Enterprise grade Java.
You'll read about Conferences, Java User Groups, Java, Integration, Reactive, Microservices and other technologies.

Wednesday, June 26, 2013

New Article in German iX Magazine: Java EE 7

10:38 Wednesday, June 26, 2013 Posted by Test No comments:
, ,
Another article hit the road today. This time a comprehensive introduction to Java EE 7 in German iX Magazine 7/2013.

Java EE 7: Too early for the Cloud
Java EE 6 scored with many simplifications for developers. The seventh edition should initially address PaaS and cloud topics. However, the plan turned out to be too ambitious, and the recently completed version contains little fundamentally new, but has numerous additional features and more stability.

This is a German article and you can either grab the latest issue online or buy it at your favorite kiosk.

If you're curious about an English version have a look at my "Java EE 7 at a glance" article published by The H-Online (17 June 2013, 14:56).

Find some other articles of mine by searching this blog for posts labeled "article" and you get some results.

Wednesday, June 19, 2013

Java SE 7 Update 25 - Release-Notes explained.

08:41 Wednesday, June 19, 2013 Posted by Test No comments:
, ,
Yesterday was CPU day. Oracle released the Java SE update 25 with the June Java Critical Patch Update. After the last major update in April this is the last one which does not fit into the Oracle Critical Patch Update schedule along with all other Oracle products. Starting in October 2013, Java security fixes will follow the four annual security release cycle. But don't panic: Oracle will retain the ability to issue emergency “out of band” security fixes through the Security Alert program. Further on this is the first CPU which will not publicly update the Java SE 6 family. If you need an update on that JRE Family you need to have a Oracle's Java SE Support. Going down this road brings you Java SE 6u51.

The Management Summary
This release has been announced some time back already and addresses 40 vulnerabilities with fixes across Java SE products. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  Four of them are applicable to server deployments (CVE-2013-2451,CVE-2013-2457, CVE-2013-2407, CVE-2013-2461). A complete list is shown in the Oracle Java SE Risk Matrix. The expiration date for JRE 7u25 is November 15, 2013. After that date the clients start showing warnings about a too old JRE.

I'm an End-User. Whats new?
(Source: Oracle Docs)
Not very much this time. Two little improvements which should not impact you too much.
Before signed Java applets and Java Web Start applications are run, the signing certificate is checked to ensure that it has not been revoked. Advanced options in the Java Control Panel (JCP) can be set to manage the checking process. These online checks might not work at all in enterprise environments or have an impact on startup performance. To avoid both it is now possible to disable it. You should carefully make this decision and only do it in managed environments because it decreases the overall security protection mechanism.

(Source: Oracle Docs)
Further on the security dialogues have been enhanced with a "more information" link. Whenever you hit an insecure constellation you are now presented with the warning dialogues introduced with 7u21 with an additional link in them.

If you haven't been prompted to update you should do this as soon as possible. Download the JRE for your system from java.com and be up-to-date!

I'm a Developer! Tell me the dirty news!
No dirty and not announced news this time. But again, you still have a couple of things to take care of. First of all this release brings the new Olson Data 2013b. Which is a good thing even if we have the TZUpdater back.

An important bug was fixed regarding signed jars. With 7u21 signed jars were allowed to be loaded without any unsigned warning if they contain unsigned index.list entry but this is not true anymore with 7u25. To properly sign a jar, index entries must be created before the jar is signed. For more information see bug 8016771.

JDK 7u25 release introduces the permissions and codebase attributes in the JAR Manifest File. The Permissions attribute is used to verify that the permissions level requested by the RIA when it runs matches the permissions level that was set when the JAR file was created. The values sandbox and all-permissions are valid. It must match the permission level requested in the JNLP file or the applet tag.
The Codebase attribute is used to restrict the code base of the JAR to specific domains. Set this attribute to either the domain name or IP address where the application is located. A port number can also be included. For multiple locations, separate the values with a space. An asterisk (*) can be used as a wildcard only at the beginning of the domain name. The value of the Codebase attribute must match the Code base specified in the JNLP file or the applet tag or the actual location from which the app is accessed.
If one of both or both requirements don't match, an error is shown and the application is not run. If the attributes permissions or codebase  are not present, a warning is written to the Java Console and the permissions/codebase specified for the applet tag or JNLP file is used. This behavior is most likely going to change and be handled more restrictively in the future. If you want more examples have a look at the SE 7 technote.

