Entries tagged [java]

Wednesday April 24, 2019

The Apache Software Foundation Announces Apache® NetBeans™ as a Top-Level Project

Popular, award-winning Open Source development environment, tooling platform, and application framework enables Java programmers to easily build desktop, mobile, and Web applications

Wakefield, MA —24 April 2019— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today Apache® NetBeans™ as a Top-Level Project (TLP).

Apache NetBeans is an Open Source development environment, tooling platform, and application framework that enables Java programmers to build desktop, mobile, and Web applications. The project was originally developed as part of a student project in 1996, was acquired and open-sourced by Sun Microsystems in 2000, and became part of Oracle when it acquired Sun Microsystems in 2010. NetBeans was submitted to the Apache Incubator in October 2016.

"Being part of the ASF means that NetBeans is now not only free and Open Source software: it is also, uniquely, and for the first time, part of a foundation specifically focused on enabling open governance," said Geertjan Wielenga, Vice President of Apache NetBeans. "Every contributor to the project now has equal say over the roadmap and direction of NetBeans. That is a new and historic step and the community has been ready for this for a very long time. Thanks to the strong stewardship of NetBeans in Sun Microsystems and Oracle, Apache NetBeans is now ready for the next phase in its development and we welcome everyone to participate as equals as we move forward."

Apache NetBeans 11.0 was released on 4 April 2019, and is the project’s third major release since entering the Apache Incubator. The project has most recently won the 2018 Duke's Choice Award, a well established industry award in the Java ecosystem.

"'Have a patch for NetBeans? Then create a pull request for Apache NetBeans!' I love how that sounds," said Jaroslav Tulach, original founder and architect of NetBeans. "I am really glad the transition has gone so well and that 'my NetBeans' has turned into a full-featured project at The Apache Software Foundation."

"From the moment that I first evaluated NetBeans for use in my courses at Dawson College and Concordia University, I recognized that it was a unique tool. In the years that followed, it has never disappointed me as the best tool for education. Now, I am even more excited about using it as it becomes a top-level project in the Apache Software Foundation," said Ken Fogel, Chairperson of Computer Science Technology at Dawson College, Montreal. "A lot of amazing developers from around the world have contributed to making NetBeans a first-class tool worthy of being under The Apache Software Foundation. Now, more than ever, its continued evolution will be faster, more responsive to the needs of the development community, and ever more open to the participation of the community. I am proud to have had a very small part in its development and I am excited to see how it will grow and evolve going forward."

By becoming an Apache project, NetBeans is benefiting from being enabled to receive more contributions from around the world. For example, large companies are using NetBeans as an application framework to build internal or commercial applications and are much more likely to contribute to NetBeans with it being part of the ASF than as part of a commercial enterprise. At the same time, individual contributors from Oracle continue to work on Apache NetBeans in its new home, as part of the worldwide community of individual contributors, both self-employed as well as from other organizations.

"Apache is the perfect home for NetBeans, allowing its long tail of historic contributors to stay involved while also launching another stage in its evolution for newcomers," said Simon Phipps, current President of the Open Source Initiative. "As a member of the new Apache NetBeans Project Management Committee, I look forward to helping in any way I can and I encourage the whole Java family to do so too."

"I've used NetBeans since I first started learning Java over 15 years ago," said Neil C. Smith, creator of PraxisLIVE. "It remains my tool of choice. It's great to be part of the Apache community and helping it to thrive. But NetBeans is more than just a development environment, it's also a powerful platform for building other business and development tools. It forms the backbone of PraxisLIVE, which I have created and continue developing on top of Apache NetBeans, powering a hybrid visual Smalltalk-like IDE for the underlying live programmable Java actor system."

"I am an avid NetBeans user, since my first experience in about 2008. The most important aspect is, quoting Java EE guru Adam Bien: ‘It always works’," said Pieter van den Hombergh, lecturer at Fontys Venlo University of Applied Sciences. "This is particularly important in my job and to my audience: I teach Java, as well as, occasionally, PHP. Now that NetBeans has gone through the hard work of the transfer from Oracle to Apache, I am glad to see it increasingly becoming complete again. I am certain to enjoy using the up to date version with Java 11+, JUnit 5 integration, and all the other goodies, either built-in or provided by the many useful plugins."

"The flip side of freedom is responsibility," added Wielenga. "Now that the community finally has what it’s been asking for for so many years, it needs to step up and take ownership of Apache NetBeans. Each and every user of Apache NetBeans now has the ability to ask themselves where they can best fit in to drive the project forward -- from evaluating bugs, to reviewing pull requests, to tweaking the documentation, to verifying tutorials, to helping answer questions on the mailing lists, or sharing tips and insights on Twitter. Lack of Java knowledge and even lack of programming knowledge is no excuse; there’s really something to do for everyone with any skill or interest level. There is no need nor excuse to stand on the sidelines anymore -- NetBeans is now yours, exactly as much as you want it to be."

Catch Apache NetBeans in action at conferences all over the world. Users are welcome to set up and host their own Apache NetBeans events, such as the annual Apache NetBeans Day UK, which will be held 27 September 2019, in London.

Availability and Oversight
Apache NetBeans software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache NetBeans, visit http://netbeans.apache.org/ and https://twitter.com/netbeans

About the Apache Incubator
The Apache Incubator is the entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects seeking to become an Apache project or initiative enter through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects that provide $20B+ worth of Apache Open Source software to the public at 100% no cost. Through the ASF's merit-based process known as "The Apache Way," more than 730 individual Members and 7,000 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting billions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Aetna, Alibaba Cloud Computing, Anonymous, ARM, Baidu, Bloomberg, Budget Direct, Capital One, Cerner, Cloudera, Comcast, Facebook, Google, Handshake, Hortonworks, Huawei, IBM, Indeed, Inspur, Leaseweb, Microsoft, ODPi, Pineapple Fund, Pivotal, Private Internet Access, Red Hat, Target, Tencent, Union Investment, Workday, and Verizon Media. For more information, visit http://apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "NetBeans", "Apache NetBeans", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Wednesday December 13, 2017

The Apache Software Foundation Announces Apache® Mnemonic™ as a Top-Level Project

Open Source storage-class memory oriented durable object platform for Java application developers in use across an array of industries that include eCommerce, Financial Services, and Semiconductors, among others.

Forest Hill, MD —13 December 2017— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® Mnemonic™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles.

Apache Mnemonic is an Open Source Java-based storage-class memory oriented durable object platform for linked objects processing and analytics. Using Apache Mnemonic, objects can also be directly accessed by other computing languages (e.g. C/C++); the durable object model and durable computing model implemented by this library might lead to new cache-less and SerDe-less (Serializer and Deserializer-less) architecture for high-performance applications and frameworks.

"The Mnemonic community continues to explore new ways to significantly improve the performance of real-time Big Data processing/analytics," said Gang "Gary" Wang, Vice President of Apache Mnemonic. "We worked hard to develop both our code and community the Apache Way, and are honored to graduate as an Apache Top-Level Project."

