-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Migration Guide 3.18
In dev and test mode, the management interface will now listen on the localhost
interface by default (instead of 0.0.0.0
) to be made consistent with the behavior of the main interface.
Note that similarly to what has been done for the main interface, on Windows with WSL, it will continue to listen to 0.0.0.0
.
For JSON templates the "
, \
and the control characters (U+0000
through U+001F
) are escaped by default if a corresponding template variant is set. In Quarkus, a variant is set automatically for templates located in the src/main/resources/templates
. By default, the java.net.URLConnection#getFileNameMap()
is used to determine the content-type of a template file. The additional map of suffixes to content types can be set via quarkus.qute.content-types
. If you need to render the unescaped value use the raw
or safe
properties implemented as extension methods of the java.lang.Object
, or wrap the String
value in a io.quarkus.qute.RawString
.
This release of Quarkus includes SmallRye Fault Tolerance 6.7.0. This version technically does not contain any breaking changes, but:
-
The first version of the programmatic API (
FaultTolerance
,@ApplyFaultTolerance
) is deprecated and will be removed in SmallRye Fault Tolerance 7.0. The second version (Guard
,TypedGuard
,@ApplyGuard
) is relatively similar, but there are still significant differences. -
The specification-defined configuration properties can still be used, but there are Quarkus-native configuration properties now.
See the SmallRye Fault Tolerance 6.7.0 release announcement (https://smallrye.io/blog/fault-tolerance-6-7-0/) for more information, including links to the migration guides for the programmatic API and a description of the new configuration properties. The Quarkus guide for SmallRye Fault Tolerance includes a full reference of the new configuration properties as well.
Query parameters set to an empty value (for example: ?foo=
) used to produce an empty String
value (""
) when deserialised as @RestQuery String foo
or a collection of size one with an empty string value when deserialised as @RestQuery List<String> foo
.
This has been changed in https://github.com/quarkusio/quarkus/pull/42468#issuecomment-2302312141 to produce a null
value when deserialised as @RestQuery String foo
and an empty collection when deserialised as @RestQuery List<String> foo
.
This release is now updated to Flyway 11, which removes the cleanOnValidationError
configuration. Because of that, the team decided to delete the configuration instead of deprecating it.
The quarkus-security-webauthn
module has been reimplemented on top of [WebAuthn4J](https://github.com/webauthn4j/webauthn4j). As a result, it is not binary or source compatible with the previous versions, and you must update the following code:
-
The
Authenticator
type -
The
Authenticator
class (from Vert.x) is no longer used, and has been replaced functionally withWebAuthnCredentialRecord
. It holds similar data to the previous class, but as it is a subtype of a WebAuthn4J type, accessing its content is slightly different. -
Its replacing type
WebAuthnCredentialRecord
now has agetRequiredPersistedData()
method which returns aRequiredPersistedData
record holding all the data you need to persist to your data source (database, or anything persistent), to make it easier. -
The static method
WebAuthnCredentialRecord.fromRequiredPersistedData(RequiredPersistedData)
allows you to turn your stored data into aWebAuthnCredentialRecord
for the opposite operation. -
If you had any JPA entities or database tables storing the old
Authenticator
format of data, you will need to update them to the new set of data. Open an issue if you need help for that. -
The
WebAuthnUserProvider
type that you had to implement has been restructured: -
findWebAuthnCredentialsByUserName()
was renamed tofindByUserName()
-
findWebAuthnCredentialsByCredID()
was renamed tofindByCredentialId()
-
updateOrStoreWebAuthnCredentials
was split into the two methods it represented:update(String credentialId, long counter)
andstore(WebAuthnCredentialRecord credentialRecord)
-
Default endpoints:
-
/q/webauthn/login
was renamed to/q/webauthn/login-options-challenge
-
/q/webauthn/register
was renamed to/q/webauthn/register-options-challenge
