[PR] Bump org.apache.derby:derby from 10.15.2.0 to 10.17.1.0 [tomee-tck]

2023-11-20 Thread via GitHub 


dependabot[bot] opened a new pull request, #16:
URL: https://github.com/apache/tomee-tck/pull/16

   Bumps org.apache.derby:derby from 10.15.2.0 to 10.17.1.0.
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.derby:derby=maven=10.15.2.0=10.17.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot show  ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/tomee-tck/network/alerts).
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: JPA impl in TomEE 10?

2023-11-20 Thread Jonathan S. Fisher 
If my opinion counts for anything, I'd love for TomEE to be based on
Apache Foundation projects as much as possible. With JPA itself is
just a large spec to cover, I can understand OpenJPA not having a
current spec implementation and am still thankful for the past efforts
of the committers on that project. My second choice would be
EclipseLink over Hibernate, mainly because of speed, but also because
many of the app servers in the space are already Weld + Hibernate +
other various Redhat derivative projects. TomEE by far is enormously
faster on startup and execution speed than OpenLiberty or WildFly
(deploying the exact same WAR) and I'd be sad to lose that.


On Mon, Nov 20, 2023 at 9:46 AM Jean-Louis Monteiro
 wrote:
>
> Thanks Thomas for pointing this out.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Nov 20, 2023 at 4:06 PM Richard Zowalla  wrote:
>
> > Great news ;-)
> >
> > Am Montag, dem 20.11.2023 um 16:05 +0100 schrieb Thomas Andraschko:
> > > JFYI: https://in.relation.to/2023/11/18/license/
> > >
> > > it seems they would like to move to another license
> > >
> > > Am Di., 7. Feb. 2023 um 16:16 Uhr schrieb Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com>:
> > >
> > > > https://hibernate.org/community/license/
> > > >
> > > > Most Hibernate projects are released under LGPL v2.1
> > > > .
> > > > Only some sub projects are ASL v2
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > >
> > > >
> > > > On Tue, Feb 7, 2023 at 4:12 PM Thomas Andraschko <
> > > > andraschko.tho...@gmail.com> wrote:
> > > >
> > > > > isnt hibernate licensed under Apache2.0?
> > > > >
> > > > > Am Di., 7. Feb. 2023 um 16:10 Uhr schrieb Swell <
> > > > souheil.sul...@gmail.com
> > > > > > :
> > > > >
> > > > > > Because of licenses we cannot ship with hibernate. Better be
> > > > éclipselink
> > > > > to
> > > > > > avoid license hell.
> > > > > >
> > > > > > On Tue 7 Feb 2023 at 16:08, Thomas Andraschko <
> > > > > andraschko.tho...@gmail.com
> > > > > > >
> > > > > > wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > AFAICS OpenJPA isnt in real active development and doenst
> > > > > > > even
> > > > support
> > > > > > all
> > > > > > > JPA 2.2 features.
> > > > > > > Whats your plan for it?
> > > > > > > Can't we just use Hibernate as default?
> > > > > > >
> > > > > > > Best regards,
> > > > > > > Thomas
> > > > > > >
> > > > > >
> > > > >
> > > >
> >
> >



-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as
half full.
Engineers, of course, understand the glass is twice as big as it needs to be.

Re: JPA impl in TomEE 10?

2023-11-20 Thread Jean-Louis Monteiro 
Thanks Thomas for pointing this out.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Nov 20, 2023 at 4:06 PM Richard Zowalla  wrote:

> Great news ;-)
>
> Am Montag, dem 20.11.2023 um 16:05 +0100 schrieb Thomas Andraschko:
> > JFYI: https://in.relation.to/2023/11/18/license/
> >
> > it seems they would like to move to another license
> >
> > Am Di., 7. Feb. 2023 um 16:16 Uhr schrieb Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com>:
> >
> > > https://hibernate.org/community/license/
> > >
> > > Most Hibernate projects are released under LGPL v2.1
> > > .
> > > Only some sub projects are ASL v2
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > On Tue, Feb 7, 2023 at 4:12 PM Thomas Andraschko <
> > > andraschko.tho...@gmail.com> wrote:
> > >
> > > > isnt hibernate licensed under Apache2.0?
> > > >
> > > > Am Di., 7. Feb. 2023 um 16:10 Uhr schrieb Swell <
> > > souheil.sul...@gmail.com
> > > > > :
> > > >
> > > > > Because of licenses we cannot ship with hibernate. Better be
> > > éclipselink
> > > > to
> > > > > avoid license hell.
> > > > >
> > > > > On Tue 7 Feb 2023 at 16:08, Thomas Andraschko <
> > > > andraschko.tho...@gmail.com
> > > > > >
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > AFAICS OpenJPA isnt in real active development and doenst
> > > > > > even
> > > support
> > > > > all
> > > > > > JPA 2.2 features.
> > > > > > Whats your plan for it?
> > > > > > Can't we just use Hibernate as default?
> > > > > >
> > > > > > Best regards,
> > > > > > Thomas
> > > > > >
> > > > >
> > > >
> > >
>
>