"Apache Mnemonic fills the void of the ability to directly persist on-heap objects, making it beneficial for use in production to accelerate Big Data processing applications at several large organizations," said Henry Saputra, ASF Member and Apache Mnemonic Incubating Mentor. "I am pleased how the community has grown and quickly embraced the Apache Way of software development and making progressive releases. It has been a great experience to be part of this project."

Mnemonic addresses Big Data performance issues that include serialization, caching, computing bottlenecks, and persistency using next-generation, non-volatile memory (NVM) storage media. Apache Mnemonic abstracts system memory, storage-class memory, and even traditional storage as hybrid memory services. Mnemonic’s performance-oriented architecture features include:

  • Unified platform enabling framework;
  • Unique durable object model and computing model;
  • Flexible and extensible focal point for optimization; and 
  • Easy integration with Big Data projects such as Apache Hadoop and Apache Spark

"Apache Mnemonic provides a unified interface for memory management," said Yanhui Zhao, Apache Mnemonic Committer. "It is playing a significant role in reshaping the memory management in current computer architecture along with the developments of large capacity NVMs, making a smooth transition from present mechanical-based storage to flash-based storage with the minimum cost."

"Apache Mnemonic provides intuitive abstractions and APIs to help make non-volatile memory a more natural and integrated part of data system development," said Wes McKinney, Software Architect at Two Sigma Investments and member of the Apache Arrow Project Management Committee.

Apache Mnemonic is in use by many industries, including eCommerce, Financial Services, and Semiconductors, among others.

"Next generation compute platforms will be dominated by technologies like non-volatile memory (NVM). As NVMs proliferate, we will need to revisit the memory access and the computation models," said Debojyoti Dutta, Distinguished Engineer at Cisco, and member of the Apache Metron and Mnemonic Project Management Committees. "Apache Mnemonic fills the gap around an urgent need to unify the memory management for JVM based applications. Given the proliferation of JVM based data intensive platforms, I expect Mnemonic to have a profound impact in leveraging NVMs for data workloads."

"Apache Mnemonic project will help in building memory based storage systems with the modern big memory storages," said Uma Maheswara Rao G, ASF Member, and member of the Apache Incubator and Hadoop Project Management Committees. "One of the key and useful goal is to avoid the serde overheads while storing and accessing durable objects. The Unified interface of Mnemonic allow us to leverage different type of storage services, that allow applications to use storage services transparently."

"Today’s challenge of data processing from different persistence layers is a big rock for application to manipulate easily and quickly, especially in the world of hybrid from on-premises to in the Cloud," said Luke Han, CEO of Kylingence, ASF Member, and Vice President of Apache Kylin. "Apache Mnemonic brings a way simplified such investment for it, which saved a lot of efforts to unify underlying storage options and speed up project implementation very much."

"We invite individuals interested in Apache Mnemonic to join our mailing lists and contribute to the project," added Wang. "We welcome user feedback across deployments of all scales."

Availability and Oversight
Apache Mnemonic software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache Mnemonic, visit http://mnemonic.apache.org/ and https://twitter.com/ApacheMnemonic

About the Apache Incubator
The Apache Incubator is the entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects wishing to join the ASF enter through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 680 individual Members and 6,300 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hortonworks, Huawei, IBM, Inspur, iSIGMA, ODPi, LeaseWeb, Microsoft, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, Union Investment, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "Mnemonic", "Apache Mnemonic", "Arrow", "Apache Arrow", "Hadoop", "Apache Hadoop", "Metron", "Apache Metron", "Spark", "Apache Spark", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

Tuesday October 31, 2017

The Apache Software Foundation Announces Apache® Juneau™ as a Top-Level Project

Open Source framework for quickly and easily creating Java-based REST microservices and APIs in use at IBM, The Open Group, and Salesforce, among others.

Forest Hill, MD –31 October 2017– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® Juneau™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles.

Apache Juneau is a cohesive framework that allows developers to marshal POJOs (Plain Old Java Objects) and develop REST (Representational State Transfer) microservices and APIs. Marshalling is used to transform an object’s memory representation to a data format suitable for moving between different parts of a computer program (or across programs), and to simplify communications to remote objects with an object.

"We've worked hard on making the Apache Juneau code as simple and easy to use as possible," said James Bognar, Vice President of Apache Juneau. "We packed Juneau with rich features and functionality, and have successfully directed our efforts on building a diverse community that will help drive the project’s future. We’re very proud to graduate as an Apache Top-Level Project."

Apache Juneau consists of:

  1. A universal toolkit for marshalling POJOs to a wide variety of content types using a common cohesive framework;
  2. A universal REST server API for creating self-documenting REST interfaces using POJOs, simply deployed as one or more top-level servlets in any Servlet 3.1.0+ container;
  3. A universal REST client API for interacting with Juneau or 3rd-party REST interfaces using POJOs and proxy interfaces; and
  4. A REST microservice API that combines all the features above with a simple configurable Jetty server for creating lightweight standalone REST interfaces that start up in milliseconds.


Apache Juneau is in use at IBM, The Open Group, and Salesforce, among others. The Apache Streams project began incorporating Apache Juneau libraries in late 2016.

"Removing Dropwizard and Jackson in favor of Apache Juneau simplified our dependency tree, increased the performance of our APIs, and added several features, especially HTML rendering, that have been a huge hit," said Steve Blackmon, Vice President of Apache Streams. "An on-going collaboration between our projects continues to expand the capabilities of Juneau's Remoteable library. As Apache Streams adds additional data provider Java SDKs powered by Juneau, the variety of HTTP interfaces that can be modeled and integrated with Juneau has expanded."

"We were able to replace existing home-grown REST interfaces on top of EMF objects with ones based on Apache Juneau and dramatically reduced the size of our codebase," said Craig Chaney, former Jazz Repository team lead at IBM. "We also used it as the basis for our Docker-based microservices in our CLM-as-a-Service offering."

"I have used Apache Juneau on projects where I need to work with Web Services," said David Goddard, Executive IT Specialist at IBM. "Juneau has saved us many development hours, enabling me to easily consume third-party REST APIs and construct my own Web Services far more quickly than I would otherwise be able to. Juneau also aids the development of robust, maintainable applications with clear logical code structure."

"When The Apache Software Foundation moved the JSON.org license to Category X, successors for JSON processing were needed," said John D. Ament, Vice President of the Apache Incubator, and Apache Juneau incubation mentor. "Apache Juneau was identified as a clean solution. It provides an easy to use API, great performance and a large number of features that made it a strong recommendation for others to leverage."

"As Apache Juneau grows, we welcome new contributors to join the project and take an active role in its development," added Bognar. "Whether reviewing user code, helping with feedback, or contributing code changes through the mailing list, we look forward to learning more about usage patterns to further improve the product."

