Gartner Analyst Defends 'Java EE Is Obsolete' Report

I'm not sure what I expected when I finally connected with Gartner Vice President and Distinguished Analyst Anne Thomas last week to discuss a research note she co-authored that took heavy fire from critics in the enterprise Java community. But her chipper, glad-to-help-out response to my interview request shouldn't have surprised me; in the roughly two decades since we first met, I've found Thomas to be a responsive and thoughtful industry watcher with a relatively thick hide.

"It's my job to be controversial if that's what's needed," Thomas told me, "to make people take a step back and look at what's really going on."

What did surprise me was Thomas's contention that she and her critics are essentially on the same page.

Thomas wrote the report ("Market Guide for Application Platforms") with contributing analyst Aashish Gupta. In it the authors asserted, among other things, that Java EE has not kept pace with architectural trends and digital business initiatives, that Java developers are demonstrating a clear preference for lightweight frameworks over Java EE, and that Java EE is not an appropriate framework for building cloud-native applications. They also advised those responsible for modernizing an enterprise's application infrastructure to "develop a strategy to deal with the obsolescence of Java EE and other three-tier application frameworks."

Java EE community leaders called the Gartner analysts irresponsible and out of touch with the platform, and many blasted the report in blog posts and social media (and my inbox). I interviewed several of those critics for my January post, which includes links to some of the blogs.

Thomas was a bit surprised at the level of outrage over her and Gupta's observations on what she believes are obvious facts about Java EE and the evolving demands on enterprise developers.

"In the note I definitely acknowledged that Java is a tremendous platform for developing enterprise applications," she told me. "But Java EE is, by definition, this amalgam of this massive number of APIs, all of which the certification process says must be present in the platform. What I'm saying is, people don't need 90 percent of the stuff sitting in Java EE to build modern enterprise applications."

Some critics argued that Thomas and Gupta failed to recognize that Java EE has evolved since version 5 and the J2EE era, and that lighter-weight enterprise Java technologies, such as the Web Profile, IBM's WebSphere Liberty Profile, Red Hat's WildFly Swarm, Payara Micro and the new Eclipse MicroProfile, have emerged. Others insisted that the admittedly slower pace of Java EE's evolution is a strength of the platform; it's standards-based, which matters in the enterprise.

But the critics are, if inadvertently, helping to make Thomas's point, she said.

"I'm 100 percent in agreement with a lot of what these guys are saying," she said. "But they've got it in their heads that Java EE means all of Java. The new MicroProfile, for example, is just three Java APIs. That's great, but it's not Java EE."

Everyone understands that Java EE is overgrown, and none better than Thomas, who was working at Sun Microsystems when the platform was conceived and the seeds of that growth were planted.

"The original intention behind Java EE was to make sure that everything you could possibly want in the enterprise Java space was going to be available in any application server you decided to deploy it on," she recalled. "It was all about portability. If I'm building a Java application, I know I'll have this specific set of APIs and these specific versions, so that when I'm building an application I'll know it's there. That was a valuable proposition when Java EE was first created.

"The problem is it ended up becoming this incredibly bloated environment. Do I really need CORBA in applications that I'm building today? In the next version of Java EE, they are going to remove CORBA, so there is evolution happening. The Web Profile took out a bunch of things, and it's a much better environment for building applications than a full-bore Java EE. But it's still very focused on three-tier, where the front-end tier is a Web environment. It's not designed to support multi-client-, multi-channel-type applications. It's not designed to support both Web and mobile, much less 20 or 30 other types of systems that are out there. It's not very well suited to support Internet of Things applications. And it's not designed to support microservices, which is why this independent group has gone off and said, we have to have a MicroProfile for Java EE."

One of the criticisms leveled against Thomas and Gupta's report was that they failed to differentiate between the Java EE standard and what Java EE vendors are building.

"Again, that supports my position," Thomas said. "What the vendors are building is not in conformance with the standard. They are building much smaller, much more focused implementations. They're not including everything but the kitchen sink in case somebody might need it.

"If you look at something like the Jetty Web server, for example, which a lot of people are using now to build their applications, I think it's now about 12MB in size. Compare that with the WebLogic platform, which is over 3GB in size. Why do I need such a big platform to host a microservice? It would be insane to use it. What I want is to embed Jetty, or Undertow, or Tomcat into my Spring Boot component, which is now an independently deployable component. I don't have to deploy it into an application server. I just put it into a container and deploy it directly onto my VM. That's what the new environment looks like."

Effectively, she went on to argue, Java EE and enterprise Java are no longer the same thing. And a modern enterprise Java platform for modern applications is emerging, not from Oracle or the older standards bodies, but from open source communities.

"Over the past five years, maybe longer, the open source communities have literally displaced the big standards bodies as a way of ensuring fast innovation and commonality across different systems," she said. "It takes years for new standards to get produced through the Java Community Process (JCP). And that process is even slower now that Oracle is running the JCP. The fact is, open source in general is a much more effective way of creating community standards. Communities like Spring, CloudFoundry, Eclipse, Apache -- that's where innovation in Java in particular is happening."

Thomas also expressed her admiration for the work of groups like the Java EE Guardians and the initiative, but insisted that they aren't protecting Java EE, but enterprise Java.

"The MicroProfile is saying, this is the stuff that's important to us today," she said, "but Java EE does not give us what we need, so we have to build our own, because Oracle isn't doing that. And the Guardians recognize that Oracle isn't doing what is needed to maintain Java as a critical enterprise language and platform for the modern age."

Posted by John K. Waters on 02/16/2017 at 9:45 AM

Oracle CPU Does Little to Fix Serialization Vulnerability

Oracle's latest Critical Patch Update, the first of 2017, left Java security maven and Waratek CTO John Matthew Holt scratching his head about Big O's fix for a particular vulnerability: CVE-2017-3241, which affects Java SE, Java SE Embedded, and JRockit, and earned a CVSS score of 9.0 out of 10.0 (very bad).

Holt considers this CVE -- a deserialization vulnerability inside the core Java Remote Method Invocation (RMI) APIs -- especially serious, and he lamented Oracle's fix: a user-configurable whitelist/blacklist filter. He called deserialization an "application security nightmare," and Oracle's latest fix "easy, obvious and simple," but not especially effective.

"I'm really not knocking Oracle," he told me. "They did address the vulnerability, but it's a primitive form of defense, and far from what is considered to be the best way of dealing with it."

Serialization is the process of converting an object into a stream of bytes for transport and storage. Deserialization reverses the process when the data is received. Security researchers discovered that the RMI registry and DGC implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could use this vulnerability to execute arbitrary code with the privileges of the RMI registry or a Java RMI application.

In its security advisory, Oracle explained it this way: "This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator)."

High-profile attacks that exploit deserialization vulnerabilities abound, Holt said. To give me a local example, he cited last year's deserialization attack on the San Francisco Metropolitan Transit Agency's Municipal Rail (MUNI to locals). As security researcher Brian Krebs reported in November, the ransomware attack caused fare station terminals to carry the message, "You are Hacked. ALL Data Encrypted," and fare payment machines to read, "OUT OF SERVICE" in red LED letters. An SFMTA Web-facing server was probably compromised by the deserialization attack after it was identified by a vulnerability scan. A similar vulnerability was exploited to attack MedStar, the Maryland health system, last spring, and deprive multiple hospitals of access to critical systems.

The problem with the Oracle fix, Holt said, is fourfold:

  1. Any heuristic or "hands-on" security technique based on whitelists/blacklists almost always requires intricate manual configuration and tuning to operate correctly.
  2. Anything requiring manual human configuration and tuning requires special domain-specific and app-specific knowledge to configure, is expensive to test and validate, and prone to mistakes and human errors.
  3. Incomplete or incorrect configuration/tuning virtually guarantees false-positive results, which will break application operation and service.
  4. Most security professionals know nothing about the serialization mechanics or dependencies of the applications they're tasked with securing, making the job of configuring whitelists/blacklists virtually impossible.

"The consequences of requiring an application owner to know everything about the application -- to be God -- which this approach does, is that you are essentially putting the entire burden of the effectiveness of that security system on the end user, instead of the system," Holt said. "If an attack is successful, it's not the system's fault, but the user's. And that's just not an effective approach."
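The configuration burden Holt lists can be seen in a small filter experiment. This is an added example, not code from Oracle, Waratek or the original post; it uses the standard `java.io.ObjectInputFilter` pattern API (Java 9 and later) as a stand-in for the kind of whitelist/blacklist filter described, and the classes `Order`, `LineItem` and `Unexpected` are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {
    // Constructed application types; the names are hypothetical.
    static class LineItem implements Serializable {
        private static final long serialVersionUID = 1L;
        final int sku;
        LineItem(int sku) { this.sku = sku; }
    }

    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final long id;
        final LineItem item; // nested type the filter author must also know about
        Order(long id, LineItem item) { this.id = id; this.item = item; }
    }

    // Stand-in for a class the application never expects to receive.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserialize 'data' under a pattern filter and report what happened.
    // A REJECTED verdict surfaces as InvalidClassException; ALLOWED and
    // UNDECIDED verdicts both let deserialization continue.
    static String attempt(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Order(42L, new LineItem(7)));
        byte[] other = serialize(new Unexpected());

        // Patterns are ';'-separated class names; '!' rejects, and a trailing
        // "!*" rejects everything that was not explicitly allowed.
        String complete   = "SerialFilterDemo$Order;SerialFilterDemo$LineItem;!*";
        String incomplete = "SerialFilterDemo$Order;!*";          // LineItem forgotten
        String noDefault  = "SerialFilterDemo$Order;SerialFilterDemo$LineItem";
        String denyOnly   = "!SerialFilterDemo$Unexpected";

        System.out.println("complete allow-list, Order      : " + attempt(legit, complete));
        System.out.println("complete allow-list, Unexpected : " + attempt(other, complete));
        // The false-positive case from item 3: the list names the top-level
        // type but not the type nested inside it.
        System.out.println("incomplete allow-list, Order    : " + attempt(legit, incomplete));
        // Without the trailing "!*", unlisted classes are UNDECIDED, not rejected.
        System.out.println("allow-list w/o \"!*\", Unexpected : " + attempt(other, noDefault));
        // A deny-list only stops the names someone thought to write down.
        System.out.println("deny-list, Unexpected           : " + attempt(other, denyOnly));
        System.out.println("deny-list, Order (unlisted)     : " + attempt(legit, denyOnly));
    }
}
```

On Java 11 or later the file runs directly with `java SerialFilterDemo.java`; comparing the "complete" and "incomplete" rows shows how one forgotten nested type turns a working allow-list into an outage.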

Waratek has found a way to circumvent this heuristic approach, and in the process, established a niche in a market overflowing with large enterprises that continue to run custom-developed, mission-critical applications on out-of-date versions. The Dublin-based company's virtualization-based AppSecurity product is designed to protect the Java Platform attack surface from known and unknown vulnerabilities by virtually applying critical patch updates and security policies at runtime. Waratek uses a proprietary Smart Compartment to process deserialization without relying on black or white lists.

"Walk into any really large organization and ask them how many Java applications they've got, and they'll tell you, oh we have 500 server-side applications, or 1,000 or 5,000," Holt said. "This is something we hear regularly. No human being is going to sit down in those organizations and manually create individual deserialization lists for those applications."

One of the knottier challenges facing organizations when it comes to application security -- and one Oracle can't solve with a CPU -- is the typical skill sets of the people charged with it, Holt said. "If you look at the security team in any major organization," he said, "most of the people have backgrounds in network security or systems administration. That's traditional. But application security, which is a relatively new problem space, involves thinking about the security inside the application, and these skill sets are inherently outside the application."

Adding to that challenge: App security can be frustratingly language-specific, he said. "The way deserialization vulnerabilities work and are exploitable on Java are entirely different from the way serialization vulnerabilities are exploitable on .NET or Ruby."

Posted by John K. Waters on 01/24/2017 at 11:47 AM

Oracle's Top 6 Predictions for Developers in 2017

Talking with Siddhartha Agarwal, Oracle's VP of product management and strategy, about the trends his company expects to impact developers in the coming year, I couldn't resist the obvious pun.

"So, you're Oracle's oracle?"

"You could say that, I guess," he said. "But these predictions are based not on my thinking, but on many conversations we've had with our customers, mostly large enterprises. Not many people tell us, for example, that they are currently using containers in development and production. But many people tell us that they want to use containers and they are starting down that path."

Agarwal is responsible for product management and strategy across Oracle's PaaS portfolio. His job, he said, is about "taking this rich portfolio and coming up with the solutions people want and ways to getting them to market."

Those customer conversations have led Oracle, "which has always been very good with IT," to a new focus on delivering "an open, modern, easy platform for developers," he said. "Developers are a very important constituency for us."

Readers should feel free, of course, to take these prognostications with a grain of salt (as we should all industry augury). But keep in mind that Big O is betting big on these trends with investments in products and services with which it fully expects to exploit them.

1. New application development and deployment on containers will become more popular than dev-and-deploy on virtual machines toward the end of 2017 and into 2018.
"We all know the benefits of containers in improving the DevOps lifecycle," Agarwal said, "but when the containers go into production there's a lot more stuff for the developers to manage. They need to manage orchestration tools, such as Kubernetes, for example, and they might need to manage scheduling paradigms, like Marathon, or they might need to manage Etcd, which is the open source distributed key-value store that Kubernetes uses.

"As this trend evolves, developers are going to want a comprehensive cloud-based Container-as-a-Service platform," he added, "something that provides a quick way to create an enterprise-grade container infrastructure."

Not surprisingly, Agarwal pointed to Oracle's Container Cloud Service as one of the solutions that will meet this demand. Announced at last year's Oracle OpenWorld conference, the service provides tools for composing, deploying, orchestrating and managing Docker container-based applications on the Oracle Cloud for Dev, Dev/Test, DevOps and Cloud Native use cases.

2. The number of application releases from typical businesses will double over the coming year.
Oracle believes this accelerated pace will be driven by a burgeoning crowd of line-of-business (LOB) people amid digital transformations who want to experiment, to try a lot of applications or initiatives, with the expectation that only a few of them will succeed. This pace is going to put a lot of pressure on developers, Agarwal said.

"We're finding that the LOB folks just want to try a bunch of things," he said. "They want to get 15 apps out the door, knowing that maybe 13 will fail. They want to test them quickly and get feedback from the users and then they know that the two that succeeded are the ones that will give them the best chance in the competitive marketplace."

3. All new devtest will be done in the cloud by 2020.
A bold prediction, but a logical one, Agarwal said, given customer feedback. "There are obvious benefits for developers from leveraging the cloud," he said. "One is the agility it provides for spinning up resources to build apps. More importantly, the technology or innovation they want to use is all being delivered in the cloud these days -- which means they use the latest and greatest tools to deliver the best apps in the shortest possible time."

Among the drivers of this trend: challenging CIO budgets. "If you think about it, CIOs are spending about 30 percent of their budgets on running, operating, spinning up and managing development environments," Agarwal said. "Now they can free up a significant part of that budget, because devs can manage the process themselves in the cloud."

Exceptions to this trend are likely to be found in organizations with significant compliance requirements, data residency restrictions, or security demands, he added. For those organizations, the devtest is still going to happen in the public cloud, he said, but the apps will need to be flexible and portable, so developers can test them in the public cloud, but then easily move them to the on-premises environment.

4. Everyone is going to want to leverage artificial intelligence (AI) capabilities in their applications.
"AI is going to become the new user interface," Agarwal said. "Over the next year, we're going to see developers looking for ways to get AI capabilities into their applications. But data will be king. You can write as many phenomenal algorithms as you want, but until you have the data and a significant amount of it that the AI-based apps can leverage and deliver smart insight from, that's not going to be very useful."

4a. Chatbot apps with natural language processing will become the norm by 2018.
Along these same lines, Agarwal expects a growing number of developers to begin serious efforts around chatbots and natural language processing. "We're already seeing lots of companies putting out chatbots," he said. Oracle surprised attendees at the OpenWorld event with news that it would be getting into the chatbot business, joining companies like Facebook, Microsoft and Slack. The company plans to deliver a chatbot platform that will enable its customers to build a mobile engagement platform, Agarwal said, that will work seamlessly across mobile, Web and multiple messaging platforms.

5. By 2020 more than 20 percent of the developer community will be made up of non-traditional developers.
The number of so-called low-code developers has been growing steadily for years, so this isn't a particularly bold prediction. The trend is being powered by the same driver as No. 2: a new generation of LOB people who want to develop a Web or mobile app and quickly get it out the door.

Oracle is embracing this trend with its Application Builder Cloud Service, Agarwal pointed out. The low-code coder environment provides a drag-and-drop interface that allows users to "Rapidly create and host engaging business applications with a visual development environment right from the comfort of your browser," the Web site states.

More of these kinds of tools will be coming in the next year or so, Agarwal said, because the demand is growing. "People within marketing, customer service and HR will be able to use these low-code platforms to experiment, or to actually have real applications in production. As they drag and drop and build these apps, they'll be able to expose them as real-life applications. But a lot of it isn't necessarily about building strategic applications, but tactical apps that just help them to get things done."

6. Finally, 60 percent of IT organizations will move their critical systems management to the cloud by 2020.
Oracle is betting big on this one with the Oracle Management Cloud, a suite of integrated monitoring, management and analytics cloud services. "We've built a unified data platform," Agarwal said, "where the performance data across the Web tier, app tier and database tier and the log data being produced on the servers by the VMs and the real-time user experience data -- all of it is being aggregated into one platform. And we put predictive machine learning algorithms into the infrastructure."

Posted by John K. Waters on 01/12/2017 at 6:30 PM

Gartner App Platform Report Calls Java EE Obsolete

Researchers at Gartner dropped something of a bomb on the enterprise Java community just before the holidays in the form of a new report in which analysts claim, among other things, that Java EE is fading from relevance and those responsible for modernizing enterprise application infrastructure should "develop a strategy to deal with the obsolescence of Java EE and other three-tier application frameworks."

Entitled "Market Guide for Application Platforms," the report was authored by veteran industry watcher Anne Thomas and contributing analyst Aashish Gupta. As Gartner defines them, application platforms provide runtime environments for app logic and manage the life cycle of an app or app component. And they typically come with development, monitoring, management, and admin tools.

In their report, Thomas and Gupta allege that Java EE has not kept pace with architectural trends and digital business initiatives requiring new features and capabilities in application platforms. Those responsible for modernizing app infrastructure, they advise, should "retain Java EE servers for existing legacy applications, but use lighter-weight Java frameworks for digital business application development projects or evaluate other language platforms."

The analysts point to a decline in commercial Java EE platform revenues in 2015 as evidence of "a clear shift in the application platform market." They expect fewer than 35 percent of all new business applications to be deployed in Java EE app servers by 2019.

The report's authors do allow that Java continues to be the industry's most popular programming language, but claim that Java developers are demonstrating a clear preference for lightweight frameworks over Java EE. They also acknowledge Oracle's effort to produce a new version of Java EE with "long-overdue features," but argue that, by the time Java EE 8 is released in late 2017, it will already be two or three years behind the times.

"Java EE is not an appropriate framework for building cloud-native applications," they conclude. "Even Oracle and IBM recognize this fact. Both vendors have shifted their strategic application platform investments to PaaS and specialized platform technologies."

I heard from a lot of people in the enterprise Java community about this report. Reza Rahman, the former Oracle Java EE evangelist now leading the Java EE Guardians, said he found the quality of the research and analysis in the report "shocking."

"The most shocking is just how out of date Gartner's views of Java EE are," he told me. "They are clearly talking about technology from the J2EE era, old-school WebLogic and WebSphere, and ignoring everything that has happened in the evolution of Java EE since version 5. For years now, people have been demonstrating at conferences in front of thousands of people how Java EE is one of the most productive platforms out there. But Gartner seems to have decided to brush aside all that, ignoring all the work vendors have put into the platform. The WebSphere Liberty Profile, for example, is vastly different from the WebSphere of the J2EE days; you couldn't get a more lightweight runtime if you tried."

Rahman reminded me that the Java EE Guardians curate "surveys from trusted sources" on their Web site that track Java EE trends. "Those surveys show that Java EE and its APIs continue to be the most widely used in the industry," he said. "The claims that Gartner is making are actually contrary to the known data that we have."

Simon Maple, developer advocate at Java toolmaker ZeroTurnaround, sent me an e-mail in which he addressed several of the report's assertions. The claim that "Java EE has not kept pace with modern architectural trends," for example, is relatively meaningless, he said, when you understand that a standards-based ecosystem like the one supporting Java EE will never be as fast-changing as the non-standard alternatives. And for many people, that's a good thing.

"A standards-based approach means they are able to pick from a number of vendors who use the same model, with limited migration pain," Maple said. "Standards can also provide a sustainable future for a technology as many major organizations adopt and support them."

It's also true that Oracle's "one year of silence on the future of Java EE" was a significant, non-technical contributor to the platform's recent snail-pace evolution, he said. But that silence has been broken (thanks in no small part to the Guardians), and the technical gap between Java EE 7 and Java EE 8 is closing. More importantly, Oracle has strengthened the future of Java EE by committing to the delivery of both microservices and cloud capabilities in Java 8 and Java 9, and by unveiling the roadmap to delivery of Java EE 8 in 2017 and Java EE 9 a year later.

"This refocus to modern architectural trends and faster paced delivery will put Java EE in a much stronger position with modern needs," Maple said, "particularly when paired with standards. The delivery of individual JSRs which comprise the full Java EE version can easily be added to application servers, such as the modular IBM Liberty Profile, without the need to wait for the full umbrella version of Java EE 8 or 9. As a result, it's much faster for application servers to bring this value to market than ever before."

For what it's worth, internal sources at Oracle tell me that the company is really (no really) going to deliver the often-delayed Java EE 8 later this year, and, in fact, is putting the necessary resources behind a 2018 release of Java EE 9. If the latter happens, it would be a record for any steward of enterprise Java, past and present.

Chicago-based developer, blogger, and author Josh Juneau also thought the report missed the mark when it referred to "the obsolescence of Java EE."

"The opposite is actually happening," he said in an e-mail. "Although Oracle took a year off and delayed Java EE 8, things are coming back on track now, and we should be seeing real progress towards Java EE 8 soon. Moreover, the report leads one to believe that Java EE is not positioned very well for developing microservices or for the cloud. That is not accurate, as there are a number of great solutions for developing Java EE microservices. The key is that these APIs are not yet standardized and made part of Java EE proper. That's okay though, because in time we will work through the kinks of developing microservices and standardize on a great API. The same goes for cloud and configuration.

"Java EE moves at a slower pace than solutions from vendors such as Pivotal," Juneau added, "as it should. The point behind Java EE is not to be on the bleeding edge of technology. Rather, it is to be using solid, tried-and-true standard solutions."

Maple admits that the Gartner analysts' statement that "Java EE is not an appropriate framework for building cloud-native applications" is "a reasonable evaluation of the current Java EE position."

"However, the future releases of Java EE do consider this a key area of its future direction," he added. "Unfortunately, the report doesn't go into any depth on this future path, nor the increased pace at which Oracle aims to deliver it. I think it's irresponsible not to mention these, or take them into account when using terms like 'the obsolescence of Java EE.'"

Ondrej Mihályi, a Java EE trainer, consultant, and Senior Services Engineer at Payara Services in the Czech Republic, sent me an e-mail just before Christmas with his reaction, which started with "Wow!" and ended with his observation that the Gartner analysts "irresponsibly provide obsolete information about the Java EE platform."

"They base most of their statements on a very traditional and old-school way of building and running Java EE applications in 3-tier architecture, using Oracle WebLogic and IBM WebSphere servers as a reference," he said. "There is clearly much more in Java EE than these two, and even IBM offers another, highly modular WebSphere Liberty Profile server as an alternative to their flagship product. Other vendors and projects, like WildFly Swarm, sponsored by Red Hat, or Payara Micro, derived from Oracle-sponsored GlassFish Server, prove that Gartner's claim that 'Java EE is a framework for building three-tier client/server applications' no longer reflects the reality."

Mihályi expands his argument on his blog. He concludes it with this paragraph:

"Rather than listening to Gartner, ask architects or experts whom you trust for recommendations based on their experience -- or, simply see for yourself and compare. If you explore beyond the 'traditional' Java EE servers mentioned by Gartner, you will realize that Java EE is already suitable for designing cloud-native applications. The Java EE platform, with its full ecosystem, provides flexible ways to run applications and is easily extensible for any current trends, as well as any future trends to come."

Others have blogged about this report, including Red Hat product manager John Clingan on his "Middle-Me" blog. He offers a detailed analysis of the report, and concludes: "My primary issue with the Gartner report is that it seems to completely ignore the advancements that Java EE vendors have made beyond the traditional Java EE APIs and runtimes, nor mention the MicroProfile efforts to develop microservices APIs for traditional Java EE developers."

Prague-based Java developer Pavel Pscheidl offers "A quick reaction to hate on Java EE in Gartner report" on his blog. (It's actually not all that quick, which is good.) In his conclusion, he invites the Gartner analysts to join him for a "quick online talk." "In a matter of minutes, I can create a microservice-architecture-driven application deployable and easily scalable in the cloud," he writes. "The very thing you claim Java EE is not capable of."

I also invited Thomas and Gupta to respond to all this, but have not yet heard from them. When/if I do, I'll let you know what they have to say.

UPDATE (1/4/17): Mark Little, vice president of engineering at Red Hat and JBoss CTO, has posted a thoughtful and unique take on the Gartner report on his blog. Little allows that Java EE will likely "pass into history" eventually, but in the short-to-medium term, "it will evolve and continue to influence the next generation of technologies, just as the dinosaurs became the birds and aspects of CORBA evolved into J2EE." But he criticizes the report's lack of evidence for its assertions and failure of insight. Its authors offer "one subjective statement after another, with no real attempt to justify them," he writes. And the report "fails miserably to differentiate between Java EE as a standard and the various implementations." Another must read on this issue.

Posted by John K. Waters on 01/03/2017 at 12:30 PM

Live! 360/App DevTrends: Reza Rahman Calls on Java Enterprise Community To Come Together

Reza Rahman delivered the opening keynote at App Dev Trends 2016 (part of Live! 360) Tuesday morning, giving attendees a deep, contextual history of enterprise Java and issuing something of a call to arms.

"If we are going to ensure the future of enterprise Java, we must remain alert, stay engaged, and participate in the community. You have to do these things anyway, of course, but it's more important now than ever. Java EE is a maturing technology. If we don't reenergize it now, as a community, the investment in this technology we have made over the years will go away."

Rahman emerged as a pivotal figure in the enterprise Java world earlier this year, starting with his departure from Oracle, where he had served as Java EE Evangelist, over concerns about what he perceived to be the company's neglect of enterprise Java. Shortly after resuming his consulting work for CapTech, a national IT management consulting firm, Rahman and a group of concerned Java community members launched the Java EE Guardians, and promptly published a petition aimed at Oracle executives.

Rahman's keynote, entitled "You Are the Future of Enterprise Java!" was an apt exploration of a dynamic technology evolution presented within the context of recent developments. It focused on what's inside Java EE 8 and how it got there, and explored the critical role Java EE and APIs currently play in maintaining the health of the entire Java and IT ecosystem.

But at a fundamental level, his presentation was about a community. "The process of defining the scope of Java EE 8 was the most community-opinion-driven process in the history of the platform," he told me in an earlier interview. "In fact, it was the community that helped to smooth the many bumps along the road to Java EE 8 for the entire IT industry."

To a question from a skeptical audience member about how important the Java community really is to the future of Java EE, Rahman offered a hypothetical scenario with the largely Microsoft-centric conference in mind.

"In a worst-case scenario, we -- the Java EE community -- could say, forget about Oracle and let's all just stand behind the MicroProfile project and move the technology ahead together," he said. "But imagine this happening in the Microsoft world. If Microsoft were ever to decide to divest itself from .NET -- and I'm not saying they ever would -- you would have no one to respond, no one who could leverage the strength of a community to get them to change their minds.

"All of what has happened in the past year -- the founding of the Java EE Guardians and the MicroProfile, Oracle's response to our actions, etc. -- to me, is a validation that the Java ecosystem works. In fact, I'd say that this is the worst fire drill that we could have gone through, proving out what differentiates us from all the other technologies out there; that this is not an autocracy, but a dynamic system with multiple layers of control. Even with all our recent bellyaching and strife, we are still fundamentally one of the strongest ecosystems around."

AppDevTrends is part of the popular Live! 360 uberconference, underway this week at Loews Royal Pacific Resort at Universal Orlando. We're running side-by-side with Visual Studio Live!, SQL Server Live!, Office/SharePoint Live!, Modern Apps Live!, and TechMentor. Videos of some of the other keynotes from the show are available here.

Be sure to say "hi" if you see me at the show, and follow the latest updates on my Twitter.

Posted on 12/06/2016 at 4:13 PM

Java Community Process (JCP) Elects New Members, Including First Associate Members

The election results are in! No, not that election. I'm talking about the 2016 Fall Executive Committee (EC) election of the Java Community Process (JCP).

Each year roughly half the seats of the 24-member EC are up for ratification/election. The EC oversees the work of the Expert Groups that define Java specifications, essentially guiding the evolution of Java. The committee picks the JSRs that will be developed, approves draft specs and final specs, approves Technology Compatibility Kit (TCK) licenses, approves maintenance revisions and occasionally defers features to new JSRs, approves transfer of maintenance duties between members, and provides guidance to the Program Management Office (PMO).

In other words, who sits on this committee matters.

"This was the strongest slate of candidates since I've been in the job," JCP chair Patrick Curran told me when I caught up with him at the Devoxx Belgium Conference last week. (Thank you, Skype.) "It was really competitive this year."

This is also the first election held under the new JCP 2.10 rules, which, among other things, created two new seats on the committee for unaffiliated individuals. The new Associate Member seats are part of an ongoing effort by the JCP to get more Java jocks involved in the process. The JCP recently introduced Associate Membership, again, aimed at individuals who want to contribute to a Java Specification Request (JSR). There's no employer approval required and Associate Members get to vote for the two new Associate EC seats.

There are now three JCP membership levels: the new Associate level; the Partner level, which is for Java User Groups and other non-profit organizations; and Full Membership, which is for "legal entities who wish to join Expert Groups, lead JSRs, and/or vote or serve on the Executive Committee."

Curran says the JCP's recent recruitment effort has drawn several hundred new members in the past few months, largely in the Associate category. Although Associate membership doesn't include full JCP benefits, it does provide developers with an opportunity to build their reputations, Curran said.

"Previously the only way to participate in the JCP and get public recognition was to be on an Expert Group," he said. "Now, Associate members who participate, say, through the Adopt-a-JSR program or their local Java User Group, can get formal recognition for their work."

The JCP, of course, is the standards-development organization for Java. The organization has been making some serious changes over the past few years through a project called JCP.Next, and the new seats were part of that effort. JCP 2.10 reclassified two of the existing Elected seats to provide for this new type of EC membership. The current EC was formed through JSR 355, which merged the SE/EE EC and the ME EC. The JCP continues to wrestle with the challenge of revising the Java Specification Participation Agreement (JSPA), which Curran has called "big and scary."

Today, the EC comprises 16 Ratified Seats, 6 Elected Seats, and the 2 new Associate Seats, as well as a permanent seat held by Oracle America, the official steward of Java. The Ratified Seats are filled by Full Members nominated by the PMO; the Elected and Associate Seats are filled by members nominated by Full and Partner Members.

So who got elected this time around?

The first two Associate Members of the EC are Java champion and enterprise software architect Ivar Grimstad, who is a member of the Expert Group for JSR 368 and JSR 372, and a member of the NetBeans dream team; and software architect and designer Werner Keil, who serves as senior test automation engineer at ING-DiBa, and who has contributed his insights to this blog more than once.

I reached out to EC member and London Java User Group leader Martijn Verburg, whose organization was also re-elected this year. I asked him about the EC's goals for the coming year, and he got back to me via e-mail.

"Our next immediate goal is to work with Oracle and OpenJDK to better align the open source model of development that is Java today (where everything is out in the open) with the requirements of the standards body (needing point in time specifications for purposes of IP flow as much as anything else)," he said. "There have already been some useful early stage discussions, but we'll have to wait for a few weeks before we can publicly comment. This will be an important step to helping Java get released more often."

The complete election results are available online here.

Last year I talked with Patrick Curran about the JCP, and one of his comments bears repeating here:

"The strength of the JCP is the fundamentally simple model of a group of interested experts defining specifications through a formal process that includes public review and oversight by an Executive Committee (EC). The process has always been flexible enough not to define exactly how the Expert Groups should do their work. This has permitted a natural evolution (with a little help and direction from the EC in the form of revisions to the Process) from the early days of relatively private deliberations by representatives of large corporations to the current, much more open and collaborative model. It's a Community Process, and that's its strength."

Posted by John K. Waters on 11/15/2016 at 3:52 PM

Q&A: App Dev Trends Live Preview with Java Maven Kito Mann

The debut of AppDev Trends 2016, our first-ever industry conference, is less than a month away! We're part of the very popular Live! 360 conference, scheduled for Dec. 5-9 at Loews Royal Pacific Resort at Universal Orlando. This is a multi-conference event that includes Visual Studio Live!, SQL Server Live!, Office/SharePoint Live!, Modern Apps Live!, TechMentor -- and us.

We've been planning this thing for nearly a year, and we've put together an awesome schedule of sessions and keynotes. As I mentioned in a previous post, we're bringing something to this event that's been largely missing in years past: serious Java. Reza Rahman, one of the chief drivers behind the Java EE Guardians, is giving our keynote, and a number of well-known Java experts will be leading sessions.

I had the pleasure of hosting a webcast last month, in which one of our presenters, Kito D. Mann, gave attendees a taste of the three sessions he will be leading at the Orlando event.

Kito is principal consultant at Virtua Inc., where he specializes in enterprise application architecture, training, development, and mentoring with JavaServer Faces, HTML5, portlets, Liferay, and Java EE technologies. He's also the editor-in-chief of, co-host of the Enterprise Java Newscast, and author of JavaServer Faces in Action. And he's served in expert groups of the Java Community Process and is one of the founding members of the Java EE Guardians.

Like I said: serious Java.

Kito is a popular and frequent speaker and session leader. His talks and presentations have been on the agendas of ... well ... a bunch of other conferences we need not mention here. The important thing is, he'll be leading three sessions at AppDev Trends 2016:

  • PrimeFaces 6: Modern UI widgets for Java EE, which covers the core PrimeFaces components and the key new features in PrimeFaces 6.
  • Full Stack Java with JSweet, Angular 2, PrimeNG and JAX-RS, which explores how to build an application using modern front-end technologies using Java for both the front-end and back-end.
  • Who's Taking out the Garbage, which takes a deeper look at how Garbage Collection works in the JVM.

I talked with Kito at the end of the webcast about a couple of his sessions.

PrimeFaces, the open-source UI component library for JavaServer Faces (JSF), has become a de facto standard for JSF component libraries. Version 5 was a major update, and version 6 had 345 new features, components and enhancements. Is this tech on track, and what would you like to see in the next update?
It's definitely on the right track. What amazes me is that something so mature and with so many features that there's still more to add. If you look at 6.06, which just came out, it has things like a brand new text editor, and some enhancement to the exporter, which is a popular feature used for exporting PDF and CSV files. One of the things I've worked with the PrimeTek team on a lot over the last few years is accessibility. There's probably still a bit of work left to do there, but really not that much. And I'd also like to see a little more functionality around the exporter.

I loved the slide of the guy from Columbia you used to underscore the global popularity of PrimeFaces. How do you account for that popularity?
Among other things, it came out right around the same time as JSF 2 -- which was a huge upgrade -- and so it didn't have any of the baggage associated with older versions of JSF. It came right out of the gate with support for all the new JSF 2 features. Also, a lot of it has to do with Cagatay Civici (the founder of PrimeFaces), who is an awesome guy, and just really fast. He's all about constantly developing and putting stuff out there.

I thought what you said about Angular being the 800-pound gorilla of Web development, especially given the big rewrite that is Angular 2, was very interesting. How would you characterize the impact of this rewrite?
I'm amazed at the number of people already working with it, especially since it just came out, and it kept breaking some compatibility between release candidates, which I'm not used to seeing. You had people asking, do I rewrite in Angular 2 or do I move to another framework. Hopefully now it's pretty stable in terms of the API. And a lot of people are going to stick with it, because it has a lot of backing and it's a really powerful framework.

The entire webcast is available now online.

Posted by John K. Waters on 11/09/2016 at 10:13 AM

NetBeans 8.2 Release Last Before Apache Handoff

NetBeans 8.2 became generally available last week, marking the last release under Oracle's stewardship. Big O's proposal to hand off the open source development environment, tooling platform and application framework to the Apache Software Foundation (ASF) has been accepted. Next stop: the Apache Incubator Project.

The ASF Incubator Project is the official entry path for projects and code bases whose supporters want them to become part of the ASF. It's where those projects are vetted to make sure they comply with the ASF legal standards and their support communities adhere to the ASF's guiding principles.

This release of what the community is already calling Apache NetBeans comes with a number of fixes and enhancements. Topping the list is an improved Java profiler, which includes new SQL Queries profiling modes, which enable profiling calls from Java processes to databases using a JDBC connection. The profiler displays a live list of executed SQL queries with times and execution counts, including the invocation paths, Oracle's Jiri Sedlacek explained in a blog post. Filtering based on statement type, command type, and related tables is available, and the collected data can be saved to a snapshot for offline analysis.

All SQL queries are displayed, regardless of the target database, Sedlacek wrote, and the profiler now enables coloring of results based on user-defined filters. "This is especially useful for the SQL call trees, but works in all profiler views," she wrote. The defined filters can also be easily added to results filters or instrumentation filters.

The list of key features in the NetBeans IDE 8.2 release also includes:

  • ECMAScript 6 support
  • NodeJS enhancements
  • Oracle JET support enhancements
  • PHP7 support
  • Docker support
  • New editor multicaret features
  • New pinnable watches feature
  • C/C++ enhancements

NetBeans continues to be a popular Java IDE (1.5 million active users, according to the community), but it has grown beyond Java to support C/C++, Groovy, PHP, JavaScript, and the HTML5 and CSS Web development standards. The NetBeans Incubator Wiki explains the argument for moving the IDE to the ASF:

Although NetBeans is already open source, moving it to a neutral place like Apache, with its strong governance model, is expected to help get more contributions from various organizations. For example, large companies are using NetBeans as an application framework to build internal or commercial applications and are much more likely to contribute to it once it moves to neutral Apache ground. At the same time, though Oracle will relinquish its control over NetBeans, individual contributors from Oracle are expected to continue contributing to NetBeans after it has been contributed to Apache, together with individual contributors from other organizations, as well as self-employed individual contributors.

The wiki also provides the very long list of Initial Committers to the project.

NetBeans has been dual licensed (CDDL + GPL v2 with Classpath Exception), but will be migrated shortly to the current Apache license.

Posted by John K. Waters on 10/10/2016 at 9:32 AM

The Future of Apache NetBeans

I am deeply bummed that I had to miss the NetBeans party at the Tonga Room and Hurricane Bar in San Francisco on Saturday night. The 71-year-old tiki bar's cocktails are legendary. And it would have been great to talk with the JavaOne attendees IRL about this Apache NetBeans business.

Fortunately, Geertjan Wielenga, principal product manager in Oracle's Developer Tools group, and Bill Pataky, VP of product management for Oracle's PaaS, Mobile Software and Developer Tools groups, gave me a call.

It was Wielenga who announced Oracle's proposed contribution of the venerable Java IDE to the Apache Software Foundation, via the ASF's Incubator Project. As I reported earlier, the open source project will be called Apache NetBeans, and will, as Wielenga wrote, "continue to primarily focus on providing tools for the Java ecosystem, while also being focused on tools for other ecosystems, languages and technologies...."

Wielenga reminded me that moving the NetBeans development platform is going to require some heavy lifting. More than 30 NetBeans repositories must be moved from the Mercurial source control manager to Apache's repository (Git or Subversion).

"This is going to be one of the largest projects Apache has ever had to deal with," he said. "They're excited about it, but it's going to be quite a bit of work figuring out how things match up."

The process of sorting out the licensing and IP issues is going to take some time, too, Pataky pointed out. Oracle has a number of products that depend on NetBeans, including the Oracle Developer Studio, and even the JDeveloper IDE shares a lot of code with NetBeans.

"When Sun open sourced NetBeans 16 years ago, open source had a very different role in the enterprise," he said. "Sun set itself up as a benevolent dictator, and did a fairly good job of building a community over the years. But that model is pretty stale, and the community is asking for a broader role. Our solution was to open up the governance model."

Oracle has resources (people) committed to NetBeans through the NetBeans 9 release, Pataky said. More than two dozen Oracle employees are included on the initial committers' list (which, BTW, includes James Gosling, the Father of Java).

"We will be adding additional folks to that list once we get through initial process with Apache," Pataky said.

There's a dot-dot release in the offing, Pataky said, but NetBeans 9 is likely to be the first official Apache NetBeans.

"We are committed to NetBeans for the foreseeable future, and we're welcoming the many community members, large and small, to take a much larger role in the planning and building of releases through NetBeans 9 and beyond."

I also heard from one of the proposed committers on that list: Martijn Verburg, CEO of jClarity and co-leader of the London Java Users' Group. "It looks like Oracle has a large number of committers on the initial list," he said in an e-mail, "so I'm hopeful that with that core strength and extra community contributions, NetBeans will continue to add value to the ecosystem."

NetBeans has a solid following, Verburg noted, ranking behind only IntelliJ and Eclipse among popular Java development environments. But that third-place spot means the IDE is unlikely to be a major commercial success for Oracle.

"However, it makes sense for Oracle, as the stewards of Java, to continue supporting NetBeans and open up the door to more contributions from the outside to help keep the Java IDE tooling ecosystem competitive," Verburg said. "The community certainly should be happy after years of campaigning to have NetBeans and other important parts of the Java ecosystem put into a software foundation where it's treated more as a public service or utility than a single vendor's product."

IDC analyst Al Hilwa sees Oracle's decision as one that will have positive consequences for the Java community, and for the company. "Oracle has gotten a lot of undeserved flak around NetBeans," he said in an e-mail, "even though they have continued to evolve it and share it internally with JDeveloper, and even though it has, in fact, gained more users in the last few years. Apache is a highly respected open source foundation with a solid governance model, and so I expect NetBeans to be even more popular as a result of this move. A battle of IDEs, including Eclipse, JDeveloper, and IntelliJ, is always a good thing for a programming language, as it is a mark of the size of the community."

I also heard from Forrester analyst Jeffrey S. Hammond: "NetBeans has long had a close following, so it will be interesting to see if that community blossoms under an Apache governance model," he said. "From Oracle's perspective, this could be construed as another step in slimming down commitments to Java in terms of the tools they directly support that target the languages. Supporting multiple IDEs (JDeveloper, Eclipse and NetBeans) always seemed like an expensive proposition to me. This move may end up being a win-win for the community and Oracle, assuming there's a community ready and willing to keep up support."

The NetBeans community is larger than ever, with approximately 1.5 million active users, worldwide, according to the NetBeans Web site.

Here's hoping there are enough tiny pink umbrellas for all their Mai Tais.

Posted by John K. Waters on 09/19/2016 at 4:44 PM
