BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Java News Roundup: Azul Zulu Support for CRaC, Spring Boot Updates Mitigate CVEs, OpenJDK JEPs

Java News Roundup: Azul Zulu Support for CRaC, Spring Boot Updates Mitigate CVEs, OpenJDK JEPs

This item in japanese

Bookmarks

This week's Java roundup for May 15th, 2023 features news from OpenJDK, JDK 21, Azul Zulu, point releases of Spring Boot, Spring Security, Spring Security Kerberos, Spring Integration, Spring Batch, Spring for GraphQL, Spring Authorization Server, Spring LDAP, Micronaut, Open Liberty, TornadoVM, Hibernate ORM, Apache TomEE, Apache Tika, OpenXava, JBang, JDKMon and Spring I/O conference.

OpenJDK

JEP 449, Deprecate the Windows 32-bit x86 Port for Removal, has been promoted from Proposed to Target to Targeted for JDK 21. This feature JEP, introduced by George Adams, senior program manager at Microsoft, proposes to deprecate the Windows x86-32 port with the intent to remove it in a future release. With no intent to implement JEP 436, Virtual Threads (Second Preview), in 32-bit platforms, removing support for this port will enable OpenJDK developers to accelerate development of new features.

JEP 445, Unnamed Classes and Instance Main Methods (Preview), has been promoted from Proposed to Target to Targeted for JDK 21. This feature JEP, formerly known as Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), proposes to "evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs." This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. InfoQ will follow up with a more detailed news story.

JEP 443, Unnamed Patterns and Variables (Preview), has been promoted from Proposed to Target to Targeted for JDK 21. This preview JEP proposes to "enhance the language with unnamed patterns, which match a record component without stating the component's name or type, and unnamed variables, which can be initialized but not used." Both of these are denoted by the underscore character as in r instanceof _(int x, int y) and r instanceof _.

JEP 404, Generational Shenandoah (Experimental), has been promoted from Proposed to Target to Targeted for JDK 21. This JEP proposes to "enhance the Shenandoah garbage collector with generational collection capabilities to improve sustainable throughput, load-spike resilience, and memory utilization." Compared to other garbage collectors, such as G1, CMS and Parallel, Shenandoah currently requires additional heap headroom and has a more difficult time recovering space occupied by unreachable objects. InfoQ will follow up with a more detailed news story.

JEP 452, Key Encapsulation Mechanism API, has been promoted from Candidate to Proposed to Target for JDK 21. This feature JEP type proposes to: satisfy implementations of standard Key Encapsulation Mechanism (KEM) algorithms; satisfy use cases of KEM by higher level security protocols; and allow service providers to plug-in Java or native implementations of KEM algorithms. This draft was recently updated to include a major change that eliminates the DerivedKeyParameterSpec class in favor of placing fields in the argument list of the encapsulate(int from, int to, String algorithm) method. The review is expected to conclude on May 26, 2023. InfoQ will follow up with a more detailed news story.

Ron Pressler, architect and technical lead for Project Loom at Oracle, has announced several changes to JEP 453, Structured Concurrency (Preview). Still in Candidate status, changes in this feature include: the TaskHandle interface has been renamed to Subtask; a fix to correct the generic signature of the handleComplete() method; a change to the states and behavior of subtasks on cancellation; and a new currentThreadEnclosingScopes() method defined in the Threads class that returns a string with the description of the current structured context.

JDK 21

Build 23 of the JDK 21 early-access builds was also made available this past week featuring updates from Build 22 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 21, developers are encouraged to report bugs via the Java Bug Database.

Azul

Azul has announced that Zulu, their downstream distribution of OpenJDK, now supports Coordinated Restore at Checkpoint (CRaC) to reduce Java application startup and warm up times. InfoQ will follow up with a more detailed news story.

Spring Framework

The release of Spring Boot 3.1.0 delivers notable new features such as: support for managing external services at development time using Testcontainers and Docker Compose; simplified configuration of Testcontainers in integration tests; centralized and expanded configuration of SSL trust material for connections; and auto-configuration for Spring Authorization Server. There were also dependency upgrades to Spring Data 2023.0, Spring GraphQL 1.2, Spring Integration 6.1, Spring Security 6.1 and Spring Session 3.1. More details on this release may be found in the release notes.

Versions 3.0.7, 2.7.12, 2.6.15 and 2.5.15 of Spring Boot have been released featuring bug fixes, improvements in documentation and dependency upgrades and resolutions to mitigate: CVE-2023-20883, Spring Boot Welcome Page DoS Vulnerability, a vulnerability in which there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache; and CVE-2023-20873, Security Bypass With Wildcard Pattern Matching on Cloud Foundry, a vulnerability in which an application deployed to Cloud Foundry could be susceptible to a security bypass with requests that match the /cloudfoundryapplication/** endpoint. Further details on these releases may be found in the release notes for version 3.0.7, version 2.7.12, version 2.6.15 and version 2.5.15.

The release of Spring Security 6.1.0 delivers new features: a more comprehensive explanation for deprecating the and() method in favor of lambda DSLs for configuring Spring Security; and improved documentation for Cross-Site Request Forgery (CSRF). More details on this release may be found in the release notes.

The first release candidate of Spring Security Kerberos 2.0.0 features improvements in documentation and a re-implementation/migration of the utilities in spring-security-kerberos-test as the Apache directory server libraries have undergone many refactorings. Further details on this release may be found in the release notes.