Meet members of the Apache Juneau community at the Salesforce Dreamforce 2017 conference 6-9 November 2017 in San Francisco.

Availability and Oversight
Apache Juneau software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache Juneau, visit http://juneau.apache.org/ and https://twitter.com/ApacheJuneau

About the Apache Incubator
The Apache Incubator is the entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation. All code donations from external organizations and existing external projects wishing to join the ASF enter through the Incubator to: 1) ensure all donations are in accordance with the ASF legal standards; and 2) develop new communities that adhere to our guiding principles. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF. For more information, visit http://incubator.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 680 individual Members and 6,300 Committers across six continents successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Capital One, Cash Store, Cerner, Cloudera, Comcast, Facebook, Google, Hewlett Packard, Hortonworks, Huawei, IBM, Inspur, iSIGMA, ODPi, LeaseWeb, Microsoft, PhoenixNAP, Pivotal, Private Internet Access, Red Hat, Serenata Flowers, Target, WANdisco, and Yahoo. For more information, visit http://apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "Juneau", "Apache Juneau", "Streams", "Apache Streams", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Monday March 21, 2016

The Apache® Software Foundation announces Apache PDFBox™ v2.0

Milestone release of Open Source Java tool for working with PDF documents features dozens of improvements and enhancements

Forest Hill, MD —21 March 2016— The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today the availability of Apache® PDFBox™ v2.0, the Open Source Java tool for working with Portable Document Format (PDF) documents.

PDF was first released by Adobe Systems in 1993, and became an ISO International Standard - ISO 32000-1 in 2008. Apache PDFBox allows for the creation of new PDF documents, manipulation, rendering, signing of existing documents and the ability to extract content from documents. In addition, PDFBox includes several command line utilities. In February 2015, the project became the first Open Source Partner Organization of the PDF Association.

"PDF is a very popular and easy to use format for document exchange. It is used by millions of people every day, however the format itself is quite complicated and a real challenge to write a piece of software to work with it," said Andreas Lehmkühler, Vice President of Apache PDFBox. "This new major release of PDFBox includes a lot of improvements, fixes and new features which should make the life easier for our users."

Under The Hood
The Apache PDFBox library enables users to create new PDF documents, manipulate existing documents, extract content, digitally sign, print, and validate files against the PDF/A-1b standard. Its command line utilities include encrypt, decrypt, overlay, debugger, merger, PDFToImage, and TextToPDF.

PDFBox v2.0 reflects 1,167 solved issues, 418 of which were back-ported to v1.8, as well as dozens of improvements and enhancements. Highlights include:
  • improved rendering and text extraction
  • Unicode support for PDF creation
  • overhauled interactive forms support
  • extended signing and encryption support
  • overhauled parser including a self-healing mechanism for malformed or corrupted PDFs
  • reduced memory/resources footprint including fine grained control of memory usage
  • enhanced preflight module for PDF/A-1b conformance checking
  • rearranged package structure to allow smaller runtime environments

A guide to migrating to v2.0 is available at http://pdfbox.apache.org/2.0/migration.html , with community support at http://pdfbox.apache.org/mailinglists.html

"We thank all the people from our small but fine community for their support," explained Lehmkühler. "Special thanks also goes to our fellow colleagues from the Apache Tika project for their cooperation in stress-testing with a corpus of 250,000 PDF files."

"We are grateful for the Google Summer of Code program," said PDFBox committer Tilman Hausherr. "The project allowed us to hire students to improve 3D rendering and the PDFDebugger stand-alone application, which also sped up our own bug finding." 

"Apache PDFBox v2.0 is a significant milestone as it took us several years to complete," added Lehmkühler. "This long-awaited release is the collective achievement of more than 150 individuals who have contributed code to date. Without their frequent contributions it wouldn't be possible to drive a project like PDFBox."

Availability and Oversight
Apache PDFBox software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache PDFBox, visit http://pdfbox.apache.org/ 

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 550 individual Members and 5,300 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Alibaba Cloud Computing, ARM, Bloomberg, Budget Direct, Cerner, Cloudera, Comcast, Confluent, Facebook, Google, Hortonworks, HP, Huawei, IBM, InMotion Hosting, iSigma, LeaseWeb, Microsoft, PhoenixNAP, Pivotal, Private Internet Access, Produban, Red Hat, Serenata Flowers, WANdisco, and Yahoo. For more information, visit http://www.apache.org/ and https://twitter.com/TheASF

© The Apache Software Foundation. "Apache", "Apache PDFBox", "PDFBox", "ApacheCon", and their logos are registered trademarks or trademarks of The Apache Software Foundation in the U.S. and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Tuesday November 10, 2015

Apache Commons statement to widespread Java object de-serialisation vulnerability

Authors: Bernd Eckenfels, Committer, and Gary Gregory, Vice President of Apache Commons

In their talk "Marshalling Pickles - how deserializing objects will ruin your day" at AppSecCali2015, Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) presented various security problems that arise when applications accept serialized objects from untrusted sources. A major finding describes a way to execute arbitrary Java functions and even inject manipulated bytecode when using Java Object Serialization (as used in some remote communication and persistence protocols).

Building on Frohoff's tool ysoserial, Stephen Breen (@breenmachine) of Foxglove Security inspected various products like WebSphere, JBoss, Jenkins, WebLogic, and OpenNMS, and describes various attack scenarios for each of them (http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/).

Both research works show that developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

The best protection against this is to avoid using a complex serialization protocol with untrusted peers. It is possible to limit the impact by using a custom ObjectInputStream which overrides resolveClass to implement a whitelist approach (http://www.ibm.com/developerworks/library/se-lookahead/). This might however not always be possible, such as when a framework or application server provides the endpoint. This is rather bad news, as there is no easy fix and applications need to revisit their client-server protocols and overall architecture.

In these rather unfortunate situations, people have looked at the sample exploits. Frohoff provided "gadget chains" in sample payloads which combine classes from the Groovy runtime, Spring framework or Apache Commons Collection. It is quite certain that you can combine more classes to exploit this weakness, but those are the chains readily available to attackers today.



Even when the classes implementing a certain functionality cannot be blamed for this vulnerability, and fixing the known cases will also not make the usage of serialization in an untrusted context safe, there is still demand to fix at least the known cases, even when this will only start a Whack-a-Mole game. In fact, it is for this reason that the original team did not think it necessary to alert the Apache Commons team, hence work has begun relatively late. The Apache Commons team is using the ticket COLLECTION-580 (http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java?r1=1713136&r2=1713307&pathrev=1713307&diff_format=h) to address the issue in the 3.2 and 4.0 branches of commons-collection by disabling de-serialization of the class InvokerTransformer. A to-do item being discussed is whether to provide programmatic enabling of the feature on a per-transformer basis.

There is some precedent for this: the class com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl, which is part of Oracle and OpenJDK JREs and which allows injecting and running bytecode, rejects deserialization if a security manager is defined. This can be turned off with the system property jdk.xml.enableTemplatesImplDeserialization=true. Apache Commons Collection plans to disable this functionality independent of the existence of a security manager, as this execution model is less commonly used than it should be.

