Develop Reference

Inquiry on UiPath's logging framework - concerns on Log4Shell vulnerability

I wish to inquire if there is any concern from UiPath in regards to the threat posed by the Apache Log4j vulnerability (https://amp.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell). I know UiPath orchestrator runs on MS IIS and wanted to know what logging framework is used.

regarding this post in the UiPath forum Robots and Orchstrator are using NLog, which is a different framework.
Also it is mentioned that UiPath Insight is using Log4j. They are currently evaluating the impact. See here

spring integration industry usage

I am evaluating options for a new messaging system. I have been looking at spring integration, mulesoft and camel. Key to any framework is it's industry footprint and support. I haven't been able to find any good indication of the spring integration module being used widely and searches return blogs and the like from the early 2010s not more recent.
Does spring integration have a significant industry footprint?
Thanks

This survey is a few years old. The framework is still very actively developed and used. One gauge of that would be to look at the question history here. We get several tens of questions per month.
It now has a popular Java DSL and no longer requires XML configuration (although that is still supported for those who prefer it).
Disclaimer: I am a previous project lead and still a committer, but the DZone survey was independent.

Does Hazelcast follow JSR-107

Read about JSR-107 and JCache recently.
Would like to know whether Hazelcast or Ehcache follow this JSR?

JSR107 (JCache) made good progress and we already notified the spec committee that Hazelcast will implement the JCache spec. Having JCache part of Java EE 8 will be significant achievement so Hazelcast is now committed to JCache.
-talip (hazelcast founder)

As far as Hazelcast goes, here is a response from Talip Ozturk:
> 1. Does hazelcast have any plans to support JSR107? If so, any release date?
It shouldn't be hard to support JSR107 but it is a 10 years old JSR
that is never been finalized. We don't want to spend time on it until
we see an official release of the spec.
Found on this page.
As far as Ehcache goes, here is a possible implementation that may work: https://github.com/jsr107/ehcache-jcache

Hazelcast 3.3.1 passed the JSR107 final TCK and was accepted by the JCP as compatible. Makes sense since the JCache spec co-author is the CEO of Hazelcast
You can download it at http://hazelcast.org/download

If you need an implementation of JCache, the only one that I'm aware of being available today is Oracle Coherence; see: http://docs.oracle.com/middleware/1213/coherence/develop-applications/jcache_part.htm
For the sake of full disclosure, I work at Oracle. The opinions and views expressed in this post are my own, and do not necessarily reflect the opinions or views of my employer.

Hazelcast is now fully complied with Jsr107 or Jcache. This is announced in the official Blog
On the opening day of JavaOne and Oracle Open World, Hazelcast, the leading In-Memory Data Grid provider is announcing the release of Hazelcast 3.3.1 JCache, the JCache compatible version of Hazelcast.
And acording to this
Hazelcast JCache implementation is 100% TCK (Technology Compatibility Kit) compliant and therefore passes all specification requirements.
The samples in hazel cast makes it somewhat easy to learn jcache as there is really poor JavaDocs and other resources

Spring/Spring Security 3.0.x execution flow

I'm currently in the process of migrating an application from Spring 2.5.6 to Spring 3.0.4 and Spring Security 3.0.2 and I was wondering if there was some kind of execution flow for both of these framework so that developpers could know what is being called before what.
For those of you who are doing this kind of migration, I can tell you that it's not a simple task that's why I was wondering if some experts, out there, in the wild, would have some references about these flow.
Thanks

You should start here:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html
This is a detailed overview of how spring works and will get you up to speed on the changes. Additionally I highly recommend the book by Peter Mularien - Spring Security 3.
With these two references you'll be on your way in no time.
Grant

Java Security Framework

Security always tends to take the last place in a new project. Or you use a framework like Spring where security is already build-in and can be switched on easily.
I try to find an open security framework that can be plugged-in to both Swing and Web applications (and JavaFX?), maybe easy to digest. I looked at plain JAAS, JGuard and JSecurity but its just too complicated to get started.
Any recommendations or experience to share ?
I am working with NB, Glassfish and MySQL.
Thanks
Sven

I have just taken a view of this http://shiro.apache.org/
Apache Shiro is a powerful and
easy-to-use Java security framework
that performs authentication,
authorization, cryptography, and
session management. With Shiro’s
easy-to-understand API, you can
quickly and easily secure any
application – from the smallest mobile
applications to the largest web and
enterprise applications.

I would strongly recommend learning JAAS. It really isn't that difficult to pick up, and there are some useful tutorials and a reference guide on the Sun web site.
In my experience, JAAS is pretty widely used, so it's definitely something you'll be able to reuse once you're learnt it. It also happens to be one of the building blocks for the Glassfish authentication mechanism!

I have done a similar research in JAAS for web application and has ran into a "mind roadblock" until I finally realize JAAS is a framework addressing security at a different "layer" then traditional web applications in the Java World. It is build to tackle security issues in J2SE not J2EE.
JAAS is a security framework build for securing things at a much lower level then web-application. Some example of these things are code and resources available at the JVM level, hence all these ability to set policy files in the JVM level.
However, since J2EE is build on top of J2SE, a few modules from JAAS was reuse in J2EE security such as the LoginModules and Callbacks.
On the other hand, Acegi, aka Spring Security, tackles a much higher "layer" in the securing web-application problem. It is build on top of J2EE security hence J2SE hence JAAS. Unless you are looking to secure resources in the J2SE level (classes, System resources), I don't see any real use of JAAS other than the using the common class and interfaces. Just focus on using Acegi or plain old J2EE security which solves a lot of common web application security problems.
At the end of the day, it is important to learn which "layer" of the J2EE-J2SE security issue you are tackling and choose the write tool(s) for the problem.

I would recommend you take a look at OACC (http://oaccframework.org). OACC was designed for solving the problem of application security. Unlike most frameworks OACC is able to store/manage the authorization relationships in your application. OACC's authorization model is more powerful that Shiro or Spring Security.

There is alternative from JBoss. A new version for PicketBox. More information here:
https://docs.jboss.org/author/display/SECURITY/Java+Application+Security

apache shiro miserably fails when you stress a web application under JBoss (say 2 million requests of a simple GET with a concurrency of 50 threads).
was very dissapointing to find out this.
it happens when you use filters.

You can read http://code4reference.com/2013/08/guest-posttop-java-security-frameworks-for-developing-defensive-java-applications/
It gives 1000mile view from various Java Security framework, such as JAAS, Shiro or Spring Security. All are depended on your requirements and technology stacks that you choose