
suites starting with "TLS_" are allowed to have wildcard
characters.
The jar tool's extract operation has been enhanced
to allow the --dir or the -C options to
be used to specify the directory where the archive will be
extracted.
Example Usages:
jar -xf foo.jar -C /tmp/bar/
or
jar --extract --file foo.jar --dir /tmp/bar/
Either of these commands will extract the foo.jar
to the /tmp/bar directory.
For more details, see the jar command man page.
The static factory method
java.io.Reader.of(CharSequence) has been added to get
a Reader that reads characters from a
CharSequence, String and
StringBuilder are examples of a
CharSequence. The returned Reader is more
efficient than using a java.io.StringReader in some
cases, as the latter requires conversion to String and
synchronization.
A new, overloaded method,
java.lang.Process#waitFor(Duration), has been added.
The existing waitFor() method with timeout needs both
a primitive time out value and its unit. The new method uses
java.time.Duration so that the user will not be
confused with the unit.
This release upgrades the Unicode version to 16.0, which includes updated versions of the Unicode Character Database and Unicode Standard Annexes #9, #15, and #29:
java.lang.Character class supports the Unicode
Character Database, which adds 5,185 characters, for a total of
154,998 characters. The new additions include seven new scripts:
java.text.Bidi and
java.text.Normalizer classes support Unicode Standard
Annexes, #9 and #15, respectively.java.util.regex package supports Extended
Grapheme Clusters based on the Unicode Standard Annex #29.For more details about Unicode 16.0, refer to the Unicode Consortium’s release note.
The jar tool's extract operation has been enhanced
to allow the --keep-old-files and the -k
options to be used in preventing the overwriting of existing
files.
Examples:
jar xkf foo.jar
or
jar --extract --keep-old-files --file foo.jar
Either of these commands will extract the contents of
foo.jar. If an entry with the same name already exists
in the target directory, then the existing file will not be
overwritten.
For more details, see the jar command man page.
A new, JDK-specific monitoring and management interface,
jdk.management.VirtualThreadSchedulerMXBean, has been
added to allow Java Management Extension (JMX) based tooling to
monitor and manage the virtual thread scheduler. The interface
supports monitoring the virtual thread scheduler's target
parallelism, the threads used by the scheduler, and the number of
virtual threads queued to the scheduler. It also supports
dynamically changing the scheduler's target parallelism.
Two commands have been added to the jcmd command
line tool to print information that may be useful when diagnosing
issues with virtual threads.
jcmd <pid> Thread.vthread_scheduler prints
the virtual thread scheduler, the target parallelism, number of
threads, and other useful counters. The output also includes the
delayed task schedulers that support virtual threads doing timed
operations.
jcmd <pid> Thread.vthread_pollers prints the
I/O pollers that support virtual threads doing blocking network I/O
operations.
For more details, see the jcmd command man page.
The java.security security properties file, and
those referred to by the java.security.properties
system property, now support including other properties files. The
directive include <path-to-a-file> can be used
for this purpose. The effect of including a file is equivalent to
defining its properties inline at the inclusion point. Find more
information and examples in the
Security Properties Files Inclusion section of the Security
Developer Guide and in JDK-8319333.
As a result of this change, the name include can no
longer be used to define a property in a security properties file.
If the name include is passed to the
java.security.Security::getProperty or
::setProperty APIs, an
IllegalArgumentException is thrown.
A new section for
PSSParameterSpec algorithm names has been added to
the Java Security Standard Algorithm Names specification. This
section lists the standard hash and message generation function
(MGF) algorithms that can be specified when initializing an
RSASSA-PSS signature with a
PSSParameterSpec object.
The SunPKCS11 provider has been enhanced to support the
following AES CTS transformations for the Cipher
service type:
The Addendum to NIST
Special Publication 800-38A defines three variants of
Ciphertext Stealing for CBC mode: CBC-CS1, CBC-CS2, and CBC-CS3. To
ensure interoperability with SunJCE and Kerberos, which use the CS3
variant, the SunPKCS11 provider needs to know the variant
implemented by the underlying PKCS #11 library and convert the data
if it is not in the CS3 variant. A new SunPKCS11 provider
configuration attribute named
cipherTextStealingVariant is introduced and must be
set with any of the following values: CS1,
CS2, or CS3, to indicate the CTS variant
of the underlying PKCS #11 library. An exception exists for NSS as
it is known to be CS1. Otherwise, the PKCS #11
CKM_AES_CTS mechanism is disabled.
