Raible Designs

AppFuse Light 1.8 Released

AppFuse Light 1.8 adds CSS Framework integration, as well as support for Stripes (1.4.2) and Wicket (1.2.6). It also has significant upgrades for JSF and Tapestry; to versions 1.2 and 4.1.3 respectively. See the Release Notes for more information on what's changed since the the beta release of 1.8.

What is AppFuse Light? Click here to find out.

AppFuse Light is a lightweight version of AppFuse. I was inspired to create it while writing Spring Live and looking at the struts-blank and webapp-minimal applications that ship with Struts and Spring, respectively. These "starter" apps were not robust enough for me, and I wanted something like AppFuse, only simpler.

AppFuse Light is designed to show Java Web Developers how to start a bare-bones webapp using a Spring-managed middle-tier backend and Hibernate for persistence. By default, AppFuse Light uses Spring for its MVC framework, but you can change it to JSF/MyFaces, Stripes, Struts 1.x, Struts 2.x, WebWork, Tapestry or Wicket. In addition, there's a number of extras for Spring MVC, including Velocity and FreeMarker versions, Ajax support and Acegi Security support.

This project was formerly named Equinox and has been under development since April 2004.

AppFuse Light now offers 60 possible combinations for download:

• Web Frameworks: JSF (MyFaces), Spring MVC (with Ajax, Acegi Security, JSP, FreeMarker or Velocity), Stripes, Struts 1.x, Struts 2.x, Tapestry, WebWork, Wicket
• Persistence Frameworks: Hibernate, iBATIS, JDO (JPOX), OJB, Spring JDBC

If you have any questions about this release, please subscribe to the AppFuse user mailing list by sending a blank e-mail to [email protected]. You can also post questions in a forum-like fashion using Nabble: http://appfuse.org/forum/user.

If you're a developer of one of the frameworks that AppFuse Light uses - I'd love a code review to make sure I'm "up to snuff" on how to use your framework. I'm also more than willing to give commit rights if you'd like to improve the implementation of your framework.

Live demos are available at:

• Spring · Spring + Ajax · Spring + Acegi
• MyFaces + Facelets
• Stripes
• Struts 1 · Struts 2
• Tapestry
• WebWork
• Wicket

Yes, I realize that 60 combinations is ridiculous. I didn't create the frameworks, I'm just integrating them so you don't have to.

Unfortunately, it's a real pain to create Maven archetypes or they'd all be as easy as mvn archetype:create. Rumor is that the archetype plugin will allow you to create-from-project in the future. When that happens, I'll make sure all the combinations are available as archetypes.

Don Brown on OGNL

From the Struts Developers Mailing List:

My conclusion is OGNL is like Maven 2 - sometimes it really pisses you off, and you probably generally don't like the thing, but you've invested so much into it that it would be too painful to switch, and really, it does 95% of what you want anyways.

And with that, I'm off to Finland and Norway! See you on the other side of the pond.

AppFuse 2.0 RC1 Released

The AppFuse Team is pleased to announce the release of AppFuse 2.0 RC1! This release marks a huge step in the march to releasing AppFuse 2.0. This release puts the finishing touches on the AppFuse Maven Plugin (AMP), which offers CRUD generation, as well as the ability to change AppFuse from "embedded mode" to "full source" (like 1.x). In addition, we've addressed over 100 issues in preparation for the final 2.0 release. We hope to fix any bugs related to this release and release 2.0 Final in the next week or two.

The videos still represent how M5 works, but things have been simplified (now you don't need to run appfuse:install after appfuse:gen).

AppFuse 2.0 is available as a Maven archetype. For information on creating a new project using this release, please see the QuickStart Guide or the Hello World video.

If you've used AppFuse 1.x, but not 2.x, you'll want to read the FAQ. Join the user mailing list if you have any questions. The Maven Reference Guide has a map of Ant » Maven commands. Maven for Newbies might also be useful if you've never used Maven before. There is some support for Ant in this release.

For more information, please see the 2.0 RC1 Release Notes. The 2.0 series of AppFuse has a minimum requirement of the following specification versions:

• Java Servlet 2.4 and JSP 2.0 (2.1 for JSF)
• Java 5+

We appreciate the time and effort everyone has put toward contributing code and documentation, posting to the mailing lists, and logging issues.