However, to be clear: this is not the only known, and especially not the only unknown, usable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resistant to this vulnerability.

We want to thank Gabriel Lawrence for reviewing this blog post. 

Apache Commons Collection is a Java library offering collection classes in addition to the Java Collection framework. The InvokerTransformer is one specific implementation of the Transformer functional interface which can be used to transform objects in a collection (specifically by calling a method via reflection invocation).

Tuesday August 04, 2015

The Apache Software Foundation announces Apache™ Zest™ v2.1

Open Source Composite Oriented Programming platform and tools provides "New Energy For Java"

Forest Hill, MD –4 August 2015– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today the immediate availability of Apache™ Zest™ Java Edition v.2.1, the Composite Oriented Programming platform leveraging Java.

As Java is not a pure object-oriented language (thereby limiting code reuse and recycling), Composite Oriented Programming (COP) defines a whole new paradigm of how software is written, where INTENT is expressed and enforced by the execution environment, helping developers to be disciplined and in return improving efficiency and clarity. Composite Oriented Programming allows developers to work with 'fragments', smaller than classes, and 'compose' fragments into larger 'composites' which act like regular objects. Apache Zest also tackles the enforcement of application composition, i.e. composites are declared in modules, modules are contained in layers and access between layers is controlled/enforced.

"Apache Zest is a completely new way of writing software", said Niclas Hedhman, Vice President of Apache Zest. "Object orientation isn't the appropriate abstraction, as objects in real applications get too bloated and inter-dependent. By working with fragments, it is possible to break the objects down into the respective roles that objects typically have, and mix those roles across different types of objects."

Apache Zest integrates aspect oriented programming, persistence, indexing/query, architecture enforcement and dependency injection.

"This 2.1 release, filled with new features and some bug fixes, is an important stepping stone towards the future," said Paul Merlin, Apache Zest Release Manager. "Compatibility with Qi4j 2.0 API has been maintained, but all documentation and other references are fully converted to Apache Zest, and in Zest 3.0 the transformation will be completed."

"Apache Zest challenges us Java developers to think differently, but enables increased productivity and fewer bugs," said Jiri Jetmar, member of the Apache Zest Project Management Committee and long-time Zest user. "We find that nearly all boiler-plate code, often found in JPA applications are completely eradicated, without mapping configuration and other details that just slows you down."

"Apache Zest's slogan --'New Energy for Java - Classes are Dead, Long Live Interfaces' -- truly captures what Apache Zest is really about: designing software efficiently," added Hedhman. "We are now looking forward to Zest 3.0, with many new interesting features, such as Messaging integration, Event Sourcing, Timeseries, Geospatial Support, and much more. All with Java 8 goodness."

Zest originated as Qi4j in 2007, roughly four years following Rickard Öberg's inception of Composite Oriented Programming (COP). In early 2007, Hedhman convinced Öberg to start a new Open Source project around this concept, and Qi4j was born. Since the project was first announced at the 2007 Oredev conference, 28 people have contributed source to the project, and many others have participated on mailing lists regarding direction, concepts and design.

Apache Zest has the unique designation as the first project to enter the ASF as a pTLP –provisional Top-Level Project– without entering the Apache Incubator (the official entry path for projects and codebases wishing to become part of the efforts at The Apache Software Foundation). As part of its eligibility, Apache Zest had to meet the rigorous requirements of the Apache Maturity Model http://s.apache.org/O4p , which addresses the integrity of a project's code, copyright, licenses, releases, consensus building, and independence, among other qualities. Apache Zest became an official ASF Top-Level Project in March 2015.

"Apache Zest arrived to the Apache Software Foundation four months ago, and we are incredibly satisfied with the progress on both the codebase as well as the transition from our previous Qi4j identity", added Hedhman.

Catch Apache Zest in action on 2 October 2015 at ApacheCon: Core in Budapest, where many members of the core development team will be available for questions and more before and after the presentation http://sched.co/3x3Y

Availability and Oversight
Apache Zest software is released under the Apache License v2.0 and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache Zest, visit http://zest.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than 350 leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 550 individual Members and 4,700 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Bloomberg, Budget Direct, Cerner, Citrix, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, IBM, InMotion Hosting, iSigma, Matt Mullenweg, Microsoft, Pivotal, Produban, WANdisco, and Yahoo. For more information, visit http://www.apache.org/ or follow @TheASF on Twitter.

© The Apache Software Foundation. "Apache", "Zest", "Apache Zest", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #


Tuesday September 30, 2014

The Apache Software Foundation Announces Apache™ Cayenne™ v3.1

Enterprise-grade Open Source Java framework for object relational mapping (ORM), persistence, and caching now easier to configure, with improved modularity and performance.

Forest Hill, MD –30 September 2014– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 200 Open Source projects and initiatives, announced today the availability of Apache™ Cayenne™ v3.1, the Open Source Java framework for object relational mapping (ORM), persistence, and caching.

"With the launch of version 3.1, Apache Cayenne has continued to evolve its mature 12 year-old library by introducing 125 new features," said Andrus Adamchik, Vice President of Apache Cayenne.

Cayenne is an enterprise Java ORM with integrated support for caching, three-tier persistence, object lifecycles and workflow, inheritance, paging, on demand faulting, auditing and much more. As an object relational mapping library, Cayenne integrates applications to any SQL database available today, freeing solutions from being locked into one database engine. At the same time it improves performance through paging and caching, enforces data integrity and makes it dramatically faster for developers to build a reliable application.

Cayenne has a track record of solid performance in high-volume environments. Apache Cayenne is an exceptional choice for persistence services, and is in use at ish onCourse, National Hockey League, Nike, Unilever and the Law Library of Congress (the world's largest publicly-available legal index) as well as dozens of high-demand applications and Websites accessed by millions of users each day.

Apache Cayenne v3.1 is the result of 4 years of development. Notable new features and improvements include:
  • easier configuration and embedding in any type of application;
  • highly configurable runtime, enabled by one of the industry's smallest built-in Dependency Injection (DI) containers written specifically for Cayenne (and that co-exists with other DI/IoC, such as Apache Tapestry). It is also very easy to create more than one runtime, which opens interesting possibilities like multi-tenancy;
  • nearly all components now pluggable, making it very easy to create more than one runtime and easily change or extend internals of the stack declaratively --from cache provider to SQL log format to DataSource lookup strategy and much more;
  • improved ORM modularity to allow projects to be included in libraries without assumptions about the target use. Different aspects of an application can now be modeled in separate mapping projects and combined in runtime as needed. As a result Cayenne projects can be included in libraries that make no assumptions about the target use;
  • extended persistent events model from simple per-object events to more higher-level "workflows" that can be configured with app-specific annotations on persistent classes. Cayenne ships with "cayenne-lifecycle" module that provides a few common examples of such workflows activated on data changes: data modifications audit, precision cache invalidation, etc.; and
  • performance optimizations for improved overall concurrency

"Developers who are seeking an alternate to EJB/Hibernate might find Cayenne's graphical modeler, reverse database engineering, easy to use query API and flexible context model a joy to work with," said Aristedes Maniatis, member of the Apache Cayenne Project Management Committee and CEO of ish.

