#Release Notes

The Webswing version 26.1 comes with Java 25 support, handling of sleeping browser tabs, support of Oracle Forms 11, lifecycle endpoints for Kubernetes, SWT improvements and other enhancements and bug fixes.

#26.1.1

Release date: May 8th 2026

• #1209: Corrected JavaFX library resolution per platform
• #1287: Fixed JavaFX DPR handling, global input CSS styling, and window-dispose exception on app exit; updated Oracle Forms Migration documentation
• #1294: Fixed issues creating ComponentTree for JTable with RowSorter
• #1297: Dynamic paint ACK optimization to improve responsiveness on high-latency networks
• #1299: Fixed Admin REST/API handling when user is null - improved admin health endpoint return ready only after it received server info
• #1300: Improved DirectDraw image hash performance for byte- and ushort-buffer backed images

Fixed 3rd party vulnerabilities

• Tomcat: CVE-2026-24880, CVE-2026-29129, CVE-2026-29145, CVE-2026-34500
• Log4j: CVE-2026-34478
• SAML2/Shiro security modules: CVE-2025-14813, CVE-2026-5598, CVE-2026-40458

#26.1

Release date: April 10th 2026

New Features

• #1197: Added Java 25 and JavaFX 25 support, including toolchain-based builds
• #1143: Expanded Oracle Forms support with Oracle Forms 11 compatibility, safer message handling, and PDF auto-printing
• #1214: Added a configuration option to bypass EDT paint unresponsiveness, with Oracle Forms-specific handling and double buffering improvements
• #1225: Improved SWT application support, including e4 launch fixes, new CDateTime examples, and configurable EDT classloader syncing
• #1251: Added SAML2 login_hint support and improved SingleSignOutServiceUrl inference and descriptor timeouts
• #1253: Added OIDC session monitoring and session refresh support
• #1258: Added lifecycle and health endpoints for Kubernetes across admin, server, and session pool services
• #1095: Improved handling of frozen or sleeping browser tabs to avoid stale rendering and reconnect issues

Minor Changes

• #798: Improved macOS keymap support with extensible input map patching and correct Cmd/JavaFX key mapping
• #904: Enhanced Admin Console tables with sorting, persistent sort state, improved sizing and scroll sync, and locale-aware date/time formatting
• #1206: Added username filtering to the getSessions REST API
• #1279: Added Admin Console Events WebSocket support for real-time notifications and change propagation
• #1292: Made all Bootstrap options configurable from JavaScript with typesafe wiring
• #1283: Support for adding escape focus traversal keys when accessibility is off
• #1180: Upgraded the SAML2 security module to newer pac4j and added configurable response binding
• #1200: Upgraded frontend tooling and dependencies to Vite 5 and TypeScript 5 across shipped frontends and integrations
• #1203: Replaced the WebP encoder library
• #1222: Improved the Admin Console configuration UI with stronger validation, better duplicate-key handling, accessibility fixes, and more reliable field editing
• #1235: Added optional cookie name prefixes and fixed clearing of prefixed cookies
• #1239: Improved inter-tab communication using browser-side heartbeat coordination and cross-tab broadcasts
• #1240: Used the print job name as the generated PDF file name and exposed fileName to custom PDF viewers
• #1249: Made websocket ping/pong timing configurable and enabled closing on pending pong by default
• #1254: Allowed transparent file chooser UI when isolated filesystem mode is off
• #1265: Upgraded Tyrus for Tomcat compatibility
• #1266: Improved default language configuration for apps and Admin Console locale detection
• #1270: Exposed setCharacterEncoding in servlet request wrappers
• #1271: Reduced websocket memory usage for large chunked messages by unifying chunking and partial-message handling
• #1272: Made IWebswingInstance.logout return a promise
• #1278: Replaced the deprecated JavaScript unload event
• #1284: Improved session metrics sorting UI, header styling, and related translations
• #1289: Unified tid handling between the admin console and the application frontend
• #1188: Added French translation

Bug Fixes

• #988: Fixed directory upload/download stream handling
• #1190: Refactored SessionPoolAccessor cleanup and counting for stopped session pools and disconnected app websockets
• #1196: Fixed reconnect of CONTINUE_FOR_TAB after browser network failures
• #1199: Fixed stealing of disconnected sessions after logout
• #1201: Fixed memory leak in the process exit status timer
• #1202: Improved DirectDraw glyph rendering performance and fixed zero-size context restore handling
• #1204: Fixed JavaFX DirectDraw repaint after page refresh
• #1205: Prevented active connections from being dropped when websocketUrlLoader script loading fails
• #1207: Fixed JavaFX DirectDraw subimage rendering
• #1210: Fixed LDAP authentication issues and added verbose LDAP logging
• #1213: Removed files downloaded through direct transfer after use
• #1215: Restored paste and scan into focused inputs after tapping outside the field
• #1216: Fixed initialization of undocked windows on macOS in fullscreen
• #1219: Fixed a race condition when updating window decoration
• #1221: Redirect internal server errors to the custom 500 error page
• #1226: Fixed manifest.json serialization and content type
• #1227: Improved Linux downloads with delayed file download handling and clearer settings
• #1230: Fixed awt.Robot screenshot capture for HiDPI, undocked windows, and directdraw=false
• #1231: Prevented hidden windows from auto-undocking
• #1236: Improved resilient instance process stream redirection at startup and ensured session folders exist
• #1238: Fixed touchpad scrolling on JTable
• #1244: Made multi-file drop trigger a single drag-and-drop event
• #1245: Corrected the reference point for RAM usage warnings
• #1250: Improved stale websocket detection, timeout handling, and shutdown cleanup across browser, app, admin, and session pool connections
• #1252: Fixed an exception when approving the same file twice in the save file chooser
• #1255: Stopped touching sessions during login processing
• #1260: Fixed modal overlays not being removed after dialog close
• #1261: Fixed multiscreen positioning and permission state reset issues
• #1262: Switched clipboard handling to simulate real keyboard events instead of TransferHandler actions
• #1263: Fixed DirectDraw cache capacity overflow with small numbers of constants
• #1264: Stopped sending font-configured fonts when DirectDraw is disabled
• #1275: Fixed unreliable logout redirects when multiple tabs log out at the same time
• #1276: Enabled webswing.enforcePeerPaintsFromDirtyQueueOnly by default and reduced paintImmediately memory buildup during disconnects
• #1277: Fixed loading of stats properties from webswing.properties, including corrected memoryUsed calculations
• #1285: Fixed Admin Console 500 errors when shutting down apps and improved websocket disconnect handling
• #1288: Fixed issues with complex glyph rendering when DirectDraw is enabled and added configuration switches to disable the fix if needed

Security

• #778: Security hardening for toolchain processing and regex handling to address XXE and regexp DoS issues
• #1233: Obfuscated SAML2 keystore passwords
• #1257: Fixed expiration of unused refresh token cookies
• #1259: Updated React Router to address CVE-2026-22029
• #1273: Removed the Server header to reduce information disclosure

API and behavior changes

• The SAML2 security module is now compatible with Java 17+
• The Database and Properties Security module is now compatible with Java 11+
• DirectDraw default behavior changed. The webswing.enforcePeerPaintsFromDirtyQueueOnly flag flipped from false to true. Apps relying on off-EDT paintImmediately behavior can render differently until they explicitly set the flag back to false.
• The browser API contract changed:

• IWebswingInstance.logout() now returns Promise
• bootstrap options change: tabHeartbeatThreshold was removed. tabActivateRequestTimeout replaced it. Existing code/config tabHeartbeatThreshold no longer take effect.