Preparing for Confluence 9.0

Confluence Development Releases

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This documentation is intended for Confluence developers who want to ensure that their existing plugins and apps are compatible with Confluence 9.0.

Watch this page to find out when a new milestone is available and what’s changed. We will publish formal release notes once we release a beta.

Latest milestones

16 April 2024

9.0.0-m41

Download

Issues with this milestone?

Hit the Feedback button on the Confluence EAP header or raise an issue to tell us about it.

On this page:

Planned changes: experience improvements

In this section we'll provide an overview of the changes we intend to make, so you can start thinking how it might impact your app. We'll indicate when a change has been implemented, and in which milestone. 

This release only supports Data Center licenses. If you have a Server license, check out your options for upgrading.

Dark theme for Confluence

Status: IN PROGRESS

We are planning to ship dark theme in Confluence 9.0. Work is currently underway, and we will provide more updates very soon.

Make sure you've read the developer guidance on preparing your Data Center app for the dark theme. You can also start testing your apps with the new theme using the theme.switcher dark feature

Additionally, you can add the dark feature confluence.dark.theme.text.colors to enable text and table background color conversion in the content. This will convert the text colors and table background colors to the closest match from the new palette, introduced in 8.9, to provide full light and dark theme compatibility.

As a result of the changes we made to the editor color palettes in Confluence 8.9, the release of dark theme means that all colors in the editor will now be converted to match the updated color palettes and you will no longer be able to customize these palettes using the temporary workaround.

New REST APIs

Status: DONE

We are introducing additional REST APIs to help admins automate and script administrative tasks in bulk. We'll confirm the API functionality shortly.

As new APIs are introduced, they'll be added to the REST API documentation.

Confluence REST API documentation to be Swaggerfied

Status: IN PROGRESS

We’re modernizing the look and feel of our Confluence Data Center REST API documentation by migrating it to Swagger. As well as all the cosmetic benefits we’re getting from the Swagger API documentation framework, this migration will make our API docs easier for you to navigate, find examples, and copy snippets from. The modernized REST API will also have a new location! We’ll share the location here as soon as it’s available.

Planned changes: security & compliance (upgrades, removals, & functionality)

Editor TinyMCE 7 upgrade

Status: DONE

We're in the process of upgrading the Confluence editor from TinyMCE 6 to TinyMCE 7, and we plan to ship the upgraded editor in Confluence 9.0. Beside bug fixes, we expect no impact to end users.

We’ll keep you updated here about the changes we make to prepare for the upgrade. See TinyMCE’s guide for migrating from TinyMCE 6 to TinyMCE 7 to begin preparing your apps.

Upgrades to jQuery

Status: IN PROGRESS

As part of our ongoing efforts to ensure our platform remains secure and efficient, we will remove jQuery migrate 1.4.1 and jQuery version 2.x and we plan to update our platform to jQuery 3.x. Read more details in our jQuery upgrade guide.

Platform 7 upgrade

Status: IN PROGRESS

Confluence 9.0 will include an upgrade to Atlassian Platform 7. This upgrade puts us in a better position to respond to security changes with reduced disruption and breaking changes for your apps.

As part of this work, we will:

  • upgrade numerous Atlassian and third-party components to benefit from the latest security patches and bug fixes

  • remove ‘Gray APIs’ (unsupported third-party and cross-product libraries with dependencies – more on this below)

As a result of this work, we will:

  • rearchitect Atlassian REST APIs (Jackson/Jersey updated, and updated JAX-RS to v2)

  • reduce public APIs in Atlassian apps, WRM, and web fragments

Many of the newly defined APIs will become available in the upcoming 8.x feature releases, starting with Confluence 8.7. See REST API developer documentation for an updated list.

Proactively migrating away from code that is marked as deprecated will ensure a smoother upgrade to Confluence 9.0.

Read more about how to prepare for the Platform 7 upgrade here.

Gadgets removal

Removing the Gadgets package from Confluence has been a long-planned tech debt removal, and has finally been completed.

Vendors who have Jira Gadgets that they wish to provide inside Confluence will now need to provide Confluence macros to achieve the same outcome from Confluence 9.0 and beyond.

Decomposition of ConfluenceActionSupport

In Confluence 9.0, ConfluenceActionSupport has been stripped down to its essentials. Any missing methods or fields that your Action classes relied on should now be implemented directly in your Action class instead.

Existing Web Resource Manager functionality on short pause

Status: IN PROGRESS

As part of our Platform 7 upgrade, we’ve needed to temporarily pause some Web Resource Manager (WRM) functionality. In this release, the following functions won’t work, or may be affected:

Note that these are temporary deactivations for this release while we integrate Platform 7 into Confluence 9.0.

