Did Spring4Shell exploit vulnerability affect the "Spring Tools 4 for Eclipse"? - spring-tools-4

I cannot find whether Spring4Shell exploit vulnerability affects the "Spring Tools 4 for Eclipse 4.14.0". Would you mind advising whether it affected or not?

The Spring Tools 4 are not vulnerable to CVE-2022-22965 since there is nothing from the tools that run as a packaged WAR on a Tomcat server.
The only piece that uses Spring internally is the Spring Boot Language Server component that comes as part of Spring Tools 4, but this language server doesn't run as packaged WAR file either, does not even use Spring WebMVC or WebFlux, and does not expose an outside API via some form of data binding.

Related

Use of Spring 5.3 with Servlet 3.0

I'm working on application which uses Spring Core in version 4.3.14 and Spring Web in version 4.2.13. We don't use Spring MVC. Also, from Spring Web we use just very limited set of classes:
XmlWebApplicationContext (so classes from org.springframework.web.context)
RestTemplate (so classes from org.springframework.web.client, here i expect some problems)
some util classes which probably can be refactored to use something else
My question is:
We want to migrate to Spring 5.x. Is such a migration really possible? Or should i expect some severe problems with application startup (class incompatibilites etc). This source for example: https://github.com/spring-projects/spring-framework/wiki/What%27s-New-in-Spring-Framework-5.x#whats-new-in-version-50 says that Servlet 3.1 is required
From the other side, here https://spring.io/blog/2015/06/10/feedback-welcome-spring-5-system-requirements JUERGEN HOELLER wrote that migration to Spring 5 will be a soft one. So i assume that if Application uses only features from JEE6 + Servlet 3.0, then it can be that it will also work on Spring 5.x with JEE6-compatible appserver
Does anyone have an experience in that?
As always, Spring Framework upgrades its baseline with new major versions. In this case, we're requiring JDK8+ and Java EE7+.
In practice, this means that the compiled code depends on those APIs and doesn't use reflection anymore to adapt to them. In your case, this is not only about Servlet, but also JPA, JMS, bean validation and other specs.
Your application might work fine with the arrangement you're mentioning, but the Spring team will not guarantee support for this setup.

Convert project from Spring framework to Spring boot

I have a set of projects in Spring framework and I have to Find the ones which can be converted to Spring boot.
Is there anything that is related to Spring framework and cannot be converted to spring boot ? In my research, I Could not Find something like that.
But does anyone know something, like a dependency, which would force the project to stay in Spring framework ?
Spring Boot uses the Spring Framework as a foundation and improvises on it. It simplifies Spring dependencies and runs applications straight from a command line. Spring Boot provides several features to help manage enterprise applications easily. Spring Boot is not a replacement for the Spring, but it’s a tool for working faster and easier on Spring applications. It simplifies much of the architecture by adding a layer that helps automate configuration and deployment while making it easier to add new features.
Most of the changes for migrating Spring Framework application to Spring Boot are related to configurations.This migration will have minimal impact on the application code or other custom components.Spring Boot brings a number of advantages to the development.
It simplifies Spring dependencies by taking the opinionated view.
Spring Boot provides a preconfigured set of technologies/framework to reduces error-prone configuration so we as a developer focused on building our business logic and not thinking of project setup.
You really don’t need those big XML configurations for your project.
Embed Tomcat, Jetty or Undertow directly.
Provide opinionated Maven POM to simplify your configurations.
Application metrics and health check using actuator module.
Externalization of the configuration files.
Good to refer this for migrating from Spring to Spring Boot application: https://www.javadevjournal.com/spring-boot/migrating-from-spring-to-spring-boot/

BPMN for spring boot 2

We have started new project on spring stack and using latest versions. But we have workflow requirement and I used activiti in past. But as I see there is no spring boot 2 support for activiti and camunda. Can anybody suggest which BPM is best that can be integrated with spring boot 2.
You will find a bunch of Spring Boot 2 starters in the Flowable github repo.
The documentation explains step-by-step how to create a BPM enabled Spring Boot application. There is also the blog post The road to Spring Boot 2.0 that the improved support for Flowable within Spring Boot as part of the Flowable 6.3.0 release.
You ask for suggestions on which BPM is best. Well, I cannot be objective since I am part of the Flowable Team, but I can say that our Spring Boot implementation is pretty neat:
All engines are supported (BPMN, CMMN, DMN), both embedded and exposing their respective REST APIs.
There is an automatic configuration of Spring Security to use the Flowable IDM engine (in case no other custom security is configured).
There is no "EE" version of the starter. Flowable provides Spring Boot 2 support 100% Open Source.
The Spring Actuator integration is quite powerful.
Did I mention Open Source? ;-)
In order to get the all engines you would need to use the flowable-spring-boot-starter(-rest) dependency. The (-rest) needs to be used if you want the Flowable REST APIs to be automatically configured.
There is also the option to run the BPMN, CMMN or DMN engines in standalone mode. For that you would need one of the following dependencies:
flowable-spring-boot-starter-process(-rest)
flowable-spring-boot-starter-cmmn(-rest)
flowable-spring-boot-starter-dmn(-rest)
So, compare for yourself, but for me, it's pretty clear and of course I am open to discussion.
The Activiti is working on Activiti Cloud fully based on Spring Boot 2 and Spring Cloud Finchley (targeting kubernetes deployments, but it can be used outside kubernetes if that is not your thing) if you are looking for a BPMN runtime for Cloud Native applications. We are working hard on releasing the first Beta1 release at the moment, and we will very welcome feedback about it. Hope this helps.
If you use the camunda-bpm-spring-boot-starter you can write self contained services running camunda process engine with spring boot 2.

Spring Framework hosting

I am trying Java with Spring Framework for my own web project. I've asked some traditional JSP web hosting firms which supports Tomcat and they said they do not support Spring Framework. I am confused about this situation. What is the different requirements between JSP and Spring Framework? I was thinking both of them runs on JVM such as Tomcat and they do not need any difference things. Does Spring Framework need different jar files, or different software on server?
Building a Spring application results in a jar with an embedded webserver (most of the times tomcat, but you can change this in the pom.xml/build.gradle).
I used to host my Spring applications on a VPS or Amazon EC2 instance. Something like that. You can just install Java on it and run your jar. No extra installations of webservers needed.
Ok, let get it straight, just summarizing what have been said:
Use Spring MVC, without spring boot.
Use Spring Boot, and create a war file.

Writing a JSF based spring boot app so that it can also run on a Java EE app server without change

Spring boot is great - we have an app that runs standalone fine, using JAXRS 2, JSF 2.1.6. They versions are irrelevant really, other than they are under our control.
Our corporate deployments are on fully blown Java EE app servers though, so we don't have the option of deploying the app to something simple such as Tomcat or even as a jar with embedded Tomcat.
Trying to get a Spring boot app to work on these ends up being a world of pain, as the Java EE app server will either stop you completely or partially from using different versions of jars to the ones it ships with.
So my question is, is there a magic bullet that allows Spring boot apps to fully blown app servers like WildFly,Glassfish etc. Or what are the general approaches to getting around this issue?
The only one I can think of is to code the application to exactly the same spec as the app server, and then use Maven profiles to ship the jars for the embedded up, but to have them as provided when using them in an app server. Of course this immediately takes away the advantage of Spring not being tied down to a particular version of Java EE.

Resources