-
/q/webauthn/callback
was split into the two operations it represented:/q/webauthn/login
and/q/webauthn/register
. These endpoints are now disabled by default (for security reasons) and can be enabled using thequarkus.webauthn.enable-registration-endpoint
andquarkus.webauthn.enable-login-endpoint
configuration properties. -
/q/webauthn/register
now requires ausername
query parameter. -
/.well-known/webauthn
was added to return the list of allowed related origins -
The user name for
login
andlogin-options-challenge
is now optional -
WebAuthnSecurity
-
Two methods have been added to
WebAuthnSecurity
:getLoginOptionsChallenge()
andgetRegisterOptionsChallenge()
to make it easier to call and customise them. -
The user name parameter for
login()
andloginOptionsChallenge()
is now optional -
The
register()
method now takes an additionaluserName
parameter (due to the removal of the username cookie) -
Configuration:
-
The
quarkus.webauthn.require-resident-key
(boolean defaulting tofalse
) setting has been replaced by thequarkus.webauthn.resident-key
(enum defaulting toREQUIRED
) -
The
quarkus.webauthn.challenge-username-cookie-name
setting has been removed along with its related cookie. -
The
quarkus.webauthn.load-metadata
(boolean defaulting tofalse
) setting has been added to control loading of FIDO metadata. -
The
quarkus.webauthn.user-presence-required
(boolean defaulting totrue
) setting has been added to control the requirement of user presence. -
The
quarkus.webauthn.user-verification
setting has changed default fromDISCOURAGED
toREQUIRED
. -
The
quarkus.webauthn.timeout
default has increased from1 minute
to5 minutes
as specified in the WebAuthn standard -
The
quarkus.webauthn.pub-key-cred-params
setting has been renamed toquarkus.webauthn.public-key-credential-parameters
-
The
quarkus.webauthn.origin
setting has been renamed toquarkus.webauthn.origins
(plural) and now allows more than one origin (as required by spec) -
The new
quarkus.webauthn.enable-registration-endpoint
boolean configuration (defaults tofalse
) enables the default registration endpoint. -
The new
quarkus.webauthn.enable-login-endpoint
boolean configuration (defaults tofalse
) enables the default login endpoint. -
The verification of WebAuthn credential attestations may differ slightly for settings of
quarkus.security.webauthn.attestation
other thanNONE
(the default). -
In the
quarkus-test-security-webauthn
test module: -
The
WebAuthnHardware
contructor now requires aURL
to represent the location of your endpoints, you can obtain in your test classes it using@TestHTTPResource URL url
-
The
WebAuthnEndpointHelper.invokeRegistration
method was renamed toobtainRegistrationChallenge
-
The
WebAuthnEndpointHelper.invokeLogin
method was renamed toobtainLoginChallenge
-
The
WebAuthnEndpointHelper.invokeCallback
method was split into the two operations it represented:WebAuthnEndpointHelper.invokeRegistration
andWebAuthnEndpointHelper.invokeLogin
-
The
WebAuthnEndpointHelper.invokeLogin
andWebAuthnEndpointHelper.obtainLoginChallenge
user name parameter is now optional -
The
WebAuthnEndpointHelper.invokeRegistration
method now takes auserName
parameter -
JavaScript library:
-
The
registerOnly
method has been renamed toregisterClientSteps
-
The
loginOnly
method has been renamed tologinClientSteps
-
The
login
andloginClientSteps
method’suser
parameter is now optional -
The constructor’s
registerPath
has been renamed toregisterOptionsChallengePath
and has the default value/q/webauthn/register-options-challenge
-
The constructor’s
loginPath
has been renamed tologinOptionsChallengePath
and has the default value/q/webauthn/login-options-challenge
-
The constructor’s
callbackPath
has been split into its two componentsregisterPath
(default value/q/webauthn/register
) andloginPath
(default value/q/webauthn/login
-
The constructor now accepts a
csrf
option of typeJsonObject
with two keys:header
for the header name to use to add the CSRF token, andvalue
for the CSRF token value. This is mostly useful when using [quarkus-csrf
](https://quarkus.io/guides/security-csrf-prevention) and using custom endpoints that are protected by CSRF (unlike the default endpoints).
We have also downgraded its status from preview
to experimental
to allow extra bake time with those changes.