Java SE is the standard version of Java, it includes libraries for desktop applications, networking, security, database access, and more. If you need to run Java applications, downloading and installing the JRE is enough. If you're developing Java applications, you'll want to download the JDK, which also includes the JRE.

The JRE is the Java Runtime Environment, it covers most users needs. Contains everything required to run Java applications on your system. It is a package of everything necessary to run a compiled Java program, including the Java Virtual Machine (JVM), the Java Class Library, the Java command, and other infrastructure. However, it cannot be used to create new programs.

The JDK is the Java Development Kit, the full-featured SDK for Java. It has everything the JRE has, but also the compiler (javac) and tools (like javadoc and jdb). It is capable of creating and compiling programs.

For full information and terms, refer to the OTN License Agreement for Java SE. The OTN License Agreement for Java SE for current Oracle Java SE releases allows them to be used, without cost:

  • (i) For personal use on a desktop or laptop computer, such as to play games or run other personal applications.
  • (ii) For development, testing, prototyping, and demonstrating applications, including to use by/with profilers, debuggers, and Integrated Development Environment tools.
  • (iii) For use with some approved products, such as Oracle SQL Developer, or as an end user of a software application created by an approved product. (referred to as "Schedule A" and "Schedule B" Products in the OTN License Agreement for Java SE)
  • (iv) With identified Oracle Cloud Infrastructure products.

Java 8 is the last free software public update for commercial use, which explains why it remains popular. Oracle plans to maintain it until at least 2030. Also, you should know that some applications might refer to Java 8 as version 1.8.0.

The latest version of Java is Java 20, however many versions of Java are actively maintained for compatibility purposes. Java 8, Java 11 and Java 17 are the three long-term support versions recommended by Oracle.

Sometimes, even if you are not planning to do any Java development on a computer, you still need the JDK installed. For example, if you are deploying a web application with JSP, you are technically just running Java programs inside the application server. Why would you need the JDK then? Because the application server will convert JSP into Java servlets and needs to use the JDK to compile the servlets.

What's New

client-libs/2d

Marlin Renderer in JDK 8u

Starting from version 8u311, the Marlin graphics rasterizer and its artifacts will be built and distributed as a part of the JDK/JRE bundles. It is not the default rendering engine, however there is an option to enable it by setting the following system property:

sun.java2d.renderer=sun.java2d.marlin.MarlinRenderingEngine

core-libs/java.io:serialization

Context-specific Deserialization Filter Subset

Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.

The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.

The JVM-wide filter factory is a java.util.function.BinaryOperator function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter), the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter requested.

A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.

Previous release notes

Allow SASL Mechanisms to Be Restricted

  • A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.

SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

  • The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

New Checks on Trust Anchor Certificates

  • New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
  • A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
  • The default value of this property, if not set, is "false".
  • Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
  • This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.

Exact Match Required for Trusted TLS Server Certificate

  • A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.

Added LuxTrust Global Root 2 Certificate

The following root certificate has been added to the cacerts truststore:

+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU

Bug Fixes:

Support for OpenType CFF Fonts

  • Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.
  • Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.
  • Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.

Better Serial Filter Handling

  • The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.