We also greatly appreciate the help from our sponsors, particularly Atlassian, Contegix, JetBrains, and Java.net. Atlassian and Contegix are especially awesome: Atlassian has donated licenses to all its products and Contegix has donated an entire server to the AppFuse project. Thanks guys - you rock!

Comments and issues should be posted to the mailing list.

Update: I've uploaded a 247-page PDF version of the RC1 documentation to java.net. This PDF contains the relevant pages from the wiki that help you develop with AppFuse 2.0. Who knew I'd end up writing another book?

Jetty 6.x versus Tomcat 6.x

An AppFuse user asks:

Has anyone done any performance benchmarking between Jetty 6.x and Tomcat 6.x to see which one is better for production use in terms of scalability, performance and ease-of-use? I'm gearing towards Jetty 6.1 but want to hear other's opinions first.

I admit, I completely changed the wording in this quote to make it more readable.

Most of the companies I've worked with in recent years have been using Tomcat (very successfully) in production. However, I also know the Contegix and JavaLobby guys continue to swear by Resin for the most part. What's your opinion?

IMHO, I don't think it really matters - they're all good enough for production use.

AppFuse now powered by Contegix and Atlassian

The AppFuse project is now hosted on a Contegix server for its documentation, demos, issues and continuous integration. Single sign-on to all of these servers is handled by Crowd. Many thanks to Atlassian for their generous donations of licenses. The free server and service from Contegix is one of the nicest things that anyone has ever done for me - thanks guys!

If you see any issues that might be related to this move, please let us know.

In addition to running the Atlassian Suite, we're also hosting our own Maven repository. We've been hosting our own for almost a year now. Now that AppFuse is residing on the same infrastructure as Maven's central repo, I wonder if it makes sense to publish to the central repo? I don't see any advantages. If we continue to retain our own, we can have more control, publish to it easily, and fix annoying bugs. What do you think - continue with our own or publish to the central repo?

Update Feb 20, 2015: All AppFuse artifacts are published to Maven Central and have been for several years.

Java Web Frameworks and XSS

In preparation for my talk at OSCON next week, I've been doing some research on cross-site scripting and how good Java web frameworks handle it. I'm disappointed to report that the handling of XSS in Java web frameworks is abysmal. First of all, the JSP EL doesn't bother to handle XSS:

With JSP 2.0 you can use the following to emit the description of a "todo" item:
${todo.description}
That's pretty nice. What happens when someone has entered a description like this?
<script type="text/javascript">alert('F#$@ you!');</script>
Well, it executes the JavaScript and pops up a nice little message to you.
...
My question is this: Why in the world did the expert group on the JSP 2.0 JSR decide to make not escaping XML content the default for EL expressions, when they made the opposite decision for c:out?

(Emphasis mine) If a company/developer wants to make sure their JSP-based code is not susceptible to XSS, they have two choices (as I see it):

• Do lots of code review to make sure <c:out> is used instead of ${}.
• Hack the jsp-compiler/el-engine to escape XML by default.

The good news is #2 doesn't seem to be that hard. I pulled down commons-el yesterday, added a hack to escape XML, re-jarred and put it in Tomcat 5.0.25's classpath. This actually worked and I was impressed it was so easy. However, when I looked at Tomcat 6, commons-el is no longer used and now there's a "jasper-el.jar" in the lib directory. I don't mind modifying another library, but what's the difference between jasper-el and commons-el?

Of course, the whole problem with JSP EL could be solved if Tomcat (and other containers) would allow a flag to turn on XML escaping by default. IMO, it's badly needed to make JSP-based webapps safe from XSS.

On a related note, there's a couple of web frameworks that I've found to be susceptible to XSS: namely Spring MVC and Struts 2. For Spring MVC, its <form:input> and <form:errors> tags are vulnerable. For Struts 2, OGNL expressions are evaluated, which is way worse than XSS and actually allows you to shutdown the JVM by putting %{@java.lang.System@exit(0)}" in a text field.

Even though it was surprising for me to see the issues with Struts 2 and Spring MVC, I'm somewhat glad they exist. If I hadn't discovered them, I might blissfully think that Java web frameworks aren't susceptible to XSS. However, it appears they're not only susceptible, but no one is really thinking about XSS when developing these framework. To further prove that theory, the Spring MVC and Struts 2 teams are aware of these issues, have been for quite some time - yet they've done nothing in the form of releasing upgrades or patches.