If you're hosting Javadoc somewhere make sure to regenerate it with latest Javadoc Tool. As stated in  CVE-2013-1571  API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server. If you can't regenerate them, use the new Updater Tool which is NOT contained in the SDK/JRE bundles.

Since 7u21 the decoding of command strings specified to java.lang.ProcessBuilder and the exec methods defined by java.lang.Runtime, has been made stricter on Windows platforms. 7u25 brings a new system property jdk.lang.Process.allowAmbigousCommands which can be used to relax the checking process and may be used as a workaround for some applications that are impacted by the stricter validation.  To use this workaround, either the command line should be updated to include -Djdk.lang.Process.allowAmbigousCommands=true or the java application should set the system property jdk.lang.Process.allowAmbigousCommands to true.

Further on there have been a lot of bug fixes which directly address CVEs. A complete explained list is available in text form.

Further Readings
The official announcement on the Java Blog:
The 7u25 Release-Notes:
Overview April Java CPU:
Patch Availability Document for Oracle Java SE June CPU
Java SE 6 Downloads:

Tuesday, June 18, 2013

Java EE 7 launch - Feedback and Press Coverage

11:50 Tuesday, June 18, 2013 Posted by Test No comments:
Java EE 7 is a couple of days old already. We all have had a chance to either watch the live launch events or the available replays. The last MR releases finished pushing their stuff to the JCP and it basically is a wrap. Time to reflect on what happened and what I think about it.

Community Participation within the Launch
Its not a big secret. Even if Oracle's Java EE 7 launch can be called a success and was very nicely arranged I was comparable unhappy that the highly praised community participation ended consequently before the launch. Not a single message was send to the FishCat members or the closed "Friends of GlassFish" list. Not a big surprise that a revamped glassfish.org draws some attention even if it jumped the gun and obviously haven't heard that the launch was scheduled a day later.
Might be the time to realize that "GlassFish is paying the bills for WebLogic" (free after Cameron Purdy) and it simply was a product launch. And let me emphasize that I'm not unhappy about the launch event at all. It was awesome to have the opportunity to chat to so many spec leads and ask questions. If all this would have happened without the crappy Flash front-end it would have been incredible. Can't help myself; Duke in an Ironman suite would have been the ultimate thing here.

Press Coverage about Java EE 7
Some 20 something press releases, blogs and articles made it to the official GlassFish blog. Nothing compared to the 3.0 launch which was celebrated together with the community in form of a blogfest. Two of mine also made it into the list. I finally managed to catch up with everything I had prepared and most of the stuff is published by now. Happy reading!

The H-Online (17 June 2013, 14:56)
Java EE 7 at a glance

Around three and a half years have passed since the last major version jump of the Java Enterprise Edition (Java EE). It was intended that Java EE 6, which was designed with developer performance and simplification in mind, would become technologically more powerful in Java EE 7 through the addition of cloud support. These plans proved too ambitions at quite a late stage. As a result, the version that was completed in mid-April contains very few fundamentally new aspects and just represents a consistent effort to round off existing features.

Heise Developer (German, 12.06.2013 - 11:29)
Die wichtigsten Neuerungen in der Java Enterprise Edition 7 - Keine Wolken, nur Sonnenschein

Rund dreieinhalb Jahre sind seit dem letzten großen Versionssprung der Java Enterprise Edition (Java EE) vergangen. Eine auf Entwicklerperformance und Vereinfachungen ausgelegte Java EE 6 sollte durch das Thema "Cloud" in Java EE 7 technisch stärker werden. Die Pläne stellten sich erst spät als zu ambitioniert heraus. Somit enthält die Mitte April fertiggestellte Version kaum grundlegend Neues und ist lediglich eine konsequente Abrundung der vorhandenen Funktionen.

