The English version of is the official project site. Translated sites are community supported on a best-effort basis.

Quarkus 0.24.0 released - Vert.x everywhere

Due to serious outages of the OSS Sontype (our gate to Maven Central), we were unable to release as planned but…​ here we are, 0.24.0 is out!

This one is built on top of the shoulders of 0.23 to move more things to our new Vert.x based HTTP layer. It also introduces big changes to our security layer.


Servlet no longer required for JAX-RS

This means that if your application depends on quarkus-resteasy and not quarkus-undertow then Servlet will not be present, and RESTEasy will run directly on a Vert.x backend.

For most applications this should be largely transparent, however if you wish to use Servlet filters or other Servlet functionality then you can simply add a dependency on quarkus-undertow. If Undertow is present, RESTEasy will detect this and will fall back to running as a Servlet.

Please reach out to us if you think a missing feature should be supported out of the box by RESTEasy + Vert.x because we want as many users as possible on the new Vert.x layer.

For instance, we introduced quarkus.http.root-path as the counterpart of quarkus.servlet.context-path.

New reactive security layer

Previously Security was tied to Undertow and only applied to Servlet deployments, while also being 100% blocking. This change brings in a new security layer that is not tied to any specific implementation, and also allows for reactive security operations to integrate with Vert.x. It is also no longer tied to Elytron, however Elytron still remains an option.

This is still a work in progress and there is a lot more work to come over the following few weeks, however the main changes today are:

  • HTTP Authentication is now handled at the Vert.x layer. Previously this was configured in the Elytron extensions, this configuration has been removed

  • The elytron-security extension has been broken up into base functionality and a new elytron-security-properties-file extension that contains support for simple properties file based config.

  • There is a new elytron-security-jdbc extension that allows for users to be loaded from a database. This extension is still alpha and its configuration will likely be simplified for the next release.

  • HTTP basic auth is now enabled by the quarkus.http-auth.basic=true property. To use this, you will need to have the elytron-security-properties-file or the (still alpha) elytron-security-jdbc extension in your application.

  • HTTP form auth is missing in this release, it will be replaced sometime next week. Previously this relied on an in-memory HTTP session, so did not work in cloud environments. The new implementation will use encrypted cookies to replace the in memory session allowing it to be used in clustered environments.

Keycloak extension replaced by an OIDC extension (OpenID Connect)

The original Keycloak-specific quarkus-keycloak adapter has been replaced with a generic OpenID Connect (OIDC) quarkus-oidc adapter which will provide a comprehensive, generic and reactive support for the most important OIDC flows and be able to verify the tokens from all the certified OIDC providers including Keycloak. Tokens from the other OIDC and OAuth2 providers implementing a token introspection endpoint will also be recognized.

You can find all the information relative to this new extension in our new OIDC guide but here is a summary of the changes that will probably affect you.

Note that the configuration namespace has changed from quarkus.keycloak to quarkus.oidc. The realm property has been removed and the Keycloak users are now required to configure the auth-base-url as follows:

quarkus.oidc.auth-base-url ={realm}

where {realm} represents a Keycloak realm.

resource has been renamed to client-id. realm-public-key has been renamed to public-key.

Multi-tenancy support based on KeycloakConfigResolver is no longer supported with a Vert.x OAuth2 based alternative mechanism to be introduced in the next release.

Users needing to configure CORS should now use Quarkus CORS filter.

The team appreciates that some of the original quarkus-keycloak users may be affected by this change and would like to assure the community that quarkus-oidc will offer an equivalent but also significantly better overall OIDC experience very soon.

If some features are missing for your use case, please open GitHub issues.

MongoDB with Panache

You might already have used our Hibernate ORM with Panache layer. This simplified "Panache" approach will be generalized to other parts of the stack in the coming months.

And we already have a good news: we now have a MongoDB with Panache extension which heavily simplifies developing REST applications with MongoDB. You can find all the information in the MongoDB with Panache guide, which comes with a quickstart.

As for every brand new feature, feedback is highly welcome.

Jackson and JSON-B customization

It is now far easier to customize Jackson’s ObjectMapper or JSON-B configuration thanks to a new API we introduced in 0.24.

Everything is explained in detail in our REST JSON guide.

Amazon Lambda

We now support named request handlers.

REST Assured major update

We updated REST Assured to 4.1.1: there is a good chance you will have to adjust your tests. Checkout the Rest Assured Release Notes for details.

Other new extensions


We now have a proper RESTEasy JAXB extension. So if you are using JAXB with your REST services, please use the quarkus-resteasy-jaxb extension from now on.

Narayana STM

If you want to use Narayana STM (as in Software Transactional Memory), we now have an extension for it (and a guide!).

STM offers an approach to developing transactional applications in a highly concurrent environment with some of the same characteristics of ACID (Atomicity, Consistency, Isolation and Durability) transactions.


We also fixed a few bugs and usability issues: get the full changelog of 0.24.0 on GitHub.


Quarkus has now 159 contributors. Many many thanks to each and everyone of them.

In particular for this release, thanks to Adam Bien, Alessio Soldano, Alexey Loubyansky, Andrej Petras, Andrew Guibert, Arne Mejlholm, Bill Burke, Chamin Kahandawaarachchi, Clement Escoffier, Cristiano Nicolai, Daniel Petisme, David M. Lloyd, Dmitry Telegin, Dusan Odalovic, Emmanuel Bernard, George Gastaldi, Georgios Andrianakis, Guillaume Dufour, Guillaume Smet, Jacob Middag, Jaikiran Pai, Jan Martiska, Jason T. Greene, Ken Finnigan, Loïc Mathieu, Maciej Swiderski, Manyanda Chitimbo, Martin Kouba, Matej Novotny, Max Rydahl Andersen, Michael Musgrove, Paulo Lieuthier, Peter Palaga, Peter Sönder, Radim Vansa, Rostislav Svoboda, Sanne Grinovero, Sergey Beryozkin, Stephane Epardaud, Stuart Douglas, Stéphane Épardaud, Timothy Power and Yoann Rodière.