Java News Roundup: New OpenJDK JEPs, Payara Platform, Spring and Tomcat Updates, WildFly 28
MMS • Michael Redlich
Article originally posted on InfoQ. Visit InfoQ
This week’s Java roundup for April 17th, 2023 features news from OpenJDK, JDK 21, JMC 8.3.1, BellSoft, Spring Boot, Spring Security, Spring Session, Spring Authorization Server, Spring Integration, Spring for GraphQL and Spring Shell, WildFly 28, Payara Platform, Open Liberty 23.0.0.4-beta, Micronaut 3.9, Apache Tomcat updates, Ktor 2.3, JHipster Lite 0.32, JBang 0.106.3 and Gradle 8.1.1.
OpenJDK
JEP 446, Scoped Values (Preview), has been promoted from its JEP Draft 8304357 to Candidate status. Formerly known as Extent-Local Variables (Incubator), this JEP is now a preview feature following JEP 429, Scoped Values (Incubator), delivered in JDK 20. This JEP proposes to enable sharing of immutable data within and across threads. This is preferred to thread-local variables, especially when using large numbers of virtual threads.
JEP 447, Statements before super(), has been promoted from its JEP Draft 8300786 to Candidate status. This JEP, under the auspices of Project Amber, proposes to: allow statements that do not reference an instance being created to appear before the this() or super() calls in a constructor; and preserve existing safety and initialization guarantees for constructors. Gavin Bierman, consulting member of technical staff at Oracle, has provided an initial specification of this JEP for the Java community to review and provide feedback.
JEP 448, Vector API (Sixth Incubator), has been promoted from its JEP Draft 8305868 to Candidate status. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous five rounds of incubation: JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. This feature proposes to enhance the Vector API to load and store vectors to and from a MemorySegment as defined by JEP 424, Foreign Function & Memory API (Preview).
JEP 449, Deprecate the Windows 32-bit x86 Port for Removal, has been promoted from its JEP Draft 8303167 to Candidate status. This feature JEP, introduced by George Adams, Senior Program Manager at Microsoft, proposes to deprecate the Windows x86-32 port with the intent to remove it in a future release. With no intent to implement JEP 436, Virtual Threads (Second Preview), in 32-bit platforms, removing support for this port will enable OpenJDK developers to accelerate development of new features.
JEP Draft 8305968, Integrity and Strong Encapsulation, and JEP Draft 8306275, Disallow the Dynamic Loading of Agents by Default, have been submitted by Ron Pressler, architect and technical lead for Project Loom at Oracle.
Integrity and Strong Encapsulation proposes to assure the integrity of code and data with a variety of features, such as strong encapsulation, that are enabled by default. Goals of this draft include: allow the Java platform to robustly maintain invariants required for maintainability, security and performance; and differentiate use cases where breaking encapsulation is convenient from use cases where disabling encapsulation is essential.
Disallow the Dynamic Loading of Agents by Default, following the approach of Integrity and Strong Encapsulation, proposes to disallow the dynamic loading of agents into a running JVM by default. Goals of this draft include: reassess the balance between serviceability and integrity; and ensure that a majority of tools, which do not need to dynamically load agents, are unaffected.
JDK Mission Control (JMC) 8.3.1 has been released with notable fixes for issues such as: unable to open JMX Console after installing plugins in macOS and Linux; unable to edit Eclipse project run configurations after installing JMC plugins on Linux; and unable to perform flight recording on jLinked applications. More details on this release may be found in the release notes.
JDK 21
Build 19 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 18 that include fixes to various issues. Further details on this build may be found in the release notes.
For JDK 21, developers are encouraged to report bugs via the Java Bug Database.
JDK 20
JDK 20.0.1, the first maintenance release of JDK 20, along with security updates for JDK 17.0.7, JDK 11.0.19 and JDK 8u371, were made available as part of Oracle’s Critical Patch Update for April 2023.
BellSoft
Also concurrent with Oracle’s Critical Patch Update (CPU) for April 2023, BellSoft has released CPU patches for versions 17.0.6.0.1, 11.0.18.0.1 and 8u371 of Liberica JDK, their downstream distribution of OpenJDK. In addition, Patch Set Update (PSU) versions 20.0.1, 17.0.7, 11.0.19 and 8u372, containing CPU and non-critical fixes, have also been released.