Heise Developer (German, 11.06.2013 09:43)
Referenzimplementierung für Java EE 7: GlassFish 4.0 erschienen

Im April hatte das dafür zuständige Gremium innerhalb des Java Community Process (JCP) der Java EE 7 den Segen erteilt, nun hat Oracle mit GlassFish 4.0 die Referenzimplementierung für die Spezifikation nachgeschoben. Nach 89 "Promoted Builds" beziehungsweise gut einem Jahr und acht Monaten Entwicklungszeit ist damit die nächste größere Version des Java-Anwendungsservers offiziell fertiggestellt.

DOAG Online (German)
Frühstart für GlassFish 4.0

Die siebte Version der Java-EE-Spezifikation hat im JCP (Java Community Process) grade erst die Zielgrade genommen, Oracle vermarktet aktuell mit viel Energie den offiziellen „Java EE 7“-Launch am morgigen Mittwoch – und gestern Abend ist es dann passiert: Still und leise – und offensichtlich viel zu früh – tauchte die für den morgigen Launch komplett überarbeitete Webseite des GlassFish-Projekts online auf.

Monday, June 17, 2013

Documenting Compliance - About TCKs, Specifications and Testing

11:46 Monday, June 17, 2013 Posted by Test No comments:
, , ,
Working with software specifications is hard. No matter in which exact filed; you end up with the big question: Does everything ever specified is implemented and tested? Back in the days of waterfall driven methodologies this has been an issue and even today at the time of writing, agility and user-stories still don't guarantee you the perfect fit. Many of today's agile approaches combine well with Test Driven Development or even Behavior Driven Development concepts to turn the issue upside down. Instead of asking "Does my code cover every single sentence of written specification?" those simply assume that writing the tests first is a valid way of having the needed coverage. The down-side here is the lack of documentation which easily can happen. Additionally you never find a suitable document workflow to re-factor tests to the one single document. What might work for individual solutions and projects comes to an end if you look at stuff like "Technology Compatibility Kits" (TCK) which by nature are more or less gathered from any kind of document based written specification.

TCKs for the Java platforms
Diving into that kind of topics always is a good candidate to polarize the development community. Especially because documentation is still a topic which tends to be forgotten or delayed completely. To me documentation is key on may levels. On a framework level it assures that your users don't struggle and you lay a good ground for quick adoption. To me the Arquillian project and team did an amazing job in their first years. Even on a project level this makes sense to quickly swap new team members in and out without losing knowledge. But there is another area which not simply benefits from it but has a strong relation to documentation: The Java TCKs. All Java Platforms define Java Specification Requests (JSRs) as the point for language improvements. A Technology Compatibility Kit (TCK) is a suite of tests that at least nominally checks a particular alleged implementation of a Java Specification Request (JSR) for compliance. Given the fact, that most specifications exist in some Office like documents and are pushed around as PDFs for review and comments it is nearly impossible to say weather a TCK has a defined coverage of the original specification at all. This at best is scary. Most of the time it is annoying because Reference Implementations (RIs) simply forget to cover parts of the spec and the user has to handle the resulting bugs or behaviors in specific ways. If that is possible at all.
Just a short note here regarding the availability of TCKs. Most of them aren't available as of today but subject to terms of license and financial agreements. Hopefully this is going to change with the upcoming changes to the Java Community Process.

Some JBoss Goddess to cure documentation
But some bright minds came up with a solution. It probably isn't a big surprise that a great effort came out of a couple of RedHats. A small project which initially was created as part of the hibernate-validator project which is the RI for BeanValidation is here to cure the problems. The unknown and itself mostly undocumented jboss-test-audit project calls itself "Utility classes for TCK Test Coverage Report". This perfectly nails it. It is a very lightweight but still powerful little addition to any RI which post-processes sources for special annotations to gather a coverage report for any project which has the goal of implementing a specification. It is licensed under the Apache License, Version 2.0 and you only need some very few steps to get this up an running against your own setup.
It all begins with the specification. This is a xml document which defines the different sections and required assertions.
    <section id="1" title="Chapter 1 - Introduction"/>
    <section id ="2" title="Chapter 2 - What's new">
        <assertion id="a">
            <text>A simple sample test</text>
This document is the base line for your tests. You now need to go ahead and equip all your tests with relevant section and assertion information. This might look like the following:
SpecVersion(spec = "spectests", version = "1.0.0")
public class AppTest {

    @SpecAssertion(section = "2", id = "a")
    public void simpleTestForAssertion() {
        App app = new App();
        assertEquals(app.sayHello("Markus"), "Hello Markus");

Combined with a bit of maven magic (maven-processor-plugin) all the annotations are parsed and a nice report is generated about the overall coverage.
If you want to have a look at the complete bootstrap example find it on github.com/myfear.

