Author: Michael Redlich

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for July 10th, 2023 features news from JDK 22, JDK 21, Spring Web Flow 3.0, Micronaut 4.0, Payara Platform, point and milestone releases of: Spring projects, Open Liberty, Helidon, Hibernate Reactive, Tomcat, Micrometer Metrics and Tracing, Piranha, Project Reactor, JHipster, JHipster Lite, Yupiik Fusion, Maven and Gradle; and AI Assistant in JetBrains IDEs.

JDK 21

Build 31 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 30 that include fixes to various issues. Further details on this build may be found in the release notes.

JDK 22

Build 6 of the JDK 22 early-access builds was also made available this past week featuring updates from Build 5 that include fixes to various issues. More details on this build may be found in the release notes.

For JDK 22 and JDK 21, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The release of Spring Web Flow 3.0.0 features: compatibility with Spring Framework 6 and Jakarta EE; and the removal of Apache Tiles, a project which has been retired and, therefore, has not migrated to Jakarta EE. The Spring Web Flow Samples have been updated accordingly and the booking-mvc example now uses Thymeleaf Layouts instead of Apache Tiles.

The second milestone release of Spring Framework 6.1 ships with bug fixes, improvements in documentation, dependency upgrades and numerous new features such as: an HTTP interface client infrastructure and adapter for the RestTemplate class; a new RestClient interface; and support for multiple instances of the TaskScheduler interface with the @Scheduled annotation. Further details on this release may be found in the release notes.

Versions 6.0.11, 5.3.29 and 5.2.25.RELEASE of Spring Framework have been released featuring bug fixes, improvements in documentation, dependency upgrades and new features such as: a simplification of the isDepedendent() method defined in the DefaultSingletonBeanRegistry class; add the missing @Nullable annotations in the ContentDisposition.Builder interface; and an extension of supported types in the nullSafeConciseToString() method defined in the ObjectUtils method. Versions 6.0.11 and 5.3.29 will be consumed in the upcoming releases of Spring Boot 3.1.2 and 2.7.14, respectively. Considered an out-of-cycle release, version 5.2.25.RELEASE will not ship with a Spring Boot version as Spring Boot 2.3.x has reached end-of-life. More details on these releases may be found in the release notes for version 6.0.11, version 5.3.29 and version 5.2.25.RELEASE.

The first milestone release of Spring Data 2023.1.0, codenamed Vaughn, delivers: compatibility with JDK 21; support for Kotlin value classes; the use of virtual threads through the Executor interface; and an exploration for optimizations using Coordinated Restore at Checkpoint (CRaC). Further details on this release may be found in the release notes.

Versions 2023.0.2, 2022.0.8, and 2021.2.14, service releases of Spring Data, ship with bug fixes and respective dependency upgrades to sub-projects such as: Spring Data MongoDB 4.1.2, 4.0.8 and 3.4.14; Spring Data Elasticsearch 5.1.2, 5.0.8, and 4.4.14; and Spring Data Neo4j 7.1.2, 7.0.8 and 6.3.14.

Versions 2.2.0-M1, 2.1.1, 2.0.5 and 1.5.5, service releases of Spring HATEOAS deliver bug fixes, dependency upgrades and a fix for CVE-2023-34036, Forwarded Header Exploit with Spring HATEOAS on WebFlux, a vulnerability in which hypermedia-based responses produced by Spring HATEOAS might be exposed to malicious forwarded headers if they are not behind a trusted proxy. More details on these releases may be found in the release notes for version 2.2.0-M1, version 2.1.1, version 2.0.5 and version 1.5.5.

The release of Spring Initializr 0.20.0 with new features and improvements such as: support for Spring Boot 3.x and JDK 17; improved code generation in which method bodies can now define arbitrary statements using the CodeBlock class; nested annotations; support for Gradle 8.x; and improved build and raw text test assertions. Further details on this release may be found in the release notes.

Micronaut

After five milestones and one release candidate, the Micronaut Foundation has released Micronaut Framework 4.0.0 featuring baselines to JDK 17, Groovy 4.0, Kotlin 1.8, Gradle 8.x.

There is also support for GraalVM 23, virtual threads, HTTP/3 and io_uring. This new version also introduces: an expression language that allows developers to place expressions in annotations; and a new Java HTTP Client, a lighter implementation of the Micronaut HTTP Client as an alternative to the existing Netty-based implementation. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.

Payara

Payara has released their July 2023 edition of the Payara Platform that includes Community Edition 6.2023.7, Enterprise Edition 6.4.0 and Enterprise Edition 5.53.0 featuring bug fixes and component upgrades that includes Hazelcast 5.3.1 for adding socket options for a per-socket keep-alive configuration. However, this is not yet supported on the Windows OS as acknowledged by Hazelcast. There was also an improvement with the reduction of duplication between the POMs and BOMs such as the removal of: an unused POM file; an outdated temporary Jakarta staging repository; and jdk8 profiles. Further details on these versions may be found in the release notes for Community Edition 6.2023.7, Enterprise Edition 6.4.0 and Enterprise Edition 5.53.0.

Open Liberty

IBM has released version 23.0.0.7-beta of Open Liberty with a test implementation of version 1.0.0-beta2 of the Jakarta Data specification as an experiment with proposed specification features so developers can try out these features and provide feedback to influence the specification as it is being developed. Jakarta Data 1.0.0 has passed its plan review and will most-likely be included in Jakarta EE 11, scheduled for a GA release in the first quarter of 2024.

Helidon

Oracle has provided Helidon 2.6.2, a second point release, featuring dependency upgrades and notable fixes such as: an intermittent failure in the CipherSuiteTest class; avoid reflecting back user data coming from exception messages; and the response from the WebServer component should not be chunked if there is no entity. More details on this release may be found in the release notes.

Hibernate

The release of Hibernate Reactive 2.0.3.Final delivers a new getFactory() method to the Mutiny.Session and Stage.Session interfaces that return instances of the Mutiny.SessionFactory and Stage.SessionFactory interfaces, respectively, that created those sessions. Further details on this release may be found in the release notes.

Apache Software Foundation

The Apache Software Foundation has released versions 11.0.0-M9, 10.1.11, 9.0.78 and 8.5.91 of Apache Tomcat this past week. All four versions provide bug fixes and introduce new classes: ContextNamingInfoListener, a listener which creates context naming information environment entries; and PropertiesRoleMappingListener, a listener which populates the context’s role mapping from a properties file. Version 11.0.0-M9 updates the implementations of the Jakarta Expression Language and Jakarta WebSocket specifications to align with the latest changes planned for Jakarta EE 11. More details on these releases may be found in the release notes for version 11.0.0-M9, version 10.1.11, version 9.0.78 and version 8.5.91.

Micrometer

Versions 1.12.0-M1, 1.11.2, 1.10.9 and 1.9.13 of Micrometer Metrics have been released featuring dependency upgrades and notable bug fixes such as: Micrometer Wavefront integration Proxy validation error with the default uri implementation; the removal of unnecessary ThreadLocal overhead for disabled log levels in the LogbackMetrics class; and a NullPointerException from the setValue() method defined in the ObservationThreadLocalAccessor class when there is no current scope. New features in version 1.12.0-M1 are: a configurable base time unit for registering Micrometer observations via the ObservationThreadLocalAccessor class; and improved instances of the Apache HttpAsyncClient interface instrumented with the MicrometerHttpClientInterceptor class to prevent meter I/O errors. Further details on these releases may be found in the release notes for version 1.12.0-M1, version 1.11.2, version 1.10.9 and version 1.9.13.

Similarly, versions 1.2.0-M1, 1.1.3 and 1.0.8 of Micrometer Tracing have been released featuring bug fixes, dependency upgrades and these new features: the addition of Java Microbenchmark Harness (JMH) benchmarks for basic tracing operations; and a new getDuration() method added to the FinishedSpan interface. More details on these releases may be found in the release notes for version 1.2.0-M1, version 1.1.3 and version 1.0.8.

Piranha

The release of Piranha 23.7.0 delivers notable changes such as: a migration from JBoss Jandex to SmallRye Jandex; a new FeatureManager interface to complement the existing Feature interface; and a new CracFeature class that enables Project CRaC. Further details on this release may be found in their documentation and issue tracker.

Project Reactor

The first milestone release of Project Reactor 2023.0.0 provides a dependency upgrade to reactor-core 3.6.0-M1. There was also a realignment to version 2023.0.0-M1 with the reactor-netty 1.1.9, reactor-kafka 1.3.19, reactor-pool 1.0.1, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.

Similarly, Project Reactor 2022.0.9, the ninth maintenance release provides dependency upgrades to reactor-core 3.5.8, reactor-netty 1.1.9, reactor-kafka 1.3.19 and reactor-pool 1.0.1. There was also a realignment to version 2022.0.9 with the reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. Further details on this release may be found in the changelog.

JHipster

The second beta release of JHipster 8.0.0 delivers bug fixes and notable changes such as: a removal of the unused import of the HttpServletRequest interface; a removal of the parameter with the spring-boot-maven-plugin as it was unknown to the plugin and had issued a warning; and an improvement in the Heroku sub-generator. More details on this release may be found in the release notes.

Versions 0.38.0 and 0.37.0 of JHipster Lite have been released featuring many dependency upgrades and these new features: an upgrade to Prettier for Svelte 3 components; and support for dark mode. Further details on these releases may be found in the release notes for version 0.37.0 and version 0.37.0.

Yupiik

The release of Yupiik Fusion 1.0.5 provides: support for a contextless database; a more precise error message when the JSON module is not seen or ignored; and improvements to the generated resources.json and native-image.properties files to include Fusion JSON metadata. More details on this release may be found in the release notes.

Maven

The seventh alpha release of Maven 4.0.0 ships with notable changes such as: support for JDK 20; a migration of the internal StringUtils class to the StringUtils class offered by Apache Commons Lang; and a migration of the FileUtils class offered by Plexus-Utils to the FileUtils class offered by Apache Commons IO.

Gradle

Gradle 8.2.1, a patch release, delivers fixes on notable Gradle 8.2 issues such as: a StackOverflowError exception in building applications with Gradle 8.2 and Quarkus 2.16.7; a broken Micronaut JacocoReportAggregationPlugin; and an incorrect value of false set to the --no-feature flag when it should be set to true.

JetBrains

JetBrains has introduced a new AI Assistant in all of their IntelliJ-based IDEs. Powered by the JetBrains AI service providers (only OpenAI at this time), the service transparently connects developers to “different large language models (LLMs) and enables specific AI-powered features inside many JetBrains products.” It is important to note that: a .NET Tools version is still under development; free to use during the EAP cycle; licensing and pricing model will come at a later date; and access may currently be limited by a waitlist. Further details on the AI Assistant in the .NET environment may be found in this detailed InfoQ news story.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for June 19th, 2023 features news from JDK 22, JDK 21, updates to: Spring Boot; Spring Security; Spring Vault; Spring for GraphQL; Spring Authorization Server and Spring Modulith; Liberica NIK 23.0, Semeru 20.0.1, Micronaut 4.0-RC2 and 3.9.4, JNoSQL 1.0, Vert.x 4.4.4, updates to: Apache Tomcat, Camel, Log4j and JMeter; JHipster Lite 0.35, KCDC 2023 and JCON Europe 2023.

JDK 21

Build 28 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 27 that include fixes to various issues. Further details on this build may be found in the release notes.

JDK 22

Build 3 of the JDK 22 early-access builds was also made available this past week featuring updates from Build 2 that include fixes to various issues. More details on this build may be found in the release notes.

For JDK 22 and JDK 21, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

Versions 3.1.1, 3.0.8 and 2.7.13 of Spring Boot 3.1.1 deliver improvements in documentation, dependency upgrades and notable bug fixes such as: difficulty using the from() method defined in the SpringApplication class in Kotlin applications; SSL configuration overwrites other customizations from the WebClient interface; and support for JDK 20, but no defined value for it in the JavaVersion enum. Further details on these versions may be found in the release notes for version 3.1.1, version 3.0.8 and version 2.7.13.