New version of pocketknife-dynamic-modules

Status: DONE
We've released two new versions of pocketknife-dynamic-modules — version 1.1.1, which is compatible with older and newer versions of Confluence, and version 2.0.0, which is compatible with only Confluence 8.8 and 8.9. Make sure you upgrade your apps to include one of these latest versions to keep them working.

Removing the legacy backup and restore system

Status: DONE

In Confluence 8.3, the backup and restore system underwent a complete upgrade with visible improvements to performance, stability, functionality, and appearance. The benefits of the upgrade include:

  • faster XML backup and restore operations with performance that is up to 10 to 50 times faster, based on the instance size

  • the ability to backup and restore multiple spaces, instead of the entire site

  • more visibility and control with the ability to cancel backup and restore jobs

  • improved reliability and reduced resource consumption

Learn more about these changes in the Confluence 8.3 Release Notes.

As part of Confluence 9.0, we plan to remove the legacy backup and restore system. This means that scheduled backups, which still uses our legacy system, will be no longer available. Scheduled XML backups are disabled by default in Confluence Data Center.

We don't recommend relying on XML backups as a main backup method. Instead, we recommend regularly backing up the database, installation directory, and home directories. See Production Backup Strategy for recommended methods.

For backups of test sites, or in addition to database and directory backups, we recommend using the upgraded backup and restore system’s documented API that makes managing these tasks easier and also allows for the automation of heavy or large site merges and space migrations.

Removing support for Java 11

Status: DONE

Confluence will end support for Java 11. That means that from Confluence 9.0, the oldest release we will support and test is Java 17. We will also only compile against Java 17 from Confluence 9.0.

See the end of support announcement.

Removing deprecated code

Status: IN PROGRESS

We will remove deprecated code paths in earlier Confluence versions. See Deprecated code paths removed in 9.0 for a full list of the classes and methods removed.

Changes like this help us maintain a healthy code base, remove hurdles for developers, and simplify the code structure where possible. 

Struts Velocity directives no longer supported

Status: IN PROGRESS

Struts Velocity directives (e.g. #scomponent, #stextfield, #scheckbox, #ssubmit and all others beginning with #s) are no longer supported. If you utilise these in your Velocity templates, please migrate to the raw HTML equivalent.

Example migration:

<div class="field-group">
    <label id="personalInformation-label" for="personalInformation">About Me</label>
    <textarea id="personalInformation" name="personalInformation" cols="70" rows="8" class="monospaceInput textarea"></textarea>
</div>

Removal of Gray APIs

Status: DONE

We will remove the ability for your apps to load many third-party libraries as well as a few Atlassian-specific libraries from the Confluence application (we’re calling this group of libraries ‘Gray APIs’). You will need to start bundling your own copies of these libraries with your apps if you wish to continue using them. We have been marking libraries as deprecated from Confluence 8.7 to 8.9.

This upgrade will allow us to improve Confluence more frequently without breaking your app or requiring you to do significant testing and rework when things change.

See our developer guidance on how to get your apps ready for the Gray API removal, which includes a list of deprecated code paths to be removed in 9.0.

Allowlist your Velocity template class and method invocations

Status: IN PROGRESS

The design of this feature has yet to be finalized; please check back for further details.

From Confluence 9.0, all method invocations within a Velocity template must be explicitly allowlisted using a newly-introduced annotation or plugin module descriptor. This annotation should either target class members directly, or be used on a class itself to allowlist all members.

Additionally, all method invocations will be subject to a depth limit to prevent them from infinitely traversing context items.

$contextItem.firstInvocation.secondInvocation.thirdInvocation


More secure defaults for endpoints

Status: IN PROGRESS

We’ve enabled better control access to endpoints with new annotations. From Confluence 9.0, only licensed users can access resources without specified access criteria annotations. Make sure you review:

  • @AdminOnly

  • @AnonymousSiteAccess

  • @LicensedOnly

  • @SystemAdminOnly

  • @UnlicensedSiteAccess

  • @UnrestrictedAccess

Reviewing these will ensure that the intended users can access your application endpoints. You may need to make changes to endpoints such as Struts Actions, Filters, Servlets and REST resources.

Visit Prepare your Data Center app to comply with secure endpoint defaults for full details.

Struts Actions XSRF protection enabled by default

Status: IN PROGRESS

Previously, all Struts actions accepted any HTTP request methods, unless explicitly restricted through a @PermittedMethods annotation, the @HttpMethodRequired annotation (deprecated), or a permittedMethods Action parameter in the Struts module descriptor.

