Raible Designs

AppFuse now powered by Contegix and Atlassian

The AppFuse project is now hosted on a Contegix server for its documentation, demos, issues and continuous integration. Single sign-on to all of these servers is handled by Crowd. Many thanks to Atlassian for their generous donations of licenses. The free server and service from Contegix is one of the nicest things that anyone has ever done for me - thanks guys!

If you see any issues that might be related to this move, please let us know.

In addition to running the Atlassian Suite, we're also hosting our own Maven repository. We've been hosting our own for almost a year now. Now that AppFuse is residing on the same infrastructure as Maven's central repo, I wonder if it makes sense to publish to the central repo? I don't see any advantages. If we continue to retain our own, we can have more control, publish to it easily, and fix annoying bugs. What do you think - continue with our own or publish to the central repo?

Update Feb 20, 2015: All AppFuse artifacts are published to Maven Central and have been for several years.

Java Web Frameworks and XSS

In preparation for my talk at OSCON next week, I've been doing some research on cross-site scripting and how good Java web frameworks handle it. I'm disappointed to report that the handling of XSS in Java web frameworks is abysmal. First of all, the JSP EL doesn't bother to handle XSS:

With JSP 2.0 you can use the following to emit the description of a "todo" item:
${todo.description}
That's pretty nice. What happens when someone has entered a description like this?
<script type="text/javascript">alert('F#$@ you!');</script>
Well, it executes the JavaScript and pops up a nice little message to you.
...
My question is this: Why in the world did the expert group on the JSP 2.0 JSR decide to make not escaping XML content the default for EL expressions, when they made the opposite decision for c:out?

(Emphasis mine) If a company/developer wants to make sure their JSP-based code is not susceptible to XSS, they have two choices (as I see it):

• Do lots of code review to make sure <c:out> is used instead of ${}.
• Hack the jsp-compiler/el-engine to escape XML by default.

The good news is #2 doesn't seem to be that hard. I pulled down commons-el yesterday, added a hack to escape XML, re-jarred and put it in Tomcat 5.0.25's classpath. This actually worked and I was impressed it was so easy. However, when I looked at Tomcat 6, commons-el is no longer used and now there's a "jasper-el.jar" in the lib directory. I don't mind modifying another library, but what's the difference between jasper-el and commons-el?

Of course, the whole problem with JSP EL could be solved if Tomcat (and other containers) would allow a flag to turn on XML escaping by default. IMO, it's badly needed to make JSP-based webapps safe from XSS.

On a related note, there's a couple of web frameworks that I've found to be susceptible to XSS: namely Spring MVC and Struts 2. For Spring MVC, its <form:input> and <form:errors> tags are vulnerable. For Struts 2, OGNL expressions are evaluated, which is way worse than XSS and actually allows you to shutdown the JVM by putting %{@java.lang.System@exit(0)}" in a text field.

Even though it was surprising for me to see the issues with Struts 2 and Spring MVC, I'm somewhat glad they exist. If I hadn't discovered them, I might blissfully think that Java web frameworks aren't susceptible to XSS. However, it appears they're not only susceptible, but no one is really thinking about XSS when developing these framework. To further prove that theory, the Spring MVC and Struts 2 teams are aware of these issues, have been for quite some time - yet they've done nothing in the form of releasing upgrades or patches.

Seems kinda strange doesn't it?

AppFuse 2.0 M5 Released - now with CRUD generation and XFire support

The AppFuse Team is pleased to announce the release of AppFuse 2.0 M5! This release marks a milestone in the features of AppFuse 2.x. This release adds CRUD code generation, full source support (just like 1.x) and XFire integration. In addition, we've fixed all the issues related to switching persistence frameworks, and you should now be able to easily switch from using Hibernate to to iBATIS or JPA. The videos have been updated for M5. The Easy CRUD with Struts 2 video shows how code generation currently works.

AppFuse 2.0 is available as a Maven archetype. For information on creating a new project using this release, please see the QuickStart Guide or the Hello World video.

If you've used AppFuse 1.x, but not 2.x, you'll want to read the FAQ and join the user mailing list if you have any questions. The Maven Reference Guide has a map of Ant » Maven commands. Maven for Newbies might also be useful if you've never used Maven before. There is some support for Ant in this release.

For more information, please see the 2.0 M5 Release Notes. If you'd like to use AppFuse offline (or download everything at once), you may want to grab the dependencies and extract them into your ~/.m2/repository directory.

The 2.0 series of AppFuse has a minumum requirement of the following specification versions:

• Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
• Java 5 for Development (Java 1.4 for deployment using the Retrotranslator Plugin)

Comments and issues should be posted to the mailing list.

We appreciate the time and effort everyone has put toward contributing code and documentation, posting to the mailing lists, and logging issues. We also greatly appreciate the help from our sponsors, particularly Atlassian, Cenqua, Contegix, JetBrains, Java.net and KGBInternet. Without them, working on this project wouldn't be nearly as much fun.