For further information, see SunPKCS11 Configuration and SunPKCS11 Provider Supported Algorithms.
The API documentation contains a new summary page listing external specifications referenced by Java SE and JDK APIs. A link to the new summary page can be found in the Index page linked in the API documentation navigation bar.
For more details, see External Specifications.
jpackage can use WiX Toolset v4 and v5, in addition
to v3, on Windows. It will automatically choose the newest
installed version.
jpackage supports custom WiX sources in both WiX v3
and v4 formats. If WiX Toolset v4 or v5 is used,
jpackage will automatically convert custom WiX sources
in WiX v3 format to WiX v4 format.
The JDK built-in XML Catalog, introduced in JDK 22 with standard DTDs of the Java Platform, now includes the following DTDs and XSDs defined by W3C specifications. These DTDs and XSDs will be loaded locally from the XML Catalog, without requiring network access.
The JDK's java.desktop module has internal code
that interoperates with multiple versions of the GTK platform
library. This is primarily to support the Swing GTK
LookAndFeel.
The JDK previously included support for interoperating with the
GTK 2 version of the library, which is reaching the end of its
life. GTK 3 long ago superseded it and is supported by the JDK as
the preferred default. To use GTK 2, apps must request it using the
jdk.gtk.version System property. And since many recent
Linux distributions make GTK 2 only an optional install, it may
require extra work to use it. Future Linux distributions will
likely not provide any way to install it.
Since all versions of Linux to be supported by JDK 24 provide GTK3, GTK2 support in JDK is now removed.
Setting the jdk.gtk.version System property to
2 or 2.2 will no longer have any effect.
GTK 3 will be loaded.
The JDK 1.1-compatible behavior for the "EST," "MST," and "HST"
time zones has been removed. Previously, this behavior could be
enabled using the sun.timezone.ids.oldmapping system
property, but this property is no longer operational in this
release. In general, the use of all legacy
Three-letter time zone IDs is deprecated. Instead, use the
corresponding region-based time zone IDs listed in
ZoneId.SHORT_IDS.
java.naming.rmi.security.manager
Environment Property Is Removed (JDK-8344299)The JNDI environment property
java.naming.rmi.security.manager is no longer
supported. This property, used to request installation of the
RMISecurityManager, is no longer effective. As the
SecurityManager is removed, this property is no longer
needed.
javax.naming.Context.APPLET Constant Is
Removed (JDK-8340359)The javax.naming.Context.APPLET constant, which has
been deprecated since Java 9, has been removed from the
javax.naming.Context class. Applications relying on
this constant will require modification.
JNDI remote code downloading for LDAP and RMI providers is now
permanently disabled. The
com.sun.jndi.rmi.object.trustURLCodebase and
com.sun.jndi.ldap.object.trustURLCodebase system
properties are removed.
Some javax.management classes contained a feature
for Serialization compatibility with very old JMX releases (1.0,
1.1, 1.2), which are from before JMX was an integrated part of the
JDK (in JDK 5). This was enabled using the
jmx.serial.form system property.
This compatibility logic offered no value, and only added complexity, so has been removed. This will not affect any JMX features, or any interactions between JMX features in different JDKs.
-t,
-tm, -Xfuture, -checksource,
-cs, and -noasyncgc are Removed
(JDK-8339918)The java command no longer accepts the
-t, -tm, -Xfuture,
-checksource, -cs, and
-noasyncgc options.
These options are henceforth treated as unrecognized and usage
of any of these options will lead to an error resulting in a
failure to launch java. Applications that were
launching java with the -Xfuture option
may consider using -Xverify:all in its place - the
rest of the options have no replacements.
java.util.zip.ZipError has been deprecated for
removal. This error class has been obsolete for many releases and
has not been used by the reference implementation since Java 8.
Any existing code that used to throw
java.util.zip.ZipError should consider throwing
java.util.zip.ZipException instead. Code needing to
catch this error when running on releases prior to Java 9 may be
updated to catch the parent java.lang.InternalError
class instead.
