This week's Java roundup for October 28th, 2024 features news highlighting: an update to the upcoming release of Jakarta EE; the eighth milestone release of GlassFish 8.0; and point releases of JReleaser 1.15.0, JHipster 8.7.3 and Quarkus 3.16.0.
OpenJDK
It was a busy week in the OpenJDK ecosystem in which: four JEPs, having successfully completed their respective reviews, are now Targeted for JDK 24; and five new JEPs have been Proposed to Target for JDK 24 and will be under review during the week of November 4, 2024. More details may be found in this InfoQ news story.
JDK 24
Build 22 of the JDK 24 early-access builds was made available this past week featuring updates from Build 21 that include fixes for various issues. Further details on this release may be found in the release notes.
For JDK 24, developers are encouraged to report bugs via the Java Bug Database.
Jakarta EE 11
In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE Developer Advocate at the Eclipse Foundation, provided an update on Jakarta EE 11, writing:
The Jakarta EE 11 Core Profile API is ready and staged in the Jakarta EE Staging Repository. The specification document is ready, and there are two compatible implementations that have filed CCRs (Compatible Certification Requests). This means that as soon as the i's have been dotted and t's have been crossed, Jakarta EE 11 Core Profile will start its release review.
For the Jakarta EE 11 Platform and Jakarta EE 11 Web Profile specifications, the plan is to have the release sometime around JakartaOne Livestream on December 3.
The road to Jakarta EE 11 included four milestone releases with the potential for release candidates as necessary before the GA release in 4Q2024.
GlassFish
GlassFish 8.0.0-M8, the eighth milestone release, delivers notable changes such as: a resolution to CVE-2024-9329, a vulnerability in GlassFish versions before 7.0.17 where an attacker, with the ability to modify the /management/domain endpoint value to a malicious website, may successfully launch a phishing scam and steal user credentials; and a removal of security tests that used the deprecated SecurityManager class. This release incorporates almost all of the final Jakarta EE 11-M4 APIs (with the exception of Jakarta Data) and synchronizes with the GlassFish 7 release train. More details on this release may be found in the release notes.
Spring Framework
The Spring team has disclosed CVE-2024-38821, Authorization Bypass of Static Resources in WebFlux Applications, a vulnerability in Spring Security versions in the 5.7 through 6.3 release trains where an attacker may be able to bypass authorization rules on static resources under circumstances where the application: must be WebFlux; must be using support for Spring's static resources; and must have support for a non-permitAll authorization rule applied to static resources. Developers are encouraged to upgrade to Spring Security versions 6.3.4, 6.2.7, 6.1.11, 6.0.13, 5.8.15 and 5.7.13.
Quarkus
Red Hat has released version 3.16.0 (and subsequently 3.16.1 to include a last-minute fix) of Quarkus featuring: support for OpenTelemetry logging; improvements to the Grafana LGTM dashboards; and a new @AuthorizationPolicy annotation to bind a named instance of the HttpSecurityPolicy interface to endpoints from the Jakarta RESTful Web Services specification as an alternative to path-matching rules. Further details on these releases may be found in the release notes for version 3.16.1 and version 3.16.0.
Apache Software Foundation
The release of Apache Kafka 3.8.1 ships with bug fixes and an improvement that resolves an issue where the delegation tokens immediately expire upon creation when using Kafka Raft (KRaft) mode. More details on this release may be found in the release notes.
Maintaining alignment with Quarkus, the release of Camel Quarkus 3.16.0, composed of Camel 4.8.1 and Quarkus 3.16.0, provides resolutions to notable issues such as: a TemplateException due to Apache Camel annotated parameters not being usable as a template variable in the LangChain4jProcessor class; and a change to the @BindToRegistry annotation to work outside of instances of the RouteBuilder class so that it can be used anywhere and have the resulting bean bound to a registry. Further details on this release may be found in the release notes.
JReleaser
Version 1.15.0 of JReleaser, a Java utility that streamlines creating project releases, has been released to deliver bug fixes, improvements in documentation, dependency upgrades and new features such as: the ability to configure the PomChecker strict mode for validating the <repositories> and <pluginRepositories> sections in a pom file; and the deployers will now check if target artifacts have already been deployed before they are uploaded. More details on this release may be found in the release notes.
JHipster
The releases of JHipster 8.7.3 and 8.7.2 deliver: support for JDK 23 and Node 22; dependency upgrades to Spring Boot 3.3.5, Angular 18.2.9 and Vue 3.5.12; an upgrade to eight JHipster blueprints that are compatible with this release; and improved Docker support that disables integration with Docker Compose if there is no container to start. Further details on these releases may be found in the release notes for version 8.7.3 and version 8.7.2.
MicroStream
MicroStream has announced that their Enterprise Edition, an extension to EclipseStore, will be available as "Open-Beta." This means that developers can temporarily use the Enterprise Edition free-of-charge until the final release becomes available. Advantages to using the Enterprise Edition in EclipseStore applications include: off-heap bitmap indexing, a technique that uses bitmaps to represent the presence or absence of a specific value within a collection; and GigaMap, an indexed collection designed to cope with vast amounts of data.
OpenXava
The release of OpenXava 7.4.2 ships with many bug fixes and improvements such as: a new changeLast() method, defined in the Strings class, to change the last occurrence of a string inside another string; and a new reinit boolean property added to the ReturnPreviousModuleAction class to customize the initiation of the module upon return. More details on this release may be found in the release notes.
JDKUpdater
Version 14.0.61+81 of JDKUpdater, a utility that provides developers the ability to keep track of updates related to builds of OpenJDK and GraalVM, has been made available this past week. Introduced in mid-March 2024 by Gerrit Grunwald, Principal Engineer at Azul, this release now supports CRaC builds of Azul Zulu. Further details on this release may be found in the release notes.
JDKMon
Version 21.0.7 of JDKMon, a tool that monitors and updates installed JDKs, has also been made available this past week. Also created by Grunwald, this new version features: detection for JDKs that support Coordinated Checkpoint at Restore (CRaC), such as Azul and BellSoft; and an upgrade to Gradle 8.10.1. More details on this release may be found in the release notes.
Keycloak
The release of Keycloak 26.0.5 provides bug fixes and a new feature in which new users are enabled by default for administrators using the Microsoft Active Directory administrative interfaces, which eliminates having to update a user's status after setting a password for the user. Further details on this release may be found in the release notes.
Gradle
The second release candidate of Gradle 8.11.0 delivers continuous updates on new features such as: improved performance in the configuration cache with an opt-in parallel loading and storing of cache entries; the C++ and Swift plugins now compatible with the configuration cache; and improved error and warning reporting in which Java compilation errors are now displayed at the end of the build output. More details on this release may be found in the release notes.