Eclipse GlassFish, the trusted application server for enterprise Java, has reached new milestones with its latest updates. Here’s what you need to know:
- Jakarta EE 11 Compliance: GlassFish is the first to pass the Jakarta EE 11 Web Profile TCK and Platform TCK, supporting Java 17 and 21.
- Performance Boosts: Deployment times on for big applications have improved, dropping from 110 seconds to 92 seconds with caching.
- JDK 24 Support: GlassFish 7.0.24 (April 2025) fully supports JDK 24, ensuring compatibility with the latest Java features.
- Enhanced Security: Fixes for critical vulnerabilities (CVE-2024-9329, CVE-2024-8646) and improved admin login processes.
- Multitude of fixes: 45 fixes and multiple maintenance improvements in the previous 6 months
These updates ensure GlassFish remains a reliable and modern platform for enterprise Java applications, with enhanced performance, security, and developer tools.
New Features in Latest GlassFish Releases
The latest GlassFish updates bring a stronger emphasis on security, support for modern Java versions, and better concurrency handling. These enhancements aim to elevate application performance while making life easier for developers. Here’s a closer look at some of the standout features in these releases.
TLS Protocol Deprecation Strategy
Security just got a serious upgrade. GlassFish now includes improved admin login processes and automatic password masking in logs. These changes help organizations stay aligned with industry standards like PCI DSS and SOX, reducing the chances of sensitive data being exposed during routine operations.
JDK 24 Compatibility Preparations
GlassFish 7.0.24, launched in April 2025, takes a big step forward by fully supporting JDK 24. Core components such as CORBA, ORB, and PFL have been updated to match JDK 24’s architecture. Additionally, JDK 24 guards have been added to AccessController.checkPermission, ensuring seamless integration with Java’s security framework.
With this release, GlassFish can now compile and run on Java versions ranging from JDK 11 to JDK 24. Rigorous testing ensures that applications running on the latest Java versions remain just as stable as those on long-term support releases.
Virtual Thread Support Improvements
Performance gets a major boost with the experimental virtual thread support in HTTP threads for GlassFish 7 by OmniFish. GlassFish 8 milestone versions have updated the Jakarta Concurrency API (v3.1). Developers can activate virtual threads using the @ManagedExecutorDefinition(virtual = true) annotation, allowing for higher throughput with minimal code adjustments.
The advantages are clear: virtual threads have a smaller memory footprint and are stored in the Java heap, enabling thousands of concurrent threads without hitting system limits.
Demistifying Java Virtual Threads: Lessons Learned From Adding Them to GlassFish – presented at JakartaOne 2024
Jakarta EE 11 Specification Alignment
GlassFish has been at the forefront of Jakarta EE 11’s development, driving progress in both core specifications and the validation process. This work marks a significant leap in enterprise Java, offering developers access to modern Java features while maintaining the stability required for production environments.
Web Profile and Platform Implementation
Eclipse GlassFish set a milestone by becoming the first implementation to pass the Jakarta EE 11 Web Profile TCK, and the full Jakarta EE 11 Platform TCK later. This achievement highlights the platform’s dedication to adhering to standards and supporting the latest Java features.
GlassFish incorporates updated APIs across various runtime layers. With Jakarta EE 11, the baseline now supports newer long-term support versions of Java, including Java 17 and the recommended Java 21. This upgrade lets developers leverage modern Java capabilities, such as records, while enhancing CDI (Contexts and Dependency Injection) integration across multiple specifications.
Looking ahead, GlassFish 8 is preparing to fully support the Jakarta EE 11 Platform with additional enhancements and features. This release will bring exciting new features like Jakarta Data 1.0, enabling repository-style data access through method-based queries with Jakarta Persistence (JPA) entities, as well as Jakarta NoSQL entities.. Additionally, it will include Jakarta NoSQL support, facilitating integration with databases such as document, key-value, column, and graph databases.
Jakarta EE TCK Validation
The Technology Compatibility Kit (TCK) validation for Jakarta EE 11 presented unique challenges, which the GlassFish team tackled head-on. The OmniFish engineering team played a pivotal role in refactoring and modularizing the Jakarta EE TCK, simplifying its maintenance and adoption.
