How to Build Java Applications Today: July 5, 2021

TL;DR

Google’s Firebase gets new features, free Java production profiling to wither away, Sonatype Lift bundles static code analyzers, Quarkus 2.0.0, Apache Camel 3.11, and IntelliJ IDEA 2021.1.3.

README

This is issue 43 of my weekly newsletter, “How To Build Java Applications Today”. I read all the Java newsletters, so you don’t have to! And it’s “Java news with a smile”.

If you like my newsletter, then subscribe to it on Substack! Or read it on dev.to, the Java Cafe, or Medium. Even better: Share it with people who may be interested.

Quote of the Week

“I used to think that the brain was the most wonderful organ in my body. Then I realized who was telling me this.”
Emo Philips, a US comedian (born 1956), reminds us not to blindly trust our inner voice. Or the voice of our partner when they tell us what a wonderful person they are!

Stand-Up

I hope my readers in the US (or “the colonies”, as some still call them over here in merry ol’ England) had a good Independence Day! I had a busy weekend, too, with two InfoQ articles of mine getting published. Fortunately, there isn’t a lot of summer weather distracting me here. 🌧 You’ll read about one article in the main section below.

I also booked another conference talk. And yes, it’s “How should Java developers build front-ends today?” once more. It’s the one where I shot a teaser video with - as a good friend told me - terrible light. 😔 Anyhow, given that supposedly 90% of us Java developers work in the back-end, there’s an awful lot of interest in my front-end talk - 5 conferences this year and counting!

Code Review

Issue 42 from June 28, 2021

Java Applications in Windows 11 App Store

But we do know that Konstantin Terziev is an avid & helpful reader of this little newsletter! He found typos in four issues already. Last week, for instance, I wrote “Visual J+++”. Arguably, that tool didn’t even deserve two “+”. But the third one was wrong for sure! So thank you, Konstantin, for being my editor!

Bookmarks

Frameworks & Libraries

Google’s Backend-as-a-Service Firebase Gets New Features

Firebase offers many free services for Java, web & mobile apps: Authentication, configuration, push notifications, analytics, performance monitoring, mobile app distribution, and more. We pay for storing data in databases & files. But you have to like both the cloud & Google!

My current project uses the Backend-as-a-Service Firebase. Firebase is part new service, part thin layer over existing Google Cloud services. If your organization permits cloud-based services and lets you use Google services, then I can recommend Firebase. Here are the products I use or plan to use in my project:

  • Firebase handles authentication, so my Spring Boot application doesn’t store passwords, just tokens. I only use email & password for now but plan on enabling social logins (Facebook, Google, Microsoft, …) down the line.
  • Cloud Storage stores files. I can define Access Control Lists (ACL) that reference authentication properties. This is the only service I pay for when the file volume exceeds my free Google Cloud tier.
  • I distribute test versions of my native iOS and Android apps with App Distribution. The recipients of my test versions need a Google account.
  • I analyze iOS and Android app crashes with Crashlytics.
  • I plan to send push notifications with Firebase Cloud Messaging later this year. From what I can see, that’s free, no matter how many notifications I send.
  • I hope to use Remote Config for feature flags.

A big downside for Firebase is the cost model of its NoSQL database Firestore. Not only do we pay for storing data (1 GB/month is free), but also for reads, writes, and data transfers. Worst case: A US$30k bill in 3 days!

At Google I/O in mid-May, Firebase got a new product (App Check) and some enhancements. App Check verifies both the app and the device with tokens, whereas authentication verifies the user’s right to access specific resources. You can read more in my InfoQ article.

Firebase certainly seems to have momentum on its side: Google claims that three million apps per month actively use Firebase. That’s more than the 2.2 million apps in Apple’s App Store! And while it took 13 months (from September 2019 to October 2020) to go from 2 million apps to 2.5 million apps, it took just 7 months to add another 500k.

Tools

Free Java Production Profiling To Wither Away?

Java Flight Recorder (JFR) is an imperfect but free tool for profiling Java applications in production. The upcoming Project Loom will amplify its deficiencies. Who’ll step in to fix them?

In issue #25, I wrote about “Profiling in Production” with the JDK Flight Recorder. Oracle claims that JFR just adds 1% overhead to the monitored Java application. And in Java 16, it could record memory allocation more efficiently. So all’s well, right?

Nope: Marcus Hirt, one of the founders of the JRockit JVM that eventually merged with the Sun JVM, sounds the alarm. JRockit is where JFR was born (as the “JRockit Flight Recorder”). Marcus, now at Datadog, identifies four weaknesses of JFR:

  • The first is the recording context - associating the data recorded by JFR with the “thread of execution”. With reactive programming today, many connections share a Java thread, so that link is already broken. And the Virtual Threads of Project Loom (see issue #39) won’t connect with JFR out of the box, either.
  • Marcus also thinks JFR needs wall-clock profiling. That is a low-overhead way to dump thread stacks. Once more, the Virtual Threads of Project Loom make that harder still.
  • The current CPU profiling in JFR doesn’t include native libraries or native JVM threads. It should, according to Marcus.
  • JFR can produce “millions of events per minute” on a 96 core machine, “resulting in recording sizes of hundreds of megabytes per minute”. Now that certainly doesn’t sound like the 1% overhead that Oracle promises! Datadog fixed this already for memory allocation with a rate-limited profiler in Java 16. But Marcus thinks it’s also needed in other areas.

This article is a cry for help because Marcus & his employer Datadog can’t do all this work by themselves. But his calls to action are rather vague (highlights are mine): “For JFR to remain the premium, best in class, production profiling platform, some investment will be needed. […] The OpenJDK community will need to be involved.” So who does what by when here?! I don’t know. But I do hope that the proper actions will be taken!

Sonatype Lift Bundles Static Code Analyzers for Java & Other Languages

Static Code Analyzers find bugs that tests often don’t. Sonatype Lift bundles many open-source analyzers for Java and other languages. Lift is free for public Git repositories but not for private ones.

I use static Java code analyzers because they show me errors in my code. And yes, I don’t write enough unit tests - none these days, really. I know I should, but I don’t. 😔 I do floss each night and eat my vegetables if that is any consolation.

Anyhow, I use two common static analyzers: PMD and the FindBugs successor SpotBugs. They both are separate Gradle targets that I run when putting together a release at the latest. In contrast to these two, Google’s Error Prone always runs during Java compilation, so it gives me much more immediate feedback.

Sonatype bundles 25 static analyzers for Java, JavaScript, C++, and other programming languages in a product called Lift. Lift works on Git repositories in GitHub, GitLab, and Atlassian’s BitBucket and creates pull requests with fixes. You know, like Snyk does for vulnerabilities in dependencies.

Sounds good, so how much does it cost? It’s “free forever on public repositories” and costs $25/month/developer for private repositories.

The beauty of bundling open-source static analyzers is that we can integrate these analyzers ourselves! Here are the ones Lift currently uses for Java: Facebook’s Infer, Error Prone, the SpotBugs plugin “Find Security Bugs”, Quandary, Semgrep, and PMD (disabled by default). So if I’m bored over the next couple of months, I could now add more static analyzers to my project! 👍🏻

If Lift is not for you, I’d say: Start with Error Prone and SpotBugs. Between these two, you’ll find a lot of bugs!
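
An added example (not code from this newsletter, Sonatype, or any of the analyzers) of a defect that functional tests pass but a static analyzer reports: a reset-token generator built on `java.util.Random`, which Find Security Bugs flags as `PREDICTABLE_RANDOM`, next to its `SecureRandom` form. The class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Added example: a flaw that functional tests pass but a static analyzer reports. */
public class ResetTokenDemo {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom SECURE = new SecureRandom();

    // Shared token builder; only the source of randomness differs between the variants.
    static String token(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Weak: java.util.Random is a linear congruential generator, not a CSPRNG.
    // Find Security Bugs reports its use as PREDICTABLE_RANDOM.
    static String weakToken() {
        return token(new Random(), 32);
    }

    // Hardened: SecureRandom extends Random, so the builder stays unchanged.
    static String strongToken() {
        return token(SECURE, 32);
    }

    // The kind of functional check a unit test would make: length and alphabet.
    static boolean looksValid(String t) {
        return t.length() == 32 && t.chars().allMatch(c -> ALPHABET.indexOf(c) >= 0);
    }

    public static void main(String[] args) {
        // Both variants pass the functional check, so the test suite stays green.
        System.out.println("weak passes:   " + looksValid(weakToken()));
        System.out.println("strong passes: " + looksValid(strongToken()));
        // Same seed, same token: the output is a pure function of generator state.
        System.out.println("seeded repeat: "
            + token(new Random(42L), 32).equals(token(new Random(42L), 32)));
    }
}
```

Because the two variants are indistinguishable to a length-and-alphabet test, the analyzer finding is the only automated signal that the weak version shipped.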

Releases

Quarkus 2.0.0

Spring Boot’s most humble competitor adds continuous testing, a CLI, and a GraphQL client in version 2.0. JDK 11 is now the minimal version, and dependencies got upgraded.

“Quarkus makes Java supersonic, subatomic”, to quote the Quarkus 2.0 website. In other words: It’s a modern microservice framework that creates small & fast native images with GraalVM. How popular is Quarkus?

Snyk’s “JVM Ecosystems Report 2021” makes Quarkus the leader of the “Hip Framework Pack Chasing Spring Boot” with 11% (see issue #41). The “JRebel 2021 Java Technology Report” (see issue #27) gives that honor to DropWizard (9%), with Quarkus following (6%).

Now back to version 2.0. Despite the big jump from 1.x, the summary above already told you nearly all you need to know: Three new features, JDK 11, and dependency upgrades. These upgrades are GraalVM 21.1, Eclipse Vert.x 4, Eclipse MicroProfile 4, and Hibernate ORM 5.5.

Apache Camel 3.11

Part of that release is Camel Quarkus 2.0.0 that - you probably guessed it already - integrates Camel with Quarkus 2.0.0.

IntelliJ IDEA 2021.1.3

If you’ve used IntelliJ IDEA, then it probably already nagged you to upgrade to this new version.

When I read that it fixed “UI freezes”, I thought for a moment it fixed the ones that I occasionally experience. But sadly, it’s other freezes. 😒

About

Karsten Silz is the author of this newsletter. He is a full-stack web & mobile developer with 22 years of Java experience, author, speaker, and marathon runner. Karsten got a Master's degree in Computer Science at the Dresden University of Technology (Germany) in 1996.

Karsten has worked in Europe and the US. He co-founded a software start-up in the US in 2004. Karsten led product development for 13 years and left after the company was sold successfully. He co-founded the UK SaaS start-up "Your Home in Good Hands" as CTO in 2020. Since 2019, Karsten also works as a contractor in the UK.

Karsten has this newsletter, a developer website, and a contractor site. He's on LinkedIn, Twitter, and GitHub. Karsten is also an author at InfoQ.
