This week’s Java roundup for August 21st, 2023 features news from OpenJDK, JDK 22, JDK 21, Jakarta EE, BellSoft, Spring Modulith 1.0, Spring Boot, Spring Authorization Server, Spring Batch, Spring AI, Testcontainers, Open Liberty, Quarkus, MicroProfile Metrics and Telemetry, Micronaut, Groovy, Tomcat, Grails, JHipster Lite, Vert.x Pinot Client, Yupiik Fusion and the SpringOne conference.
OpenJDK
Ron Pressler, architect and technical lead for Project Loom at Oracle, has introduced JEP Draft 8307341, Prepare to Restrict The Use of JNI, which proposes to restrict the use of the inherently unsafe Java Native Interface (JNI) in conjunction with the use of restricted methods in the Foreign Function & Memory (FFM) API that is expected to become a final feature in JDK 22. The alignment strategy, starting in JDK 22, will have the Java runtime display warnings about the use of JNI unless an FFM user enables unsafe native access on the command line. It is anticipated that in a release after JDK 22, using JNI will throw exceptions instead of warnings.
Version 7.3.1 of the Regression Test Harness for the JDK, jtreg, has been released and is ready for integration in the JDK. It fixes a regression introduced in jtreg 7.3 that prevented correctly setting up the default environment variables on Windows. More details on this release may be found in the release notes.
Build 12 of the JDK 22 early-access builds was also made available this past week featuring updates from Build 11 that include fixes to various issues. Further details on this build may be found in the release notes.
In his weekly Hashtag Jakarta EE blog, Ivar Grimstad, Jakarta EE developer advocate at the Eclipse Foundation, has provided the voting results on the motions to add the Jakarta Data, Jakarta MVC and Jakarta NoSQL specifications to the Jakarta EE 11 Platform. Only one of these specifications, Jakarta Data, has passed.
Some comments from those who voted against or abstained from including Jakarta MVC:
This is a mature spec with some adoption at the moment, but before making this mandatory, there should be more adoption from the vendor side. As mentioned before by others, it could be added on every Profile as standalone spec, so nobody is blocked in using it right now and create more demand to add it in a future version (or give a reason for an update on the next versions Release Plan).
I encourage this work and hope it will continue forward. I look forward to eventual adoption by the platform.
I think it’s an interesting addition to the platform, and we have already added it to GlassFish where it can be used out of the box. We however have several concerns. Among them is the fact that Jakarta MVC is based on Jakarta REST, while the existing MVC framework in Jakarta EE is based on Jakarta Servlet. Basing new APIs on REST makes it even more confusing which “HTTP handling API” in Jakarta EE is the core one. We’d love to see a common base being established between Jakarta Servlet and Jakarta REST first, before accepting anything into the platform that builds on Jakarta REST.
Some comments from those who voted against or abstained from including Jakarta NoSQL:
The current architectural design seems to have more frequent updates required than is planned to have for Jakarta Platform releases – this gives a strong argument to keep it outside the Platform now. Another requirement might be to have Jakarta Data and Jakarta Config added first. In general having support for NoSQL is a good idea – so this may change in the future.
It is useful and should be included in the near future. But, the specification is not ready for now, and the maturity is not clear in EE 11 timeframe.
No real feature compared to vendor API/runtime and even the opposite: you can’t use your NoSQL backend without using proprietary API so misses the goal IMHO. Only gain is what can be done in 10-15LoC so not enough to justify the maintenance burden IMHO.
BellSoft
BellSoft has provided patch releases of their Liberica JDK 17 and 11 downstream distributions of OpenJDK that include a critical bug fix as described by JDK-8313765, Invalid CEN header (invalid zip64 extra data field size), a regression in which a ZipException is thrown when opening APK, ZIP or JAR files with several third-party tools. This issue emerged when JDK-8302483, Improved ZIP64 Extra Field Validation, provided additional validation of ZIP64 extra fields when opening a ZIP file.
Versions 3.1.3, 3.0.10 and 2.7.15 of Spring Boot all feature improvements in documentation, dependency upgrades and notable bug fixes such as: logging configuration URLs with query parameters that are not detected in XML format; an instance of the JobLauncherApplicationRunner class returning a success exit code even when no jobs have been executed; and the addition of a missing test for RabbitMQ smoke tests. Further details on these releases may be found in the release notes for version 3.1.3, version 3.0.10 and version 2.7.15.
The release of Spring Modulith 1.0 features: a removal of the experimental declaration from the Scenario class; a removal of Spring Modulith Events parent POM from BOM; and upgrades to Spring Asciidoctor Backends 0.0.7 and jMolecules 2023.1.0. More details on this release may be found in the release notes. InfoQ will follow up with a more detailed news story.
