Please be aware that there is newer version of documentation available for Webswing. Documentation 25.2
Release Notes
The Webswing version 25.1 comes with Linked View feature, configuration and deployment improvements, extended JavaFX support and other enhancements and bug fixes.
25.1.8
Release date: December 5th 2025
- #1202 DirectDraw glyph rendering fixed
- #798 API for MacOS input map override
- #1215 Cannot paste or scan into focused input after tap outside
- #1230 Fixed Robot screenshot capture with PNG rendering and HiDPI
- #1216 Fixed initialization of undocked windows in MacOS in fullscreen
- #1226 Fixed serialization and content type of manifest.json
Fixed 3rd party vulnerabilities
- Race Condition - Critical Severity CVE-2025-12383
25.1.7
Release date: November 12th 2025
- #1221 Internal Server Error not redirected to custom 500 error page
- #1205 When websocketUrlLoader.script fails active connections are dropped
- #1210 LDAP authentication issue
- #1206 REST API - getSessions filter by username
- #1204 JavaFX app does not repaint after page refresh in DD
- #1201 Memory leak for [Process exit status timer]
- #1199 Stealing disconnected session after logout not working
- #1198 Fixed recovering process of resilient instance
Fixed 3rd party vulnerabilities
- Relative Path Traversal (Tomcat) - High Severity CVE-2025-55752
- Improper Resource Shutdown or Release (Tomcat) - Medium Severity CVE-2025-61795
25.1.6
Release date: October 7th 2025
- #1196 Fix reconnect of CONTINUE_FOR_TAB after browser network fail
- #1195 Cannot maximize window with minimum size when taskbar is not used
- #1194 Refactor font loading to avoid using data uri
- #1193 Fix updating of REST users map on config change
- #1191 MouseListener mouseExited(MouseEvent e) isn't reported when the mouse exits the frame
- #1189 Fix embedded Tomcat host config for http connector
- #1187 Improve Admin console Overview SP data reporting, check for inconsistent state reported by server, add warning messages
- #1186 HtmlPanel in JFXPanel does not hide when JFXPanel hides
- #1185 Session pool reconnect race condition fix
- #1184 Keyboard navigation not working when accessibility is ON, fixed continueOldSessionDialog actions for non-iOS touch devices
- #1183 Fix reliability of Desktop.open(file) when downloading many files at once
- #1182 Resolve security context only for paths in restricted resources config
- #1181 Fix variable resolution for idle session configuration
- #1181 Ensure idle session prelaunch start in non-daemon thread to prevent JVM termination
- #1175 Fix the i18n breaking change with pluralization, fixes UI bug after update of recharts
- #1163 Fix resolving config fields from extended interfaces
- #904 Admin console Overview improvement, added refresh button
25.1.5
Release date: September 5th 2025
- #1179 NPE in Admin Console when app is disabled
- #1173 Added lock/unlock listener to Webswing API
- #1178 Decoration buttons not scaled correctly in PNG rendering
- #1176 Add version information to the Admin Console
- #1177 Regression: printAll does not print window decoration
- #1174 Custom args variable not replaced if no args provided
Fixed 3rd party vulnerabilities
- Improper Resource Shutdown or Release - High Severity CVE-2025-48989
- Allocation of Resources Without Limits or Throttling - Medium Severity CVE-2025-8916
- Regular Expression Denial of Service - Medium Severity CVE-2025-27789
25.1.4
Release date: August 7th 2025
- #1134 JVM shared with multiple users in a single browser
- #1155 Validator for variable substitutor
- #1170 Redirect session logs directly to Log4j
- #1152 CVE-2025-52495 - JWT Token Exposure in Log Download URL [Low Severity]
- #1172 Upload and delete operations fail on Samba (SMB) network share
- #1160 Fixed NPE in Component.getMousePosition
- #1163 A lot of proxy classes loaded in heap space - fixed MetadataGenerator
- #1165 Keyboard issue with Zebra Android
- #1167 Copy bar does not show on Safari > 13
- #1168 Webswing servlet shutdown issue with idle instances
- #1162 JFrame inconsistent behavior of getExtendedState and setExtendedState
- #1171 Fixed session log loading twice in session detail in Admin Console
- #1156 Added requestTabCloseTimeout as bootstrap option in configuration
- #1166 Allow configuration of boot class path using advanced settings
- #1159 Add better naming for table cell in requestComponentTree
