Release Notes - Payara Platform Community 5.2022.5

Supported APIs and Applications

  • Jakarta EE 8

  • Jakarta EE 8 Applications

  • Jakarta EE 9

  • MicroProfile 4.1


Payara 5.2022.5 is the final release of Payara 5 Community. Payara 5 Community will receive no more bug fixes, updates or improvements. Payara 5 Community is now replaced by Payara 6 Community, to be used with Jakarta EE 10. If you want to keep using earlier Java EE/Jakarta EE versions, we encourage you to move to Payara 5 Enterprise.


  • [FISH-5809] Include jdk.internal.reflect packages in OSGi boot delegation configuration settings

  • [FISH-6495] Hazelcast File Configuration in Payara Embedded

Security Fixes

  • [FISH-6715] Upgrade Apache BCEL to 6.6.1

  • [FISH-6775] Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module.

Special thanks to Luc Créti and Jean-Michel Lenotte, working for Atos, for alerting us to the vulnerability fixed in FISH-6775.

Bug Fixes

  • [FISH-5778] The OpenApi @Schema "name" Property does not Rename Annotated Class Attribute

  • [FISH-5798] OpenAPI annotation @Parameter(…​ explode = Explode.TRUE) gives stacktrace

  • [FISH-5808] JAX-RS Subresources don’t Appear in OpenAPI Document

  • [FISH-6022] MicroProfile JWT Token verified on unauthorized endpoints

  • [FISH-6047] Single-Sign-On logout action not working correctly when used with Jakarta EE Security features

  • [FISH-6066] Invalid property 'default-web-xml' on instance start-up

  • [FISH-6299] Expired/Invalid JWT-Token and CORS-errors

  • [FISH-6499] NullPointerException When Deploying An Application

  • [FISH-6567] LDAP Realm Breaks with Java 11.0.15

  • [FISH-6598] Fix Authentication Mechanism Lookup for Per-Module Auth Configuration in EAR

  • [FISH-6606] Empty Zip File Error When Deploying via Admin Console

Component Upgrades