The jstatd tool is deprecated, for removal in a
future release. jstatd is an RMI server application
which monitors HotSpot VMs, and provides a remote interface for
jstat. This will not affect use of jstat
to read the performance counters from local VMs.
LockingMode Flag and the
LM_LEGACY And LM_MONITOR Modes Are
Deprecated (JDK-8334299)A new, lightweight locking mechanism for object monitor locking
was introduced in JDK 21 under JDK-8291555. The
LockingMode flag was introduced to allow selection of
this new mechanism, (LM_LIGHTWEIGHT, value 2), in
place of the default mechanism, (LM_LEGACY, value 1).
In JDK 23, the LockingMode default was changed to
LM_LIGHTWEIGHT.
In JDK 24, the LockingMode flag, along with the
LM_LEGACY (1) and LM_MONITOR (0) modes,
are deprecated. The default locking mode,
LM_LIGHTWEIGHT, will be the only internal
implementation that is supported when these locking modes become
obsolete in a future release.
This is not expected to change any semantic behavior of Java monitor locking and it is expected to be performance neutral for almost all applications.
The debugd subcommand of the jhsdb
tool is deprecated, for removal in a future release. jhsdb
debugd is an RMI server which provides a remote interface
for other jhsdb commands. Those commands use the
--connect option which is also deprecated for removal.
This will not affect usage of jhsdb for debugging
local VMs or core files.
jrunscript tool has been deprecated and will be
removed in a future release. Usage of this tool will now print a
deprecation warning.
-verbosegc,
-noclassgc, -verify,
-verifyremote, -ss, -ms and
-mx Are Deprecated for Removal (JDK-8286851)The -verbosegc, -noclassgc,
-verify, -verifyremote, -ss,
-ms, and -mx options of the
java command are deprecated for removal. Usage of any
of these options when launching java will now log a
deprecation warning.
Applications may consider replacing usages of these options with the following:
| Deprecated | Replacement |
|---|---|
-verbosegc |
-verbose:gc |
-noclassgc |
-Xnoclassgc |
-verify |
-Xverify:all |
-verifyremote |
-Xverify:remote |
-ss |
-Xss |
-ms |
-Xms |
-mx |
-Xmx |
Reflectively invoking VarHandle signature polymorphic methods is
specified to throw UnsupportedOperationException.
However, the implementation previously threw
UnsatisfiedLinkError in such cases. The behavior was
adjusted to conform to the specification.
java.lang.constant.MethodTypeDesc.resolveConstantDesc
Throws ClassNotFoundException Instead of TypeNotPresentException
(JDK-8304929)In previous releases,
MethodTypeDesc.resolveConstantDesc threw an unchecked
TypeNotPresentException instead of a checked
ReflectiveOperationException when a component class
was not found. This behavior is now corrected to throw a
ClassNotFoundException, conforming to the
specification.
Code that previously handled
TypeNotPresentException in addition to
ReflectiveOperationException can consolidate the
exception handling into the existing
ReflectiveOperationException handling.
null
(JDK-8337302)Core reflection now throws a
TypeNotPresentException instead of substituting a
null value when encountering an undefined type
variable in a generic signature. The previous incorrect behavior
had been in place since the addition of generic signatures in JDK
5. The TypeNotPresentException::typeName method may
return type variable names in addition to fully qualified names of
classes.
DecimalFormat, when the format expects a suffix,
now parses correctly when the parse value contains a decimal symbol
and isParseIntegerOnly() would return
true. Previously, parsing would fail for such cases
and the correct value never returned.
For example, in the following snippet, 5 will now be returned by
the parse(String) invocation, instead of a
ParseException thrown.
NumberFormat fmt = NumberFormat.getPercentInstance(Locale.US);
fmt.setParseIntegerOnly(true);
fmt.parse("500.55%");
DocLint in javac and
javadoc no longer warns about a ///
single-line, dangling comment that starts a file. This is to
accommodate systems that support a stylized comment on the first
line of a source file as a way to "auto-execute" the file.
The Java Virtual Machine Specification is permissive regarding
the number of entries of the
RuntimeVisibleParameterAnnotations and
RuntimeInvisibleParameterAnnotations attributes in the
class file format. The javac tool was
less permissive, and was rejecting class files that
had a different number of entries than javac
expected.