Update: The videos are much lower quality than the ones I originally recorded (13 MB vs. 70 MB). If you want to view the high quality videos (they're much clearer), you can download them from java.net. If someone has a better way to compress these (I just used QuickTime's Export feature), please let me know.

Also, this release contains the first release of the AppFuse Maven Plugin. This plugin is largely based on Hibernate Tools. We modified many of the FreeMarker templates from Hibernate Tools to default to certain annotations, as well as clean up the formatting. These templates are currently available in AppFuse's SVN. Hopefully making them available is enough to satisfy Hibernate's LGPL license.

Subversion Hosting

In years past, I never had much of a need for source control outside of open source projects I worked on. Now, as I create more and more training materials and presentations - it's essential. While I could host a Subversion repository myself, it doesn't seem like it's worth the hassle. I'd prefer to have it hosted (and backed up regularly) outside of my house. This week I'm looking to setup svn.raibledesigns.com.

I'm not really looking to get my own Linux box hosted somewhere. I pay around $60/month to KGB Internet for raibledesigns.com, demo.appfuse.org and appfuse.org. To get my own "managed" box is somewhere around $300/month. When I say "managed", I mean Contegix-style where I can say "install this", "do that" and they handle all the sys-admin for you. So all I'm looking for is a reasonable SVN hosting provider that'll give me 1-2 GB for a reasonable price. What's reasonable? I'd say $25-50 per month.

I did some googling and there's a lot of Subversion hosting providers. I e-mailed a few of them with my main question - "can I point my subdomain at your servers?" A few of them have gotten back to me, but now I'm curious to hear from folks using these services. Are you using a Subversion hosting provider for your business? If so, which one?

I'm more interested in bad reviews than good ones - but if you're happy with a service, I'd love to hear about it.

The cheapest one I found is SVNRepository.com. However, it's been an hour since I e-mailed them and I haven't had a response. Nevertheless, $10/month for 5 GB, unlimited repositories, Trac instances, etc. sounds pretty nice.

Update August 2, 2007: I ended up going with SVNRepository.com (Level Two - $6.95/month) and I've been very happy with them. I'm using them for Raible Designs' artifacts (presentations, training materials) so I don't use it on a daily basis - more like monthly.

Sonatype - a new company around Maven

From Jason van Zyl's Maven Diaries:

Since my departure from Mergere I've been quietly and steadily working to help start a Maven related company that I'm proud to say I'm a part of. No grandiose launch, no marketing hype, no VCs, haven't talked to a single analyst, and we hope that you can actually understand what we do by looking at our website. The company's name is Sonatype and I'm finally happy with the people involved and the direction we're headed in. We are focused on facilitating the adoption of Maven through our partners network, providing training, and delivering Maven related products for software development.

Having two companies wrapped around Maven can't be a bad thing. However, let's hope Sonatype has some funding to pay folks to work on the project more, rather than other products that may or may not be successful.

Two things that could make this company very well liked in the open source community:

• Clean up the Maven Repository: Add/delete/modify as requested by users. There's other projects using the repo now and even folks campaigning against Maven. If Maven folks are responsible for cleaning it up, they'll be heroes.
• Provide repository statistics: A lot of open source projects like to track their download statistics. It's a metric for measuring success (in addition to mailing list traffic). If they move to a full Maven-based distribution model (like AppFuse is), there's no more statistics.

Are there other things you think Sonatype can do to make Maven easier to use and more successful?

Congrats to Neel, Jason, John, Kenney, Andrew, Eric and Eirik. I hope you succeed in your mission. I think w/o the VCs and the get-rich-quick folks, it should be a lot easier. Cash isn't always the key indicator of success - more often happiness and job satisfaction are.

Ant vs. Maven

I found a good post from Steve Loughran on what's wrong with Maven's repositories. I agree with most of his points, but would like to point out mvnrepository.com. This site seems to provide good XML Feeds for what's been uploaded to Maven's Central Repository. If you're using Maven, you should probably subscribe to its Atom Feed.

In related news, Timothy M. O'Brien has an entry about Steve's upcoming book: Ant in Action. This book is the 2nd edition of Java Development with Ant. I have a hard time believing Erik Hatcher is helping Steve write Ant in Action - AFAIK, he's off in Rails-land enjoying himself. Regardless, I'm sure Ant in Action will be an excellent book. Java Development with Ant is one of my favorite technical books of all time and is largely responsible for inspiring me to write AppFuse. I read JDwA way back in October 2002 and used a lot of its code to develop AppFuse 1.x's Ant-based build system.

