Appendix J - Java 25 upgrade
nevisAuth LTS-26 (8.2607.x) requires Java 25. Customers upgrading from LTS-24 (which shipped with Java 17) can upgrade directly to Java 25. Java 25 includes all changes introduced in Java 21 and later releases; the relevant breaking changes are summarized in this appendix.
For reference, the Java 8 to Java 17 migration guide is available in Appendix I. The structure and recommendations in this appendix follow the same pattern.
It is strongly recommended to recompile custom Java auth states, REST services, and SOAP services using Java 25 and the nevisAuth LTS-26 artifacts. Custom auth states compiled with Java 17 may fail at runtime even if the build succeeds.
Nevis does not recommend and will not provide support for using Java 17-compiled custom Java auth states or services with nevisAuth LTS-26.
Java version requirements per nevisAuth release
| nevisAuth version | Minimum Java version |
|---|---|
| 7.2405.x (LTS-24) | Java 17 |
| 8.2505.3.5 and later rolling releases | Java 21 |
| 8.2607.x (LTS-26, planned) | Java 25 |
When upgrading directly from LTS-24 to LTS-26, the operating system Java package must be updated to Java 25 before starting the new nevisAuth instance.
Java 21-era changes included in Java 25
TLS cipher changes
Java releases since Java 21 have progressively restricted legacy TLS ciphers. If a connection between nevisAuth and a backend relies exclusively on a cipher that has been disabled, the connection will fail after the upgrade. Review the JDK security properties release notes for the list of affected ciphers and verify that your backends support at least one currently enabled cipher.
JVM flags
Java 21 further strengthened the encapsulation of internal JDK APIs that was introduced in Java 9. If your nevisAuth instance or custom auth states use --add-opens or --add-exports JVM flags in env.conf, review them for continued necessity. Flags referencing APIs that have been removed or relocated will cause JVM startup warnings or errors.
Java 25 changes
Java 25 is a Long-Term Support release. The main areas of change relevant for nevisAuth deployments are:
Removed and restricted internal APIs
Certain internal APIs that were accessible in Java 17 and Java 21 via reflection may no longer be accessible in Java 25 without explicit --add-opens flags. Custom auth states that use reflection to access non-public JDK internals must be reviewed and updated to use supported public APIs.
Custom auth state recompilation
Recompile all custom Java auth states, REST services, and SOAP services against the nevisAuth LTS-26 artifacts and Java 25. See Developing AuthStates for general guidance on building custom auth states. Verify that:
- The source and target compiler flags in your Maven or Gradle build are set to 25 or later.
- No deprecated APIs that were removed between Java 17 and Java 25 are in use.
- Unit tests pass against the new Java version.
The nevisAuth SDK artifact coordinates for LTS-26 are:
```xml
<dependency>
  <groupId>ch.nevis</groupId>
  <artifactId>nevisauth-sdk</artifactId>
  <version>8.2607.0</version>
</dependency>
```
Run the full test suite of your custom auth states against Java 25 before deploying to production. Runtime failures that are not caught by the compiler (for example, reflection-based access failures) will only appear when the auth state is loaded or executed.
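A pre-deployment check for the recompilation requirement above, added here as an example and not part of the Nevis documentation or tooling: it reads the class-file header of every class in a JAR and reports those compiled for a release older than Java 25 (class-file major version 69). The class names in the constructed sample JAR are hypothetical.

```python
import io
import struct
import zipfile

JAVA_25_MAJOR = 69  # class-file major version = Java feature release + 44


def class_major(data: bytes):
    """Return the class-file major version, or None if data is not a class file."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        return None
    _minor, major = struct.unpack(">HH", data[4:8])
    return major


def scan_jar(jar, required_major=JAVA_25_MAJOR):
    """Group classes compiled below required_major by the Java release they target.

    `jar` is a path or a binary file object. Entries that end in .class but
    lack the 0xCAFEBABE magic are reported under the key "invalid".
    """
    older = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            with zf.open(name) as fh:
                major = class_major(fh.read(8))
            if major is None:
                older.setdefault("invalid", []).append(name)
            elif major < required_major:
                older.setdefault(f"Java {major - 44}", []).append(name)
    return older


def build_sample_jar():
    """Constructed sample: one header stamped Java 17, one stamped Java 25."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, major in (("com/example/LegacyAuthState.class", 61),
                            ("com/example/NewAuthState.class", 69)):
            zf.writestr(name, b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for release, classes in scan_jar(build_sample_jar()).items():
        print(f"{release}: {len(classes)} class(es), e.g. {classes[0]}")
```

A clean scan only confirms the compiler target; reflection-based access failures still require running the test suite on Java 25.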