JDK 23 Release Candidates | Restrictive JAXP Configuration Heads-up
by David Delabassee
Welcome to the latest OpenJDK Quality Outreach update!
Everything is on track for the General Availability of Java 23 on September 17th [1] as the JDK 23 Release Candidate builds (RC2 - builds 37) are now available [2]. And before shifting your attention to JDK 24, make sure to check the Heads-Up below as it is related to an important JAXP update in JDK 23.
The JVM Language Summit took place earlier this month in Santa Clara (California). During this unique conference, key updates around the Java platforms were presented and discussed. So, make sure to watch the JVMLS 2024 playlist [3] as videos are added regularly. And it's not really a surprise but Valhalla was a highly discussed topic. In his session [4], Brian Goetz (Java Language Architect) explained the proposed solution: value classes, null-restricted types, improved definite assignment analysis, and strict initialization. Around the same time-frame, Valhalla Early-Access builds implementing Value Classes and Objects were also made available [5], see the Release Notes [6] for the details. As usual, feedback should be reported to the proper mailing list [7].
[1] https://openjdk.org/projects/jdk/23/
[2] https://jdk.java.net/23/
[3] https://www.youtube.com/playlist?list=PLX8CzqL3ArzUEYnTa6KYORRbP3nhsK0L1
[4] https://www.youtube.com/watch?v=IF9l8fYfSnI
[5] https://jdk.java.net/valhalla/
[6] https://openjdk.org/projects/valhalla/early-access
[7] https://mail.openjdk.org/mailman/listinfo/valhalla-dev
## Heads-up - JDK 23: Prepare for a More Restrictive JAXP Configuration
The Java platform supports XML processing with JAXP (Java APIs for XML Processing) that are based on a wide range of XML technologies and standards, which can make them challenging to secure. To mitigate risks, JAXP offers comprehensive security features [8], but the default settings of some security features are not strict, making them opt-in. To improve out-of-the-box security, future JDK releases will make XML processing more restrictive by default and JDKs 21 to 23 help developers prepare for these changes.
### JDK 21: JAXP Configuration File
JDK 21 added `$JAVA_HOME/conf/jaxp.properties` as the default JAXP configuration file, property settings in this file reflect the current, built-in defaults for the JDK. JDK 21 also added the system property `java.xml.config.file` for specifying the location of a custom configuration file. For details, refer to JDK-8303530 [9] or the `java.xml` documentation [10].
### JDK 23: Restrictive JAXP Configuration File Template
JDK 23 adds `$JAVA_HOME/conf/jaxp-strict.properties.template`, a JAXP configuration file template that specifies more restrictive XML processing settings. It is recommended to test applications on these more restrictive settings to prepare them for a future JDK release that has them as default.
The following steps should be used to test an application with that template:
* copy the template file to a location outside of `$JAVA_HOME/conf`, e.g. `/<my_path>/jaxp-strict.properties`
* run the application with the system property `java.xml.config.file` set to the file's path, e.g. `java -Djava.xml.config.file=/<my_path>/jaxp-strict.properties myApp`
For details, please refer to JDK-8330542 [11].
[8] https://docs.oracle.com/en/java/javase/22/security/java-api-xml-processin...
[9] https://bugs.openjdk.org/browse/JDK-8303530
[10] https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/module-summar...
[11] https://bugs.openjdk.org/browse/JDK-8330542
## JDK 24 Early-Access Builds
The JDK 24 early-access builds 12 are available [12], and are provided under the GNU General Public License v2, with the Classpath Exception. The Release Notes are available here [13].
### Changes in recent JDK 24 builds that may be of interest:
- JDK-8335638: Calling VarHandle.{access-mode} methods reflectively throws wrong exception
- JDK-8329471: Remove GTK2
- JDK-8333772: Incorrect Kerberos behavior when udp_preference_limit = 0
- JDK-8304929: MethodTypeDesc throws an unchecked exception than ReflectiveOperationException …
- JDK-4966250: SSLSessionContext.setSessionTimeout() documentation could be updated
- JDK-8337506: Disable "best-fit" mapping on Windows command line
- JDK-8336479: Provide Process.waitFor(Duration)
- JDK-8336999: Verification for resource area allocated data structures in C2
- JDK-8335480: Only deoptimize threads if needed when closing shared arena
- JDK-8335939: Hide element writing across the ClassFile API
- JDK-8336489: Track scoped accesses in JVMCI compiled code
- JDK-8334492: DiagnosticCommands (jcmd) should accept %p in output filenames and substitute PID
- JDK-8334495: Use FFM instead of jdk.internal.misc.Unsafe in java.desktop font implementation
- JDK-8333396: Use StringBuilder internally for java.text.Format.* formatting
- JDK-8336815: Several methods in java.net.Socket and ServerSocket do not s…
Note: A more exhaustive list of changes can be found here [14].
[12] https://jdk.java.net/24/
[13] https://jdk.java.net/24/release-notes
[14] https://github.com/openjdk/jdk/compare/jdk-24+7...jdk-24+12
# Project Loom New Early-Access Builds
The latest Loom early access builds (Builds 24-loom+3-33 -2024/7/27) are now available [15]. These builds, based on an incomplete version of JDK 24, improve the implementation of Java monitors (synchronized methods) to work better with virtual threads. These builds are intended for developers looking to "kick the tires" and provide feedback or bug reports. Feedback should be reported to the Loom mailing list [16] (subscription required).
[15] https://jdk.java.net/loom/
[16] http://mail.openjdk.org/mailman/listinfo/loom-dev
# JavaFX Early-Access Builds
These are early access builds of the JavaFX 23 and 24 Runtime built from openjdk/jfx [17]. These builds enable JavaFX application developers to build and test their applications with JavaFX 23 and 24 on JDK 23 and 24 respectively. And although these builds are designed to work with JDK 23 EA, they are also known to work with JDK 21 and later versions.
The latest early access builds of JavaFX 23 (Builds 27) are available [18], under the GNU General Public License, version 2, with the Classpath Exception. And similarly, the latest early access builds of JavaFX 24 (Builds 4) are available here [19].
[17] https://github.com/openjdk/jfx
[18] https://jdk.java.net/javafx23/
[19] https://jdk.java.net/javafx24/
## Topics of Interest
- JDK 23 G1/Parallel/Serial GC changes
https://tschatzl.github.io/2024/07/22/jdk23-g1-serial-parallel-gc-changes...
- How to Read a JDK Enhancement Proposal
https://inside.java/2024/08/01/newscast-74/
- JFR Event to Detect Invocations of Deprecated Methods
https://egahlin.github.io/2024/05/31/deprecated-event.html
- JVMLS: Valhalla - Where Are We?
https://www.youtube.com/watch?v=IF9l8fYfSnI
- JVMLS: An Opinionated Overview on Static Analysis for Java
https://inside.java/2024/08/20/jvmls-static-analysis/
- JVMLS: Rethinking Java String Concatenation
https://inside.java/2024/08/19/jvmls-string-concatention/
- JVMLS: Project Babylon - Code Reflection
https://inside.java/2024/08/14/jvmls-code-reflection/
- JVMLS: A Code Reflection Example - Translating Java to SPIR-V
https://inside.java/2024/08/16/jvmls-spir-v/
- JVMLS: Java in 2024 Keynote
https://inside.java/2024/08/12/jvmls-keynote/
~
As always, please ping me if you encounter issues with an early-access build. And see you next month for the Java 23 launch!
--David
2 months, 4 weeks