Re: JPA impl in TomEE 10?

2023-11-20 Thread Richard Zowalla 
Great news ;-)

Am Montag, dem 20.11.2023 um 16:05 +0100 schrieb Thomas Andraschko:
> JFYI: https://in.relation.to/2023/11/18/license/
> 
> it seems they would like to move to another license
> 
> Am Di., 7. Feb. 2023 um 16:16 Uhr schrieb Jean-Louis Monteiro <
> jlmonte...@tomitribe.com>:
> 
> > https://hibernate.org/community/license/
> > 
> > Most Hibernate projects are released under LGPL v2.1
> > .
> > Only some sub projects are ASL v2
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> > 
> > 
> > On Tue, Feb 7, 2023 at 4:12 PM Thomas Andraschko <
> > andraschko.tho...@gmail.com> wrote:
> > 
> > > isnt hibernate licensed under Apache2.0?
> > > 
> > > Am Di., 7. Feb. 2023 um 16:10 Uhr schrieb Swell <
> > souheil.sul...@gmail.com
> > > > :
> > > 
> > > > Because of licenses we cannot ship with hibernate. Better be
> > éclipselink
> > > to
> > > > avoid license hell.
> > > > 
> > > > On Tue 7 Feb 2023 at 16:08, Thomas Andraschko <
> > > andraschko.tho...@gmail.com
> > > > > 
> > > > wrote:
> > > > 
> > > > > Hi,
> > > > > 
> > > > > AFAICS OpenJPA isnt in real active development and doenst
> > > > > even
> > support
> > > > all
> > > > > JPA 2.2 features.
> > > > > Whats your plan for it?
> > > > > Can't we just use Hibernate as default?
> > > > > 
> > > > > Best regards,
> > > > > Thomas
> > > > > 
> > > > 
> > > 
> >

Re: JPA impl in TomEE 10?

2023-11-20 Thread Thomas Andraschko 
JFYI: https://in.relation.to/2023/11/18/license/

it seems they would like to move to another license

Am Di., 7. Feb. 2023 um 16:16 Uhr schrieb Jean-Louis Monteiro <
jlmonte...@tomitribe.com>:

> https://hibernate.org/community/license/
>
> Most Hibernate projects are released under LGPL v2.1
> .
> Only some sub projects are ASL v2
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Tue, Feb 7, 2023 at 4:12 PM Thomas Andraschko <
> andraschko.tho...@gmail.com> wrote:
>
> > isnt hibernate licensed under Apache2.0?
> >
> > Am Di., 7. Feb. 2023 um 16:10 Uhr schrieb Swell <
> souheil.sul...@gmail.com
> > >:
> >
> > > Because of licenses we cannot ship with hibernate. Better be
> éclipselink
> > to
> > > avoid license hell.
> > >
> > > On Tue 7 Feb 2023 at 16:08, Thomas Andraschko <
> > andraschko.tho...@gmail.com
> > > >
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > AFAICS OpenJPA isnt in real active development and doenst even
> support
> > > all
> > > > JPA 2.2 features.
> > > > Whats your plan for it?
> > > > Can't we just use Hibernate as default?
> > > >
> > > > Best regards,
> > > > Thomas
> > > >
> > >
> >
>

Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-11-20 Thread Jonathan Gallimore 
I've no issue with including it in 8.x, with respect to the EOL
announcement.

What I'm really asking is: if we do this update in 8.x, and you know it'll
negatively impact you (i.e. you'll have some sort of regression), please
say so.

I'll give it a couple of days and then merge the change in, unless we hear
of anything that suggests there would be an issue.