The release of Spring Integration 6.1 delivers notable changes such as: additional diagnostics for testing the SftpRemoteFileTemplateTests class; fix memory leak in the FluxMessageChannel class; improvements and cleanup of the ImapMailReceiverTests class; and a new PartitionedChannel class for partitioned message dispatching. More details on this release may be found in the release notes.

Spring Batch 5.0.2 has been released featuring bug fixes, improvements in documentation and new features such as: allow the StaxEventItemReader class to auto-detect the input file encoding; a change in which the JobParameters class now uses an instance of LinkedHashMap instead of HashMap in the constructor and the getParameters() method to guarantee input order; and a reduction in the use of deprecated APIs. Further details on this release may be found in the release notes.

Spring for GraphQL 1.2.0 has been released with new features such as support for: the @GraphQlExceptionHandler annotation methods in the AOT processor; nested paths in GraphQlTester interface; schema mapping inspection for the @BatchMapping annotation methods. More details on this release may be found in the release notes.

Similarly, Spring for GraphQL 1.1.4 has also been released to provide bug fixes, dependency upgrades, improvements in documentation and a new feature in which the ClientGraphQlRequest interface passes attributes to a request from the WebClient interface. Further details on this release may be found in the release notes.

The release of Spring Authorization Server 1.1.0 ships with dependency upgrades and new features such as: a simplified federated login and updated UI design in the demo sample; the addition of a logout success page to default client sample; and a revocation of tokens if authorization code is used more than once. More details on this release may be found in the release notes.

Versions 3.1.0 and 3.0.3 of Spring LDAP 3.1.0 have been released featuring: dependency upgrades such as Spring Security 5.8.3 and 5.7.8 and Jackson 2.15.0 and 2.14.3, respectively; and a new feature in version 3.0.3 in which there was calcification on the use of attribute mapping with the @DnAttribute annotation. Further details on these releases may be found in the release notes for version 3.1.0 and version 3.0.3.

Micronaut

The Micronaut Foundation has released Micronaut Framework 3.9.2 featuring bug fixes and updates to modules: Micronaut Azure, Micronaut AWS, Micronaut GCP, Micronaut OpenAPI, Micronaut SQL and Micronaut Kubernetes. More details on this release may be found in the release notes.

Open Liberty

IBM has released Open Liberty 23.0.0.5-beta featuring: continued enhancements to InstantOn, their new feature that provides faster startup times for MicroProfile and Jakarta EE applications; and the latest updates to the preview for the Jakarta Data specification.

TornadoVM

TornadoVM, an open-source software technology company, has released TornadoVM version 0.15.1 that ships with delivers bug fixes and notable improvements such as: improved compatibility with Apple M1/M2 through the OpenCL Backend; introduction of a device selection heuristic based on the computing capabilities of devices; integration and compatibility with the Graal 22.3.2 JIT compiler; optimisation of removing redundant data copies for read-only and write-only buffers from between the host (CPU) and the device (GPU) based on the Tornado Data Flow Graph; improved integration of GraalVM/Truffle programs; and the option to dump the TornadoVM bytecodes for unit tests. Further details on this release may be found in the release notes.

Juan Fumero, research associate, Advanced Processor Technologies Research Group at The University of Manchester, introduced TornadoVM at QCon London in March 2020 and has since contributed this more recent InfoQ technical article.

Hibernate

Hibernate ORM 6.2.3.Final has been released featuring bug fixes, performance improvements and HQL support for the native PostGIS distance operators. More details on this release may be found in the list of changes.

Apache Software Foundation

The release of Apache TomEE 8.0.15 features bug fixes, dependency upgrades and resolutions to mitigate: CVE-2022-1471, a vulnerability in which the deserialization of types using the SnakeYAML Constructor() class will allow an attacker to initiate a malicious remote code execution; CVE-2023-28708, a vulnerability in which using the RemoteIpFilter class, with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to HTTPS, session cookies created by Tomcat did not include the secure attribute. This vulnerability could result in an attacker transmitting a session cookie over an insecure channel; and CVE-2023-24998, a vulnerability in Apache Commons FileUpload such that an attacker can trigger a denial-of-service with malicious uploads due to the number of processed request parts is not limited. Further details on this release may be found in the release notes.

Apache Tika 2.8.0 has been released delivering new features such as: enable counting and/or parsing of incremental updates in PDFs; enable optional extraction of file system metadata in the FileSystemFetcher class; allow pretty printing from the FileSystemEmitter class; and improve embedded file extraction from PDFs. More details on this release may be found in the release notes.

OpenXava

OpenXava 7.1 has been released that ships with bug fixes, dependency upgrades and new features such as: the calendar in list mode; enhancements to web security that include mitigating CVEs; the ability to annotate properties to indicate a data input mask with the new @Mask annotation; and a rich new text editor. Further details on this release may be found in the release notes.

JBang

The release of JBang 0.107.0 provides support for JDK 21 with a new --enable-preview flag and notable fixes such as: export will now create the missing output folders; PicoCLI no longer throws exceptions for certain configuration values; and a resolution to unnecessary lookups in the JBang alias list.

JDKMon

Version 17.0.59 of JDKMon, a tool that monitors and updates installed JDKs, has been made available this past week. Created by Gerrit Grunwald, principal engineer at Azul, this new version provides changes such as: improved support on Linux; and fixes related to CVE detection.

Spring I/O Conference

The 10th annual Spring I/O conference was held at the Fira de Barcelona at Montjuïc in Barcelona, Spain this past week. Celebrating their 10th anniversary, speakers from the Java community presented sessions and workshops on Spring projects, GraalVM, native Java, enterprise security, domain-driven design and cloud computing.

About the Author

Rate this Article

Adoption
Style

BT