A new security issue has been reported in Apache Tomcat versions 7 through 7.0.20, 6 through 6.0.33 and 5.5.0 through 5.5.33.
According to the Tomcat mailing lists:

"Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have full control over the AJP message which allowed an attacker to (amongst other things):
- insert the name of an authenticated user
- insert any client IP address (potentially bypassing any client IP address filtering)
- trigger the mixing of responses between users

The following AJP connector implementations are not affected:

org.apache.jk.server.JkCoyoteHandler (5.5.x - default, 6.0.x - default)

The following AJP connector implementations are affected:
org.apache.coyote.ajp.AjpProtocol (6.0.x, 7.0.x - default)
org.apache.coyote.ajp.AjpNioProtocol (7.0.x)
org.apache.coyote.ajp.AjpAprProtocol (5.5.x, 6.0.x, 7.0.x)

Further, this issue only applies if all of the following are true for at least one resource:
- POST requests are accepted
- The request body is not processed

Example: See https://issues.apache.org/bugzilla/show_bug.cgi?id=51698

Mitigation:

Users of affected versions should apply one of the following mitigations:
- Upgrade to a version of Apache Tomcat that includes a fix for this issue when available
- Apply the appropriate patch
 - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
 - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
 - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the requiredSecret attribute
- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x)"
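A quick way to check which of the mitigations above still needs doing is to audit server.xml for AJP connectors that use one of the affected implementations and do not set requiredSecret. The script below is an added example, not Tomcat's own code; the sample server.xml and the secret value in it are constructed placeholders.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to the issue above
(added example, not Tomcat's own code)."""
import xml.etree.ElementTree as ET

# Implementations named in the advisory above.
AFFECTED = {
    "org.apache.coyote.ajp.AjpProtocol",
    "org.apache.coyote.ajp.AjpNioProtocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}
NOT_AFFECTED = {"org.apache.jk.server.JkCoyoteHandler"}

def audit_ajp_connectors(server_xml, tomcat_branch="7.0"):
    """Return one finding per AJP connector in the server.xml text."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if proto == "AJP/1.3":
            # "AJP/1.3" selects the branch default: JkCoyoteHandler on 5.5.x
            # (not affected), AjpProtocol on 6.0.x/7.0.x (affected).
            affected = tomcat_branch != "5.5"
            impl = "AJP/1.3 (default implementation for %s)" % tomcat_branch
        elif proto in AFFECTED:
            impl, affected = proto, True
        elif proto in NOT_AFFECTED:
            impl, affected = proto, False
        else:
            continue  # HTTP connector or an implementation not on the lists
        has_secret = bool(conn.get("requiredSecret"))
        findings.append({
            "port": conn.get("port"),
            "implementation": impl,
            "affected_implementation": affected,
            "requiredSecret": has_secret,
            # Exposed unless unaffected or the proxy must present a shared secret.
            "exposed": affected and not has_secret,
        })
    return findings

# Constructed sample server.xml: one AJP connector without requiredSecret and
# one with a placeholder value (use a real shared secret in practice).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpProtocol"
               requiredSecret="REPLACE-WITH-SHARED-SECRET"/>
  </Service>
</Server>"""
```

Run it against your real server.xml with `audit_ajp_connectors(open("conf/server.xml").read(), "6.0")` and treat any finding with `exposed` set as a connector that still needs patching, a secret, or the JkCoyoteHandler connector.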
 
Prime Technology has announced the latest milestone release of PrimeFaces. PrimeFaces 3.0.M3 is the final milestone release, with the release candidate scheduled for release in November 2011.
PrimeFaces is a JSF 2 component suite featuring over 100 JSF components such as calendars, CAPTCHA, and Google Maps components.  A full showcase of components can be viewed online here.
This latest milestone release adds several new components to the suite (timeline, feed reader, sheet and subtable) as well as including many other improvements.  The complete list of changes can be read in the release announcement.
For more details about PrimeFaces, check out primefaces.org
 
Java EE 6 Development
Java EE 6 Development With NetBeans 7 aims to show developers how to write Java EE 6 applications using the latest version of Oracle's NetBeans IDE, NetBeans 7. The book focuses on using GlassFish as the application server for developing applications. One of the most useful aspects of this book is the way that it teaches the reader how to use NetBeans as well as how to develop Java EE 6 applications. Whenever there are NetBeans features (for example shortcuts) that are pertinent to the development in question, these are explained, with the end effect that the reader becomes more productive in NetBeans as well as in Java EE 6.

The book starts with an overview of NetBeans 7, showing how to download, install and configure the software. NetBeans 7 can be downloaded pre-configured to work with GlassFish and Java DB, but instructions are provided on how to install other application servers (such as JBoss) and databases (such as HSQL). Although other Java EE 6 application servers could be used throughout the book, the focus is on Java EE 6 itself rather than on the application server. I'd therefore recommend using GlassFish first and then re-reading if GlassFish isn't your preferred application server.
After introducing the reader to EE 6 development using NetBeans, there are several chapters that provide a learning trail for web development. First, JSPs are introduced and a simple application is developed using purely JSPs. The application is enhanced using servlets and JSTL, implementing basic security along the way. For developers new to EE 6 development, these chapters provide a good overview of how Java web development used to be and give an appreciation of the underlying technologies used within web development. Fortunately web development has moved on from the basic JSP/Servlet model and we now have frameworks such as JavaServer Faces and component libraries such as PrimeFaces. These are described at the end of the web development section of the book, showing how NetBeans offers first class support for both of these technologies.
What web application would be complete without the use of a database? Fortunately Java EE 6 provides the Java Persistence API. NetBeans offers excellent support for managing JPA and this is described in the book. The author doesn't go very deep into JPA (after all, there are entire books written about it), but provides enough detail to allow developers to start learning and start using the features provided by NetBeans. Features such as creating entity classes from an RDBMS schema or generating JSF applications from JPA entities are all explained in detail.
In the next section of the book, the author describes how to implement EJBs for implementing business tiers with Session Beans and messaging solutions with Message Driven Beans. Again, plenty of code samples are provided together with tips on how to use NetBeans effectively. The new Contexts and Dependency Injection (CDI) framework is also discussed, showing how it can be used to integrate the business and presentation tiers of a Java EE application.
If you need to provide interoperability with non-Java EE based systems, then perhaps you need to look at web services. The final two chapters of the book provide an overview of how developers can use NetBeans to write both SOAP and RESTful web services using JAX-WS and JAX-RS. Development of web services is one of the areas where the combination of GlassFish and NetBeans provides a superior developer experience to other environments. The ability to develop and modify web services using simple wizards (or via code if you don't like wizards) and then easily deploy and test is one of the key advantages of Oracle's Java EE 6 development and deployment environment. As in the rest of the book, there are plenty of samples and the descriptions are informative and easy to understand.
Finally, the book contains two appendices showing how NetBeans can be used to debug and profile enterprise applications, two features that will probably be used widely by all enterprise developers.
Packt Publishing describe the book as being “aimed at Java developers who wish to develop Java EE applications while taking advantage of NetBeans functionality to automate repetitive tasks and to ease their software development efforts.  Familiarity with NetBeans or Java EE is not assumed.”  I’d agree with that and would recommend the book to any developer starting out with Java EE 6.  Even if NetBeans isn’t your preferred IDE, using it in conjunction with this book will almost certainly allow you to learn and become more productive in Java EE 6.
Recommended reading for anyone wishing to learn NetBeans and Java EE 6.
Java EE 6 Development with NetBeans 7 by David R Heffelfinger, 374 pages, ISBN 978-1-849512-70-1
Thanks to Nicole at Packt Publishing for providing me with a copy of this book to review.
 
We've just posted a new article on how to deploy a Java EE web application to OpenShift Express using JBoss AS 7. You can read the entire article here.
According to jboss.org:
"Express offers the fastest on-ramp to the cloud. Simply install the command-line tools, create your application and deploy to the cloud with Git. It's that easy! Express is a service that leverages a shared-hosting model with SELinux to ensure security at multiple levels."
 
The JBoss team have just released two new versions of the JBoss Application Server.
JBoss AS 7.0.1, Red Hat's latest Java EE 6 Web Profile certified application server, includes nearly 140 resolved issues over the initial release of the product. The list of resolved issues in 7.0.1 can be found here.
JBoss AS 6.1.0 includes almost 100 resolved issues over the initial release. The list of resolved issues in JBoss AS 6.1.0 can be found here.
Both products can be downloaded from the JBoss Community Downloads page.
JBoss AS 7 is described by Red Hat as "Lightning Fast", providing "efficient development as a result of fast, concurrent deployment and the ability to edit static resources without redeployment in a flexible deployment structure". Have you used JBoss AS 7? What are your thoughts about it? Log on now and leave your comments.
 
Apache Tomcat 7.0.20, the latest release of Apache Tomcat, has been released and is available for immediate download.
In the release notification, Mark Thomas notes:
"Apache Tomcat 7.0.20 includes bug fixes and the following new features and fixes compared to version 7.0.19:
  • JSP files with dependencies in JARs are no longer recompiled on every access thereby improving performance.
  • Update to version 1.1.22 of the native component of the AJP and HTTP APR/native connectors.
  • Update to Commons Daemon 1.0.7.
  • Converted unit tests to JUnit 4.

Please refer to the change log for the complete list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures."

 
Recently, we reviewed the EJB 3.1 Cookbook by Richard Reese. We thought that it was an "excellent resource in an EJB developer's library".
Now, thanks to Packt Publishing, you can win a free e-book copy of the book. All you have to do is leave a comment detailing why you would like the book, or which features of the book you think would be most useful to you.
To enter, simply leave your comment here in our forums.
The competition is open until Friday 2nd September, when we'll choose a random winner to receive a free copy of the EJB 3.1 e-book courtesy of Packt Publishing.
You can get more details of the book on Packt's web site at:
 
The Tomcat team has announced that as of 30th September 2012 Tomcat 5.5 will be unsupported.
Mark Thomas states in the Tomcat mailing lists:

"This means that after 30 September 2012:
- releases from the 5.5.x branch are highly unlikely
- bugs affecting only the 5.5.x branch will not be addressed
- security vulnerability reports will not be checked against the 5.5.x branch

Three months later (i.e. after 31 December 2012)
- the 5.5.x download pages will be removed
- the latest 5.5.x release will be removed from the mirror system
- the 5.5.x branch in svn will move from /tomcat/tc5.5.x to /tomcat/archive/tc5.5.x
- the links to the 5.5.x documentation will be removed from tomcat.apache.org
- The bugzilla project for 5.5.x will be made read-only

Note that all 5.5.x releases will always be available from the archive."