"We use Apache Cayenne as the ORM for a large and complex budgeting project for around twenty government organizations," said Daniel Abrams, CEO of MassLight. "Cayenne is used to access and persist exhibit data, business validation rules, and account information, and has simplified the development process. A single Cayenne method call evaluates all changes in the user's context and generates all statements required to commit their changes within a single transaction without the developer having to write code to track the changes -- Cayenne does all the work. Since switching to Cayenne, there haven't been any faulting errors that tended to plague the previous version of the application because of the complex data model. This was one of the principal reasons for the switch to Cayenne and the data model has become significantly more complex now."

"We use Cayenne in our system to collect, quality control and distribute world coverage nautical charts to navies, pilots, inspectors and several thousand vessels," said Tore Halset, Development Manager at Electronic Chart Centre and PRIMAR. "We have been happy users of Apache Cayenne since 2005 and are now on version 3.1."

"Apache Cayenne is a core service in Avoka Transact, an engagement platform for multi-channel sales and service transactions," said Malcolm Edgar, Vice President of Engineering at Avoka.

"We use Apache Cayenne to support the Oracle, MySQL, and SQL Server databases. Cayenne provides the right blend of ORM capabilities and low level JDBC access when required. It has been a rock-solid technology for us."

In addition, Apache Cayenne's HTML documentation and tutorials have been completely revised and are available in PDF for the first time.

"Our comprehensive documentation and vibrant, helpful user community are just what you need when you have questions about the internals of Cayenne or the best way to achieve your goals," added Adamchik.

Availability and Oversight
Cayenne v3.1 is available immediately as a free download from http://cayenne.apache.org/download.html. As with all Apache products, Apache Cayenne software is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For documentation and ways to become involved with Apache Cayenne, visit http://cayenne.apache.org/ and @ApacheCayenne on Twitter.

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than two hundred leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 450 individual Members and 4,000 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Budget Direct, Citrix, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, InMotion Hosting, Matt Mullenweg, Microsoft, Pivotal, Produban, WANdisco, and Yahoo. For more information, visit http://www.apache.org/ or follow @TheASF on Twitter.

© The Apache Software Foundation. "Apache", "Apache Cayenne", "Cayenne", "ApacheCon", and the Apache Cayenne logo are trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

# # #

Monday September 29, 2014

Apache™ TomEE™ Wins Duke's Choice Award and Geek Choice Award at JavaOne 2014

Open Source project, Apache TomEE, receives Oracle's Duke's Choice Award and RebelLabs' Geek Choice Award at JavaOne, the premier Java technology conference

Apache TomEE, the all-Apache Java EE 6 Web Profile certified stack, receives a Duke's Choice Award and Geek Choice Award at JavaOne 2014. Oracle's Duke's Choice Award is given to innovative projects and efforts that are invaluable to the Java Community. RebelLabs' annual Geek Choice Awards are awarded to the top 10 technologies that profoundly improve modern software development. The Award winners are to be announced at the JavaOne 2014 conference.

"The increasing popularity and enterprise use rate of Apache TomEE is a success story for Open Source, Java EE and the ASF," said David Blevins, Vice President of Apache TomEE. "Born line by line and contributor by contributor entirely in Open Source, TomEE shows what can happen when JCP standards become open and community-driven, Open Source communities are fueled by business, and de facto standards like Tomcat meet industry standards like Java EE.  It's quite rare when market conditions align to pave the way for something like TomEE.  It's a victory for us all."

Apache TomEE is the Java Enterprise Edition 6 Web Profile Certified edition of Apache Tomcat, the world's most popular Java application server software, with more than 70% market penetration within the enterprise. TomEE is available in three flavors:  TomEE, TomEE JAX-RS and TomEE Plus with version 1.7.1 as the latest release. The rapid large-scale uptick of TomEE in Enterprise deployments is a tribute of quality Open Source solutions driven by committed developers who bring real use cases and requirements to the collaborative development process. TomEE's reputation for reliability and simplicity has grown among businesses seeking a high performance alternative to proprietary commercial products and services.

The Duke's Choice Award, the Java community equivalent of winning an Oscar, is awarded for compelling use of Java Technology. It recognizes distinguished projects that bring invaluable innovation, Java-Powered Technologies and Contributions to Java. One of this year's winners includes The Apache Software Foundation's TomEE project, written in Java, a vanilla Apache Tomcat stack with Java EE features. TomEE is a solution that simplifies the patchwork of APIs enabling enterprise features within Tomcat.

The developer-centric Geek Choice Award is the end result of ZeroTurnaround's RebelLabs annual report on "10 Kick-ass Technologies Modern Developers Love" http://zeroturnaround.com/rebellabs/10-kick-ass-technologies-modern-developers-love/.  This report reveals the industry's best technology based on market data, developer feedback, public interaction volume and anecdotal evidence. Of ten selected winners, Apache Tomcat + TomEE, won for their popularity and high usage rate by development teams. In RebelLabs' survey, Tomcat was the obvious leading application server for developers, with TomEE providing Java EE support for existing Tomcat base and new projects. 

"We are proud to receive such highly regarded awards by Oracle and RebelLabs for one of the Apache's many successful Open Source projects," added Blevins.

Availability and Oversight
A Top-level Project at The Apache Software Foundation, Apache TomEE software is released under the Apache License v2.0, and overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For downloads, documentation, and ways to become involved with Apache TomEE, visit http://tomee.apache.org/  and follow @ApacheTomEE on Twitter.

"Apache", "Apache Tomcat", "Apache TomEE", and "ApacheCon" are trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

# # #

Tuesday July 22, 2014

The Apache Software Foundation Announces Apache™ Log4j™ v2

Framework for widely-used Open Source Java-based logging library now faster and more extensible, with new plugin architecture.

Forest Hill, MD –22 July 2014– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, announced today the General Availability of Apache™ Log4j™ v2, the widely-used Open Source Java-based framework for logging application behavior and activity.

"We are happy to release Log4j 2.0 GA," said Christian Grobmeier, Vice President of Apache Logging Services. "It took us a few years until we got there --its predecessor is one of the most popular logging libraries."

Apache Log4j 2 is the successor of Log4j 1, and reflects thirteen prior releases over the last four years. The framework was rewritten from scratch and has been inspired by existing logging solutions, including Log4j 1 and JUL. Log4j 2 provides support for SLF4J, Commons Logging, Apache Flume and Log4j 1.

Log4j 2 offers performance improvements up to 12x faster in the same environment: Log4j 2 can write more than 18,000,000 messages per second, as opposed to other frameworks that write < 2,000,000 messages per second.