Versions 6.1.1, 6.0.4, 5.8.4, 5.7.9 and 5.6.11 of Spring Security have been released featuring bug fixes, dependency upgrades and new features such as: align the OAuth 2.0 Resource Server documentation with Spring Boot capabilities; a new section in the reference manual to include information related to support and limitations when working with native images; and a migration to Asciidoctor Tabs. More details on these versions may be found in the release notes for version 6.1.1, version 6.0.4, version 5.8.4, version 5.7.9 and version 5.6.11.

The release of Spring Vault 3.0.3 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a refinement in logging to log the token accessor upon token revocation failure; AWS Identity and Access Management (IAM) authentication added to the EnvironmentVaultConfiguration class; and the inclusion of a key_version attribute to the encrypt() method in the VaultTransitOperations interface. Further details on this release may be found in the release notes.

Versions 1.2.1 and 1.1.5 of Spring for GraphQL have been released featuring bug fixes, dependency upgrades and new features such as: an enhanced GraphQL request body check to prevent a 500 Internal Server Error when a 400 Bad Request is expected; elimination of the IllegalArgumentException due to no defined ConnectionAdapter interface when using existing Java Connection types. More details on these versions may be found in the release notes for version 1.2.1 and version 1.1.5.

Versions 1.1.1, 1.0.3 and 0.4.3 of Spring Authorization Server have been released featuring bug fixes and dependency upgrades. Version 1.1.1 ships with a new feature in which there was a performance enhancement by simply replacing the replaceFirst() method with the substring() method from the String class while using the OAuth2AuthorizationConsent class. Further details on these versions may be found in the release notes for version 1.1.1, version 1.0.3 and version 0.4.3.

The first milestone release of Spring Modulith 1.0.0 ships with bug fixes, dependency upgrades and a new feature that propagates instances of the ExecutorService interface defined in an application into instances of the Scenario class by default. This project has been promoted from its experimental status yielding these breaking changes: a rename of the actuator endpoint from applicationmodules to application-modules; a rename of the group identifier from org.springframework.experimental to org.springframework.modulith; and the removal of the previously deprecated configuration properties, spring.modulith.events.jdbc-*, in the JDBC-based event registry. More details on this release may be found in the release notes.

BellSoft

BellSoft has released version 23.0 of their Liberica Native Image Kit (NIK) featuring: the integration of the ParallelGC garbage collector as an experimental feature; implementation of the JFR ThreadCPULoad event; a removal of type checks from JNI-to-Java call stubs that can break compatibility; and implementation of the user CPU time thread with the getThreadCpuTime() method in the LinuxThreadCpuTimeSupport class.

IBM Semeru Open Edition

IBM has released version 20.0.1 their Semeru Runtime, Open Edition 20.0.1 built on OpenJDK 20.0.1 and Eclipse OpenJ9 0.39.0. Further details on this release may be found in the release notes.

Micronaut

The second release candidate of Micronaut 4.0.0 was also released providing bug fixes, dependency upgrades and these improvements: use of unsafe setters for Jackson; a new UnsafeBeanInstantiationIntrospection interface, a variation of the BeanIntrospection interface that includes an instantiateUnsafe() method for allowing to skip instantiation validation; and support for the All-open compiler plugin for the Kotlin Symbol Processing API.

The Micronaut Foundation has released Micronaut Framework 3.9.4 featuring bug fixes and updates to modules: Micronaut Security and Micronaut Servlet. There was also a dependency upgrade to Netty 4.1.94. More details on this release may be found in the release notes.

Eclipse Foundation

More than six years after its inception in March 2017, version 1.0.0 of JNoSQL, the compatible implementation of the Jakarta NoSQL specification, has been released. New features include: a migration to the jakarta.* namespace, support for the Jakarta Data specification; an implementation of new methods that explore fluent-API for the Graph, Document, Key-Value and Document NoSQL database types; and new methods, count() and exists(), as default on the DocumentManager and ColumnManager interfaces. Before it became a compatible implementation in November 2019, JNoSQL was a project for developers to more easily create NoSQL database applications using Java.

Two months after MicroStream had announced that their Java-native persistence layer had become an Eclipse Project, the first release of Eclipse Store, formerly known as MicroStream Persistence, has been made available to the Java community. Current non-Eclipse integrations in the MicroStream code base, such as Spring Boot, Quarkus and Helidon, will remain open source and the code will be hosted in a new MicroStream repository after they have been refactored to make use of the Eclipse Store and Eclipse Serializer projects.

Eclipse Vert.x 4.4.4 has been released featuring an upgrade to Netty 4.1.94.Final to address CVE-2023-34462, a vulnerability in which an attacker can manipulate the SniHandler class, with no configured idle timeout handler, to buffer the maximum 16MB of data per connection that can quickly lead to an OutOfMemoryError error and potential for a distributed denial of service. Further details on this release may be found in the release notes.

Apache Software Foundation

The Apache Tomcat team has disclosed that versions 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 are affected by CVE-2023-34981, a vulnerability in which a regression in the fix for Bug 66512 could lead to an information leak if a response did not include any HTTP headers, then no Apache JServ Protocol (AJP) SEND_HEADERS message would be sent for the response. This was fixed in Bug 66591 and developers are encouraged to migrate to minimal versions 11.0.0-M6, 10.1.9, 9.0.75 or 8.5.89.

The release of Apache Camel 3.20.6 provides bug fixes and improvements such as: ensure that the REQUEST_CONTEXT and RESPONSE_CONTEXT headers are mapped when populating a Camel CXF message from Camel Message; and enhancements to the Camel JBang module to support OpenAPI. More details on this release may be found in the release notes.

Similarly, the release of Apache Camel 3.14.9 ships with these bug fixes: use the createTempFile() method in the Files class within the FileConverter class instead of directly creating a file; and a potential NullPointerException when using XML Tokenize on an Woodstox XML namespace. Further details on this release may be found in the release notes.

The first alpha release of Apache Log4j 3.0.0 delivers notable changes such as: allow plugins to be created through more flexible dependency injection patterns; split support for Kafka, ZeroMQ, CSV, JMS, JDBC and Jackson to their own modules; and removal of support for the Serializable interface in several classes and interfaces that include Message, Layout, LogEvent, Logger, and ReadOnlyStringMap.

Apache JMeter 5.6.0 has been released featuring bug fixes and new features such as: use Caffeine for caching HTTP headers instead of the Apache Commons Collections LRUMap class; use the Java ServiceLoader class for loading plugins instead of classpath scanning for improved startup; and improved computation when many threads actively produce samplers by using the Java LongAdder and similar concurrency classes to avoid synchronization in the Calculator class. More details on this release may be found in the release notes.

JHipster

The JHipster team has released version 0.35.0 of JHipster Lite with bug fixes, improvements in documentation, dependency upgrades and an improved Sonar analysis that provides more error details and an option to wait. Further details on this release may be found in the release notes.

Kansas City Developer Conference

The 2023 Kansas City Developer Conference (KCDC) was held at the Kansas City Convention Center in Kansas City, Missouri this past week featuring speakers from the Java community who presented workshops and sessions on topics such as: Java, architecture, cloud, data science, JavaScript, project management and security. The conference also featured puppies available for adoption from the Great Plains SPCA.

JCON Europe

Also this past week, JCON Europe 2023 was held at the Cinedom in Kön, Germany featuring speakers from the Java community who presented sessions on topics such as: Java, developer productivity engineering, security, web components, microservices and cloud native.

Article originally posted on InfoQ. Visit InfoQ

Day Three of the 9th annual QCon New York conference was held on June 15th, 2023 at the New York Marriott at the Brooklyn Bridge in Brooklyn, New York. This three-day event is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. It included a keynote address by Suhail Patel and presentations from these four tracks:

Morgan Casey, Program Manager at C4Media, and Danny Latimer, Content Product Manager at C4Media, kicked off the day three activities by welcoming the attendees. They introduced the Program Committee, namely: Aysylu Greenberg, Frank Greco, Sarah Wells, Hien Luu, Michelle Brush, Ian Thomas and Werner Schuster; and acknowledged the QCon New York staff and volunteers. The aforementioned track leads for Day Three introduced themselves and described the presentations in their respective tracks.

Keynote Address: The Joy of Building Large Scale Systems

Suhail Patel, Staff Engineer at Monzo, presented a keynote entitled, The Joy of Building Large Scale Systems. On his opening slide, which Patel stated was also his conclusion, asked why the following is true:

Many of the systems (databases, caches, queues, etc.) that we rely on are grounded on quite poor assumptions for the hardware of today.

He characterized his keynote as a retrospective of where we have been in the industry. As the title suggests, Patel stated that developers have “the joy of building large scale systems, but the pain of operating them.” After showing a behind-the-scenes view of the required microservices for an application in which a Monzo customer uses their debit card, he introduced: binary trees, a tree data structure where each node has at most two children; and a comparison of latency numbers, as assembled by Jonas Bonér, Founder and CTO of Lightbend, that every developer should know. Examples of latency data included: disk seek, main memory reference and L1/L2 cache references. Patel then described how to search a binary tree, insert nodes and rebalance a binary tree as necessary. After a discussion of traditional hard drives, defragmentation and comparisons of random and sequential I/O as outlined in the blog post by Adam Jacobs, Chief Scientist at 1010data, he provided analytical data of how disks, CPUs and networks have been evolving and getting faster. “Faster hardware == more throughput,” Patel maintained. However, despite the advances in CPUs and networks, “The free lunch is over,” he said, referring to a March 2005 technical article by Herb Sutter, Software Architect at Microsoft and Chair of the ISO C++ Standards Committee, that discussed the slowing down of Moore’s Law and how the drastic increases in CPU clock speed were coming to an end. Sutter maintained:

No matter how fast processors get, software consistently finds new ways to eat up the extra speed. Make a CPU ten times as fast, and software will usually find ten times as much to do (or, in some cases, will feel at liberty to do it ten times less efficiently).

Since 2005, there has been a revolution in the era of cloud computing. As Patel explained:

We have become accustomed to the world of really infinite compute and we have taken advantage of it by writing scalable and dist software, but often focused on ever scaling upwards and outwards without a ton of regard for perf per unit of compute that we are utilizing.

Sutter predicted back then that the next frontier would be in software optimization with concurrency. Patel discussed the impact of the thread per core architecture and the synchronization challenge where he compared: the shared everything architecture in which multiple CPU cores access the same data in memory; versus the shared nothing architecture in which the multiple CPU cores access their own dedicated memory space. A 2019 white paper by Pekka Enberg, Founder and CTO at ChiselStrike, Ashwin Rao, Researcher at University of Helsinki, and Sasu Tarkoma, Campus Dean at University of Helsinki found a 71% reduction in application tail latency using the shared nothing architecture.

Patel then introduced solutions to help developers in this area. These include: Seastar, an open-source C++ framework for high-performance server applications on modern hardware; io_uring, an asynchronous interface to the Linux kernel that can potentially benefit networking; and the emergence of programming languages, such as Rust and Zig; a faster CPython with the recent release of version 3.11; and eBPF, a toolkit for creating efficient kernel tracing and manipulation programs.

As an analogy of human and machine coming together, Patel used as an example, Sir Jackie Stewart, who coined the term mechanical sympathy as caring and deeply understanding the machine to extract the best possible performance.

He maintained there has been a cultural shift in writing software to take advantage of the improved hardware. Developers can start with profilers to locate bottlenecks. Patel is particularly fond of Generational ZGC, a Java garbage collector that will be included in the upcoming GA release of JDK 21.

Patel returned to his opening statement and, as an addendum, added:

Software can keep pace, but there’s some work we need do to yield huge results, power new kinds of systems and reduce compute costs

Optimizations are staring at us in the face and Patel “longs for the day that we never have to look at the spinner.”

Highlighted Presentations: Living on the Edge, Developing Above the Cloud, Local-First Technologies

Living on the Edge by Erica Pisani, Sr. Software Engineer at Netlify. Availability zones are defined as one or more data centers located in dedicated geographic regions provided by organizations such as AWS, Google Cloud or Microsoft Azure. Pisani further defined: the edge as data centers that live outside of an availability zone; an edge function as a function that is executed in one of these data centers; and data on the edge as data that is cached/stored/accessed at one of these data centers. This provides improved performance especially if a user is the farthest away from a particular availability zone.