With JDK 24, this is fixed, and javac now accepts
class files with any number of entries in the
RuntimeVisibleParameterAnnotations and
RuntimeInvisibleParameterAnnotations attributes. A
compile-time warning is produced if the content of the attributes
cannot be mapped to the corresponding method's parameters.
The ML-DSA implementation in the SUN provider in JDK 24 encodes the private key in its expanded format, as defined in FIPS 204, into its PKCS #8 encoding. This encoding may change as the related IETF draft is not yet finalized.
The ML-KEM implementation in the SunJCE provider in JDK 24 encodes the decapsulation key in its expanded format, as defined in FIPS 203, into its PKCS #8 encoding. This encoding may change as the related IETF draft is not yet finalized.
On Windows, the OperatingSystemMXBean CPU load
methods, such as getSystemCpuLoad,
getCpuLoad, and getProcessCpuLoad, always
return -1. This error affects CPU usage monitoring of Windows
targets.
This issue was introduced during JDK 24 development. It does not affect earlier releases. It was found too late to be fixed in JDK 24, but will be resolved in an update release.
Integer.numberOfLeadingZeros may return an
incorrect result on x86_64 with AVX2. The issue is caused by an
incorrect JIT compiler optimization. As a workaround, the following
command-line options can be used
-XX:+UnlockDiagnosticVMOptions
-XX:DisableIntrinsic=_numberOfLeadingZeros_i.
New Default limits have been added to HTTP in the JDK.
The JDK built-in implementation of the legacy URL protocol
handler for HTTP, HttpURLConnection, and the new
HttpClient, in the module java.net.http, now have a
default limit on the maximum response headers size they will accept
from a remote party. The limit is set by default at 384kB (393216
bytes) and is computed as the cumulative size of all header names
and header values plus an overhead of 32 bytes per header name
value pair.
The default value of the limit can be changed by specifying a
positive value with the jdk.http.maxHeaderSize system
property on the command line, or in the
$JAVA_HOME/conf/net.properties file. A negative or
zero value is interpreted as no limit. If the limit is exceeded,
the request will fail with a protocol exception.
The JDK built-in implementation of the
com.sun.net.httpserver.HttpServer
(jdk.httpserver) implements a similar limit for the
maximum request header size the server is prepared to accept. The
HttpServer limit can be changed by specifying a positive value with
the sun.net.httpserver.maxReqHeaderSize system
property on the command line. A negative or zero value is
interpreted as no limit. The limit is set by default at 384kB
(393216 bytes) and the size is computed in the same way as
explained above. If the limit is exceeded, the connection is
closed.
In addition, the JDK built-in implementation of the new
java.net.http.HttpClient enforces two additional
limits:
The system property
jdk.httpclient.maxNonFinalResponses can be specified
with a positive value on the java command line, or in
the $JAVA_HOME/conf/net.properties file, to control
how many interim responses the client will accept before receiving
a final response. An interim response is considered informational
and is a response whose status is in the range [100, 199]. These
responses are typically either handled internally or simply
discarded by the implementation. The default limit is now set at a
maximum of 8 interim responses before receiving the final response.
A negative or zero value is interpreted as no limit. If the limit
is exceeded, the request will fail with a protocol exception.
The system property
jdk.httpclient.maxLiteralWithIndexing can be specified
with a positive value on the java command line, or in
the $JAVA_HOME/conf/net.properties file, to control
how many additions a server may request a client to make to the
HPack dynamic table when decoding a set of headers. The default
maximum value is now set to 512. A negative or zero value is
interpreted as no limit. If the limit is exceeded, the request will
fail with a protocol exception.
The following root certificates have been added to the cacerts truststore:
+ SSL.com
+ ssltlsrootecc2022
DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
+ ssltlsrootrsa2022
DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.
TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
If necessary, and at your own risk, you can work around the
restrictions by removing "ENTRUST_TLS" from the
jdk.security.caDistrustPolicies security property in
the java.security configuration file.
The restrictions are imposed on the following Entrust Root certificates included in the JDK:
| Distinguished Name | SHA-256 Fingerprint |
|---|---|
| CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US |
73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C |
| CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 |
| CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 |
| CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 |
| CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net |
6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 |
| CN=AffirmTrust Commercial, O=AffirmTrust, C=US |
03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 |
| CN=AffirmTrust Networking, O=AffirmTrust, C=US |
0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B |
| CN=AffirmTrust Premium, O=AffirmTrust, C=US |
70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A |
| CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US |
BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 |
You can also use the keytool utility from the JDK
to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.