Additional Log4j 2 highlights include: 
  • improved reliability, filters, and configuration syntax; 
  • modularity --plug-in system support;
  • property support;
  • custom log levels;
  • support for XML and JSON configuration; and
  • automatic reloading of configuration

"A payments gateway company adopted Log4j 2 on one of their platforms, and testing has shown at least 100% throughput increase of the application due to bottlenecks they were experiencing with their former logging solution," said Ralph Goers of the Apache Log4j Project Management Committee.

Apache Log4j is widely used across numerous industries and applications. The project currently has code contributions from individuals in financial services, software development, retailing, and consulting, among other sectors.

"It's interesting to note that many of the developments to Log4j 2 came from new code committers to the project," added Grobmeier. "We plan on continuing improving the code and listening to community feedback." 

Availability and Oversight
As with all Apache products, Apache Log4j 2 software is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project’s day-to-day operations, including community development and product releases. For documentation and ways to become involved with Apache Log4j 2, visit http://logging.apache.org/log4j/2.x/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than one hundred and seventy leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 400 individual Members and 3,500 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Budget Direct, Citrix, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, InMotion Hosting, Matt Mullenweg, Microsoft, Pivotal, Produban, WANdisco, and Yahoo. For more information, visit http://www.apache.org/ or follow @TheASF on Twitter.

"Apache", "Apache Log4j", "Log4j", and "ApacheCon" are trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

# # #

Monday April 07, 2014

The Apache Software Foundation Announces Apache™ Olingo™ as a Top-Level Project

Open Source, generic Java client and server library implementation of the OData (Open Data Protocol) standard for interoperable querying and sharing of data across applications in enterprise, Cloud, and mobile environments

Forest Hill, MD –07 April 2014– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 170 Open Source projects and initiatives, announced today that Apache™ Olingo™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project's community and products have been well-governed under the ASF's meritocratic process and principles.

"We are pleased to graduate from the Apache Incubator," said Stephan Klevenz, Vice President of Apache Olingo. "The Apache Way of collaborative software development shows that it is possible to produce high-quality and faithful implementations of standards." Klevenz is also a development architect at SAP and an Apache committer since 2010.

Apache Olingo provides generic Java and JavaScript libraries that implement the Open Data Protocol (OData), the standardized data access protocol used for creating and consuming data APIs in an interoperable manner across applications and devices. OData provides a uniform way to expose full-featured data APIs by building on core protocols such as HTTP as well as commonly accepted methodologies such as REST. 

Apache Olingo serves client and server aspects of OData 2.0, and will serve as a code base for OData 4.0, the OASIS standard of the protocol (OASIS OData TC). The OASIS international open standards consortium recently announced that Open Data Protocol (OData) version 4.0 and OData JavaScript Object Notation (JSON) Format version 4.0 have been approved as OASIS Standards. These REST-based standards simplify the querying, sharing, and consuming of data across applications for re-use in enterprise, Cloud, and mobile environments. More information on the OData ecosystem of open data producer and consumer services is available at http://www.OData.org/

Olingo is used by browser-based user interfaces to query data residing on servers. It is also used to synchronize data to mobile devices, and exchange data between server systems, and is part of the technical foundation of SAP NetWeaver® Gateway technology, among other enterprise solutions.

Olingo entered the Apache Incubator in July 2013, seeded by code from SAP (Java server libraries for OData 2.0) and Microsoft Open Technologies (Java client libraries for OData 3.0 and JavaScript libraries for OData 3.0). The project has since undergone three releases, reflecting 495,107 lines of code and 1,102 commits by 20 individual contributors.

Apache Olingo supports multiple languages, including Java and JavaScript for OData clients and servers, namely OData 2.0 in Java, OData 4.0 in Java, and OData 4.0 in JavaScript. Olingo extensions contain additional features, such as the support of Java Persistence API (JPA) or annotated bean classes. The project's documentation, wiki, and tutorials highlight several examples of implementing a custom OData service, including a sample Web application built with Apache Maven that can be deployed to any Java Platform, Enterprise Edition (JEE)-compliant Web application server, such as Apache Tomcat.

"OData v4 recently became an OASIS standard that is increasingly opening up data for an open Web," said Eduard Koller, Senior Program Manager at Microsoft Open Technologies, Inc. "Apache Olingo is open source software to aid in the production of OData v4.0 clients and servers in both Java and JavaScript. The project brings together several companies and community developers and we look forward to welcoming more users and contributors to the community."

Availability and Oversight
As with all Apache products, Apache Olingo software is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. For documentation and ways to become involved with Apache Olingo, visit http://olingo.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees more than one hundred and seventy leading Open Source projects, including Apache HTTP Server --the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 400 individual Members and 3,500 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(c)(3) charitable organization, funded by individual donations and corporate sponsors including Budget Direct, Citrix, Cloudera, Comcast, Facebook, Google, Hortonworks, HP, Huawei, IBM, InMotion Hosting, Matt Mullenweg, Microsoft, Pivotal, Produban, WANdisco, and Yahoo. For more information, visit http://www.apache.org/ or follow @TheASF on Twitter.

"Apache", "Apache Olingo", "Olingo", and "ApacheCon" are trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

# # #

Tuesday November 19, 2013

The ASF's Position on Oracle's TCK License

In December 2010, The Apache Software Foundation resigned its seat on the JCP Executive Committee. Since then, our access to TCKs that previously had been provided by Oracle to a number of ASF projects has expired.

The ASF has not blocked its projects from having access to JCP-provided TCKs. A number of such TCKs are made available without conditions that affect our ability to release our software under the terms of the Apache License, Version 2.0; for example, the JSR303 Bean Validation TCK was created by Red Hat/JBoss and is available under the Apache License, version 2.0.

This is not the case with a number of TCKs provided by Oracle.

ASF's position has always been that it would license Java TCKs only if it could do so without incurring any restriction that was incompatible with its license and open source software development and distribution practices. Sun Microsystems originally encouraged ASF to join the Java Community Process Executive Committee with the promise that ASF would have the opportunity to help define the Java Specification Participation Agreement and ensure that it included no such restrictions. Progress was slow, and ASF nearly abandoned the JCP in 2002, but eventually Sun agreed -- in a side-letter modifying the TCK License Agreements -- that the restrictions of concern to ASF would be construed so as not to restrict independent open source implementations:

http://jakarta.apache.org/site/sideletter.pdf

Additionally, the JSPA was modified to 1) prevent the specification lead (then Sun, now Oracle) from restricting the development or distribution of independent implementations and 2) require the specification lead to license essential IP royalty-free to any spec-compatible implementations. With these provisions in place, ASF was comfortable that the TCK licenses and JSPA were compatible with its development processes.