From Confluence 9.0, Struts actions that do not have one of the above annotations or configuration parameter will by default only accept POST requests. Actions that map to the method name doDefault will additionally accept GET requests by default. To avoid unexpected behaviour we recommend explicitly annotating all Struts action methods with @PermittedMethods or configuring permittedMethods Action parameters in your Struts module descriptor.

New default HTTP security headers

Status: IN PROGRESS

In Confluence 9.0, all served requests will have the following headers placed on them:

X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' Strict-Transport-Security: max-age=31536000

Note that these can be customized by the customer.

The following plugin opt-out mechanisms are supported:

  • Plugin servlets, using the init param, securityHeadersExcluded

  • Plugin servlet-filters, using the init param, securityHeadersExcluded

  • Plugin REST resources, using the annotation, @SecurityHeadersExcluded

Embedded Crowd upgrades in progress

Status: IN PROGRESS

We’re upgrading Embedded Crowd to version 6. We've been working on integrating early previews of Embedded Crowd into Confluence 9, and have yet to find a breaking change to report. However, we're still in the early stages of this implementation, so check back regularly here for further updates. This change should deliver performance upgrades, provide a toolbox for additional possible features beyond Confluence 9.0, and minimize the effort involved with upgrading Embedded Crowd in the future.


Beyond 9.0 planned changes

OpenSearch opt-in feature ready for early access

Status: ADVANCE NOTICE

We’re working to introduce OpenSearch as an opt-in search engine in an upcoming feature release of Confluence 9.x. It will not be part of Confluence 9.0. This will provide more advanced indexing options leading to less processing requirements and faster search results.

As part of our Early Access Program (EAP), we’ve updated the OpenSearch upgrade guide, to include links to new content on how to set up OpenSearch, and information on what's currently working and what we're still working on, should you wish to test during the EAP phase. At this early stage, OpenSearch during EAP is not suitable for production environments, but we invite you to try it on your testing environment.

Contact us on osfc@atlassian.com, or via our customer support channel.

Implemented changes

In this section we'll provide details of changes we have implemented, organised by the milestone they are first available in. This will help you decide which milestone to use when testing.

EAP 13 – 16 April 2024

Milestone 9.0.0-m41

Contains:

  • New REST APIs
  • Tiny MCE upgrade
  • Temporary pause of some Web Resource Manager functionality
  • Removal of Gray APIs
  • Removal of legacy backup and restore system
  • Minor bugfixes

EAP 12 – 8 April 2024

Milestone 9.0.0-m30

Contains:

  • Added dark feature for dark theme color conversion
  • Minor bugfixes

EAP 11 – 2 April 2024

Milestone 9.0.0-m26

Contains:

  • Added OpenSearch as EAP for a later release
  • Minor bugfixes

EAP 10 – 25 March 2024

Milestone 9.0.0-m23

Contains:

  • Minor bugfixes

EAP 9 – 18 March 2024

Milestone 9.0.0-m16

Contains:

  • Minor bugfixes

EAP 8 – 11 March 2024

Milestone 9.0.0-m15

Contains:

  • pocketknife-dynamic-modules versions 1.1.1 and 2.0.0
  • Minor bugfixes

EAP 7 – 4 March 2024

Milestone 9.0.0-m14

Contains:

  • Minor bugfixes

EAP 6 – 27 February 2024

Milestone 9.0.0-m13

Contains:

  • Upgraded to SLF4J 2 (Simple Logging Facade for Java)
  • Fixed default serialization for REST v2 for JodaTime and java.time
  • Upgraded to platform 7.0.0-m20, including breaking changes in atlassian-event, including removal of Event interface

EAP 5 – 19 February 2024

Milestone 9.0.0-m11

Contains:

  • Minor bugfixes

EAP 4 – 12 February 2024

Milestone 9.0.0-m10

Contains:

  • Minor bugfixes

EAP 3 – 5 February 2024

Milestone 9.0.0-m09

Contains:

  • Minor bugfixes

EAP 2 – 29 January 2024

Milestone 9.0.0-m08

Contains:

  • Minor bugfixes

EAP 1 – 22 January 2024

Milestone 9.0.0-m07

Contains:

  • Removal of deprecated code paths
  • Minor bugfixes


Looking for updated documentation? Check out the Confluence EAP space for the latest docs.

Did you know we’ve got a new developer community? Head to community.developer.atlassian.com/ to check it out! We’ll be posting in the announcements category if when new EAP releases are available.

Last modified on Apr 18, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.