Re: [ANN] Welcome new Apache TomEE Committer Thomas Andraschko

2024-03-27 Thread Jonathan Gallimore
Congratulations Thomas, and welcome!

On Tue, Mar 26, 2024 at 8:42 PM Richard Zowalla  wrote:

> The Project Management Committee (PMC) for Apache TomEE has
> invited Thomas to become a committer and we are pleased to announce
> that he has accepted.
>
> I'm very proud to be writing this announcement on behalf of the Apache
> TomEE PMC. You have been continuously contributing (over the last
> decade!) to the project and to a lot of our dependencies, with code,
> documentation, examples and most important, helping out users and other
> potential committers.
>
> You are involved in so many EE-related projects at the ASF, you have
> the Apache way and I'm glad you accepted the invite.
>
> It's our committer responsibility to enable others to contribute and
> again I think you have been doing great.
>
> Being a committer enables easier contribution to the project since
> there is no need to go via the patch submission process. This should
> enable better productivity.
>
> Please join me and send him a warm welcome and thank you.
>
> Regards
> Richard
>


Re: JPA impl in TomEE 10?

2024-01-08 Thread Jonathan Gallimore
I've created a WIP PR which had the changes I had:
https://github.com/apache/tomee/pull/1090.

Still working on unit test failures, and likely isn't complete.

I'll keep plugging away, but equally happy for someone else to incorporate
this into another PR, or trash this and do something else, or whatever -
I'm happy either way.

Jon

On Mon, Jan 8, 2024 at 11:08 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Awesome. I'll take a look.
>
> Jon
>
> On Mon, Jan 8, 2024 at 10:50 AM Richard Zowalla 
> wrote:
>
>> Hey Jon,
>>
>> your changes (if they are committed at the ee10 migrate merge) are
>> basically already on "main" :)
>>
>> Regards
>> Richard
>>
>> On Monday, 08.01.2024 at 10:37 +, Jonathan Gallimore wrote:
>> > I did _some_ work on concurrency a while back. Very happy to rebase it -
>> > maybe it helps even if it isn't complete.
>> >
>> > Jon
>> >
>> > On Sun, Jan 7, 2024 at 5:40 PM Thomas Andraschko <
>> > andraschko.tho...@gmail.com> wrote:
>> >
>> > > 1) OpenJPA: couldn't we just set EclipseLink as our default for now?
>> > > We don't need to remove it, but leaving it as default is not a good
>> > > decision.
>> > > 2) BatchEE: Is there an alternative impl for now available? I can try
>> > > to migrate BatchEE to jakarta later but for now the highest prio for
>> > > me and my company is to migrate to an EE10 container.
>> > > 3) Concurrency: Can you point me to the sources? I will try to work on
>> > > it upcoming week.
>> > >
>> > > On Fri, 5 Jan 2024 at 11:07, Richard Zowalla <
>> > > rich...@zowalla.com> wrote:
>> > >
>> > > > I have tested a custom TomEE 10 build (with fixed deps) for quite
>> > > > a while now and it worked for my usecases.
>> > > >
>> > > > What needs to be done (imho):
>> > > >
>> > > > - We need to have stable versions for BatchEE and OpenJPA.
>> > > > Currently, they are only SNAPSHOT.
>> > > >
>> > > > - Implement the concurrency changes. Currently, they are only
>> > > > added as stub impls. (I am not using that in my test env, so didn't
>> > > > encounter issues)
>> > > >
>> > > > - TCK still hangs but isn't a blocker for a milestone imho.
>> > > >
>> > > > Thoughts?
>> > > >
>> > > > Regards
>> > > > Richard
>> > > >
>> > > >
>> > > > On 5 January 2024 10:40:05 CET, Thomas Andraschko <
>> > > > andraschko.tho...@gmail.com> wrote:
>> > > > > i would like to have everything apache, too but i think our
>> > > > > goal must be to get a TomEE10-M1 release out ASAP.
>> > > > > we can later easily make openjpa the default again.
>> > > > >
>> > > > > how should we proceed here?
>> > > > > i have some time slots to work on something and provide PRs, we
>> > > > > just need some decisions.
>> > > > >
>> > > > >
>> > > > > On Mon, 20 Nov 2023 at 23:12, Jonathan S. Fisher <
>> > > > > exabr...@gmail.com> wrote:
>> > > > >
>> > > > > > If my opinion counts for anything, I'd love for TomEE to be
>> > > > > > based on
>> > > > > > Apache Foundation projects as much as possible. With JPA
>> > > > > > itself is
>> > > > > > just a large spec to cover, I can understand OpenJPA not
>> > > > > > having a
>> > > > > > current spec implementation and am still thankful for the
>> > > > > > past efforts
>> > > > > > of the committers on that project. My second choice would be
>> > > > > > EclipseLink over Hibernate, mainly because of speed, but also
>> > > > > > because
>> > > > > > many of the app servers in the space are already Weld +
>> > > > > > Hibernate +
>> > > > > > other various Redhat derivative projects. T

Re: JPA impl in TomEE 10?

2024-01-08 Thread Jonathan Gallimore
Awesome. I'll take a look.

Jon

On Mon, Jan 8, 2024 at 10:50 AM Richard Zowalla  wrote:

> Hey Jon,
>
> your changes (if they are committed at the ee10 migrate merge) are
> basically already on "main" :)
>
> Regards
> Richard
>
> On Monday, 08.01.2024 at 10:37 +, Jonathan Gallimore wrote:
> > I did _some_ work on concurrency a while back. Very happy to rebase it -
> > maybe it helps even if it isn't complete.
> >
> > Jon
> >
> > On Sun, Jan 7, 2024 at 5:40 PM Thomas Andraschko <
> > andraschko.tho...@gmail.com> wrote:
> >
> > > 1) OpenJPA: couldn't we just set EclipseLink as our default for now?
> > > We don't need to remove it, but leaving it as default is not a good
> > > decision.
> > > 2) BatchEE: Is there an alternative impl for now available? I can try
> > > to migrate BatchEE to jakarta later but for now the highest prio for
> > > me and my company is to migrate to an EE10 container.
> > > 3) Concurrency: Can you point me to the sources? I will try to work on
> > > it upcoming week.
> > >
> > > On Fri, 5 Jan 2024 at 11:07, Richard Zowalla <
> > > rich...@zowalla.com> wrote:
> > >
> > > > I have tested a custom TomEE 10 build (with fixed deps) for quite
> > > > a while now and it worked for my usecases.
> > > >
> > > > What needs to be done (imho):
> > > >
> > > > - We need to have stable versions for BatchEE and OpenJPA.
> > > > Currently, they are only SNAPSHOT.
> > > >
> > > > - Implement the concurrency changes. Currently, they are only
> > > > added as stub impls. (I am not using that in my test env, so didn't
> > > > encounter issues)
> > > >
> > > > - TCK still hangs but isn't a blocker for a milestone imho.
> > > >
> > > > Thoughts?
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > >
> > > > On 5 January 2024 10:40:05 CET, Thomas Andraschko <
> > > > andraschko.tho...@gmail.com> wrote:
> > > > > i would like to have everything apache, too but i think our
> > > > > goal must be to get a TomEE10-M1 release out ASAP.
> > > > > we can later easily make openjpa the default again.
> > > > >
> > > > > how should we proceed here?
> > > > > i have some time slots to work on something and provide PRs, we
> > > > > just need some decisions.
> > > > >
> > > > >
> > > > > On Mon, 20 Nov 2023 at 23:12, Jonathan S. Fisher <
> > > > > exabr...@gmail.com> wrote:
> > > > >
> > > > > > If my opinion counts for anything, I'd love for TomEE to be
> > > > > > based on
> > > > > > Apache Foundation projects as much as possible. With JPA
> > > > > > itself is
> > > > > > just a large spec to cover, I can understand OpenJPA not
> > > > > > having a
> > > > > > current spec implementation and am still thankful for the
> > > > > > past efforts
> > > > > > of the committers on that project. My second choice would be
> > > > > > EclipseLink over Hibernate, mainly because of speed, but also
> > > > > > because
> > > > > > many of the app servers in the space are already Weld +
> > > > > > Hibernate +
> > > > > > other various Redhat derivative projects. TomEE by far is
> > > > > > enormously
> > > > > > faster on startup and execution speed than OpenLiberty or
> > > > > > WildFly
> > > > > > (deploying the exact same WAR) and I'd be sad to lose that.
> > > > > >
> > > > > >
> > > > > > On Mon, Nov 20, 2023 at 9:46 AM Jean-Louis Monteiro
> > > > > >  wrote:
> > > > > > >
> > > > > > > Thanks Thomas for pointing this out.
> > > > > > > --
> > > > > > > Jean-Louis Monteiro
> > > > > > > http://twitter.com/jlouismonteiro
> > > > > > > http://www.tomitribe.com
> > > > > > >
> > &

Re: JPA impl in TomEE 10?

2024-01-08 Thread Jonathan Gallimore
I did _some_ work on concurrency a while back. Very happy to rebase it -
maybe it helps even if it isn't complete.

Jon

On Sun, Jan 7, 2024 at 5:40 PM Thomas Andraschko <
andraschko.tho...@gmail.com> wrote:

> 1) OpenJPA: couldn't we just set EclipseLink as our default for now? We don't
> need to remove it, but leaving it as default is not a good decision.
> 2) BatchEE: Is there an alternative impl for now available? I can try to
> migrate BatchEE to jakarta later but for now the highest prio for me and my
> company is to migrate to an EE10 container.
> 3) Concurrency: Can you point me to the sources? I will try to work on it
> upcoming week.
>
> On Fri, 5 Jan 2024 at 11:07, Richard Zowalla <
> rich...@zowalla.com> wrote:
>
> > I have tested a custom TomEE 10 build (with fixed deps) for quite a while
> > now and it worked for my usecases.
> >
> > What needs to be done (imho):
> >
> > - We need to have stable versions for BatchEE and OpenJPA. Currently,
> > they are only SNAPSHOT.
> >
> > - Implement the concurrency changes. Currently, they are only added as
> > stub impls. (I am not using that in my test env, so didn't encounter
> > issues)
> >
> > - TCK still hangs but isn't a blocker for a milestone imho.
> >
> > Thoughts?
> >
> > Regards
> > Richard
> >
> >
> > On 5 January 2024 10:40:05 CET, Thomas Andraschko <
> > andraschko.tho...@gmail.com> wrote:
> > >i would like to have everything apache, too but i think our goal must be
> > >to get a TomEE10-M1 release out ASAP.
> > >we can later easily make openjpa the default again.
> > >
> > >how should we proceed here?
> > >i have some time slots to work on something and provide PRs, we just
> > >need some decisions.
> > >
> > >
> > >On Mon, 20 Nov 2023 at 23:12, Jonathan S. Fisher <
> > >exabr...@gmail.com> wrote:
> > >
> > >> If my opinion counts for anything, I'd love for TomEE to be based on
> > >> Apache Foundation projects as much as possible. With JPA itself is
> > >> just a large spec to cover, I can understand OpenJPA not having a
> > >> current spec implementation and am still thankful for the past efforts
> > >> of the committers on that project. My second choice would be
> > >> EclipseLink over Hibernate, mainly because of speed, but also because
> > >> many of the app servers in the space are already Weld + Hibernate +
> > >> other various Redhat derivative projects. TomEE by far is enormously
> > >> faster on startup and execution speed than OpenLiberty or WildFly
> > >> (deploying the exact same WAR) and I'd be sad to lose that.
> > >>
> > >>
> > >> On Mon, Nov 20, 2023 at 9:46 AM Jean-Louis Monteiro
> > >>  wrote:
> > >> >
> > >> > Thanks Thomas for pointing this out.
> > >> > --
> > >> > Jean-Louis Monteiro
> > >> > http://twitter.com/jlouismonteiro
> > >> > http://www.tomitribe.com
> > >> >
> > >> >
> > >> > On Mon, Nov 20, 2023 at 4:06 PM Richard Zowalla  wrote:
> > >> >
> > >> > > Great news ;-)
> > >> > >
> > >> > > On Monday, 20.11.2023 at 16:05 +0100, Thomas Andraschko wrote:
> > >> > > > JFYI: https://in.relation.to/2023/11/18/license/
> > >> > > >
> > >> > > > it seems they would like to move to another license
> > >> > > >
> > >> > > > On Tue, 7 Feb 2023 at 16:16, Jean-Louis Monteiro <
> > >> > > > jlmonte...@tomitribe.com> wrote:
> > >> > > >
> > >> > > > > https://hibernate.org/community/license/
> > >> > > > >
> > >> > > > > Most Hibernate projects are released under LGPL v2.1.
> > >> > > > > Only some sub projects are ASL v2
> > >> > > > > --
> > >> > > > > Jean-Louis Monteiro
> > >> > > > > http://twitter.com/jlouismonteiro
> > >> > > > > http://www.tomitribe.com
> > >> > > > >
> > >> > > > >
> > >> > > > > On Tue, Feb 7, 2023 at 4:12 PM Thomas Andraschko <
> > >> > > > > andraschko.tho...@gmail.com> wrote:
> > >> > > > >
> > >> > > > > > isn't hibernate licensed under Apache2.0?
> > >> > > > > >
> > >> > > > > > On Tue, 7 Feb 2023 at 16:10, Swell <
> > >> > > > > > souheil.sul...@gmail.com> wrote:
> > >> > > > > >
> > >> > > > > > > Because of licenses we cannot ship with hibernate. Better be
> > >> > > > > > > EclipseLink to avoid license hell.
> > >> > > > > > >
> > >> > > > > > > On Tue 7 Feb 2023 at 16:08, Thomas Andraschko <
> > >> > > > > > > andraschko.tho...@gmail.com> wrote:
> > >> > > > > > >
> > >> > > > > > > > Hi,
> > >> > > > > > > >
> > >> > > > > > > > AFAICS OpenJPA isn't in real active development and doesn't
> > >> > > > > > > > even support all JPA 2.2 features.
> > >> > > > > > > > What's your plan for it?
> > >> > > > > > > > Can't we just use Hibernate as default?
> > >> > > > > > > >
> > >> > > > > > > > Best regards,
> > >> > > > > > > > Thomas
> > >> > > > > > > >
> > >> > > > > > >
> > >> > > > > >
> > >> > > > >
> > >> > >
> > >> > >
> > >>
> > >>
> > >>
> > >> --
> > 

Re: [RESULT] [VOTE] Release Apache TomEE 9.1.2 (take 2)

2023-12-19 Thread Jonathan Gallimore
That should all be done. Any issues, please let me know. Thanks to everyone
for the review and votes.

Jon

On Tue, Dec 19, 2023 at 2:04 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> +1s:
>
> Richard Zowalla (binding)
> Martin Wiesner
> Alex The Rocker
> Jean-Louis Monteiro (binding)
> Daniel Dias Dos Santos
> Jonathan Gallimore (binding)
>
> Also noting the -1 (with a ?) from Frank Jung, which has been discussed
> and we'll be tackling in 9.1.3. I note that Frank has filed a JIRA here:
> https://issues.apache.org/jira/browse/TOMEE-4291. I suspect this may
> require XBean updates as well as EclipseLink, but I haven't looked at it.
> Frank - thank you very much for taking the time to review the release and
> feedback - I want to assure you it is greatly appreciated, and we'll work
> through the JIRA ticket.
>
> With 6 +1's (3 binding), I declare this has passed, and will proceed with
> the release.
>
> Jon
>
> On Mon, Dec 18, 2023 at 10:11 PM Daniel Dias Dos Santos <
> daniel.dias.analist...@gmail.com> wrote:
>
>> Hello
>> +1
>>
>> On Mon, Dec 18, 2023, 17:37 Alex The Rocker  wrote:
>>
>> > I agreed that this EclipseLink specific issue is not a blocker for
>> > releasing TomEE 9.1.2.
>> >
>> > As I mentioned, I tested TomEE+ with IBM Semeru 21 Milestone 1 without
>> > issue (but okay, I use no JPA so maybe that's why), and right now
>> > moving to Java 21 isn't critical, as running with Java 17 is still
>> > fine for the short term.
>> >
>> > However it will be nice to fix that EclipseLink issue shortly after
>> > 9.1.2 is released, so as to make sure it won't be forgotten and to
>> > allow tests with wider scope than mine with Java 21
>> >
>> > So again +1 (non-binding)
>> >
>> > Thanks,
>> > Alex
>> >
>> > On Mon, 18 Dec 2023 at 21:08, Jean-Louis Monteiro
>> >  wrote:
>> > >
>> > > Not a show stopper. Jakarta EE 9 does not require Java 21.
>> > > So we are good, the upgrade can go later for the next maintenance
>> > > release.
>> > > Also here is my own +1
>> > > Thank you Jon for the release
>> > > --
>> > > Jean-Louis Monteiro
>> > > http://twitter.com/jlouismonteiro
>> > > http://www.tomitribe.com
>> > >
>> > >
>> > > On Mon, Dec 18, 2023 at 11:35 AM Richard Zowalla  wrote:
>> > >
>> > > > IMHO it isn't a show stopper because users can just replace the lib
>> > > > in /lib - I feel like it is more important to get the CVE patches
>> > > > out very soonish but finally up to the release manager :)
>> > > >
>> > > > On Monday, 18.12.2023 at 11:21 +0100, Frank Jung wrote:
>> > > > > -1 ?
>> > > > > I'm not sure if this is considered to be a showstopper, concerning
>> > > > > only Java 21:
>> > > > >
>> > > > > Eclipselink needs a dependency update to work with Code compiled
>> > > > > with JDK 21.
>> > > > > Created a ticket for that:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4291
>> > > > >
>> > > > > > -Original Message-
>> > > > > > From: Richard Zowalla
>> > > > > > Sent: Monday, 18 December 2023 09:37
>> > > > > > To: dev@tomee.apache.org
>> > > > > > Subject: Re: [VOTE] Release Apache TomEE 9.1.2 (take 2)
>> > > > > >
>> > > > > > Any more votes?
>> > > > > >
>> > > > > > On Tuesday, 12.12.2023 at 16:57 +, Jonathan Gallimore wrote:
>> > > > > > > Hi All,
>> > > > > > >
>> > > > > > > I'd like to start a vote for the release of Apache TomEE 9.1.2.
>> > > > > > > TomEE 9.1.2 is a maintenance release with dependencies upgrades
>> > > > > > > and bug fixes. It also fixes the latest Tomcat vulnerabilities
>> > > > > > > as well as other CVEs.
>> > > > > > >
>> > > > > > > ###
>> > > > > > >
>> > > > > > >

[RESULT] [VOTE] Release Apache TomEE 9.1.2 (take 2)

2023-12-19 Thread Jonathan Gallimore
+1s:

Richard Zowalla (binding)
Martin Wiesner
Alex The Rocker
Jean-Louis Monteiro (binding)
Daniel Dias Dos Santos
Jonathan Gallimore (binding)

Also noting the -1 (with a ?) from Frank Jung, which has been discussed and
we'll be tackling in 9.1.3. I note that Frank has filed a JIRA here:
https://issues.apache.org/jira/browse/TOMEE-4291. I suspect this may
require XBean updates as well as EclipseLink, but I haven't looked at it.
Frank - thank you very much for taking the time to review the release and
feedback - I want to assure you it is greatly appreciated, and we'll work
through the JIRA ticket.

With 6 +1's (3 binding), I declare this has passed, and will proceed with
the release.

Jon

On Mon, Dec 18, 2023 at 10:11 PM Daniel Dias Dos Santos <
daniel.dias.analist...@gmail.com> wrote:

> Hello
> +1
>
> On Mon, Dec 18, 2023, 17:37 Alex The Rocker  wrote:
>
> > I agreed that this EclipseLink specific issue is not a blocker for
> > releasing TomEE 9.1.2.
> >
> > As I mentioned, I tested TomEE+ with IBM Semeru 21 Milestone 1 without
> > issue (but okay, I use no JPA so maybe that's why), and right now
> > moving to Java 21 isn't critical, as running with Java 17 is still
> > fine for the short term.
> >
> > However it will be nice to fix that EclipseLink issue shortly after
> > 9.1.2 is released, so as to make sure it won't be forgotten and to
> > allow tests with wider scope than mine with Java 21
> >
> > So again +1 (non-binding)
> >
> > Thanks,
> > Alex
> >
> > On Mon, 18 Dec 2023 at 21:08, Jean-Louis Monteiro
> >  wrote:
> > >
> > > Not a show stopper. Jakarta EE 9 does not require Java 21.
> > > So we are good, the upgrade can go later for the next maintenance
> > > release.
> > > Also here is my own +1
> > > Thank you Jon for the release
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > On Mon, Dec 18, 2023 at 11:35 AM Richard Zowalla  wrote:
> > >
> > > > IMHO it isn't a show stopper because users can just replace the lib
> > > > in /lib - I feel like it is more important to get the CVE patches
> > > > out very soonish but finally up to the release manager :)
> > > >
> > > > On Monday, 18.12.2023 at 11:21 +0100, Frank Jung wrote:
> > > > > -1 ?
> > > > > I'm not sure if this is considered to be a showstopper, concerning
> > > > > only Java 21:
> > > > >
> > > > > Eclipselink needs a dependency update to work with Code compiled
> > > > > with JDK 21.
> > > > > Created a ticket for that:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4291
> > > > >
> > > > > > -Original Message-
> > > > > > From: Richard Zowalla
> > > > > > Sent: Monday, 18 December 2023 09:37
> > > > > > To: dev@tomee.apache.org
> > > > > > Subject: Re: [VOTE] Release Apache TomEE 9.1.2 (take 2)
> > > > > >
> > > > > > Any more votes?
> > > > > >
> > > > > > On Tuesday, 12.12.2023 at 16:57 +, Jonathan Gallimore wrote:
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I'd like to start a vote for the release of Apache TomEE 9.1.2.
> > > > > > > TomEE 9.1.2 is a maintenance release with dependencies upgrades
> > > > > > > and bug fixes. It also fixes the latest Tomcat vulnerabilities
> > > > > > > as well as other CVEs.
> > > > > > >
> > > > > > > ###
> > > > > > >
> > > > > > > Maven Repo:
> > > > > > > https://repository.apache.org/content/repositories/orgapachetomee-1225/
> > > > > > >
> > > > > > > ###
> > > > > > >
> > > > > > > Binaries & Sources:
> > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1225/tomee-9.1.2/
> > > > > > >
> > > > > > > ###
> > > > > > >
> > > > > > > Tags:

Re: [VOTE] Release Apache TomEE 9.1.2 (take 2)

2023-12-13 Thread Jonathan Gallimore
Here's my own +1 (binding).

Jon

On Tue, Dec 12, 2023 at 4:57 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi All,
>
> I'd like to start a vote for the release of Apache TomEE 9.1.2. TomEE
> 9.1.2 is a maintenance release with dependencies upgrades and bug fixes. It
> also fixes the latest Tomcat vulnerabilities
> as well as other CVEs.
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1225/
>
> ###
>
> Binaries & Sources:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1225/tomee-9.1.2/
>
> ###
>
> Tags:
> https://github.com/apache/tomee/releases/tag/tomee-9.1.2
>
> ###
>
> = Apache TomEE 9.1.2 Release Notes
> :index-group: Release Notes
> :jbake-type: page
> :jbake-status: published
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266]
> ActiveMQ 5.16.7 / 5.18.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4278[TOMEE-4278]
> Commons CLI 1.6.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4277[TOMEE-4277]
> Commons Codec 1.16.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4274[TOMEE-4274]
> Commons DBCP 2.11.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4275[TOMEE-4275]
> Commons Lang3 3.13.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4276[TOMEE-4276]
> Jackson 2.15.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4279[TOMEE-4279]
> Log4J2 2.21.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4280[TOMEE-4280]
> WSS4J 3.0.2
>
> == New Feature
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4281[TOMEE-4281]
> Improve logging when failing to load a class
>  - link:https://issues.apache.org/jira/browse/TOMEE-4268[TOMEE-4268]
> Create MicroProfile OpenAPI Reader exemple
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4267[TOMEE-4267]
> MicroProfile Metrics JMX Registrar must be initialized once
>
> == Improvement
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4285[TOMEE-4285] Port
> fix for CVE-2023-46589 for TomEE 9.x
>  - link:https://issues.apache.org/jira/browse/TOMEE-4286[TOMEE-4286]
> Namespace error when processing web-fragment.xml
>  - link:https://issues.apache.org/jira/browse/TOMEE-4287[TOMEE-4287]
> Better information when XBean Finder fails to read a class/jar file
>  - link:https://issues.apache.org/jira/browse/TOMEE-4289[TOMEE-4289]
>  java.util.NoSuchElementException in SystemLogHandler
>  - link:https://issues.apache.org/jira/browse/TOMEE-4269[TOMEE-4269]
> Enable SLF4J 2.x webapps to include bindings in their WEB-INF/lib
>
> == Task
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4284[TOMEE-4284]
> Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.no-exp
>
> ###
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Thanks
>
> Jon
>
>
>
>


[VOTE] Release Apache TomEE 9.1.2 (take 2)

2023-12-12 Thread Jonathan Gallimore
Hi All,

I'd like to start a vote for the release of Apache TomEE 9.1.2. TomEE 9.1.2
is a maintenance release with dependencies upgrades and bug fixes. It also
fixes the latest Tomcat vulnerabilities
as well as other CVEs.

###

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1225/

###

Binaries & Sources:
https://dist.apache.org/repos/dist/dev/tomee/staging-1225/tomee-9.1.2/

###

Tags:
https://github.com/apache/tomee/releases/tag/tomee-9.1.2

###

= Apache TomEE 9.1.2 Release Notes
:index-group: Release Notes
:jbake-type: page
:jbake-status: published

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266]
ActiveMQ 5.16.7 / 5.18.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4278[TOMEE-4278]
Commons CLI 1.6.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4277[TOMEE-4277]
Commons Codec 1.16.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4274[TOMEE-4274]
Commons DBCP 2.11.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4275[TOMEE-4275]
Commons Lang3 3.13.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4276[TOMEE-4276]
Jackson 2.15.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4279[TOMEE-4279] Log4J2
2.21.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4280[TOMEE-4280] WSS4J
3.0.2

== New Feature

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4281[TOMEE-4281]
Improve logging when failing to load a class
 - link:https://issues.apache.org/jira/browse/TOMEE-4268[TOMEE-4268] Create
MicroProfile OpenAPI Reader exemple

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4267[TOMEE-4267]
MicroProfile Metrics JMX Registrar must be initialized once

== Improvement

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4285[TOMEE-4285] Port
fix for CVE-2023-46589 for TomEE 9.x
 - link:https://issues.apache.org/jira/browse/TOMEE-4286[TOMEE-4286]
Namespace error when processing web-fragment.xml
 - link:https://issues.apache.org/jira/browse/TOMEE-4287[TOMEE-4287] Better
information when XBean Finder fails to read a class/jar file
 - link:https://issues.apache.org/jira/browse/TOMEE-4289[TOMEE-4289]
 java.util.NoSuchElementException in SystemLogHandler
 - link:https://issues.apache.org/jira/browse/TOMEE-4269[TOMEE-4269] Enable
SLF4J 2.x webapps to include bindings in their WEB-INF/lib

== Task

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4284[TOMEE-4284]
Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.no-exp

###

Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

The VOTE is open for 72h or as long as needed.

Thanks

Jon


[CANCELLED] [VOTE] Release Apache TomEE 9.1.2

2023-12-12 Thread Jonathan Gallimore
Re-rerolling, hopefully with my GPG config sorted out, and a fix for
TOMEE-4289. New vote will be up shortly.

Jon

On Thu, Dec 7, 2023 at 2:12 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi All,
>
> I'd like to start a vote for the release of Apache TomEE 9.1.2. TomEE
> 9.1.2 is a maintenance release with dependencies upgrades and bug fixes. It
> also fixes the latest Tomcat vulnerabilities
> as well as other CVEs.
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1224/
>
> ###
>
> Binaries & Sources:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1224/tomee-9.1.2/
>
> ###
>
> Tags:
> https://github.com/apache/tomee/releases/tag/tomee-9.1.2
>
> ###
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12353729
>
> ###
>
> Here's an adoc generated version of the changelog:
>
> = Apache TomEE 9.1.2 Release Notes
> :index-group: Release Notes
> :jbake-type: page
> :jbake-status: published
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266]
> ActiveMQ 5.16.7 / 5.18.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4278[TOMEE-4278]
> Commons CLI 1.6.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4277[TOMEE-4277]
> Commons Codec 1.16.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4274[TOMEE-4274]
> Commons DBCP 2.11.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4275[TOMEE-4275]
> Commons Lang3 3.13.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4276[TOMEE-4276]
> Jackson 2.15.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4279[TOMEE-4279]
> Log4J2 2.21.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4280[TOMEE-4280]
> WSS4J 3.0.2
>
> == New Feature
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4281[TOMEE-4281]
> Improve logging when failing to load a class
>  - link:https://issues.apache.org/jira/browse/TOMEE-4268[TOMEE-4268]
> Create MicroProfile OpenAPI Reader exemple
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4267[TOMEE-4267]
> MicroProfile Metrics JMX Registrar must be initialized once
>
> == Improvement
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4285[TOMEE-4285] Port
> fix for CVE-2023-46589 for TomEE 9.x
>  - link:https://issues.apache.org/jira/browse/TOMEE-4286[TOMEE-4286]
> Namespace error when processing web-fragment.xml
>  - link:https://issues.apache.org/jira/browse/TOMEE-4287[TOMEE-4287]
> Better information when XBean Finder fails to read a class/jar file
>  - link:https://issues.apache.org/jira/browse/TOMEE-4269[TOMEE-4269]
> Enable SLF4J 2.x webapps to include bindings in their WEB-INF/lib
>
> == Task
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4284[TOMEE-4284]
> Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.no-exp
>
> ###
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Thanks
>
> Jon
>
>
>
>


Re: [VOTE] Release Apache TomEE 9.1.2

2023-12-12 Thread Jonathan Gallimore
Yes - I'll get that sorted out. Thanks for the script.

While we're here, I've got one issue I'd like to get fixed in the release:
https://issues.apache.org/jira/browse/TOMEE-4289 (
https://github.com/apache/tomee/pull/1088).

Let me know if there's any objections. I'll re-roll today and put another
vote up to include it if that's ok.

Jon

On Tue, Dec 12, 2023 at 7:31 AM Richard Zowalla  wrote:

> Hi Jon,
>
> tried checking the gpg signature with the following script:
>
> https://gist.github.com/rzo1/99dcf6719f5e027f38403545ef20bd80
>
> Looks like the key used "927AEAC4B9AD730DEC3BB2319969E985B1A390A9" to
> sign the artifacts isn't available
> in https://dist.apache.org/repos/dist/release/tomee/KEYS
>
> Can you update the file?
>
> Regards
> Richard
>
> On Thursday, 07.12.2023 at 14:12 +, Jonathan Gallimore wrote:
> > Hi All,
> >
> > I'd like to start a vote for the release of Apache TomEE 9.1.2. TomEE
> > 9.1.2 is a maintenance release with dependencies upgrades and bug fixes.
> > It also fixes the latest Tomcat vulnerabilities as well as other CVEs.
> >
> > ###
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1224/
> >
> > ###
> >
> > Binaries & Sources:
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1224/tomee-9.1.2/
> >
> > ###
> >
> > Tags:
> > https://github.com/apache/tomee/releases/tag/tomee-9.1.2
> >
> > ###
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12353729
> >
> > ###
> >
> > Here's an adoc generated version of the changelog:
> >
> > = Apache TomEE 9.1.2 Release Notes
> > :index-group: Release Notes
> > :jbake-type: page
> > :jbake-status: published
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266]
> > ActiveMQ 5.16.7 / 5.18.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4278[TOMEE-4278]
> > Commons CLI 1.6.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4277[TOMEE-4277]
> > Commons Codec 1.16.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4274[TOMEE-4274]
> > Commons DBCP 2.11.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4275[TOMEE-4275]
> > Commons Lang3 3.13.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4276[TOMEE-4276]
> > Jackson 2.15.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4279[TOMEE-4279]
> > Log4J2 2.21.1
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4280[TOMEE-4280]
> > WSS4J 3.0.2
> >
> > == New Feature
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4281[TOMEE-4281]
> > Improve logging when failing to load a class
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4268[TOMEE-4268]
> > Create MicroProfile OpenAPI Reader exemple
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4267[TOMEE-4267]
> > MicroProfile Metrics JMX Registrar must be initialized once
> >
> > == Improvement
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4285[TOMEE-4285]
> > Port fix for CVE-2023-46589 for TomEE 9.x
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4286[TOMEE-4286]
> > Namespace error when processing web-fragment.xml
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4287[TOMEE-4287]
> > Better information when XBean Finder fails to read a class/jar file
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4269[TOMEE-4269]
> > Enable SLF4J 2.x webapps to include bindings in their WEB-INF/lib
> >
> > == Task
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4284[TOMEE-4284]
> > Implement tomee.mp.jwt.allow.no-exp property over
> > mp.jwt.tomee.allow.no-exp
> >
> > ###
> >
> > Please VOTE
> >
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> >
> > The VOTE is open for 72h or as long as needed.
> >
> > Thanks
> >
> > Jon
>
>


[VOTE] Release Apache TomEE 9.1.2

2023-12-07 Thread Jonathan Gallimore
Hi All,

I'd like to start a vote for the release of Apache TomEE 9.1.2. TomEE 9.1.2
is a maintenance release with dependencies upgrades and bug fixes. It also
fixes the latest Tomcat vulnerabilities
as well as other CVEs.

###

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1224/

###

Binaries & Sources:
https://dist.apache.org/repos/dist/dev/tomee/staging-1224/tomee-9.1.2/

###

Tags:
https://github.com/apache/tomee/releases/tag/tomee-9.1.2

###

Release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12353729

###

Here's an adoc generated version of the changelog:

= Apache TomEE 9.1.2 Release Notes
:index-group: Release Notes
:jbake-type: page
:jbake-status: published

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266]
ActiveMQ 5.16.7 / 5.18.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4278[TOMEE-4278]
Commons CLI 1.6.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4277[TOMEE-4277]
Commons Codec 1.16.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4274[TOMEE-4274]
Commons DBCP 2.11.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4275[TOMEE-4275]
Commons Lang3 3.13.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4276[TOMEE-4276]
Jackson 2.15.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4279[TOMEE-4279] Log4J2
2.21.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4280[TOMEE-4280] WSS4J
3.0.2

== New Feature

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4281[TOMEE-4281]
Improve logging when failing to load a class
 - link:https://issues.apache.org/jira/browse/TOMEE-4268[TOMEE-4268] Create
MicroProfile OpenAPI Reader exemple

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4267[TOMEE-4267]
MicroProfile Metrics JMX Registrar must be initialized once

== Improvement

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4285[TOMEE-4285] Port
fix for CVE-2023-46589 for TomEE 9.x
 - link:https://issues.apache.org/jira/browse/TOMEE-4286[TOMEE-4286]
Namespace error when processing web-fragment.xml
 - link:https://issues.apache.org/jira/browse/TOMEE-4287[TOMEE-4287] Better
information when XBean Finder fails to read a class/jar file
 - link:https://issues.apache.org/jira/browse/TOMEE-4269[TOMEE-4269] Enable
SLF4J 2.x webapps to include bindings in their WEB-INF/lib

== Task

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4284[TOMEE-4284]
Implement tomee.mp.jwt.allow.no-exp property over mp.jwt.tomee.allow.no-exp

###

Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

The VOTE is open for 72h or as long as needed.

Thanks

Jon


Re: Cutting 9.1.2 release?

2023-12-06 Thread Jonathan Gallimore
Done - looks good. Thank you Zoltán!

On Wed, Dec 6, 2023 at 3:14 PM Richard Zowalla  wrote:

> Maybe TOMEE-4284 regarding the property deprecation?
> TOMEE-4112 is in TomEE 8.x, so maybe time to bring it to main/9.x too ?
>
> But no hard blockers. I am fine with it :)
>
> Regards
> Richard
>
>
> On Wednesday, 06.12.2023 at 15:10 +0000, Jonathan Gallimore wrote:
> > Ok - is there anything else we want to try and pull in before I cut a
> > release? I note there's 3 PRs here for main from the last couple of
> > weeks -
> > should any be ported to 9.x? https://github.com/apache/tomee/pulls
> >
> > Jon
> >
> >
> >
> > On Mon, Dec 4, 2023 at 12:22 PM Richard Zowalla 
> > wrote:
> >
> > > Thx, Jon.
> > >
> > > On Friday, 01.12.2023 at 16:02 + Jonathan Gallimore wrote:
> > > > I've merged in a fix for CVE-2023-46589, and a test for it. I'll
> > > > kick
> > > > off a
> > > > release either over the weekend if I get time, or on Monday. Let
> > > > me
> > > > know if
> > > > there's any objections.
> > > >
> > > > Jon
> > > >
> > > > On Wed, Nov 29, 2023 at 3:48 PM Alex The Rocker
> > > > 
> > > > wrote:
> > > >
> > > > > +1 and thanks Richard for raising attention on CVE-2023-46589
> > > > > which
> > > > > is
> > > > > fairly new
> > > > >
> > > > > > On Wed, Nov 29, 2023 at 12:51, Richard Zowalla wrote:
> > > > > >
> > > > > > +1 and yes, CVE-2023-46589 is missing.
> > > > > >
> > > > > > On Wednesday, 29.11.2023 at 11:23 + Jonathan Gallimore wrote:
> > > > > > > +1
> > > > > > >
> > > > > > > > I think there's one CVE to patch before release: CVE-2023-46589
> > > > > > > > which I'm happy to do. I'm also happy to cut the release as it's
> > > > > > > > been a while since I last did it.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > > > On Wed, Nov 29, 2023 at 11:20 AM Jean-Louis Monteiro <
> > > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > There are a couple of CVEs attached to the latest 9.x
> > > > > > > > release. Is
> > > > > > > > it time
> > > > > > > > to cut a release?
> > > > > > > >
> > > > > > > > Best
> > > > > > > > --
> > > > > > > > Jean-Louis Monteiro
> > > > > > > > http://twitter.com/jlouismonteiro
> > > > > > > > http://www.tomitribe.com
> > > > > > > >
> > > > > >
> > > > >
> > >
> > >
>
>


Re: Cutting 9.1.2 release?

2023-12-06 Thread Jonathan Gallimore
Ok - is there anything else we want to try and pull in before I cut a
release? I note there's 3 PRs here for main from the last couple of weeks -
should any be ported to 9.x? https://github.com/apache/tomee/pulls

Jon



On Mon, Dec 4, 2023 at 12:22 PM Richard Zowalla  wrote:

> Thx, Jon.
>
> On Friday, 01.12.2023 at 16:02 + Jonathan Gallimore wrote:
> > I've merged in a fix for CVE-2023-46589, and a test for it. I'll kick
> > off a
> > release either over the weekend if I get time, or on Monday. Let me
> > know if
> > there's any objections.
> >
> > Jon
> >
> > On Wed, Nov 29, 2023 at 3:48 PM Alex The Rocker
> > 
> > wrote:
> >
> > > +1 and thanks Richard for raising attention on CVE-2023-46589 which
> > > is
> > > fairly new
> > >
> > > > On Wed, Nov 29, 2023 at 12:51, Richard Zowalla wrote:
> > > >
> > > > +1 and yes, CVE-2023-46589 is missing.
> > > >
> > > > On Wednesday, 29.11.2023 at 11:23 + Jonathan Gallimore wrote:
> > > > > +1
> > > > >
> > > > > I think there's one CVE to patch before release: CVE-2023-46589
> > > > > which I'm happy to do. I'm also happy to cut the release as it's
> > > > > been a while since I last did it.
> > > > >
> > > > > Jon
> > > > >
> > > > > On Wed, Nov 29, 2023 at 11:20 AM Jean-Louis Monteiro <
> > > > > jlmonte...@tomitribe.com> wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > There are a couple of CVEs attached to the latest 9.x
> > > > > > release. Is
> > > > > > it time
> > > > > > to cut a release?
> > > > > >
> > > > > > Best
> > > > > > --
> > > > > > Jean-Louis Monteiro
> > > > > > http://twitter.com/jlouismonteiro
> > > > > > http://www.tomitribe.com
> > > > > >
> > > >
> > >
>
>


Re: Cutting 9.1.2 release?

2023-12-01 Thread Jonathan Gallimore
I've merged in a fix for CVE-2023-46589, and a test for it. I'll kick off a
release either over the weekend if I get time, or on Monday. Let me know if
there's any objections.

Jon

On Wed, Nov 29, 2023 at 3:48 PM Alex The Rocker 
wrote:

> +1 and thanks Richard for raising attention on CVE-2023-46589 which is
> fairly new
>
> On Wed, Nov 29, 2023 at 12:51, Richard Zowalla wrote:
> >
> > +1 and yes, CVE-2023-46589 is missing.
> >
> > On Wednesday, 29.11.2023 at 11:23 + Jonathan Gallimore wrote:
> > > +1
> > >
> > > I think there's one CVE to patch before release: CVE-2023-46589 which
> > > I'm happy to do. I'm also happy to cut the release as it's been a
> > > while since I last did it.
> > >
> > > Jon
> > >
> > > On Wed, Nov 29, 2023 at 11:20 AM Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > There are a couple of CVEs attached to the latest 9.x release. Is
> > > > it time
> > > > to cut a release?
> > > >
> > > > Best
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > >
> >
>


Re: Cutting 9.1.2 release?

2023-11-29 Thread Jonathan Gallimore
+1

I think there's one CVE to patch before release: CVE-2023-46589 which I'm
happy to do. I'm also happy to cut the release as it's been a while since I
last did it.

Jon

On Wed, Nov 29, 2023 at 11:20 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi all,
>
> There are a couple of CVEs attached to the latest 9.x release. Is it time
> to cut a release?
>
> Best
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-11-20 Thread Jonathan Gallimore
I've no issue with including it in 8.x, with respect to the EOL
announcement.

What I'm really asking is: if we do this update in 8.x, and you know it'll
negatively impact you (i.e. you'll have some sort of regression), please
say so.

I'll give it a couple of days and then merge the change in, unless we hear
of anything that suggests there would be an issue.

Jon

On Mon, Nov 20, 2023 at 12:32 PM Alex The Rocker 
wrote:

> +1 for this change, given that there's still some time before end of
> this year (=potential for some critical CVEs fixing anyway)
>
> On Mon, Nov 20, 2023 at 12:05, Jean-Louis Monteiro wrote:
> >
> > Based on the timing (mid-November) and the EOL end of this year, is it
> > worth it?
> > I'd say no. But it's up to you
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Mon, Nov 20, 2023 at 10:48 AM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > I make these changes to 9.x and main - is there any objection to
> making the
> > > change to 8.x as well?
> > >
> > > Thanks
> > >
> > > Jon
> > >
> > > On Wed, Oct 25, 2023 at 3:28 PM Jonathan Gallimore <
> > > jonathan.gallim...@gmail.com> wrote:
> > >
> > > > Thanks for the feedback, and especially the pointer to the JIRA!
> > > >
> > > > Jon
> > > >
> > > > On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla 
> wrote:
> > > >
> > > >> I am ok with the change. I would just updating the related deps in
> our
> > > >> webapps. A backing arquillian test would be useful, I guess.
> > > >>
> > > >> While looking into it (related to logging & classloaders), it might
> be
> > > >> interesting to also have a look on [1].
> > > >>
> > > >> For TomeEE 10, I would like to first have the owb4 branch on main,
> > > >> though (just waiting for johnzon 2.0.0).
> > > >>
> > > >> Regards
> > > >> Richard
> > > >>
> > > >>
> > > >>
> > > >> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
> > > >>
> > > >>
> > > >>
> > > >> On Wednesday, 25.10.2023 at 15:19 +0100, Jonathan Gallimore wrote:
> > > >> > I'm hoping the URLClassLoaderFirst change would mean that the
> slf4j-
> > > >> > api
> > > >> > 1.7.x could keep working for you. I'd be happy to add an
> Arquillian
> > > >> > test to
> > > >> > check that as part of a PR for the change. Does that sound ok?
> > > >> >
> > > >> > The upstream dependencies are not pulling in logback.
> > > >> >
> > > >> > If someone wanted to use logback with SLF4J, in a Jakarta EE
> version
> > > >> > of
> > > >> > TomEE, by bundling both slf4j-api and logback in their
> application,
> > > >> > they'd
> > > >> > have to use slf4j-api 2.x (because the Jakarta EE version of
> logback
> > > >> > requires that API level).
> > > >> >
> > > >> > Cheers,
> > > >> >
> > > >> > Jon
> > > >> >
> > > >> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
> > > >> > 
> > > >> > wrote:
> > > >> >
> > > >> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
> > > >> > > although it'd be best if the dependency wasn't seen by the apps
> > > >> > > somehow. I know that's a lot of classloader acrobatics :)
> > > >> > >
> > > >> > > Just to clarify though, the upstream dependencies are or are not
> > > >> > > including logback? If they are including logback, that
> transitive
> > > >> > > dependency ought to be blocked... it's up to the final
> developer to
> > > >> > > decide which binding implementation to use. Including a binding
> > > >> > > (over
> > > >> > > the default sysout binding) would likely cause problems for
> users.
> > > >> > >
> > > >> > >
> > > >> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
> > > >> > >

Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-11-20 Thread Jonathan Gallimore
I make these changes to 9.x and main - is there any objection to making the
change to 8.x as well?

Thanks

Jon

On Wed, Oct 25, 2023 at 3:28 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Thanks for the feedback, and especially the pointer to the JIRA!
>
> Jon
>
> On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla  wrote:
>
>> I am ok with the change. I would just updating the related deps in our
>> webapps. A backing arquillian test would be useful, I guess.
>>
>> While looking into it (related to logging & classloaders), it might be
>> interesting to also have a look on [1].
>>
>> For TomeEE 10, I would like to first have the owb4 branch on main,
>> though (just waiting for johnzon 2.0.0).
>>
>> Regards
>> Richard
>>
>>
>>
>> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
>>
>>
>>
>> On Wednesday, 25.10.2023 at 15:19 +0100, Jonathan Gallimore wrote:
>> > I'm hoping the URLClassLoaderFirst change would mean that the slf4j-
>> > api
>> > 1.7.x could keep working for you. I'd be happy to add an Arquillian
>> > test to
>> > check that as part of a PR for the change. Does that sound ok?
>> >
>> > The upstream dependencies are not pulling in logback.
>> >
>> > If someone wanted to use logback with SLF4J, in a Jakarta EE version
>> > of
>> > TomEE, by bundling both slf4j-api and logback in their application,
>> > they'd
>> > have to use slf4j-api 2.x (because the Jakarta EE version of logback
>> > requires that API level).
>> >
>> > Cheers,
>> >
>> > Jon
>> >
>> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
>> > 
>> > wrote:
>> >
>> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
>> > > although it'd be best if the dependency wasn't seen by the apps
>> > > somehow. I know that's a lot of classloader acrobatics :)
>> > >
>> > > Just to clarify though, the upstream dependencies are or are not
>> > > including logback? If they are including logback, that transitive
>> > > dependency ought to be blocked... it's up to the final developer to
>> > > decide which binding implementation to use. Including a binding
>> > > (over
>> > > the default sysout binding) would likely cause problems for users.
>> > >
>> > >
>> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
>> > >  wrote:
>> > > >
>> > > > Hi All
>> > > >
>> > > > There's a couple of suggestions I'd like to run past the group to
>> > > > see if
>> > > > there's any thoughts / potential issues.
>> > > >
>> > > > The first is: updating to SLF4J 2.x API and JUL implementation
>> > > > (specifically 2.0.9) in TomEE. There's a couple of rationale
>> > > > here:
>> > > >
>> > > > - The 1.x branch of SLF4J is no longer maintained
>> > > > - At least one of the bindings (Logback) requires a SLF4J 2.x API
>> > > > for
>> > > > Jakarta EE support
>> > > >
>> > > > Secondly, thanks to this bit of code in the class loader:
>> > > >
>> > >
>> https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
>> > > ,
>> > > > it is possible for a webapp to include its own SLF4J API and
>> > > > binding in
>> > > its
>> > > > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
>> > > > org/slf4j/impl/StaticLoggerBinder.class is not included with the
>> > > > binders,
>> > > > nor is it called, so shouldSkipSlf4j() returns true, even when
>> > > > SLF4J and
>> > > a
>> > > > binder is present in the web app. Simply removing this method,
>> > > > and the
>> > > > single place it is called seems to enable the web app to do its
>> > > > own
>> > > logging
>> > > > with its own binder.
>> > > >
>> > > > I've run a TCK build with both of these changes present, and it
>> > > > looks ok.
>> > > > Does anyone have any feedback with respect to these proposals? Is
>> > > > anyone
>> > > > out there using SLF4J in their applications with these versions
>> > > > of TomEE
>> > > > who would be impacted?
>> > > >
>> > > > Thanks
>> > > >
>> > > > Jon
>> > >
>> > >
>> > >
>> > > --
>> > > Jonathan | exabr...@gmail.com
>> > > Pessimists, see a jar as half empty. Optimists, in contrast, see it
>> > > as
>> > > half full.
>> > > Engineers, of course, understand the glass is twice as big as it
>> > > needs to
>> > > be.
>> > >
>>
>>
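
The SLF4J detection gap described in the quoted proposal above, as an added example that is not part of the original thread and is not TomEE's code: a Python audit of a webapp's bundled jars, comparing a check keyed only to the SLF4J 1.x marker class with one that also recognises the SLF4J 2.x ServiceLoader provider file. The jar names, their contents and the provider class name are constructed for illustration, and the two `seen_by_*` results are a simplified model of the behaviour the message describes.

```python
import io
import zipfile

# SLF4J 1.x bindings ship this class; SLF4J 2.x providers do not.
LEGACY_BINDER = "org/slf4j/impl/StaticLoggerBinder.class"
# SLF4J 2.x providers are discovered through java.util.ServiceLoader.
PROVIDER_FILE = "META-INF/services/org.slf4j.spi.SLF4JServiceProvider"


def inspect_jar(data):
    """Return the SLF4J binding markers found in one jar, given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        providers = []
        if PROVIDER_FILE in names:
            text = jar.read(PROVIDER_FILE).decode("utf-8")
            for line in text.splitlines():
                # ServiceLoader files allow '#' comments and blank lines.
                line = line.split("#", 1)[0].strip()
                if line:
                    providers.append(line)
    return {"legacy_binder": LEGACY_BINDER in names, "providers": providers}


def audit_webapp_lib(jars):
    """Audit a mapping of jar name -> jar bytes (the content of WEB-INF/lib)."""
    legacy, modern = [], {}
    for name in sorted(jars):
        found = inspect_jar(jars[name])
        if found["legacy_binder"]:
            legacy.append(name)
        if found["providers"]:
            modern[name] = found["providers"]
    return {
        "legacy_binders": legacy,
        "providers": modern,
        # Model of a check that only looks for the 1.x marker class.
        "seen_by_1x_only_check": bool(legacy),
        # Model of a check that also accepts a 2.x provider declaration.
        "seen_by_provider_aware_check": bool(legacy or modern),
    }


def make_jar(entries):
    """Build a jar in memory from {path: content}; used for the samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()


# Constructed sample: webapp bundling an SLF4J 1.x API and a 1.x-style binding.
SAMPLE_1X = {
    "sample-slf4j-api-1x.jar": make_jar({"org/slf4j/LoggerFactory.class": b""}),
    "sample-binding-1x.jar": make_jar({LEGACY_BINDER: b""}),
}

# Constructed sample: webapp bundling an SLF4J 2.x API and a 2.x-style provider.
# com.example.logging.ExampleServiceProvider is a hypothetical class name.
SAMPLE_2X = {
    "sample-slf4j-api-2x.jar": make_jar({
        "org/slf4j/LoggerFactory.class": b"",
        "org/slf4j/spi/SLF4JServiceProvider.class": b"",
    }),
    "sample-provider-2x.jar": make_jar({
        PROVIDER_FILE: "# constructed provider file\n"
                       "com.example.logging.ExampleServiceProvider\n",
    }),
}

if __name__ == "__main__":
    for label, jars in (("1.x webapp", SAMPLE_1X), ("2.x webapp", SAMPLE_2X)):
        print(label, audit_webapp_lib(jars))
```
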


Re: [VOTE] TomEE 8.0.16 (RC2)

2023-11-02 Thread Jonathan Gallimore
+1

Thanks for doing the release, Jonathan!

On Sun, Oct 29, 2023 at 6:35 PM Richard Zowalla  wrote:

> Hi all,
>
> This is the second attempt for a vote for a release of Apache TomEE
> 8.0.16. The first vote was cancelled due to some issues with the BOM
> modules.
>
> I'd like to start with a big thank you and a big applause to Jonathan
> Fisher. He is rolling out his first release today.
>
> Per ASF rules, the actual VOTE needs to be run by a TomEE PMC member,
> that's why I'm starting it.
>
> However, the work has been done by Jonathan, so thank you. Well done.
>
> TomEE 8.0.16 is a maintenance release with dependencies
> upgrades and bug fixes. It also fixes the latest Tomcat vulnerabilities
> as well as other CVEs.
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1223/
>
> 
> 
> tomee-8.0.16-rc2
> Testing TomEE 8.0.16 RC2
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1223/
> 
> 
> 
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1222/tomee-8.0.16/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16
>
>
> ###
>
> Release notes:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12353257
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266]
> ActiveMQ 5.16.7 / 5.18.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4234[TOMEE-4234]
> Bouncy Castle 1.75
>  - link:https://issues.apache.org/jira/browse/TOMEE-4229[TOMEE-4229]
> CVE-2023-34981
> 
> in TomEE 8.0.15
>  - link:https://issues.apache.org/jira/browse/TOMEE-4218[TOMEE-4218]
> HSQLDB 2.7.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4221[TOMEE-4221]
> JUnit 5.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4216[TOMEE-4216]
> Jackson 2.15.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227]
> Jackson 2.15.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4228[TOMEE-4228]
> Johnzon 1.2.21
>  - link:https://issues.apache.org/jira/browse/TOMEE-4263[TOMEE-4263]
> Santuario Java (xmlsec) mitigate CVE-2023-44483
>  - link:https://issues.apache.org/jira/browse/TOMEE-4224[TOMEE-4224]
> Tomcat 9.0.76
>  - link:https://issues.apache.org/jira/browse/TOMEE-4237[TOMEE-4237]
> Tomcat 9.0.79
>  - link:https://issues.apache.org/jira/browse/TOMEE-4252[TOMEE-4252]
> Tomcat 9.0.80
> - link:https://issues.apache.org/jira/browse/TOMEE-4238[TOMEE-4238]
> Tomcat 9.0.82
>  - link:https://issues.apache.org/jira/browse/TOMEE-4262[TOMEE-4262]
> eclipselink 2.7.13
>  - link:https://issues.apache.org/jira/browse/TOMEE-4220[TOMEE-4220]
> log4j
> 
> 2.20.0 (integration)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4219[TOMEE-4219]
> xbeans 4.23
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4222[TOMEE-4222]
> @LoginToContinue JSR-375 (JavaEE Security API) causes
> IllegalArgumentException
>  - link:https://issues.apache.org/jira/browse/TOMEE-4226[TOMEE-4226]
> DataSource definition fails when @DataSourceDefinition doesn't define
> url property
>
> == Improvement
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4031[TOMEE-4031]
> Improve TomEE Jmx Mbean Support for Parameter Names
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4234[TOMEE-4234]
> Bouncy Castle 1.75
>  - link:https://issues.apache.org/jira/browse/TOMEE-4238[TOMEE-4238]
> Tomcat 9.0.80
>  - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227]
> Jackson 2.15.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4229[TOMEE-4229]
> CVE-2023-34981
> 
> in Apache TomEE 8.0.15
>
> 
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard
>
>


Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
Upload to here: https://dist.apache.org/repos/dist/dev/tomee/ - this is
where we'll all be getting the artifacts to vote on. If you're using the
release tools, you'll be on this step: "Deploy Source and Distributions to
dist/dev".

Thanks for all your work on this.

Jon

On Fri, Oct 27, 2023 at 10:52 PM Jonathan S. Fisher 
wrote:

> Ok repository is uploaded and closed:
>
> https://repository.apache.org/content/repositories/orgapachetomee-1222/org/apache/tomee/apache-tomee/8.0.16/
>
> What's next? The directions say to upload but that seems a bit
> premature before calling for a vote or what not... sorry I'm new here!
> https://tomee.apache.org/dev/release-tomee.html
>
> On Fri, Oct 27, 2023 at 4:11 PM Jonathan Gallimore
>  wrote:
> >
> > Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't
> > massive: https://github.com/apache/activemq/commits/activemq-5.17.x.
> >
> > Jon
> >
> > On Fri, Oct 27, 2023 at 10:00 PM Jonathan S. Fisher 
> > wrote:
> >
> > > ope, it's in there now. Just popped up and I merged.
> > >
> > > ActiveMQ merges make a be a bit nervous :) I'll go ahead
> > > release:perform but stop again before closing the repository.
> > >
> > > I'll try running this too with some of our bigger apps and see if I
> > > can find anything wrong.
> > >
> > > On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore
> > >  wrote:
> > > >
> > > > It should be done by the build, but I can do that and push it as
> well.
> > > >
> > > > Jon
> > > >
> > > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher <
> exabr...@gmail.com>
> > > > wrote:
> > > >
> > > > > Thanks, do we need to do the bom thing?
> > > > >
> > > > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore
> > > > >  wrote:
> > > > > >
> > > > > > Done:
> > > > > >
> > > > >
> > >
> https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26
> > > > > >
> > > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore <
> > > > > > jonathan.gallim...@gmail.com> wrote:
> > > > > >
> > > > > > > Thanks. That commit is incoming in about 1 minute.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher <
> > > exabr...@gmail.com
> > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild
> > > > > > >>
> > > > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore
> > > > > > >>  wrote:
> > > > > > >> >
> > > > > > >> > I was about to ask the same. Happy to push the update to the
> > > branch
> > > > > > >> before
> > > > > > >> > a release is kicked off.
> > > > > > >> >
> > > > > > >> > Jon
> > > > > > >> >
> > > > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, <
> > > alex.m3...@gmail.com>
> > > > > > >> wrote:
> > > > > > >> >
> > > > > > >> > > Hi
> > > > > > >> > >
> > > > > > >> > > Before it's too late, can 8.0.16 release include (if not
> > > already
> > > > > done)
> > > > > > >> > > the dependency update to ActiveMQ version fixing
> > > CVE-2023-46604
> > > > > (which
> > > > > > >> > > has High 8.8 score by
> > > > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's
> > > > > enabling
> > > > > > >> > > remote code execution ?
> > > > > > >> > >
> > > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+.
> > > > > > >> > >
> > > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version
> > > 5.16.6,
> > > > > and
> > > > > > >> > >

Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't
massive: https://github.com/apache/activemq/commits/activemq-5.17.x.

Jon

On Fri, Oct 27, 2023 at 10:00 PM Jonathan S. Fisher 
wrote:

> ope, it's in there now. Just popped up and I merged.
>
> ActiveMQ merges make a be a bit nervous :) I'll go ahead
> release:perform but stop again before closing the repository.
>
> I'll try running this too with some of our bigger apps and see if I
> can find anything wrong.
>
> On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore
>  wrote:
> >
> > It should be done by the build, but I can do that and push it as well.
> >
> > Jon
> >
> > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher 
> > wrote:
> >
> > > Thanks, do we need to do the bom thing?
> > >
> > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore
> > >  wrote:
> > > >
> > > > Done:
> > > >
> > >
> https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26
> > > >
> > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore <
> > > > jonathan.gallim...@gmail.com> wrote:
> > > >
> > > > > Thanks. That commit is incoming in about 1 minute.
> > > > >
> > > > > Jon
> > > > >
> > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher <
> exabr...@gmail.com
> > > >
> > > > > wrote:
> > > > >
> > > > >> No problemo. I'll cancel, do the pr two step, and rebuild
> > > > >>
> > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore
> > > > >>  wrote:
> > > > >> >
> > > > >> > I was about to ask the same. Happy to push the update to the
> branch
> > > > >> before
> > > > >> > a release is kicked off.
> > > > >> >
> > > > >> > Jon
> > > > >> >
> > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, <
> alex.m3...@gmail.com>
> > > > >> wrote:
> > > > >> >
> > > > >> > > Hi
> > > > >> > >
> > > > >> > > Before it's too late, can 8.0.16 release include (if not
> already
> > > done)
> > > > >> > > the dependency update to ActiveMQ version fixing
> CVE-2023-46604
> > > (which
> > > > >> > > has High 8.8 score by
> > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's
> > > enabling
> > > > >> > > remote code execution ?
> > > > >> > >
> > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+.
> > > > >> > >
> > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version
> 5.16.6,
> > > and
> > > > >> > > according to
> > > > >> > >
> > > > >>
> > >
> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
> > > > >> > > ,
> > > > >> > > we need at least 5.16.7
> > > > >> > >
> > > > >> > > I hope this dependency update can make it in 8.0.16 before
> it's
> > > > >> > > released (or maybe it's already in the about-to-be voted
> 8.0.16 ?)
> > > > >> > >
> > > > >> > > Thanks,
> > > > >> > > Alex
> > > > >> > >
> > > > >> > > On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher <exabr...@gmail.com> wrote:
> > > > >> > > >
> > > > >> > > > Alright, I have the build completed, signed, and uploaded
> the
> > > the
> > > > >> > > > Nexus staging repository: orgapachetomee-1221
> > > > >> > > >
> > > > >> > > > What's next? I'm a little apprehensive to close out the
> staging
> > > repo
> > > > >> > > > for fear of prematurely publishing a release...
> > > > >> > > >
> > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher <
> > > > >> exabr...@gmail.com>
> > > >

Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
Those should be there for 8.0.x, 9.1.x and 10.0.x (I think you merged the
PR for 8.0.x yourself :-) )

Jon

On Fri, Oct 27, 2023 at 9:56 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> It should be done by the build, but I can do that and push it as well.
>
> Jon
>
> On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher 
> wrote:
>
>> Thanks, do we need to do the bom thing?
>>
>> On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore
>>  wrote:
>> >
>> > Done:
>> >
>> https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26
>> >
>> > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore <
>> > jonathan.gallim...@gmail.com> wrote:
>> >
>> > > Thanks. That commit is incoming in about 1 minute.
>> > >
>> > > Jon
>> > >
>> > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher <
>> exabr...@gmail.com>
>> > > wrote:
>> > >
>> > >> No problemo. I'll cancel, do the pr two step, and rebuild
>> > >>
>> > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore
>> > >>  wrote:
>> > >> >
>> > >> > I was about to ask the same. Happy to push the update to the branch
>> > >> before
>> > >> > a release is kicked off.
>> > >> >
>> > >> > Jon
>> > >> >
>> > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, 
>> > >> wrote:
>> > >> >
>> > >> > > Hi
>> > >> > >
>> > >> > > Before it's too late, can 8.0.16 release include (if not already
>> done)
>> > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604
>> (which
>> > >> > > has High 8.8 score by
>> > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's
>> enabling
>> > >> > > remote code execution ?
>> > >> > >
>> > >> > > As a reminder, ActiveMQ is embedded in TomEE+.
>> > >> > >
>> > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version
>> 5.16.6, and
>> > >> > > according to
>> > >> > >
>> > >>
>> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
>> > >> > > ,
>> > >> > > we need at least 5.16.7
>> > >> > >
>> > >> > > I hope this dependency update can make it in 8.0.16 before it's
>> > >> > > released (or maybe it's already in the about-to-be voted 8.0.16
>> ?)
>> > >> > >
>> > >> > > Thanks,
>> > >> > > Alex
>> > >> > >
>> > >> > > On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher <
>> exabr...@gmail.com>
>> > >> > > wrote:
>> > >> > > >
>> > >> > > > Alright, I have the build completed, signed, and uploaded to the
>> > >> > > > Nexus staging repository: orgapachetomee-1221
>> > >> > > >
>> > >> > > > What's next? I'm a little apprehensive to close out the
>> staging repo
>> > >> > > > for fear of prematurely publishing a release...
>> > >> > > >
>> > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher <
>> > >> exabr...@gmail.com>
>> > >> > > wrote:
>> > >> > > > >
>> > >> > > > > I got another good build locally and CI is happy too. I'm
>> going to
>> > >> > > > > stage the release!
>> > >> > > > >
>> > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher <
>> > >> exabr...@gmail.com>
>> > >> > > wrote:
>> > >> > > > > >
>> > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI
>> > >> > > > > >
>> > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson <
>> > >> jej2...@gmail.com>
>> > >> > > wrote:
>> > >> > > > > > >
>> > >>

Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
It should be done by the build, but I can do that and push it as well.

Jon

On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher 
wrote:

> Thanks, do we need to do the bom thing?
>
> On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore
>  wrote:
> >
> > Done:
> >
> https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26
> >
> > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > Thanks. That commit is incoming in about 1 minute.
> > >
> > > Jon
> > >
> > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher  >
> > > wrote:
> > >
> > >> No problemo. I'll cancel, do the pr two step, and rebuild
> > >>
> > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore
> > >>  wrote:
> > >> >
> > >> > I was about to ask the same. Happy to push the update to the branch
> > >> before
> > >> > a release is kicked off.
> > >> >
> > >> > Jon
> > >> >
> > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, 
> > >> wrote:
> > >> >
> > >> > > Hi
> > >> > >
> > >> > > Before it's too late, can 8.0.16 release include (if not already
> done)
> > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604
> (which
> > >> > > has High 8.8 score by
> > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's
> enabling
> > >> > > remote code execution ?
> > >> > >
> > >> > > As a reminder, ActiveMQ is embedded in TomEE+.
> > >> > >
> > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6,
> and
> > >> > > according to
> > >> > >
> > >>
> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
> > >> > > ,
> > >> > > we need at least 5.16.7
> > >> > >
> > >> > > I hope this dependency update can make it in 8.0.16 before it's
> > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?)
> > >> > >
> > >> > > Thanks,
> > >> > > Alex
> > >> > >
> > >> > > On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher <
> exabr...@gmail.com>
> > >> > > wrote:
> > >> > > >
> > >> > > > Alright, I have the build completed, signed, and uploaded to the
> > >> > > > Nexus staging repository: orgapachetomee-1221
> > >> > > >
> > >> > > > What's next? I'm a little apprehensive to close out the staging
> repo
> > >> > > > for fear of prematurely publishing a release...
> > >> > > >
> > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher <
> > >> exabr...@gmail.com>
> > >> > > wrote:
> > >> > > > >
> > >> > > > > I got another good build locally and CI is happy too. I'm
> going to
> > >> > > > > stage the release!
> > >> > > > >
> > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher <
> > >> exabr...@gmail.com>
> > >> > > wrote:
> > >> > > > > >
> > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI
> > >> > > > > >
> > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson <
> > >> jej2...@gmail.com>
> > >> > > wrote:
> > >> > > > > > >
> > >> > > > > > > Should this be included?
> > >> > > > > > >
> > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2
> > >> (xmlsec) to
> > >> > > > > > > mitigate CVE-2023-4448
> > >> > > > > > >
> > >> > > > > > > Not sure how to find the others without going through
> commit
> > >> > > history.
> > >> > > > > > >
> > >> > > > > > > Jamie
> > >> > > > > > >
> > >> >

Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
Done:
https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26

On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Thanks. That commit is incoming in about 1 minute.
>
> Jon
>
> On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher 
> wrote:
>
>> No problemo. I'll cancel, do the pr two step, and rebuild
>>
>> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore
>>  wrote:
>> >
>> > I was about to ask the same. Happy to push the update to the branch
>> before
>> > a release is kicked off.
>> >
>> > Jon
>> >
>> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, 
>> wrote:
>> >
>> > > Hi
>> > >
>> > > Before it's too late, can 8.0.16 release include (if not already done)
>> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which
>> > > has High 8.8 score by
>> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling
>> > > remote code execution ?
>> > >
>> > > As a reminder, ActiveMQ is embedded in TomEE+.
>> > >
>> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and
>> > > according to
>> > >
>> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
>> > > ,
>> > > we need at least 5.16.7
>> > >
>> > > I hope this dependency update can make it in 8.0.16 before it's
>> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?)
>> > >
>> > > Thanks,
>> > > Alex
>> > >
>> > > On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher
>> > > wrote:
>> > > >
>> > > > Alright, I have the build completed, signed, and uploaded to the
>> > > > Nexus staging repository: orgapachetomee-1221
>> > > >
>> > > > What's next? I'm a little apprehensive to close out the staging repo
>> > > > for fear of prematurely publishing a release...
>> > > >
>> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher <
>> exabr...@gmail.com>
>> > > wrote:
>> > > > >
>> > > > > I got another good build locally and CI is happy too. I'm going to
>> > > > > stage the release!
>> > > > >
>> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher <
>> exabr...@gmail.com>
>> > > wrote:
>> > > > > >
>> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI
>> > > > > >
>> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson <
>> jej2...@gmail.com>
>> > > wrote:
>> > > > > > >
>> > > > > > > Should this be included?
>> > > > > > >
>> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2
>> (xmlsec) to
>> > > > > > > mitigate CVE-2023-4448
>> > > > > > >
>> > > > > > > Not sure how to find the others without going through commit
>> > > history.
>> > > > > > >
>> > > > > > > Jamie
>> > > > > > >
>> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher <
>> > > exabr...@gmail.com>
>> > > > > > > wrote:
>> > > > > > >
>> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If
>> > > anyone
>> > > > > > > > else is aware of anything else I can upgrade before release,
>> > > please
>> > > > > > > > speak up :)
>> > > > > > > >
>> > > > > > > > Also good news: for whatever reason, I'm able to build
>> > > > > > > > tomee-release-tools now. The atlassian maven repository hit
>> me
>> > > with a
>> > > > > > > > rate limit briefly but it seems to have lifted.
>> > > > > > > >
>> > > > > > > > I have three questions at this point in time:
>> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for
>> > > CVE's?
>> > > > > >

Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
Thanks. That commit is incoming in about 1 minute.

Jon

On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher 
wrote:

> No problemo. I'll cancel, do the pr two step, and rebuild
>
> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore
>  wrote:
> >
> > I was about to ask the same. Happy to push the update to the branch
> before
> > a release is kicked off.
> >
> > Jon
> >
> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, 
> wrote:
> >
> > > Hi
> > >
> > > Before it's too late, can 8.0.16 release include (if not already done)
> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which
> > > has High 8.8 score by
> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling
> > > remote code execution ?
> > >
> > > As a reminder, ActiveMQ is embedded in TomEE+.
> > >
> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and
> > > according to
> > >
> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
> > > ,
> > > we need at least 5.16.7
> > >
> > > I hope this dependency update can make it in 8.0.16 before it's
> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?)
> > >
> > > Thanks,
> > > Alex
> > >
> > > > On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher
> > > > wrote:
> > > > >
> > > > > Alright, I have the build completed, signed, and uploaded to the
> > > > Nexus staging repository: orgapachetomee-1221
> > > >
> > > > What's next? I'm a little apprehensive to close out the staging repo
> > > > for fear of prematurely publishing a release...
> > > >
> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher <
> exabr...@gmail.com>
> > > wrote:
> > > > >
> > > > > I got another good build locally and CI is happy too. I'm going to
> > > > > stage the release!
> > > > >
> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher <
> exabr...@gmail.com>
> > > wrote:
> > > > > >
> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI
> > > > > >
> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson  >
> > > wrote:
> > > > > > >
> > > > > > > Should this be included?
> > > > > > >
> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2
> (xmlsec) to
> > > > > > > mitigate CVE-2023-4448
> > > > > > >
> > > > > > > Not sure how to find the others without going through commit
> > > history.
> > > > > > >
> > > > > > > Jamie
> > > > > > >
> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher <
> > > exabr...@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If
> > > anyone
> > > > > > > > else is aware of anything else I can upgrade before release,
> > > please
> > > > > > > > speak up :)
> > > > > > > >
> > > > > > > > Also good news: for whatever reason, I'm able to build
> > > > > > > > tomee-release-tools now. The atlassian maven repository hit
> me
> > > with a
> > > > > > > > rate limit briefly but it seems to have lifted.
> > > > > > > >
> > > > > > > > I have three questions at this point in time:
> > > > > > > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for
> > > CVE's?
> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are
> present but
> > > > > > > > don't apply to us)
> > > > > > > > 3. I ran a build locally and got two test failures. Looks
> like
> > > CI did
> > > > > > > > too:
> > > > > > > >
> > >
> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/
> > > > > > > >
> > > > > > > > It doesn't look related to the EclipseLink change unless I
> > > screwed the
> > > > > 

Re: 8.0.16 release

2023-10-27 Thread Jonathan Gallimore
I was about to ask the same. Happy to push the update to the branch before
a release is kicked off.

Jon

On Fri, 27 Oct 2023, 21:23 Alex The Rocker,  wrote:

> Hi
>
> Before it's too late, can 8.0.16 release include (if not already done)
> the dependency update to ActiveMQ version fixing CVE-2023-46604 (which
> has High 8.8 score by
> https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling
> remote code execution ?
>
> As a reminder, ActiveMQ is embedded in TomEE+.
>
> With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and
> according to
> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
> ,
> we need at least 5.16.7
>
> I hope this dependency update can make it in 8.0.16 before it's
> released (or maybe it's already in the about-to-be voted 8.0.16 ?)
>
> Thanks,
> Alex
>
> On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher wrote:
> >
> > Alright, I have the build completed, signed, and uploaded to the
> > Nexus staging repository: orgapachetomee-1221
> >
> > What's next? I'm a little apprehensive to close out the staging repo
> > for fear of prematurely publishing a release...
> >
> > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher 
> wrote:
> > >
> > > I got another good build locally and CI is happy too. I'm going to
> > > stage the release!
> > >
> > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher 
> wrote:
> > > >
> > > > Yep! I just logged that one and pushed a PR. Waiting on CI
> > > >
> > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson 
> wrote:
> > > > >
> > > > > Should this be included?
> > > > >
> > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to
> > > > > mitigate CVE-2023-4448
> > > > >
> > > > > Not sure how to find the others without going through commit
> history.
> > > > >
> > > > > Jamie
> > > > >
> > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher <
> exabr...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Richard, thank you sir; I assigned that ticket to myself. If
> anyone
> > > > > > else is aware of anything else I can upgrade before release,
> please
> > > > > > speak up :)
> > > > > >
> > > > > > Also good news: for whatever reason, I'm able to build
> > > > > > tomee-release-tools now. The atlassian maven repository hit me
> with a
> > > > > > rate limit briefly but it seems to have lifted.
> > > > > >
> > > > > > I have three questions at this point in time:
> > > > > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for
> CVE's?
> > > > > > 2. Are there CVEs we ignore? (basically ones that are present but
> > > > > > don't apply to us)
> > > > > > 3. I ran a build locally and got two test failures. Looks like
> CI did
> > > > > > too:
> > > > > >
> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/
> > > > > >
> > > > > > It doesn't look related to the EclipseLink change unless I
> screwed the
> > > > > > pooch on something. Are these known issues by chance?
> > > > > >
> > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla <
> rich...@zowalla.com>
> > > > > > wrote:
> > > > > > >
> > > > > > > > Might be relevant for your release preparations:
> > > > > > https://issues.apache.org/jira/browse/TOMEE-4263
> > > > > > >
> > > > > > > > On 26 October 2023 at 00:11:14 CEST, "Jonathan S. Fisher" <
> > > > > > > exabr...@gmail.com> wrote:
> > > > > > > >Thank you, eclipselink has been updated and boms also updated.
> > > > > > > >
> > > > > > > >Are the tomee release tools still needed?
> > > > > > > >
> > > > > > > >[ERROR] Failed to execute goal on project release-tools:
> Could not
> > > > > > > >resolve dependencies for project
> > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT:
> Failed to
> > > > > > > >collect dependencies at
> org.tomitribe.jamira:jamira-core:jar:0.4 ->
> > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2:
> Failed to read
> > > > > > > >artifact descriptor for
> > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The
> following
> > > > > > > >artifacts could not be resolved:
> > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2
> (absent): Could
> > > > > > > >not transfer artifact
> > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to
> > > > > > > >atlassian (
> > > > > >
> https://maven.atlassian.com/content/repositories/atlassian-public/):
> > > > > > > >status code: 429, reason phrase: Too Many Requests (429) ->
> [Help 1]
> > > > > > > >
> > > > > > > >I can't seem to get the artifacts from their Maven repository
> due to
> > > > > > > >rate limiting unfortunately.
> > > > > > > >
> > > > > > > >
> > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla <
> r...@apache.org>
> > > > > > wrote:
> > > > > > > >>
> > > > > > > >> Feel free to update 3rd party dependencies (make sure to
> create a
> > > > > > Jira,
> > > > > > > >> so it gets into the release notes). To update the BOMs you
> can 

Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-10-25 Thread Jonathan Gallimore
Thanks for the feedback, and especially the pointer to the JIRA!

Jon

On Wed, Oct 25, 2023 at 3:26 PM Richard Zowalla  wrote:

> I am ok with the change. I would just update the related deps in our
> webapps. A backing arquillian test would be useful, I guess.
>
> While looking into it (related to logging & classloaders), it might be
> interesting to also have a look on [1].
>
> For TomEE 10, I would like to first have the owb4 branch on main,
> though (just waiting for johnzon 2.0.0).
>
> Regards
> Richard
>
>
>
> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4242
>
>
>
> On Wednesday, 25.10.2023 at 15:19 +0100, Jonathan Gallimore wrote:
> > I'm hoping the URLClassLoaderFirst change would mean that the slf4j-
> > api
> > 1.7.x could keep working for you. I'd be happy to add an Arquillian
> > test to
> > check that as part of a PR for the change. Does that sound ok?
> >
> > The upstream dependencies are not pulling in logback.
> >
> > If someone wanted to use logback with SLF4J, in a Jakarta EE version
> > of
> > TomEE, by bundling both slf4j-api and logback in their application,
> > they'd
> > have to use slf4j-api 2.x (because the Jakarta EE version of logback
> > requires that API level).
> >
> > Cheers,
> >
> > Jon
> >
> > On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher
> > 
> > wrote:
> >
> > > While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
> > > although it'd be best if the dependency wasn't seen by the apps
> > > somehow. I know that's a lot of classloader acrobatics :)
> > >
> > > Just to clarify though, the upstream dependencies are or are not
> > > including logback? If they are including logback, that transitive
> > > dependency ought to be blocked... it's up to the final developer to
> > > decide which binding implementation to use. Including a binding
> > > (over
> > > the default sysout binding) would likely cause problems for users.
> > >
> > >
> > > On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
> > >  wrote:
> > > >
> > > > Hi All
> > > >
> > > > There's a couple of suggestions I'd like to run past the group to
> > > > see if
> > > > there's any thoughts / potential issues.
> > > >
> > > > The first is: updating to SLF4J 2.x API and JUL implementation
> > > > (specifically 2.0.9) in TomEE. There's a couple of rationale
> > > > here:
> > > >
> > > > - The 1.x branch of SLF4J is no longer maintained
> > > > - At least one of the bindings (Logback) requires a SLF4J 2.x API
> > > > for
> > > > Jakarta EE support
> > > >
> > > > Secondly, thanks to this bit of code in the class loader:
> > > >
> > >
> https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
> > > ,
> > > > it is possible for a webapp to include its own SLF4J API and
> > > > binding in
> > > its
> > > > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
> > > > org/slf4j/impl/StaticLoggerBinder.class is not included with the
> > > > binders,
> > > > nor is it called, so shouldSkipSlf4j() returns true, even when
> > > > SLF4J and
> > > a
> > > > binder is present in the web app. Simply removing this method,
> > > > and the
> > > > single place it is called seems to enable the web app to do its
> > > > own
> > > logging
> > > > with its own binder.
> > > >
> > > > I've run a TCK build with both of these changes present, and it
> > > > looks ok.
> > > > Does anyone have any feedback with respect to these proposals? Is
> > > > anyone
> > > > out there using SLF4J in their applications with these versions
> > > > of TomEE
> > > > who would be impacted?
> > > >
> > > > Thanks
> > > >
> > > > Jon
> > >
> > >
> > >
> > > --
> > > Jonathan | exabr...@gmail.com
> > > Pessimists, see a jar as half empty. Optimists, in contrast, see it
> > > as
> > > half full.
> > > Engineers, of course, understand the glass is twice as big as it
> > > needs to
> > > be.
> > >
>
>


Re: SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-10-25 Thread Jonathan Gallimore
I'm hoping the URLClassLoaderFirst change would mean that the slf4j-api
1.7.x could keep working for you. I'd be happy to add an Arquillian test to
check that as part of a PR for the change. Does that sound ok?

The upstream dependencies are not pulling in logback.

If someone wanted to use logback with SLF4J, in a Jakarta EE version of
TomEE, by bundling both slf4j-api and logback in their application, they'd
have to use slf4j-api 2.x (because the Jakarta EE version of logback
requires that API level).

Cheers,

Jon

On Wed, Oct 25, 2023 at 3:06 PM Jonathan S. Fisher 
wrote:

> While we use slf4j-api 1.7.x, I'm totally ok with a 2.x upgrade,
> although it'd be best if the dependency wasn't seen by the apps
> somehow. I know that's a lot of classloader acrobatics :)
>
> Just to clarify though, the upstream dependencies are or are not
> including logback? If they are including logback, that transitive
> dependency ought to be blocked... it's up to the final developer to
> decide which binding implementation to use. Including a binding (over
> the default sysout binding) would likely cause problems for users.
>
>
> On Wed, Oct 25, 2023 at 8:58 AM Jonathan Gallimore
>  wrote:
> >
> > Hi All
> >
> > There's a couple of suggestions I'd like to run past the group to see if
> > there's any thoughts / potential issues.
> >
> > The first is: updating to SLF4J 2.x API and JUL implementation
> > (specifically 2.0.9) in TomEE. There's a couple of rationale here:
> >
> > - The 1.x branch of SLF4J is no longer maintained
> > - At least one of the bindings (Logback) requires a SLF4J 2.x API for
> > Jakarta EE support
> >
> > Secondly, thanks to this bit of code in the class loader:
> >
> https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619
> ,
> > it is possible for a webapp to include its own SLF4J API and binding in
> its
> > WEB-INF/lib to use its own logging config. With SLF4J 2.x,
> > org/slf4j/impl/StaticLoggerBinder.class is not included with the binders,
> > nor is it called, so shouldSkipSlf4j() returns true, even when SLF4J and
> a
> > binder is present in the web app. Simply removing this method, and the
> > single place it is called seems to enable the web app to do its own
> logging
> > with its own binder.
> >
> > I've run a TCK build with both of these changes present, and it looks ok.
> > Does anyone have any feedback with respect to these proposals? Is anyone
> > out there using SLF4J in their applications with these versions of TomEE
> > who would be impacted?
> >
> > Thanks
> >
> > Jon
>
>
>
> --
> Jonathan | exabr...@gmail.com
> Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> half full.
> Engineers, of course, understand the glass is twice as big as it needs to
> be.
>


SLF4J 2.x in TomEE 9.1.x and 10.0.x?

2023-10-25 Thread Jonathan Gallimore
Hi All

There's a couple of suggestions I'd like to run past the group to see if
there's any thoughts / potential issues.

The first is: updating to SLF4J 2.x API and JUL implementation
(specifically 2.0.9) in TomEE. There's a couple of rationale here:

- The 1.x branch of SLF4J is no longer maintained
- At least one of the bindings (Logback) requires a SLF4J 2.x API for
Jakarta EE support

Secondly, thanks to this bit of code in the class loader:
https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/util/classloader/URLClassLoaderFirst.java#L600-L619,
it is possible for a webapp to include its own SLF4J API and binding in its
WEB-INF/lib to use its own logging config. With SLF4J 2.x,
org/slf4j/impl/StaticLoggerBinder.class is not included with the binders,
nor is it called, so shouldSkipSlf4j() returns true, even when SLF4J and a
binder is present in the web app. Simply removing this method, and the
single place it is called seems to enable the web app to do its own logging
with its own binder.

I've run a TCK build with both of these changes present, and it looks ok.
Does anyone have any feedback with respect to these proposals? Is anyone
out there using SLF4J in their applications with these versions of TomEE
who would be impacted?

Thanks

Jon
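
An added example, not part of the original message and not TomEE code: a script that opens a WAR and reports whether its WEB-INF/lib bundles slf4j-api together with a 1.x binding (StaticLoggerBinder.class) or a 2.x provider (a META-INF/services/org.slf4j.spi.SLF4JServiceProvider entry), which is the distinction the message turns on. The WARs are constructed in memory, the jar and function names are hypothetical, and static_binder_probe() is a stand-in for any check keyed only on the StaticLoggerBinder marker.

```python
import io
import zipfile
from typing import Dict, List

# Marker entries inside a jar (standard SLF4J locations).
API_MARKER = "org/slf4j/LoggerFactory.class"                   # slf4j-api itself
V1_BINDING_MARKER = "org/slf4j/impl/StaticLoggerBinder.class"  # SLF4J 1.x binding
V2_PROVIDER_MARKER = "META-INF/services/org.slf4j.spi.SLF4JServiceProvider"  # SLF4J 2.x


def inspect_war(war_bytes: bytes) -> Dict[str, List[str]]:
    """Return the WEB-INF/lib jars that carry each SLF4J marker."""
    found: Dict[str, List[str]] = {"api": [], "v1_binding": [], "v2_provider": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in sorted(war.namelist()):
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                    names = set(jar.namelist())
            except zipfile.BadZipFile:
                continue  # corrupt or non-zip entry: nothing to classify
            jar_name = entry.rsplit("/", 1)[-1]
            if API_MARKER in names:
                found["api"].append(jar_name)
            if V1_BINDING_MARKER in names:
                found["v1_binding"].append(jar_name)
            if V2_PROVIDER_MARKER in names:
                found["v2_provider"].append(jar_name)
    return found


def classify(war_bytes: bytes) -> str:
    """Summarise how the web app gets its SLF4J implementation."""
    found = inspect_war(war_bytes)
    if not found["api"]:
        return "uses-container-slf4j"
    if found["v2_provider"]:
        return "own-slf4j-2.x-provider"
    if found["v1_binding"]:
        return "own-slf4j-1.x-binding"
    return "api-only"


def static_binder_probe(war_bytes: bytes) -> bool:
    """True only when a StaticLoggerBinder.class is bundled (the 1.x marker)."""
    return bool(inspect_war(war_bytes)["v1_binding"])


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a zip (jar or war) in memory from {entry name: content}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed sample archives; the jars hold only the marker entries.
API_JAR = make_zip({API_MARKER: b""})
WAR_SLF4J_1X = make_zip({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/sample-slf4j-api.jar": API_JAR,
    "WEB-INF/lib/sample-1x-binding.jar": make_zip({V1_BINDING_MARKER: b""}),
})
WAR_SLF4J_2X = make_zip({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/sample-slf4j-api.jar": API_JAR,
    "WEB-INF/lib/sample-2x-provider.jar": make_zip(
        {V2_PROVIDER_MARKER: b"sample.Provider\n"}),
})
WAR_NO_SLF4J = make_zip({
    "WEB-INF/lib/sample-app-lib.jar": make_zip({"sample/App.class": b""}),
})

if __name__ == "__main__":
    for label, war in (("1.x", WAR_SLF4J_1X), ("2.x", WAR_SLF4J_2X),
                       ("none", WAR_NO_SLF4J)):
        print(label, classify(war), "probe sees binding:", static_binder_probe(war))
```

For the 2.x WAR the classification reports a bundled provider while the StaticLoggerBinder probe returns False; classes under WEB-INF/classes are not inspected.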


Re: Good news on CXF4

2023-09-04 Thread Jonathan Gallimore
+1, and great work, thank you!

On Thu, Aug 31, 2023 at 5:55 PM Richard Zowalla  wrote:

> Hey ladies,
>
> some good news:
>
> We are now passing the JAX-RS part of the EE9.1 tck with the latest CXF
> 4.0.3-SNAPSHOT [1]. Don't bother about the json-p failures, which are
> unrelated (they are also failing for our shading approach and TomEE 10,
> so no regression here).
>
> Overall, I think, that we can now drop our CXF 3.5.5 Shade for TomEE
> 9.1.x and TomEE 10 and use the "native" Jakarta version of CXF instead.
>
> The CXF guys plan to do a release in Mid/End of September, so we can
> live with a SNAPSHOT for now imho.
>
> Any objections in bringing it into 10 _and_ 9.1.x ?
>
> Regards
> Richard
>
>
> [1] https://tck.work/tomee/build?id=1693492927456
> [2] https://github.com/apache/tomee/pull/1061
> [3] https://github.com/apache/tomee/pull/1062
>


Connections to ActiveMQ brokers

2023-02-16 Thread Jonathan Gallimore
One of the things I've been looking into recently is the number of
connections that TomEE will make to an ActiveMQ broker. If you consider an
application that has 10 Message Driven Beans, and another bean that sends
messages using a connection factory, that application when started will
make 20 connections to ActiveMQ - 10 for the connection pool, and an
additional connection for each message driven bean.

Conversely, I could create (and it occurs to me that I should) a Spring
application that listens on 10 destinations, sends messages from another
bean, and uses just 1 connection: a JMS connection is capable of managing
several sessions at the same time. At a small scale, the number of
connections isn't an issue, but if you have hundreds of applications
connecting to ActiveMQ, each making dozens of connections, this can become
a bit of a challenge.

There are some options around this:

* Have the MDBs use connections from the connection pool - this is already
possible using an activation property "ConnectionFactoryLookup", for
example:


# Do not start the embedded ActiveMQ broker
BrokerXmlConfig  =
ServerUrl = tcp://localhost:61616
UserName system
Password manager



ResourceAdapter = MyJmsResourceAdapter
PoolMaxSize 10
PoolMinSize 0



ResourceAdapter = MyJmsResourceAdapter
activation.ConnectionFactoryLookup=MyJmsConnectionFactory


This means that the connections for the message driven beans will come from
the same pool as connections used to send messages, so you can at least
manage the full set. You'll still need at least  + 1
connections in that pool, however.

* Override the resource adapter behaviour where connections are created.
Connections are made here:
https://github.com/apache/tomee/blob/main/container/openejb-core/src/main/java/org/apache/openejb/resource/activemq/jms2/TomEEManagedConnectionFactory.java#L67.
I hacked up some code to override makeConnection():

// One shared physical connection per connection request info
private final Map<ActiveMQConnectionRequestInfo, ActiveMQConnection>
        physicalConnections = new HashMap<>();

@Override
public ActiveMQConnection makeConnection(ActiveMQConnectionRequestInfo connectionRequestInfo,
                                         ActiveMQConnectionFactory connectionFactory) throws JMSException {
    ActiveMQConnection activeMQConnection = null;

    if (singleton) {
        // Reuse the existing connection for this request info, creating it on first use
        synchronized (this) {
            activeMQConnection = physicalConnections.get(connectionRequestInfo);
            if (activeMQConnection == null) {
                activeMQConnection = super.makeConnection(connectionRequestInfo, connectionFactory);
                physicalConnections.put(connectionRequestInfo, activeMQConnection);
            }
        }
    } else {
        // Default behaviour: a new physical connection per request
        activeMQConnection = super.makeConnection(connectionRequestInfo, connectionFactory);
    }

    return activeMQConnection;
}

The idea here is that only one physical connection per
username/password/client ID combination would be created, and can be shared
by different sessions. I added a parameter to the connection factory called
"singleton" (perhaps needs a better name) to turn this behaviour on.

The good news is that broadly speaking, it does work - I'm working on some
itests, but unit tests and actually running TomEE and ActiveMQ look good.

Does anyone have any thoughts or reservations on this (or any specific
cases that ought to be tested)?

Jon


Re: Backporting changes between 8.x, 9.x and 10.x

2023-02-14 Thread Jonathan Gallimore
I very much agree with specifying where you're willing to spend your time,
as opposed to just what you'd like to see.

- TomEE 10: I'm happy to contribute to the development of that as I can.
I'm currently working on the concurrency changes needed for EE10.
- TomEE 9: I'm happy to contribute towards maintaining this until a little
after TomEE 10 is released. If we discontinued this now, I think users
would potentially avoid actually doing their migration from javax to
jakarta. I don't see any way we can discontinue this until there is a GA
TomEE 10 release.
- TomEE 8: I agree we need to determine what its lifespan is, and this is
to a certain extent determined by all of the components we use. I suspect
CXF may be tricky in this area - as 3.4.10 is the last 3.4 release, and I'm
not sure what is involved in 3.5.x or whether it is suitable for EE8 etc. If we
don't determine a lifespan for TomEE 8, there's a real danger that people
will try and stick with it forever rather than migrate to newer versions.
I'd be happy to help maintain this branch for a short time.
- Older branches: I wouldn't want to contribute to these any more, and
would be in favor of marking them as discontinued.

The EOL policy you've suggested is really clear, and I think it strikes a
reasonable balance with what's achievable from a maintenance perspective,
while giving time for users to upgrade. While I don't necessarily object to
releases from older branches, if there was a strong desire to do so, I do
think the responsible thing to do is clearly list every single CVE in each
library that hasn't been patched on the download page. I personally
strongly prefer the policy of not releasing software where there are CVEs
in any of the components, however.

Jon

On Wed, Feb 8, 2023 at 8:07 PM David Blevins 
wrote:

> Great thread to start, Richard!
>
> My request to everyone who responds: please be clear on where you’re
> willing to spend your time.  If we get a lot of +1s for an option, but not
> enough people actually volunteering to do the work, it really isn’t an
> option.
>
> Here’s my perspective on each branch:
>
>  - TomEE 9.  We need to keep that CVE patched and actively released.  If
> we don’t then people on TomEE 8 looking to migrate away won’t actually have
> a safe place to migrate to.  I’d be willing to put contribution time into
> CVE patches and doing or reviewing releases on TomEE 9 till TomEE 10 is
> released + 6 months so people have time to migrate from 9 to 10.  We would
> either need to upgrade to Tomcat 10.1 to make this work or volunteer time
> in Tomcat to maintaining 10.
>
>  - TomEE 8.  I’d be willing to review patches, help with release releases,
> etc for this year, so people have time to migrate.  As it will negatively
> impact our TomEE 10 work and people will most likely not take advantage
> unless forced, I’d want to have a clear end-of-life date that we set now.
> I think Dec 31st, 2023 is a good date.  That date would be communicated as
> best effort — if a dependency like say CXF stops maintaining the version we
> need, the actual end of life date for TomEE 8 would be shorter.  This would
> all have to be documented and visible when people download TomEE 8.  I
> wouldn’t be willing to put time into TomEE 8 open-ended, without an agreed
> end-of-life date.  Not as critical, but we might also be smart to do just
> one release a quarter or something to minimize impact.
>
>  - TomEE 7 & TomEE 1.7.  These are already effectively discontinued.  I
> think we should actually label them discontinued.  I definitely would not
> be willing to review patches or release binaries for those branches.
>
>
> # General End-of-life policy thoughts
>
> I had in the past leaned against officially calling a branch discontinued,
> but I think I’m swayed the other way on that.  Nobody wants to do the
> javax-to-jakarta transition and given the opportunity to put it off,
> everyone will.  In my experience, people don’t like to upgrade even when
> there are no breaking changes — the fear of one being hidden in there
> somewhere is enough to stop a lot of people.  In absence of a clear “this
> is going away” date, a lot of people will either hold off upgrading or not
> be able to get the internal support for doing an upgrade.
>
> If I had to take a stab at a default end-of-life policy, I’d probably
> recommend something like this:
>
>  - We maintain the latest stable (final) release branch indefinitely while
> the next branch is in development (non-final)
>  - When the development branch becomes final and becomes the new latest
> stable, we immediately announce the previous latest stable will be
> end-of-life in 6 months so people know to use the time to migrate.
>  - Any end-of-life date can be extended (e.g. TomEE 8) if someone shows up
> willing to do the work and commits to a new end-of-life date (which can
> again be extended if there are volunteers)
>  - If we cannot patch all the CVEs in a branch, we likely should have a
> policy 

Re: [VOTE] TomEE 8.0.14

2023-01-19 Thread Jonathan Gallimore
+1 (binding)

Additional comment is that we seem to have a few API jars creeping in,
which should be part of the javaee-api jar:

* geronimo-jta_1.1_spec
* jakarta.annotation-api
* jakarta.jws-api
* jakarta.xml.soap-api
* jakarta.xml.ws-api

Not a blocker for release in my opinion, but worth cleaning up after. (I'm
happy to help with that).

Jon

On Tue, Jan 17, 2023 at 1:40 PM Richard Zowalla  wrote:

> Hi all,
>
> this is a vote for a release of Apache TomEE 8.0.14.
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades.
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1213/
>
> 
> 
> tomee-8.0.14-release-test
> Testing TomEE 8.0.14 release candidate
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1213/
> 
> 
> 
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1213/tomee-8.0.14/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.14
>
>
> ###
>
> Release notes:
>
> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]
> XBean 4.22
>  - link:https://issues.apache.org/jira/browse/TOMEE-4126[TOMEE-4126]
> CXF 3.4.10
>  - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> CXF 3.4.9
>  - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125]
> CXF versions mitigate CVE-2022-46364 and CVE-2022-46363
>  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> HSQLDB 2.7.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4170[TOMEE-4170]
> Hibernate 5.6.14
>  - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> Jackson 2.14.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4129[TOMEE-4129]
> Jackson 2.14.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4169[TOMEE-4169]
> SnakeYAML - CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> Tomcat 9.0.69
>  - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> Tomcat 9.0.70
>  - link:https://issues.apache.org/jira/browse/TOMEE-4173[TOMEE-4173]
> Tomcat 9.0.71
>  - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> Velocity 2.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> Woodstox 6.4.0 (CVE-2022-40152)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> bcel component
>  - link:https://issues.apache.org/jira/browse/TOMEE-4130[TOMEE-4130]
> commons-compress 1.22
>  - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> jackson 2.14.0-rc2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> woodstox-core mitigate CVE-2022-40153
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4120[TOMEE-4120]
> Remote EJB2 BMP Memory Leak
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> Typo with EL22Adaptor implementation in openwebbeans.properties
>  - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> TomEE logs SEVERE: Expected ContextBinding to have the method
> getThreadName()
>  - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> TomEE version no longer appearing at default manager page
>  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> Unable to see TomEE version in Tomcat home page with Java 17
>  - link:https://issues.apache.org/jira/browse/TOMEE-4108[TOMEE-4108]
> Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth
> mechanism
>  - link:https://issues.apache.org/jira/browse/TOMEE-3779[TOMEE-3779]
> tomee-embedded-maven-plugin fails with NPE
>  - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176]
> CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's
> tomcat-websocket.jar
>
> == Improvement
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4124[TOMEE-4124]
> Remove timing of timing just for logging
>
> == Task
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4171[TOMEE-4171]
> Apache Parent 29
>  - link:https://issues.apache.org/jira/browse/TOMEE-4172[TOMEE-4172]
> JUnit 5.9.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4177[TOMEE-4177]
> Patch Plugin 0.10
>
> 

Re: Post TomEE 9.0.0 final release

2023-01-12 Thread Jonathan Gallimore
I've started wiring up the Concurrency TCK here:
https://github.com/apache/tomee/tree/TOMEE-4159_Concurrency_TCK. After
updating the Jakarta EE API to 10, there are some compile issues,
particularly around the concurrency area, so there is some work to do
(which I'm looking at now!).

Cheers

Jon

On Thu, Jan 12, 2023 at 11:41 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> I saw some commits. Thanks for the setup and the work.
> We have a couple of pending PRs ready for the different TCK (BVal, CDI,
> JSONB, JSONP, Concurrent).
>
> The challenge with standalone TCK is that if we don't find a way to run
> them on the cloud, we'll need to consolidate the results between the 2
> platforms. It will be definitely slower on the Apache CI system and will
> make the build unbelievably slow.
>
> We have some investment there. We can of course run in the cloud with `mvn
> verify -pl tck/bval-tomee` etc. But how are we going to collect the
> results? Furthermore for CDI and others, it would be great to split into
> smaller chunks to run in parallel.
>
>
> Long story short, there is some good investment to have on this area. It
> will definitely pay off in the long run.
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Thu, Jan 12, 2023 at 2:54 AM David Blevins 
> wrote:
>
> > > On Jan 4, 2023, at 4:00 PM, David Blevins 
> > wrote:
> > >
> > > I created JIRAs for all the individual TCKs involved in EE 10.  Some of
> > these are already setup:
> > >
> > > TOMEE-4156   Platform/WebProfile TCK
> >
> > I have this at least minimally setup here:
> >
> >  - https://github.com/apache/tomee-tck
> >
> > There’s a `setup.sh` that will download and install the Jakarta EE 10
> > Platform & Web Profile TCK on your machine.
> >
> > General FYI on some tweaks I made to the branches.
> >
> >  - main: now points to TomEE 10 instead of TomEE 8
> >  - tomee-8.x: new branch made from the former `main` branch, dedicated to
> > TomEE 8
> >  - tomee-8.x: new branch made from the `jakartaee9-tck` branch, dedicated
> > to TomEE 9
> >
> > Next steps for me will be trying to get a run or two going up in the
> cloud
> > so we have some base numbers.  Quite a lot of the tests were moved out to
> > standalone TCKs, so there’ll be some work to get a good view of how things
> > compare.
> >
> >
> > -David
> >
> >
>


Re: Post TomEE 9.0.0 final release

2023-01-06 Thread Jonathan Gallimore
Awesome, thanks - that's all assigned.

On Fri, Jan 6, 2023 at 7:23 PM Zoltán Tichov 
wrote:

> Hi!
>
> It is "eagleegg".
>
> Thanks:
>
> Zoltán
>
> On Fri, Jan 6, 2023 at 8:17 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > Can you let me know your JIRA username?
> >
> > Thanks
> >
> > Jon
> >
> > On Fri, 6 Jan 2023, 19:14 Jonathan Gallimore, <
> > jonathan.gallim...@gmail.com>
> > wrote:
> >
> > > Yes. I'll see if I can assign that to you.
> > >
> > > Jon
> > >
> > > On Fri, 6 Jan 2023, 18:15 Zoltán Tichov, 
> > wrote:
> > >
> > >> Hi!
> > >>
> > >> Can I choose the Jakarta Faces TCK?
> > >>
> > >> Thanks:
> > >> Zoltán
> > >>
> > >>
> > >> On Fri, Jan 6, 2023 at 1:06 AM David Blevins  >
> > >> wrote:
> > >>
> > >> > > On Jan 5, 2023, at 11:11 AM, Zoltán Tichov <
> zoltan.tic...@gmail.com
> > >
> > >> > wrote:
> > >> > >
> > >> > > Hi!
> > >> > >
> > >> > > Be it as you wrote. What should I do now?
> > >> >
> > >> > If you want to help learn & setup the new standalone TCKs, that’d
> be a
> > >> > fantastic way to contribute.  Basically, any of the ones in this
> list
> > >> that
> > >> > isn’t already assigned is up for grabs.
> > >> >
> > >> >  - https://issues.apache.org/jira/browse/TOMEE-4155
> > >> >
> > >> > If that sounds interesting, pick a TCK and someone can assign you
> the
> > >> JIRA.
> > >> >
> > >> > Most of these TCKs were in the main Jakarta EE TCK and were
> completely
> > >> > reworked.  Spec teams were allowed to use any testing framework or
> > >> approach
> > >> > they liked, so we’re all starting from zero on how these new TCKs
> > work.
> > >> > One of the rare situations where there isn’t someone who knows how
> > they
> > >> > work and can provide help -- we’re all newbies on these new TCKs.
> > >> >
> > >> > Previously the only standalone TCKs were bean validation, CDI and
> the
> > >> > MicroProfile TCKs.  They all live here:
> > >> >
> > >> >  - https://github.com/apache/tomee/tree/main/tck
> > >> >
> > >> > We should probably put all the new TCK setups there until we decide
> > >> > otherwise.
> > >> >
> > >> >
> > >> > -David
> > >> >
> > >> > >
> > >> > > On Wed, Jan 4, 2023 at 9:41 PM Jean-Louis Monteiro <
> > >> > jlmonte...@tomitribe.com>
> > >> > > wrote:
> > >> > >
> > >> > >> I think first, we should get the 2 PRs in. From experience,
> > delaying
> > >> > them
> > >> > >> makes it frustrating and painful because you have to rebase all
> the
> > >> > time.
> > >> > >>
> > >> > >> Then create a new issue assigned to version 10.x (or we can
> create
> > it
> > >> > for
> > >> > >> you because of the new Apache restrictions). So you can create
> the
> > PR
> > >> > for
> > >> > >> MVC in TomEE.
> > >> > >>
> > >> > >> What do you think?
> > >> > >>
> > >> > >> --
> > >> > >> Jean-Louis Monteiro
> > >> > >> http://twitter.com/jlouismonteiro
> > >> > >> http://www.tomitribe.com
> > >> > >>
> > >> > >>
> > >> > >> On Wed, Jan 4, 2023 at 9:34 PM Zoltán Tichov <
> > >> zoltan.tic...@gmail.com>
> > >> > >> wrote:
> > >> > >>
> > >> > >>> Hi!
> > >> > >>>
> > >> > >>> I could help, but I have a task, which I'm not ready yet ( put
> > >> jakarta
> > >> > >> mvc
> > >> > >>> 2.0 and tck in tomee).
> > >> > >>> What to do with this task?
> > >> > >>>
> > >> > >>> I also have two pending pull requests, should I synchron

Re: Post TomEE 9.0.0 final release

2023-01-06 Thread Jonathan Gallimore
Can you let me know your JIRA username?

Thanks

Jon

On Fri, 6 Jan 2023, 19:14 Jonathan Gallimore, 
wrote:

> Yes. I'll see if I can assign that to you.
>
> Jon
>
> On Fri, 6 Jan 2023, 18:15 Zoltán Tichov,  wrote:
>
>> Hi!
>>
>> Can I choose the Jakarta Faces TCK?
>>
>> Thanks:
>> Zoltán
>>
>>
>> On Fri, Jan 6, 2023 at 1:06 AM David Blevins 
>> wrote:
>>
>> > > On Jan 5, 2023, at 11:11 AM, Zoltán Tichov 
>> > wrote:
>> > >
>> > > Hi!
>> > >
>> > > Be it as you wrote. What should I do now?
>> >
>> > If you want to help learn & setup the new standalone TCKs, that’d be a
>> > fantastic way to contribute.  Basically, any of the ones in this list
>> that
>> > isn’t already assigned is up for grabs.
>> >
>> >  - https://issues.apache.org/jira/browse/TOMEE-4155
>> >
>> > If that sounds interesting, pick a TCK and someone can assign you the
>> JIRA.
>> >
>> > Most of these TCKs were in the main Jakarta EE TCK and were completely
>> > reworked.  Spec teams were allowed to use any testing framework or
>> approach
>> > they liked, so we’re all starting from zero on how these new TCKs work.
>> > One of the rare situations where there isn’t someone who knows how they
>> > work and can provide help -- we’re all newbies on these new TCKs.
>> >
>> > Previously the only standalone TCKs were bean validation, CDI and the
>> > MicroProfile TCKs.  They all live here:
>> >
>> >  - https://github.com/apache/tomee/tree/main/tck
>> >
>> > We should probably put all the new TCK setups there until we decide
>> > otherwise.
>> >
>> >
>> > -David
>> >
>> > >
>> > > On Wed, Jan 4, 2023 at 9:41 PM Jean-Louis Monteiro <
>> > jlmonte...@tomitribe.com>
>> > > wrote:
>> > >
>> > >> I think first, we should get the 2 PRs in. From experience, delaying
>> > them
>> > >> makes it frustrating and painful because you have to rebase all the
>> > time.
>> > >>
>> > >> Then create a new issue assigned to version 10.x (or we can create it
>> > for
>> > >> you because of the new Apache restrictions). So you can create the PR
>> > for
>> > >> MVC in TomEE.
>> > >>
>> > >> What do you think?
>> > >>
>> > >> --
>> > >> Jean-Louis Monteiro
>> > >> http://twitter.com/jlouismonteiro
>> > >> http://www.tomitribe.com
>> > >>
>> > >>
>> > >> On Wed, Jan 4, 2023 at 9:34 PM Zoltán Tichov <
>> zoltan.tic...@gmail.com>
>> > >> wrote:
>> > >>
>> > >>> Hi!
>> > >>>
>> > >>> I could help, but I have a task, which I'm not ready yet ( put
>> jakarta
>> > >> mvc
>> > >>> 2.0 and tck in tomee).
>> > >>> What to do with this task?
>> > >>>
>> > >>> I also have two pending pull requests, should I synchronize them
>> with
>> > the
>> > >>> new main branch?
>> > >>>
>> > >>> https://github.com/apache/tomee/pull/990
>> > >>> https://github.com/apache/tomee/pull/962
>> > >>>
>> > >>> Thanks:
>> > >>> Zoltán
>> > >>>
>> > >>>
>> > >>> On Wed, Jan 4, 2023 at 9:12 PM Jean-Louis Monteiro <
>> > >>> jlmonte...@tomitribe.com>
>> > >>> wrote:
>> > >>>
>> > >>>> Hi all,
>> > >>>>
>> > >>>> Looks like the TomEE 9.0.0 final release is in good shape and the
>> vote
>> > >> is
>> > >>>> about to pass. Awesome.
>> > >>>>
>> > >>>> I'm already looking forward to TomEE 10.x. To that regard, I
>> created a
>> > >>>> branch for 9.x maintenance already. Moved main to 10.0.0-SNAPSHOT.
>> I
>> > >>>> upgraded Tomcat already and I'm looking to upgrade CXF to its
>> latest
>> > >>>> jakarta version. I decided to remove all the shading and patching
>> all
>> > >>>> together so we get back to a Maven based dependency. We can cherry
>> > pick
>> > >>> on
>> > >>>> demand or even contribute to CXF if they are willing to accept the
>> > >>>> contributions.
>> > >>>>
>> > >>>> Here are a set of small actions before we enter into the actual
>> game
>> > of
>> > >>>> supporting Jakarta EE 10 and MicroProfile 6.0
>> > >>>>
>> > >>>> TODOs:
>> > >>>> - create jobs for TomEE 9.x maintenance
>> > >>>> - update tomee-tck to create a new branch for 10.x
>> > >>>> - update tomee-tck
>> > >>>> - release 9.1 API final (we have M2 for 9.0.0 final which is ok,
>> but
>> > we
>> > >>>> should release it so next time it's included).
>> > >>>> - create 10.x API and release a M1
>> > >>>>
>> > >>>> Who can help on what?
>> > >>>> Creating a JIRA with sub tasks so we can track the work to do and
>> > >>>> coordinate is also a good contribution.
>> > >>>>
>> > >>>> --
>> > >>>> Jean-Louis Monteiro
>> > >>>> http://twitter.com/jlouismonteiro
>> > >>>> http://www.tomitribe.com
>> > >>>>
>> > >>>
>> > >>
>> >
>> >
>>
>


Re: Post TomEE 9.0.0 final release

2023-01-06 Thread Jonathan Gallimore
Yes. I'll see if I can assign that to you.

Jon

On Fri, 6 Jan 2023, 18:15 Zoltán Tichov,  wrote:

> Hi!
>
> Can I choose the Jakarta Faces TCK?
>
> Thanks:
> Zoltán
>
>
> On Fri, Jan 6, 2023 at 1:06 AM David Blevins 
> wrote:
>
> > > On Jan 5, 2023, at 11:11 AM, Zoltán Tichov 
> > wrote:
> > >
> > > Hi!
> > >
> > > Be it as you wrote. What should I do now?
> >
> > If you want to help learn & setup the new standalone TCKs, that’d be a
> > fantastic way to contribute.  Basically, any of the ones in this list
> that
> > isn’t already assigned is up for grabs.
> >
> >  - https://issues.apache.org/jira/browse/TOMEE-4155
> >
> > If that sounds interesting, pick a TCK and someone can assign you the
> JIRA.
> >
> > Most of these TCKs were in the main Jakarta EE TCK and were completely
> > reworked.  Spec teams were allowed to use any testing framework or
> approach
> > they liked, so we’re all starting from zero on how these new TCKs work.
> > One of the rare situations where there isn’t someone who knows how they
> > work and can provide help -- we’re all newbies on these new TCKs.
> >
> > Previously the only standalone TCKs were bean validation, CDI and the
> > MicroProfile TCKs.  They all live here:
> >
> >  - https://github.com/apache/tomee/tree/main/tck
> >
> > We should probably put all the new TCK setups there until we decide
> > otherwise.
> >
> >
> > -David
> >
> > >
> > > On Wed, Jan 4, 2023 at 9:41 PM Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com>
> > > wrote:
> > >
> > >> I think first, we should get the 2 PRs in. From experience, delaying
> > them
> > >> makes it frustrating and painful because you have to rebase all the
> > time.
> > >>
> > >> Then create a new issue assigned to version 10.x (or we can create it
> > for
> > >> you because of the new Apache restrictions). So you can create the PR
> > for
> > >> MVC in TomEE.
> > >>
> > >> What do you think?
> > >>
> > >> --
> > >> Jean-Louis Monteiro
> > >> http://twitter.com/jlouismonteiro
> > >> http://www.tomitribe.com
> > >>
> > >>
> > >> On Wed, Jan 4, 2023 at 9:34 PM Zoltán Tichov  >
> > >> wrote:
> > >>
> > >>> Hi!
> > >>>
> > >>> I could help, but I have a task, which I'm not ready yet ( put
> jakarta
> > >> mvc
> > >>> 2.0 and tck in tomee).
> > >>> What to do with this task?
> > >>>
> > >>> I also have two pending pull requests, should I synchronize them with
> > the
> > >>> new main branch?
> > >>>
> > >>> https://github.com/apache/tomee/pull/990
> > >>> https://github.com/apache/tomee/pull/962
> > >>>
> > >>> Thanks:
> > >>> Zoltán
> > >>>
> > >>>
> > >>> On Wed, Jan 4, 2023 at 9:12 PM Jean-Louis Monteiro <
> > >>> jlmonte...@tomitribe.com>
> > >>> wrote:
> > >>>
> > >>>> Hi all,
> > >>>>
> > >>>> Looks like the TomEE 9.0.0 final release is in good shape and the
> vote
> > >> is
> > >>>> about to pass. Awesome.
> > >>>>
> > >>>> I'm already looking forward to TomEE 10.x. To that regard, I
> created a
> > >>>> branch for 9.x maintenance already. Moved main to 10.0.0-SNAPSHOT. I
> > >>>> upgraded Tomcat already and I'm looking to upgrade CXF to its latest
> > >>>> jakarta version. I decided to remove all the shading and patching
> all
> > >>>> together so we get back to a Maven based dependency. We can cherry
> > pick
> > >>> on
> > >>>> demand or even contribute to CXF if they are willing to accept the
> > >>>> contributions.
> > >>>>
> > >>>> Here are a set of small actions before we enter into the actual game
> > of
> > >>>> supporting Jakarta EE 10 and MicroProfile 6.0
> > >>>>
> > >>>> TODOs:
> > >>>> - create jobs for TomEE 9.x maintenance
> > >>>> - update tomee-tck to create a new branch for 10.x
> > >>>> - update tomee-tck
> > >>>> - release 9.1 API final (we have M2 for 9.0.0 final which is ok, but
> > we
> > >>>> should release it so next time it's included).
> > >>>> - create 10.x API and release a M1
> > >>>>
> > >>>> Who can help on what?
> > >>>> Creating a JIRA with sub tasks so we can track the work to do and
> > >>>> coordinate is also a good contribution.
> > >>>>
> > >>>> --
> > >>>> Jean-Louis Monteiro
> > >>>> http://twitter.com/jlouismonteiro
> > >>>> http://www.tomitribe.com
> > >>>>
> > >>>
> > >>
> >
> >
>


Re: Post TomEE 9.0.0 final release

2023-01-06 Thread Jonathan Gallimore
I was pretty interested in this too. I'll pick one of the JIRA and have a
look.

Jon

On Fri, Jan 6, 2023 at 2:24 PM Jean-Louis Monteiro 
wrote:

> I worked on BVal and CDI and we have work to do for both before we can
> merge the corresponding PRs.
>
> I looked at other candidates and it looks like many are still using the old
> school approach.
> Currently I'm downloading Concurrency TCK because it seems it's Arquillian
> based and standalone now.
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Fri, Jan 6, 2023 at 1:06 AM David Blevins 
> wrote:
>
> > > On Jan 5, 2023, at 11:11 AM, Zoltán Tichov 
> > wrote:
> > >
> > > Hi!
> > >
> > > Be it as you wrote. What should I do now?
> >
> > If you want to help learn & setup the new standalone TCKs, that’d be a
> > fantastic way to contribute.  Basically, any of the ones in this list
> that
> > isn’t already assigned is up for grabs.
> >
> >  - https://issues.apache.org/jira/browse/TOMEE-4155
> >
> > If that sounds interesting, pick a TCK and someone can assign you the
> JIRA.
> >
> > Most of these TCKs were in the main Jakarta EE TCK and were completely
> > reworked.  Spec teams were allowed to use any testing framework or
> approach
> > they liked, so we’re all starting from zero on how these new TCKs work.
> > One of the rare situations where there isn’t someone who knows how they
> > work and can provide help -- we’re all newbies on these new TCKs.
> >
> > Previously the only standalone TCKs were bean validation, CDI and the
> > MicroProfile TCKs.  They all live here:
> >
> >  - https://github.com/apache/tomee/tree/main/tck
> >
> > We should probably put all the new TCK setups there until we decide
> > otherwise.
> >
> >
> > -David
> >
> > >
> > > On Wed, Jan 4, 2023 at 9:41 PM Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com>
> > > wrote:
> > >
> > >> I think first, we should get the 2 PRs in. From experience, delaying
> > them
> > >> makes it frustrating and painful because you have to rebase all the
> > time.
> > >>
> > >> Then create a new issue assigned to version 10.x (or we can create it
> > for
> > >> you because of the new Apache restrictions). So you can create the PR
> > for
> > >> MVC in TomEE.
> > >>
> > >> What do you think?
> > >>
> > >> --
> > >> Jean-Louis Monteiro
> > >> http://twitter.com/jlouismonteiro
> > >> http://www.tomitribe.com
> > >>
> > >>
> > >> On Wed, Jan 4, 2023 at 9:34 PM Zoltán Tichov  >
> > >> wrote:
> > >>
> > >>> Hi!
> > >>>
> > >>> I could help, but I have a task, which I'm not ready yet ( put
> jakarta
> > >> mvc
> > >>> 2.0 and tck in tomee).
> > >>> What to do with this task?
> > >>>
> > >>> I also have two pending pull requests, should I synchronize them with
> > the
> > >>> new main branch?
> > >>>
> > >>> https://github.com/apache/tomee/pull/990
> > >>> https://github.com/apache/tomee/pull/962
> > >>>
> > >>> Thanks:
> > >>> Zoltán
> > >>>
> > >>>
> > >>> On Wed, Jan 4, 2023 at 9:12 PM Jean-Louis Monteiro <
> > >>> jlmonte...@tomitribe.com>
> > >>> wrote:
> > >>>
> > >>>> Hi all,
> > >>>>
> > >>>> Looks like the TomEE 9.0.0 final release is in good shape and the
> vote
> > >> is
> > >>>> about to pass. Awesome.
> > >>>>
> > >>>> I'm already looking forward to TomEE 10.x. To that regard, I
> created a
> > >>>> branch for 9.x maintenance already. Moved main to 10.0.0-SNAPSHOT. I
> > >>>> upgraded Tomcat already and I'm looking to upgrade CXF to its latest
> > >>>> jakarta version. I decided to remove all the shading and patching
> all
> > >>>> together so we get back to a Maven based dependency. We can cherry
> > pick
> > >>> on
> > >>>> demand or even contribute to CXF if they are willing to accept the
> > >>>> contributions.
> > >>>>
> > >>>> Here are a set of small actions before we enter into the actual game
> > of
> > >>>> supporting Jakarta EE 10 and MicroProfile 6.0
> > >>>>
> > >>>> TODOs:
> > >>>> - create jobs for TomEE 9.x maintenance
> > >>>> - update tomee-tck to create a new branch for 10.x
> > >>>> - update tomee-tck
> > >>>> - release 9.1 API final (we have M2 for 9.0.0 final which is ok, but
> > we
> > >>>> should release it so next time it's included).
> > >>>> - create 10.x API and release a M1
> > >>>>
> > >>>> Who can help on what?
> > >>>> Creating a JIRA with sub tasks so we can track the work to do and
> > >>>> coordinate is also a good contribution.
> > >>>>
> > >>>> --
> > >>>> Jean-Louis Monteiro
> > >>>> http://twitter.com/jlouismonteiro
> > >>>> http://www.tomitribe.com
> > >>>>
> > >>>
> > >>
> >
> >
>


Re: [VOTE] Apache TomEE 9.0.0

2023-01-05 Thread Jonathan Gallimore
+1, with the note that we seem to have a number of bcprov jars included:

* bcprov-jdk15on-1.70.jar
* bcprov-jdk15to18-1.70.jar
* bcprov-jdk18on-1.71.jar

Not sure if that is intended, but maybe needs some cleanup for the next
release.

Jon

On Tue, Jan 3, 2023 at 9:53 AM Jean-Louis Monteiro 
wrote:

> Hi all,
>
> I'm very proud to call a vote for Apache TomEE 9.0.0 final. It's been
> almost a year since we certified the server using a bytecode enhancement
> approach. Even though it worked, it introduced a lot of restrictions
> especially with tooling (IDE, Arquillian, Embedded container, etc).
>
> We started migrating the entire server to the new jakarta namespace and the
> 9.0.0 final is the result of such work. We fully passed the entire TCK for
> Jakarta EE 9.1 and cherry on the cake, we decided to address a long time
> request to support a newer version of MicroProfile. So I'm pleased to also
> announce that this version is fully MicroProfile 5.0 compliant.
>
> - Sources
> https://dist.apache.org/repos/dist/dev/tomee/tomee_staging-1210/
>
> - Maven staging repository
> https://repository.apache.org/content/repositories/orgapachetomee-1210
>
> - Signing keys
> https://dist.apache.org/repos/dist/release/tomee/KEYS
>
> - Changelog since last milestone
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12350136
> Sub-task
> 
>
>- [TOMEE-3883 ] -
>Update example 'mvc-resteasy' to use Server/API Bom - master branch
>- [TOMEE-3950 ] -
>Support for JWT token cookies
>- [TOMEE-3951 ] - JWT
>token groups claim is now optional
>- [TOMEE-3952 ] -
>Deprecate RSA keys of 1024 bit length
>
> Bug
>
>- [TOMEE-4065 ] -
>LoginToContinue interceptor fails on custom auth mechanism
>- [TOMEE-4117 ] -
>MicroProfile OpenAPI not generating model
>- [TOMEE-4119 ] -
>TomEEJsonbProvider triggered for */* mime types
>- [TOMEE-4135 ] -
>Unable to see TomEE version in Tomcat home page with Java 17
>
> New Feature
>
>- [TOMEE-3946 ] -
>MicroProfile JWT 2.0
>- [TOMEE-4050 ] -
>Retry and Refresh for MP JWT keys supplied via HTTP
>- [TOMEE-4068 ] -
>MicroProfile 5.0
>- [TOMEE-4069 ] -
>MicroProfile Config 3.0
>- [TOMEE-4070 ] -
>MicroProfile Fault Tolerance 4.0
>- [TOMEE-4071 ] -
>MicroProfile Health 4.0
>- [TOMEE-4072 ] -
>MicroProfile Metrics 4.0
>- [TOMEE-4073 ] -
>MicroProfile Rest Client 3.0
>- [TOMEE-4074 ] -
>MicroProfile OpenAPI 3.0
>- [TOMEE-4075 ] -
>MicroProfile OpenTracing 3.0
>- [TOMEE-4076 ] -
>Public Keys in OpenSSH format
>- [TOMEE-4077 ] -
>Public Keys in SSH2 format
>- [TOMEE-4078 ] - RSA
>keys PKCS 1 format
>- [TOMEE-4079 ] -
>Elliptic Curve JWS and JWE
>- [TOMEE-4123 ] -
>Implement @AroundConstruct from Interceptor 1.2
>
> Improvement
>
>- [TOMEE-4080 ] -
>Improved Logging for Public and Private Key resolution
>- [TOMEE-4124 ] -
>Remove timing of timing just for logging
>
> Task
>
>- [TOMEE-3915 ] - Fix
>Post release pom versioning for Master branch
>
> Dependency upgrade
>
>- [TOMEE-4081 ] -
>Jackson 2.13.4
>- [TOMEE-4082 ] -
>Woodstox 6.2.6
>- [TOMEE-4103 ] -
>Update woodstox-core to mitigate CVE-2022-40153
>- [TOMEE-4107 ] -
>Jackson 2.14.0
>- [TOMEE-4109 

Re: [VOTE] Apache TomEE Patch Plugin 0.10

2023-01-05 Thread Jonathan Gallimore
+1.

Jon

On Mon, Jan 2, 2023 at 11:32 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi,
>
> I'd like to vote Apache TomEE Patch Plugin 0.10 up for vote. The changes
> are fairly minimal and consist of patching the source jar so that IDE isn't
> lost. This release is required so we can then quickly push 9.0.0 final.
>
> Changes:
>
> - TOMEE-4136 Support sources patching
>
> Sources:
>
>
> https://dist.apache.org/repos/dist/dev/tomee/tomee-patch-plugin_staging-1209/
>
> Staging Nexus Repository:
>
> https://repository.apache.org/content/repositories/orgapachetomee-1209
>
> Tag:
>
> https://github.com/apache/tomee-patch-plugin/tree/tomee-patch-parent-0.10
>
> Please vote to approve this release:
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> Jean-Louis
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


MP Metrics 5

2022-11-17 Thread Jonathan Gallimore
Hi

I've been enjoying participating in the MicroProfile Metrics spec group,
working on version 5 of the spec which is part of MicroProfile 6.
Additionally, I have worked with some of the participants on SmallRye
metrics to implement this - as you may recall we have switched over to
SmallRye to implement the majority of MP specs.

MP5 implementations can (and the SmallRye one does) use Micrometer as the
basis for metrics. A few things have been removed from the API, but the
annotations from previous versions of MP Metrics are still there - it's just
a Micrometer based implementation. This does bring some additional
functionality, in particular around the ability to push metrics to other
backends such as Graphite/Grafana and Elastic, for example, as opposed to
just a pull using the Prometheus-based /metrics endpoint. Micrometer has
about 20 backends and they should all work with this implementation. I
can't test them all, so if you do have the chance to try out with one of
the others and run into issues please do shout.

A PR for main should be incoming today. I'd love for us to be able to cut a
release and be named as a compatible implementation on the spec's CCR, it
would be a fantastic milestone for us.

As a side-note: if you're ever interested in participating on a
specification, I would really recommend MicroProfile. The barrier for entry
is low (just show up :-) ) and the community is very welcoming. In metrics,
for example, you wouldn't need to be a metrics expert, or an app server
expert. Providing a view from a consumer's perspective would be a very
positive contribution.

Jon


TOMEE-4112 - EAR file CDI type resolution performance regression

2022-11-17 Thread Jonathan Gallimore
Hi folks

I've had a situation where if a component in the webapp part of an
EAR-based application performs a lookup programmatically to a CDI bean, and
that bean belongs to the EJB part of the EAR application, there's a
performance issue, versus older versions of TomEE. Essentially the OWB code
in older versions used to cache resolution by type when it was both
successful, and unsuccessful. More recently, only successful lookups are
cached.

The InjectionResolver is wrapped by a WebappInjectionResolver. This will
attempt to lookup by type in the webapp bean archives. If the bean cannot
be resolved here (because it is part of the EJB module),
WebappInjectionResolver will then look it up in the parent (which will
succeed).

InjectionResolver caches the lookups, but doesn't cache lookup failures
(previously it did). The impact is that each time the lookup happens,
WebappInjectionResolver will attempt to resolve (and fail) the bean in the
webapp archives first, without looking at the cache.

This can lead to a significant performance issue, depending on the number
of beans in the archives. I have measured it as 1000 TPS vs 6 TPS.

The PR I have created introduces a parameter to enable the lookup
resolution failure cache: openejb.cache.cdi-type-resolution-failure. This
is off by default, and one should only turn it on if they are affected by
this, and are looking for the same behaviour as TomEE 1.7.x.

Jon
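
The lookup path described in the TOMEE-4112 message above, as an added example (not code from TomEE, OpenWebBeans or the PR): a webapp-level resolver that is tried first and a parent resolver that holds the bean, with the failure cache switchable. `ArchiveResolver`, `WebappResolver`, `OrderService`, the `cacheFailures` flag (standing in for `openejb.cache.cdi-type-resolution-failure`) and the archive size of 5,000 candidates are hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class ResolutionFailureCacheDemo {

    /** Hypothetical stand-in for a resolver that scans one set of bean archives. */
    static final class ArchiveResolver {
        private final Map<Class<?>, Object> beans;   // beans these archives can supply
        private final int archiveSize;               // candidates walked per uncached scan
        private final boolean cacheFailures;         // also remember "not found here"
        private final Map<Class<?>, Optional<Object>> cache = new ConcurrentHashMap<>();
        private long candidatesScanned;

        ArchiveResolver(Map<Class<?>, Object> beans, int archiveSize, boolean cacheFailures) {
            this.beans = beans;
            this.archiveSize = archiveSize;
            this.cacheFailures = cacheFailures;
        }

        Object resolve(Class<?> type) {
            Optional<Object> cached = cache.get(type);
            if (cached != null) {
                // Cache hit: either a bean or a remembered failure (empty Optional).
                return cached.orElse(null);
            }
            // Cache miss: pay for a full scan of the archives (simulated by a counter).
            candidatesScanned += archiveSize;
            Object bean = beans.get(type);
            // Successes are always cached; failures only when the option is on.
            if (bean != null || cacheFailures) {
                cache.put(type, Optional.ofNullable(bean));
            }
            return bean;
        }

        long candidatesScanned() {
            return candidatesScanned;
        }
    }

    /** Tries the webapp archives first, then falls back to the parent (EJB module). */
    static final class WebappResolver {
        private final ArchiveResolver webapp;
        private final ArchiveResolver parent;

        WebappResolver(ArchiveResolver webapp, ArchiveResolver parent) {
            this.webapp = webapp;
            this.parent = parent;
        }

        Object resolve(Class<?> type) {
            Object bean = webapp.resolve(type);
            return bean != null ? bean : parent.resolve(type);
        }
    }

    /** Constructed sample bean that lives only in the EJB part of the EAR. */
    static final class OrderService {
    }

    /** Runs repeated programmatic lookups and reports the work done in the webapp archives. */
    static long webappScansFor(int lookups, boolean cacheFailures) {
        ArchiveResolver webapp =
                new ArchiveResolver(Map.<Class<?>, Object>of(), 5_000, cacheFailures);
        ArchiveResolver ejbModule = new ArchiveResolver(
                Map.<Class<?>, Object>of(OrderService.class, new OrderService()),
                5_000, cacheFailures);
        WebappResolver resolver = new WebappResolver(webapp, ejbModule);

        for (int i = 0; i < lookups; i++) {
            if (resolver.resolve(OrderService.class) == null) {
                throw new IllegalStateException("bean should resolve via the parent");
            }
        }
        return webapp.candidatesScanned();
    }

    public static void main(String[] args) {
        System.out.println("failure cache off, candidates scanned in webapp: "
                + webappScansFor(1_000, false));
        System.out.println("failure cache on,  candidates scanned in webapp: "
                + webappScansFor(1_000, true));
    }
}
```

With the failure cache off, every lookup repeats the failed scan of the webapp archives before the parent's cached success is reached; with it on, that scan happens once.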


Re: [VOTE] Apache TomEE 9.0.0.RC1 - staging repo 1208

2022-11-02 Thread Jonathan Gallimore
+1

Jon

On Mon, Oct 31, 2022 at 10:06 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi all,
>
> As discussed, here is the vote for Apache TomEE 9.0.0.RC1. This is a
> release candidate implementing Jakarta EE 9.1 and MicroProfile 5. It is
> fully passing MicroProfile 5 TCK and only has a few failures for Jakarta
> TCK, hence the release candidate.
>
> This is a jakarta namespace compatible version. And it will result in a
> final version as soon as we can get the few TCK failures fixed.
>
> Binaries and sources
> https://dist.apache.org/repos/dist/dev/tomee/staging-1208/
>
> Staging repository
> https://repository.apache.org/content/repositories/orgapachetomee-1208
>
> CI last green build
> https://ci-builds.apache.org/job/Tomee/job/master-build-full/797/
>
> Releases notes
> = Apache TomEE 9.0.0.RC1 Release Notes
> :index-group: Release Notes
> :jbake-type: page
> :jbake-status: published
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100] XBean 4.22
>  - link:https://issues.apache.org/jira/browse/TOMEE-4083[TOMEE-4083] Commons CLI 1.5.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4037[TOMEE-4037] Eclipse Mojarra 3.0.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4036[TOMEE-4036] EclipseLink 3.0.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-3980[TOMEE-3980] HSQLDB 2.7.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4039[TOMEE-4039] Hibernate 6.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4093[TOMEE-4093] Hibernate 6.1.4.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4038[TOMEE-4038] Jackson 2.13.4
>  - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4097[TOMEE-4097] MicroProfile Fault Tolerance API 4.0.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4098[TOMEE-4098] MicroProfile Health API 4.0.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4099[TOMEE-4099] MicroProfile Rest Client API 3.0.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-3999[TOMEE-3999] MyFaces 3.0.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054] Snakeyaml 1.33
>  - link:https://issues.apache.org/jira/browse/TOMEE-3831[TOMEE-3831] TomEE should support library asm9.1 support fully Java 17
>  - link:https://issues.apache.org/jira/browse/TOMEE-4040[TOMEE-4040] Tomcat 10.0.23
>  - link:https://issues.apache.org/jira/browse/TOMEE-4096[TOMEE-4096] Tomcat 10.0.27
>  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
>  - link:https://issues.apache.org/jira/browse/TOMEE-4006[TOMEE-4006] slf4j 1.7.36
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101] Typo with EL22Adaptor implementation in openwebbeans.properties
>  - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102] TomEE logs SEVERE: Expected ContextBinding to have the method getThreadName()
>  - link:https://issues.apache.org/jira/browse/TOMEE-4032[TOMEE-4032] Class cast Exception when undeploying application with @PostConstruct LifeCycle
>  - link:https://issues.apache.org/jira/browse/TOMEE-3795[TOMEE-3795] Proxy class definition does not work in Java 17+
>  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
>  - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
>  - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
>
> == Task
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
>  - link:https://issues.apache.org/jira/browse/TOMEE-4028[TOMEE-4028] Replace cucumber shading and replace with cucumber-jakarta-openejb
>  - link:https://issues.apache.org/jira/browse/TOMEE-4035[TOMEE-4035] Upgrade SmallRye, Jackson and others
>  - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
>  - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
>
> == Documentation
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023]
> 

Re: [HELP] Build times for Infra

2022-10-14 Thread Jonathan Gallimore
Taking the commands very literally, the timings for 2 machines here are
below. I'm curious though - are there any JAVA_OPTS or MAVEN_OPTS we should
use here (e.g. max heap)? The slower machine here seems to be running at an
absolute crawl 2/3rds of the way through the build here with the default
settings. The result below is after a reboot and MAVEN_OPTS="-Xmx4g".

Laptop (WSL2/Ubuntu on Windows 11, i7-12700H, 32GB Ram):

[INFO]

[INFO] BUILD FAILURE
[INFO]

[INFO] Total time:  01:36 h
[INFO] Finished at: 2022-10-14T11:10:08+01:00
[INFO]


Dell Optiplex 7040 "Server" machine (Ubuntu 20.04.5 LTS, i7-6700T, 16GB
Ram):

[INFO] BUILD FAILURE
[INFO]

[INFO] Total time:  01:57 h
[INFO] Finished at: 2022-10-14T15:16:58+01:00
[INFO]


On Fri, Oct 14, 2022 at 12:13 AM David Blevins 
wrote:

> Alright, here are some build times for the runs I've done.  Results are
> quite varied.
>
> c1.xlarge : [INFO] Total time:  03:59 h
> t2.medium : [INFO] Total time:  05:05 h
> t2.xlarge : [INFO] Total time:  02:30 h
> t3.medium : [INFO] Total time:  03:21 h
> my.laptop : [INFO] Total time:  01:56 h
>
> Specs for the AWS instances are public.  Here are the stats for my laptop:
>
> MacBook Pro (16-inch, 2019)
> 2.4 GHz 8-Core Intel Core i9
> Memory 64 GB 2667 MHz DDR4
>
> I did try some other AWS instance types, but anything with 2GB or less
> failed due to out of memory issues.  I'd be interested to try some other
> types, particularly the AMD-based types.
>
> Anyway long story short: yes, our build could be faster with better
> hardware.  Just not very clear what that hardware should be.
>
>
> -David
>
>
> > On Oct 11, 2022, at 3:05 PM, David Blevins  wrote:
> >
> > All,
> >
> > I'm collecting some stats on how long it takes to run our full build
> > exactly as Jenkins does.  The goal is to work with them to see if we can
> > get some better hardware -- I assume that will require donations, etc.
> >
> > If you'd like to help in collecting data, here's the script I'm running:
> >
> > - curl https://gist.githubusercontent.com/dblevins/b39cc3300bcdd89b426ca33b87b5452b/raw/7c68d4df71e9246c8bf2d0a741f8b145ca5d0820/buildtime.sh | bash
> >
> > Send the time reported in the build.log along with your system
> > information (os, number of cores, if your disk is an SSD, etc)
> >
> >
> > --
> > David Blevins
> > http://twitter.com/dblevins
> > http://www.tomitribe.com
> >
>
>


Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-10 Thread Jonathan Gallimore
> Not only is it ridiculous to have two JSON processing stacks coexisting
> in TomEE, but also, looking at
> https://mvnrepository.com/artifact/org.apache.johnzon/johnzon-core, there
> was no CVE on Johnzon for the past 5 years; versus a huge number of CVE on
> Jackson for the same period:
> https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind

I did flag this up on the ActiveMQ dev list again, so there is some
discussion going on there. I did dig into what in ActiveMQ actually uses
Jackson, and I'm not sure it's very much:

* DestinationsViewFilter
* PartitionBrokerPlugin
* ZooKeeperPartitionBroker
* Partition & Target classes
* PersistenceAdapterView

I don't think the partition and zookeeper stuff is relevant in the context
of what is embedded in TomEE, and the rest looks like a couple of things
that are exposed as stats via JMX. One option (which I'll look at) might be
to just "drop" Jackson from the build artifact and see what, if anything,
actually breaks.

In terms of the release, I'd be in favour of going ahead, and following up
with 8.0.14 quickly if the updated dependencies are released. We tend to
wait for dependencies which makes our release cadence slower.

1: (a)
2: (b)

Thanks

Jon


On Sun, Oct 9, 2022 at 12:11 PM Alex The Rocker 
wrote:

> Hello,
>
> Regarding # (1): CVE-2022-42003 (jackson-databind), given that the
> only reason for having Jackson in TomEE is because of embedded TomEE;
> so the discussion here
> https://lists.apache.org/thread/ttmdc4l9z9oz9lqw3cd22sjdz451dh25 to
> replace Jackson by the Apache Johnzon (which is already part of TomEE)
> should really move on.
> Not only is it ridiculous to have two JSON processing stacks
> coexisting in TomEE, but also, looking at
> https://mvnrepository.com/artifact/org.apache.johnzon/johnzon-core,
> there was no CVE on Johnzon for the past 5 years; versus a huge
> number of CVE on Jackson for the same period:
>
> https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
>
> Regarding "# (2): CVE-2022-41853 (hsqldb)", I vote for solution (b)
> (Add the workaround (via java args) to our startup scripts and go
> for the release), because it helps avoid further delay in releasing
> 8.0.3, and it's better than (c) because TomEE will be "secure by
> default".
>
> Those were my 2 cents,
> Alex
>
> On Sun, 9 Oct 2022 at 09:44, Richard Zowalla  wrote:
> >
> > Hi all,
> >
> > I think, that we are soon in a good state to do a 8.0.13.
> >
> > However, there are some open points for which I want to get the
> > community's opinion.
> >
> > # (1): CVE-2022-42003 (jackson-databind)
> >
> > There is one CVE related to jackson-databind:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2022-42003 (before 2.14.0-rc1)
> >
> > Users are only affected, if 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to
> > enabled [1]. AFAIK, we do not enable that feature by default.
> >
> > There is an ongoing discussion about 2.14.0 final on their list but it
> > seems that it will be late October / mid November until they will
> > release that artifact.
> >
> > Question(s) to discuss is:
> >
> > (a) Do we want to ship a release with a RC version?
> > (b) Do we want to wait for 2.14.0.Final?
> > (c) Do we want to ship with 2.13.4 instead + adding a related section
> > to our release notes?
> >
> > # (2): CVE-2022-41853 (hsqldb)
> >
> > In addition, there is CVE-2022-41853, which affects HSQLDB < 2.7.1.
> > 2.7.1 isn't available yet [2]. A workaround is to set a related system
> > property to mitigate the behaviour.
> >
> > Question(s) to discuss is:
> >
> > (a) Do we want to wait for a 2.7.1 release before doing 8.0.13 (AFAIK,
> > no ETA yet)
> > (b) Add the workaround (via java args) to our startup scripts and go
> > for the release
> > (c) Ship with 2.7.0 + adding a related section to our release notes?
> >
> > Keep in mind: If we do not update to the "official" fix version (even
> > if we add related infos on our release note or mitigate via the
> > official workaround), automated security scanners will complain about
> > it and ops / security people will wonder about it.
> >
> > Happy to receive feedback on these questions, so we can continue.
> >
> > Regards
> > Richard
> >
> >
> >
> >
> > [1] https://github.com/FasterXML/jackson/discussions/126#discussioncomment-3815395
> > [2] https://github.com/advisories/GHSA-77xx-rxvh-q682
> >
> >
> >
> >
>


Re: Thoughts : include Krazo and DeltaSpike out-of-the-box in Plume flavor

2022-10-04 Thread Jonathan Gallimore
I'm a +1 for Krazo, in fact I think MVC is now part of the spec so it's
needed. It _might_ have already been done. I'm a little more on the fence
for Deltaspike. I really like it, and use it in my own projects. My
question would be, what other dependencies does it bring in, and what is
the overall impact in terms of the size of the distribution?

We can't ship Hibernate due to its license.

> When I teach my students they add Spring to their Tomcat install to gain
> the automatic Repositories capabilities.

I'm curious, is that being added as an application dependency, so directly
to Tomcat (in the lib directory, for example)? I wonder if we're seeing a
lot of Spring Initializr use, and whether something like that for TomEE may
be useful?

Jon

On Tue, Oct 4, 2022 at 10:05 AM Swell  wrote:

> Hello everyone,
>
> firstly thanks for the amazing work on microprofile.
>
> I would like to share some thoughts on the Plume flavor dedicated to
> attract newcomers to TomEE.
>
> Is there room for us to include Krazo and DeltaSpike out-of-the-box, maybe
> not in all flavors, but at least in Plume ?
>
> When I teach my students they add Spring to their Tomcat install to gain
> the automatic Repositories capabilities.
> Doing so they do not need the EJB container, nor Krazo and DeltaSpike.
> since they gain Spring Controllers and Repositories with equivalent
> features.
>
> When they must add a dependency to their app they prefer to add Spring,
> which does not train the future IT pros to start using TomEE.
>
> Having Krazo, DeltaSpike and Hibernate included in Plume might attract more
> devs towards Apache solutions.
>
> If given permission, I could start a PR with added dependencies.
>
> thanks for your time.
> have a nice week,
> Swell
> --
>


Re: Cut a 8.0.13?

2022-09-29 Thread Jonathan Gallimore
+1. And yes, this will include the fix to mitigate CVE-2021-43980.

Jon

On Wed, Sep 28, 2022 at 6:45 PM Alex The Rocker 
wrote:

> Hi there,
>
> +1 for a TomEE 8.013 ASAP provided it includes fix for:
>
> CVE-2021-43980 Apache Tomcat - Information Disclosure
>
> Kind regards,
> Alex
>
> On Wed, 28 Sept 2022 at 18:45, Zowalla, Richard
>  wrote:
> >
> > Hi all,
> >
> > our last 8.x release was in June and we have 22 pending updates/issues
> > for 8.0.13. Mostly dependency updates (johnzon, dbcp2, myfaces, hsqldb,
> > tomcat, jakarta faces), and some minor bugs (windows, jdk17+ related
> > backports), see below.
> >
> > We might need to go through the 3rd party libs again and see, if there
> > are additional updates we might want to include.
> >
> > Would be worth to do a release soon (Mid/End of October?), imho.
> >
> > Is there anything else we should include / patch before doing a 8.0.13?
> > Any objections?
> >
> > Wdyt?
> >
> > Regards
> > Richard
> >
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> >
> > == Improvement
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4000[TOMEE-4000] Add security.txt to website
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport TOMEE-3877 to TomEE 8.x
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
> >
> > == Task
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
>


Re: [DISCUSS] Renaming of master branches to main?

2022-08-03 Thread Jonathan Gallimore
+1

On Thu, Jul 28, 2022 at 4:54 PM Richard Zowalla  wrote:

> Hi all,
>
> I would like to get the community's opinion on renaming the "master"
> branches for the TomEE related repositories to "main".
>
> I see quite a few ASF projects (and other OSS projects) have made the
> change and I personally think we should, too, for the same reason of
> promoting inclusivity (see [1]).
>
> I think we would need to update the target branch of the outstanding
> PRs, update GitHub actions, update the Jenkins build config + local
> checkouts. Anything else?
>
> Thoughts?
>
> Regards
> Richard
>
>
> [1] https://sfconservancy.org/news/2020/jun/23/gitbranchname/
>
>


Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-03 Thread Jonathan Gallimore
My general thoughts on this are:

* While I understand the desire for a patched release, forking the CXF
project feels like a lot of work, particularly if we're only looking to do
one final release from this branch. I personally would prefer to spend my
time working on Jakarta EE 9/10 support and MicroProfile support in the
more recent branches.

* It may be possible to use the patch plugin to patch CXF (assuming it
would work on the TomEE 7.1.x build) in the TomEE build, but that's also a
chunk of work.

* In either case, to get a release out the committers and PMC would need to
understand what all this is doing and ensure that releases are legal and
don't introduce bad behaviour through poor patches, so it isn't quite as
simple as one person showing up to do the work - we'd also need to be sure
we can review what's done.

* I don't really like the "EOL" label. If someone wanted to send TomEE
patches on this branch through the usual processes, I don't see any reason
why we'd reject them. I'd be ok with simply labelling it as "inactive" or
similar.

 This is probably most aligned with option "D".

Jon

On Tue, Aug 2, 2022 at 7:19 PM Richard Zowalla  wrote:

> Hi all,
>
> thanks for the thread, JL! Sorry, a bit longer than anticipated ;)
>
> As promised in the other thread, I took a look at the grype scan
> results. While there are many false positives (mostly related to the
> Geronimo specs and ActiveMQ), there are indeed some CVEs of interest:
>
> - cxf
> - tomcat (will be fixed in the next tomcat release)
> - xmlsec (should most likely be possible to update)
> - jackson-databind (should most likely be possible to update)
>
> Imho, the most important ones originate from cxf 3.1.18 for which we
> won’t get patches anymore, i.e. we would need to fork, backport the
> relevant CVE fixes and release it as shaded dependency within TomEE.
>
> I think the main issue arises from the fact, that we never communicated
> or announced some sort of EOL statement for any of the older branches
> (1.7.x, 7.0.x or 7.1.x) like it is done for example for Tomcat [1].
>
> The silent reader or the wise developer will know, that no release
> within the last two years most certainly means eol for the respective
> series but there will be a (perhaps rather small) community of people
> waiting for a release while running with their vulnerable TomEE for
> the last years.
>
> Therefore, I see the following options (no ordering, no preferences,
> just a listing):
>
> 
>
> ## Option (A)
>
> We decide to do a release without patching the known CXF CVEs and
> announce the EOL of the 7.1.x series in a similar manner as it is done in
> Tomcat [1].
>
> In this announcement, we state that security vulnerability reports will
> not be checked against the 7.1.x branch, bugs affecting only the 7.1.x
> branch will not be addressed and releases of the 7.1.x branch are
> highly unlikely. After a certain grace period, we remove the 7.1.x
> download links, the documentation from the website and the artifacts
> from the cdn. Note, that all 7.1.x releases will always be available
> from the archive.
>
> ## Option (B)
>
> We decide to do a release, patch the known CXF CVEs by forking CXF and
> release it as shaded dependency within TomEE. Subsequently, we announce
> the EOL of the 7.1.x similar to option (A).
>
> ## Option (C)
>
> We decide, that 7.1.4  from 2020 was the final release of the 7.1.x
> series. Subsequently, we announce the EOL of the 7.1.x similar to
> option (A).
>
> ## Option (D)
>
> We don’t release a new version of the 7.1.x series and do not announce
> any sort of EOL statement (status quo). We agree to not put much effort
> into the 7.1.x series and stop maintaining it.
>
> ## Option (E)
>
> We don’t release a new version of the 7.1.x series and do not announce
> any sort of EOL statement (status quo). We agree to not put much effort
> into the 7.1.x series and stop maintaining it. To avoid user confusion,
> we remove the download links, the documentation and the artifacts from
> the cdn but all 7.1.x releases will always be available from the
> archive.
>
> ## Option (F) – (Z)
>
> » Your Input Here «
>
> 
>
> Perhaps there are other options as well, but those are the ones which
> directly went into my mind while thinking about it. A similar
> discussion needs to be done for 1.7.x and 7.0.x if we find some
> consensus for the 7.1.x series.
>
> I am a bit torn apart in this discussion. On the one hand, I am
> thinking: “Hey, we somehow “owe” the community one last release before
> declaring it eol and stop maintaining it”. On the other hand, this
> rationale could also be used as an excuse to ask for a “last” 7.0.x or a
> “last” 1.7.x.
>
> I agree, that releasing a TomEE 7.1.5 with known CXF vulnerabilities
> isn’t really desirable and we cannot maintain 3rd party libs
> indefinitely. We might be better in investing resources in 8.0.x and a
> stable 9.0.x release in order to later shift our attention to EE10 ;)
>
> Regards
> Richard
>

Re: [VOTE] Apache TomEE 9.0.0-M8

2022-07-04 Thread Jonathan Gallimore
+1

Couple of notes:

* woodstox-core appears to have gone _back_ some versions (6.2.4 -> 5.2.1)
* something is pulling in ASM as opposed to using the xbean-asm9-shaded

I don't think either of these should block the release, but we ought to
have a look as development moves forward.

Thanks for rolling the release!

Jon

On Tue, Jun 28, 2022 at 11:01 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi,
>
> As discussed, here is the vote for Apache TomEE 9.0.0-M8. This milestone
> differs from previous 9.x in the sense that we migrated all TomEE code to
> the new jakarta namespace. Previously, we used bytecode relocation but most
> of the integration was broken (tests, arquillian, etc).
>
> We are still working on some regressions and fixes in order to pass all TCK
> for Jakarta EE 9.1. But starting to gather feedback can only help sooner
> rather than later.
>
> This is a maintenance release with minor fixes and dependencies upgrades.
>
> Maven staging repo
> https://repository.apache.org/content/repositories/orgapachetomee-1205/
>
> Binaries and sources
> https://dist.apache.org/repos/dist/dev/tomee/tomee-9.0.0-M8
>
> Github Tag
> https://github.com/apache/tomee/tree/tomee-project-9.0.0-M8
>
> Commit hash
> 12e5dd91fe34affa775a68d5341576b417530008
>
> Release Notes
> https://issues.apache.org/jira/projects/TOMEE/versions/12350178
>
> Sub-task
>
>    - [TOMEE-3861] - Upgrade to apache-parent-26
>    - [TOMEE-3865] - Switch arquillian to the new Servlet 5 protocol
>    - [TOMEE-3866] - Upgrade Hibernate to 5.6.7 / Hibernate Validator to 7.0.2 (Jakarta Artifact)
>    - [TOMEE-3868] - Remove SAAJ Axis 1 provider
>    - [TOMEE-3869] - Remove JAX-RPC
>    - [TOMEE-3870] - Remove Management J2EE
>    - [TOMEE-3877] - No interface view EJB proxies broken on JDK16+
>    - [TOMEE-3879] - Add missing --add-opens options to itests/failover
>    - [TOMEE-3881] - Add JDK --add-opens to our scripts in openejb-standalone
>    - [TOMEE-3920] - Fix TomEE :: Web Examples :: Moviefun Rest
>    - [TOMEE-3922] - Patch Tomcat JasperInitializer and create jira
>    - [TOMEE-3925] - Fix Websocket TLS Basic Auth
>    - [TOMEE-3926] - Fix Webservice SSL Client Certificate Example
>    - [TOMEE-3930] - fix arquillian-tomee-moviefun-example
>    - [TOMEE-3931] - fix example/cucumber-jvm
>    - [TOMEE-3932] - Migration tips and tricks
>    - [TOMEE-3939] - Fix Jakarta Mail API with Apache Velocity Templating
>    - [TOMEE-3940] - Fix TomEE :: Examples :: JakartaMail API
>    - [TOMEE-3943] - Fix TomEE :: Examples :: Multiple JPA providers
>    - [TOMEE-3944] - Fix TomEE :: Examples :: Simple EAR :: Functional Tests
>    - [TOMEE-3953] - Fix TomEE :: Examples :: JPA with EclipseLink
>    - [TOMEE-3954] - Fix TomEE :: Examples :: JPA with Hibernate and arquillian
>    - [TOMEE-3956] - Fix TomEE :: Connector Examples :: Connector in WAR
>    - [TOMEE-3957] - Fix TomEE :: Examples :: DeltaSpike @ConfigProperty
>    - [TOMEE-3958] - Fix TomEE :: Examples :: DeltaSpike Exception Handling
>    - [TOMEE-3959] - Fix TomEE :: Examples :: DeltaSpike I18n
>    - [TOMEE-3960] - Fix TomEE :: Examples :: DeltaSpike ProjectStage
>
> Bug
>
>    - [TOMEE-2420] - Incorrect "Wall of fame" page layout
>    - [TOMEE-3739] - Fix JAX-RS landscape / regressions introduced during TCK Work
>- [TOMEE-3740 

Re: [VOTE] Apache TomEE 8.0.12

2022-06-13 Thread Jonathan Gallimore
+1

Jon

On Tue, Jun 7, 2022 at 1:43 PM Jean-Louis Monteiro 
wrote:

> Hi,
>
> As discussed, here is the vote for Apache TomEE 8.0.12.
>
> This is a maintenance release with minor fixes and dependencies upgrades.
>
> Maven staging repo
> https://repository.apache.org/content/repositories/orgapachetomee-1203
>
> Binaries and sources
> https://dist.apache.org/repos/dist/dev/tomee/tomee-8.0.12/
>
> Github Tag
> https://github.com/apache/tomee/tree/tomee-project-8.0.12
>
> Release Notes
> https://issues.apache.org/jira/projects/TOMEE/versions/12351588
>
> Sub-task
>
>    - [TOMEE-3647] - Update example 'mvc-resteasy' to use Server/API Bom
>    - [TOMEE-3861] - Upgrade to apache-parent-26
>
> Bug
>
>    - [TOMEE-3849] - EclipseLink JPA provider not discoverable in TomEE Plume libraries
>    - [TOMEE-3903] - Investigate *.tar.gz distributions aren't installed correctly to Maven Repository
>    - [TOMEE-3908] - CI Job für TomEE Site Publish is failing
>    - [TOMEE-3919] - Fix GitHub Actions Bom Generation targeting wrong branch
>    - [TOMEE-3935] - BOM Regeneration fails due to GitHub Actions permission issue
>    - [TOMEE-3969] - javax.cache API not part of Jakarta EE 8
>
> Improvement
>
>    - [TOMEE-3924] - Disable @dependabot via .asf.yaml
>    - [TOMEE-3934] - Upgrade to Johnzon 1.2.18
>
> Task
>
>    - [TOMEE-3905] - Fix Post release pom versioning for tomee-8.x branch
>
> Dependency upgrade
>
>    - [TOMEE-3911] - Upgrade XBean to 4.21
>    - [TOMEE-3912] - Upgrade TomEE Patch Plugin to 0.9
>    - [TOMEE-3913] - Examples: Upgrade JUnit 4.12 to 4.13.2
>    - [TOMEE-3918] - Upgrade Johnzon to 1.2.17
>    - [TOMEE-3941] - Apache ActiveMQ 5.16.5
>    - [TOMEE-3961] - Upgrade to Apache Tomcat 9.0.63 (CVE-2022-29885)
>    - [TOMEE-3977] - Apache OpenWebBeans 2.0.27
>
> Documentation
>
>    - [TOMEE-3846] - Inconsistence between tomee flavors comparison in website and actual jars
>    - [TOMEE-3904] - Enhance / Update existing release documentation
>
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


Re: Release TomEE 8.0.12

2022-06-07 Thread Jonathan Gallimore
Yes, it looks like Jean-Louis has prepared everything for release. This
specific JIRA looks like it should have been closed back in 8.0.6, and has
been updated as part of a bulk update to issues for the last few releases -
that's my mistake, sorry. I've corrected the JIRA. For info, the commit is
here:
https://github.com/apache/tomee/commit/accb2418a736916d724a3abd491bde998516021f

Thanks

Jon

On Tue, Jun 7, 2022 at 11:10 AM Alex The Rocker 
wrote:

> Sorry I'm a bit lost, is TomEE 8.0.12 release vote going to take place
> soon?
> I see that TOMEE-2941 is targeted for 8.0.13, so that's a bit confusing...
>
> Thanks,
> Alex
>
> On Fri, 3 June 2022 at 13:16, Daniel Dias Dos Santos
>  wrote:
> >
> > +1
> >
> > On Fri, Jun 3, 2022, 04:49 Alex The Rocker  wrote:
> >
> > > +1
> > >
> > > Le ven. 3 juin 2022 à 09:14, Zowalla, Richard
> > >  a écrit :
> > > >
> > > > +1
> > > > 
> > > > From: Jean-Louis Monteiro 
> > > > Sent: Friday, June 3, 2022 08:49:23
> > > > To: dev@tomee.apache.org
> > > > Subject: Release TomEE 8.0.12
> > > >
> > > > Hi all,
> > > >
> > > > We have a couple of requested fixes on the TomEE 8.x branch. Should
> we
> > > do a
> > > > release?
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > >
>


Re: Removing non Java EE / Jakarta EE APIs from our javaee-api/jakartaee-api jars

2022-05-17 Thread Jonathan Gallimore
I'm ok with it. Thanks Jean-Louis.

Jon

On Tue, May 17, 2022 at 4:17 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi all,
>
> We do have an uber jar with all Java/Jakarta EE APIs. It makes it easier
> for a user to use the server and requires less dependencies in our modules.
>
> Though it's convenient, it looks like we are embedding too many APIs in it,
> and non EE APIs, for instance javax.xml.namespace. And since Java Modules
> it does generate compilation issues with Eclipse at least but also javac.
>
> Another option is to require the users to add a module-info.java with their
> explicit requirements so there is no conflict in the javax.xml.namespace
> package.
>
> Any issue to remove all non EE APIs from our Uber jar?
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


Re: TOMEE-3824 New Jakarta EE 9 XML namespace not recognized in web-fragment.xml (was Re: How can I help?)

2022-05-06 Thread Jonathan Gallimore
Hi Zoltán

I've assigned that JIRA to you.

Many thanks

Jon

On Fri, May 6, 2022 at 9:14 AM Zoltán Tichov 
wrote:

> Hi David!
>
> My JIRA username is eagleegg
>
> Thanks: Zoltán
>
>
> On Fri, May 6, 2022 at 1:27 AM David Blevins 
> wrote:
>
> > Hey Zoltán!
> >
> > Absolutely, you're welcome to fix the issue.  I can assign the issue to
> > you if you let me know your JIRA username.  Make a comment on the issue
> and
> > that'll be the quickest way to send it.
> >
> > We intentionally have it setup so new people can't assign issues to
> > themselves so that they're forced to come to the list where we can get
> them
> > off to the right start.
> >
> > On the issue you want to fix, most the code that would be involved in the
> > fix is here:
> >
> >  -
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/JaxbJavaee.java
> >
> > Some important history to help you.  When J2EE got renamed to Java EE,
> the
> > namespaces changed.  The TCK for full Java EE server tests that all
> > historic namespaces can be supported.  Our solution was to create an
> > org.xml.sax.XMLFilter and dynamically rewrite the namespace on any
> document
> > we were given to the then latest namespace
> > http://java.sun.com/xml/ns/javaee
> >
> >  -
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/JaxbJavaee.java#L291
> >
> > The way JAXB works is all the namespaces are hardcoded and without a
> > filter like the one we made, there'd be no way to support multiple
> > namespaces.  Those namespaces are all here:
> >
> >  -
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/ObjectFactory.java
> >
> > I did most that work, but it was 15 years ago and I don't recall all the
> > details.  Jean-Louis did the work for the Jakarta namespace.  I know
> we're
> > testing at least some those old namespaces and the new namespace.  We
> have
> > some test descriptors here:
> >
> >  -
> >
> https://github.com/apache/tomee/tree/master/container/openejb-jee/src/test/resources
> >
> > I don't recall the name of those tests offhand, but if you search for the
> > names of some of those files that should get you close.
> >
> >
> > Now a couple thoughts as I see potential for some short-term work and
> some
> > longer-term work.
> >
> >  - Long-term: We're clearly still referring to
> > "http://java.sun.com/xml/ns/javaee" as the primary namespace.  That's not
> > going to age well.  If someone has to write an email like this in 15
> years,
> > they'll likely have to explain what "javaee" is like I had to harken back
> > to "J2EE".  We should probably make the new Jakarta EE namespace be the
> > primary namespace and rework all the JAXB code and namespace filters
> > accordingly.
> >
> >  - Short-term: Do not do any of that and avoid opening that can of worms
> > at all cost.  Get the file to parse with the minimum change possible.
> Get
> > some experience with the code and a successful contribution in the can.
> >
> > This is what I'd do regardless of (or because of?) years of experience.
> I
> > always take the quick win before attempting the big one.
> >
> > If you get into the code and decide the big change sounds like fun, we
> can
> > make a ticket for it and plan it.  Probably we'd want to shore up any
> test
> > coverage we'd be lacking and also get a full TCK run to see what those
> > numbers look like so we can spot regressions.
> >
> > Hope some of this is helpful!
> >
> > Don't hesitate to be super noisy and ask lots and lots of questions.
> > Silence is death. :)
> >
> >
> > -David
> >
> >
> > > On May 5, 2022, at 3:31 PM, Zoltán Tichov 
> > wrote:
> > >
> > > Hi Richard!
> > > > I found a ticket with a bug that I also encountered. The ticket is open
> > and
> > > unassigned.
> > > Should I try to fix it? If so, how can it be assigned to me?
> > > https://issues.apache.org/jira/browse/TOMEE-3824
> > >
> > > Best: Zoltán
> > >
> > > On Wed, Apr 27, 2022 at 8:36 AM Zowalla, Richard <
> > > richard.zowa...@hs-heilbronn.de> wrote:
> > >
> > >> Hi,
> > >>
> > >> it would certainly help to track these issues as an issue.
> > >>
> > >> Maybe they are already solved (as the code has evolved) but maybe not,
> > >> so it would be good to have them.
> > >>
> > >> Regards
> > >> Richard
> > >>
> > >> On Tuesday, 26.04.2022 at 21:54 +0200, Zoltán Tichov wrote:
> > >>> Hi Richard!
> > >>>
> > >>> I have found two errors in Tomee 9.0.0-M7. Should I make tickets for
> > >>> these
> > >>> errors and try to fix them?
> > >>> Although they may have been fixed in the next version (9.0.0-M8)
> > >>>
> > >>> Zoltán
> > >>>
> > >>> On Sun, Apr 24, 2022 at 11:06 AM Zowalla, Richard <
> > >>> richard.zowa...@hs-heilbronn.de> wrote:
> > >>>
> >  Hi Zoltán,
> > 
> >  It's very great from you and it's truly awesome when a long time
> >  user
> >  of TomEE decides to contribute :)
> 
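
The namespace-rewriting org.xml.sax.XMLFilter described in David's message above, sketched as an added example (not the code in JaxbJavaee.java, and not part of the original thread). The class name, the list of source namespaces and the sample documents are assumptions; only the target namespace comes from the message. The reader is also configured to refuse external entities, since descriptors come from deployed archives.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
import org.xml.sax.helpers.XMLFilterImpl;

public class NamespaceRewriteDemo {

    // The namespace the message names as the one every document is rewritten to.
    static final String TARGET_NS = "http://java.sun.com/xml/ns/javaee";

    // Historic and current descriptor namespaces (assumed list for this example).
    static final Set<String> KNOWN_NS = Set.of(
            "http://java.sun.com/xml/ns/j2ee",
            "http://xmlns.jcp.org/xml/ns/javaee",
            "https://jakarta.ee/xml/ns/jakartaee");

    /** Maps every known descriptor namespace to TARGET_NS; anything else passes through. */
    static class NamespaceFilter extends XMLFilterImpl {
        NamespaceFilter(XMLReader parent) {
            super(parent);
        }

        private static String map(String uri) {
            return KNOWN_NS.contains(uri) ? TARGET_NS : uri;
        }

        @Override
        public void startPrefixMapping(String prefix, String uri) throws SAXException {
            super.startPrefixMapping(prefix, map(uri));
        }

        @Override
        public void startElement(String uri, String local, String qName, Attributes atts)
                throws SAXException {
            super.startElement(map(uri), local, qName, atts);
        }

        @Override
        public void endElement(String uri, String local, String qName) throws SAXException {
            super.endElement(map(uri), local, qName);
        }
    }

    /** Namespace-aware SAX reader that does not resolve external entities. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return factory.newSAXParser().getXMLReader();
    }

    /** Parses xml through the filter and returns the {namespace}localName of each element. */
    static List<String> parse(String xml) throws Exception {
        List<String> seen = new ArrayList<>();
        XMLReader filter = new NamespaceFilter(hardenedReader());
        // With JAXB, the filter would instead be wrapped in a SAXSource and handed
        // to Unmarshaller.unmarshal, so JAXB only ever sees TARGET_NS.
        filter.setContentHandler(new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                seen.add("{" + uri + "}" + local);
            }
        });
        filter.parse(new InputSource(new StringReader(xml)));
        return seen;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents, one per namespace generation.
        String jakarta = "<web-fragment xmlns=\"https://jakarta.ee/xml/ns/jakartaee\" version=\"5.0\">"
                + "<name>demo</name></web-fragment>";
        String j2ee = "<web-app xmlns=\"http://java.sun.com/xml/ns/j2ee\" version=\"2.4\">"
                + "<display-name>old</display-name></web-app>";
        String other = "<x:thing xmlns:x=\"urn:example:unrelated\"/>";

        System.out.println(parse(jakarta)); // both elements reported in TARGET_NS
        System.out.println(parse(j2ee));    // both elements reported in TARGET_NS
        System.out.println(parse(other));   // unrelated namespace left untouched
    }
}
```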

Re: [VOTE] Apache TomEE Patch Plugin 0.9

2022-05-05 Thread Jonathan Gallimore
+1

Jon

On Tue, May 3, 2022 at 10:01 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi,
>
> I'd like to vote Apache TomEE Patch Plugin 0.9 up for vote. The changes are
> fairly minimal and are meant to help with Maven new versions.
>
> Again, big thank you Richard for putting this together.
>
> Changes:
>
> - Fix for TOMEE-3903 (Don't attach *.tar.gz files multiple times)
>
> Sources:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1201/
>
> Staging Nexus Repository:
>
> https://repository.apache.org/content/repositories/orgapachetomee-1201/
>
> Tag:
>
>
> https://github.com/apache/tomee-patch-plugin/releases/tag/tomee-patch-parent-0.9
>
> Please vote to approve this release:
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
>
> This vote will be open for at least 72 hours.
>
> Jean-Louis
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


Re: TomEE 9.x - from javax to jakarta namespace

2022-05-05 Thread Jonathan Gallimore
Sounds good. I'll drop the transformer from the 8.x branch (looks like we
don't use it in 9.x), and I'll create a single example to demonstrate it in
a sandbox.

Jon

On Wed, May 4, 2022 at 12:32 PM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> You are right - we can remove it imho from 8.x as we do not test with
> it and the transformed samples might not even work, e.g. dependencies
> are not migrated, etc.
>
> +1 for providing a (bigger) example.
>
> Regards
> Richard
>
> On Wednesday, 04.05.2022 at 11:17 +0100, Jonathan Gallimore wrote:
> > I've picked up a task related to the examples:
> > https://issues.apache.org/jira/browse/TOMEE-3873. I specifically went
> > for
> > this, as I added the Eclipse Transformer to the build for a number of
> > examples in the past, back when we were doing the transformation
> > process on
> > TomEE itself. The drawback here is that any tests in the examples
> > run on
> > the javax code, and we just "assume" that the transformed artifact
> > works. I
> > would suggest removing that for the master build, as it just takes
> > build
> > time, and the examples should be transformed from javax to jakarta at
> > source (if they aren't already). On the TomEE 8 build, we could
> > select a
> > few examples (no need to do them all) and find a way to run the tests
> > on
> > both javax and jakarta versions of TomEE.
> >
> > Additionally, it would likely be useful to add documentation to this.
> > If we
> > also wanted a bigger example application that specifically covers
> > transformation, I could look at that too.
> >
> > What do you think?
> >
> > Jon
> >
> >
> >
> > On Tue, Mar 22, 2022 at 12:58 PM Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com> wrote:
> >
> > > Hi,
> > >
> > > I've been working for quite a long time on TomEE 9.x, and it's been
> > > more
> > > challenging and painful than I was expecting. I thought it would be
> > > good to
> > > give you some sort of status.
> > >
> > > I created a PR for the work. As a reminder, since Java EE moved to
> > > Eclipse
> > > to become Jakarta EE, we had a switch from javax.* namespace to
> > > jakarta.*
> > > namespace. This is an impacting change, since all applications and
> > > > application servers are built on top of it.
> > >
> > > In TomEE, we decided to do that change in TomEE. We had previously
> > > a
> > > bytecode change approach like an application could do. It worked
> > > and we
> > > were able to get certified. But it had a lot of limitations, so we
> > > had to
> > > do the migration in the code and fix all compatibility issues.
> > >
> > > Here is the PR https://github.com/apache/tomee/pull/814
> > > It has 90+ commits and nearly 5000 files touched (added, removed,
> > > updated).
> > > I understand it's a lot and it makes it almost impossible to
> > > review. But I
> > > > did not see many approaches in this scenario to create smaller PRs.
> > >
> > > I created a Jenkins build though available at
> > > https://ci-builds.apache.org/job/Tomee/job/master-build-quick-9.x/
> > >
> > > It makes it possible to track the progress. There have been steps
> > > forward
> > > and steps backward.
> > >
> > > All the code does not sit under TomEE, we use a bunch of third
> > > party
> > > projects and libraries. I have been able to contribute, publish
> > > jakarta
> > > compatible versions and get releases for some of them (Jakarta EE
> > > APIs Uber
> > > jar, Geronimo Connectors and Transaction Manager, Geronimo Config,
> > > Health,
> > > > Metrics, OpenTracing, OpenAPI). OpenJPA, BVal, and OpenWebBeans will
> > > be
> > > released soon.
> > >
> > > > The big parts are CXF and ActiveMQ. I had to get them done in TomEE
> > > and
> > > update all group/artifact ids. It's under deps, alongside with SXC,
> > > DBCP,
> > > and others.
> > >
> > > In terms of removal, I tried to remove old stuff like SAAJ Axis 1
> > > integration, JAX RPC, Management J2EE and a couple of other old
> > > things.
> > >
> > > A lot of other libraries got updated to their latest version when
> > > available
> > > in the new jakarta namespace.
> > >
> > > I'm starting to get all the build stable and many modules are
> > > passing now,
> > > including all CXF webservices, OpenEJB Core, and others. I can get
> > > a build
> > > and run TomEE.
> > >
> > > Goal is to get a green build asap so we can start working on TCK.
> > > The "quick" build is now green. Working on the full build.
> > >
> > > I'll soon be creating a branch for TomEE 8.x maintenance and merge
> > > the PR.
> > > I'm hoping we can then have small PRs or at least more people
> > > working in
> > > parallel.
> > >
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
>


Re: TomEE 9.x - from javax to jakarta namespace

2022-05-04 Thread Jonathan Gallimore
I've picked up a task related to the examples:
https://issues.apache.org/jira/browse/TOMEE-3873. I specifically went for
this, as I added the Eclipse Transformer to the build for a number of
examples in the past, back when we were doing the transformation process on
TomEE itself. The drawback here is that any tests in the examples run on
the javax code, and we just "assume" that the transformed artifact works. I
would suggest removing that for the master build, as it just takes build
time, and the examples should be transformed from javax to jakarta at
source (if they aren't already). On the TomEE 8 build, we could select a
few examples (no need to do them all) and find a way to run the tests on
both javax and jakarta versions of TomEE.

Additionally, it would likely be useful to add documentation to this. If we
also wanted a bigger example application that specifically covers
transformation, I could look at that too.

What do you think?

Jon



On Tue, Mar 22, 2022 at 12:58 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi,
>
> I've been working for quite a long time on TomEE 9.x, and it's been more
> challenging and painful than I was expecting. I thought it would be good to
> give you some sort of status.
>
> I created a PR for the work. As a reminder, since Java EE moved to Eclipse
> to become Jakarta EE, we had a switch from javax.* namespace to jakarta.*
> namespace. This is an impacting change, since all applications and
> application servers are built on top of it.
>
> In TomEE, we decided to do that change in TomEE. We had previously a
> bytecode change approach like an application could do. It worked and we
> were able to get certified. But it had a lot of limitations, so we had to
> do the migration in the code and fix all compatibility issues.
>
> Here is the PR https://github.com/apache/tomee/pull/814
> It has 90+ commits and nearly 5000 files touched (added, removed, updated).
> I understand it's a lot and it makes it almost impossible to review. But I
> did not see many approaches in this scenario to create smaller PRs.
>
> I created a Jenkins build though available at
> https://ci-builds.apache.org/job/Tomee/job/master-build-quick-9.x/
>
> It makes it possible to track the progress. There have been steps forward
> and steps backward.
>
> All the code does not sit under TomEE, we use a bunch of third party
> projects and libraries. I have been able to contribute, publish jakarta
> compatible versions and get releases for some of them (Jakarta EE APIs Uber
> jar, Geronimo Connectors and Transaction Manager, Geronimo Config, Health,
> Metrics, OpenTracing, OpenAPI). OpenJPA, BVal, and OpenWebBeans will be
> released soon.
>
> The big parts are CXF and ActiveMQ. I had to get them done in TomEE and
> update all group/artifact ids. It's under deps, alongside with SXC, DBCP,
> and others.
>
> In terms of removal, I tried to remove old stuff like SAAJ Axis 1
> integration, JAX RPC, Management J2EE and a couple of other old things.
>
> A lot of other libraries got updated to their latest version when available
> in the new jakarta namespace.
>
> I'm starting to get all the build stable and many modules are passing now,
> including all CXF webservices, OpenEJB Core, and others. I can get a build
> and run TomEE.
>
> Goal is to get a green build asap so we can start working on TCK.
> The "quick" build is now green. Working on the full build.
>
> I'll soon be creating a branch for TomEE 8.x maintenance and merge the PR.
> I'm hoping we can then have small PRs or at least more people working in
> parallel.
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


Re: OpenJDK is no more?

2022-04-28 Thread Jonathan Gallimore
+1

On Thu, 28 Apr 2022, 10:19 Jean-Louis Monteiro, 
wrote:

> Eclipse is fine.
> Thanks
>
> On Thu, Apr 28, 2022 at 01:22, Jenkins, Rodney J (Rod) <
> jenki...@nationwide.com> wrote:
>
> > All,
> >
> > I was notified of the pull request below.  Long story short:   We need to
> > choose a different JDK to run on our docker images.
> >
> > At the moment I'm not sure what all the choices are.   When I looked at
> > this before, I suggested Eclipse Temurin.
> >
> > Does anyone have a preference or others to consider?
> >
> > Thanks,
> > Rod.
> >
> >
> > https://github.com/docker-library/openjdk/pull/495
> >
>


Re: ci-builds all 3.6TB disk is full!

2022-04-21 Thread Jonathan Gallimore
Looks like I missed Richard's email yesterday and he's already taken care
of it. Thanks Richard, and sorry for the noise.

Jon

On Thu, Apr 21, 2022 at 4:30 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Looks like we're top of the list, and not in a good way... :/
>
> I'm happy to help, but not sure where to start. Does anyone have any
> pointers?
>
> Jon
>
> -- Forwarded message -
> From: Gavin McDonald 
> Date: Wed, Apr 20, 2022 at 8:27 AM
> Subject: ci-builds all 3.6TB disk is full!
> To: builds 
>
>
> Hi All,
>
> Seems we need to do another cull of projects storing way too much data.
>
> Below are everyone above 1GB. Just FYI, 1GB is fine, likely 50GB is fine,
> but above that, it's just too much. I will be removing 1TB of data from
> wherever I can get it.
>
> Please, look after your jobs, and your fellow projects by limiting what you
> keep.
>
> 1.6T Tomee
> 451G Kafka
> 303G james
> 176G carbondata
> 129G Jackrabbit
> 71G Brooklyn
> 64G Sling
> 64G Netbeans
> 60G Ranger
> 38G AsterixDB
> 33G OODT
> 29G Tika
> 27G Syncope
> 24G Atlas
> 20G IoTDB
> 18G CXF
> 16G POI
> 11G Solr
> 11G Mesos
> 8.7G Royale
> 7.8G Lucene
> 7.6G MyFaces
> 7.6G Directory
> 6.4G OpenJPA
> 6.0G ManifoldCF
> 5.9G ActiveMQ
> 5.7G Logging
> 5.6G Archiva
> 5.5G UIMA
> 5.3G ctakes
> 4.7G Heron
> 4.6G Jena
> 4.0G OpenOffice
> 3.8G Cloudstack
> 3.4G Shiro
> 2.5G Qpid
> 2.1G JSPWiki
> 2.1G JMeter
> 2.0G JClouds
> 1.8G Santuario
> 1.8G OpenMeetings
> 1.8G Camel
> 1.7G Karaf
> 1.7G HttpComponents
> 1.7G Ant
> 1.5G Tapestry
> 1.5G Commons
> 1.3G DeltaSpike
> 1.2G Rya
> 1.2G Aries
> 1.2G Accumulo
> 1.1G PDFBox
>
> --
>
> *Gavin McDonald*
> Systems Administrator
> ASF Infrastructure Team
>


Fwd: ci-builds all 3.6TB disk is full!

2022-04-21 Thread Jonathan Gallimore
Looks like we're top of the list, and not in a good way... :/

I'm happy to help, but not sure where to start. Does anyone have any
pointers?

Jon

-- Forwarded message -
From: Gavin McDonald 
Date: Wed, Apr 20, 2022 at 8:27 AM
Subject: ci-builds all 3.6TB disk is full!
To: builds 


Hi All,

Seems we need to do another cull of projects storing way too much data.

Below are everyone above 1GB. Just FYI, 1GB is fine, likely 50GB is fine,
but above that, it's just too much. I will be removing 1TB of data from
wherever I can get it.

Please, look after your jobs, and your fellow projects by limiting what you
keep.

1.6T Tomee
451G Kafka
303G james
176G carbondata
129G Jackrabbit
71G Brooklyn
64G Sling
64G Netbeans
60G Ranger
38G AsterixDB
33G OODT
29G Tika
27G Syncope
24G Atlas
20G IoTDB
18G CXF
16G POI
11G Solr
11G Mesos
8.7G Royale
7.8G Lucene
7.6G MyFaces
7.6G Directory
6.4G OpenJPA
6.0G ManifoldCF
5.9G ActiveMQ
5.7G Logging
5.6G Archiva
5.5G UIMA
5.3G ctakes
4.7G Heron
4.6G Jena
4.0G OpenOffice
3.8G Cloudstack
3.4G Shiro
2.5G Qpid
2.1G JSPWiki
2.1G JMeter
2.0G JClouds
1.8G Santuario
1.8G OpenMeetings
1.8G Camel
1.7G Karaf
1.7G HttpComponents
1.7G Ant
1.5G Tapestry
1.5G Commons
1.3G DeltaSpike
1.2G Rya
1.2G Aries
1.2G Accumulo
1.1G PDFBox

-- 

*Gavin McDonald*
Systems Administrator
ASF Infrastructure Team


Re: [VOTE] Apache TomEE 8.0.11 - take 2

2022-04-21 Thread Jonathan Gallimore
+1

Thanks Richard and Jean-Louis!

Jon

On Thu, Apr 14, 2022 at 4:06 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi All,
>
> This is the first attempt at a vote for a release of Apache TomEE 8.0.11
>
> I'd like to start with a big thank you and a big applause to Richard. He
> has been doing a tremendous work on the project and started to roll out his
> first release today. Per Apache rules, the release manager needs to be a
> TomEE PMC, that's why I'm starting this VOTE, but the work has been done by
> Richard, so thank you. Well done.
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1200/
>
> Binaries & Sources:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1200/tomee-8.0.11/
>
> Tags:
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.11
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12351352
>
> Here are the releases notes
> Bug
>
>- [TOMEE-3840] - TomEE WebProfile 8.0.9 does not start with security enabled
>- [TOMEE-3848] - Apache TomEE 8.0.6 onwards is packaged with quartz-2.2.4.jar
>- [TOMEE-3860] - Upgrade jackson-databind for CVE-2020-36518
>- [TOMEE-3871] - TomEE Plume is missing BatchEE / JCS Cache
>- [TOMEE-3876] - BOM generation corrupted under windows (slash problems)
>- [TOMEE-3889] - Invalid ObjectName for MDB listening to wildcard destination
>- [TOMEE-3892] - TomEE Maven Plugin does not allow to override default "-ea" in RemoteServer
>
> Improvement
>
>- [TOMEE-3842] - GitHub Actions fails for PullRequest Builds due to BOM auto generation
>- [TOMEE-3851] - Replace Google Analytics with ASF Matomo
>- [TOMEE-3859] - Update tomee.xml file so it refers to the right location
>
> Task
>
>- [TOMEE-3852] - Review the website in regard to external embedding of resources (JS, Fonts, CSS)
>- [TOMEE-3853] - Link ASF Privacy Policy from TomEE Website
>
> Dependency upgrade
>
>- [TOMEE-3841] - Upgrade SLF4J to 1.7.36
>- [TOMEE-3845] - Upgrade Tomcat to 9.0.59
>- [TOMEE-3855] - Upgrade Tomcat to 9.0.60
>- [TOMEE-3856] - Upgrade to jackson 2.13.2
>- [TOMEE-3858] - Upgrade OpenJPA to 3.2.2
>- [TOMEE-3872] - Update Hibernate Integration to 5.6.7
>- [TOMEE-3886] - Upgrade tomcat to 9.0.62
>- [TOMEE-3893] - Upgrade to jackson 2.13.2.2
>
> Documentation
>
>- [TOMEE-3814] - Commented SSL Connector fix for tomee server.xml
>- [TOMEE-3846] - Inconsistence between tomee flavors comparison in website and actual jars
>- [TOMEE-3847] - Exception when building website from windows os
>- [TOMEE-3854] - Provide a first draft of a link collection page targeting contributor/committer resources
>- [TOMEE-3888] - Cleanup documentation
>- [TOMEE-3894] - website generation broken under windows
>
>
> (Developers - please review and adjust your tickets if necessary!)
>
> Please VOTE:
>
> [+1] Yes, release it
> [+0] Not fussed
> [-1] Don't release, there's a showstopper (please specify what the
> showstopper is)
>
> Vote will be open for 72 hours.
>
> Thanks
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


TOMEE-3902 placeholders in ActivationConfig properties

2022-04-13 Thread Jonathan Gallimore
Hi,

I've pushed what I hope is a relatively straightforward, but also hopefully
useful piece of functionality.

If you consider an application that has a MDB that listens on a Topic, by
default, TomEE will use the MDB name as the Client ID that it uses to
connect to ActiveMQ. You can override this by specifying a specific
clientId activation property, or by
setting openejb.activemq.deploymentId-as-clientId = false, which will use a
randomly created unique ID.

I thought it would be useful to allow placeholders in activation
properties, such as:

{appId}
{ejbJarId}
{ejbName}
{hostName}
{uniqueId}

So, for the example I mention, you could set:

mdb.activation.clientId={ejbName}-{uniqueId}

in conf/system.properties, and the Client ID for the MDB would be set to
whatever the bean name is, with "-" and a unique ID added on the end.

The defaults remain unchanged, and this would only apply for activation
properties you explicitly set, using the placeholders above.

Let me know if you have any questions or feedback.

Thanks

Jon
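
A sketch of the placeholder substitution described in the message above, as an added example (not the TOMEE-3902 implementation and not part of the original message). The class and method names, the UUID-based {uniqueId}, the sample bean values and the choice to leave unknown placeholders untouched are assumptions; the placeholder names and the mdb.activation.clientId key are taken from the message.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.UUID;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ActivationPlaceholders {

    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\w+)\\}");
    private static final String PREFIX = "mdb.activation.";

    /** Replaces each {name} that has a value; unknown placeholders are left as written. */
    static String resolve(String template, Map<String, Supplier<String>> values) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            Supplier<String> value = values.get(m.group(1));
            String replacement = (value == null) ? m.group() : value.get();
            // quoteReplacement keeps '$' and '\' in a value from being read as group references.
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Collects every mdb.activation.* system property and resolves its placeholders. */
    static Map<String, String> activationProperties(Properties system,
                                                    Map<String, Supplier<String>> values) {
        Map<String, String> resolved = new TreeMap<>();
        for (String key : system.stringPropertyNames()) {
            if (key.startsWith(PREFIX)) {
                resolved.put(key.substring(PREFIX.length()),
                        resolve(system.getProperty(key), values));
            }
        }
        return resolved;
    }

    /** Per-bean values for the five placeholders listed in the message. */
    static Map<String, Supplier<String>> context(String appId, String ejbJarId,
                                                 String ejbName, String hostName) {
        Map<String, Supplier<String>> values = new HashMap<>();
        values.put("appId", () -> appId);
        values.put("ejbJarId", () -> ejbJarId);
        values.put("ejbName", () -> ejbName);
        values.put("hostName", () -> hostName);
        // Assumption: a fresh random UUID each time {uniqueId} is resolved.
        values.put("uniqueId", () -> UUID.randomUUID().toString());
        return values;
    }

    public static void main(String[] args) {
        // Constructed stand-in for conf/system.properties.
        Properties system = new Properties();
        system.setProperty("mdb.activation.clientId", "{ejbName}-{uniqueId}");
        system.setProperty("mdb.activation.subscriptionName", "{appId}/{ejbName}@{hostName}");
        system.setProperty("unrelated.key", "{ejbName}");

        // Two constructed beans: same template, distinct client IDs.
        Map<String, Supplier<String>> orders = context("shop", "shop-ejb", "OrderListener", "node1");
        Map<String, Supplier<String>> audit = context("shop", "shop-ejb", "AuditListener", "node1");

        System.out.println(activationProperties(system, orders));
        System.out.println(activationProperties(system, audit));
        System.out.println(resolve("{ejbName}-{notAPlaceholder}", orders));
    }
}
```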


Re: TOMEE-3850 https connections not reused

2022-03-08 Thread Jonathan Gallimore
That approach works great. Thanks David. I'll have a test committed this
afternoon!

Jon

On Mon, Mar 7, 2022 at 4:59 PM David Blevins 
wrote:

> > On Mar 7, 2022, at 7:27 AM, Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
> >
> > Currently looking at how to add a unit test. Essentially, making two
> calls
> > to a remote EJB should both come from the same source port. The http
> > connection unit tests in openejb-client don't seem to pass through the
> > Client class as far as I can tell, and I'm not sure there's enough
> > contextual information available if I deploy a EJB in an Arquillian test
> > and call it remotely. If you have any thoughts let me know - I'll keep
> > plugging away at it.
>
> One approach could be to setup the access log on the server-side so that
> it logs the details needed, then use the server-composer to create/launch a
> separate TomEE process where you can make EJB calls.  Once you've made all
> the EJB calls you like, read and parse the access log to ensure all the
> calls to the `/tomee/ejb` path came from the same client host/port.
>
> Something like that would need to go into the itests as it depends on a
> TomEE tar.gz.  Here's a test I wrote recently that uses the server-composer
> (which should look familiar):
>
>  -
> https://github.com/apache/tomee/blob/master/itests/jaxrs/src/test/java/org/apache/tomee/itests/jaxrs/applogging/ApplicationLoggingTest.java#L40-L48
>
>
> -David
>
>
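
The access-log check David suggests above, sketched as an added example (not the test that was committed for TOMEE-3850, and not part of the original thread). It assumes the server's access log is configured with the pattern `%h %{remote}p "%r" %s`, so each line carries the client host and source port; the class name and the log lines are constructed for illustration, and only the `/tomee/ejb` path comes from the message.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ConnectionReuseCheck {

    // Assumed access log line layout: host, remote port, "METHOD path PROTOCOL", status.
    private static final Pattern LINE =
            Pattern.compile("^(\\S+) (\\d{1,5}) \"(\\S+) (\\S+) ([^\"]+)\" (\\d{3})$");

    /** Returns "host:port" for the line if it is a request to path, otherwise null. */
    static String endpointIfPath(String line, String path) {
        Matcher m = LINE.matcher(line.trim());
        if (!m.matches()) {
            // Fail loudly: a silently skipped line would make the check pass for the wrong reason.
            throw new IllegalArgumentException("Unparseable access log line: " + line);
        }
        String requestPath = m.group(4);
        int query = requestPath.indexOf('?');
        if (query >= 0) {
            requestPath = requestPath.substring(0, query);
        }
        return requestPath.equals(path) ? m.group(1) + ":" + m.group(2) : null;
    }

    /** Distinct client host:port pairs seen for requests to path, in log order. */
    static Set<String> clientEndpoints(List<String> lines, String path) {
        Set<String> endpoints = new LinkedHashSet<>();
        for (String line : lines) {
            if (line.trim().isEmpty()) {
                continue;
            }
            String endpoint = endpointIfPath(line, path);
            if (endpoint != null) {
                endpoints.add(endpoint);
            }
        }
        return endpoints;
    }

    /** True when at least two requests hit path and all came from one client host:port. */
    static boolean connectionReused(List<String> lines, String path) {
        int calls = 0;
        for (String line : lines) {
            if (!line.trim().isEmpty() && endpointIfPath(line, path) != null) {
                calls++;
            }
        }
        if (calls < 2) {
            throw new IllegalStateException("Need at least two calls to " + path + ", saw " + calls);
        }
        return clientEndpoints(lines, path).size() == 1;
    }

    public static void main(String[] args) {
        // Constructed log: every EJB call arrives from the same source port.
        List<String> reused = List.of(
                "127.0.0.1 51544 \"POST /tomee/ejb HTTP/1.1\" 200",
                "127.0.0.1 51544 \"POST /tomee/ejb HTTP/1.1\" 200",
                "127.0.0.1 51602 \"GET /index.html HTTP/1.1\" 200",
                "127.0.0.1 51544 \"POST /tomee/ejb HTTP/1.1\" 200");

        // Constructed log: a new source port per call, i.e. a new connection and handshake each time.
        List<String> notReused = List.of(
                "127.0.0.1 51544 \"POST /tomee/ejb HTTP/1.1\" 200",
                "127.0.0.1 51546 \"POST /tomee/ejb HTTP/1.1\" 200",
                "127.0.0.1 51548 \"POST /tomee/ejb HTTP/1.1\" 200");

        System.out.println(connectionReused(reused, "/tomee/ejb"));    // true
        System.out.println(clientEndpoints(notReused, "/tomee/ejb"));  // three distinct endpoints
        System.out.println(connectionReused(notReused, "/tomee/ejb")); // false
    }
}
```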


TOMEE-3850 https connections not reused

2022-03-07 Thread Jonathan Gallimore
Hi All,

While looking at straightforward remote EJB lookup and invocation via https
in Wireshark, it looks like a different connection is being used each time,
which is causing a SSL handshake and knock-on performance impact. I've
committed a fix for this, which is to make sure the response is fully
consumed at the end of the request:
https://github.com/apache/tomee/commit/2c9a0a151bf3e51497d0338043c1ec09313512e0

Currently looking at how to add a unit test. Essentially, making two calls
to a remote EJB should both come from the same source port. The http
connection unit tests in openejb-client don't seem to pass through the
Client class as far as I can tell, and I'm not sure there's enough
contextual information available if I deploy a EJB in an Arquillian test
and call it remotely. If you have any thoughts let me know - I'll keep
plugging away at it.

Jon


Re: [VOTE] Apache TomEE 8.0.10

2022-02-15 Thread Jonathan Gallimore
+1

Jon

On Fri, Feb 11, 2022 at 8:54 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi All,
>
> This is a first attempt at a vote for a release of Apache TomEE 8.0.10
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1193/
>
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/tomee/staging_1193-TomEE-8.0.10/
>
> Tags:
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.10
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12350706
>
> Here are the releases notes
> Sub-task
>
>- [TOMEE-2117] - Rework ProcessObserverMethod integration
>- [TOMEE-2289] - MicroProfile OpenAPI Example
>- [TOMEE-2349] - Ensure each module can generate javadoc jars on release
>- [TOMEE-2350] - Create a list of existing Javadoc using html
>- [TOMEE-2351] - MicroProfile OpenTracing Example for Distributed Microservices
>- [TOMEE-2358] - MicroProfile JWT rest-mp-jwt-claim Example
>
> Bug
>
>- [TOMEE-2169] - Interceptor Bean injection does not work for EJBs
>- [TOMEE-2270] - Java11: Unable to initialize agent with embedded-maven-plugin
>- [TOMEE-2403] - AutoConnectionTrackerTest fails randomly
>- [TOMEE-2427] - Align text above the pictures
>- [TOMEE-2800] - Issue : Unable to run EJB test cases for upgradation in current project with Java 1.8 and WebLogic version 12.2.1.4 along with openejb.cxf.version 7.0.1 / openejb.cxf.version 8 jar.
>- [TOMEE-2941] - Regression: A connection factory created with TransactionSupport of "none" only sending message when transaction completes
>- [TOMEE-3777] - org.apache.openjpa.persistence.ArgumentException: The persistence provider is attempting to use properties in the persistence.xml file to resolve the data source ...
>- [TOMEE-3816] - Return "this" on stateless EJB method looses container transaction management
>- [TOMEE-3823] - TomEE and Java 17 compatibility issue with Windows Service Tooling
>- [TOMEE-3825] - TomEE Maven Plugin does not wait for container startup, if "checkStarted" is set to true
>- [TOMEE-3832] - JAX-RS TomEEJsonbProvider not registered in tomee-embedded-maven-plugin when MicroProfile is present
>
> New Feature
>
>- [TOMEE-2306] - New Java EE Schemas for Java EE Deployment Descriptors
>- [TOMEE-2584] - Java 11 compliancy
>- [TOMEE-2706] - New TomEE Embedded Bootstrap
>
> Improvement
>
>- [TOMEE-1618] - Replace three register maps in Container in favour of one
>- [TOMEE-2277] - Java11: module name for TomEE
>- [TOMEE-2425] - Generate TomEE-Cluster.html page
>- [TOMEE-2519] - MP JWT Logging Improvements
>- [TOMEE-2847] - Patch key `jakarta` namespace support
>- [TOMEE-2949] - Match TomEE tar and zip file syntax with extracted folder
>- [TOMEE-3826] - Add exclusion list maven config for patch plugin to preserve jars with signature
>
> Wish
>
>- [TOMEE-2347] - Use Asciidoc for all Javadoc
>
> Task
>
>- [TOMEE-2285] - Microprofile Examples
>- [TOMEE-2867] - Add Documentation links to website download page
>- [TOMEE-2868] - Add instructions on each example page
>- [TOMEE-3724 

Re: Version placeholder on the website

2022-02-09 Thread Jonathan Gallimore
Thanks for the feedback and +1s. I was just thinking that there may be some
legitimate uses of ${tomee.version} that we don't want to replace - e.g.
where we're showing a pom.xml file, and tomee.version is actually defined
as a property. I'm thinking I'll simply switch this to ${TOMEE_VERSION},
merge this in, and set about updating some of the documentation to
reference it.

Let me know if you have any objections to that.

Thanks

Jon

On Tue, Feb 8, 2022 at 2:31 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi All,
>
> I've created a PR for the site generator project:
> https://github.com/apache/tomee-site-generator/pull/32.
>
> The idea here is to allow ${tomee.version} to be specified in the
> documentation or example files, and it to be swapped for the specific
> version string (which can be specified in the Configuration class). The
> rationale here is for pages to show an up-to-date version, rather than
> referencing really old versions.
>
> If folks are ok with this, I'll merge it in, and start working through the
> relevant files to add in the ${tomee.version} placeholder in the right
> places.
>
> Thanks
>
> Jon
>


Re: Re: TomEE Docker image support for arm64?

2022-01-25 Thread Jonathan Gallimore
That sounds like a good proposal to me, and I'm happy to help test.

Jon

On Mon, Jan 24, 2022 at 5:28 PM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> Hello,
>
> I would vote in favor of supporting arm64.  The question for me is how
> deep do we go?  I propose 8 and 9 with java support for 8, 11, and 17.
>
> I will get a branch created so that you can pull it down and test.
>
> Thank you,
> Rod.
>
>
> On 1/24/22, 9:17 AM, "Memo Díaz Solis"  wrote:
>
>
> If the community agrees on adding support for arm64 then I can test it
> if
> you don't mind.
>
> El jue, 20 ene 2022 a las 14:24, Jenkins, Rodney J (Rod) (<
> jenki...@nationwide.com>) escribió:
>
> > Hello,
> >
> > If the community would like an arm64 build, I would be happy to
> create
> > it.  I do not have the ability to test it.
> >
> > If we decided on this course, what images do we want to create?   I
> would
> > assume 8.x and 9.x.  Would we want to create versions for Java 8,
> 11, and
> > 17?  (I would have to look to see what is available.)
> >
> >
> > Thanks,
> > Rod.
> >
> >
> > On 1/17/22, 4:39 PM, "Cesar Hernandez"  wrote:
> >
> > Hello,
> >
> > I saw Gillermo finding about running TomEE docker image on macs
> with M1
> > architecture (arm64)
> > https://github.com/tomitribe/docker-tomee/issues/58
> >
> > I created https://issues.apache.org/jira/browse/TOMEE-3827 to
> follow
> > up
> > this topic since it seems there is a workaround [1] but
> ultimately I
> > would
> > like to know what do you think on adding support for arm64, it
> seems
> > Tomcat
> > already is doing this and our base image (openjdk:8-jre) already
> has
> > support for it [2]
> >
> >
> >
> >
> > [1] https://docs.docker.com/desktop/mac/apple-silicon/
> > [2] https://hub.docker.com/r/arm64v8/openjdk/
> > --
> > Atentamente:
> > César Hernández.
> >
> >
>
>


Re: [VOTE] Apache TomEE 8.0.9

2022-01-06 Thread Jonathan Gallimore
+1 (binding).

Jon

On Thu, Dec 23, 2021 at 12:24 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi All,
>
> This is a first attempt at a vote for a release of Apache TomEE 8.0.8.
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1188
>
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1188_tomee-8.0.9/
>
> Tags:
> https://github.com/apache/tomee/tree/tomee-project-8.0.9
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12350574
>
> Here are the releases notes
> Sub-task
>
> - [TOMEE-3596] - Update example 'injection-of-connectionfactory' to use Server/API Bom
> - [TOMEE-3652] - Update example 'quartz-app' to use Server/API Bom
> - [TOMEE-3682] - Update example 'simple-mdb-and-cdi' to use Server/API Bom
> - [TOMEE-3683] - Update example 'simple-mdb-with-descriptor' to use Server/API Bom
> - [TOMEE-3684] - Update example 'simple-mdb' to use Server/API Bom
>
> Bug
>
> - [TOMEE-3791] - Ajax JSF not provided in 8.0.8 builds
> - [TOMEE-3792] - Missing Public key in KEYS for Tomee
> - [TOMEE-3794] - javaVersion() in org.apache.openejb.arquillian.common.Setup breaks for version strings with length lower than 3
> - [TOMEE-3795] - Proxy class definition does not work in Java 17+
> - [TOMEE-3796] - myfaces-api-2.3.9.jar is modified.
> - [TOMEE-3798] - TomEE (8.0.8) is affected by CVE-2021-40690 vulnerability
> - [TOMEE-3803] - RES_NOT_FOUND in Plume 8.0.8 JSF 2.3
> - [TOMEE-3818] - Double url-decode of form parameters
>
> Improvement
>
> - [TOMEE-3000] - Run BOM Generation in every build
> - [TOMEE-3805] - Website improvements - Release notes & CVEs
> - [TOMEE-3815] - Additional logging in CdiService
>
> Wish
>
> - [TOMEE-3797] - Misassignment webapp->host hard to detect
>
> Dependency upgrade
>
> - [TOMEE-3789] - Upgrade ActiveMQ to 5.16.3
> - [TOMEE-3793] - Upgrade xbean to 4.20
> - [TOMEE-3799] - Upgrade Tomcat to 9.0.53
> - [TOMEE-3806] - Upgrade Tomcat to 9.0.54
> - [TOMEE-3809] - Upgrade to Johnzon 1.2.15
> - [TOMEE-3810] - Upgrade Geronimo Java Mail 1.6 to 1.0.1
> - [TOMEE-3817] - Upgrade Tomcat to 9.0.55
> - [TOMEE-3819] - Apache Tomcat 9.0.56
> - [TOMEE-3820] - Apache OpenWebBeans 2.0.24
> - [TOMEE-3821] - Apache OpenWebBeans 2.0.25
>
> Documentation
>
> - [TOMEE-3811] - Provide E-Mail Example with Velocity
>
> (Developers - please review and adjust your tickets if necessary!)
>
> Please VOTE:
>
> [+1] Yes, release it
> [+0] Not fussed
> [-1] Don't release, there's a showstopper (please specify what the
> showstopper is)
>
> Vote will be open for 72 hours.
>
> Thanks
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>


@Startup in EAR library

2021-11-24 Thread Jonathan Gallimore
Hi All,

I have a slightly odd scenario, where I have an EAR file, with a library in
the EAR's lib folder, which has a Singleton EJB, which is annotated
with @Startup.

The code in question is a common library shared between a number of
applications. Where I want the bean to be used, I define it by including an
entry in an ejb-jar.xml file in an EJB module in an EAR file.

When deploying this EAR file, it appears that CDI picks up this class via a
scan, and attempts to start it, which fails because it isn't
ApplicationScoped - here is the error:

 Caused by: java.lang.IllegalStateException: Only normal scoped beans can
use @Startup - likely @ApplicationScoped

It looks like this behaviour is intentional, and was introduced here:
https://github.com/apache/tomee/commit/351aa3fd63bed63d5e4289693c7155ac5c413845

A couple of quick questions:

* Is this behaviour defined/required by one of the specifications?
* Can we make a change to turn it off?

Assuming it isn't required by a spec, ideally it would have been something
that one would specifically turn on, but requiring that now would be a
backwards incompatible change, so I'd propose adding a parameter to allow
it to be turned off. Would anyone object to that?

Thanks

Jon


Re: TomEE & Java 17

2021-09-20 Thread Jonathan Gallimore
I had a very quick look - I wonder if we simply need to move to
MethodHandles.Lookup.defineClass():
https://docs.oracle.com/javase/9/docs/api/java/lang/invoke/MethodHandles.Lookup.html#defineClass-byte:A-
in the LocalBeanProxyFactory. There's likely a couple of other libraries
that TomEE uses that do similar things, such as OWB and OpenJPA, so we'll
need to check that they do the right thing in Java 17 as well.

Jon

On Mon, Sep 20, 2021 at 9:08 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> Hi ladies,
>
> I wanted to start a discussion about TomEE and its Java 17
> compatibility.
>
> I did some tests in one of our demo projects. It looks like that
> "--illegal-access=permit" was removed in Java 17, which leads to
> some InaccessibleObjectException [1].
>
> Does anybody know, if there are solutions / workarounds for it in Java
> 17 or do we need to fix it? If so: how? ;)
>
> I bet, that many other frameworks / containers will run in this issue,
> so maybe someone already thought about a possible solution? Discussion
> seems to be "hot" [2].
>
> Gruss
> Richard
>
>
> [1] https://gist.github.com/rzo1/5c1d0724a700e262a2e2824ded9f32ab
> [2] https://twitter.com/delabassee/status/1438446396865224705
>
>
>


Re: [RESULT][VOTE] Apache TomEE 8.0.8

2021-09-20 Thread Jonathan Gallimore
That's merged - thanks Rod!

Jon

On Sat, Sep 18, 2021 at 5:40 PM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> Jon.
>
> One more (final maybe) PR that needs to be approved.  I had to make some
> changes that Dockerhub wanted.
>
> Thanks,
> Rod.
>
>
> On 9/16/21, 6:05 AM, "Jonathan Gallimore" 
> wrote:
>
> Hi Rod
>
> That's merged. I know David is out at the moment, but we'll get him to
> add
> his key as soon as possible.
>
> Jon
>
> On Thu, Sep 16, 2021 at 2:53 AM Jenkins, Rodney J (Rod) <
> jenki...@nationwide.com> wrote:
>
> > Jon,
> >
> > The DockerHub folks did not like me removing the keys, so I added
> them
> > back.  However, they also provided a different server to pull them
> from
> > which is far more stable.  So, I have a new PR that needs to be
> approved.
> >
> > However, that leads to two additional problems:
> >
> > 1) Richard's key is missing " Key fingerprint =" in front of his key
> in
> > the KEYS file.  I had to add that manually.
> >
> > 2) David's key he used for TomEE 9.0 is not in the public key
> servers.
> >
> > The first is a minor issue, the second will become a show stopper for a 9
> > full release.  I am not even sure they will 9.0.0-M7 without the
> key.  We
> > will see.
> >
> >
> > Please approve this PR:
> > https://github.com/tomitribe/docker-tomee/pull/53
> >
> > Thanks,
> > Rod.
> >
> >
> >
> > On 9/15/21, 9:46 AM, "Jonathan Gallimore" <
> jonathan.gallim...@gmail.com>
> > wrote:
> >
> > That's merged, thanks Rod!
> >
> > On Tue, Sep 14, 2021 at 11:04 PM Jenkins, Rodney J (Rod) <
> > jenki...@nationwide.com> wrote:
> >
> > > All,
> > >
> > > I have posed 8.0.8 to tomitribe/docker-tomee
> > >
> > > A few notes about this release..
> > >
> > > 1) I had to move away from the keys.  I just could not get
> them to
> > test.
> > > We are now verifying with the sha512 file.
> > >
> > > 2) Can we please be consistent on how we produce the sha512
> files?
> > >
> > > 8.0.6 file looks like this:
> > >
> >
> 3e8fcaf50362169808f1dd09bcf844c642c2251a3a725c58100066500aa482d4c23a3c027c52178dc6a92b648f75b53106a9efdffc6e39918c7fa2e86c058bf7
> > > 8.0.8 looks like:
> > >
> >
> 5a54e24400211f6ef6e48415713996fd5e89da1d5ad29f0e12202b685821245a9d600b4f0ad30539a479a8a8129fad9f7cfb2f3c8232178c42a39e2b9a84a5dd
> > > apache-tomee-8.0.8-plume.tar.gz
> > >
> > > I do not really have a preference.  My only preference is we be
> > > consistent on how we release these files.  If these change, then I have
> > > to alter the Dockerfiles on each release.  Also, can we be consistent
> > > across versions.
> > > 9.0.0-M7 follows the same convention as 8.0.6.
> > >
> > >
> > > Jon,
> > > Can you have a look at the PR,
> > > https://github.com/tomitribe/docker-tomee/pull/52.  When that
> gets
> > > approved, I will get the official images repo updated.
> > >
> > >
> > > Thanks,
> > > Rod Jenkins
> > >
> > > On 9/13/21, 8:54 AM, "Jenkins, Rodney J (Rod)" <
> > jenki...@nationwide.com>
> > > wrote:
> > >
> > >
> &g

Re: singleton with autocloseable

2021-09-16 Thread Jonathan Gallimore
Ah, perfect. Thanks for letting me know!

Jon

On Thu, Sep 16, 2021 at 2:00 PM Matthew Broadhead
 wrote:

> sorry i forgot to follow up.  docker was running out of disk space. it
> is working now
>
> On 16/09/2021 13:02, Jonathan Gallimore wrote:
> > Thanks for the stacktrace - I'll see if I can reproduce that here. That
> > AutoConnectionTracker should kick in if a connection from the resource
> > adapter isn't closed before it goes out of scope. In theory, it should
> > close the connection for you and clean up, so it sounds like something
> > isn't happening there. I might need to circle back with some questions on
> > how to specifically reproduce the issue.
> >
> > Jon
> >
> > On Wed, Sep 8, 2021 at 10:59 AM Matthew Broadhead
> >  wrote:
> >
> >> Hi Jon,
> >> My resource adapter keeps getting clogged and needs to be restarted.
> >> Any idea what might cause that?  The console is like
> >> 08-Sep-2021 10:47:07.079 INFO [ajp-nio-0.0.0.0-8009-exec-37]
> >>
> org.apache.geronimo.connector.outbound.SinglePoolConnectionInterceptor.doRemove
> >>
> >> Removing ManagedConnectionInfo:
> >> org.apache.geronimo.connector.outbound.ManagedConnectionInfo@feec628.
> >> mc:
> >>
> org.apache.tomee.chatterbox.nats.adapter.out.NATSManagedConnection@27233218
> ]
> >>
> >> from pool
> >>
> >>
> org.apache.geronimo.connector.outbound.SinglePoolConnectionInterceptor@71031d13
> >> 08-Sep-2021 10:47:07.079 WARNING [ajp-nio-0.0.0.0-8009-exec-37]
> >> org.apache.openejb.resource.AutoConnectionTracker.setEnvironment
> >> Detected abandoned connection ManagedConnectionInfo:
> >> org.apache.geronimo.connector.outbound.ManagedConnectionInfo@feec628.
> >> mc:
> >>
> org.apache.tomee.chatterbox.nats.adapter.out.NATSManagedConnection@27233218
> ]
> >>
> >> opened at java.lang.Thread.getStackTrace(Thread.java:1559),
> >>
> org.apache.openejb.resource.AutoConnectionTracker$ProxyPhantomReference.(AutoConnectionTracker.java:341),
> >>
> >>
> org.apache.openejb.resource.AutoConnectionTracker.proxyConnection(AutoConnectionTracker.java:221),
> >>
> >>
> org.apache.openejb.resource.AutoConnectionTracker.handleObtained(AutoConnectionTracker.java:161),
> >>
> >>
> org.apache.geronimo.connector.outbound.ConnectionTrackingInterceptor.getConnection(ConnectionTrackingInterceptor.java:67),
> >>
> >>
> org.apache.geronimo.connector.outbound.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:81),
> >>
> >>
> org.apache.tomee.chatterbox.nats.adapter.out.NATSConnectionFactoryImpl.getConnection(NATSConnectionFactoryImpl.java:53),
> >>
> >>
> uk.me.kissy.database.controllers.message.SchedulerController.publishStreaming(SchedulerController.java:32),
> >>
> >>
> uk.me.kissy.database.controllers.message.SchedulerController.scheduleEventWithinSeconds(SchedulerController.java:48),
> >>
> >>
> uk.me.kissy.database.controllers.message.SchedulerController$$OwbNormalScopeProxy0.scheduleEventWithinSeconds(uk/me/kissy/database/controllers/message/SchedulerController.java),
> >>
> >>
> uk.me.kissy.database.controllers.extras.NewsController.storeLatestRequest(NewsController.java:119),
> >>
> >>
> uk.me.kissy.database.controllers.extras.NewsController$$OwbInterceptProxy0.storeLatestRequest(uk/me/kissy/database/controllers/extras/NewsController.java),
> >>
> >>
> uk.me.kissy.database.controllers.extras.NewsController$$OwbNormalScopeProxy0.storeLatestRequest(uk/me/kissy/database/controllers/extras/NewsController.java),
> >>
> >>
> uk.me.kissy.api.services.cors.admin.ExtrasService.createNewStats(ExtrasService.java:293),
> >>
> >> sun.reflect.GeneratedMethodAccessor171.invoke(Unknown Source),
> >>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43),
> >>
> >> java.lang.reflect.Method.invoke(Method.java:498),
> >>
> org.apache.openejb.server.cxf.rs.PojoInvoker.performInvocation(PojoInvoker.java:43),
> >>
> >>
> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96),
> >>
> >> org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201),
> >> org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104),
> >>
> org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:68),
> >>
> >>
> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.j

Re: [RESULT][VOTE] Apache TomEE 8.0.8

2021-09-16 Thread Jonathan Gallimore
Hi Rod

That's merged. I know David is out at the moment, but we'll get him to add
his key as soon as possible.

Jon

On Thu, Sep 16, 2021 at 2:53 AM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> Jon,
>
> The DockerHub folks did not like me removing the keys, so I added them
> back.  However, they also provided a different server to pull them from
> which is far more stable.  So, I have a new PR that needs to be approved.
>
> However, that leads to two additional problems:
>
> 1) Richard's key is missing " Key fingerprint =" in front of his key in
> the KEYS file.  I had to add that manually.
>
> 2) David's key he used for TomEE 9.0 is not in the public key servers.
>
> The first is a minor issue, the second will become a show stopper for a 9
> full release.  I am not even sure they will 9.0.0-M7 without the key.  We
> will see.
>
>
> Please approve this PR:
> https://github.com/tomitribe/docker-tomee/pull/53
>
> Thanks,
> Rod.
>
>
>
> On 9/15/21, 9:46 AM, "Jonathan Gallimore" 
> wrote:
>
> That's merged, thanks Rod!
>
> On Tue, Sep 14, 2021 at 11:04 PM Jenkins, Rodney J (Rod) <
> jenki...@nationwide.com> wrote:
>
> > All,
> >
> > I have posed 8.0.8 to tomitribe/docker-tomee
> >
> > A few notes about this release..
> >
> > 1) I had to move away from the keys.  I just could not get them to
> test.
> > We are now verifying with the sha512 file.
> >
> > 2) Can we please be consistent on how we produce the sha512 files?
> >
> > 8.0.6 file looks like this:
> >
> 3e8fcaf50362169808f1dd09bcf844c642c2251a3a725c58100066500aa482d4c23a3c027c52178dc6a92b648f75b53106a9efdffc6e39918c7fa2e86c058bf7
> > 8.0.8 looks like:
> >
> 5a54e24400211f6ef6e48415713996fd5e89da1d5ad29f0e12202b685821245a9d600b4f0ad30539a479a8a8129fad9f7cfb2f3c8232178c42a39e2b9a84a5dd
> > apache-tomee-8.0.8-plume.tar.gz
> >
> > I do not really have a preference.  My only preference is we be consistent
> > on how we release these files.  If these change, then I have to alter the
> > Dockerfiles on each release.  Also, can we be consistent across versions.
> > 9.0.0-M7 follows the same convention as 8.0.6.
> >
> >
> > Jon,
> > Can you have a look at the PR,
> > https://github.com/tomitribe/docker-tomee/pull/52.  When that gets
> > approved, I will get the official images repo updated.
> >
> >
> > Thanks,
> > Rod Jenkins
> >
> > On 9/13/21, 8:54 AM, "Jenkins, Rodney J (Rod)" <
> jenki...@nationwide.com>
> > wrote:
> >
> >
> > Thomas,
> >
> > I will get started on the Docker images later today.  I should
> have
> > the PR to the docker repos by tonight.  Then we have to go through
> the PRs
> > for the Docker Hub repo.
> >
> > Thanks,
> > Rod.
> >
> >
> > On 9/13/21, 6:32 AM, "Thomas Andraschko" <
> andraschko.tho...@gmail.com>
> > wrote:
> >
> >
> > Thanks :)
> >
> > is there also a way to update the docker images?
> >
> > Am Mo., 13. Sept. 2021 um 13:10 Uhr schrieb Zowalla, Richard
> <
> > richard.zowa...@hs-heilbronn.de>:
> >
> > > Can confirm. It is available via the mirrors.
> > > DL page now contains the links to 8.0.8
> > >
> > > Thanks to all :)
> > >
> > > Am Montag, dem 13.09.2021 um 10:14 +0200 schrieb Jean-Louis
> > Monteiro:
> > > > Should be available soon.
> > > > Just pushed
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > >
> > > >
> > > > On Mon, Sep 13, 2021 at 8:51 AM Jean-Louis Monteiro <
> > > > jlmonte...@tomitribe.com

Re: singleton with autocloseable

2021-09-16 Thread Jonathan Gallimore

Re: [RESULT][VOTE] Apache TomEE 8.0.8

2021-09-15 Thread Jonathan Gallimore
That's merged, thanks Rod!

On Tue, Sep 14, 2021 at 11:04 PM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> All,
>
> I have posed 8.0.8 to tomitribe/docker-tomee
>
> A few notes about this release..
>
> 1) I had to move away from the keys.  I just could not get them to test.
> We are now verifying with the sha512 file.
>
> 2) Can we please be consistent on how we produce the sha512 files?
>
> 8.0.6 file looks like this:
> 3e8fcaf50362169808f1dd09bcf844c642c2251a3a725c58100066500aa482d4c23a3c027c52178dc6a92b648f75b53106a9efdffc6e39918c7fa2e86c058bf7
> 8.0.8 looks like:
> 5a54e24400211f6ef6e48415713996fd5e89da1d5ad29f0e12202b685821245a9d600b4f0ad30539a479a8a8129fad9f7cfb2f3c8232178c42a39e2b9a84a5dd
> apache-tomee-8.0.8-plume.tar.gz
>
> I do not really have a preference.  My only preference is we be consistent
> on how we release these files.  If these change, then I have to alter the
> Dockerfiles on each release.  Also, can we be consistent across versions.
> 9.0.0-M7 follows the same convention as 8.0.6.
>
>
> Jon,
> Can you have a look at the PR,
> https://github.com/tomitribe/docker-tomee/pull/52.  When that gets
> approved, I will get the official images repo updated.
>
>
> Thanks,
> Rod Jenkins
>
> On 9/13/21, 8:54 AM, "Jenkins, Rodney J (Rod)" 
> wrote:
>
>
> Thomas,
>
> I will get started on the Docker images later today.  I should have
> the PR to the docker repos by tonight.  Then we have to go through the PRs
> for the Docker Hub repo.
>
> Thanks,
> Rod.
>
>
> On 9/13/21, 6:32 AM, "Thomas Andraschko" 
> wrote:
>
>
> Thanks :)
>
> is there also a way to update the docker images?
>
> Am Mo., 13. Sept. 2021 um 13:10 Uhr schrieb Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de>:
>
> > Can confirm. It is available via the mirrors.
> > DL page now contains the links to 8.0.8
> >
> > Thanks to all :)
> >
> > Am Montag, dem 13.09.2021 um 10:14 +0200 schrieb Jean-Louis
> Monteiro:
> > > Should be available soon.
> > > Just pushed
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > On Mon, Sep 13, 2021 at 8:51 AM Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > > > I'll move the dist today.
> > > > Did it on Friday but forgot the SVN CI ...
> > > >
> > > > Le lun. 13 sept. 2021 à 08:11, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > >
> > > > > Hi Thomas,
> > > > >
> > > > > looks like it is available via Maven Central but the
> distribution
> > > > > zips
> > > > > / tar.gz are not yet synced to the dl-cdn (+ archive).
> Perhaps an
> > > > > > additional step is needed?
> > > > >
> > > > > The related page update is available as a PR [1], which
> can be
> > > > > merged,
> > > > > after the files are available.
> > > > >
> > > > > Gruss
> > > > > Richard
> > > > >
> > > > >
> > > > > [1] https://github.com/apache/tomee-site-generator/pull/29
> > > > >
> > > > > Am Sonntag, dem 12.09.2021 um 23:19 +0200 schrieb Thomas
> > > > > Andraschko:
> > > > > > Hi,
> > > > > >
> > > > > > is the release already done?
> > > > > > the download page still shows 8.0.6
> > > > > >
> > > > > > Am Do., 9. Sept. 2021 um 11:29 Uhr schrieb Jean-Louis
> Monteiro
> > > > > > <
> > > > > > jlmonte...@tomitribe.com>:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > Closing the vote now.
> > > > > > > Vote passes with 11 +1 and no other vote.
> > > > > > >
> > > > > > > Richard, Daniel, Luis, Thomas, Alexandre, Martin: +1
> (non
> > > > > > > binding)
> > > > > > > Cesar, Jean-Louis, Mark, Jonathan, David: +1 (binding)
> > > > > > >
> > > > > > > I'll proceed with the release process.
> > > > > > >
> > > > > > > Thanks everyone for voting and Richard for helping.
> > > > > > >
> > > > > > > --
> > > > > > > Jean-Louis Monteiro
> > > > > > > http://twitter.com/jlouismonteiro
> > > > > > > http://www.tomitribe.com
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Sep 1, 2021 at 3:49 PM Jean-Louis Monteiro <
> > > > > > > jlmonte...@tomitribe.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > This is a first attempt at a vote for a release of
> Apache
> > > > > > > > TomEE
> > > > > > > > 8.0.8.
> > > > > > > >
> > > > > > > > Maven Repo:
> > 
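
The two `.sha512` layouts Rod describes in the thread above (a bare digest for 8.0.6 and 9.0.0-M7, a digest followed by the file name for 8.0.8) can be checked by one routine, so the verification step does not have to change per release. This is an added example, not code from the thread or from the docker-tomee repository; the function names, the return codes and the assumption that the file name follows the digest on the same line (as `sha512sum` prints it) belong to this example only.

```shell
#!/bin/sh
# Added example: verify a download against a .sha512 file that holds either
# a bare digest or "digest  filename". Sample data below is constructed.

# Print the SHA-512 hex digest of a file using whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_sha512 ARTIFACT CHECKSUM_FILE
# Returns 0 on match, 1 on digest mismatch, 2 if an input is missing or the
# checksum file is malformed or names a different artifact.
verify_sha512() {
    vs_artifact=$1
    vs_sumfile=$2
    [ -f "$vs_artifact" ] && [ -f "$vs_sumfile" ] || return 2

    # First line only: field 1 is the digest, the rest (if any) is the name.
    vs_expected=
    vs_name=
    read -r vs_expected vs_name <<EOF
$(head -n 1 "$vs_sumfile" | tr -d '\r')
EOF
    vs_expected=$(printf '%s' "$vs_expected" | tr 'A-F' 'a-f')

    # A SHA-512 digest is exactly 128 hex characters. Reject anything else so
    # an empty or truncated checksum file can never be treated as a match.
    case $vs_expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#vs_expected}" -eq 128 ] || return 2

    # If a file name is present it must name this artifact. sha512sum puts a
    # '*' before the name in binary mode; strip that and any leading path.
    if [ -n "$vs_name" ]; then
        vs_name=${vs_name#\*}
        vs_name=${vs_name##*/}
        [ "$vs_name" = "$(basename "$vs_artifact")" ] || return 2
    fi

    vs_actual=$(sha512_of "$vs_artifact") || return 2
    [ "$vs_actual" = "$vs_expected" ] || return 1
    return 0
}

# Constructed demo: one artifact, both checksum layouts, then a modified copy.
# Prints the three return codes in that order.
demo_layouts() {
    dl_dir=$(mktemp -d) || return 2
    printf 'constructed sample artifact\n' > "$dl_dir/sample.tar.gz"
    dl_hash=$(sha512_of "$dl_dir/sample.tar.gz")
    printf '%s' "$dl_hash" > "$dl_dir/bare.sha512"                 # digest only
    printf '%s  sample.tar.gz\n' "$dl_hash" > "$dl_dir/named.sha512" # digest + name
    dl_r1=0; verify_sha512 "$dl_dir/sample.tar.gz" "$dl_dir/bare.sha512"  || dl_r1=$?
    dl_r2=0; verify_sha512 "$dl_dir/sample.tar.gz" "$dl_dir/named.sha512" || dl_r2=$?
    printf 'x' >> "$dl_dir/sample.tar.gz"                           # simulate corruption
    dl_r3=0; verify_sha512 "$dl_dir/sample.tar.gz" "$dl_dir/named.sha512" || dl_r3=$?
    rm -rf "$dl_dir"
    echo "$dl_r1 $dl_r2 $dl_r3"
}

demo_layouts
```

A checksum only detects corruption or a mismatched file; it says nothing about who published the artifact, which is what the KEYS signature check discussed in the same thread covers.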

Re: [VOTE] Apache TomEE 8.0.8

2021-09-07 Thread Jonathan Gallimore
+1

Jon

On Wed, Sep 1, 2021 at 2:49 PM Jean-Louis Monteiro 
wrote:

> Hi All,
>
> This is a first attempt at a vote for a release of Apache TomEE 8.0.8.
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1186
>
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1186/
>
> Tags:
> https://github.com/apache/tomee/tree/tomee-project-8.0.8
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12350177=Html=12312320
>
> Here is an adoc generated version (Thanks Richard)
>
> > = Apache TomEE 8.0.8 Release Notes
> > :index-group: Release Notes
> > :jbake-type: page
> > :jbake-status: published
> > == Dependency upgrade
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2990[TOMEE-2990]
> > BatchEE 0.6
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3750[TOMEE-3750]
> > BatchEE 1.0.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2987[TOMEE-2987] CXF
> > 3.4.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3756[TOMEE-3756]
> > HSQLDB 2.3.4
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772]
> > JUnit 4.13.2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3734[TOMEE-3734]
> > Johnzon 1.2.11
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3755[TOMEE-3755]
> > Johnzon 1.2.13
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3770[TOMEE-3770]
> > Johnzon 1.2.14
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3732[TOMEE-3732]
> > MyFaces 2.3.9
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3753[TOMEE-3753]
> > OpenJPA 3.2.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2997[TOMEE-2997]
> > OpenSAML V3.4.6
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2809[TOMEE-2809]
> > OpenWebBeans 2.0.22
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2998[TOMEE-2998]
> > Tomcat 9.0.45
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3760[TOMEE-3760]
> > Tomcat 9.0.48
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3773[TOMEE-3773]
> > Tomcat 9.0.50
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3787[TOMEE-3787]
> > Tomcat 9.0.52
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939]
> > bcprov-jdk15on 1.67
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3765[TOMEE-3765]
> > bouncycastle 1.69
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3764[TOMEE-3764]
> > commons-dbcp 2.3.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3759[TOMEE-3759]
> > commons-io 2.10.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2972[TOMEE-2972]
> > latest OWB version run on Java16
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2988[TOMEE-2988]
> > xbean 4.18+ (Java 16 support)
> > == New Feature
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3730[TOMEE-3730] Add
> > JSONP and JSONB Providers JAX-RS Client
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2365[TOMEE-2365]
> > Implement Java EE Security API from EE 8
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2966[TOMEE-2966]
> > Provide a pure JUnit5 OpenEJB Extension
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2977[TOMEE-2977]
> > Provide a ApplicationComposer JUnit 5 Extension
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2993[TOMEE-2993] API
> > pom for each TomEE distribution
> > == Bug
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3774[TOMEE-3774]
> > Problems with master branch in Windows 10
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3731[TOMEE-3731]
> > Remove non-compliant JAX-RS Provider sorting
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3768[TOMEE-3768]
> > TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to
> > Apache CXF
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125]
> > Datasource config: MaxWait, timeBetweenEvictionRunsMillis and
> > MinEvictableIdleTimeMillis are ignored
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3727[TOMEE-3727]
> > Ensure java.io.File is not seen as a JSONB serializable type
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3728[TOMEE-3728]
> > Ensure java.io.Reader is not seen as a JSONB serializable type
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3729[TOMEE-3729] Do
> > not scan classpath for @Provider when there is a JAX-RS Application
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968]
> > Postgres connection error when a password contains "}"
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3740[TOMEE-3740] Fix
> > Test Failures in "openejb-core" introduced during TCK work
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3743[TOMEE-3743]
> > TomEEJsonbProvider not registered anymore as of TomEE 8.0.7? Causes
> failing
> > REST-services.
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3739[TOMEE-3739] Fix
> > JAX-RS landscape / 

Re: jwt loginmodule

2021-08-12 Thread Jonathan Gallimore
Hi Matthew,

It's not a JAAS login module, but take a look at
https://github.com/apache/tomee/tree/master/examples/mp-rest-jwt-public-key
- the ability to validate access via a JWT was introduced in MicroProfile
fairly early on.

Jon

On Thu, Aug 12, 2021 at 8:29 AM Matthew Broadhead
 wrote:

> Is there a JWT loginmodule?
> Would be nice to have an extended SQLLoginModule that used Bearer
> instead of Basic Auth
>


Re: singleton with autocloseable

2021-08-02 Thread Jonathan Gallimore
I haven't had a chance to try yet - I'll take a look at the test you
pointed out.

Jon

On Wed, Jul 28, 2021 at 8:35 PM Matthew Broadhead
 wrote:

> Is it possible to mock an RA during testing with ApplicationComposer?
> it isn't possible to run any tests without errors once it is used in the
> program as far as i can see
>
> On 07/07/2021 08:56, Matthew Broadhead wrote:
> > Romain has pointed me to this file which seems to do what I want but I
> > can't make it work
> >
> https://github.com/apache/tomee/blob/861e65ba7fe11f28c52a020f26bfe368a294f665/container/openejb-core/src/test/java/org/apache/openejb/config/ConnectorProxyTest.java
> >
> >
> > I can't get any of my other tests running since I added the RA. it
> > just blows up :(
> >
> > On 28/06/2021 23:32, Jonathan Gallimore wrote:
> >> Do you have a test you can post? Off the top of my head, I'm not
> >> sure, but
> >> I imagine we can figure something out.
> >>
> >> P.S. thanks for the PR - I merged it in. Is that your first TomEE
> >> commit?
> >> If so, congratulations :)
> >>
> >> Jon
> >>
> >> On Mon, 28 Jun 2021, 22:04 Matthew Broadhead,
> >>  wrote:
> >>
> >>> Hi Jon,
> >>>
> >>> Have you got any tips for mocking the NATSConnectionFactory? I am
> >>> trying to start doing some tests with SingleApplicationComposerRunner
> >>> and I get
> >>>
> >>> org.apache.openejb.OpenEJBException: Can't find resource for class
> >>> tld.domain.controllers.message.SchedulerController#cf. (No provider
> >>> available for resource-ref 'null' of type
> >>> 'org.apache.tomee.chatterbox.nats.api.NATSConnectionFactory' for
> >>> 'NotificationTimer'.)
> >>>   at org.apache.openejb.config.AutoConfig.processResourceRef(AutoConfig.java:1224)
> >>>   at org.apache.openejb.config.AutoConfig.deploy(AutoConfig.java:892)
> >>>   at org.apache.openejb.config.AutoConfig.deploy(AutoConfig.java:200)
> >>>   at org.apache.openejb.config.ConfigurationFactory$Chain.deploy(ConfigurationFactory.java:420)
> >>>   at org.apache.openejb.config.ConfigurationFactory.configureApplication(ConfigurationFactory.java:1033)
> >>>   at org.apache.openejb.testing.ApplicationComposers.deployApp(ApplicationComposers.java:723)
> >>>   at org.apache.openejb.testing.SingleApplicationComposerRunner$2.deployApp(SingleApplicationComposerRunner.java:148)
> >>>   at org.apache.openejb.testing.ApplicationComposers.before(ApplicationComposers.java:386)
> >>>   at org.apache.openejb.testing.SingleApplicationComposerRunner.start(SingleApplicationComposerRunner.java:169)
> >>>   at org.apache.openejb.testing.SingleApplicationComposerRunner.access$100(SingleApplicationComposerRunner.java:43)
> >>>   at org.apache.openejb.testing.SingleApplicationComposerRunner$1$1.evaluate(SingleApplicationComposerRunner.java:103)
> >>>   at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
> >>>   at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
> >>>   at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
> >>>   at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
> >>>   at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
> >>>   at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
> >>>   at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
> >>>   at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
> >>>   at org.j

Re: Docker image change requests

2021-07-15 Thread Jonathan Gallimore
Fantastic, thank you for the update Rod!

Jon

On Thu, Jul 15, 2021 at 3:28 AM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> All,
>
> All of the Docker images have been rebuilt.  While I have issues using the
> key servers, it does not appear that the automated build process does not.
> I will look into this a bit further.
>
> Rod.
>
>
> From: Jenkins, Rodney J (Rod) 
> Date: Wednesday, July 14, 2021 at 12:09 PM
> To: dev@tomee.apache.org 
> Subject: [EXTERNAL] Re: Docker image change requests
> Nationwide Information Security Warning: This is an EXTERNAL email. Use
> CAUTION before clicking on links, opening attachments, or responding.
> (Sender: dev-return-28498-JENKIR14=nationwide@tomee.apache.org)
>
>
> --
>
>
> Jon,
>
> I will get started on that.  I will move to SHA512 and should be able to
> release 9.0.
>
> Thanks,
> Rod.
>
> From: Jonathan Gallimore 
> Date: Wednesday, July 14, 2021 at 11:49 AM
> To: dev@tomee.apache.org 
> Subject: [EXTERNAL] Re: Docker image change requests
>
>
> --
>
>
> I'm fine with the sha512 change - go for it.
>
>
> Jon
>
> On Wed, 14 Jul 2021, 15:39 Jenkins, Rodney J (Rod), <
> jenki...@nationwide.com>
> wrote:
>
> > Jon,
> >
> > Here is a link with more info on the key server issues:
> > https://github.com/tomitribe/docker-tomee/pull/47#issuecomment-872093674
> >
> > I was able to reproduce these.  I have not been able to reliably build an
> > image in the last couple weeks.
> >
> > There is another issue blocking TomEE 9.0.  It looks like there is a
> > missing key fingerprint from David’s new keys he uploaded.  See the email
> > on this list on 5/29.
> >
> > In my opinion, it is simpler to use the SHA and seems to be more
> reliable.
> >
> > I have a PR request out there to remove the windows files.  David did
> give
> > me access to approve that, but I am assuming that we would prefer someone
> > else to approve it.
> >
> > I will start on a list of new tags to add to the images.
> >
> > Thanks,
> > Rod.
> >
> >
> > From: Jonathan Gallimore 
> > Date: Wednesday, July 14, 2021 at 5:07 AM
> > To: dev@tomee.apache.org 
> > Subject: [EXTERNAL] Re: Docker image change requests
> >
> >
> >
> --
> >
> >
> > Hi Rod,
> >
> > Can you elaborate on what the keyserver issue is? That sounds like the
> > immediate blocker.
> >
> > We publish SHA512 checksums so I'm fine with using them, although a GPG
> > check is also nice.
> >
> > I'm a +1 on the additional tags, and removing the .exes from the bin
> > directory.
> >
> > Jon
> >
> > On Fri, Jul 9, 2021 at 7:35 PM Jenkins, Rodney J (Rod) <
> > jenki...@nationwide.com> wrote:
> >
> > > All,
> > >
> > > There are two requests and one issue at
> > > https://github.com/tomitribe/docker-tomee/issues
> > >
> > > The issue needs to be resolved sooner rather than later.  The base
> Debian
> > > image has a vulnerability in it, we need to rebuild it.  I will get that
> > > going.  However, I am concerned with the key server issues.  I would
> > like a
> > > discussion on moving to the sha512 checksums.
> > >
> > > Adding additional tags was requested back in 2017.  I like this idea.
> > For
> > > example we would point the “plus” tag at the latest 8 version on the
> > newest
> > > jre.  Additional tagging is something we should be doing.
> > >
> > > Cleanup of the bin directory is an easy fix.  This would make our
> images
> > a
> > > bit smaller, which users like.
> > >
> > > I am happy to make these changes, or have a discussion.
> > >
> > > Please advise,
> > > Rod.
> > >
> > >
> >
>


Re: Docker image change requests

2021-07-14 Thread Jonathan Gallimore
I'm fine with the sha512 change - go for it.


Jon

On Wed, 14 Jul 2021, 15:39 Jenkins, Rodney J (Rod), 
wrote:

> Jon,
>
> Here is a link with more info on the key server issues:
> https://github.com/tomitribe/docker-tomee/pull/47#issuecomment-872093674
>
> I was able to reproduce these.  I have not been able to reliably build an
> image in the last couple weeks.
>
> There is another issue blocking TomEE 9.0.  It looks like there is a
> missing key fingerprint from David’s new keys he uploaded.  See the email
> on this list on 5/29.
>
> In my opinion, it is simpler to use the SHA and seems to be more reliable.
>
> I have a PR request out there to remove the windows files.  David did give
> me access to approve that, but I am assuming that we would prefer someone
> else to approve it.
>
> I will start on a list of new tags to add to the images.
>
> Thanks,
> Rod.
>
>
> From: Jonathan Gallimore 
> Date: Wednesday, July 14, 2021 at 5:07 AM
> To: dev@tomee.apache.org 
> Subject: [EXTERNAL] Re: Docker image change requests
>
>
> --
>
>
> Hi Rod,
>
> Can you elaborate on what the keyserver issue is? That sounds like the
> immediate blocker.
>
> We publish SHA512 checksums so I'm fine with using them, although a GPG
> check is also nice.
>
> I'm a +1 on the additional tags, and removing the .exes from the bin
> directory.
>
> Jon
>
> On Fri, Jul 9, 2021 at 7:35 PM Jenkins, Rodney J (Rod) <
> jenki...@nationwide.com> wrote:
>
> > All,
> >
> > There are two requests and one issue at
> > https://github.com/tomitribe/docker-tomee/issues
> >
> > The issue needs to be resolved sooner rather than later.  The base Debian
> > image has a vulnerability in it, we need to rebuild it.  I will get that
> > going.  However, I am concerned with the key server issues.  I would
> like a
> > discussion on moving to the sha512 checksums.
> >
> > Adding additional tags was requested back in 2017.  I like this idea.
> For
> > example we would point the “plus” tag at the latest 8 version on the
> newest
> > jre.  Additional tagging is something we should be doing.
> >
> > Cleanup of the bin directory is an easy fix.  This would make our images
> a
> > bit smaller, which users like.
> >
> > I am happy to make these changes, or have a discussion.
> >
> > Please advise,
> > Rod.
> >
> >
>


Re: Docker image change requests

2021-07-14 Thread Jonathan Gallimore
Hi Rod,

Can you elaborate on what the keyserver issue is? That sounds like the
immediate blocker.

We publish SHA512 checksums so I'm fine with using them, although a GPG
check is also nice.

I'm a +1 on the additional tags, and removing the .exes from the bin
directory.

Jon

On Fri, Jul 9, 2021 at 7:35 PM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> All,
>
> There are two requests and one issue at
> https://github.com/tomitribe/docker-tomee/issues
>
> The issue needs to be resolved sooner rather than later.  The base Debian
> image has a vulnerability in it, we need to rebuild it.  I will get that
> going.  However, I am concerned with the key server issues.  I would like a
> discussion on moving to the sha512 checksums.
>
> Adding additional tags was requested back in 2017.  I like this idea.  For
> example we would point the “plus” tag at the latest 8 version on the newest
> jre.  Additional tagging is something we should be doing.
>
> Cleanup of the bin directory is an easy fix.  This would make our images a
> bit smaller, which users like.
>
> I am happy to make these changes, or have a discussion.
>
> Please advise,
> Rod.
>
>
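The SHA512 check discussed in this thread, as an added example that is not part of the original messages or of the docker-tomee build; the function names and the file names in the demo are assumptions made for illustration. A digest only proves integrity relative to wherever the digest itself was fetched from, which is the trade-off against the GPG check mentioned above.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against a published SHA-512
# digest and fail closed. All file names below are constructed.

# Print the lowercase hex SHA-512 of a file with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        openssl dgst -sha512 -r "$1" | awk '{print $1}'
    fi
}

# Read the digest from a checksum file. Accepts a bare hex string or the
# "<hex>  <filename>" layout, upper or lower case. Anything that is not
# exactly 128 hex characters (empty file, HTML error page, truncated
# download) is rejected instead of being compared.
read_digest() {
    d=$(head -n 1 "$1" | awk '{print $1}' | tr 'A-F' 'a-f')
    case "$d" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#d}" -eq 128 ] || return 1
    printf '%s\n' "$d"
}

# verify_sha512 ARCHIVE CHECKSUM_FILE
# Returns 0 only on a match; 1 mismatch, 2 missing file,
# 3 unusable checksum file, 4 hashing failed.
verify_sha512() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    expected=$(read_digest "$2") || return 3
    actual=$(sha512_of "$1")
    [ -n "$actual" ] || return 4
    [ "$actual" = "$expected" ]
}

# Constructed demo: a stand-in archive with a correct checksum file, then a
# modified archive, then an empty checksum file.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed archive contents\n' > "$dir/server.tar.gz"
    printf '%s  server.tar.gz\n' "$(sha512_of "$dir/server.tar.gz")" \
        > "$dir/server.tar.gz.sha512"
    verify_sha512 "$dir/server.tar.gz" "$dir/server.tar.gz.sha512" && ok=0 || ok=$?
    printf 'x' >> "$dir/server.tar.gz"        # simulate a modified download
    verify_sha512 "$dir/server.tar.gz" "$dir/server.tar.gz.sha512" && bad=0 || bad=$?
    : > "$dir/server.tar.gz.sha512"           # simulate a failed checksum fetch
    verify_sha512 "$dir/server.tar.gz" "$dir/server.tar.gz.sha512" && empty=0 || empty=$?
    rm -rf "$dir"
    printf '%s %s %s\n' "$ok" "$bad" "$empty"
}

demo
```

In an image build, the non-zero return is what stops the build step, so the verification call should be the condition for unpacking the archive rather than a separate logged step.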


Re: singleton with autocloseable

2021-06-28 Thread Jonathan Gallimore
ncher.core.EngineExecutionOrchestrator.execute(EngineExecutionOrchestrator.java:52)
>  at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:96)
>  at org.junit.platform.launcher.core.DefaultLauncher.execute(DefaultLauncher.java:84)
>  at org.eclipse.jdt.internal.junit5.runner.JUnit5TestReference.run(JUnit5TestReference.java:98)
>  at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:40)
>  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:541)
>  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:768)
>  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:464)
>  at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:210)
>
>
>
> On 23/06/2021 13:14, Jonathan Gallimore wrote:
> > Hi Matthew
> >
> > Can you submit a PR against https://github.com/apache/tomee-chatterbox?
> >
> > Looking into embedding the rar into the webapp, but as it stands right at
> > the moment, I'm either doing something wrong, or hitting an unusual bug
> > with the resource creation. I'm debugging through it.
> >
> > Jon
> >
> > On Fri, Jun 18, 2021 at 7:39 AM Matthew Broadhead
> >  wrote:
> >
> >> I have pointed WST to the TomEE install and that works fine.  it might
> >> be nice to embed the rar into the webapp.  does that work for production
> >> as well?
> >>
> >> where do i submit the PR?
> https://github.com/jgallimore/tomee-chatterbox
> >> or https://github.com/apache/tomee-chatterbox ?  it is by no means
> >> complete but it allows me to set ackWait and durableName
> >>
> >>
> >> On 17/06/2021 15:37, Jonathan Gallimore wrote:
> >>> On Thu, Jun 17, 2021 at 1:48 PM Matthew Broadhead
> >>>  wrote:
> >>>
> >>>> i added ackWait and durableName as Strings in NATSActivationSpec so it
> >>>> is working for me ok.
> >>>>
> >>> Very nice! Can you send a PR for that? I'll get it merged in. Nice work
> >> :).
> >>>
> >>>> i have managed to deploy TomEE with docker fine.  But when deploying
> >>>> with Eclipse WST I have to manually copy the rar into the apps folder
> in
> >>>> org.eclipse.wst.server.core.  Is there a way to automate the process
> >>>> using the launch configuration?
> >>>>
> >>> It's been a while since I've used Eclipse, so the short answer is "I
> >> don't
> >>> know". I tended to point WST to use a TomEE install, and to actually
> take
> >>> control of the install (as opposed to using a folder
> >>> in org.eclipse.wst.server.core). That way you'd just set it up once.
> >>>
> >>> There is one other alternative, which is to embed the .rar in the
> webapp
> >>> itself. I'll hack up an example this evening for this adapter, but the
> >>> general gist of it is that you'd include the chatterbox-nats-api and
> >>> chatterbox-nats-impl jars in WEB-INF/lib (along with the dependencies),
> >> and
> >>> configure the resource adapter in WEB-INF/resources.xml (which is
> >> basically
> >>> a version of tomee.xml that is local to the application). Its
> similar-ish
> >>> to packaging the rar in an ear, but keeps your deployable as a rar (and
> >>> should work with WST).
> >>>
> >>> Jon
> >>>
> >>>
> >>>
> >>>> On 17/06/2021 11:52, Matthew Broadhead wrote:
> >>>>> maybe it is possible to put the Subscription option in the
> >>>>> NATSActivationSpec
> >>>>>
> >>>>> On 17/06/2021 09:43, Matthew Broadhead wrote:
> >>>>>> Hi Jon,
> >>>>>>
> >>>>>> I was wondering how to set the SubscriptionOptions.  If you look at
> >>>>>> the example below they are the third argument to the subscribe
> >>>>>> function after the MessageHandler.  In my case I might want to have
> >>>>>> control over the ackWait time and switch between manualAcks and
> >>>>>> autoAcks.  The durable name is quite important too.
> >>>>>> startWithLastReceived can be changed to getting all the messages or
> >>>>>> some number of messages.  Sorry if I didn't mention these before
> >

Re: singleton with autocloseable

2021-06-23 Thread Jonathan Gallimore
Managed to figure out my config mistakes, and pushed an example with the
resource adapter embedded in the .war file:
https://github.com/apache/tomee-chatterbox/commit/18290594eb924c0a0625f7560e096635d8b92416

Hope that helps!

Jon

On Wed, Jun 23, 2021 at 12:14 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi Matthew
>
> Can you submit a PR against https://github.com/apache/tomee-chatterbox?
>
> Looking into embedding the rar into the webapp, but as it stands right at
> the moment, I'm either doing something wrong, or hitting an unusual bug
> with the resource creation. I'm debugging through it.
>
> Jon
>
> On Fri, Jun 18, 2021 at 7:39 AM Matthew Broadhead
>  wrote:
>
>> I have pointed WST to the TomEE install and that works fine.  it might
>> be nice to embed the rar into the webapp.  does that work for production
>> as well?
>>
>> where do i submit the PR? https://github.com/jgallimore/tomee-chatterbox
>> or https://github.com/apache/tomee-chatterbox ?  it is by no means
>> complete but it allows me to set ackWait and durableName
>>
>>
>> On 17/06/2021 15:37, Jonathan Gallimore wrote:
>> > On Thu, Jun 17, 2021 at 1:48 PM Matthew Broadhead
>> >  wrote:
>> >
>> >> i added ackWait and durableName as Strings in NATSActivationSpec so it
>> >> is working for me ok.
>> >>
>> > Very nice! Can you send a PR for that? I'll get it merged in. Nice work
>> :).
>> >
>> >
>> >> i have managed to deploy TomEE with docker fine.  But when deploying
>> >> with Eclipse WST I have to manually copy the rar into the apps folder
>> in
>> >> org.eclipse.wst.server.core.  Is there a way to automate the process
>> >> using the launch configuration?
>> >>
>> > It's been a while since I've used Eclipse, so the short answer is "I
>> don't
>> > know". I tended to point WST to use a TomEE install, and to actually
>> take
>> > control of the install (as opposed to using a folder
>> > in org.eclipse.wst.server.core). That way you'd just set it up once.
>> >
>> > There is one other alternative, which is to embed the .rar in the webapp
>> > itself. I'll hack up an example this evening for this adapter, but the
>> > general gist of it is that you'd include the chatterbox-nats-api and
>> > chatterbox-nats-impl jars in WEB-INF/lib (along with the dependencies),
>> and
>> > configure the resource adapter in WEB-INF/resources.xml (which is
>> basically
>> > a version of tomee.xml that is local to the application). It's
>> similar-ish
>> > to packaging the rar in an ear, but keeps your deployable as a rar (and
>> > should work with WST).
>> >
>> > Jon
>> >
>> >
>> >
>> >> On 17/06/2021 11:52, Matthew Broadhead wrote:
>> >>> maybe it is possible to put the Subscription option in the
>> >>> NATSActivationSpec
>> >>>
>> >>> On 17/06/2021 09:43, Matthew Broadhead wrote:
>> >>>> Hi Jon,
>> >>>>
>> >>>> I was wondering how to set the SubscriptionOptions.  If you look at
>> >>>> the example below they are the third argument to the subscribe
>> >>>> function after the MessageHandler.  In my case I might want to have
>> >>>> control over the ackWait time and switch between manualAcks and
>> >>>> autoAcks.  The durable name is quite important too.
>> >>>> startWithLastReceived can be changed to getting all the messages or
>> >>>> some number of messages.  Sorry if I didn't mention these before
>> >>>>
>> >>>> streamingConnection.subscribe("scheduler:notify", new MessageHandler() {
>> >>>>     @Override
>> >>>>     public void onMessage(Message m) {
>> >>>>         ...
>> >>>>         m.ack();
>> >>>>     }
>> >>>> }, new SubscriptionOptions.Builder().startWithLastReceived().manualAcks().ackWait(Duration.ofSeconds(60))
>> >>>>     .durableName("scheduler-service").build());
>> >>>>
>> >>>> On 16/06/2021 16:43, Jonathan Gallimore wrote:
>> >>>>> Pushed. I've made client Id and cluster id configuration options and
>> >>>>> added
>> >>>>> a README. If it is working for you, I'd suggest we cut a 0.

Re: singleton with autocloseable

2021-06-23 Thread Jonathan Gallimore
Hi Matthew

Can you submit a PR against https://github.com/apache/tomee-chatterbox?

Looking into embedding the rar into the webapp, but as it stands right at
the moment, I'm either doing something wrong, or hitting an unusual bug
with the resource creation. I'm debugging through it.

Jon

On Fri, Jun 18, 2021 at 7:39 AM Matthew Broadhead
 wrote:

> I have pointed WST to the TomEE install and that works fine.  it might
> be nice to embed the rar into the webapp.  does that work for production
> as well?
>
> where do i submit the PR? https://github.com/jgallimore/tomee-chatterbox
> or https://github.com/apache/tomee-chatterbox ?  it is by no means
> complete but it allows me to set ackWait and durableName
>
>
> On 17/06/2021 15:37, Jonathan Gallimore wrote:
> > On Thu, Jun 17, 2021 at 1:48 PM Matthew Broadhead
> >  wrote:
> >
> >> i added ackWait and durableName as Strings in NATSActivationSpec so it
> >> is working for me ok.
> >>
> > Very nice! Can you send a PR for that? I'll get it merged in. Nice work
> :).
> >
> >
> >> i have managed to deploy TomEE with docker fine.  But when deploying
> >> with Eclipse WST I have to manually copy the rar into the apps folder in
> >> org.eclipse.wst.server.core.  Is there a way to automate the process
> >> using the launch configuration?
> >>
> > It's been a while since I've used Eclipse, so the short answer is "I
> don't
> > know". I tended to point WST to use a TomEE install, and to actually take
> > control of the install (as opposed to using a folder
> > in org.eclipse.wst.server.core). That way you'd just set it up once.
> >
> > There is one other alternative, which is to embed the .rar in the webapp
> > itself. I'll hack up an example this evening for this adapter, but the
> > general gist of it is that you'd include the chatterbox-nats-api and
> > chatterbox-nats-impl jars in WEB-INF/lib (along with the dependencies),
> and
> > configure the resource adapter in WEB-INF/resources.xml (which is
> basically
> > a version of tomee.xml that is local to the application). It's similar-ish
> > to packaging the rar in an ear, but keeps your deployable as a rar (and
> > should work with WST).
> >
> > Jon
> >
> >
> >
> >> On 17/06/2021 11:52, Matthew Broadhead wrote:
> >>> maybe it is possible to put the Subscription option in the
> >>> NATSActivationSpec
> >>>
> >>> On 17/06/2021 09:43, Matthew Broadhead wrote:
> >>>> Hi Jon,
> >>>>
> >>>> I was wondering how to set the SubscriptionOptions.  If you look at
> >>>> the example below they are the third argument to the subscribe
> >>>> function after the MessageHandler.  In my case I might want to have
> >>>> control over the ackWait time and switch between manualAcks and
> >>>> autoAcks.  The durable name is quite important too.
> >>>> startWithLastReceived can be changed to getting all the messages or
> >>>> some number of messages.  Sorry if I didn't mention these before
> >>>>
> >>>> streamingConnection.subscribe("scheduler:notify", new MessageHandler() {
> >>>>     @Override
> >>>>     public void onMessage(Message m) {
> >>>>         ...
> >>>>         m.ack();
> >>>>     }
> >>>> }, new SubscriptionOptions.Builder().startWithLastReceived().manualAcks().ackWait(Duration.ofSeconds(60))
> >>>>     .durableName("scheduler-service").build());
> >>>>
> >>>> On 16/06/2021 16:43, Jonathan Gallimore wrote:
> >>>>> Pushed. I've made client Id and cluster id configuration options and
> >>>>> added
> >>>>> a README. If it is working for you, I'd suggest we cut a 0.3 release
> >>>>> unless
> >>>>> there are any objections.
> >>>>>
> >>>>> Jon
> >>>>>
> >>>>> On Wed, Jun 16, 2021 at 12:16 PM Jonathan Gallimore <
> >>>>> jonathan.gallim...@gmail.com> wrote:
> >>>>>
> >>>>>> Sorry, tied up with a couple of things here. Literally just opened
> >>>>>> the IDE
> >>>>>> to finish this off. :)
> >>>>>>
> >>>>>> Jon
> >>>>>>
> >>>>>> On Wed, Jun 16, 2021 at 9:46 AM Matthew Broadhead
> >&g

Re: singleton with autocloseable

2021-06-17 Thread Jonathan Gallimore
On Thu, Jun 17, 2021 at 1:48 PM Matthew Broadhead
 wrote:

> i added ackWait and durableName as Strings in NATSActivationSpec so it
> is working for me ok.
>

Very nice! Can you send a PR for that? I'll get it merged in. Nice work :).


> i have managed to deploy TomEE with docker fine.  But when deploying
> with Eclipse WST I have to manually copy the rar into the apps folder in
> org.eclipse.wst.server.core.  Is there a way to automate the process
> using the launch configuration?
>

It's been a while since I've used Eclipse, so the short answer is "I don't
know". I tended to point WST to use a TomEE install, and to actually take
control of the install (as opposed to using a folder
in org.eclipse.wst.server.core). That way you'd just set it up once.

There is one other alternative, which is to embed the .rar in the webapp
itself. I'll hack up an example this evening for this adapter, but the
general gist of it is that you'd include the chatterbox-nats-api and
chatterbox-nats-impl jars in WEB-INF/lib (along with the dependencies), and
configure the resource adapter in WEB-INF/resources.xml (which is basically
a version of tomee.xml that is local to the application). It's similar-ish
to packaging the rar in an ear, but keeps your deployable as a rar (and
should work with WST).

Jon



>
> On 17/06/2021 11:52, Matthew Broadhead wrote:
> > maybe it is possible to put the Subscription option in the
> > NATSActivationSpec
> >
> > On 17/06/2021 09:43, Matthew Broadhead wrote:
> >> Hi Jon,
> >>
> >> I was wondering how to set the SubscriptionOptions.  If you look at
> >> the example below they are the third argument to the subscribe
> >> function after the MessageHandler.  In my case I might want to have
> >> control over the ackWait time and switch between manualAcks and
> >> autoAcks.  The durable name is quite important too.
> >> startWithLastReceived can be changed to getting all the messages or
> >> some number of messages.  Sorry if I didn't mention these before
> >>
> >> streamingConnection.subscribe("scheduler:notify", new MessageHandler() {
> >>     @Override
> >>     public void onMessage(Message m) {
> >>         ...
> >>         m.ack();
> >>     }
> >> }, new SubscriptionOptions.Builder().startWithLastReceived().manualAcks().ackWait(Duration.ofSeconds(60))
> >>     .durableName("scheduler-service").build());
> >>
> >> On 16/06/2021 16:43, Jonathan Gallimore wrote:
> >>> Pushed. I've made client Id and cluster id configuration options and
> >>> added
> >>> a README. If it is working for you, I'd suggest we cut a 0.3 release
> >>> unless
> >>> there are any objections.
> >>>
> >>> Jon
> >>>
> >>> On Wed, Jun 16, 2021 at 12:16 PM Jonathan Gallimore <
> >>> jonathan.gallim...@gmail.com> wrote:
> >>>
> >>>> Sorry, tied up with a couple of things here. Literally just opened
> >>>> the IDE
> >>>> to finish this off. :)
> >>>>
> >>>> Jon
> >>>>
> >>>> On Wed, Jun 16, 2021 at 9:46 AM Matthew Broadhead
> >>>>  wrote:
> >>>>
> >>>>> hi Jon,
> >>>>>
> >>>>> Is there anything else you need from my end?  It feels like it is
> >>>>> nearly
> >>>>> finished.  Could it pass the parameters in a similar way to how it is
> >>>>> done in the chatterbox-imap?  sending them in from the tomee.xml?
> >>>>>
> >>>>>
> >>>>> On 10/06/2021 19:07, Jonathan Gallimore wrote:
> >>>>>> Thank you! That worked. I have pushed an update to my code, and I've
> >>>>> been
> >>>>>> able to send a message to NATS from a REST endpoint, and receive a
> >>>>> message
> >>>>>> from NATS via an MDB.
> >>>>>>
> >>>>>> I still need to extract the cluster ID and client ID into
> >>>>>> properties for
> >>>>>> the resource adapter, and of course, try and write up how this
> >>>>>> works.
> >>>>> Code
> >>>>>> is here:
> >>>>>> https://github.com/jgallimore/tomee-chatterbox/tree/nats, but
> >>>>> I'll
> >>>>>> merge it in once I have done these couple of changes.
> >>>>>>
> >>>>>

Re: singleton with autocloseable

2021-06-16 Thread Jonathan Gallimore
Pushed. I've made client Id and cluster id configuration options and added
a README. If it is working for you, I'd suggest we cut a 0.3 release unless
there are any objections.

Jon

On Wed, Jun 16, 2021 at 12:16 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Sorry, tied up with a couple of things here. Literally just opened the IDE
> to finish this off. :)
>
> Jon
>
> On Wed, Jun 16, 2021 at 9:46 AM Matthew Broadhead
>  wrote:
>
>> hi Jon,
>>
>> Is there anything else you need from my end?  It feels like it is nearly
>> finished.  Could it pass the parameters in a similar way to how it is
>> done in the chatterbox-imap?  sending them in from the tomee.xml?
>>
>>
>> On 10/06/2021 19:07, Jonathan Gallimore wrote:
>> > Thank you! That worked. I have pushed an update to my code, and I've
>> been
>> > able to send a message to NATS from a REST endpoint, and receive a
>> message
>> > from NATS via an MDB.
>> >
>> > I still need to extract the cluster ID and client ID into properties for
>> > the resource adapter, and of course, try and write up how this works.
>> Code
>> > is here: https://github.com/jgallimore/tomee-chatterbox/tree/nats, but
>> I'll
>> > merge it in once I have done these couple of changes.
>> >
>> > One other thing on my mind is that I'd like to try and find some way to
>> > make all this easier. If you've used JMS, you've used JCA, possibly
>> without
>> > realizing it, but the spec still feels very hard to get into - I wonder
>> if
>> > there is anything we can propose in that regard to try and make creating
>> > simple connectors a bit easier.
>> >
>> > Jon
>> >
>> > On Wed, Jun 9, 2021 at 4:31 PM Matthew Broadhead
>> >  wrote:
>> >
>> >> hi, it was my fault putting a confusing value in the docker compose
>> >> file.  it should work like this
>> >>
>> >> StreamingConnectionFactory cf = new StreamingConnectionFactory(
>> >>     new Options.Builder().natsUrl("nats://localhost:4222")
>> >>         .clusterId("yourclientid").clientId("anything").build());
>> >>
>> >> but you could change the docker-compose.yml to have a -cid of
>> >> yourclusterid and then do this
>> >>
>> >> StreamingConnectionFactory cf = new StreamingConnectionFactory(
>> >>     new Options.Builder().natsUrl("nats://localhost:4222")
>> >>         .clusterId("yourclusterid").clientId("yourclientid").build());
>> >>
>> >> On 09/06/2021 17:15, Jonathan Gallimore wrote:
>> >>> Thanks. If I can get that test going, I can probably get the rest
>> >> working.
>> >>> I suspect there are some other bugs in there.
>> >>>
>> >>> Jon
>> >>>
>> >>> On Wed, Jun 9, 2021 at 4:04 PM Matthew Broadhead
>> >>>  wrote:
>> >>>
>> >>>> Thanks I will have a look now
>> >>>>
>> >>>> On 09/06/2021 15:19, Jonathan Gallimore wrote:
>> >>>>> Ok, I'm stuck. If I boot up a NATS server with your
>> docker-compose.yml
>> >>>>> file, and run the following test:
>> >>>>>
>> >>>>>@Test
>> >>>>>public void testShouldConnect() throws Exception {
>> >>>>>StreamingConnectionFactory cf = new
>> >>>>>StreamingConnectionFactory(new
>> >>>>> Options.Builder().natsUrl("nats://localhost:4222")
>> >>>>>
>> >>>> .clusterId("cluster-id").clientId("yourclientid").build());
>> >>>>>final StreamingConnection connection =
>> cf.createConnection();
>> >>>>>Assert.assertNotNull(connection);
>> >>>>>
>> >>>>>connection.close();
>> >>>>>}
>> >>>>>
>> >>>>> It fails with a timeout.
>> >>>>>
>> >>>>> I monitored the connection with wireshark, and see the following
>> >>>>>
>> >>>>> < = from server to client
>> >>>>>> = from client to server
>> >>>>> > >>>>>
>> >>
>> <{"server_id&q

Re: singleton with autocloseable

2021-06-16 Thread Jonathan Gallimore
Sorry, tied up with a couple of things here. Literally just opened the IDE
to finish this off. :)

Jon

On Wed, Jun 16, 2021 at 9:46 AM Matthew Broadhead
 wrote:

> hi Jon,
>
> Is there anything else you need from my end?  It feels like it is nearly
> finished.  Could it pass the parameters in a similar way to how it is
> done in the chatterbox-imap?  sending them in from the tomee.xml?
>
>
> On 10/06/2021 19:07, Jonathan Gallimore wrote:
> > Thank you! That worked. I have pushed an update to my code, and I've been
> > able to send a message to NATS from a REST endpoint, and receive a
> message
> > from NATS via an MDB.
> >
> > I still need to extract the cluster ID and client ID into properties for
> > the resource adapter, and of course, try and write up how this works.
> Code
> > is here: https://github.com/jgallimore/tomee-chatterbox/tree/nats, but
> I'll
> > merge it in once I have done these couple of changes.
> >
> > One other thing on my mind is that I'd like to try and find some way to
> > make all this easier. If you've used JMS, you've used JCA, possibly
> without
> > realizing it, but the spec still feels very hard to get into - I wonder
> if
> > there is anything we can propose in that regard to try and make creating
> > simple connectors a bit easier.
> >
> > Jon
> >
> > On Wed, Jun 9, 2021 at 4:31 PM Matthew Broadhead
> >  wrote:
> >
> >> hi, it was my fault putting a confusing value in the docker compose
> >> file.  it should work like this
> >>
> >> StreamingConnectionFactory cf = new
> >>StreamingConnectionFactory(new
> >> Options.Builder().natsUrl("nats://localhost:4222")
> >>.clusterId("yourclientid").clientId("anything").build());
> >>
> >> but you could change the docker-compose.yml to have a -cid of
> >> yourclusterid and then do this
> >>
> >> StreamingConnectionFactory cf = new
> >>StreamingConnectionFactory(new
> >> Options.Builder().natsUrl("nats://localhost:4222")
> >>.clusterId("yourclusterid").clientId("yourclientid").build());
> >>
> >> On 09/06/2021 17:15, Jonathan Gallimore wrote:
> >>> Thanks. If I can get that test going, I can probably get the rest
> >> working.
> >>> I suspect there are some other bugs in there.
> >>>
> >>> Jon
> >>>
> >>> On Wed, Jun 9, 2021 at 4:04 PM Matthew Broadhead
> >>>  wrote:
> >>>
> >>>> Thanks I will have a look now
> >>>>
> >>>> On 09/06/2021 15:19, Jonathan Gallimore wrote:
> >>>>> Ok, I'm stuck. If I boot up a NATS server with your
> docker-compose.yml
> >>>>> file, and run the following test:
> >>>>>
> >>>>>@Test
> >>>>>public void testShouldConnect() throws Exception {
> >>>>>StreamingConnectionFactory cf = new
> >>>>>StreamingConnectionFactory(new
> >>>>> Options.Builder().natsUrl("nats://localhost:4222")
> >>>>>
> >>>> .clusterId("cluster-id").clientId("yourclientid").build());
> >>>>>final StreamingConnection connection =
> cf.createConnection();
> >>>>>Assert.assertNotNull(connection);
> >>>>>
> >>>>>connection.close();
> >>>>>}
> >>>>>
> >>>>> It fails with a timeout.
> >>>>>
> >>>>> I monitored the connection with wireshark, and see the following
> >>>>>
> >>>>> < = from server to client
> >>>>>> = from client to server
> >>>>>  >>>>>
> >>
> <{"server_id":"NDMRYDSGUSH2QR6SZWMFB44ND5CODXGKNYTQ5IPLUGYUDBI6G54CIGF6","server_name":"NDMRYDSGUSH2QR6SZWMFB44ND5CODXGKNYTQ5IPLUGYUDBI6G54CIGF6","version":"2.1.4","proto":1,"git_commit":"fb009af","go":"go1.13.7","host":"0.0.0.0","port":4222,"max_payload":1048576,"client_id":10}
> >>>>>> CONNECT
> >>
> {"lang":"java","version":"2.6.5","name":"yourclientid","protocol":1,"verbose":false,"peda

Re: singleton with autocloseable

2021-06-10 Thread Jonathan Gallimore
Thank you! That worked. I have pushed an update to my code, and I've been
able to send a message to NATS from a REST endpoint, and receive a message
from NATS via an MDB.

I still need to extract the cluster ID and client ID into properties for
the resource adapter, and of course, try and write up how this works. Code
is here: https://github.com/jgallimore/tomee-chatterbox/tree/nats, but I'll
merge it in once I have done these couple of changes.

One other thing on my mind is that I'd like to try and find some way to
make all this easier. If you've used JMS, you've used JCA, possibly without
realizing it, but the spec still feels very hard to get into - I wonder if
there is anything we can propose in that regard to try and make creating
simple connectors a bit easier.

Jon

On Wed, Jun 9, 2021 at 4:31 PM Matthew Broadhead
 wrote:

> hi, it was my fault putting a confusing value in the docker compose
> file.  it should work like this
>
> StreamingConnectionFactory cf = new
>   StreamingConnectionFactory(new
> Options.Builder().natsUrl("nats://localhost:4222")
>   .clusterId("yourclientid").clientId("anything").build());
>
> but you could change the docker-compose.yml to have a -cid of
> yourclusterid and then do this
>
> StreamingConnectionFactory cf = new
>   StreamingConnectionFactory(new
> Options.Builder().natsUrl("nats://localhost:4222")
>   .clusterId("yourclusterid").clientId("yourclientid").build());
>
> On 09/06/2021 17:15, Jonathan Gallimore wrote:
> > Thanks. If I can get that test going, I can probably get the rest
> working.
> > I suspect there are some other bugs in there.
> >
> > Jon
> >
> > On Wed, Jun 9, 2021 at 4:04 PM Matthew Broadhead
> >  wrote:
> >
> >> Thanks I will have a look now
> >>
> >> On 09/06/2021 15:19, Jonathan Gallimore wrote:
> >>> Ok, I'm stuck. If I boot up a NATS server with your docker-compose.yml
> >>> file, and run the following test:
> >>>
> >>>   @Test
> >>>   public void testShouldConnect() throws Exception {
> >>>   StreamingConnectionFactory cf = new
> >>>   StreamingConnectionFactory(new
> >>> Options.Builder().natsUrl("nats://localhost:4222")
> >>>
> >> .clusterId("cluster-id").clientId("yourclientid").build());
> >>>   final StreamingConnection connection = cf.createConnection();
> >>>   Assert.assertNotNull(connection);
> >>>
> >>>   connection.close();
> >>>   }
> >>>
> >>> It fails with a timeout.
> >>>
> >>> I monitored the connection with wireshark, and see the following
> >>>
> >>> < = from server to client
> >>>> = from client to server
> >>>  >>>
> >>
> <{"server_id":"NDMRYDSGUSH2QR6SZWMFB44ND5CODXGKNYTQ5IPLUGYUDBI6G54CIGF6","server_name":"NDMRYDSGUSH2QR6SZWMFB44ND5CODXGKNYTQ5IPLUGYUDBI6G54CIGF6","version":"2.1.4","proto":1,"git_commit":"fb009af","go":"go1.13.7","host":"0.0.0.0","port":4222,"max_payload":1048576,"client_id":10}
> >>>> CONNECT
> >>
> {"lang":"java","version":"2.6.5","name":"yourclientid","protocol":1,"verbose":false,"pedantic":false,"tls_required":false,"echo":true}
> >>>> PING
> >>>  >>>> SUB _STAN.acks.LP4bdY88abuVJ19Qo5HVuk 1
> >>>> SUB _INBOX.LP4bdY88abuVJ19Qo5HVn8 2
> >>>> SUB _INBOX.LP4bdY88abuVJ19Qo5HVqw 3
> >>>> SUB _INBOX.F0vVy1N0sQM3xseeEWMIAL.* 4
> >>>> PUB _STAN.discover.cluster-id
> >>> _INBOX.F0vVy1N0sQM3xseeEWMIAL.F0vVy1N0sQM3xseeEWMISH 75
> >>
> .yourclientid.._INBOX.LP4bdY88abuVJ19Qo5HVn8..".LP4bdY88abuVJ19Qo5HVjK(.0.
> >>>  >>>> PONG
> >>>> UNSUB 1
> >>>> UNSUB 2
> >>>> UNSUB 3
> >>> So there does appear to be some communication between my test and the
> >> NATS
> >>> server - I have no idea why it times out.
> >>>
> >>> My code is here if you want to have a go:
> >>> https://github.com/jgallimore/tomee-chatterbox/tree/nats
> >>>
> >>> Jon
> >>>
> >>> On Wed, Jun 9, 2021 at 11:56 AM Jonathan Gallimore <
> >>> jonathan.gallim...
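
The cluster ID mismatch resolved in the message above can be checked mechanically. This is an added example, not code from the thread or from tomee-chatterbox: the class and method names are hypothetical, the server arguments are copied from the docker-compose.yml quoted in the thread, and the trace lines are re-typed from the quoted Wireshark capture with the wrapped PUB line joined.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

// Added example; class and method names are hypothetical.
public class StanClusterIdCheck {

    // The capture shows the client's connect request going to _STAN.discover.<clusterId>.
    private static final String DISCOVER_PREFIX = "_STAN.discover.";

    /** Cluster ID the server was started with: the value that follows -cid. */
    static Optional<String> serverClusterId(List<String> serverArgs) {
        int i = serverArgs.indexOf("-cid");
        return i >= 0 && i + 1 < serverArgs.size()
                ? Optional.of(serverArgs.get(i + 1))
                : Optional.empty();
    }

    /** Cluster ID the client asked for: the suffix of the discover subject it published to. */
    static Optional<String> clientClusterId(List<String> traceLines) {
        for (String raw : traceLines) {
            // Drop the capture's direction marker ("<" or ">") before tokenising.
            String line = raw.replaceFirst("^\\s*[<>]\\s*", "").trim();
            String[] parts = line.split("\\s+");
            if (parts.length >= 2 && "PUB".equals(parts[0])
                    && parts[1].startsWith(DISCOVER_PREFIX)) {
                return Optional.of(parts[1].substring(DISCOVER_PREFIX.length()));
            }
        }
        return Optional.empty();
    }

    /** Compares both sides and says which value the client should be using. */
    static String diagnose(List<String> serverArgs, List<String> traceLines) {
        Optional<String> server = serverClusterId(serverArgs);
        Optional<String> client = clientClusterId(traceLines);
        if (!server.isPresent() || !client.isPresent()) {
            return "UNKNOWN: need both a -cid argument and a PUB to "
                    + DISCOVER_PREFIX + "<cluster id>";
        }
        if (server.get().equals(client.get())) {
            return "OK: client and server agree on cluster id '" + server.get() + "'";
        }
        return "MISMATCH: server -cid is '" + server.get() + "' but client published to "
                + DISCOVER_PREFIX + client.get()
                + "; use clusterId(\"" + server.get() + "\")";
    }

    public static void main(String[] args) {
        // "command:" entries from the docker-compose.yml quoted in the thread.
        List<String> serverArgs = Arrays.asList(
                "-p", "4222", "-m", "8222", "-hbi", "5s", "-hbt", "5s", "-hbf", "2",
                "-SD", "-cid", "yourclientid");
        // Client-to-server lines from the quoted capture (subset, PUB line joined).
        List<String> trace = Arrays.asList(
                "> PING",
                "> SUB _INBOX.F0vVy1N0sQM3xseeEWMIAL.* 4",
                "> PUB _STAN.discover.cluster-id _INBOX.F0vVy1N0sQM3xseeEWMIAL.F0vVy1N0sQM3xseeEWMISH 75",
                "> UNSUB 1");
        System.out.println(diagnose(serverArgs, trace));
    }
}
```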

Re: singleton with autocloseable

2021-06-09 Thread Jonathan Gallimore
Thanks. If I can get that test going, I can probably get the rest working.
I suspect there are some other bugs in there.

Jon

On Wed, Jun 9, 2021 at 4:04 PM Matthew Broadhead
 wrote:

> Thanks I will have a look now
>
> On 09/06/2021 15:19, Jonathan Gallimore wrote:
> > Ok, I'm stuck. If I boot up a NATS server with your docker-compose.yml
> > file, and run the following test:
> >
> >  @Test
> >  public void testShouldConnect() throws Exception {
> >  StreamingConnectionFactory cf = new
> >  StreamingConnectionFactory(new
> > Options.Builder().natsUrl("nats://localhost:4222")
> >
> .clusterId("cluster-id").clientId("yourclientid").build());
> >
> >  final StreamingConnection connection = cf.createConnection();
> >  Assert.assertNotNull(connection);
> >
> >  connection.close();
> >  }
> >
> > It fails with a timeout.
> >
> > I monitored the connection with wireshark, and see the following
> >
> > < = from server to client
> >> = from client to server
> >  >
> <{"server_id":"NDMRYDSGUSH2QR6SZWMFB44ND5CODXGKNYTQ5IPLUGYUDBI6G54CIGF6","server_name":"NDMRYDSGUSH2QR6SZWMFB44ND5CODXGKNYTQ5IPLUGYUDBI6G54CIGF6","version":"2.1.4","proto":1,"git_commit":"fb009af","go":"go1.13.7","host":"0.0.0.0","port":4222,"max_payload":1048576,"client_id":10}
> >
> >> CONNECT
> >
> {"lang":"java","version":"2.6.5","name":"yourclientid","protocol":1,"verbose":false,"pedantic":false,"tls_required":false,"echo":true}
> >> PING
> >  >> SUB _STAN.acks.LP4bdY88abuVJ19Qo5HVuk 1
> >> SUB _INBOX.LP4bdY88abuVJ19Qo5HVn8 2
> >> SUB _INBOX.LP4bdY88abuVJ19Qo5HVqw 3
> >> SUB _INBOX.F0vVy1N0sQM3xseeEWMIAL.* 4
> >> PUB _STAN.discover.cluster-id
> > _INBOX.F0vVy1N0sQM3xseeEWMIAL.F0vVy1N0sQM3xseeEWMISH 75
> >>
> .yourclientid.._INBOX.LP4bdY88abuVJ19Qo5HVn8..".LP4bdY88abuVJ19Qo5HVjK(.0.
> >  >> PONG
> >> UNSUB 1
> >> UNSUB 2
> >> UNSUB 3
> > So there does appear to be some communication between my test and the
> NATS
> > server - I have no idea why it times out.
> >
> > My code is here if you want to have a go:
> > https://github.com/jgallimore/tomee-chatterbox/tree/nats
> >
> > Jon
> >
> > On Wed, Jun 9, 2021 at 11:56 AM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> >> Never mind, I figured out my mistake. I'll post back when I have
> something
> >> going.
> >>
> >> Jon
> >>
> >> On Wed, Jun 9, 2021 at 11:44 AM Jonathan Gallimore <
> >> jonathan.gallim...@gmail.com> wrote:
> >>
> >>> I think I have something wired up, but when executing this:
> >>>
> >>>  cf = new
> >>>  StreamingConnectionFactory(new
> >>> Options.Builder().natsUrl(baseAddress)
> >>>
> >>> .clusterId("cluster-id").clientId("client-id").build());
> >>>
> >>>  connection = cf.createConnection();
> >>>
> >>>
> >>> connection is null. Any pointers?
> >>>
> >>> Jon
> >>>
> >>> On Wed, Jun 9, 2021 at 8:16 AM Matthew Broadhead
> >>>  wrote:
> >>>
> >>>> i have never used a JCA adapter before.  is it loaded in using the
> >>>> tomee.xml as a Resource?  and then injected into a singleton for
> >>>> subscribing to messages?
> >>>>
> >>>> On 08/06/2021 17:15, Jonathan Gallimore wrote:
> >>>>> Definitely sounds like a good case for a JCA adapter. I'll take a
> quick
> >>>>> swing at hooking up an example for you.
> >>>>>
> >>>>> Jon
> >>>>>
> >>>>> On Tue, Jun 8, 2021 at 9:02 AM Matthew Broadhead
> >>>>>  wrote:
> >>>>>
> >>>>>> Hi Jon,
> >>>>>>
> >>>>>> NATS is basically a message queue, like ActiveMQ I suppose.
> >>>>>>
> >>>>>> I included the adapter into the project using maven
> >>>>>> 
> >>>>>> io.nats
> &g

Re: singleton with autocloseable

2021-06-09 Thread Jonathan Gallimore
Ok, I'm stuck. If I boot up a NATS server with your docker-compose.yml
file, and run the following test:

    @Test
    public void testShouldConnect() throws Exception {
        StreamingConnectionFactory cf = new StreamingConnectionFactory(
                new Options.Builder().natsUrl("nats://localhost:4222")
                        .clusterId("cluster-id").clientId("yourclientid").build());

        final StreamingConnection connection = cf.createConnection();
        Assert.assertNotNull(connection);

        connection.close();
    }

It fails with a timeout.

I monitored the connection with wireshark, and see the following

< = from server to client
> = from client to server

CONNECT
{"lang":"java","version":"2.6.5","name":"yourclientid","protocol":1,"verbose":false,"pedantic":false,"tls_required":false,"echo":true}
>PING
SUB _STAN.acks.LP4bdY88abuVJ19Qo5HVuk 1
>SUB _INBOX.LP4bdY88abuVJ19Qo5HVn8 2
>SUB _INBOX.LP4bdY88abuVJ19Qo5HVqw 3
>SUB _INBOX.F0vVy1N0sQM3xseeEWMIAL.* 4
>PUB _STAN.discover.cluster-id
_INBOX.F0vVy1N0sQM3xseeEWMIAL.F0vVy1N0sQM3xseeEWMISH 75
>
>.yourclientid.._INBOX.LP4bdY88abuVJ19Qo5HVn8..".LP4bdY88abuVJ19Qo5HVjK(.0.
PONG
>UNSUB 1
>UNSUB 2
>UNSUB 3

So there does appear to be some communication between my test and the NATS
server - I have no idea why it times out.

My code is here if you want to have a go:
https://github.com/jgallimore/tomee-chatterbox/tree/nats

Jon

On Wed, Jun 9, 2021 at 11:56 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Never mind, I figured out my mistake. I'll post back when I have something
> going.
>
> Jon
>
> On Wed, Jun 9, 2021 at 11:44 AM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
>> I think I have something wired up, but when executing this:
>>
>> cf = new
>> StreamingConnectionFactory(new
>> Options.Builder().natsUrl(baseAddress)
>>
>> .clusterId("cluster-id").clientId("client-id").build());
>>
>> connection = cf.createConnection();
>>
>>
>> connection is null. Any pointers?
>>
>> Jon
>>
>> On Wed, Jun 9, 2021 at 8:16 AM Matthew Broadhead
>>  wrote:
>>
>>> i have never used a JCA adapter before.  is it loaded in using the
>>> tomee.xml as a Resource?  and then injected into a singleton for
>>> subscribing to messages?
>>>
>>> On 08/06/2021 17:15, Jonathan Gallimore wrote:
>>> > Definitely sounds like a good case for a JCA adapter. I'll take a quick
>>> > swing at hooking up an example for you.
>>> >
>>> > Jon
>>> >
>>> > On Tue, Jun 8, 2021 at 9:02 AM Matthew Broadhead
>>> >  wrote:
>>> >
>>> >> Hi Jon,
>>> >>
>>> >> NATS is basically a message queue, like ActiveMQ I suppose.
>>> >>
>>> >> I included the adapter into the project using maven
>>> >> 
>>> >>io.nats
>>> >>java-nats-streaming
>>> >>2.2.3
>>> >> 
>>> >>
>>> >> i started up a nats server using docker.  here is my
>>> docker-compose.yml
>>> >> version: '3.1'
>>> >> services:
>>> >> nats-docker:
>>> >>   image: nats-streaming:0.17.0
>>> >>   restart: always
>>> >>   command:
>>> >> - '-p'
>>> >> - '4222'
>>> >> - '-m'
>>> >> - '8222'
>>> >> - '-hbi'
>>> >> - '5s'
>>> >> - '-hbt'
>>> >> - '5s'
>>> >> - '-hbf'
>>> >> - '2'
>>> >> - '-SD'
>>> >> - '-cid'
>>> >> - 'yourclientid'
>>> >>   environment:
>>> >> TZ: Europe/London
>>> >> LANG: en_GB.UTF-8
>>> >> LANGUAGE: en_GB:en
>>> >> LC_ALL: en_GB.UTF-8
>>> >>   ports:
>>> >> - '4222:4222'
>>> >> - '8222:8222'
>>> >>   expose:
>>> >> - 4222
>>> >> - 8222
>>> >>   networks:
>>> >> - backend
>>> >> networks:
>>> >> backend:
>>> >>   driver: bridge
>>> 

Re: singleton with autocloseable

2021-06-09 Thread Jonathan Gallimore
Never mind, I figured out my mistake. I'll post back when I have something
going.

Jon

On Wed, Jun 9, 2021 at 11:44 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> I think I have something wired up, but when executing this:
>
> cf = new
> StreamingConnectionFactory(new
> Options.Builder().natsUrl(baseAddress)
>
> .clusterId("cluster-id").clientId("client-id").build());
>
> connection = cf.createConnection();
>
>
> connection is null. Any pointers?
>
> Jon
>
> On Wed, Jun 9, 2021 at 8:16 AM Matthew Broadhead
>  wrote:
>
>> i have never used a JCA adapter before.  is it loaded in using the
>> tomee.xml as a Resource?  and then injected into a singleton for
>> subscribing to messages?
>>
>> On 08/06/2021 17:15, Jonathan Gallimore wrote:
>> > Definitely sounds like a good case for a JCA adapter. I'll take a quick
>> > swing at hooking up an example for you.
>> >
>> > Jon
>> >
>> > On Tue, Jun 8, 2021 at 9:02 AM Matthew Broadhead
>> >  wrote:
>> >
>> >> Hi Jon,
>> >>
>> >> NATS is basically a message queue, like ActiveMQ I suppose.
>> >>
>> >> I included the adapter into the project using maven
>> >> 
>> >>io.nats
>> >>java-nats-streaming
>> >>2.2.3
>> >> 
>> >>
>> >> i started up a nats server using docker.  here is my docker-compose.yml
>> >> version: '3.1'
>> >> services:
>> >> nats-docker:
>> >>   image: nats-streaming:0.17.0
>> >>   restart: always
>> >>   command:
>> >> - '-p'
>> >> - '4222'
>> >> - '-m'
>> >> - '8222'
>> >> - '-hbi'
>> >> - '5s'
>> >> - '-hbt'
>> >> - '5s'
>> >> - '-hbf'
>> >> - '2'
>> >> - '-SD'
>> >> - '-cid'
>> >> - 'yourclientid'
>> >>   environment:
>> >> TZ: Europe/London
>> >> LANG: en_GB.UTF-8
>> >> LANGUAGE: en_GB:en
>> >>     LC_ALL: en_GB.UTF-8
>> >>   ports:
>> >> - '4222:4222'
>> >> - '8222:8222'
>> >>   expose:
>> >> - 4222
>> >> - 8222
>> >>   networks:
>> >> - backend
>> >> networks:
>> >> backend:
>> >>   driver: bridge
>> >>
>> >> JCA sounds good if it solves the threading issue.  it is very kind of
>> >> you to offer to help write an adapter.  looking at the code you sent it
>> >> looks complicated but i can have a stab at it if you don't have much
>> time
>> >>
>> >> let me know if you need more info
>> >>
>> >> Matthew
>> >>
>> >> On 07/06/2021 17:48, Jonathan Gallimore wrote:
>> >>> At the risk of sounding a bit ignorant... what is NATS?
>> >>>
>> >>>   From what I can tell, it sounds like you're receiving a stream of
>> events
>> >>> (over websocket) and want to do some processing in an EJB or CDI bean
>> for
>> >>> each event. The connection to the NATS server isn't in the context of
>> a
>> >>> HTTP (or any other type of) request, and just runs all the time while
>> the
>> >>> server is running - does that sound about right?
>> >>>
>> >>> Assuming that sounds right, it sounds a bit like the Slack JCA
>> connector
>> >> I
>> >>> wrote a while back:
>> >>>
>> https://github.com/apache/tomee-chatterbox/tree/master/chatterbox-slack.
>> >>> Essentially, the resource adapter connects to slack and runs all the
>> >> time.
>> >>> Messages that come into the server from slack are processed in MDBs
>> that
>> >>> implement the InboundListener interface.
>> >>>
>> >>> JCA certainly feels complex, especially when compared with your
>> >>> Singleton @Startup bean approach, but I usually find that if I try and
>> >> work
>> >>> with threads in EJBs, things usually go in the wrong direction.
>> >> Conversely,
>> >>> JCA even gives you a work manager to potent

Re: singleton with autocloseable

2021-06-09 Thread Jonathan Gallimore
I think I have something wired up, but when executing this:

    cf = new StreamingConnectionFactory(
            new Options.Builder().natsUrl(baseAddress)
                    .clusterId("cluster-id").clientId("client-id").build());

    connection = cf.createConnection();


connection is null. Any pointers?

Jon

On Wed, Jun 9, 2021 at 8:16 AM Matthew Broadhead
 wrote:

> i have never used a JCA adapter before.  is it loaded in using the
> tomee.xml as a Resource?  and then injected into a singleton for
> subscribing to messages?
>
> On 08/06/2021 17:15, Jonathan Gallimore wrote:
> > Definitely sounds like a good case for a JCA adapter. I'll take a quick
> > swing at hooking up an example for you.
> >
> > Jon
> >
> > On Tue, Jun 8, 2021 at 9:02 AM Matthew Broadhead
> >  wrote:
> >
> >> Hi Jon,
> >>
> >> NATS is basically a message queue, like ActiveMQ I suppose.
> >>
> >> I included the adapter into the project using maven
> >> 
> >>io.nats
> >>java-nats-streaming
> >>2.2.3
> >> 
> >>
> >> i started up a nats server using docker.  here is my docker-compose.yml
> >> version: '3.1'
> >> services:
> >> nats-docker:
> >>   image: nats-streaming:0.17.0
> >>   restart: always
> >>   command:
> >> - '-p'
> >> - '4222'
> >> - '-m'
> >> - '8222'
> >> - '-hbi'
> >> - '5s'
> >> - '-hbt'
> >> - '5s'
> >> - '-hbf'
> >> - '2'
> >> - '-SD'
> >> - '-cid'
> >> - 'yourclientid'
> >>   environment:
> >> TZ: Europe/London
> >> LANG: en_GB.UTF-8
> >> LANGUAGE: en_GB:en
> >> LC_ALL: en_GB.UTF-8
> >>   ports:
> >> - '4222:4222'
> >> - '8222:8222'
> >>   expose:
> >> - 4222
> >>     - 8222
> >>   networks:
> >> - backend
> >> networks:
> >> backend:
> >>   driver: bridge
> >>
> >> JCA sounds good if it solves the threading issue.  it is very kind of
> >> you to offer to help write an adapter.  looking at the code you sent it
> >> looks complicated but i can have a stab at it if you don't have much
> time
> >>
> >> let me know if you need more info
> >>
> >> Matthew
> >>
> >> On 07/06/2021 17:48, Jonathan Gallimore wrote:
> >>> At the risk of sounding a bit ignorant... what is NATS?
> >>>
> >>>   From what I can tell, it sounds like you're receiving a stream of
> events
> >>> (over websocket) and want to do some processing in an EJB or CDI bean
> for
> >>> each event. The connection to the NATS server isn't in the context of a
> >>> HTTP (or any other type of) request, and just runs all the time while
> the
> >>> server is running - does that sound about right?
> >>>
> >>> Assuming that sounds right, it sounds a bit like the Slack JCA
> connector
> >> I
> >>> wrote a while back:
> >>>
> https://github.com/apache/tomee-chatterbox/tree/master/chatterbox-slack.
> >>> Essentially, the resource adapter connects to slack and runs all the
> >> time.
> >>> Messages that come into the server from slack are processed in MDBs
> that
> >>> implement the InboundListener interface.
> >>>
> >>> JCA certainly feels complex, especially when compared with your
> >>> Singleton @Startup bean approach, but I usually find that if I try and
> >> work
> >>> with threads in EJBs, things usually go in the wrong direction.
> >> Conversely,
> >>> JCA even gives you a work manager to potentially handle that stuff.
> >>>
> >>> If you can give me some pointers to running a NATS server, I'd be happy
> >> to
> >>> help with a sample adapter and application.
> >>>
> >>> Jon
> >>>
> >>> On Mon, Jun 7, 2021 at 11:49 AM Matthew Broadhead
> >>>  wrote:
> >>>
> >>>> I am trying to subscribe to a NATS streaming server with
> >>>> https://github.com/nats-io/stan.java which is
> java.lang.Autocloseable.
> >>>>
> >>>> At first it wasn't closing properly as seen in my ori

Re: singleton with autocloseable

2021-06-07 Thread Jonathan Gallimore
At the risk of sounding a bit ignorant... what is NATS?

From what I can tell, it sounds like you're receiving a stream of events
(over websocket) and want to do some processing in an EJB or CDI bean for
each event. The connection to the NATS server isn't in the context of a
HTTP (or any other type of) request, and just runs all the time while the
server is running - does that sound about right?

Assuming that sounds right, it sounds a bit like the Slack JCA connector I
wrote a while back:
https://github.com/apache/tomee-chatterbox/tree/master/chatterbox-slack.
Essentially, the resource adapter connects to slack and runs all the time.
Messages that come into the server from slack are processed in MDBs that
implement the InboundListener interface.

JCA certainly feels complex, especially when compared with your
Singleton @Startup bean approach, but I usually find that if I try and work
with threads in EJBs, things usually go in the wrong direction. Conversely,
JCA even gives you a work manager to potentially handle that stuff.

If you can give me some pointers to running a NATS server, I'd be happy to
help with a sample adapter and application.

Jon

On Mon, Jun 7, 2021 at 11:49 AM Matthew Broadhead
 wrote:

> I am trying to subscribe to a NATS streaming server with
> https://github.com/nats-io/stan.java which is java.lang.Autocloseable.
>
> At first it wasn't closing properly as seen in my original gist:
> https://gist.github.com/chongma/2a3ab451f2aeabc98340a9b897394cfe
>
> This was solved with this
>
> https://stackoverflow.com/questions/39080296/hazelcast-threads-prevent-tomee-from-stopping
>
>
> creating a default producer:
> @ApplicationScoped
> public class NatsConnectionProducer {
>
>  @Resource(name = "baseAddressNats")
>  private String baseAddressNats;
>
>  @Produces
>  @ApplicationScoped
>  public StreamingConnection instance() throws IOException,
> InterruptedException {
>  StreamingConnectionFactory cf = new
> StreamingConnectionFactory(new Options.Builder().natsUrl(baseAddressNats)
> .clusterId("cluster-id").clientId("client-id").build());
>  return cf.createConnection();
>  }
>
>  public void destroy(@Disposes final StreamingConnection instance)
>  throws IOException, TimeoutException, InterruptedException {
>  instance.close();
>  }
> }
>
> But now i am creating a new thread because any injections with JPA had
> caching issues and this seems to work but i am not sure it is
> broadcasting to websockets correctly
> @Singleton
> @Lock(LockType.READ)
> @Startup
> public class SchedulerEvents {
>  private static final Logger log =
> Logger.getLogger(SchedulerEvents.class.getName());
>
>  @Inject
>  private StreamingConnection streamingConnection;
>
>  @Inject
>  private SomeController someController;
>
>  @PostConstruct
>  private void construct() {
> //log.fine(Thread.currentThread().getName());
>  try {
>  streamingConnection.subscribe("scheduler:notify", new
> MessageHandler() {
>  @Override
>  public void onMessage(Message m) {
>  try {
>  log.fine(Thread.currentThread().getName());
>  // this needs to spawn a new thread otherwise
> injections are stale
>  Thread thread = new Thread(new Runnable() {
>  public void run() {
> log.fine(Thread.currentThread().getName());
>  process(m.getData());
>  }
>  });
>  thread.start();
>  while (thread.isAlive()) {
>  // wait
>  }
>  log.fine("Thread finished OK");
>  m.ack();
>  } catch (Exception e) {
>  emailController.emailStackTrace(e);
>  }
>  }
>  }, new
>
> SubscriptionOptions.Builder().startWithLastReceived().manualAcks().ackWait(Duration.ofSeconds(60))
>  .durableName("scheduler-service").build());
>  } catch (IOException | InterruptedException | TimeoutException e)
> {
>  e.printStackTrace();
>  }
>  }
>
>  private void process(byte[] data) {
>  String raw = new String(data);
>  JsonReader jsonReader = Json.createReader(new StringReader(raw));
>  JsonObject jo = jsonReader.readObject();
>  jsonReader.close();
>  String type = utilityDao.readJsonString(jo, "type");
>  int id = utilityDao.readJsonInteger(jo, "id");
>  if (type == null || id == 0) {
>  emailController.emailThrowable(new Throwable(), raw);
>  return;
>  }
>  log.info("Received a message: id: " + id + ", type:" + type);
> 

Re: TOMEE-3752 - Injection of WebServiceContext

2021-06-03 Thread Jonathan Gallimore
I went ahead and merged this. Please let me know if it causes any problems,
I'll be happy to revert and look again.

Jon

On Wed, May 26, 2021 at 11:25 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi All,
>
> I noticed an issue with injecting a WebServiceContext into a field
> using @Resource when the endpoint uses CDI interceptors. I've created a PR
> with a test and fix. Essentially, the field is being injected into the OWB
> proxy, but being accessed from the underlying instance (resulting in a
> NullPointerException).
>
> The PR is here: https://github.com/apache/tomee/pull/799 - please do let
> me know if you have any feedback.
>
> Thanks
>
> Jon
>


TOMEE-3752 - Injection of WebServiceContext

2021-05-26 Thread Jonathan Gallimore
Hi All,

I noticed an issue with injecting a WebServiceContext into a field
using @Resource when the endpoint uses CDI interceptors. I've created a PR
with a test and fix. Essentially, the field is being injected into the OWB
proxy, but being accessed from the underlying instance (resulting in a
NullPointerException).

The PR is here: https://github.com/apache/tomee/pull/799 - please do let me
know if you have any feedback.

Thanks

Jon


Re: Java 16 via 8.0.7-SNAPSHOT - JVM Crash - Any Thoughts?

2021-04-08 Thread Jonathan Gallimore
I'll take a look anyway - I'm wondering if we can do anything to avoid the
need for --illegal-access=permit.

Jon

On Thu, Apr 8, 2021 at 1:09 PM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> A little update: It seems the problematic thing is "JEP 396: Strongly
> Encapsulate JDK Internals by Default", which was introduced with Java
> 16. Adding "--illegal-access=permit" (default of Java 9) to the
> commandline arguments restored the behaviour of pre-Java 16.
>
> Creating the minimal example as well as the related exception instead
> of a JVM crash helped a lot.
>
> The JVM crash in the project is gone and everything seems to work like
> a charm (deployment, ...). I will run some additional tests with the
> deployed application but it is looking good at the moment, so for now:
>
> Java 16 seems to work fine with the current 8.0.7-SNAPSHOT (+ OpenJPA
> 3.1.3-SNAPSHOT).
>
> Gruss
> Richard
>
> Am Donnerstag, den 08.04.2021, 11:42 + schrieb Zowalla, Richard:
> > Sadly, I cannot reproduce the JVM crash in my minimal example.
> >
> > However, it reveals some other (probably access-related) issues in
> > LocalBeanProxyFactory.createProxy(...) which might have lead to the
> > crash in the actual project.
> >
> > It can be found here: https://github.com/rzo1/jdk16-testing
> >
> > Gruss
> > Richard
> >
> >
> > Am Donnerstag, den 08.04.2021, 11:55 +0100 schrieb Jonathan
> > Gallimore:
> > > A minimal example would be a big help, thank you!
> > >
> > > Jon
> > >
> > > On Thu, Apr 8, 2021 at 11:00 AM Zowalla, Richard <
> > > richard.zowa...@hs-heilbronn.de> wrote:
> > >
> > > > Hi Jon,
> > > >
> > > > thanks for your response.
> > > >
> > > > I am using the latest OpenJDK 16 build from AdoptOpenJDK (
> > > > https://adoptopenjdk.net/?variant=openjdk16=hotspot)
> > > > on
> > > > a
> > > > Ubuntu 20.04 LTS system.
> > > >
> > > > If it helps: I could try to create a minimal example to reproduce
> > > > the
> > > > crash and push it to Github.
> > > >
> > > > Gruss
> > > > Richard
> > > >
> > > > Am Donnerstag, den 08.04.2021, 10:39 +0100 schrieb Jonathan
> > > > Gallimore:
> > > > > I did some of the original work on LocalBeanProxyFactory way
> > > > > back.
> > > > > I'm
> > > > > happy to take a look. Are you building your own JDK from
> > > > > source,
> > > > > or
> > > > > downloading a specific binary (if so, which one)?
> > > > >
> > > > > Jon
> > > > >
> > > > > On Thu, Apr 8, 2021 at 8:07 AM Zowalla, Richard <
> > > > > richard.zowa...@hs-heilbronn.de> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I am doing some bleeding edge testing related to JDK/JRE 16
> > > > > > with
> > > > > > the
> > > > > > latest TomEE 8.0.7-SNAPSHOT as we have included some 3rd
> > > > > > party
> > > > > > patches,
> > > > > > which should support JDK/JRE 16. One remaining thing is
> > > > > > OpenJPA,
> > > > > > which
> > > > > > will support J16 with 3.1.3-SNAPSHOT (so I have patched it in
> > > > > > my
> > > > > > test).
> > > > > >
> > > > > > I get this weird JVM crash [1] probably related to
> > > > > > LocalBeanProxyFactory when deploying a JSF/JAX-RS WAR archive
> > > > > > via
> > > > > > the
> > > > > > TomEE Maven Plugin. Maybe someone has some thoughts on it (or
> > > > > > a
> > > > > > hint)?
> > > > > >
> > > > > > Gruss
> > > > > > Richard
> > > > > >
> > > > > >
> > > > > > [1]
> > > > > > https://gist.github.com/rzo1/cf70056a0a27d4cb5a714d6211dc7563
> > > > > >
> > > > > >
> > > > --
> > > > Richard Zowalla, M.Sc.
> > > > Research Associate, PhD Student | Medical Informatics
> > > >
> > > > Hochschule Heilbronn – University of Applied Sciences
> > > > Max-Planck-Str. 39
> > > > D-74081 Heilbronn
> > > > phone: +49 7131 504 6791
> > > > mail: richard.zowa...@hs-heilbronn.de
> > > > web: https://www.mi.hs-heilbronn.de/
> > > >
> --
> Richard Zowalla, M.Sc.
> Research Associate, PhD Student | Medical Informatics
>
> Hochschule Heilbronn – University of Applied Sciences
> Max-Planck-Str. 39
> D-74081 Heilbronn
> phone: +49 7131 504 6791
> mail: richard.zowa...@hs-heilbronn.de
> web: https://www.mi.hs-heilbronn.de/
>


Re: Java 16 via 8.0.7-SNAPSHOT - JVM Crash - Any Thoughts?

2021-04-08 Thread Jonathan Gallimore
A minimal example would be a big help, thank you!

Jon

On Thu, Apr 8, 2021 at 11:00 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> Hi Jon,
>
> thanks for your response.
>
> I am using the latest OpenJDK 16 build from AdoptOpenJDK (
> https://adoptopenjdk.net/?variant=openjdk16=hotspot) on a
> Ubuntu 20.04 LTS system.
>
> If it helps: I could try to create a minimal example to reproduce the
> crash and push it to Github.
>
> Regards
> Richard
>
> On Thursday, 08.04.2021, at 10:39 +0100, Jonathan Gallimore wrote:
> > I did some of the original work on LocalBeanProxyFactory way back.
> > I'm happy to take a look. Are you building your own JDK from source,
> > or downloading a specific binary (if so, which one)?
> >
> > Jon
> >
> > On Thu, Apr 8, 2021 at 8:07 AM Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> wrote:
> >
> > > Hi,
> > >
> > > I am doing some bleeding edge testing related to JDK/JRE 16 with
> > > the latest TomEE 8.0.7-SNAPSHOT as we have included some 3rd party
> > > patches, which should support JDK/JRE 16. One remaining thing is
> > > OpenJPA, which will support J16 with 3.1.3-SNAPSHOT (so I have
> > > patched it in my test).
> > >
> > > I get this weird JVM crash [1] probably related to
> > > LocalBeanProxyFactory when deploying a JSF/JAX-RS WAR archive via
> > > the TomEE Maven Plugin. Maybe someone has some thoughts on it (or a
> > > hint)?
> > >
> > > Regards
> > > Richard
> > >
> > >
> > > [1] https://gist.github.com/rzo1/cf70056a0a27d4cb5a714d6211dc7563
> > >
> > >
> --
> Richard Zowalla, M.Sc.
> Research Associate, PhD Student | Medical Informatics
>
> Hochschule Heilbronn – University of Applied Sciences
> Max-Planck-Str. 39
> D-74081 Heilbronn
> phone: +49 7131 504 6791
> mail: richard.zowa...@hs-heilbronn.de
> web: https://www.mi.hs-heilbronn.de/
>


Re: Java 16 via 8.0.7-SNAPSHOT - JVM Crash - Any Thoughts?

2021-04-08 Thread Jonathan Gallimore
I did some of the original work on LocalBeanProxyFactory way back. I'm
happy to take a look. Are you building your own JDK from source, or
downloading a specific binary (if so, which one)?

Jon

On Thu, Apr 8, 2021 at 8:07 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> Hi,
>
> I am doing some bleeding edge testing related to JDK/JRE 16 with the
> latest TomEE 8.0.7-SNAPSHOT as we have included some 3rd party patches,
> which should support JDK/JRE 16. One remaining thing is OpenJPA, which
> will support J16 with 3.1.3-SNAPSHOT (so I have patched it in my test).
>
> I get this weird JVM crash [1] probably related to
> LocalBeanProxyFactory when deploying a JSF/JAX-RS WAR archive via the
> TomEE Maven Plugin. Maybe someone has some thoughts on it (or a hint)?
>
> Regards
> Richard
>
>
> [1] https://gist.github.com/rzo1/cf70056a0a27d4cb5a714d6211dc7563
>
>


Re: [VOTE] Apache TomEE on Jakarta EE Compatible Products page

2021-04-08 Thread Jonathan Gallimore
I'd prefer option A.

Jon

On Sun, Mar 28, 2021 at 12:05 AM David Blevins wrote:

> Please see Rob Tompkins' email "[jarkarta-ee] Is there apatite to ever use
> Jakarta EE logos on the TomEE site"
>
> This vote is strictly limited to 1) getting Jakarta EE Platform and
> Jakarta EE Web Profile implementations at the ASF listed on the jakarta.ee
> compatible products page[1] and 2) use of the "Jakarta EE Compatible"[2]
> logo on apache.org websites.
>
> The rules for either of these require you to be a member of the Jakarta EE
> Working Group.
>
> As I've been on the Working Group from the start and knew this would be
> affecting us as Apache is not a member of the Working Group, I've
> ensured we have two options.  The vote is to gather feedback on which of
> the two options you prefer.
>
>  - Option A: Apache joins the Jakarta EE Working Group and gains the
> ability to get Apache TomEE and any other ASF Jakarta EE Platform and
> Jakarta EE Web Profile implementations listed on the compatible products
> page[1].  As a Member, Apache TomEE and any other ASF Jakarta EE Platform
> and Jakarta EE Web Profile implementations can use the "Jakarta EE
> Compatible"[2] logo on tomee.apache.org and other *.apache.org sites.  In
> this path the TCK results summary of tests passed must be hosted on
> tomee.apache.org for each certified server version, tck version, jdk and
> os combination.  The entry for Apache TomEE on the jakarta.ee website
> will contain one link to tomee.apache.org for the TCK results summary and
> one link to download Apache TomEE at tomee.apache.org.
>
>  - Option B: Apache does not join, however, Strategic Members of the
> Jakarta EE Working Group could get Apache TomEE listed on the compatible
> products page[1] as an open source implementation they support.  As Apache
> is not itself a member, we would not be able to use the "Jakarta EE
> Compatible"[2] logo on tomee.apache.org.  We could use the general
> Jakarta EE logo, however.  In this path the project does not need to host
> TCK result summaries on tomee.apache.org.  The entry for Apache TomEE on
> the jakarta.ee website will contain one link to said Strategic Member's
> website for the TCK results summary and one link to download Apache TomEE
> at tomee.apache.org.
>
> I'm confident we can make either work.
>
> This vote will close on April 14th so Rob can make his recommendation to
> the Board in time for the April 21st Board Meeting.  Additionally, the
> Jakarta EE 9.1 release is scheduled to go up for vote end of April and
> there is some chance we could be compatible by then.
>
> Note: Even if we vote A, that does not guarantee Apache will join the
> Working Group.  It would just be an indication that's what we desire.  The
> desires of all projects and the foundation in general will be considered
> and it's ultimately Rob and the Board who make this decision.
>
>
> -David
>
>
> [1] https://jakarta.ee/compatibility/
> [2] https://jakarta.ee/images/jakarta/jakarta-ee-compatible-logo-color.svg


Re: CVE-2019-20367 - TomEE not affected

2021-04-01 Thread Jonathan Gallimore
Thanks for the update Rod!

> PS:  It is not lost on me that it is a fairly old vulnerability.  I am
> not sure why it started to notify us today, something else I will have to
> research.

I tend to get duplicate notifications when CVEs are updated. Looks like
there have been some recent-ish updates to this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2019-20367#VulnChangeHistorySection

Jon

On Thu, Apr 1, 2021 at 5:06 AM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> All,
>
> Just an FYI….
>
> Today, our vulnerability scanners started alerting us to this CVE when we
> pulled the Official Tomcat image.  I have opened a ticket with
> docker-library-tomcat to see if they can rebuild the images, as this was
> addressed in the OpenJDK layer.  After I sorted that out, I wondered if TomEE
> was vulnerable as well.  The good news is we are not.  The difference is
> Tomcat is built on OpenJDK’s JDK and we use the JRE.  It would seem the
> affecting library, libbsd0, is not found on the JRE.
>
> Again, there is nothing for us to do, but I thought you may all want to be
> aware.
>
> If you have any questions, please reach out.
>
> Thanks,
> Rod.
>
>
> PS:  It is not lost on me that it is a fairly old vulnerability.  I am not
> sure why it started to notify us today, something else I will have to
> research.
>


Re: Release related Issues created by INFRA

2021-03-24 Thread Jonathan Gallimore
On Wed, Mar 24, 2021 at 9:17 PM David Blevins wrote:

> Thanks for pushing this back up to the top.  Some thoughts below.
>

I had just come here to say the same thing - thank you Richard!


>
> > On Mar 24, 2021, at 12:46 AM, Richard Zowalla  wrote:
> >
> > It seems, we are already providing SHA256/SHA512 checksums for newer
> > releases. To rephrase my comment: If we would switch to Maven
> > repository links instead, we would need to upgrade the parent project
> > in order to deploy SHA256/SHA512 to Maven repositories.
>
> I'm curious what others think, but to me it would seem the best source to
> point at for the signatures is something on apache.org.  I completely
> understand how having the mirror be the source of signatures to verify
> files on the mirror completely defeats the point :)
>

We should be linking to signatures on apache.org, and not the mirrors.


> The most natural source for me would be linking signatures back to the
> mirror source which is https://dist.apache.org/repos/dist/release/tomee/
>
> > - How to deploy changes conducted in
> > https://github.com/apache/tomee-site-generator ?
> >
> > The documentation is outdated and I have no idea of the steps required
> > to get the changes "live". If someone can explain the process, I am
> > happy to update the documentation as well.
>
Thank you in advance for the help!  When David and I did work here we
> didn't really document outside the list conversations.
>
> The short version is if you push modified html to this repo, it shows up
> live eventually:
>
>  - https://github.com/apache/tomee-site-pub
>
> You can regenerate the site with a `mvn compile` as mentioned here:
>
>  - https://github.com/apache/tomee-site-generator#build
>
> The documentation says "you just need to sync it with CMS repo", but
> doesn't give details.
>
>
>
I tend to do that manually with Beyond Compare, and I'm happy to do that
for you if that helps. It would be great to have a less manual way to do it
though.

Jon