After showing global maps of AWS availability zones and edge locations, she then provided an overview on the communication between a user, edge location and origin server. For example, when a user makes a request via a browser or application, the request first arrives at the nearest edge location. In the best case, the edge location responds to the request. However, if the cache at the edge location is outdated or somehow invalidated, the edge location must communicate with the origin server to obtain the latest cache information before responding to the user. While there is an overhead cost for this scenario, subsequent users will benefit.

Pisani discussed various problems and corresponding solutions for web application functionality on the edge using edge functions. These were related to: high traffic pages that need to serve localized content; user session validation taking too much time in the request; and routing a third-party integration request to the correct region. She provided an extreme example of communication between a far away user relative to two origin servers for authentication. Installing an edge server close to the remote user eliminated the initial latency.

There is an overall assumption that there is reliable Internet access. However, that isn’t always true. Pisani then introduced the AWS Snowball Edge Device, a physical device that provides cloud computing available for places with unreliable and/or non-existent Internet access or as a way of migrating data to the cloud. She wrapped up her presentation by enumerating some of the limitations of edge computing: lower available CPU time; advantages may be lost when network request is made; limited integration with other cloud services; and smaller caches.

Developing Above the Cloud by Paul Biggar, Founder and CEO at Darklang. Biggar kicked off his presentation with an enumeration of how computing has evolved over the years in which a simple program has become complex when persistence, Internet, reliability, continuous delivery, and scalability are all added to the original simple program. He said that “programming used to be fun.” He then discussed other complexities that are inherent in Docker, front ends and the growing number of specialized engineers.

With regards to complexity, “simple, understandable tools that interact well with our existing tools” are the way developers should build software along with the UNIX philosophy of “do one thing, and do it well.” However, Biggar claims that building simple tools that interact well is just a fallacy and is the problem because doing so leads to the complexity that is in software development today with “one simple, understandable tool at a time.”

He discussed incentives for companies in which engineers don’t want to build new greenfield projects that solve all the complexity. Instead, they are incentivized to add small new things to existing projects that solve problems. Therefore, Biggar maintained that “do one thing, and do it well” is also the problem. This is why the “batteries included” approach, provided by languages such as Python and Rust, deliver all the tools in one package. “We should be building holistic tools,” Biggar said, leading up to the main theme of his presentation on developing above the cloud.

Three types of complexity: infra complexity; deployment complexity; and tooling complexity, should be removed for an improved developer experience. Infra complexity includes the use of tools such as: Kubernetes, ORM, connection pools, health checks, provisioning, cold starts, logging, containers and artifact registries. Biggar characterized deployment complexity with a quote from Jorge Ortiz in which the “speed of developer iteration is the single most important factor in how quickly a technology company can move.” There is no reason that deployment should take a significant amount of time. Tooling complexity was explained by demos of the Darklang IDE in which creating things like REST endpoints or persistence, for example, can be quickly moved to production by simply adding data in a dialog box. There was no need to worry about things such as: server configuration, pushing to production or a CI/CD pipeline. Application creation is reduced down to the abstraction.

At this time, there is no automated testing in this environment and adoption of Darklang is currently in “hundreds of active users.”

Offline and Thriving: Building Resilient Applications With Local-First Techniques by Carl Sverre, Entrepreneur in Residence at Amplify Partners. Sverre kicked off his presentation with a demonstration of the infamous “loading spinner” as a necessary evil to inform the user that something was happening in the background. This kind of latency doesn’t need to exist as he defined offline-first as:

(of an application or system) designed and prioritized to function fully and effectively without an internet connection, with the capability to sync and update data once a connection is established.

Most users don’t realize their phone apps, such as WhatsApp, email apps and calendar apps, are just some examples of offline-apps and how they have improved over the years.

Sverre explained his reasons for developing offline-first (or local-first) applications. Latency can be solved by optimistic mutations and local storage techniques. Because the Internet can be unreliable with issues such as dropped packets, latency spikes and routing errors, Reliability is crucial to applications. Adding features for Collaboration leverage offline-first techniques and data models for this purpose. He said that developers “gain the reliability of offline-first without sacrificing the usability of real time.” Development velocity can be accomplished by removing the complexity of software development.

Case studies included: WhatsApp, the cross-platform, centralized instant messaging and voice-over-IP service, uses techniques such as end-to-end encryption, on-device messages and media, message drafts and background synchronization; Figma, a collaborative interface design tool, uses techniques such as real-time collaborative editing, a Conflict-Free Replicated Data Type (CRDT) based data model, and offline editing; and Linear, an alternative to JIRA, uses techniques such as faster development velocity, offline editing and real-time synchronization.

Sverre then demonstrated the stages for converting a normal application to an offline-first application. However, trade-offs to consider for offline-first application development include conflict resolution, eventual consistency, device storage, access control and application upgrades. He provided solutions to these issues and maintained that, despite these tradeoffs, this is better than an application displaying the “loading spinner.”

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for June 12th, 2023 features news from OpenJDK, JDK 22, JDK 21, GraalVM 23, various releases of: GraalVM Build Tools, Spring Framework, Spring Data, Spring Shell, Payara Platform, Micronaut, Open Liberty, Quarkus, Micrometer, Hibernate ORM and Reactive, Project Reactor, Piranha, Apache TomEE, Apache Tomcat, JDKMon, JBang, JHipster, Yupiik Bundlebee; and QCon New York 2023.

OpenJDK

After its review had concluded, JEP 404, Generational Shenandoah (Experimental), was officially removed from the final feature set in JDK 21. This was due to the “risks identified during the review process and the lack of time available to perform the thorough review that such a large contribution of code requires.” The Shenandoah team has decided to “deliver the best Generational Shenandoah that they can” and will seek to target JDK 22.

Julian Waters, OpenJDK development team at Oracle, has submitted JEP Draft 8310260, Move the JDK to C17 and C++17, to allow the use of the C17 and C++17 programming language features in JDK source code. Due to the required minimal JDK 17 version in Microsoft Visual C/C++ Compiler: Visual Studio 2019, this draft proposes to apply changes to the build system such that the existing C++ flag, -std:c++14, will change to -std:c++17 and the existing C flag, -std:c11, will change to -std:c17.

JDK 21

Build 27 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 26 that include fixes to various issues. Further details on this build may be found in the release notes.

JDK 22

Build 2 of the JDK 22 early-access builds was also made available this past week featuring updates from Build 1 that include fixes to various issues. More details on this build may be found in the release notes.

For JDK 22 and JDK 21, developers are encouraged to report bugs via the Java Bug Database.

GraalVM

Oracle Labs has introduced Oracle GraalVM with a new distribution and license model for both development and production applications. GraalVM Community Components 23.0.0 provides support for JDK 20 and JDK 17 with the GraalVM for JDK 17 Community 17.0.7 and GraalVM for JDK 20 Community 20.0.1 editions of GraalVM. New features in Native Image include: support for G1 GC; ​​compressed object headers and pointers for a lower memory footprint; and machine learning to automatically infer profiling information. InfoQ will follow up with a more detailed news story.

On the road to version 1.0, Oracle Labs has also released version 0.9.23 of Native Build Tools, a GraalVM project consisting of plugins for interoperability with GraalVM Native Image. This latest release provides notable changes such as: a fix for the compatibility of the “collect reachability metadata” task with Gradle’s configuration cache; remove the use of the deprecated Gradle GFileUtils class that will ultimately be removed in Gradle 9; and add a display of the GraalVM logo on the generated Native Build Tools documents. Further details on this release may be found in the changelog.

Spring Framework

The first milestone release of Spring Framework 6.1 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: initial support for the new Sequenced Collections interfaces; support for Coordinated Restore at Checkpoint (CRaC); compatibility with virtual threads; and a ClientHttpRequestFactory interface based on the HttpClient class provided by Jetty. More details on this release may be found in the release notes.

Similarly, versions 6.0.10 and 5.3.28 of Spring Framework have also been released featuring bug fixes, improvements in documentation, dependency upgrades and new features such as: a new remoteServer() method added to the MockHttpServletRequestBuilder class to set the remote address of a request; a new matchesProfiles() methods added to the Environment interface to determine whether one of the given profile expressions matches the active profiles; and declare the isPerInstance() method defined in the Advisor interface as default to eliminate the unnecessary implementation requirement of that method. Further details on these releases may be found in the release notes for version 6.0.10 and version 5.3.28.

Versions 2023.0.1, 2022.0.7 and 2021.2.13, service releases of Spring Data, ship with bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.1.1, 3.0.7 and 2.7.13; Spring Data MongoDB 4.1.1, 4.0.7 and 3.4.13; Spring Data Elasticsearch 5.1.1, 5.0.7 and 4.4.13; and Spring Data Neo4j 7.1.1 7.0.7 and 6.3.13.

Versions 3.1.1 and 3.0.5 of Spring Shell 3.0.5 have been released with notable bug fixes such as: a target annotated with @ShellAvailability not registering with Ahead-of-Time processing; native mode broken on Linux; and an unexpected comma inserted at the end of a parsed message. More details on these releases may be found in the release notes for version 3.1.1 and version 3.0.5.

Payara

Payara has released their June 2023 edition of the Payara Platform that includes Community Edition 6.2023.6, Enterprise Edition 6.3.0 and Enterprise Edition 5.52.0. All three versions feature: the removal of the throwable reference of the ASURLClassLoader class to eliminate class loader leaks; and a fix for the configuration of the dependency injection kernel, HK2, for JDK 17 compilation. Further details on these versions may be found in the release notes for Community Edition 6.2023.6, Enterprise Edition 6.3.0 and Enterprise Edition 5.52.0.

Micronaut

The fourth release candidate of Micronaut 4.0 delivers bug fixes and improvements such as: add a default method to the overloaded set of writeValueAsString() methods in the JsonMapper interface; improved exception handling on scheduled jobs; and a new parameter, missingBeans=EndpointSensitivityHandler.class, for the @Requires annotation on the EndpointsFilter class to convey that endpoint sensitivity is handled externally and the filter will not be loaded. More details on this release may be found in the release notes.

Open Liberty

IBM has released Open Liberty 23.0.0.6-beta that provides: continued improvements in their InstantOn functionality; continued support for the Jakarta Data specification; and improvements for OpenID Connect clients with support for Private Key JWT client authentication and RFC 7636, Proof Key for Code Exchange by OAuth Public Clients (PKCE).

Quarkus

Quarkus 3.1.2.Final, the second maintenance release, provide improvements in documentation, dependency upgrades and bug fixes such as: a ClassNotFoundException when using the Qute Templating Engine in dev mode; a NullPointerException in version 3.1.1 when using a Config Interceptor; and startup of the Quarkus server hangs indefinitely when using the OidcRecorder class. Further details on this release may be found in the release notes.

Micrometer

Versions 1.11.1, 1.10.8 and 1.9.12 of Micrometer Metrics have been released with dependency upgrades and bug fixes such as: an improper variable argument check in the KeyValues class that leads to NullPointerException; loss of scope and context propagation between Project Reactor and imperative code blocks; and random GRPC requests return null upon calling the currentSpan() method defined in the Tracer class. More details on these releases may be found in the release notes for version 1.11.1, version 1.10.8 and version 1.9.12.

Similarly, versions 1.1.2 and 1.0.7 of Micrometer Tracing have been released with dependency upgrades, improvements in documentation and bug fixes: abstractions from the Span interface are not equal when when delegating to the same OpenTelemetry object; and a fix for Project Reactor with Micrometer 1.10 by using null scopes instead of clearing thread locals. Further details on these releases may be found in the release notes for version 1.1.2 and version 1.0.7.

Hibernate

The release of Hibernate ORM 6.2.5.Final provides bug fixes such as: caching not working properly for entities with inheritance when the hibernate.cache.use_structured_entries property was set to true; generic collections not mapped correctly using a @MappedSuperclass annotation; and mapping of JSON-B of different types in a class inheritance hierarchy does not work.

The release of Hibernate Reactive 2.0.1.Final ships with compatibility with Hibernate ORM 6.2.5.Final and adds support for the @Lob annotation for MySQL, MariaDB, Oracle, and Microsoft SQLServer.