The release of Spring Authorization Server 1.1.2 delivers dependency upgrades and notable bug fixes such as: add length validation to prevent an HTTP 500 Internal Server Error due to invalid usercode; the demo-authorizationserver samples test suite not being executed as part of build process; and an instance of the custom form login class, DefaultErrorController, that throws a NullPointerException with a missing error message attribute. Further details on this release may be found in the release notes.
Versions 5.1.0-M2, 5.0.3 and 4.3.9 of Spring Batch have been released that ship with bug fixes, improvements in documentation and enhancements such as: the addition of the Java ConcurrentHashMap and Date classes to the trusted list of classes in the Jackson2ExecutionContextStringSerializer class; and auto-detection of classes/interfaces to be mocked by replacing the mock(Class<T> classToMock) method with the mock() method. New features in version 5.1.0-M2 include: support for bulk inserts and new accessors in the MongoItemWriter class to facilitate extensions. More details on these releases may be found in the release notes for version 5.1.0-M2, version 5.0.3 and version 4.3.9.
Spring AI, a “Spring-friendly API and abstractions for developing AI applications” was introduced at the SpringOne conference this past week. Developers can learn more by watching this YouTube video featuring Josh Long, Spring Developer Advocate at VMware, and Mark Pollack, Senior Staff Engineer at VMware, and this ACME Fitness Store application. InfoQ will follow up with a more detailed news story.
AtomicJar
AtomicJar, makers of Testcontainers, an “open source framework for providing throwaway, lightweight instances of databases, message brokers, web browsers, or just about anything that can run in a Docker container,” has introduced a new Testcontainers Desktop application that is free to the Java community. This release includes features that allow developers to set fixed ports for improved debugging and connecting to running containers and the ability to freeze containers to prevent their shutdown while debugging. This application also allows developers to easily switch their local container runtime, which eliminates the need to manipulate the testcontainers.properties file when using Testcontainers with OrbStack/Colima/Rancher Desktop or Podman. InfoQ will follow up with a more detailed news story.
Testcontainers for Java 1.19.0 was also released this past week with notable changes such as: a new forListeningPort(port) convenience method in the Wait class to check on a specific port; use of the SelinuxContext.SHARED enumeration by default; and a new implementation of the ClickHouseContainer class that supports the withUsername(), withPassword(), withDatabaseName() and withUrlParam() methods.
Open Liberty
IBM has released version 23.0.0.8 of Open Liberty featuring: support for Proof Key for Code Exchange (PKCE) for OpenID Connect clients, which prevents authorization code interception attacks; a fix for CVE-2023-38737, a vulnerability in which an attacker can send a specially-crafted request to Open Liberty versions 22.0.0.13 through 23.0.0.7, causing the server to consume memory resources and leading to a denial of service; and a fix to ensure that a sufficient number of features are installed when using the featureUtility installFeature <featurename> command, which formerly didn’t guarantee the feature would work correctly.
Quarkus
Red Hat has released version 3.3.0 of Quarkus with notable changes such as: improvements to the OpenTelemetry extension; a new SmallRye Reactive Messaging Pulsar extension; and the ability to customize the Jackson ObjectMapper class in the REST Client Reactive extension. It is important to note that, starting with this release, the .Final suffix in version names will be dropped because that versioning convention is now outdated. Further details on this release may be found in the changelog.
MicroProfile
On the road to MicroProfile 6.1, the MicroProfile Working Group has provided the first release candidate of the MicroProfile Metrics 5.1 specification featuring notable changes such as: an introduction of MicroProfile Config properties that customize how Histogram and Timer metrics track and output statistics for percentiles and histogram buckets; the @RegistryScope annotation is now a qualifier; and a new mp.metrics.defaultAppName property as a requirement for consistent tag sets that previously caused problems in multi-app application server implementations. More details on this release may be found in the changelog.
Similarly, the second release candidate of the MicroProfile Telemetry 1.1 specification has also been released featuring a dependency upgrade to OpenTelemetry Java 1.29.0; a clarification of the behavior of Span and Baggage beans when the current span or baggage changes; and an implementation of tests in such a way that is not timestamp dependent. Further details on this release may be found in the release notes.
Version 2.0.0 of Micronaut Blueprint for JHipster was also released this past week. Based on JHipster 7.9.3, the latest stable version, this blueprint generates a back-end server based on Micronaut Framework 3.10.1 for either monolith- or microservice-style JHipster applications.
Similarly, versions 4.0.14 and 3.0.19 of Apache Groovy provide bug fixes, dependency upgrades and improvements such as support for: a null parameter in the collectEntries() method defined in the DefaultGroovyMethods class; and closure parameter type inference for tuples when static type checking. More details on these releases may be found in the release notes for version 4.0.14 and version 3.0.19.
Lastly, the release of Apache Groovy 2.5.23 delivers two bug fixes: improved behavior of variable resolution within the Closure class; and a NoSuchMethodError thrown when executing a Groovy script. Further details on this release may be found in the changelog.