Starting with JDK 24, the jlink --add-modules
ALL-MODULE-PATH option will require users to set the module
path via the --module-path option. Prior to JDK 24,
using --add-modules ALL-MODULE-PATH without
--module-path could be used to create an image with
all JDK modules from $JAVA_HOME/jmods. In JDK 24, to
create an image using ALL-MODULE-PATH, it is required
to explicitly set --module-path. To create an image
with all JDK modules, use jlink --add-modules ALL-MODULE-PATH
--module-path $JAVA_HOME/jmods instead.
New methods have been added to
sun.reflect.ReflectionFactory to allow custom
serialization libraries get MethodHandles to invoke
methods that implement the default behavior for serializable
classes. The new methods are
defaultReadObjectForSerialization and
defaultWriteObjectForSerialization. The method
serialPersistentFields has also been added to allow
custom serialization libraries obtain the
serialPersistentFields from a serializable class.
sun.reflect.ReflectionFactory is an undocumented
API in the jdk.unsupported module. It serves as a
stop-gap for custom serialization that would otherwise need to
break encapsulation to access inaccessible fields.
ProcessBuilder on Windows Quotes Argument Strings
Containing Any Space Character (JDK-8335428
(not public))On Windows, the ProcessBuilder has expanded the
quoting of argument strings when starting a process to ensure they
are recognized by the application as a single command argument. The
set of space characters has been expanded from space
(0x20) to include all space characters as defined by
java.lang.Character.isSpaceChar, which includes all
Unicode space separator characters, such as EN-SPACE (0x2002), and
line separator and paragraph separator characters.
The system property
sun.misc.URLClassPath.disableJarChecking controls
whether the first 4 bytes of JAR files on the class path are
checked to be the magic number for ZIP files ("PK"). The check is
not performed by default.
If the system property is set on the command line to the value
false, then JAR files on the class path are checked.
JAR files used by java.net.URLClassLoader at run time
are also checked. JAR files that fail the check are ignored.
The connect methods defined by
java.net.Socket are now specified, and changed, to
close the Socket if the connection cannot be
established, or the timeout (if provided) expires before the
connection is established.
The behavior in previous JDK releases was to close the
underlying socket when a connection could not be established but
leave the Socket open. The resulting
Socket was "useless" as most methods behaved as if the
Socket was closed.
The behavior of the connect methods when invoked
with an unresolved InetSocketAddress was unspecified
in previous releases. The behavior in JDK 11 and older releases was
to close the underlying socket, throw
UnknownHostException, but leave the
Socket open in a "useless" state. The behavior in JDK
12 to JDK 23 was to throw UnknownHostException without
closing the Socket or underlying socket. This case is
now specified, and changed, to close the Socket, the
underlying socket, and throw UnknownHostException if
the connection cannot be established because the address is
unresolved.
As part of this change, calling the connect method
on a Socket obtained from a SocketChannel
will now throw IOException if already connected. This
is the specified exception for this scenario. The incorrect
behavior in previous releases was to throw
AlreadyConnectedException for this case.
The java.net.http.HttpClient will now report HTTP/2
flow control errors to the server when they are detected. This is
an implementation detail that should be transparent to users of the
HttpClient API, but could result in streams being
reset or connections being closed if connecting to a non-conformant
HTTP/2 server.
Prior to JDK 24, if a java.net.Authenticator is set
on a HttpClient, then any user set
Authorization or Proxy-Authorization
headers will be removed or overwritten by values generated by the
client library. From JDK 24, if such headers are set by the user,
then they will be left in place and the authenticator will not be
invoked for the respective header. In particular, if the
authentication fails for the provided header, the failed response
with the 401 0r 407 status code will be returned directly to the
calling code. One use case for this could be to let the
authenticator handle proxy authentication and for the user to set
the Authorization headers for the server.
java.net.http.HttpClient would previously timeout
if a server didn’t respond to a request which included a
Expect: 100-Continue header.
This release updates
HttpClient to send the request body if the server
doesn’t respond. This brings the implementation in line with RFC
9110.