Project Reactor

Project Reactor 2022.0.8, the eighth maintenance release, provides dependency upgrades to reactor-core 3.5.7, reactor-netty 1.1.8. There was also a realignment to version 2022.0.8 with the reactor-kafka 1.3.18, reactor-pool 1.0.0, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.

Piranha

The release of Piranha 23.6.0 delivers notable changes such as: removal of the deprecated Logging Manager and MimeTypeManager interfaces; deprecation of the --war and --port command line arguments; and add HTTPS support to the Piranha Maven plugin. Further details on this release may be found in their documentation and issue tracker.

Apache Software Foundation

Apache TomEE 9.1.0 has been released featuring bug fixes, improvements in documentation, dependency upgrades and improvements: use of ActiveMQ 5.18.0 Jakarta EE-compatible client in favor of the shade approach with TomEE; and backport the fixes that addressed CVE-2023-24998 and CVE-2023-28708 in Apache Tomcat from version 10.1.x to version 10.0.27. More details on this release may be found in the release notes.

Versions 10.1.10 and 8.5.90 of Apache Tomcat delivers: support for JDK 21 and virtual threads; an update to HTTP/2 to use the RFC-9218, Extensible Prioritization Scheme for HTTP, prioritization scheme; a dependency upgrade to Tomcat Native to 2.0.4 and 1.2.37, respectively which includes binaries for Windows built with OpenSSL 3.0.9 and 1.1.1u, respectively; and a deprecation of the xssProtectionEnabled property from the HttpHeaderSecurityFilter class and set the default value to false. Further details on these versions may be found in the changelogs for version 10.1.10 and version 8.5.90.

JDKMon

Versions 17.0.67 and 17.0.65 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, these new versions provide: support for the new GraalVM Community builds; and a small icon added to the name of a JDK to indicate that it is managed by SDKMan. An experimental new feature in version 17.0.65 includes a new switch-jdk script placed in a user’s home folder that makes it possible to switch to a specific JDK in a shell session.

JBang

The release of JBang 0.108.0 ships with support for JEP 445, Unnamed Classes and Instance Main Methods (Preview). It is important to note that developers will be required to build and install JDK 21 early-access to use JEP 445 due to the Temurin JDK builds only providing JDK 20 as the latest version.

JobRunr

JobRunr 6.2.2 has been released to provide notable changes: improve caching of job analysis when using Java Stream API; and the ElectStateFilter and ApplyStateFilter interfaces are invoked while there is no change of state.

JHipster

The first beta release of JHipster 8.0.0 delivers bug fixes and notable changes such as: the use of Consul by default; a fix for Apache Cassandra tests by dropping CassandraUnit and adding reactive tests; and a move to deny-by-default over allow-by-default by using the authorizeHttpRequests() method defined in Spring Security HttpSecurity class. It is important to note that there is a rename of the AngularX configuration option to Angular for backward compatibility as AngularX will be removed in the GA release of JHipster 8.0. More details on this release may be found in the release notes.

Yupiik

The release of Yupiik Bundlebee 1.0.20, a light Java Kubernetes package manager, provides updates such as: additional placeholders for the default observability stack; support for namespace placeholder keywords to enable the reuse of globally configured namespace in placeholders; and proper usage of DaemonSet usage for Loki. Further details on this release may be found in the release notes.

QCon New York

After a three-year hiatus due to the pandemic, the 9th annual QCon New York conference was held at the New York Marriott at the Brooklyn Bridge in Brooklyn, New York this past week featuring three days of presentations from 12 tracks and keynotes delivered by Radia Perlman, Alicia Dwyer Cianciolo, Suhail Patel and Sarah Bird. More details about this conference may be found in the InfoQ daily recaps from Day One and Day Two. InfoQ will follow-up with Day Three coverage.

Article originally posted on InfoQ. Visit InfoQ

Day Two of the 9th annual QCon New York conference was held on June 14th, 2023 at the New York Marriott at the Brooklyn Bridge in Brooklyn, New York. This three-day event is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. It included a keynote address by Alicia Dwyer Cianciolo and presentations from these four tracks:

• Designing Modern Reliable Architectures
  • Hosted by Silvia Esparrachiari, Software Engineer at Google.
  • Provides a diverse collection of reliability strategies covering finance applications, gaming platforms and other real world segments of the tech industry.
• MLOps – Production & Delivery for ML Platforms
  • Hosted by Bozhao (Bo) Yu, Founder at BentoML.ai.
  • Explores the latest trends, best practices, and case studies in MLOps, and discusses how they can be applied to improve the reliability, scalability, and efficiency of machine learning systems.
• Next Gen Fintech: Performance, Complexity & Privacy
  • Hosted by Neha Sardana, Vice President and Senior Developer at Morgan Stanley.
  • Provides solutions to the challenges of data breaches, privacy, security, and performance, and stays on top of the latest trends and best practices in Fintech.
• Optimizing Teams for Fast Flow – Surviving in the Post-Agile Aftermath
  • Hosted by Katharine Chajka, Senior Product Manager at Planview Flow Methodology.
  • Focuses on understanding how to identify the specific issues slowing down flow and finding changes that resolve those impediments to make the most of the time and money spent on change.

There was also one sponsored solutions track.

Danny Latimer, Content Product Manager at C4Media, kicked off the day two activities by welcoming the attendees and introduced Daniel Bryant, InfoQ News Manager, who discussed InfoQ news activities and the InfoQ core values: information robin hoods; best, not (necessarily) first; facilitators, not leaders; and content that can trusted. Pia von Beren, Project Manager & Diversity Lead at C4Media, discussed the QCon Alumni Program and the benefits of having attended multiple QCon conferences. The aforementioned track leads for Day Two introduced themselves and described the presentations in their respective tracks.

Keynote Address

Alicia Dwyer Cianciolo, senior technical lead for Advanced Entry, Descent and Landing Vehicle Technology Development at the NASA Langley Research Center, presented a keynote entitled, NASA’S Return to the Moon: Managing Complexity in the Artemis Program. Cianciolo started her presentation with the famous quote from John F. Kennedy’s speech at Rice University in 1962: “We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard.” With than in mind, she introduced the Artemis program, considered the “sister” to the Apollo program, as a collection of projects, namely:

Artemis = Space Launch System + Orion Spacecraft + Human Landing System (HLS) + Extravehicular Activity and Human Surface Mobility Program (EHP) + Gateway

Cianciolo currently works on the Human Landing System. Artemis and its component projects were designed as a collaboration for space missions. After introducing each of these projects, she provided background and orbit information on previous and upcoming Artemis launches. Artemis I, launched on November 16, 2022 and splashed down on December 11, 2022 featured the Space Launch System and Orion projects. Artemis II, scheduled to launch at the end of 2024, will feature the Space Launch System and Orion projects and include a flight crew: Reid Wiseman (commander), Victor Glover (pilot), Christina Hammock Koch (Mission Specialist) and Jeremy Hansen (Mission Specialist). The plan for Artemis III is to land on the moon and will feature the Space Launch System, Orion, HLS and EHP projects and include another flight crew that is still to be determined. She described the complex of operations related to the HLS that includes mission segments, contracts, landing requirements and gateway orbit. Apollo 11 through Apollo 17 landed on or near the moon’s equator. The landing plan for Artemis III is to land within 6° latitude and less than 10° surface slopes on the moon’s south pole due to the rough terrain. Another challenge is the amount of daylight that often changes. The crew will need a six-day window of daylight and to be in constant communication with Earth. “What could go wrong?” Cianciolo asked. The hardest part of going to the moon is talking to people, Cianciolo said, as she recalled her experience in which it took six months to resolve this seemingly simple issue related to sharing a bathroom space. The plan for Artemis IV is to land on the International Habitation Module and will feature the Space Launch System, Orion, HLS, EHP and Gateway projects and include a flight crew to be determined.

Highlighted Presentations

Maximizing Performance and Efficiency in Financial Trading Systems through Vertical Scalability and Effective Testing by Peter Lawrey, CEO at Chronical Software. Lawrey kicked off his presentation by discussing how allocating objects may have an overhead of 80x than that of collecting them. He maintained that the loss of objects can be allocated, but recommends against this strategy that has been a practice. As the legendary Grace Hopper once said: “The most dangerous phrase in the English language is: “‘We’ve always done it that way.'” He provided various analyses and benchmarks on why allocations don’t scale well. Allocations can spend approximately 0.3% of the time in the garbage collector. The concept of accidental complexity is complexity that is not inherent in a problem, but rather in a solution that can be removed or reduced with a better design or technology choice. Lawrey provided many examples and analyses of accidental complexity that included memory usage analysis from Chronical Queue where most of the allocation activity was from the JDK Flight Recorder. In many applications, especially in the financial industry, selecting a “source of truth” can significantly impact the latency and complexity of the application. The concept of durability guarantees identifies critical paths for performance, but are often considered the largest bottlenecks. Examples include: a database; durable messaging that is guaranteed to be on disk; redundant messaging; and persisted messaging that will eventually be on disk. Lawrey introduced Little’s Law, a founding principle in queueing theory, as L = λ, such that:

• L = average number of items in a system
• λ = average arrival rate = exit rate = throughput
• W = average wait time in a system for an item (duration inside)

Little’s Law is applied in many aspects of system design and performance enhancement. The higher the latency, the higher the inherent parallelism required to achieve a desired throughput. On the opposite end of that spectrum, the lower the latency, the inherent required parallelism is minimized. Traditional object allocation in Java can impede performance, especially in high throughput scenarios, creating a bottleneck that hinders vertical scalability. By minimizing accidental complexity and using an event-driven architecture, vertical scalability can be achieved.

Performance and Scale – Domain-Oriented Objects vs Tabular Data Structures by Donald Raab, Managing Director and Distinguished Engineer at BNY Mellon, and Rustam Mehmandarov, Chief Engineer at Computas AS. Raab and Mehmandarov started their presentation with a retrospective into the problems with in-memory Java architectures using both 32-bit and 64-bit memory circa 2004. In the 32-bit world, it was challenging for developers to place, say, 6GB of data, into 4GB of memory. The solution was to build their own “small size” Java collections. The emergence of 64-bit provided some relief, but total heap size became an issue. Compressed Ordinary Object Pointers (OOPS), available with the release of Java 6 in late 2006, allowed developers to create 32-bit references (4 bytes) in 64-bit heaps. Solutions in this case include; building their own memory-efficient mutable Set, Map and List data structures; and building primitive collections for the List, Set, Stack, Bag and Map data structures. Raab and Mehmandarov then described the challenges developers face today where, for instance, large CSV data needs to be processed in-memory. They asked the questions: “How can that efficiently be accomplished in Java?,” “How can memory efficiency of data structures be measured?,” “What decisions affect memory efficiency?,” and “Which approach is better: row vs. columns?” To measure the cost of memory in Java, Raab and Mehmandarov introduced the Java Object Layout (JOL), a small toolbox to analyze object layout schemes in JVMs, and how to use it within an application. Using a large CSV data set as an example, Raab and Mehmandarov provided a comprehensive look into the various memory considerations: boxed vs. primitive types; mutable vs. immutable data; data pooling; and row-based vs. column-based structures. They also explored three libraries: Java Streams, introduced in Java 8; Eclipse Collections, invented by Raab; and DataFrame-EC, a tabular data structure based on the Eclipse Collections framework. Three Java projects: Amber, Valhalla and Lilliput, are working to improve productivity, value objects and user-defined primitives, and reduce the object header to 64 bits, respectively.

A Bicycle for the (AI) Mind: GPT-4 + Tools by Sherwin Wu, Member of the Technical Staff at OpenAI, and Atty Eleti, Software Engineer at OpenAI. In 1973, efficiencies in cycling started to emerge which were compared to a condor bird. Wu and Eleti coined the phrase “A bicycle for the mind” and used this as a metaphor for Steve Jobs and the creation of Apple. In 2023, the emergence of ChatGPT has evolved the phrase to “A bicycle for the AI mind.” They discussed large language models (LLMs) and their limitations followed by an introduction to new function calling capability that improves their gpt-4 and gpt-3.5-turbo applications. Wu and Eleti provided numerous demos for: converting natural language into queries; calling external APIs and multiple functions; and combining advanced reasoning with daily tasks. They maintained that technology is still in its infancy and they are excited to see how this technology will evolve in the future.