Jon

On Mon, Nov 20, 2023 at 12:32 PM Alex The Rocker 
wrote:

> +1 for this change, given that there's still some time before end of
> this year (=potential for some critical CVEs fixing anyway)
>
> Le lun. 20 nov. 2023 à 12:05, Jean-Louis Monteiro
>  a écrit :
> >
> > Based on the timing (mid-November) and the EOL end of this year, is it
> > worth it?
> > I'd say no. But it's up to you
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Mon, Nov 20, 2023 at 10:48 AM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > I make these changes to 9.x and main - is there any objection to
> making the
> > > change to 8.x as well?
> > >
> > > Thanks
> > >
> > > Jon
> > >
> > > On Wed, Oct 25, 2023 at 3:28 PM Jonathan Gallimore <
> > > jonathan.gallim...@gmail.com> wrote:
> > >
> > > > Thanks for the feedback, and especially the pointer to the JIRA!
> > > >
> > > > Jon
> > > >
> > > > On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla 
> wrote:
> > > >
> > > >> I am ok with the change. I would just updating the related deps in
> our
> > > >> webapps. A backing arquillian test would be useful, I guess.
> > > >>
> > > >> While looking into it (related to logging & classloaders), it might
> be
> > > >> interesting to also have a look on [1].
> > > >>
> > > >> For TomeEE 10, I would like to first have the owb4 branch on main,
> > > >> though (just waiting for johnzon 2.0.0).
> > > >>
> > > >> Gruß
> > > >> Richard
> > > >>
> > > >>
> > > >>
> > > >> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
> > > >>
> > > >>
> > > >>
> > > >> Am Mittwoch, dem 25.10.2023 um 15:19 +0100 schrieb Jonathan
> Gallimore:
> > > >> > I'm hoping the URLClassLoaderFirst change would mean that the
> slf4j-
> > > >> > api
> > > >> > 1.7.x could keep working for you. I'd be happy to add an
> Arquillian
> > > >> > test to
> > > >> > check that as part of a PR for the change. Does that sound ok?
> > > >> >
> > > >> > The upstream dependencies are not pulling in logback.
> > > >> >
> > > >> > If someone wanted to use logback with SLF4J, in a Jakarta EE
> version
> > > >> > of
> > > >> > TomEE, by bundling both slf4j-api and logback in their
> application,
> > > >> > they'd
> > > >> > have to use slf4j-api 2.x (because the Jakarta EE version of
> logback
> > > >> > requires that API level).
> > > >> >
> > > >> > Cheers,
> > > >> >
> > > >> > Jon
> > > >> >
> > > >> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
> > > >> > 
> > > >> > wrote:
> > > >> >
> > > >> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
> > > >> > > although it'd be best if the dependency wasn't seen by the apps
> > > >> > > somehow. I know that's a lot of classloader acrobatics :)
> > > >> > >
> > > >> > > Just to clarify though, the upstream dependencies are or are not
> > > >> > > including logback? If they are including logback, that
> transitive
> > > >> > > dependency ought to be blocked... it's up to the final
> developer to
> > > >> > > decide which binding implementation to use. Including a binding
> > > >> > > (over
> > > >> > > the default sysout binding) would likely cause problems for
> users.
> > > >> > >
> > > >> > >
> > > >> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
> > > >> > >  wrote:
> > > >> > > >
> > > >> > > > Hi All
> > > >> > > >
> > > >> > > > There's a couple of suggestions I'd like to run past the
> group to
> > > >> > > > see if
> > > >> > > > there's any thoughts / potential issues.
> > > >> > > >
> > > >> > > > The first is: updating to SLF4J 2.x API and JUL implementation
> > > >> > > > (specifically 2.0.9) in TomEE. There's a couple of rationale
> > > >> > > > here:
> > > >> > > >
> > > >> > > > - The 1.x branch of SLF4J is no longer maintained
> > > >> > > > - At least one of the bindings (Logback) requires a SLF4J 2.x
> API
> > > >> > > > for
> > > >> > > > Jakarta EE support
> > > >> > > >
> > > >> > > > Secondly, thanks to this bit of code in the class loader:
> > > >> > > >
> > > >> > >
> > > >>
> > >
> https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
> > > >> > > ,
> > > >> > > > it is possible for a webapp to include its own SLF4J API and
> > > >> > > > binding in
> > > >> > > its
> > > >> > > > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
> > > >> > > > org/slf4j/impl/StaticLoggerBinder.class is not included with
> the
> > > >> > > > binders,
> > > >> > > > nor is it called, so shouldSkipSlf4j() returns true, even when
> > > >> > >