The Hard Parts
This obviously is a no-brainer. To add some annotations to your tests will not be the hardest thing you ever did. What is really hard is to convert your documentation into that fancy audit xml format. There are plenty of ways to do this. Given the fact, that most of the companies leading a JSR have some kind of hard-core document management in place should make this a once in a lifetime thing to implement. If you're working with Microsoft Word you could also use the available xml schema to write well formed documents with it (which is a pain! Don't do it!).

Plenty of Ideas
The little utility classes work comparably well. But there is still plenty of room for improvements. It might be a valid idea to have some supportive information here like issue-numbers or other references. I also would like to be able to use asciidoc in the documentation :) But I'm not complaining here because I am not going to change it myself. But if anybody is interested, the complete thing is on github.com and I believe those guys know how community works and accept contributions.

Future Wishes for the JCP
Given that simple and easy approach it would be a good thing to foster adoption along with JSRs. So if you like it approach the EC member you trust and make him/her aware of this and put it as an idea on their list.

Wednesday, June 12, 2013

German iJUG e.V. interviewed in latest Oracle Java Magazine

12:32 Wednesday, June 12, 2013 Posted by Test No comments:
, ,
This has been on the list of things I was looking forward to since some time now. Oracle's own Java Magazine regularly features JUGs around the world in their digital edition and today it finally was time for an interview with the German "Interest Alliance of the Java User Groups (iJUG)"

Sign up for the free Java Magazine and read about latest in Java EE 7 and Java together with this nice little interview.

iJUG Interview (Source: Oracle Java Magazine)

The Interest Alliance of the Java User Group (iJUG) is an association of twelve Java User Groups in Germany, Austria and Switzerland.  The ambition of the iJUG is to represent the interests of more than 20,000 Java User and the Java User Groups. If you want to know more about them visit the German website http://www.ijug.eu

And if you are interested in writing: Take a look at their mouthpiece called "Java Aktuell" which is a German speaking magazine covering all the latest and greatest in the Java ecosystem.

Tuesday, June 11, 2013

GlassFish 4 brings Java EE 7

06:36 Tuesday, June 11, 2013 Posted by Test No comments:
What a surprise. Apple had nothing to offer at wwdc except the new iOS 7 launch. Might be coincidence that shortly after their keynote another 7 made an official appearance. GlassFish 4.0 was release yesterday evening (obviously unwanted). The new Java EE 7 reference implementation automatically is the first Java EE 7 application server available today.

New Website 
After 89 promoted builds (first from 14-Sep-2011) it took the team 1 year, 8 months and 1 day to get the new release ready. Congratulations to the release. Everything seems to point to the fact, that it should have been released for the June 12 launch event. Some links on the completely reworked website didn't work yesterday and the NetBeans 7.3.1 release which finally supports Java EE 7 isn't available as of today. The commercial offering which is called "Oracle GlassFish Server" also didn't seem to have hit it's place on OTN.

New Java EE 7 Example
The launch comes with a completely revamped Java EE 7 Example. The "First Cup" application calculates the age of Duke, the Java mascot and interacts with the users. Duke was born May 23, 1995, when the first demo of Java technology was publicly released. It contains JAX-RS, EJB, JSF and JPA. Find the source and some more information on the java.net project website. The complete code is developed under a BSD license and you're free to play around with it.

Now that everything already is here there is still some time to register for the Java EE 7 launch event tomorrow.

Links and further reading:
Official Java EE 7 SDK on OTN
Java EE 7 API
The Java EE 7 Tutorial
Your First Cup: An Introduction to the Java EE Platform
Java EE 7 Technical Documentation

Tuesday, June 4, 2013

Java EE 7 is final. Thoughts, Insights and further Pointers.