- #1164 Application with JavaFX embedded in JDK doesn't start on Windows with space in path
Fixed 3rd party vulnerabilities
- Uncontrolled Recursion - High Severity CVE-2025-48924
- Allocation of Resources Without Limits or Throttling - High Severity CVE-2025-53506
- Integer Overflow or Wraparound - High Severity CVE-2025-52520
- Race Condition - High Severity CVE-2025-52434
25.1.3
Release date: July 4th 2025
- #1157 Fixed OIDC Logout from root context selector
- #1150 Reintroduced loading div to default index.html
- #1141 Admin Console: toast and tooltip component refactor
- #1141 Admin Console: sticky buttons for app/web config
- #786 Improve LDAP configuration description
- #1154 Application stuck on shutdown with session pool resilience
Fixed 3rd party vulnerabilities
- Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat - High Severity CVE-2025-49125
- Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat - High Severity CVE-2025-48988
- Uncontrolled Resource Consumption in Jetty - High Severity CVE-2025-1948
25.1.2
Release date: June 6th 2025
- #1147 Allow configuration of JavaFX version when JavaFX is embedded in JDK
- #1138 Steal session not working if max clients limit reached
- #1146 File upload stopped after switching to another app tab
- #1128 Force embedded Tomcat to use absolute redirect URLs
- #1145 User stuck on logout screen and the "New Session" button is not working
- #1144 Application shuts down if there are no windows but main is running
- #786 Fixed LDAP technical user login flow
- #1137 SNI check config flag: disable in jetty.properties
- #1140 No thread dump creation exception when killing idle session
- #1139 OIDC: allow adding trusted aud values if IDToken contains multiple
- #1135 Linked View improvements
Fixed 3rd party vulnerabilities
- Improper Access Control - High Severity CVE-2025-48734
- Improper Handling of Case Sensitivity - Medium Severity CVE-2025-46701
25.1.1
Release date: May 6th 2025
- #1137 SNI check jetty config flag
- #1128 Fixed Dockerfile in distributions
- #1128 Fixed missing decoration first time a JavaFX popup is opened
- #1128 Process multiscreen info even if there is only a single screen
- #1128 FileDialog stuck if JFileChooser window is closed by X button
- #1128 Improved upload/download process disposal
- #1136 InternalWindows (web components) not closed after last window is hidden
- #1132 Add all JTableCell and JTableHeader to component tree for JTables
- #1133 Exception in PNG rendering with 0 size window
- #1130 Fixed Session pool race condition when creating instance
- #1125 Mirror view broken after a while - use admin and user token to correctly authenticate mirror session
- #1131 AutoLogout with anonym SM restarts on shutdown
Fixed 3rd party vulnerabilities
- Improper Input Validation - Medium Severity CVE-2025-31672
- Improper Neutralization - Medium Severity CVE-2025-31651
- Improper Input Validation - Medium Severity CVE-2025-31650
25.1
Release date: April 15th 2025
- Linked View
- Prometheus metrics endpoints
- Removal of Protobuf library
- Javascript client configuration in server config
- Starting of the Session Pool with Cluster Server
- Upgrade to Jetty 12 and embedded Tomcat fallback
- Improved Modernisation API
- JavaFX: HiDPI and HtmlPanel support
- Admin Console: Scalability optimisations and Web folder setup
- New default window decoration theme
- Updated Modernisation demo with examples
Other enhancements:
- Compress JWT tokens with GZIP
- App lifecycle callbacks in JS
Removal of deprecated API
- removed
/rest/activeSessionsCountendpoint from Admin Console REST, replaced by/rest/activeSessionsInfo - removed interface
org.webswing.toolkit.api.component.Dockable, replaced byorg.webswing.toolkit.api.component.WebswingDockableWindow - removed method
createHtmlPanelForWebContainerComponentfromWebswingApi
Configuration defaults changed
isolatedFs-> enabled by defaultallowJsLink-> disabled by defaulttheme-> none by defaultfastSerialization-> removed (only fast serialization possible)
NOTICE: Webswing now uses Jetty 12 as its default embedded server.
In response to Jetty 9.4 reaching End of Life (EOL) and no longer receiving security patches, Webswing has upgraded its default embedded server to Jetty 12. However, Jetty 12 now requires Java 17 or higher. When running Java < 17, Jetty 12 cannot be used. There is an automatic fallback to an embedded Tomcat server to maintain compatibility.