Like Tim, I still like Ant. However, AppFuse 2.x uses Maven 2 and most of the projects I work on these days use Maven 2. It may surprise some folks, but I actually like Maven 2 (not Maven 1). Sure it has issues, but after a year of using it in anger, I know how to solve most of its quirks. AppFuse 2.x users will benefit from this greatly and I'm thinking of changing its tagline to "We make Maven work."

One of the most interesting things about moving to Maven is we were easily able to make AppFuse more like a framework than a project starter kit. We thought this is what most folks wanted - especially the ability to upgrade a project to the latest version of AppFuse. While some folks wanted this, it seems like most folks liked the full-source version that was a pain-in-the-ass to upgrade. I don't blame them. On the project I'm on, I'll likely be converting to a full-source version before the project is over. That's why APF-675 exists. I doubt we'll make it happen for the 2.0 final release, but it is on our radar of things to do shortly after. With any luck, we'll create a way to migrate projects using embedded AppFuse to full-source AppFuse.

I'd also like to point out something ironic. With AppFuse 1.x, there were a lot of folks that advocated we move to Maven. Their primary reasoning - the Ant build scripts were too long and complicated. How about a good ol' lines of XML comparison for those folks:

• Lines of Ant-related XML in AppFuse 1.x: 1655
• Lines of Maven-related XML in AppFuse 2.x: 2847

Oh wait, that's not a fair comparison. The above number is for AppFuse in SVN, which end users won't deal with. A new project created with AppFuse 2.x will likely have a pom.xml with 634 lines. That's about 1/3 of the amount needed for Ant in AppFuse 1.x. Maven hasn't exactly gotten us away from XML hell though. How about a LOC count for archetypes vs. installers:

• Lines of Ant-related XML for AppFuse 1.x framework installers: 2786
• Lines of Maven-related XML for AppFuse 2.x archetypes (including archetype's pom.xml files): Too much to count. Creating archetypes is waayyyy too complicated IMO. Basic archetypes seem to be around 740 lines (pom.xml for archetype project, archetype.xml and archetype's pom.xml), modular archetypes are around 870. 740 x 4 + 870 x 4 = 6440. I'm guessing the full-source archetypes will add another 5000 lines of XML. Ugh.

This XML-for-archetypes comparison might be unfair as well. With 1.x, you could only create a webapp, with 2.x, you can create a modular application and chop off the web-portion if you so choose.

Of course, the real benefits of moving to Maven are elsewhere. We've seen quite an uptick on the mailing list in the last few months. There's tools cropping up and I've gotten quite a few inquiries about training (yes, I do have a 3-day course on Spring, Hibernate, Ajax, Maven and AppFuse). To me, AppFuse 2.x seems more complicated than 1.x, but it seems the community thinks otherwise. Judging from the increased amount of developer activity on the project, developers seem more interested in a Maven-based system too. Then again, we are making Maven work!

Artifactory - a new Maven 2 Repository Manager for Enterprises

From the Maven 2 user list:

We would like to announce the immediate availability of Artifactory, a Maven 2 enterprise proxy.

Artifactory offers advanced proxying, caching and security facilities to answer the needs of a robust, reproducible and independent build environment using Maven 2. It uses a JSR-170 Java Content Repository (JCR) for storage, which makes it extremely easy to manage searchable metadata, and provide extended features such as security, transacted operations, auditing, locking, etc.

Artifactory is distributed under APLv2 at http://artifactory.sourceforge.net. It is currently available as a downloadable archive, that can be run out of the box (with default settings). An install script to run it as a Linux service is also provided. A (limited) guest live demo is available at http://www.jfrog.org/artifactory (username/password is guest/guest).

You are welcome to give it a go!

Cheers,

Yoav Landman,
The Artifactory Team

So how does this compare to Archiva, Proximity and Maven Proxy? One user writes (formatted for better reading):

It's interesting to see that Artifactory's UI is powered by Wicket and Dojo. The demo seems kind of sluggish, but I don't believe this application is meant to handle more than 10 users at a time. For more information on Artifactory's features, see its introduction page.

It's great to see a (seemingly) good tool come out for internal repository management.

I spent a couple days last week analyzing the best open source continuous integration server for Maven 2 projects. Hudson turned out to be the clear winner with the best UI and easiest setup. It also actually worked, which is a lot more than I can say for Continuum. While I did get Continuum to work, it required turning on anonymous SVN (no, putting the username/password in the URL did not work). CruiseControl worked as well, but required config.xml knowledge, which sometimes scares admins. Pulse and Bamboo continue to be the best commercial Maven 2 testers, while TeamCity failed my 10-minute test (twice!). One of the features I was looking for was Trac integration and that only exists for CruiseControl and Continuum.

It's amazing to see projects like Continuum and Archiva. If they're any reflection of the Maven team's ability to develop software, that's frightening. My advice: discontinue both of these projects as they're a waste of anyone's time to even research them.