Implementing OSSF Scorecards Across an Organization by Chris Swan, Engineer at atsign.

Swan introduced the Open Source Security Foundation (OSSF or OpenSSF), a “cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them.” The OpenSSF Scorecard project, just one of the projects under OpenSSF, helps open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe. A number of important software security heuristics are measured against an open source software project and assign each heuristic with a score of 0-10. A badge is generated containing the heuristic and score that may be placed on the GitHub repository. This provides a visual representation that the maintainers of the open source repository care about security, and a feeling of safety and security. Swan explored the five holistic security practices: code vulnerabilities, maintenance, continuous testing, source risk assessment and build risk assessment. He encouraged developers who are new to OpenSSF to use Allstar, another OpenSSF project, as a starting point for assessing security for their own open source projects. Swan provided a comprehensive introduction on how to get started by exploring tools such as: GitHub Insights, a tool that can guide developers to create a good quality open source repository; and Terraform, an Infrastructure as a Service (IaaS) resource that provides scripts to improve a GitHub repository. The process also includes a very long questionnaire in which developers should budget at least one hour. The 80:20 rule in OpenSSF states that 20% of effort is required to obtain 80% of the Scorecard score. However, Swan commented that it gets more difficult from there and that it is really hard to achieve high scores.

Summary

In summary, day two featured a total of 27 presentations with topics such as: reliable architectures, machine learning, financial technology (fintech) and optimizing engineering teams.

Article originally posted on InfoQ. Visit InfoQ

Day One of the 9th annual QCon New York conference was held on June 13th, 2023 at the New York Marriott at the Brooklyn Bridge in Brooklyn, New York. This three-day event is organized by C4Media, a software media company focused on unbiased content and information in the enterprise development community and creators of InfoQ and QCon. It included a keynote address by Radia Perlman and presentations from these four tracks:

There was also one sponsored solutions track.

Dio Synodinos, president of C4Media, Pia von Beren, Project Manager & Diversity Lead at C4Media, and Danny Latimer, Content Product Manager at C4Media, kicked off the day one activities by welcoming the attendees and providing detailed conference information. The aforementioned track leads for Day One introduced themselves and described the presentations in their respective tracks.

Keynote Address

Radia Perlman, Pioneer of Network Design, Inventor of the Spanning Tree Protocol and Fellow at Dell Technologies, presented a keynote entitled, The Many Facets of “Identity”. Based on the history of practicing authentication methods, Perlman provided a very insightful look at how the phrase “the identity problem” may not be as well-understood. She maintained that “most people think they know the definition of ‘identity’…kind of.” Perlman went on to describe the many dimensions of “identity” including: human and DNS naming; how to prove ownership of a human or DNS name; and what a browser needs to know to properly authenticate a website. The theory of DNS is “beautiful,” as she described, but in reality, a browser search generally returns an obscure URL string. Because of this, Perlman once fell victim to a scam while trying to return her driver’s license. She then discussed how it is difficult for humans to properly follow password rules, questioned the feasibility of security questions, and recommended that people should use identity providers. Perlman characterized the Public Key Infrastructure (PKI) as “still crazy after all these years” and discussed how a certificate authority, a device that signs a message saying “This name has this public key,” should be associated with the registry from which DNS name is returned. She then described the problem with X.509 certificates such that Internet protocols use DNS names, not X.500 names. “If being able to receive at a specific IP address is secure, we don’t need any of this fancy crypto stuff,” Perlman said. She then compared the top-down and bottom-up models with DNS hierarchical namespaces in which each node in the namespace represents a certificate authority. Perlman recommended the bottom-up model, created by Charlie Kaufman circa 1988, because organizations wouldn’t have to pay for certifications. Also, there is still a monopoly at the root level and root can impersonate everyone in the top-down model. In summary, Perlman said that nothing is quite right today because names are meaningless strings and obtaining a certification certificate is messy and insecure. In conclusion, Perlman suggested to always start with the question, “What problem am I solving?” and to compare various approaches. In a humorous moment early in her presentation, she remarked, “I hate computers” when she had difficulty manipulating her presentation slides. Perlman is the author of the books, Network Security: Private Communication in a Public World and Interconnections: Bridges, Routers, Switches, and Internetworking Protocols.

Highlighted Presentations

Laying the Foundations for a Kappa Architecture – The Yellow Brick Road by Sherin Thomas, Staff Software Engineer at Chime. Thomas introduced the Kappa Architecture as an alternative to the Lambda Architecture, both deployment models for data processing that combine a traditional batch pipeline with a fast real-time stream pipeline for data access. She questioned why the Lambda Architecture is still popular based on the underlying assumption of Lambda: “that stream processors cannot provide consistency is no longer true thanks to modern stream processors like Flink.” The Kappa Architecture has its roots from this 2014 blog post by Kafka Co-Creator Jay Kreps, Co-Founder and CEO at Confluent. Thomas characterized the Kappa Architecture as a streaming first, single path solution that can handle real-time processing as well as reprocessing and backfills. She demonstrated how developers can build a multi-purpose data platform that can support a range of applications on the latency and consistency spectrum using principles from a Kappa architecture. Thomas discussed the Beam Model, how to write to both streams and data lakes and how to convert a data lake to a stream. She concluded by maintaining that the Kappa Architecture is great, but it is not a silver bullet. The same is true for the Lambda Architecture due to the dual code path making it more difficult to manage. A backward compatible, cost effective, versatile and easy to manage data platform could be a combination of the Kappa and Lambda architectures.

Sigstore: Secure and Scalable Infrastructure for Signing and Verifying Software by Billy Lynch, Staff Software Engineer at Chainguard, and Zack Newman, Research Scientist at Chainguard. To address the rise of security attacks across every stage of the development lifecycle, Lynch and Newman introduced Sigstore, an open-source project that aims to provide a transparent and secure way to sign and verify software artifacts. Software signing can minimize the compromise of account credentials and package repositories, and checks that a software package is signed by the “owner.” However, it doesn’t prevent attacks such as normal vulnerabilities and build system compromises. Challenges with traditional software signing include: key management, rotation, compromise detection, revocation and identity. Software signing is currently widely supported in open-source software, but not widely used. By default, tools don’t check signatures due to usability issues and key management. Sigstore frees developers from key management and relies on existing account security practices such as two-factor authentication. With Sigstore, users authenticate via OAuth (OIDC) and an ephemeral X.509 code signing certificate is issued to bind to the identity of the user. Lynch and Newman provided overviews and demonstrations of Sigstore to include sub-projects: Sigstore Cosign, signing for containers; Sigstore Gitsign, Git commit signing; Sigstore Fulcio, users authentication via OAuth; Sigstore Rekor, an append-only transparency log such that the certificate is valid if the signature is valid; Sigstore Policy Controller, a Kubernetes-based admission controller; and Sigstore Public Good Operations, a special interest group comprised of a group of volunteer engineers from various companies collaborating to operate and maintain the Sigstore Public Good instance. Inspired by RFC 9162, Certificate Transparency Version 2.0, the Sigstore team provides a cryptographically tamper-proof public log of everything they do. The Sigstore team concluded by stating: there is no single or one-size fits all solution; software signing is not a silver bullet, but is a useful defense; software signing is critical for any DevSecOps; and developers should start verifying signatures including your own software. When asked by InfoQ about security concerns with X.509, as discussed in Perlman’s keynote address, Newman stated that certificates are very complex and acknowledged that vulnerabilities can still make their way into certificates. However, Sigstore is satisfied with the mature libraries available to process X.509 certifications. Newman also stated that an alternative would be to scrap the current practice and start from scratch. However, that approach could introduce even more vulnerabilities.

Build Features Faster With WebAssembly Components by Bailey Hayes, Director at Cosmonic. Hayes kicked off her presentation by defining WebAssembly (Wasm) Modules as: a compilation target supported by many languages; only one .wasm file required for an entire application; and built from one target language. She then introduced the WebAssembly System Interface (WASI), a modular system interface for WebAssembly, that Hayes claims should really be known as the WebAssembly Standard Interfaces because it’s difficult to deploy modules in POSIX. She then described how Wasm modules interact with the WASI via the WebAssembly Runtime and the many ways that a Wasm module can be executed, namely: plugin tools such as Extism and Atmo, FaaS providers, Docker and Kubernetes. This was followed by a demo of a Wasm application. Hayes then introduced the WebAssembly Component Model, a proposed extension of the WebAssembly specification that supports high-level types within Wasm such as strings, records and variants. After describing the building blocks of Wasm components with the WASI, she described the process of how to build a component followed by a live demo of an application, written in Go and Rust, that was built and converted to a component.

Virtual Threads for Lightweight Concurrency and Other JVM Enhancements by Ron Pressler, Technical Lead OpenJDK’s Project Loom at Oracle. Pressler provided a comprehensive background on the emergence of virtual threads that included many mathematical theories. A comparison of parallelism vs. concurrency defined performance measures in latency (time duration) and throughput (task/time unit), respectively. For any stable system with long-term averages, he introduced Little’s Law as L = λW, such that:

• L = average number of items in a system
• λ = average arrival rate = exit rate = throughput
• W = average wait time in a system for an item (duration inside)

A comparison of threads vs. async/await in terms of scheduling/interleaving points, implementation and recursion/virtual calls defined the languages that support these attributes, namely: JavaScript, Kotlin and C++/Rust, respectively. After introducing asynchronous programming, syntactic coroutines (async/await) and the impact of context switching with servers, Pressler tied everything together by discussing threads and virtual threads in the Java programming language. Virtual threads is a relatively new feature that was initially introduced in JDK 19 as a preview. After a second preview in JDK 20, virtual threads will be a final feature in JDK 21, scheduled to be released in September 2023. He concluded by defining the phrase “misleading familiarity” as “there is so much to learn, but there is so much to unlearn.”

Summary

In summary, day one featured a total of 28 presentations with topics such as: architectures, engineering, language platforms and software supply chains.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for June 5th, 2023 features news from OpenJDK, JDK 21 in Rampdown, JDK 22 expert group, Jakarta EE 11 update, Spring Security Kerberos 2.0.0, Quarkus 3.1.1, Micronaut 3.9.3, Eclipse Vert.x 4.4.3, Apache Commons IO 2.13, Apache Tomcat 11.0.0-M7 and 9.0.76, Infinispan 14.0.10 and 13.0.17, JHipster Lite 0.34, OpenXava 7.1.1, Yupiik Fusion 1.0.3, Gradle 8.2-RC2 and JNation.

OpenJDK

JEP 453, Structured Concurrency (Preview), has been promoted from Proposed to Target to Targeted for JDK 21. Formerly a incubating API, this initial preview incorporates enhancements in response to feedback from the previous two rounds of incubation: JEP 428, Structured Concurrency (Incubator), delivered in JDK 19; and JEP 437, Structured Concurrency (Second Incubator), delivered in JDK 20. The only significant change features the fork() method, defined in the StructuredTaskScope class, returns an instance of TaskHandle rather than a Future since the get() method in the TaskHandle interface was restructured to behave the same as the resultNow() method in the Future interface. More details on this JEP may be found in this detailed InfoQ news story.

JEP 446, Scoped Values (Preview), has been promoted from Proposed to Target to Targeted for JDK 21. Formerly known as Extent-Local Variables (Incubator), this JEP is now a preview feature following JEP 429, Scoped Values (Incubator), delivered in JDK 20. This JEP proposes to enable sharing of immutable data within and across threads. This is preferred to thread-local variables, especially when using large numbers of virtual threads. InfoQ will follow-up with a more detailed news story.

Roman Kennke, principal engineer at AWS and owner of JEP 404, Generational Shenandoah (Experimental), has proposed to drop this JEP from JDK 21 due to the “risks identified during the review process and the lack of time available to perform the thorough review that such a large contribution of code requires.” The Shenandoah team has decided to “deliver the best Generational Shenandoah that they can” and will seek to target JDK 22. The review is expected to conclude on June 14, 2023.

JDK 21

Build 26 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 25 that include fixes to various issues. Further details on this build may be found in the release notes.

