Skip to main content

2026.0 to 2026.0.1

1. JWT Keystore: Introduction and Purpose

info

The following changes are only required for unmanaged systems. For managed systems, the operator handles everything needed.

What changed:

A dedicated JWT keystore has been introduced to enable the server to sign JWT tokens for securing endpoints independent of Vaadin sessions.
Four new properties have been added to the Instance Configuration to define JWT keystore parameters:

  • jwtServiceKeystoreLocation
  • jwtServiceKeystoreType
  • jwtServiceKeystoreProvider
  • jwtServiceKeystorePassword

Why it matters:

Short-lived JWTs are required to authenticate and authorize external service calls that operate outside the Vaadin session lifecycle. Without this keystore, these endpoints cannot be properly secured, creating a security gap for microservice-to-microservice communication.

These endpoints are needed for the new menu, the basictable and future components.

  1. Provide a jwt keystore for the server
  2. Ensure the keystore is accessible by the ADITO server service
  3. Configure the jwt alias within the keystore for token signing operations
  4. Restart the ADITO server