08:47 Tuesday, June 4, 2013 Posted by Test No comments:
It took us a little less than three years to get the next Java EE version out the door. On April 16th this year the JCP EC voted on JSR 342 and approved it. This is kind of a success story because the initial idea of having a cloud ready platform was withdrawn at the very last possible moment in late August last year. As a member of the EG it is more or less easy to write about upcoming features. Even if the umbrella EG only is responsible for the platform level stuff and not the individual contained JSRs you need to know a little more about the details than I expected at first. But I'm not going to recap what has already been written by Arun or the Adopt-a-JSR members. Instead I would like to give you some more behind the scenes and impressions. First of all: A heartily "Thank-You!" to all the hard working EGs and contributors of the individual JSRs! It was a pleasure contributing as an individual and I am thankful for the patience and respect I received for my views and ideas!

Platform Road-map
What started back in 1998 has been a tremendous success. The Java Enterprise Edition as we know it today started out with less than 10 individual specifications and grew over time to what it is today. Different topics started to form the versions with the beginning of what was called J2EE 1.4 in 2003.
A more developer centered view came up with the re-branding towards Java EE (and yes: There is nothing named JEE! Never use that name! Please! :) ) This was extended in the overly successful sixth version. Following that path for me it seemed as if the "cloud" topic initially proposed for 7 came out of nowhere. Reading Linda's email about the possible re-alignment was kind of a relief and the only thing I have to add is, that it probably came to late. The cloud things will come up again in the next version which will start somewhere in the future hopefully.

What I would Wish for
My personal wish would be to have a better and longer strategy here. Knowing that we are talking about comparably long time-frames this might stay a wish but instead of adopting latest industry trends all over and leaving it up to the individual JSRs to fill the buzz words, I would rather like to see a more platform centered approach. Given the different categories in which each of the new EE versions emerges this could look like this:
With a maximum of 25% fore each of them it would be a reasonable way to fulfill the needs for every stakeholder. 75% for standards related work to keep the platform integrated, usable and up to date and only 25% of the work to slightly adopt to new things. To me it feels like this approach would invert the way it is done today. But someone with more insight might proof me wrong here.
Further on I would suggest, that the "Big Tickets" need some kind of a visionary road-map, too. Lets say it might be related to Gartners Emerging Technologies Hype Cycle.
Gartners Emerging Technologies Hype Cyle (Source: Forbes.com)
So my personal road-map for EE's next big ticket topics would be the following:

Transparency and Community Contribution and Work in the EG
Even if I am complaining about the lack of transparency behind the overall planning I have to note that overall transparency and community contribution raised to a new level in EE 7. Starting with the official survey which Linda launched at the EE-BOF at JavaOne last year on to the upgraded JCP version (JCP 2.8) which is in use for most of the EE JSRs and the incredible amount of people working in the Adopt-A-JSR program this has been the most open EE specification effort of all time. And for those willing to contribute further I suggest  that you get familiar with the Adopt-a-JSR program and start contributing. This is a great way to give feedback to the individual EGs. You're of course free to pick whatever specification you want and contribute on the user-mailing-lists. They are open and the EGs monitor what is happening there. Further on, most of the EG members are publicly reachable and happy to receive feedback.
Generally I am pleased to say that working in the EE 7 Expert Group was a pleasant experience. I am incredibly honored to have the chance to work with the brightest EE minds in the industry. This includes Bill and Pete and many others. Especially those who won this year's Star Spec Lead award are the ones I recall being open and responsive to any single question I had. Thank you.

Java Enterprise Edition 7 at a Glance
Enough of behind the scenes and crazy ideas. Here is what EE 7 looks like as of today:
With four new specifications on board and four pruned ones (EJB Entity Beans, JAX-RPC 1.1, JAXR 1.0, und JSR-88 1.2) we're exactly where we've been in EE 6 according to the numbers. The complete specification now contains 34 individual specifications.