As per the JDK 20 release schedule, Mark Reinhold, chief architect, Java Platform Group at Oracle, formally declared that JDK 21 has entered Rampdown Phase One. This means that the main-line source repository has been forked to the JDK stabilization repository and no additional JEPs will be added for JDK 21. Therefore, the final set of 15 features for the GA release in September 2023 will include:

This feature set assumes that the proposal to remove the aforementioned JEP 404, Generational Shenandoah (Experimental), originally targeted for JDK 21, will be approved.

For JDK 21, developers are encouraged to report bugs via the Java Bug Database.

JDK 22

JSR 397, Java SE 22, was submitted this past week to formally announce the six-member expert group for JDK 22, namely Simon Ritter (Azul Systems), Manoj Palat (Eclipse Foundation), Andrew Haley (Red Hat), Christoph Langer (SAP SE), Iris Clark (Oracle) and Brian Goetz (Oracle). Clark and Goetz will serve as the specification leads. Other notable dates at this time include a public review from January 2024 through February 2024 and the GA release in March 2024.

Build 0 and Build 1 of the JDK 22 early-access builds were also made available this past week featuring the initial set of release updates.

Jakarta EE

Ivar Grimstad, Jakarta EE developer advocate at the Eclipse Foundation, announced in his Hashtag Jakarta EE weekly blog that the requests for plan review for Jakarta EE 11 have been submitted ahead of the May 30, 2023 deadline. Developers can expect updates to the Jakarta Authentication 3.1, Jakarta Authorization 3.0, Jakarta Concurrency 3.1, Jakarta Contexts and Dependency Injection 4.1, Jakarta Expression Language 6.0, Jakarta Faces 5.0, Jakarta RESTful Web Services 4.0, Jakarta Server Pages 4.0, Jakarta Persistence 3.2, Jakarta Security 4.0, Jakarta Servlet 6.1 and Jakarta WebSocket 2.2 specifications with the release of Jakarta EE 11, scheduled for the first quarter of 2024.

It is also important to note that the Jakarta Data 1.0, Jakarta NoSQL 1.0 and Jakarta MVC 3.0 specifications with approved release plans, are currently considered as standalone, i.e., they haven’t yet been incorporated into the Platform, Web or Core profiles of Jakarta EE.

Spring Framework

The release of Spring Security Kerberos 2.0.0 delivers notable changes such as: backwards compatible support for JDK 8; wrap the execution of the UserDetailsService interface in a PrivilegedAction interface so that it can reuse Kerberos authentication; and a fix for a NotSerializableException with the JaasSubjectHolder class. More details on this release may be found in the list of issues.

Quarkus

Red Hat has released Quarkus 3.1.1.Final featuring dependency upgrades and notable changes such as: properly catch non-unique result exceptions with Security Jakarta Persistence Reactive; prevent a NullPointerException in preparation of Jacoco reports when a workspace module has no sources; a fix for the @NamedNativeQuery annotation not working in Hibernate Reactive when converting to native image; and a fix for Quarkus 3.1 throwing an IllegalStateException exception if the @Produces annotation is not defined on a stream response. Further details on this release may be found in the release notes.

Micronaut

The Micronaut Foundation has released Micronaut Framework 3.9.3 featuring bug fixes and updates to modules: Micronaut Servlet and Micronaut AWS. There was also a dependency upgrade to Netty 4.1.92. More details on this release may be found in the release notes.

The third release candidate of Micronaut 4.0 delivers bug fixes and improvements such as: add a default method to the overloaded set of writeValueAsString() methods in the JsonMapper interface; improved exception handling on scheduled jobs; and a new parameter, missingBeans=EndpointSensitivityHandler.class, for the @Requires annotation on the EndpointsFilter class to convey that endpoint sensitivity is handled externally and the filter will not be loaded. Further details on this release may be found in the release notes.

Eclipse Vert.x

Eclipse Vert.x 4.4.3 has been released with dependency upgrades and notable fixes such as: a broken tracing integration with the JDBC SQL client; an IndexOutOfBoundsException from the serviceName() method in the GrpcMethodCall class; and a NullPointerException from the updateSSLOptions() method in the HttpServer interface due to a null instance of the SSLHelper class. More details on this release may be found in the release notes and deprecations and breaking changes.

Version 4.4.3.1 of the Vert.x JDBC Client has also been released to fix an IP address parsing regression introduced in Vert.x 4.4.3. Developers who use the vertx-jdbc-client module should upgrade to this dependency until an upgrade to the next full stack release is provided.

Apache Software Foundation

The release of Apache Commons IO 2.13.0 delivers notable changes such as: a fix for the FileAlreadyExistsException from the createParentDirectories() method in the PathUtils class; reset the setCharset(null) and setCharsetEncoder(null) methods in the ReaderInputStream.Builder class to return a default object instead of throwing a NullPointerException; and add missing conversions to the subclasses of the AbstractOrigin class. Further details on this release may be found in the release notes.

Versions 11.0.0-M7 and 9.0.76 of Apache Tomcat both ship with: support for JDK 21 and virtual threads; a new RateLimitFilter class to help mitigate Denial of Service and Brute Force attacks by limiting the number of a requests that are allowed from a single IP address within a given time window; and a dependency upgrade to Tomcat Native to 2.0.4 which includes binaries for Windows built with OpenSSL 3.0.9. More details may be found in the changelogs for version 11.0.0-M7 and version 9.0.76.

Infinispan

Infinispan 14.0.10.Final provides notable changes such as: Spring Framework 6.x and Spring Boot 3.x dependency upgrades; a fix to the IPv6 wildcard address when detecting multihoming; and an implementation of the the conditional methods, computeIfAbsent() and computeIfPresent(), in the RemoteCache interface. Further details on this release may be found in the release notes.

Similarly, Infinispan 13.0.17.Final features notable changes such as: eliminate the corruption of binary files by not filtering binary resources; an issue where a JNDI data source is not available when deploying to Tomcat by lazily initiating the data source from the getConnection() method in the ManagedConnectionFactory class; and correct the documented port number in the property file examples in the Spring Boot starter documentation. More details on this release may be found in the release notes.

JHipster

The JHipster team has released version 0.34.0 of JHipster Lite with many dependency upgrades and notable enhancements such as: the removal of unused local variables; the replacement of concatenating strings with text blocks; and improvements in the React application. Further details on this release may be found in the release notes.

OpenXava

Version 7.1.1 of OpenXava has been released featuring dependency upgrades and the ability to visit a website resource that is annotated with @HtmlText. More details on this release may be found in the release notes.

Yupik

Version 1.0.3 of Yupiik Fusion has been released with notable changes such as: support for kubeconfig files in Kubernetes Client libraries; improved reuse of the CliAwaiter class; and expose the prepare() method in the KubenetesClient class by changing the access specifier from private to public. Further details on this release may be found in the release notes.

Gradle

The second release candidate of Gradle 8.2 features improvements such as: continued improvements to the Kotlin DSL reference documentation, clean and actionable error reporting for the console output, and dependency verification that mitigates security risks with compromised dependencies; and the simple property assignment operator (=) operator, introduced in the Kotlin DSL with the last release, is enabled by default. More details on this release may be found in the release notes.

JNation Conference

The JNation conference was held at the Convento São Francisco in Coimbra, Portugal, this past week featuring many speakers from the Java community who presented sessions and workshops on topics such as Project Loom, JavaScript, Java on ARM, WebAssembly, Kubernetes and GraalVM.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for May 29th, 2023 features news from OpenJDK, JDK 21, GlassFish 7.0.5, Payara, Open Liberty 23.0.0.5, IBM Semeru Runtimes, Micronaut 4.0-M6, Quarkus 3.1, Hibernate ORM 6.2.4, Hibernate Reactive 2.0, Hibernate Search 6.2.Beta1, Camel Quarkus 3.0-M2, Camel 3.14.8, Tomcat Native 2.0.4 and 1.2.37, Ktor 2.3.1, Multik 0.2.2, JobRunr 6.2.1, JDKMon 17.0.63 and Gradle 8.2-RC1.

OpenJDK

JEP 452, Key Encapsulation Mechanism API, has been promoted from Proposed to Target to Targeted for JDK 21. This feature JEP type proposes to: satisfy implementations of standard Key Encapsulation Mechanism (KEM) algorithms; satisfy use cases of KEM by higher level security protocols; and allow service providers to plug-in Java or native implementations of KEM algorithms. This JEP was recently updated to include a major change that eliminates the DerivedKeyParameterSpec class in favor of placing fields in the argument list of the encapsulate(int from, int to, String algorithm) method. InfoQ will follow up with a more detailed news story.

JEP 451, Prepare to Disallow the Dynamic Loading of Agents, has been promoted from Proposed to Target to Targeted for JDK 21. Originally known as Disallow the Dynamic Loading of Agents by Default, and following the approach of JEP Draft 8305968, Integrity and Strong Encapsulation, this JEP has evolved from its original intent to disallow the dynamic loading of agents into a running JVM by default to issue warnings when agents are dynamically loaded into a running JVM. Goals of this JEP include: reassess the balance between serviceability and integrity; and ensure that a majority of tools, which do not need to dynamically load agents, are unaffected.

JEP 453, Structured Concurrency (Preview), has been promoted from Candidate to Proposed to Target for JDK 21. Formerly a incubating API, this initial preview incorporates enhancements in response to feedback from the previous two rounds of incubation: JEP 428, Structured Concurrency (Incubator), delivered in JDK 19; and JEP 437, Structured Concurrency (Second Incubator), delivered in JDK 20. The only significant change features the fork() method, defined in the StructuredTaskScope class, returns an instance of TaskHandle rather than a Future since the get() method in the TaskHandle interface was restructured to behave the same as the resultNow() method in the Future interface. The review is expected to conclude on June 6, 2023.

JEP 446, Scoped Values (Preview), has been promoted from Candidate to Proposed to Target for JDK 21. Formerly known as Extent-Local Variables (Incubator), this JEP is now a preview feature following JEP 429, Scoped Values (Incubator), delivered in JDK 20. This JEP proposes to enable sharing of immutable data within and across threads. This is preferred to thread-local variables, especially when using large numbers of virtual threads. The review is expected to conclude on June 6, 2023.

JDK 21

Build 25 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 24 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 21, developers are encouraged to report bugs via the Java Bug Database.

Eclipse GlassFish

GlassFish 7.0.5, the fifth maintenance release, delivers a new feature that asynchronously updates the instance status in the Admin Console. Notable bug fixes include: deployment-time recursive bytecode preprocessing in the WebappClassLoader class; the JMX server accepting an arbitrary object as credentials; and a validation error upon deploying an application to a cluster. More details on this release may be found in the release notes.

Payara Platform

Payara has been authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA). Payara is now allowed to publish authoritative cybersecurity vulnerability information about its products via the CVE Program.

Discussing how Payara can better support their customers, Fabio Turizo, service manager and senior engineer at Payara, stated:

Becoming a CVE Numbering Authority creates an extra level of dependability for those using our products and continues our commitment in adhering to and maintaining the best possible security standards. A key benefit is peace of mind when developing your mission critical Jakarta EE applications. As a CVE Numbering Authority, we ensure that when problems do occur, they can be quickly identified and a solution found, with ease of communication and total transparency.

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. Payara joins organizations such as The Apache Software Foundation, VMware, Oracle and IBM as defined in the CNA list of partners.

Open Liberty

IBM has released Open Liberty 23.0.0.5 featuring updates to 44 of the Open Liberty Guides that now support MicroProfile 6 and Jakarta EE 10. These include: Consuming a RESTful Web Service; Accessing and Persisting Data in Microservices using Java Persistence API (JPA); and Deploying a Microservice to Kubernetes using Open Liberty Operator. There were also notable bug fixes such as: a memory Leak found in the SchemaRegistry class within the MicroProfile Open API specification; and an EntryNotFoundException when defining a non-identifier type property for the input/output mapping of federated registries.

IBM has also released versions 19.0.2, 17.0.7, 11.0.19 and 8.0.372 of their Semeru Runtime, Open Edition, as part of their quarterly update. Further details on this release may be found in the release notes.