The Java Virtual Machine (JVM) option
MaxDirectMemorySize controls the maximum total size of
memory that may be used for direct buffers in an instance of the
JVM. Its default value is the maximum size of the heap. Prior to
JDK 24, the amount of memory allocated for internal, temporary
direct buffers such as used, for example, when reading from or
writing to a java.nio.channels.FileChannel, was
included in this total. As of JDK 24, internal use of temporary
direct buffers is no longer included in the total.
In the JDK, java.text.MessageFormat now has an
implementation limit for the ArgumentIndex pattern
element. The hard limit for the value is 10,000.
If an ArgumentIndex value is equal to or exceeds
the upper limit, an IllegalArgumentException will now
be thrown by
MessageFormats constructorsapplyPattern(String pattern) instance methodformat(String pattern, Object... arguments) static
methodDe-serializing a MessageFormat object with an
ArgumentIndex value at or over the limit will throw an
InvalidObjectException.
IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar.
The new tzdata changes also impact some legacy zone IDs. Mapping of EST/MST/HST in java.time.ZoneId.SHORT_IDS have changed from fixed offset zones to links to other existing time zones with 2024b. "EST" now links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". Parsing of the short zone names "EST", "MST", and "HST" is not affected by this change. Further details are available at JDK-8340138
The locale data based on the Unicode Consortium's CLDR has been upgraded to version 46. Besides the usual addition of new locale data and translation changes, there are notable changes from the upstream CLDR, affecting Date/Time/Number formattings:
Note that locale data is subject to change in a future release of the CLDR. Although not all locale data changes affect the JDK, users should not assume stability across releases. For more details, please refer to the Unicode Consortium's CLDR release notes and their locale data deltas.
When redefining a class with JVMTI RedefineClasses,
the new bytecodes are verified with the Class File Verifier
regardless of the setting of the deprecated -Xverify
option.
Unified Logging now outputs a special empty decorator [
] followed by a space after newlines in multiline log
messages. This change allows unambiguous parsing of Unified Logging
output.
To illustrate the change, consider the output of
log_info(gc)("An[gc] B");:
[gc] A
[ ] [gc] B
It is possible to parse this multiline message unambiguously. This was previously not possible, as the output was
[gc] A
[gc] B
which could (and likely would be) parsed as two distinct log
messages A and B.
Tools that currently deal with multiline parsing ambiguities in Unified Logging require an update. The updates will likely result in simpler and more robust implementations.
The CDS archives for the Compact Object Headers feature are not included in the JDK released by Oracle. In order to take advantage of the start-up performance offered by CDS, the user can build the CDS archives with Compact Object Headers as follows:
java -Xshare:dump -XX:+UnlockExperimentalVMOptions
-XX:+UseCompactObjectHeaders
The above command generates the classes_coh.jsa
which is located in the same directory as the default CDS archive
(classes.jsa). For example, on Linux, it is located in
the <jdk>/lib/server directory.
To generate a CDS archive with Compact Object Headers and with compressed oops disabled:
java -Xshare:dump -XX:+UnlockExperimentalVMOptions
-XX:+UseCompactObjectHeaders -XX:-UseCompressedOops
The above command generates the
classes_nocoops_coh.jsa which is located in the same
directory as the default CDS archive with compressed oops disabled
(classes_nocoops.jsa). For example, on Linux, it is
located in the <jdk>/lib/server directory.
This release adds experimental support for compact object
headers. In current 64-bit implementations, Java objects have a
12-byte header. Compact object headers reduce header sizes to 8
bytes, improving the Java heap footprint. This experimental feature
can be enabled with -XX:+UnlockExperimentalVMOptions
-XX:+UseCompactObjectHeaders. Find more details in JEP 450.
As of JDK 24, the Security Manager is permanently disabled. This means that:
java
-Djava.security.manager .... Attempting to do so causes the
JVM to report an error and exit.System::setSecurityManager. Attempting to do
so causes the JVM to throw an
UnsupportedOperationException.SecurityException if denied permission by a
Security Manager have been changed to not throw
SecurityException.$JAVA_HOME/conf/security/java.policy, has been
removed.See JEP 486 for more information. Applications depending on the Security Manager should consider alternatives, such as containers.