Seems kinda strange doesn't it?

How popular is your web framework?

From the Struts user mailing list:

Since its release in June 2001, Apache Struts has become the most popular web framework for Java. Six years later, by any objective measure, Struts is still Java's most popular web framework.

In February and March 2007, the group released both Struts 1.3.8 and Struts 2.0.6 to the general public, and Struts downloads zoomed to over 340,000 a month from the Apache site alone. And this is just the tip of the iceberg. Most copies of Struts are downloaded from an network of mirrors or obtained from Maven repositories.

So how popular is Struts compared to the other heavy hitters like Spring and Hibernate? Spring has about 1/2 as many (80K) downloads in the same period and so does Hibernate. How do MyFaces, Wicket and Tapestry stack up? Here's their best download numbers in the past few months:

• MyFaces: ~12K (and that's only because of a rate 3-times-normal spike)
• Tapestry: ~12K
• Wicket: ~10K

Sorry JSF, you appear to be losing. Badly. This is an incorrect statement as pointed out by commentors. Thanks for keeping me honest guys.

Disclaimer: Yes, I realize that these statistics are not very accurate, especially considering Maven. Unfortunately, until Maven has repository download stats, this information is the best we've got.

AppFuse 2.0 Status Update

It's been far too long since the release of AppFuse 2.0 M5. When we released that version, I fully expected to finish up RC1 a week or two later, and follow that with 2.0 Final a week later. Fast forward a month and a half, and there's still 38 issues left for 2.0 RC1. What happened?

Life got in the way.

There's probably less than 40 hours left to complete 2.0. I could say that I haven't had the time, but you all know that's a lie. Everyone has time. When someone says "I don't have time to do X right now", this really means "that's not on my priority list and I'm not going to make time to do it". So unfortunately AppFuse hasn't been on my priority list. Finding a new gig, vacationing with my family and buying a new mountain bike were on my priority list.

So if there's only 40 hours worth of work left, why didn't I just work a couple hours a day on it? Primarily because when I work on AppFuse it possesses me. I tend to get caught up in it and it's tough for me to concentrate on other things, especially work that I'm supposed to be doing during the day. Since I've had two new clients in the past few weeks, I've been aware of this and purposely stayed away from working on it.

The good news is things should settle down soon. I have a couple weekends on the horizon that look to be free, so hopefully I can crank it out and finish it up in the next month or so. As far as the project itself, there's plenty of users happily using the 2.0 milestone releases and there's still lots of traffic on the mailing list. It's crazy to think that the planning for AppFuse 2.0 started over a year ago and development started one year ago next month. If I knew it'd take this long, would I still have done it? Absolutely. I've never heard so many positive comments from users.

In other AppFuse News, Contegix has graciously donated an entire managed server to the project. We have licenses for the Atlassian Suite (JIRA, Confluence, Bamboo and Crowd) and will be moving/installing everything over the next week or so.

Thanks Contegix!

As anyone that uses them knows, they're simply the best hosting company in existence today. Their customer support and response time is incredible.

JAR Hell with XFire 1.2.6

I discovered something somewhat disturbing last week. As part of AppFuse 2.0 M5, we added "xfire-all" as a dependency so web services could be supported out-of-the-box. What I didn't know is that xfire-all has transitive dependencies to 40 other libraries, which total 13.4 MB in size. Yikes!

Does XFire take the cake for the most bloated library you can use or are we just including too much (xfire-all vs. fine-grained dependencies)? I tried changing to the recommended Maven configuration and there's still 28 JARs added by XFire.

The WEB-INF/lib directory of a basic Struts 2 + Spring + Hibernate AppFuse application is already 19.2 MB to start. Adding XFire for web services increases the size to 29.2 MB. While disk space may be cheap, some users have noticed "mvn jetty:run" is much slower with XFire (presumably from the JAR processing that happens at startup). Is there an uber XFire JAR we can use instead?

A couple of good blog posts

Here's a couple of good blog entries I've enjoyed reading over the past few days - in case you missed them:

• Why hasn't Tapestry been more widely adopted?
• In defense of the RDBMS

Warner is spot on when it comes to Tapestry's biggest problem. Let's hope Tapestry 5 is the end-all-be-all that Howard thinks it will be. As for Gavin's post, I like it because it's mostly true and the f-bomb makes it enjoyable to read. ;-)