Micronaut

On the road to version 4.0, the Micronaut Foundation has provided the sixth milestone release of Micronaut 4.0.0 that delivers bug fixes, dependencies upgrades and new features and improvements such as: new interfaces, PropagatedContext and MutablePropagationContext, for HTTP filters; improved selection in the MessageBodyHandler interface; and the ability to make the NettyClientSslBuilder class pluggable. More details on this release may be found in the release notes.

Quarkus

The release of Quarkus 3.1.0.Final provides changes: a new API to programmatically create Reactive REST Clients as an alternative to using a properties file; the ability to customize RESTEasy Reactive response headers and status code for more flexibility in streaming responses; a reactive variant of the Security Jakarta Persistence extension, quarkus-security-jpa-reactive, based on Hibernate Reactive; and the OIDC ID token audience is now verified by default. There were also dependency upgrades to Kotlin 1.8.21 and Oracle JDBC driver 23.2.0.0. Further details on this release may be found in the release notes.

Hibernate

The Hibernate team has provided GA, point and beta releases of Hibernate Reactive, Hibernate ORM and Hibernate Search, respectively.

The release of Hibernate Reactive 2.0.0.Final delivers dependency upgrades and bug fixes such as: the ClassCastException when more than one field is lazy and bytecode enhancement is enabled; pagination not working for some queries with Microsoft SQL Server; and lambda expressions causing a NoSuchMethodError exception on application startup. This new version is compatible with Hibernate ORM 6.2.4.Final and Vert.x SQL client 4.4. More details on this release may be found in the list of issues.

The release of Hibernate ORM 6.2.4.Final ships with bug fixes and notable changes: resolutions to the JDK type pollution issue (JDK-8180450); and remove support for JPA static metamodel generation in the Hibernate Gradle plugin.

The first beta release of Hibernate Search 6.2.0 includes: many bug fixes and improvements; dependency upgrades; compatibility with Elasticsearch 8.8 and OpenSearch 2.7; an upgrade of the -orm6 artifacts to Hibernate ORM 6.2.4.Final; and a new feature, Highlighting in the Search API, a projection that returns fragments from full-text fields of matched documents that caused a query match. The specific terms that caused the match are highlighted with a pair of opening and closing tags such that developers can quickly identify search information on a results page.

Apache Software Foundation

The Apache Software Foundation has provided point and milestone releases of Apache Camel, Apache Camel Quarkus and Apache Tomcat Native Library, an optional component for use with Apache Tomcat that allows Tomcat to use OpenSSL as a replacement for Java Secure Socket Extension (JSSE) to support TLS connections.

The release of Apache Camel 3.14.8 features dependency upgrades and notable bug fixes such as: suppressed exceptions in the RedeliveryErrorHandler class cause a memory leak and logging issue; an application does not recover due to waiting threads when the thread pool from the NettyProducer class is exhausted; and the onFailure() callback method defined in the OnCompletionProcessor class is executed more than once. Further details on this release may be found in the release notes.

Apache Tomcat Native 2.0.4 has been released with dependency upgrades to Apache Portable Runtime (APR) 1.7.4 and OpenSSL 3.0.9. More details on this release may be found in the changelog.

Similarly, Apache Tomcat Native 1.2.37 has also been released with dependency upgrades to APR 1.7.4 and OpenSSL 1.1.1u. Further details on this release may be found in the changelog.

The second milestone release of Camel Quarkus 3.0.0 features numerous resolved issues such as: intermittent failures in JDBC native tests and the MyBatisConsumerTest class; a JDBC resource leak from the CamelJdbcTest class; and support for Groovy causes a failure with continuous integration. This version aligns with Quarkus 3.1.0.Final and Camel 4.0.0-M3. More details on this release may be found in the release notes.

JetBrains

JetBrains has provided point releases for Ktor, an asynchronous framework for creating microservices and web applications, and Multik, a multidimensional array library for Kotlin.

The release of Ktor 2.3.1 delivers notable bug fixes such as: Ktor Client under Javascript unable to stream responses from a server; requests to a non-existing route causing the server to lock up after responding with HTTP 404 (a potential DoS); and YAML configuration unable to read variables from itself. Further details on this release may be found in the release notes.

The release of Multik 0.2.2 provides new features that include: extended support for all JVM platforms in the multik-default module; functionality to create an array from lists of different sizes; a stub for singular value decomposition; and support for the npy and npz formats for JVM in the multik-core module. There were also dependency upgrades to Kotlin 1.8.21 and OpenBLAS 0.3.23.

JobRunr

JobRunr 6.2.1 has been released with bug fixes to resolve compatibility issues with: Quarkus 3.0 when using JSONB; and Java Records not working with the JacksonJsonMapper class.

JDKMon

Version 17.0.63 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, this new version provides an enhancement related to loading common vulnerabilities and exposures.

Gradle

The first release candidate of Gradle 8.2 features improvements such as: new reference documentation for the Kotlin DSL; clean and actionable error reporting for the console output; and dependency verification that mitigates security risks with compromised dependencies. More details on this release may be found in the release notes.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for May 22nd, 2023 features news from OpenJDK, JDK 21, Spring Cloud 2022.0.3, Spring Shell 3.1.0, 3.0.4 and 2.1.10, Spring Security Kerberos 2.0-RC2, Payara Platform, Quarkus 3.0.4 and 2.13.8, WildFly 28.0.1, Micronaut 4.0-M5, Helidon 2.6.1, MicroStream 8.1.0, Apache Camel 3.20.5, JDKMon 17.0.61, JHipster Lite 0.33.0, Java’s 28th Birthday and Azul State of Java survey.

OpenJDK

JEP 451, Prepare to Disallow the Dynamic Loading of Agents, has been promoted from Candidate to Proposed to Target for JDK 21. Originally known as Disallow the Dynamic Loading of Agents by Default, and following the approach of JEP Draft 8305968, Integrity and Strong Encapsulation, this JEP has evolved from its original intent to disallow the dynamic loading of agents into a running JVM by default to issue warnings when agents are dynamically loaded into a running JVM. Goals of this JEP include: reassess the balance between serviceability and integrity; and ensure that a majority of tools, which do not need to dynamically load agents, are unaffected. The review is expected to conclude on May 31, 2023. InfoQ will follow up with a more detailed news story.

In response to numerous questions about the design philosophy of the exhaustiveness checking in pattern switch, Brian Goetz, Java language architect at Oracle, and Gavin Bierman, consulting member of technical staff at Oracle, have published a document detailing the connection between the properties of unconditionality, exhaustiveness and remainder.

JDK 21

Build 24 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 23 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 21, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The release of Spring Cloud 2022.0.3, codenamed Kilburn, delivers compatibility with Spring Boot 3.1 and updates to Spring Cloud sub-projects such as: Spring Cloud OpenFeign 4.0.3, Spring Cloud Commons 4.0.3, Spring Cloud Kubernetes 3.0.3 and Spring Cloud Starter Build 2022.0.3. There are, however, breaking changes with the removal of sub-projects: Spring Cloud CLI, Spring Cloud for Cloud Foundry and Spring Cloud Sleuth. More details on this release may be found in the release notes.

Versions 3.1.0, 3.0.4 and 2.1.10 of Spring Shell have been released featuring notable fixes such as: an instance of the ConfirmationInput class does not show the option selected when typing; and having target method argument as a boolean argument fails if the @Option or @ShellOption annotations are not used. These versions build upon Spring Boot versions 3.1.0, 3.0.7 and 2.7.12, respectively. Further details on these releases may be found in the release notes for version 3.1.0, version 3.0.4 and version 2.1.10.

The second release candidate of Spring Security Kerberos 2.0.0 features a dependency upgrade to Spring Security 6.1.0. More details on this release may be found in the release notes.

Payara

Payara has released their May 2023 edition of the Payara Platform that includes Community Edition 6.2023.5, Enterprise Edition 6.2.0 and Enterprise Edition 5.51.0. All three versions feature resolutions to: address CVE-2023-1370, a vulnerability in which the unregulated recursive parsing of JSON nested arrays and objects in Json-smart, a JSON processor library, may lead to a stack overflow and crash the software; and the exception “JVM option${ } already exists in the configuration” upon creating JVM option using Web UI. There were also dependency upgrades to: Jackson 2.15.0, SnakeYAML 2.0, JSON Smart 2.4.10 and Docker Image for JDKs 8u372, 11.0.19, and 17.0.7. Further details on these versions may be found in the release notes for Community Edition 6.2023.5, Enterprise Edition 6.2.0 and Enterprise Edition 5.51.0.

Quarkus

Quarkus 3.0.4.Final, the third maintenance release (version 3.0.1 was the initial release), provides improvements in documentation and notable bug fixes such as: failed native image builds when the quarkus.package.output-directory property is set; a “No current injection point found” error when using a @ConfigMapping in conjunction with an onStartup() method; and fix location and content location headers in RestEasy Reactive. More details on this release may be found in the changelog.

Similarly, Quarkus 2.13.8 was also released with notable bug fixes, many of them backports, such as: a fix for the warning message quarkus.oidc.application-type=service; encrypt the OIDC session cookie value by default; filter out RESTEasy-related warning related to an Apache HTTP Client not being closed in the ProviderConfigInjectionWarningsTest class; and a recent Netty version update that introduced warnings while building a native image of MongoDB Client. Further details on this release may be found in the release notes.

WildFly

WildFly 28.0.1 has been released featuring dependency upgrades and notable bug fixes such as: the testContextPropagation() test defined in the ContextPropagationTestCase class will occasionally fail when using Long Running Actions; a deployable, yet non-functional QS app on OpenShift resulting from an update to Helm Charts in todo-backend, a quickstart for backend deployment on OpenShift; and the isExpired() method defined in the ExpirationMetaData interface does not conform to the logic in the LocalScheduler class.

Micronaut

On the road to version 4.0, the Micronaut Foundation has released Micronaut 4.0.0-M5 featuring numerous dependency upgrades and improvements such as: add @BootstrapContextCompatible, an annotation indicating that a bean can be loaded into the Bootstrap Context, to JSON message readers; the ability to disable SLF4J initialization when Micronaut environments are used in Micronaut OpenAPI; and use the bean definition type for unexpected duplicate beans in custom singleton-like scope based on the AbstractConcurrentCustomScope class. More details on this release may be found in the release notes.

Helidon

Oracle has released Helidon 2.6.1 with dependency upgrades and notable changes such as: update the isReleased() method defined in the ByteBufDataChunk class to use an instance of the AtomicBoolean class to prevent race conditions that may call the release callback more than once; add the @Target(ElementType.METHOD) annotation for the @MPTest annotation to specify a specific target; and fixes for the overloaded create() methods defined in the WritableMultiPart class. Further details on this release may be found in the release notes.

MicroStream

The release of MicroStream 8.1.0 delivers integration with Quarkus 3 and a fix for which the Stream API doesn’t unload as expected when using the Lazy Collections API.

The Micronaut team has also introduced the Quarkus Extension for MicroStream that allows accessing the functionality of MicroStream in Quarkus applications through the use of annotations.

Apache Camel

Apache Camel 3.20.5 has been released featuring bug fixes, dependency upgrades and improvements, primarily in the camel-jbang module, such as the ability to: load YAML files that only define Java beans; use a filename to generate the ID of a route when creating a Camel file in the XML DSL with camel-jbang; and run camel-jbang from an empty folder and then reload when new files are added. More details on this release may be found in the release notes.

JDKMon

Version 17.0.61 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, this new version: adds a property to the jdkmon.properties file to disable notifications; and provides fixes to issues related to detected CPU architectures and multiple builds of the same JDK version.

JHipster

The JHipster team has released version 0.33.0 of JHipster Lite with many dependency upgrades and notable changes such as: sharing module properties between landscape and patch screens; a fix on native hints for the integration of JGit; and the addition of the DestroyRef provider. Further details on this release may be found in the release notes.

Happy 28th Birthday, Java!