Re: [PR] feat(#TOMEE-4281): Better logging we can't load an application class (tomee)

2023-11-20 Thread via GitHub 


jeanouii merged PR #1083:
URL: https://github.com/apache/tomee/pull/1083


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-11-20 Thread Alex The Rocker 
+1 for this change, given that there's still some time before end of
this year (=potential for some critical CVEs fixing anyway)

Le lun. 20 nov. 2023 à 12:05, Jean-Louis Monteiro
 a écrit :
>
> Based on the timing (mid-November) and the EOL end of this year, is it
> worth it?
> I'd say no. But it's up to you
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Nov 20, 2023 at 10:48 AM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > I make these changes to 9.x and main - is there any objection to making the
> > change to 8.x as well?
> >
> > Thanks
> >
> > Jon
> >
> > On Wed, Oct 25, 2023 at 3:28 PM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > Thanks for the feedback, and especially the pointer to the JIRA!
> > >
> > > Jon
> > >
> > > On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla  wrote:
> > >
> > >> I am ok with the change. I would just updating the related deps in our
> > >> webapps. A backing arquillian test would be useful, I guess.
> > >>
> > >> While looking into it (related to logging & classloaders), it might be
> > >> interesting to also have a look on [1].
> > >>
> > >> For TomeEE 10, I would like to first have the owb4 branch on main,
> > >> though (just waiting for johnzon 2.0.0).
> > >>
> > >> Gruß
> > >> Richard
> > >>
> > >>
> > >>
> > >> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
> > >>
> > >>
> > >>
> > >> Am Mittwoch, dem 25.10.2023 um 15:19 +0100 schrieb Jonathan Gallimore:
> > >> > I'm hoping the URLClassLoaderFirst change would mean that the slf4j-
> > >> > api
> > >> > 1.7.x could keep working for you. I'd be happy to add an Arquillian
> > >> > test to
> > >> > check that as part of a PR for the change. Does that sound ok?
> > >> >
> > >> > The upstream dependencies are not pulling in logback.
> > >> >
> > >> > If someone wanted to use logback with SLF4J, in a Jakarta EE version
> > >> > of
> > >> > TomEE, by bundling both slf4j-api and logback in their application,
> > >> > they'd
> > >> > have to use slf4j-api 2.x (because the Jakarta EE version of logback
> > >> > requires that API level).
> > >> >
> > >> > Cheers,
> > >> >
> > >> > Jon
> > >> >
> > >> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
> > >> > 
> > >> > wrote:
> > >> >
> > >> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
> > >> > > although it'd be best if the dependency wasn't seen by the apps
> > >> > > somehow. I know that's a lot of classloader acrobatics :)
> > >> > >
> > >> > > Just to clarify though, the upstream dependencies are or are not
> > >> > > including logback? If they are including logback, that transitive
> > >> > > dependency ought to be blocked... it's up to the final developer to
> > >> > > decide which binding implementation to use. Including a binding
> > >> > > (over
> > >> > > the default sysout binding) would likely cause problems for users.
> > >> > >
> > >> > >
> > >> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
> > >> > >  wrote:
> > >> > > >
> > >> > > > Hi All
> > >> > > >
> > >> > > > There's a couple of suggestions I'd like to run past the group to
> > >> > > > see if
> > >> > > > there's any thoughts / potential issues.
> > >> > > >
> > >> > > > The first is: updating to SLF4J 2.x API and JUL implementation
> > >> > > > (specifically 2.0.9) in TomEE. There's a couple of rationale
> > >> > > > here:
> > >> > > >
> > >> > > > - The 1.x branch of SLF4J is no longer maintained
> > >> > > > - At least one of the bindings (Logback) requires a SLF4J 2.x API
> > >> > > > for
> > >> > > > Jakarta EE support
> > >> > > >
> > >> > > > Secondly, thanks to this bit of code in the class loader:
> > >> > > >
> > >> > >
> > >>
> > https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
> > >> > > ,
> > >> > > > it is possible for a webapp to include its own SLF4J API and
> > >> > > > binding in
> > >> > > its
> > >> > > > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
> > >> > > > org/slf4j/impl/StaticLoggerBinder.class is not included with the
> > >> > > > binders,
> > >> > > > nor is it called, so shouldSkipSlf4j() returns true, even when
> > >> > > > SLF4J and
> > >> > > a
> > >> > > > binder is present in the web app. Simply removing this method,
> > >> > > > and the
> > >> > > > single place it is called seems to enable the web app to do its
> > >> > > > own
> > >> > > logging
> > >> > > > with its own binder.
> > >> > > >
> > >> > > > I've run a TCK build with both of these changes present, and it
> > >> > > > looks ok.
> > >> > > > Does anyone have any feedback with respect to these proposals? Is
> > >> > > > anyone
> > >> > > > out there using SLF4J in their applications with these versions
> > >> > > > of TomEE
> > >> > > > who would be impacted?
> > >> > > >
> > >> > > > Thanks
> > >> > > >
> > >> > > > Jon
> > >> > >
> > >> >

