Skip to main content
Version: 8.2607.x.x LTS

Appendix J - Java 25 upgrade

nevisAuth LTS-26 (8.2607.x) requires Java 25. Customers upgrading from LTS-24 (which shipped with Java 17) can upgrade directly to Java 25. Java 25 includes all changes introduced in Java 21 and later releases; the relevant breaking changes are summarized in this appendix.

Previous Java migration

For reference, the Java 8 to Java 17 migration guide is available in Appendix I. The structure and recommendations in this appendix follow the same pattern.

Custom auth states

It is strongly recommended to recompile custom Java auth states, REST services, and SOAP services using Java 25 and the nevisAuth LTS-26 artifacts. Custom auth states compiled with Java 17 may fail at runtime even if the build succeeds.

Nevis does not recommend and will not provide support for using Java 17-compiled custom Java auth states or services with nevisAuth LTS-26.

Java version requirements per nevisAuth release

nevisAuth versionMinimum Java version
7.2405.x (LTS-24)Java 17
8.2505.3.5 and later rolling releasesJava 21
8.2607.x (LTS-26, planned)Java 25

When upgrading directly from LTS-24 to LTS-26, the operating system Java package must be updated to Java 25 before starting the new nevisAuth instance.

Java 21-era changes included in Java 25

TLS cipher changes

Java releases since Java 21 have progressively restricted legacy TLS ciphers. If a connection between nevisAuth and a backend relies exclusively on a cipher that has been disabled, the connection will fail after the upgrade. Review the JDK security properties release notes for the list of affected ciphers and verify that your backends support at least one currently enabled cipher.

JVM flags

Java 21 strengthened encapsulation of internal JDK APIs introduced in Java 9. If your nevisAuth instance or custom auth states use --add-opens or --add-exports JVM flags in env.conf, review them for continued necessity. Flags referencing APIs that have been removed or relocated will cause JVM startup warnings or errors.

Java 25 changes

Java 25 is a Long-Term Support release. The main areas of change relevant for nevisAuth deployments are:

Removed and restricted internal APIs

Certain internal APIs that were accessible in Java 17 and Java 21 via reflection may no longer be accessible in Java 25 without explicit --add-opens flags. Custom auth states that use reflection to access non-public JDK internals must be reviewed and updated to use supported public APIs.

Custom auth state recompilation

Recompile all custom Java auth states, REST services, and SOAP services against the nevisAuth LTS-26 artifacts and Java 25. See Developing AuthStates for general guidance on building custom auth states. Verify that:

  • The source and target compiler flags in your Maven or Gradle build are set to 25 or later.
  • No deprecated APIs that were removed between Java 17 and Java 25 are in use.
  • Unit tests pass against the new Java version.

The nevisAuth SDK artifact coordinates for LTS-26 are:

<dependency>
<groupId>ch.nevis</groupId>
<artifactId>nevisauth-sdk</artifactId>
<version>8.2607.0</version>
</dependency>
Testing recommendation

Run the full test suite of your custom auth states against Java 25 before deploying to production. Runtime failures that are not caught by the compiler (for example, reflection-based access failures) will only appear when the auth state is loaded or executed.