Unfortunately, Sun breached the JSPA in 2006 by licensing the Java SE Compatibility Kit under terms inconsistent with its prior representations to ASF and its obligations under the JSPA, and incompatible with ASF's development of Apache Harmony. ASF urged Sun to honor its agreements, but after Sun persisted in its breach for a year, ASF withdrew from the JCP. At the time, Oracle supported ASF's position that Sun was in breach of the JSPA. But after acquiring Sun, Oracle adopted Sun's policy, disregarding the limits of the JSPA that formed the basis for ASF's participation in the JSP and acceptance of the various TCK licenses.

ASF's position has not changed -- it cannot accept restrictions on TCK-tested code that are incompatible with its license and open source development practices. An example is the requirement in Section 2.1(b)(v) of the Stand-Alone TCK License Agreement, that any software tested with the TCK must thereafter be updated to comply with every subsequent version of the corresponding specification published by Oracle. This provision has always been a part of the TCK License Agreement, but was previously relaxed by an agreement with Oracle's predecessor upon which ASF no longer feels it can rely.

Thus, ASF can only agree to the TCK license if Oracle will amend it consistent with the 2002 side-letter referred to above -- i.e. by removing or reconstruing restrictions that are incompatible with ASF's licensing and development practices -- and to make available under these terms all of the TCKs Apache has previously had access to. We would be eager to work with Oracle on these revisions.

# # #

Tuesday April 09, 2013

MEDIA ALERT: The Apache Struts Project Announces Apache Struts™ 1 End-Of-Life

Apache Struts 2 recommended as an elegant Open Source, extensible successor framework for creating enterprise-ready Java Web applications

Forest Hill, MD –9 April 2013–

WHO: The Apache Software Foundation's Apache Struts Project, creators of leading Open Source solutions for creating Java web applications.

WHAT: The Struts™ 1.x Web framework has reached its end-of-life (EOL) and is no longer officially supported.

Created in 2000 to provide an improved development experience over pure Java Server Pages (JSP) utilization, Apache Struts 1 soon became the de-facto standard for Java-based Web application development. Numerous companies world-wide adopted Struts 1 as a strategic platform, even after JSF (Java Server Faces) was introduced as a standardized Java EE framework for Web application development. Its popularity was so prevalent in the early 2000s that most job offerings in the space of Java-based Web technology required Struts 1 as a must-have skill.

Today, many important Websites and Web-based user interfaces continue to rely on Struts 1 technology. In addition, many popular Web frameworks, such as Spring MVC and WebWork, were significantly inspired by Struts 1.

WHEN: The Apache Struts Project Management Committee is not aware of any urgent issues posing the immediate need to eliminate Struts 1 usage. However, the project's EOL status signifies that security and bug fixes will no longer be provided effective immediately.

The Apache Struts project recommends that new projects be developed using Struts 2 as opposed to Struts 1. While any action-based Java web framework is a potential candidate to re-use Struts 1 architectural experience or migrate existing Struts-1-based applications, users are highly advised to investigate Struts 2 as a successor framework.

WHY: Struts 2 is modern, highly decoupled, feature rich, well maintained, and successfully running in many mission-critical projects globally. It shares the same basic principles with Struts 1, and offers a highly improved architecture, API, and solution portfolio.

WHERE: The last release of Apache Struts 1 is version 1.3.10 from December 2008. All software downloads, notices, and updates are available at the Apache Struts project homepage at http://struts.apache.org/.

NEXT STEPS: The Struts community continues its focus on pushing the Apache Struts 2 framework forward, with as many as 23 releases to date. 

Availability and Oversight
Apache Struts software is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases. Apache Struts source code, documentation, mailing lists, and related resources are available at http://struts.apache.org/

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees nearly one hundred fifty leading Open Source projects, including Apache HTTP Server — the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way", more than 400 individual Members and 3,500 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(3)(c) not-for-profit charity, funded by individual donations and corporate sponsors including AMD, Basis Technology, Citrix, Cloudera, Facebook, Go Daddy, Google, HP, Hortonworks, Huawei, IBM, InMotion Hosting, Matt Mullenweg, Microsoft, PSW Group, SpringSource/VMware, WANdisco, and Yahoo!. For more information, visit http://www.apache.org/ or follow @TheASF on Twitter.

"Apache", "Struts", "Apache Struts", and "ApacheCon" are registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. All other brands and trademarks are the property of their respective owners.

# # #

Contact:
Sally Khudairi
Vice President
The Apache Software Foundation
press@apache.org
+1 617 921 8656

Tuesday October 04, 2011

The Apache Software Foundation Announces Apache TomEE Certified as Java EE 6 Web Profile Compatible

Groundbreaking, lightweight, scalable, all-Apache stack ideal for use in enterprise-grade Cloud applications

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of nearly 150 Open Source projects and initiatives, today announced that Apache TomEE has obtained certification as Java EE 6 Web Profile Compatible Implementation.

Making its certification debut at JavaOne, Apache TomEE (pronounced "Tommy") is the Java Enterprise Edition of Apache Tomcat (Tomcat + Java EE = TomEE) that unites several quality Java enterprise projects including Apache OpenEJB, Apache OpenWebBeans, Apache OpenJPA, Apache MyFaces and more.

"It is with great pride that we're announcing Apache TomEE as a certified implementation of the Java EE 6 Web Profile," said David Blevins, Vice President of Apache OpenEJB and original co-developer of TomEE. "Apache TomEE is the newest addition to the Java EE server space, standing alongside the likes of GlassFish, JBoss, and Apache Geronimo."

Developers build applications using Java EE-certified products to ensure portability across Java Enterprise Edition-compatible solutions. Apache TomEE is one of only six certified implementations available to the industry today.

Redefining Enterprise Cloud; Unifying Communities

The three core design objectives for TomEE were: 1) do not alter Tomcat; 2) maintain simplicity; and 3) avoid architecture overhead. This enables developers to quickly and easily build highly performant lightweight enterprise solutions using leading Apache projects without the need for complex modifications or customization. Apache TomEE's integration of Apache OpenWebBeans, Apache MyFaces, Apache ActiveMQ, Apache OpenJPA, and Apache CXF is simple, to-the-point, and focused on the singular task of delivering the Java EE 6 Web Profile in a minimalist fashion.

The simple, all-Apache stack is both incredibly light and fully embeddable, making it ideal for testing and usage in today's evolution of the enterprise Cloud, where the key to scalability is hundreds of tiny servers, as opposed to the traditional definition of how large your servers are. Apache TomEE boasts groundbreaking performance in the following areas:

- Size: exceptionally small (about 24MB for the entire Web profile), consumes very little resources;

- Memory: TCK (Technology Compatibility Kit) passed with no additional memory settings beyond the default – a first in Java EE; and

- Speed: runs exceptionally fast in embedded mode: start/deploy/test/undeploy/stop in 2-3 seconds.

"No longer do developers have to ask 'Do we use Tomcat or Java EE?' at the start of a project, as has been the case for the last 10 years," explained Blevins. "These two camps have historically been separate, and certification is a major step in unifying these communities. With TomEE, developers can now retire untested legacy stacks and use a reliable product that doesn't deviate from the Tomcat that they know and love."