Re: [PR] Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.… (tomee)

2023-11-20 Thread via GitHub 


tichovz commented on code in PR #990:
URL: https://github.com/apache/tomee/pull/990#discussion_r1399037910


##
mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/JWTAuthConfigurationProperties.java:
##
@@ -117,6 +119,15 @@ private JWTAuthConfiguration createJWTAuthConfiguration() {
 config.getOptionalValue("mp.jwt.decrypt.key.algorithm", 
String.class).orElse(null),
 config.getOptionalValue("mp.jwt.verify.publickey.algorithm", 
String.class).orElse(null));
 }
+
+private Boolean queryAllowExp(){

Review Comment:
   Thanks for the improvement.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-11-20 Thread Jean-Louis Monteiro 
Based on the timing (mid-November) and the EOL end of this year, is it
worth it?
I'd say no. But it's up to you
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Nov 20, 2023 at 10:48 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> I make these changes to 9.x and main - is there any objection to making the
> change to 8.x as well?
>
> Thanks
>
> Jon
>
> On Wed, Oct 25, 2023 at 3:28 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > Thanks for the feedback, and especially the pointer to the JIRA!
> >
> > Jon
> >
> > On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla  wrote:
> >
> >> I am ok with the change. I would just updating the related deps in our
> >> webapps. A backing arquillian test would be useful, I guess.
> >>
> >> While looking into it (related to logging & classloaders), it might be
> >> interesting to also have a look on [1].
> >>
> >> For TomeEE 10, I would like to first have the owb4 branch on main,
> >> though (just waiting for johnzon 2.0.0).
> >>
> >> Gruß
> >> Richard
> >>
> >>
> >>
> >> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
> >>
> >>
> >>
> >> Am Mittwoch, dem 25.10.2023 um 15:19 +0100 schrieb Jonathan Gallimore:
> >> > I'm hoping the URLClassLoaderFirst change would mean that the slf4j-
> >> > api
> >> > 1.7.x could keep working for you. I'd be happy to add an Arquillian
> >> > test to
> >> > check that as part of a PR for the change. Does that sound ok?
> >> >
> >> > The upstream dependencies are not pulling in logback.
> >> >
> >> > If someone wanted to use logback with SLF4J, in a Jakarta EE version
> >> > of
> >> > TomEE, by bundling both slf4j-api and logback in their application,
> >> > they'd
> >> > have to use slf4j-api 2.x (because the Jakarta EE version of logback
> >> > requires that API level).
> >> >
> >> > Cheers,
> >> >
> >> > Jon
> >> >
> >> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
> >> > 
> >> > wrote:
> >> >
> >> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
> >> > > although it'd be best if the dependency wasn't seen by the apps
> >> > > somehow. I know that's a lot of classloader acrobatics :)
> >> > >
> >> > > Just to clarify though, the upstream dependencies are or are not
> >> > > including logback? If they are including logback, that transitive
> >> > > dependency ought to be blocked... it's up to the final developer to
> >> > > decide which binding implementation to use. Including a binding
> >> > > (over
> >> > > the default sysout binding) would likely cause problems for users.
> >> > >
> >> > >
> >> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
> >> > >  wrote:
> >> > > >
> >> > > > Hi All
> >> > > >
> >> > > > There's a couple of suggestions I'd like to run past the group to
> >> > > > see if
> >> > > > there's any thoughts / potential issues.
> >> > > >
> >> > > > The first is: updating to SLF4J 2.x API and JUL implementation
> >> > > > (specifically 2.0.9) in TomEE. There's a couple of rationale
> >> > > > here:
> >> > > >
> >> > > > - The 1.x branch of SLF4J is no longer maintained
> >> > > > - At least one of the bindings (Logback) requires a SLF4J 2.x API
> >> > > > for
> >> > > > Jakarta EE support
> >> > > >
> >> > > > Secondly, thanks to this bit of code in the class loader:
> >> > > >
> >> > >
> >>
> https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
> >> > > ,
> >> > > > it is possible for a webapp to include its own SLF4J API and
> >> > > > binding in
> >> > > its
> >> > > > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
> >> > > > org/slf4j/impl/StaticLoggerBinder.class is not included with the
> >> > > > binders,
> >> > > > nor is it called, so shouldSkipSlf4j() returns true, even when
> >> > > > SLF4J and
> >> > > a
> >> > > > binder is present in the web app. Simply removing this method,
> >> > > > and the
> >> > > > single place it is called seems to enable the web app to do its
> >> > > > own
> >> > > logging
> >> > > > with its own binder.
> >> > > >
> >> > > > I've run a TCK build with both of these changes present, and it
> >> > > > looks ok.
> >> > > > Does anyone have any feedback with respect to these proposals? Is
> >> > > > anyone
> >> > > > out there using SLF4J in their applications with these versions
> >> > > > of TomEE
> >> > > > who would be impacted?
> >> > > >
> >> > > > Thanks
> >> > > >
> >> > > > Jon
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > Jonathan | exabr...@gmail.com
> >> > > Pessimists, see a jar as half empty. Optimists, in contrast, see it
> >> > > as
> >> > > half full.
> >> > > Engineers, of course, understand the glass is twice as big as it
> >> > > needs to
> >> > > be.
> >> > >
> >>
> >>
>