Java turned 28 years old this past week as the language was introduced at the SunWorld 1995 conference on May 23, 1995. The Java developer relations team at Oracle celebrated with a 28 Hours of Java event hosted by Ana Maria Mihalceanu, Nicolai Parlog and Sharat Chander. Topics included: live coding and exploration, presentations, conversations with Java luminaries, and fun games. This was the agenda:

• An exploration on JUnit Pioneer with Nicolai.
• Data-Oriented Programming in Java (21) presented by Nicolai.
• A conversation with Gavin Bierman on pattern matching facilitated by Nicolai.
• Exploring JEP 451, Prepare to Disallow the Dynamic Loading of Agents, and JEP Draft 8305968, Integrity and Strong Encapsulation, with Nicolai.
• A conversation with Ron Pressler discussing platform integrity (JEP Draft 8305968), JEP 445, Unnamed Classes and Instance Main Methods (Preview), and JEP 453, Structured Concurrency (Preview), facilitated by Nicolai.
• Growing Up with Java presented by Ana.
• Playing Byte Legend with Ana.
• Java State of the Union and Why Community Matters presented by Sharat.
• A roundtable discussion with Pratik Patel, Mohammed Aboullaite, Venkat Subramaniam, Andres Almiray, Ixchel Ruiz and Vincent Mayers facilitated by Sharat.
• A conversation with Brian Goetz, facilitated by Nicolai, discussing Project Valhalla with a focus on how to surface value and primitive types and nullability in the language.
• A conversation with Gunnar Morling facilitated by Nicolai.
• Java Next presented by Nicolai.
• Playing Slay the Spire (written in Java) and exploring modding with Nicolai.
• Project Amber: The SolutionFactory To Java’s Problems presented by Nicolai.
• From Idea to IDE presented by Nicolai.
• Ask Me Anything session with Nicolai.
• Closing remarks by Nicolai.

This special event was live-streamed on the Java YouTube channel.

Developer Surveys

Azul has launched their State of Java survey in which the areas of study include: OpenJDK distributions and Java versions developers are using; Java-based infrastructures and languages; and Java applications running in public clouds. The survey closes on June 15, 2023.

Article originally posted on InfoQ. Visit InfoQ

This week’s Java roundup for May 15th, 2023 features news from OpenJDK, JDK 21, Azul Zulu, point releases of Spring Boot, Spring Security, Spring Security Kerberos, Spring Integration, Spring Batch, Spring for GraphQL, Spring Authorization Server, Spring LDAP, Micronaut, Open Liberty, TornadoVM, Hibernate ORM, Apache TomEE, Apache Tika, OpenXava, JBang, JDKMon and Spring I/O conference.

OpenJDK

JEP 449, Deprecate the Windows 32-bit x86 Port for Removal, has been promoted from Proposed to Target to Targeted for JDK 21. This feature JEP, introduced by George Adams, senior program manager at Microsoft, proposes to deprecate the Windows x86-32 port with the intent to remove it in a future release. With no intent to implement JEP 436, Virtual Threads (Second Preview), in 32-bit platforms, removing support for this port will enable OpenJDK developers to accelerate development of new features.

JEP 445, Unnamed Classes and Instance Main Methods (Preview), has been promoted from Proposed to Target to Targeted for JDK 21. This feature JEP, formerly known as Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), proposes to “evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs.” This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. InfoQ will follow up with a more detailed news story.

JEP 443, Unnamed Patterns and Variables (Preview), has been promoted from Proposed to Target to Targeted for JDK 21. This preview JEP proposes to “enhance the language with unnamed patterns, which match a record component without stating the component’s name or type, and unnamed variables, which can be initialized but not used.” Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _.

JEP 404, Generational Shenandoah (Experimental), has been promoted from Proposed to Target to Targeted for JDK 21. This JEP proposes to “enhance the Shenandoah garbage collector with generational collection capabilities to improve sustainable throughput, load-spike resilience, and memory utilization.” Compared to other garbage collectors, such as G1, CMS and Parallel, Shenandoah currently requires additional heap headroom and has a more difficult time recovering space occupied by unreachable objects. InfoQ will follow up with a more detailed news story.

JEP 452, Key Encapsulation Mechanism API, has been promoted from Candidate to Proposed to Target for JDK 21. This feature JEP type proposes to: satisfy implementations of standard Key Encapsulation Mechanism (KEM) algorithms; satisfy use cases of KEM by higher level security protocols; and allow service providers to plug-in Java or native implementations of KEM algorithms. This draft was recently updated to include a major change that eliminates the DerivedKeyParameterSpec class in favor of placing fields in the argument list of the encapsulate(int from, int to, String algorithm) method. The review is expected to conclude on May 26, 2023. InfoQ will follow up with a more detailed news story.

Ron Pressler, architect and technical lead for Project Loom at Oracle, has announced several changes to JEP 453, Structured Concurrency (Preview). Still in Candidate status, changes in this feature include: the TaskHandle interface has been renamed to Subtask; a fix to correct the generic signature of the handleComplete() method; a change to the states and behavior of subtasks on cancellation; and a new currentThreadEnclosingScopes() method defined in the Threads class that returns a string with the description of the current structured context.

JDK 21

Build 23 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 22 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 21, developers are encouraged to report bugs via the Java Bug Database.

Azul

Azul has announced that Zulu, their downstream distribution of OpenJDK, now supports Coordinated Restore at Checkpoint (CRaC) to reduce Java application startup and warm up times. InfoQ will follow up with a more detailed news story.

Spring Framework

The release of Spring Boot 3.1.0 delivers notable new features such as: support for managing external services at development time using Testcontainers and Docker Compose; simplified configuration of Testcontainers in integration tests; centralized and expanded configuration of SSL trust material for connections; and auto-configuration for Spring Authorization Server. There were also dependency upgrades to Spring Data 2023.0, Spring GraphQL 1.2, Spring Integration 6.1, Spring Security 6.1 and Spring Session 3.1. More details on this release may be found in the release notes.

Versions 3.0.7, 2.7.12, 2.6.15 and 2.5.15 of Spring Boot have been released featuring bug fixes, improvements in documentation and dependency upgrades and resolutions to mitigate: CVE-2023-20883, Spring Boot Welcome Page DoS Vulnerability, a vulnerability in which there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache; and CVE-2023-20873, Security Bypass With Wildcard Pattern Matching on Cloud Foundry, a vulnerability in which an application deployed to Cloud Foundry could be susceptible to a security bypass with requests that match the /cloudfoundryapplication/** endpoint. Further details on these releases may be found in the release notes for version 3.0.7, version 2.7.12, version 2.6.15 and version 2.5.15.

The release of Spring Security 6.1.0 delivers new features: a more comprehensive explanation for deprecating the and() method in favor of lambda DSLs for configuring Spring Security; and improved documentation for Cross-Site Request Forgery (CSRF). More details on this release may be found in the release notes.

The first release candidate of Spring Security Kerberos 2.0.0 features improvements in documentation and a re-implementation/migration of the utilities in spring-security-kerberos-test as the Apache directory server libraries have undergone many refactorings. Further details on this release may be found in the release notes.

The release of Spring Integration 6.1 delivers notable changes such as: additional diagnostics for testing the SftpRemoteFileTemplateTests class; fix memory leak in the FluxMessageChannel class; improvements and cleanup of the ImapMailReceiverTests class; and a new PartitionedChannel class for partitioned message dispatching. More details on this release may be found in the release notes.

Spring Batch 5.0.2 has been released featuring bug fixes, improvements in documentation and new features such as: allow the StaxEventItemReader class to auto-detect the input file encoding; a change in which the JobParameters class now uses an instance of LinkedHashMap instead of HashMap in the constructor and the getParameters() method to guarantee input order; and a reduction in the use of deprecated APIs. Further details on this release may be found in the release notes.

Spring for GraphQL 1.2.0 has been released with new features such as support for: the @GraphQlExceptionHandler annotation methods in the AOT processor; nested paths in GraphQlTester interface; schema mapping inspection for the @BatchMapping annotation methods. More details on this release may be found in the release notes.

Similarly, Spring for GraphQL 1.1.4 has also been released to provide bug fixes, dependency upgrades, improvements in documentation and a new feature in which the ClientGraphQlRequest interface passes attributes to a request from the WebClient interface. Further details on this release may be found in the release notes.

The release of Spring Authorization Server 1.1.0 ships with dependency upgrades and new features such as: a simplified federated login and updated UI design in the demo sample; the addition of a logout success page to default client sample; and a revocation of tokens if authorization code is used more than once. More details on this release may be found in the release notes.

Versions 3.1.0 and 3.0.3 of Spring LDAP 3.1.0 have been released featuring: dependency upgrades such as Spring Security 5.8.3 and 5.7.8 and Jackson 2.15.0 and 2.14.3, respectively; and a new feature in version 3.0.3 in which there was calcification on the use of attribute mapping with the @DnAttribute annotation. Further details on these releases may be found in the release notes for version 3.1.0 and version 3.0.3.

Micronaut

The Micronaut Foundation has released Micronaut Framework 3.9.2 featuring bug fixes and updates to modules: Micronaut Azure, Micronaut AWS, Micronaut GCP, Micronaut OpenAPI, Micronaut SQL and Micronaut Kubernetes. More details on this release may be found in the release notes.

Open Liberty

IBM has released Open Liberty 23.0.0.5-beta featuring: continued enhancements to InstantOn, their new feature that provides faster startup times for MicroProfile and Jakarta EE applications; and the latest updates to the preview for the Jakarta Data specification.

TornadoVM

TornadoVM, an open-source software technology company, has released TornadoVM version 0.15.1 that ships with delivers bug fixes and notable improvements such as: improved compatibility with Apple M1/M2 through the OpenCL Backend; introduction of a device selection heuristic based on the computing capabilities of devices; integration and compatibility with the Graal 22.3.2 JIT compiler; optimisation of removing redundant data copies for read-only and write-only buffers from between the host (CPU) and the device (GPU) based on the Tornado Data Flow Graph; improved integration of GraalVM/Truffle programs; and the option to dump the TornadoVM bytecodes for unit tests. Further details on this release may be found in the release notes.

Juan Fumero, research associate, Advanced Processor Technologies Research Group at The University of Manchester, introduced TornadoVM at QCon London in March 2020 and has since contributed this more recent InfoQ technical article.

Hibernate

Hibernate ORM 6.2.3.Final has been released featuring bug fixes, performance improvements and HQL support for the native PostGIS distance operators. More details on this release may be found in the list of changes.

Apache Software Foundation

The release of Apache TomEE 8.0.15 features bug fixes, dependency upgrades and resolutions to mitigate: CVE-2022-1471, a vulnerability in which the deserialization of types using the SnakeYAML Constructor() class will allow an attacker to initiate a malicious remote code execution; CVE-2023-28708, a vulnerability in which using the RemoteIpFilter class, with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to HTTPS, session cookies created by Tomcat did not include the secure attribute. This vulnerability could result in an attacker transmitting a session cookie over an insecure channel; and CVE-2023-24998, a vulnerability in Apache Commons FileUpload such that an attacker can trigger a denial-of-service with malicious uploads due to the number of processed request parts is not limited. Further details on this release may be found in the release notes.

Apache Tika 2.8.0 has been released delivering new features such as: enable counting and/or parsing of incremental updates in PDFs; enable optional extraction of file system metadata in the FileSystemFetcher class; allow pretty printing from the FileSystemEmitter class; and improve embedded file extraction from PDFs. More details on this release may be found in the release notes.

OpenXava

OpenXava 7.1 has been released that ships with bug fixes, dependency upgrades and new features such as: the calendar in list mode; enhancements to web security that include mitigating CVEs; the ability to annotate properties to indicate a data input mask with the new @Mask annotation; and a rich new text editor. Further details on this release may be found in the release notes.

JBang

The release of JBang 0.107.0 provides support for JDK 21 with a new --enable-preview flag and notable fixes such as: export will now create the missing output folders; PicoCLI no longer throws exceptions for certain configuration values; and a resolution to unnecessary lookups in the JBang alias list.

JDKMon

Version 17.0.59 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, this new version provides changes such as: improved support on Linux; and fixes related to CVE detection.

Spring I/O Conference

The 10th annual Spring I/O conference was held at the Fira de Barcelona at Montjuïc in Barcelona, Spain this past week. Celebrating their 10th anniversary, speakers from the Java community presented sessions and workshops on Spring projects, GraalVM, native Java, enterprise security, domain-driven design and cloud computing.