Update October 2009: Fast forward a couple years and I take back what I said about the Maven's team ability to develop good software. Nexus is a kick-ass Repository Manager.

Database Profiles in AppFuse 2.0

Last night, I added several database profiles to AppFuse 2.0 and its archetypes. What does this mean? It means AppFuse should work out-of-the-box with several databases, including:

• H2
• HSQLDB
• MySQL
• PostgreSQL
• SQL Server

For example, here's how to test a new AppFuse project works with H2:

mvn archetype:create -DarchetypeGroupId=org.appfuse -DarchetypeArtifactId=appfuse-basic-struts -DremoteRepositories=http://static.appfuse.org/repository -DarchetypeVersion=1.0-m4-SNAPSHOT -DgroupId=com.mycompany -DartifactId=myproject

Yeah, I wish there was a way to shorten this command (or prompt for choices) too.

After doing this, you can cd into the "myproject" directory and run mvn integration-test -Ph2. AppFuse 2.0 projects are configured for MySQL by default, so if you want to permanently activate one of these profiles, you can add the following between the <id> and <properties> section of the profile.

    <activation>
        <activeByDefault>true</activeByDefault>
    </activation>

In addition to the profiles listed above, I tried to get Oracle Express and embedded Derby working. No dice on either one. I took a brief look at DB2 Express as well, but with a 400 MB download and 3 JARs required for its JDBC Driver - it seemed like a lot more trouble than it was worth.

Maven 2's build profiles are a powerful feature that we hope to make easy to use. For example, to test your new project with H2 and JBoss, you can simply run mvn integration-test -Ph2,jboss. Thanks to the power of Cargo, this will download JBoss 4.0.5, install it, and run all the Canoo WebTests within it. Of course, this will take a while the first time - especially since JBoss is a 77MB download. Fortunately, we allow you to change one small setting in your pom.xml and use an existing install instead.

Maven 2 is a kick-ass build/deploy/test tool once you figure it out. With AppFuse 2.0, we're doing all the "figuring out" for you.

NOTE: I would add more server profiles, but Cargo's Maven Plugin (version 0.2) has issues with Geronimo 1.1, Jetty 6.x and Resin 3.x. Strangely enough, Jetty's Maven Plugin version 6.0.0 works great, but 6.1.0 throws stack traces.

Update: Support for Oracle and Derby (in networked mode) has been added. We'll consider adding support for DB2 if IBM can figure out how to package their JDBC Driver into a single JAR.

AppFuse 2.0 M3 Released

The AppFuse team is pleased to announce the release of AppFuse 2.0 M3! This release marks a milestone in our documentation efforts. We've completed all of the web framework tutorials and ensured that all the archetypes work properly. Turkish language support was added and native2ascii was integrated so all i18n bundles should work properly.

The major things missing from this release are code generation (AppGen) and web services (XFire) support. We hope to add both of these before the final release.

AppFuse 2.0 is available as a Maven archetype. For information on creating a new project using this release, please see the QuickStart Guide.

The 2.0 series of AppFuse has a minumum requirement of the following specification versions:

• Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
• Java 2 Standard Platform Edition (J2SE) 5.0

For more information, please see the 2.0 M3 Release Notes.

We appreciate the time and effort everyone has put toward contributing code and documentation, posting to the mailing lists, and logging issues. We also greatly appreciate the help from our sponsors, particularly Atlassian, Cenqua, Contegix, JetBrains, Java.net and KGBInternet. Without them, working on this project wouldn't be nearly as much fun.

Maven 2 hates Commons Logging

It's true that most people hate commons-logging, but Maven 2 hates it even more. There are many open source projects that use this library, so you're likely to depend on it when you never intended to. Of course, this is Maven 2's transitive dependencies fault - but currently there's no option to turn transitivity off. I tried changing to SLF4J, but that causes some Maven plugins to fail.

Since the Maven team refuses to fix this (even though it's an *obvious* exception to their rule about not changing anything), I've fixed it myself. The AppFuse repo has a fixed version of commons-logging's pom.xml. To get the fixed version of commons-logging, delete it from your local repo, then add AppFuse's repository to your pom.xml:

    <repositories>
        <repository>
            <id>appfuse</id>
            <url>http://static.appfuse.org/repository</url>
        </repository>
    </repositories>

Since the burden of this issue clearly rests upon the shoulders of the commons-logging developers - can we please get a new release with a fixed pom? Pretty please?

Update: I tried to get slf4j to work again today. While I succeeded, I found a critical bug. The bug is that log messages don't print out the method name, just debug(), info() or whatever from your classes. It's possible to fix this by using slf4j instead of clogging. However, that won't help you get method names printed when cranking up the logging for 3rd party libraries like Spring and Hibernate. Since this won't be fixed, it seems better to stick with commons-logging. I doubt I'd have any luck getting all the libraries that AppFuse uses to move away from commons-logging.