Re: [PR] Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.… (tomee)

2023-11-20 Thread via GitHub 


rmannibucau commented on code in PR #990:
URL: https://github.com/apache/tomee/pull/990#discussion_r1398970401


##
mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/config/JWTAuthConfigurationProperties.java:
##
@@ -117,6 +119,15 @@ private JWTAuthConfiguration createJWTAuthConfiguration() {
 config.getOptionalValue("mp.jwt.decrypt.key.algorithm", 
String.class).orElse(null),
 config.getOptionalValue("mp.jwt.verify.publickey.algorithm", 
String.class).orElse(null));
 }
+
+private Boolean queryAllowExp(){

Review Comment:
   ```
   private Boolean queryAllowExp(){
   return config.getOptionalValue("tomee.mp.jwt.allow.no-exp", 
Boolean.class)
   .or(() -> 
config.getOptionalValue("mp.jwt.tomee.allow.no-exp", Boolean.class)
   .map(value -> {
   CONFIGURATION.warning("mp.jwt.tomee.allow.no-exp 
property is deprecated, use tomee.mp.jwt.allow.no-exp propert instead.");
   return value;
   }))
   .orElse(false);
   }
   ```
   
   to avoid to read both entries all the time (`Config` can be slow depending 
the `ConfigSource`) and to avoid the `AtomicBoolean` which is not needed?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.… (tomee)

2023-11-20 Thread via GitHub 


tichovz commented on PR #990:
URL: https://github.com/apache/tomee/pull/990#issuecomment-1818743070

   I made a rebase to main and it seems ok.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-11-20 Thread Jonathan Gallimore 
I make these changes to 9.x and main - is there any objection to making the
change to 8.x as well?