Spring Framework
The first release candidate of Spring Boot 3.1.0 delivers notable new features: improved Testcontainers support including support at development time; support for Docker Compose; enhancements to SSL configuration; and improvements for building Docker images. More details on this release may be found in the release notes.
The release of Spring Boot 3.0.6 primarily addresses CVE-2023-20873, Security Bypass With Wildcard Pattern Matching on Cloud Foundry, a vulnerability in which an application that is deployed to Spring Cloud for Cloud Foundry could be susceptible to a security bypass. Along with improvements in documentation and dependency upgrades, this release also provides notable bug fixes such as: integration of Spring Cloud for Cloud Foundry does not use endpoint path mappings; the ApplicationAvailability bean is auto-configured even if a custom one already exists; and default configuration substitutions in Apache Cassandra don’t resolve against configuration derived from the spring.data.cassandra properties file. More details on this release may be found in the release notes.
Similarly, the release of Spring Boot 2.7.11 also addresses the aforementioned CVE-2023-20873 and provides improvements in documentation, dependency upgrades and the same bug fixes as Spring Boot 3.0.6. More details on this release may be found in the release notes.
Versions 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 of Spring Security have been released to primarily address CVE-2023-20862, Empty SecurityContext Is Not Properly Saved Upon Logout, a vulnerability in which serialized versions of logout do not properly clean the security context and are unable to explicitly save an empty security context to the HttpSessionSecurityContextRepository class. This results in users still being authenticated even after logout. More details on these releases may be found in the release notes for version 6.1.0-RC1, version 6.0.3, version 5.8.3 and version 5.7.8.
The first release candidate of Spring Session 3.1.0 delivers dependency upgrades and a new feature in which an instance of the StringRedisSerializer class is reused to eliminate the need to instantiate additional serializer instances. More details on this release may be found in the release notes.
The first release candidate of Spring Authorization Server 1.1.0 provides dependency upgrades and new features such as: support for device code and user code in the JdbcOAuth2AuthorizationService class; improvements in the OAuth 2.0 Device Authorization Grant that include adding tests and reference documentation; and improvements in the OpenID Connect 1.0 logout endpoint. More details on this release may be found in the release notes.
Similarly, versions 1.0.2 and 0.4.2 of Spring Authorization Server have also been released featuring dependency upgrades and notable bug fixes: changing the returned token error code from the incorrect INVALID_CLIENT to the correct INVALID_GRANT; a broken support link; the authentication secret should be saved after encoding upon registration of the client; and a consideration that would allow the use of localhost in redirect URIs. More details on these releases may be found in the release notes for version 1.0.2 and version 0.4.2.
Versions 6.1.0-RC1 and 6.0.5 of Spring Integration have been released that share notable changes such as: remove a trailing space in the IntegrationWebSocketContainer class; and improvements to the BaseWsInboundGatewaySpec and TailAdapterSpec classes that didn’t override super methods and threw instances of NullPointerException because the target field was not populated. More details on these releases may be found in the release notes for version 6.1.0-RC1 and version 6.0.5.
The first release candidate of Spring for GraphQL 1.2.0 delivers new features such as: update the SchemaMappingInspector class to support Connection types; support for pagination with Querydsl and Query By Example; and overall support for pagination and sorting. More details on this release may be found in the release notes.
Versions 3.1.0-M2, 3.0.2 and 2.1.8 of Spring Shell have been released featuring shared notable changes such as: builds upon Spring Boot 3.1.0-M2, 3.0.5 and 2.7.10, respectively; a backport of bug fixes; and a significant fix for custom type handling with positional arguments. More details on these releases may be found in the release notes for version 3.1.0-M2, version 3.0.2 and version 2.1.8.
WildFly
Red Hat has released WildFly 28 that ships with improved support for observability and full support for Jakarta EE 10. WildFly has added support for Micrometer and the MicroProfile Telemetry specification, but has removed support for MicroProfile Metrics. JDK 17 is recommended for production applications, but Red Hat has seen good results on JDK 20. More details on this release may be found in the release notes and InfoQ will follow up with a more detailed news story.