Versions 11.0.0-M11, 10.1.13, 9.0.80 and 8.5.93 of Apache Tomcat were released this past week with all four versions providing notable changes such as: a fix for CVE-2023-41080, a URL redirection to an untrusted site vulnerability in the FORM authentication feature in Apache Tomcat; and use of the provided error code during error page processing rather than assuming an HTTP 500 Internal Server Error if an application or library sets both a non-HTTP 500 Internal Server Error and the jakarta.servlet.error.exception request attribute. Version 11.0.0-M11 also includes an update to the HTTP parameter handling to align with the changes in the Jakarta Servlet 6.1 API for the methods defined in the ServletRequest interface. More details on these releases may be found in the release notes for version 11.0.0-M11, version 10.1.13, version 9.0.80 and version 8.5.93.
Grails
The Grails Foundation has introduced version 6.0.0 of the Grails Spring Security Core Plugin featuring elevated security, support for Spring Security 5.8.6, compatibility with Grails 6.0.0, an enhanced command line interface, dependency upgrades and improved navigation of documentation.
JHipster
Version 0.41.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and improvements such as: a replacement of the Java @Generated annotation with the JHipster @ExcludeFromGeneratedCodeCoverage annotation; a removal of the password() method from the OAuth2Configuration class; and an execution of integration tests with a configuration derived from an application configuration file. Further details on this release may be found in the release notes.
Eclipse Vert.x
The Eclipse Vert.x team has introduced a new Pinot Client for Apache Pinot, a realtime distributed datastore for analytical workloads, as a replacement for the Apache Pinot Java Client. This new client exposes a convenient API for Eclipse Vert.x applications to query Apache Pinot servers.
Yupiik
Version 1.0.6 of Yupiik Fusion has been released with notable changes such as support for: embeddable nested tables for cases with more than 255 columns; the ability of the PartialResponse class to customize the RESPONSE_HEADERS field in the JsonRpcHandler class; and the OffsetDateTime, ZoneOffset and LocalDate as root parameters on a JSON-RPC endpoint. More details on this release may be found in the release notes.
SpringOne
The SpringOne and VMware Explore conference was held at the Venetian Convention and Expo Center in Las Vegas, Nevada this past week featuring sessions designed for Application Developers, Platform Operators/DevOps/SREs and Application Architects. Spring Technologies included: Platforms and Tooling for Spring Applications; Spring Framework; Spring Boot; Spring Security; Spring Cloud; Spring Data/Stream; and the Spring Community.
The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.
Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.
“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.
The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.
However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”
Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.
A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.
“We will challenge this order in court,” the spokesperson said.
“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”
The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.
At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.
A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”
Even before the review, ByteDance and TikTok were a lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.
Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.
Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.
Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with the potential to harm national security.
While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.
Wednesday’s dissolution order was made in accordance with the act.
The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.
— With files from Anja Karadeglija in Ottawa
This report by The Canadian Press was first published Nov. 6, 2024.
LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?
It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.
Here’s how you can prepare your digital life for your survivors:
Apple
The iPhone maker lets you nominate a “legacy contact” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks need macOS Monterey 12.1.
For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.
You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.
Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.
Google
Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.
When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.
You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.
There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.
Facebook and Instagram
Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.
When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.
The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.
You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.
TikTok
The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.
Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.
X
It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.
Passwords
Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?
Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper, Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.
But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.
LONDON (AP) — Britain’s competition watchdog said Thursday it’s opening a formal investigation into Google’s partnership with artificial intelligence startup Anthropic.
The Competition and Markets Authority said it has “sufficient information” to launch an initial probe after it sought input earlier this year on whether the deal would stifle competition.
The CMA has until Dec. 19 to decide whether to approve the deal or escalate its investigation.
“Google is committed to building the most open and innovative AI ecosystem in the world,” the company said. “Anthropic is free to use multiple cloud providers and does, and we don’t demand exclusive tech rights.”
San Francisco-based Anthropic was founded in 2021 by siblings Dario and Daniela Amodei, who previously worked at ChatGPT maker OpenAI. The company has focused on increasing the safety and reliability of AI models. Google reportedly agreed last year to make a multibillion-dollar investment in Anthropic, which has a popular chatbot named Claude.
Anthropic said it’s cooperating with the regulator and will provide “the complete picture about Google’s investment and our commercial collaboration.”
“We are an independent company and none of our strategic partnerships or investor relationships diminish the independence of our corporate governance or our freedom to partner with others,” it said in a statement.
The U.K. regulator has been scrutinizing a raft of AI deals as investment money floods into the industry to capitalize on the artificial intelligence boom. Last month it cleared Anthropic’s $4 billion deal with Amazon and it has also signed off on Microsoft’s deals with two other AI startups, Inflection and Mistral.