Thanks

Jon

On Wed, Oct 25, 2023 at 3:28 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Thanks for the feedback, and especially the pointer to the JIRA!
>
> Jon
>
> On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla  wrote:
>
>> I am ok with the change. I would just updating the related deps in our
>> webapps. A backing arquillian test would be useful, I guess.
>>
>> While looking into it (related to logging & classloaders), it might be
>> interesting to also have a look on [1].
>>
>> For TomeEE 10, I would like to first have the owb4 branch on main,
>> though (just waiting for johnzon 2.0.0).
>>
>> Gruß
>> Richard
>>
>>
>>
>> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
>>
>>
>>
>> Am Mittwoch, dem 25.10.2023 um 15:19 +0100 schrieb Jonathan Gallimore:
>> > I'm hoping the URLClassLoaderFirst change would mean that the slf4j-
>> > api
>> > 1.7.x could keep working for you. I'd be happy to add an Arquillian
>> > test to
>> > check that as part of a PR for the change. Does that sound ok?
>> >
>> > The upstream dependencies are not pulling in logback.
>> >
>> > If someone wanted to use logback with SLF4J, in a Jakarta EE version
>> > of
>> > TomEE, by bundling both slf4j-api and logback in their application,
>> > they'd
>> > have to use slf4j-api 2.x (because the Jakarta EE version of logback
>> > requires that API level).
>> >
>> > Cheers,
>> >
>> > Jon
>> >
>> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
>> > 
>> > wrote:
>> >
>> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
>> > > although it'd be best if the dependency wasn't seen by the apps
>> > > somehow. I know that's a lot of classloader acrobatics :)
>> > >
>> > > Just to clarify though, the upstream dependencies are or are not
>> > > including logback? If they are including logback, that transitive
>> > > dependency ought to be blocked... it's up to the final developer to
>> > > decide which binding implementation to use. Including a binding
>> > > (over
>> > > the default sysout binding) would likely cause problems for users.
>> > >
>> > >
>> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
>> > >  wrote:
>> > > >
>> > > > Hi All
>> > > >
>> > > > There's a couple of suggestions I'd like to run past the group to
>> > > > see if
>> > > > there's any thoughts / potential issues.
>> > > >
>> > > > The first is: updating to SLF4J 2.x API and JUL implementation
>> > > > (specifically 2.0.9) in TomEE. There's a couple of rationale
>> > > > here:
>> > > >
>> > > > - The 1.x branch of SLF4J is no longer maintained
>> > > > - At least one of the bindings (Logback) requires a SLF4J 2.x API
>> > > > for
>> > > > Jakarta EE support
>> > > >
>> > > > Secondly, thanks to this bit of code in the class loader:
>> > > >
>> > >
>> https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
>> > > ,
>> > > > it is possible for a webapp to include its own SLF4J API and
>> > > > binding in
>> > > its
>> > > > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
>> > > > org/slf4j/impl/StaticLoggerBinder.class is not included with the
>> > > > binders,
>> > > > nor is it called, so shouldSkipSlf4j() returns true, even when
>> > > > SLF4J and
>> > > a
>> > > > binder is present in the web app. Simply removing this method,
>> > > > and the
>> > > > single place it is called seems to enable the web app to do its
>> > > > own
>> > > logging
>> > > > with its own binder.
>> > > >
>> > > > I've run a TCK build with both of these changes present, and it
>> > > > looks ok.
>> > > > Does anyone have any feedback with respect to these proposals? Is
>> > > > anyone
>> > > > out there using SLF4J in their applications with these versions
>> > > > of TomEE
>> > > > who would be impacted?
>> > > >
>> > > > Thanks
>> > > >
>> > > > Jon
>> > >
>> > >
>> > >
>> > > --
>> > > Jonathan | exabr...@gmail.com
>> > > Pessimists, see a jar as half empty. Optimists, in contrast, see it
>> > > as
>> > > half full.
>> > > Engineers, of course, understand the glass is twice as big as it
>> > > needs to
>> > > be.
>> > >
>>
>>

Re: [PR] add an integration test for optional beans (tomee)

2023-11-20 Thread via GitHub 


rzo1 commented on code in PR #1081:
URL: https://github.com/apache/tomee/pull/1081#discussion_r1398847521


##
itests/openejb-itests-optional-classes/3rdpartydep/src/main/java/org/apache/tomee/itests/optional/thirdparty/ThirdPartyApi.java:
##
@@ -0,0 +1,10 @@
+package org.apache.tomee.itests.optional.thirdparty;

Review Comment:
   @struberg Missed header.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[PR] feat(#TOMEE-4281): Better logging we can't load an application class (tomee)

2023-11-20 Thread via GitHub 


jeanouii opened a new pull request, #1083:
URL: https://github.com/apache/tomee/pull/1083

   (no comment)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Feat/TOMEE-4281/annotation deployer logging onerror (tomee)

2023-11-20 Thread via GitHub 


jeanouii closed pull request #1082: Feat/TOMEE-4281/annotation deployer logging 
onerror
URL: https://github.com/apache/tomee/pull/1082


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[PR] Feat/TOMEE-4281/annotation deployer logging onerror (tomee)

2023-11-20 Thread via GitHub 


jeanouii opened a new pull request, #1082:
URL: https://github.com/apache/tomee/pull/1082

   (no comment)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org