Payara
Payara has released their April 2023 edition of the Payara Platform that includes Community Edition 6.2023.4, Enterprise Edition 6.1.0 and Enterprise Edition 5.50.0.
Community Edition 6.2023.4 delivers: a fix for a Payara 6 deployment error with JDK17 and Records; improvements in the SameSite cookie attributes in the Application Deployment Descriptor and a global HTTP network listener; and dependency upgrades to EclipseLink 4.0.1, EclipseLink ASM 9.4.0, Hazelcast 5.2.2 and ASM 9.4. More details on this release may be found in the release notes.
Similarly, Enterprise Edition 6.1.0 features: a fix for a Payara 6 deployment error with JDK17 and Records; improvements in the SameSite cookie attributes in the Application Deployment Descriptor; and dependency upgrades to EclipseLink 4.0.1, EclipseLink ASM 9.4.0, Hazelcast 5.2.2 and ASM 9.4. More details on this release may be found in the release notes.
Enterprise Edition 5.50.0 ships with: a resolution for CVE-2023-24998, a vulnerability in Apache Commons FileUpload in which an attacker can trigger a denial-of-service with malicious uploads because the number of processed request parts is not limited; a fix for a Hazelcast NoDataMemberInClusterException; an improvement in the SameSite cookie attribute in the Application Deployment Descriptor; and a dependency upgrade to Hazelcast 5.2.2. More details on this release may be found in the release notes.
Open Liberty
IBM has released Open Liberty 23.0.0.4-beta featuring updated support for the Jakarta Data specification such that developers may now combine multiple ways of specifying ordering and sorting, defining a precedence. Sorting that is defined by the @OrderBy annotation or a query-by-method keyword is applied first, followed by the parameters from the Sort record on the method or the Pageable interface.
Micronaut
The Micronaut Foundation has released Micronaut Framework 3.9.0 that delivers new features such as: the ability to customize a package to write introspection with the targetPackage field of the @Introspected annotation; the ability to enable Cross Origin Resource Sharing (CORS) configuration via the @CrossOrigin annotation; a breaking change in which the configuration property, micronaut.server.cors.*.configurations.allowed-origins, does not support regular expressions to prevent an accidental exposure of a user’s API; and updates to modules such as: Micronaut Kubernetes, Micronaut Security, Micronaut CRaC, Micronaut Maven and Micronaut Launch. More details on this release may be found in the release notes.
Apache Software Foundation
The Apache Tomcat team has provided point releases for versions 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88. All four versions share notable changes such as: reduce the default value of maxParameterCount from 10000 to 1000; correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing, leading to an ERR_HTTP2_SERVER_REFUSED_STREAM for some connections; and implementation of RFC 9239, Updates to ECMAScript Media Types, in which the MIME type for JavaScript has changed to text/javascript. More details on these releases may be found in the release notes for version 11.0.0-M5, version 10.1.8, version 9.0.74 and version 8.5.88.
Ktor
JetBrains has released version 2.3.0 of Ktor, the asynchronous framework for creating microservices and web applications, that includes improvements and fixes such as: support for regular expressions when defining routes; drop support for the legacy JS compiler that will be removed in the upcoming release of Kotlin 1.9.0; support for Apache 5 and Jetty 11; and support for Structured Concurrency for Sockets. More details on this release may be found in the release notes.
JHipster
The JHipster team has released version 0.32.0 of JHipster Lite with many dependency upgrades and notable changes such as: support for Hibernate second-level cache by setting the spring.jpa.properties.hibernate.cache.use_second_level_cache property to true; remove an unnecessary warning upon executing the npm run lint command; and remove an unnecessary stack trace upon running the npm t command. More details on this release may be found in the release notes.
JBang
The release of JBang 0.106.3 fixes formatting for an issue where ChatGPT errors on bad keys or usage limits.
Gradle
Gradle 8.1.1 has been released that ships with fixes for the following bugs: a MethodTooLargeException when instrumenting a class with a significant number of lambdas for the configuration cache; the Kotlin DSL precompiled script plugins built with Gradle 8.1 cannot be used with other versions of Gradle; and Gradle 8.1 configuration of the freeCompilerArgs method for Kotlin in buildSrc breaks a build with errors that are not useful. More details on this release may be found in the release notes.