Blevins and members of the Apache OpenEJB community will be presenting several sessions, including "TomEE – Tomcat with a Kick", in the "Servers/Tomcat & Geronimo" track at ApacheCon, 7-11 November 2011, in Vancouver, Canada. To register, visit http://apachecon.com/

Availability and Oversight
Apache TomEE software is released under the Apache License v2.0, and is overseen by the Apache OpenEJB Project Management Committee (PMC) that guides the Project's day-to-day operations, community development, and product releases. Apache TomEE is certified on Amazon EC2 t1.micro, m1.small, and m1.large 32bit images; certification on 64bit EC2 images and other Cloud platforms are in the Project's future plans. Those Cloud vendors wishing to donate resources for TomEE to be certified on their platforms are encouraged to contact the Apache OpenEJB Project for information on how to participate. Apache TomEE source code, documentation, mailing lists, and related resources are available at http://openejb.apache.org/.

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees nearly one hundred fifty leading Open Source projects, including Apache HTTP Server -- the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 350 individual Members and 3,000 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(3)(c) not-for-profit charity, funded by individual donations and corporate sponsors including AMD, Basis Technology, Cloudera, Facebook, Google, HP, Hortonworks, IBM, Matt Mullenweg, Microsoft, PSW Group, SpringSource/VMware, and Yahoo!. For more information, visit http://www.apache.org/.

"Apache", "Apache OpenEJB", and "Apache TomEE" are trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

# # #

Tuesday August 30, 2011

The Apache Software Foundation Announces 10th Anniversary of Apache POI

Open Source project in use at Deutsche Bank, IBM, J.P. Morgan, NASA, Siemens and more.

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of nearly 150 Open Source projects and initiatives, today announced the 10th anniversary of Apache POI. First created in 2001, Apache POI's cross-platform Open Source Java APIs allow users to read and write various file formats from the Microsoft Office suite of applications, including Word, PowerPoint, Excel, Outlook, Visio, and Publisher.

Apache POI is deployed in many highly-visible environments including CERN, Deutsche Bank, Freddie Mac, IBM, J.P. Morgan, Lawrence Livermore National Laboratory, NASA, SAP, and Siemens, among others. In addition, Apache POI is also used in Open Source projects such as Alfresco, JasperReports and Apache Tika.

"Apache POI's powerful solutions give users the ability to create and maintain many Office OpenXML (OOXML) and OLE2-based file formats," said Yegor Kozlov, Vice President of Apache POI. "With POI, you can do almost anything that you can with Microsoft Office products, only using Java."

The latest stable release of the project is v3.7 (October 2010) and the latest development version is 3.8beta4 (August 2011). Highlights include:

- the ability to read and write OLE2 files, including .xls, .doc, and .ppt, as well as MFC serialization API based file formats;

- the ability to read and write OOXML files, including .xlsx, .docx, and .pptx;

- a low-level API to support Open Packaging Conventions using openxml4j;

- highly-developed Java APIs for Excel workbooks, Word documents, and PowerPoint presentations;

- support for Outlook messages and attachments;

- converters for Excel and Word documents to streamline document production and consumption in HTML and XSLF-FO formats; and

- porting other OOXML and OLE2 formats

"Apache POI is a vital component of WSO2's Middleware Platforms and Open PaaS. WSO2 Governance Registry makes use of Apache POI to extract keywords to build its search index for MS Office Documents stored within the resource repository. Meanwhile, WSO2 Data Services Server relies on Apache POI to access MS Excel spreadsheets as Data Sources; making it possible to read data from any Excel Sheet and expose them through Data Services," said Senaka Fernando, Apache Member and Governance Registry Product Manager at WSO2.

In addition, POI's robust spreadsheet API enables advanced formatting, graphics, conditional formatting, data validations and evaluation of Excel formulas. Its streaming spreadsheet API increases performance when used for very large spreadsheet production with limited heap space.

"The spreadsheet libraries in Apache POI have been invaluable in our efforts to streamline workflows for renewable-energy infrastructure modeling and analysis," said Brian Bush, Principal Engineer, Energy Forecasting & Modeling Group, US Department of Energy National Renewable Energy Laboratory. "The clean and robust API that POI provides made it easy for us to embed externally provided spreadsheets within our applications and to evaluate the formulae within those spreadsheets as part of a larger set of analytic computations. We also found that POI opened new avenues for exposing spreadsheets as Web services and for Apache Ant-based regression testing of spreadsheets."

To improve functionality, the Apache POI project often collaborates with other Apache projects and Open Source communities that include Apache Cocoon, Lucene, OpenOffice, and Tika.

"We've donated components directly to those projects for POI-enabling them, and welcome additional contributions," added Kozlov.

Availability and Oversight
As with all Apache products, Apache POI software is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project’s day-to-day operations, including community development and product releases. Apache POI source code, documentation, mailing lists, and related resources are available at http://poi.apache.org/.

About The Apache Software Foundation (ASF)
Established in 1999, the all-volunteer Foundation oversees nearly one hundred fifty leading Open Source projects, including Apache HTTP Server -- the world's most popular Web server software. Through the ASF's meritocratic process known as "The Apache Way," more than 350 individual Members and 3,000 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation's official user conference, trainings, and expo. The ASF is a US 501(3)(c) not-for-profit charity, funded by individual donations and corporate sponsors including AMD, Basis Technology, Cloudera, Facebook, Google, IBM, HP, Matt Mullenweg, Microsoft, PSW Group, SpringSource/VMware, and Yahoo!. For more information, visit http://www.apache.org/.

"Apache" is a trademark of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.

# # #

CONTACT: Sally Khudairi
         The Apache Software Foundation
         press@apache.org
         +1 617 921 8656

Wednesday August 24, 2011

Belated congratulations to the Apache Turbine team on a decade at the ASF and the milestone release of Turbine-4.0-M1!

The Apache Software Foundation raises a glass to Apache Turbine, the rapid-development Web application framework that's been a part of the Foundation over the past decade.

Originally a sub-project of the Apache Jakarta Open Source Java solutions, Apache Turbine became a Top-level Project (TLP) in 2007. Turbine is a servlet based framework that allows experienced Java developers to quickly build secure Web applications. Parts of Turbine can also be used independently from its Web portion to be easily used in other applications.

Websites that use Apache Turbine include JRank, FlashCan, JXTA.org, OpenOffice.org, and Tigris.org. The project has also influenced numerous projects such as Apache DB Torque, Apache Maven and several Apache Commons components.

In addition, the project announced the release of Turbine-4.0-M1. This milestone release is not intended for production, but rather for verification of newly-integrated Fulcrum services and to gain experience migrating a 2.3.3 installation to the new architecture.

The project is seeking feedback from the community to release a stable version of Turbine later this year. For more information, please see http://s.apache.org/bXV

# # #