In addition, methods in the Security Manager API have been
degraded to either return null or false,
pass through the caller's request, or unconditionally throw a
SecurityException or
UnsupportedOperationException. The full set of
behavioral changes is available here. Most
libraries that use the Security Manager API to check permissions or
execute privileged operations will behave in the same way on JDK 24
as they did on JDK 23 when a Security Manager was not enabled.
However, some libraries may be affected by the following
incompatible changes in JDK 24:
AccessController::checkPermission always throws
AccessControlException.Policy::setPolicy always throws
UnsupportedOperationException.SecurityManager::check* methods always throw
SecurityException.Subject::getSubject always throws
UnsupportedOperationException. Code using this method
should instead use the replacement API
Subject::current which was introduced in JDK 18.See the advice to library developers for more information.
The X.509 encoded format for HSS/LMS public keys has been updated to align with the latest standard outlined in RFC 9708. Notably, the additional OCTET STRING wrapping around the public key value has been removed. For compatibility, public key encodings generated by earlier JDK releases are still recognized.
The Local Computer key store is accessed using the
CERT_STORE_MAXIMUM_ALLOWED_FLAG. Since this store is
typically managed by administrators for security reasons, processes
are only given read-only access to specific private keys. By
opening the store in read-only mode, non-elevated processes can now
securely use these keys without requiring elevated permissions.
The performance of the MessageDigest
implementations that belong to the SHA3 family (SHA3-224, SHA3-256,
SHA3-384, and SHA3-512) has been improved by 6-27%, depending on
digested message length and on the platform used. An additional
30-40% can be experienced on AVX-512 capable platforms due to new
intrinsic implementations on that platform.
The TLS_RSA cipher suites have been disabled by default, by
adding "TLS_RSA_" to the
jdk.tls.disabledAlgorithms security property in the
java.security configuration file. The TLS_RSA cipher
suites do not preserve forward-secrecy and are not commonly used.
Some TLS_RSA cipher suites are already disabled because they use
DES, 3DES, RC4, or NULL, which are disabled. This action disables
all remaining TLS_RSA cipher suites. Any attempts to use cipher
suites starting with "TLS_RSA_" will fail with an
SSLHandshakeException. Users can, at their own risk,
re-enable these cipher suites by removing "TLS_RSA_" from the
jdk.tls.disabledAlgorithms security property.
The javadoc for SSLSessionContext has been reworded
to make it clear that when the timeout limit is exceeded for a
session, the object is marked so that future connections cannot
resume or rejoin the session. Active sessions can continue to be
used so long as resume and rejoin operations are not attempted.
If an entry is removed from a signed JAR file, there is no
mechanism to detect that it has been removed using the
JarFile API, since the getJarEntry method
returns null as if the entry had never existed. With
this change, the jarsigner -verify command analyzes
the signature files and if some sections do not have matching file
entries, it prints out the following warning: "This JAR contains
signed entries for files that do not exist". Users can further find
out the names of these entries by adding the -verbose
option to the command.
udp_preference_limit is a krb5.conf
setting to control how a KDC-REQ message is sent. If the size of
the message is greater than the value of
udp_preference_limit, TCP will be used; otherwise UDP
will be used. Before this change, setting it to zero is ignored and
the message is sent with UDP. With this change, setting it to zero
forces the message to be sent with TCP. This behavior is consistent
with other Kerberos 5 vendors.
Refactoring javac to support JEP 492 exposed some existing
problems regarding local classes and static contexts. For
example:
class O {
static void foo(int x) {
class C { // in static context, so no enclosing instance
void outer() {
System.out.println(x); // capture x
}
}
class U {
static void test() {
new C(); // (a)
}
}
}
public static void main(String[] args) {
foo(42);
}
}
javac 23 compiles this program, but executing the
classfile for class O throws an internal exception trying to create
the instance at position (a).
javac 24 requires that any new expression creating
an instance of a class C where C is an inner local class that
appears in a static context, should appear in the same static
context. Thus the new expression at position (a) results in a
compile-time error.
There is a similar fix for new expressions that create instances of anonymous classes, that is, new expressions with class bodies.