Spezifikation JSR Version Java.net Project
Java Platform, Enterprise Edition  342 7 javaee-spec
Managed Beans 342 1.0
Java EE Web Profile (Web Profile) 342 1.0
Java API for RESTful Web Services (JAX-RS) 339 2.0 jax-rs-spec
Web Services for Java EE 109 1.4
Java API for XML-Based Web Services (JAX-WS) 224 2.2 jax-ws
Java Architecture for XML Binding (JAXB) 222 2.2 jaxb
Web Services Metadata for the Java Platform 181 2.1
Java API for XML-Based RPC (JAX-RPC) (Optional) 101 1.1 jax-rpc
Java API for XML Registries (JAXR) (Optional) 93 1.0
Servlet 340 3.1
JavaServer Faces(JSF) 344 2.2 javaserverfaces
JavaServer Pages (JSP) 245 2.3
JavaServer Pages Expression Language (EL) 341 3.0 el-spec
A Standard Tag Library for JavaServer Pages (JSTL) 52 1.2 jstl
Debugging Support for Other Languages 45 1.0
Contexts and Dependency Injection for the Java EE Platform (CDI) 346 1.1 github.com
Dependency Injection for Java (DI) 330 1.0
Bean Validation 349 1.1 http://beanvalidation.org
Enterprise JavaBeans (EJB) 345 3.2 ejb-spec
Java EE Connector Architecture (JCA) 322 1.7
Java Persistence (JPA) 338 2.1 jpa-spec
Common Annotations for the Java Platform 250 1.2
Java Message Service API (JMS) 343 2.0 jms-spec
Java Transaction API (JTA) 907 1.2 jta-spec
JavaMail 919 1.5 javamail
Java Authentication Service Provider Interface for Containers (JASPIC) 196 1.1 jaspic-spec
Java Authorization Contract for Containers (JACC) 115 1.5 jacc-spec
Java EE Application Deployment (Optional) 88 1.2
Java Database Connectivity (JDBC) 221 4.0
Java Management Extensions (JMX) 255 2.0 openjdk
JavaBeans Activation Framework (JAF) 925 1.1
Streaming API for XML (StAX) 173 1.0 sjsxp
Java Authentication and Authorization Service (JAAS) 1.0
Interceptors 318 1.2 interceptors-spec
Batch Applications for the Java Platform 352 1.0 jbatch
Java API for JSON Processing 353 1.0 json-processing-spec
Java API for WebSocket 356 1.0 websocket-spec
Concurrency Utilities for Java EE 236 1.0 concurrency-ee-spec

Free Online Launch Event for Java EE 7
If you're interested in first hand information about all the new specs register for the Java EE 7 Launch Webcast: Jun 12th.

The introduction of Java EE 7 is a free online event where you can connect with Java users from all over the world as you learn about the power and capabilities of Java EE 7. Join Oracle for presentations from technical leaders and Java users from both large and small enterprises, deep dives into the new JSRs, and scheduled chats with Java experts.

- Business Keynote (Hasan Rizvi and Cameron Purdy)
- Technical Keynote (Linda DeMichiel)
- Breakout Sessions on different JSRs by specification leads
- Live Chat
- Lots of Demos
- Community, Partner, and Customer video testimonials

Monday, June 3, 2013

New German Article: Java 7 Update 21 Security Improvements

10:46 Monday, June 3, 2013 Posted by Test No comments:
, , ,
A follow-up on the original English blog post which described all the new Java 7 Update 21 Security Improvements in Detail another German article of mine was published. Read it online free of charge in German on the heise.de/developer website.

Only Signed
Java stands in the line of fire since several months. The security holes are covered in detail. Not only in specialized media, but were even published by popular press and reached many end users. Oracle responds consistently, but comparatively noiseless. On 16 April 2013 the Java 7 Update 21 has been published with the most far-reaching changes so far. The security settings will now longer to silently execute unsigned applets.

New German Article: Oracle Java Cloud Service

10:36 Monday, June 3, 2013 Posted by Test No comments:
, , ,
A short information for my German audience. A new article of mine was published a few days ago. Read it online free of charge in German on the heise.de/developer website.

Java EE Development with Oracle's Public Cloud
Only partly up to date
Oracle CEO Larry Ellison mocked the cloud topic for a long time. This has changed significantly in the meantime: 16 cloud offerings can be found on the central website for the cloud software company. It is not always easy to keep track of already available or pre-announced offerings. They all have one thing in common: They are based on the platform services offerings which are based on the WebLogic Application Server and the Oracle database.

Curious about your feedback!