Confluence 10.0 beta release notes

Atlassian presents Confluence 10.0.0-beta3. This is a snapshot of our work in progress, primarily focused on providing app developers an opportunity to test their apps and make any required changes in advance of an official release.

Confluence 10.0.0-beta3 is available to download now.

Development releases are not production ready. Development releases are snapshots of the ongoing Confluence development process. While we try to keep these releases stable, they have not undergone the same degree of testing as a full release, and could contain features that are incomplete or may change or be removed before the next full release.

No upgrade path. Because development releases represent work in progress, we cannot provide a supported upgrade path between development releases, or from any development release to a final release. You may not be able to migrate any data you store in a Confluence development release to a future Confluence release.

Atlassian does not provide support for development releases.




Issues with this development release?
Please raise an issue to tell us about it. 


Highlights of 10.0.0-beta3

Released 16 July 2025

Add scopes to REST endpoints to use OAuth 2.0 2LO

For: ADMINS

We’ve introduced @ScopesAllowed to improve security and control over REST endpoints.

Add the @ScopesAllowed annotation to your endpoints to make them accessible using an OAuth 2.0 Client Credentials token (2LO).

For example, this annotation requires that the access token has the WRITE scope before providing access to this endpoint.

@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}

The supported scopes are documented here:

Highlights of 10.0-beta2

Released 8 July 2025

Spring and Jakarta upgrade

For: ADMINS

To maintain high security standards and keep dependencies supported and up to date, we’re upgrading Spring to the 6.x line, Jakarta to EE Platform 10, and Apache Tomcat to 10.1, as well as other libraries that depend on Spring and Jakarta.

The Apache Tomcat upgrade also introduces changes under the Jakarta Servlet specification. If you rely on custom server settings or connectors, review the following before upgrading:

  • Check custom server.xml configurations, especially any references to "javax.servlet" APIs. Tomcat 10.1 has migrated to the "jakarta.servlet" namespace.
  • Verify that any connectors (HTTP, AJP, etc.) are still supported and properly configured in Tomcat 10.1.
  • Confirm that any security or TLS/SSL settings are compatible with Tomcat 10.1’s default cryptographic protocols.

For detailed information on the changes introduced in Tomcat 10.1, consult the official Apache Tomcat documentation.
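The three checks above can be scripted as a first pass over a customised server.xml. This is an added example, not Atlassian's or Apache's tooling; the sample file, the Valve class and its "filter" attribute are constructed for illustration, and the set of protocol names treated as legacy is an assumption to adapt to your own policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real installation); the Valve
# class and its "filter" attribute are made up for illustration.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1,TLSv1.2"/>
    </Connector>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="com.example.LegacyValve" filter="javax.servlet.Filter"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

TLS_ATTRS = ("protocols", "sslEnabledProtocols", "sslProtocol")
LEGACY_TLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # assumed policy


def review_server_xml(xml_text):
    """Return (category, detail) pairs to check by hand before upgrading."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # 1. Attribute values or element text still naming javax.servlet.
        for name, value in [*elem.attrib.items(), ("text", elem.text or "")]:
            if "javax.servlet" in value:
                findings.append(("javax", f"<{elem.tag}> {name}={value.strip()}"))
        # 2. List every connector so its protocol can be checked against the
        #    Tomcat 10.1 documentation (Tomcat defaults to HTTP/1.1 if unset).
        if elem.tag == "Connector":
            proto = elem.get("protocol", "HTTP/1.1")
            findings.append(("connector", f"port={elem.get('port')} protocol={proto}"))
        # 3. TLS protocol lists that enable legacy versions; a leading "-"
        #    removes a protocol in Tomcat's syntax, so those tokens never match.
        for attr in TLS_ATTRS:
            tokens = re.split(r"[,+\s]+", elem.get(attr, ""))
            legacy = sorted(LEGACY_TLS.intersection(tokens))
            if legacy:
                findings.append(("tls", f"<{elem.tag}> {attr} enables {', '.join(legacy)}"))
    return findings


if __name__ == "__main__":
    for category, detail in review_server_xml(SAMPLE_SERVER_XML):
        print(f"[{category}] {detail}")
```

Every finding is a prompt for manual review against the Tomcat 10.1 documentation, not a verdict that the setting is unsupported.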

Removal of deprecated components in AUI 10

For: ADMINS

We’re removing some outdated AUI 10 components with design and accessibility issues (Dropdown 1 and Toolbar 1) and updating internal dependencies to better support jQuery 3 and proactively address security issues.

End of support for LESS

For: ADMINS

To enhance security and performance, we’re removing the ability to transform LESS to CSS at runtime. LESS must now be transpiled into CSS at compile time.

Removal of Trusted apps

For: ADMINS

Trusted apps won't be available starting from Confluence 10.0. We're removing Trusted apps to reduce the number of insecure entry points into the products. We’ve replaced this way of exchanging information between Atlassian products with more secure solutions that follow industry best practices, like the OAuth 2.0 protocol.

End of support for the Original theme

For: ADMINS

With the new light and dark themes that brought accessibility and usability improvements, we’re removing the original theme from all products.

Global serialization filter

For: ADMINS

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

We’ve implemented several important changes regarding the use of XStream:

  • XStream now includes a predefined blocklist of known vulnerable classes that are prohibited from being serialized or deserialized.
  • If there is a need to serialize or deserialize custom class types, apps must define these types in their module descriptor. For example:
    <xstream-security key="xstream-allowlist" name="XStream allow-list set">
        <type>java.util.Map</type>
    </xstream-security>
  • The option to allow types through regular expressions has been removed.

App signing is now enabled by default for app installations

For: ADMINS

In this release, app signing is enabled by default. This feature improves app security and was gradually rolled out across Data Center products. For details, check out this community post.

App signing affects only new app installations; already installed apps will remain intact.

The steps you need to take differ depending on whether you install applications from the Marketplace or build your custom applications.

Install apps from the Marketplace

To do so:

  1. Configure the location of the truststore folder as described in Configuring UPM app signature check.
  2. Download and install the Atlassian Certificates bundle. For details, see Updating Atlassian Certificate Bundles.
  3. That’s it! Enjoy the safe app installations from the Marketplace.

Install custom apps

If you use custom application builds, you can sign and secure your apps:

  1. Configure the location of the truststore folder as described in Configuring UPM app signature check.
  2. Get the app signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.
  3. Put your new certificate in your trust store as described in Updating Atlassian Certificate Bundles.
  4. Install the signed application.

You can also install the app via the file system without using the app signing feature.

If you’re experiencing issues, check out App signing troubleshooting.

Enhanced security with Content Security Policy

For: ADMINS

We're implementing Content Security Policy (CSP) in Confluence 10.0. This new feature enhances security by instructing your web browser on what content is allowed to run on the page, significantly reducing the risk of cross-site scripting (XSS) and other code injection attacks. By controlling which resources a document can load, CSP helps protect against data exfiltration and improves the overall stability and reliability of Confluence.

In Confluence 10.0, the script-src CSP header will be enabled in a report-only mode. This means that while the system logs any violations, it won't block resources, allowing us to monitor potential security issues without affecting your experience. Full enforcement of CSP will be introduced in Confluence 11. 

Basic authentication disabled by default

For: ADMINS

We’re disabling basic authentication by default. This is a first step towards the removal of basic authentication altogether as we develop and mature alternatives to support the remaining few use cases. This change impacts only fresh installs (new customers); existing or upgraded Confluence setups won’t be affected.

Monitoring and observability of the Synchrony process

For: ADMINS

We're pleased to announce the launch of enhanced monitoring capabilities for the Synchrony component in Confluence. With this update, you can now monitor Synchrony processes more effectively, ensuring system reliability and quick problem resolution. This update will allow you to export core Java Virtual Machine (JVM) and Synchrony-specific metrics via JMX or statsD, facilitating better integration with your existing monitoring systems.

  • Core JVM metrics include various performance indicators such as garbage collection, memory usage, and CPU utilization. These metrics provide insights into the overall health and performance of the JVM environment.
  • Synchrony-specific metrics focus on the performance of the Synchrony process itself. They include message processing times, user activity, and error counts, helping you monitor and optimize the collaborative editing experience.

To configure monitoring, use system properties or environment variables. If Synchrony is managed by Confluence, add these properties to the synchrony-args.properties file. For detailed configuration instructions, refer to Configuring Synchrony.

Upgrade notes

Apps that use an XStream allowlist with regex will face issues on upgrade. They must replace each regex with explicit class name definitions and be rebuilt.
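To find the entries this upgrade note and the XStream changes under "Global serialization filter" refer to, an app's descriptor can be audited before rebuilding. This is an added example, not Atlassian's tooling; the descriptor is constructed, and the <regex> element name and the wildcard inside <type> are assumptions standing in for however an older descriptor declared pattern-based entries.

```python
import re
import xml.etree.ElementTree as ET

# Constructed atlassian-plugin.xml fragment. The <type> form is the one shown
# in the release notes; the <regex> element name is an assumption standing in
# for however an older descriptor declared its pattern-based entries.
SAMPLE_DESCRIPTOR = """<atlassian-plugin key="com.example.demo" name="Demo app">
  <xstream-security key="xstream-allowlist" name="XStream allow-list set">
    <type>java.util.Map</type>
    <type>com.example.demo.model.Report$Row</type>
    <type>com.example.demo.model.*</type>
    <regex>com\\.example\\.demo\\.dto\\..*</regex>
  </xstream-security>
</atlassian-plugin>"""

# A fully qualified Java class name: dot-separated identifiers, "$" allowed
# for nested classes, and at least one package segment.
IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
EXPLICIT_CLASS = re.compile(rf"{IDENT}(\.{IDENT})+")


def audit_xstream_allowlist(descriptor_xml):
    """Split allowlist entries into explicit class names and ones to rewrite."""
    explicit, needs_rewrite = [], []
    root = ET.fromstring(descriptor_xml)
    for module in root.iter("xstream-security"):
        for entry in module:
            value = (entry.text or "").strip()
            if entry.tag == "type" and EXPLICIT_CLASS.fullmatch(value):
                explicit.append(value)
            else:
                # Pattern-style value, or an element other than <type>:
                # replace with one <type> per concrete class.
                needs_rewrite.append((module.get("key"), entry.tag, value))
    return explicit, needs_rewrite


if __name__ == "__main__":
    ok, todo = audit_xstream_allowlist(SAMPLE_DESCRIPTOR)
    print("explicit:", ok)
    for key, tag, value in todo:
        print(f"rewrite in '{key}': <{tag}>{value}</{tag}>")
```

Keep the replacement list as narrow as the app needs: each explicit type is a class the filter will let through.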


Supported platforms changes

We’re adding support for the following databases:

  • PostgreSQL 17

We’re also removing support for:

  • PostgreSQL 15
  • Java 17

This version of the product will only run on Java 21.


Infrastructure changes

Confluence 10.0 contains changes that may affect apps. Head to Preparing for Confluence 10.0 to find out how these changes will impact app developers. 

Last modified on Jul 16, 2025