A similar issue surrounds super constructor invocations in a local class that is in a static context different from the static context containing the superclass. For example:
class O {
static void foo(int x) {
class C { // in static context, so no enclosing instance
void foo() {
System.out.println(x); /* capture x */
}
}
class I {
static void i(int y) {
class U extends C { // in static context, so no enclosing instance
U(){
super();
System.out.println(y); /* capture y */
}
}
var _ = new U(); // (b)
}
public static void main(String[] args) {
}
}
}
}
javac 23 compiles this code, but executing the
class file for class I results in a verifier error. There is no way
to correctly instantiate class U, so the new expression at position
(b) is always broken.
With javac 24, the class declaration of U results
in a compile-time error.
Lambda expressions and method references are sometimes
translated as methods by the javac compiler. As of
this release, the name of the generated methods for
non-serializable lambdas and method references has been updated.
Such updates might be visible when inspecting the content of a
class containing non-serializable lambdas and method references
using core reflection.
Moreover, the EnclosingMethod attribute for local
and anonymous classes declared inside lambda expressions has been
fixed to be compliant with JVMS 4.7.7 which states:
In particular, method_index must be zero if the current class was immediately enclosed in source code by an instance initializer, static initializer, instance variable initializer, or class variable initializer.
This means that the following code:
class Outer {
Runnable action = () -> {
class Inner() { }
System.out.println(Inner.class.getEnclosingMethod());
}
public static void main(String[] args) {
new Outer().action.run();
}
}
will now, correctly, print null. That is, the local
class Inner has no enclosing method. Earlier versions
incorrectly reported the enclosing method of Inner to
be the generated method for the lambda expression.
Command line arguments to the Java launcher are no longer converted with Windows' "best-fit" mapping when the arguments include unmappable characters for the ANSI code page. This mapping has been intervening in the Java launcher's argument parsing. Unmappable characters are now replaced with the default replacement character, such as '?' in some cases. For rare cases, where applications need those unmappable characters on the command line, select UTF-8 in Windows Regional Settings.
The default value of the property for XSLT and XPath Extension
Functions, jdk.xml.enableExtensionFunctions, has been
changed from true to false, which disables Extension Functions.
If an application handles XML transformation with a stylesheet that uses Extension Functions, it may encounter processing error such as the follows:
Use of the extension function '[function name]' is not allowed when extension functions are disabled
by the secure processing feature or the property 'jdk.xml.enableExtensionFunctions'. To enable extension
functions, set 'jdk.xml.enableExtensionFunctions' to 'true'.
For applications that require extension functions, the solution
is to set the property
jdk.xml.enableExtensionFunctions to true. This can be
done via the Transform API, e.g.
transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature("jdk.xml.enableExtensionFunctions", true);
Or in the JAXP Configuration File. A template for creating Strict JAXP Configuration File, jaxp-strict.properties.template, was provided in JDK 23 for developers to assess and prepare for this type of changes. To set the property, copy the template and create a custom configuration file:
cp $JAVA_HOME/conf/jaxp-strict.properties.template /<my_path>/jaxp-strict.properties
Edit and change the setting as follows:
jdk.xml.enableExtensionFunctions=true
Furthermore, as a system property, the property can also be set on the commandline, e.g.:
java -Djdk.xml.enableExtensionFunctions=true myApp`
The JDK's XML Processing Limits (known as JAXP Limits) are adjusted to be more in line with general applications. In particular, the default values of the limits are tuned down to more closely align with known DTDs.
If an application processes XML documents that reference an extremely large DTD, it may encounter a parsing error such as the follows:
JAXP00010001: The parser has encountered more than "2500" entity expansions in this document;
this is the limit imposed by the JDK.
To resolve the issue, application may increase the limit via the JAXP API. Using DOM processor as an example, the following code increases the expansion limit to 5000:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setAttribute("jdk.xml.entityExpansionLimit", 5000);
Or in the JAXP Configuration File. A template for creating
Strict JAXP Configuration File,
jaxp-strict.properties.template, was provided in JDK
23 for developers to assess and prepare their applications for the
changes.
To set the property in the configuration file, copy the template and create a custom configuration file:
cp $JAVA_HOME/conf/jaxp-strict.properties.template. /<my_path>/jaxp-strict.properties
Edit and change the setting as follows:
jdk.xml.entityExpansionLimit=5000
As a system property, this property can also be set on the commandline, e.g.:
java -Djdk.xml.entityExpansionLimit=5000 myApp
The Java tutorial, JAXP Processing Limits, provides a debug solution that can be used to analyze the usages and estimate the limits.