The team also updated TCK tests to ensure compatibility with both Java 17 and Java 21. This work established a reliable validation process for the Jakarta EE ecosystem. Although refactoring delays impacted the timeline, the validation efforts successfully spanned multiple Java versions, with GlassFish serving as the platform for ratifying Jakarta EE 11 Platform and Web Profile specifications on both Java 17 and Java 21.
Beyond TCK validation, the OmniFish engineering team contributed to key specifications during the Jakarta EE 11 release, including updates to Jakarta Concurrency, Jakarta Faces, and Jakarta Security. This thorough validation process reinforces GlassFish’s role as a reference standard for enterprise Java, providing developers with the confidence to build portable, standards-compliant applications within the Jakarta EE ecosystem.
Performance and Security Improvements
The latest GlassFish releases bring notable upgrades in both performance and security, thanks to system optimizations and streamlined code maintenance. These updates focus on enhancing resource management while tightening security measures.
Ephemeral Port Allocation Fixes
One key improvement addresses file handling inefficiencies that previously slowed deployments, particularly on Windows systems. By adopting the Files.walkFileTree method and shifting from URI-based operations to a more efficient Path-based approach, these bottlenecks have been significantly reduced in GlassFish.
For example, GlassFish 7.0.24 improved deployment times, cutting them by around 20% for bigger applications. On an example Windows environment deploying a big EAR application, the time was reduced from 110 seconds to 100 seconds. With implementation of additional caching, deployment times dropped further to 92 seconds. Additionally, the introduction of try-with-resources patterns ensures better resource management by preventing leaks.
Security Patch Integration
GlassFish 7.x has also prioritized addressing critical vulnerabilities. Two major security issues have been resolved:
- CVE-2024-9329: This vulnerability, found in versions prior to 7.0.17, allowed the Host HTTP parameter to redirect web applications to specific URLs, posing phishing risks.
- CVE-2024-8646: Found in versions before 7.0.10, this issue involved URL redirection to untrusted sites due to a flaw in the Apache code used by GlassFish.
“Furthermore, GlassFish has received a few security improvements: the admin flow login was improved by Alexander Pinčuk, and the OmniFish team improved the command logger, which now hides passwords in logged messages.”
On top of that, in cooperation with the Eclipse Foundation security auditing team, GlassFish silently received additional security fixes. Information about them is not publicly disclosed for security concerns.
Connection Pool Management Updates
Another area of enhancement is connection pool management and handling of distributed transactions. Although this mechanism is fairly complex and it was implemented in GlassFish in a reasonably robust way, the implementation itself was traditionally poorly designed and prone to occasional defects that happened in specific scenarios. With the help of community contributor R.M.Morrien, GlassFish team was able to improve the design, fix a few defects and improve stability of connection pools in GlassFish.
Enterprise Support and Services for GlassFish
While open-source updates keep GlassFish evolving, enterprise environments often demand more. That’s where OmniFish steps in, offering a suite of services designed to keep GlassFish running smoothly in production. These services go beyond configuration tuning and technical updates, ensuring enterprises can rely on the platform for performance, reliability, and security, with immediate security patches and bug fixes.
Get expert support for Eclipse GlassFish and Piranha Cloud. Ensure secure, modern,
and high-performing enterprise Java applications with OmniFish.
Conclusion: Moving Forward with GlassFish
The latest updates to GlassFish mark a step forward for modern Java application development, keeping pace with evolving standards while delivering the stability enterprises rely on.
GlassFish’s alignment with Jakarta EE 11 stands out, with a successful TCK passes confirming the Web Profile specification’s final approval on in March, 2025 and the complete Platform specification’s final approval in June, 2025. Without GlassFish and signification contributions by OmniFish, these Jakarta EE 11 releases would be much more delayed.
Beyond new features, the updates bring noticeable performance improvements, many fixes for old bugs and significant security fixes and improvements.
A example quote from GlassFish 7.0.21 release notes:
“This release was all about hunting bugs: Restart hanging on fast machines (including ephemeral ports appearing when stopping GlassFish), random 403 responses for authenticated sessions, and Faces failing to initialize on GlassFish Embedded. We’re proud to announce that after a lot of research and a lot of work, we were able to squash them all.”
– GlassFish Team
Modernization was another theme. GlassFish 7.0.24 introduces early JDK 24 support, following the general goal to support the latest Java releases as fast as possible.
For enterprises, the combination of open-source updates and professional support from the OmniFish company adds extra value and guarantees.
