Apache ActiveMQ 5.17.0 is there!
Finally, after several months of work, Apache ActiveMQ 5.17.0 has been released. This is a major milestone in Apache ActiveMQ roadmap, bringing lot of changes, and already preparing ActiveMQ 5.18.x. Let's take a quick tour on some major changes in ActiveMQ 5.17.0.
JDK 11+If ActiveMQ 5.16.x already supported JDK 11+ at runtime, the build was still using JDK 8. ActiveMQ 5.17.0 now requires JDK 11+ for both build and runtime.
Spring 5.xBefore ActiveMQ 5.17.0, we used Spring 4.x, a deprecated (not maintained) version of Spring. It was a concern as Spring 5.x includes improvements and fixes, especially CVE fixes. So, it made sense to bump to Spring 5.x (latest available major version right now). From an user standpoint, nothing change, the main
conf/activemq.xmlis basically the same.
Log4j 2.xIf ActiveMQ 5.16.4 switched from log4j 1.x to reload4j, in order to fix CVE issues (see Apache ActiveMQ 5.16.4, reload4j and more for details). In ActiveMQ 5.17.x, we decided to upgrade to log4j 2.17.1, including major CVE issues fixed. From an user standpoint, this upgrade has two impacts:
- the log4j configuration has been updated and is now defined in
conf/log4j2.propertiesfile, of course using log4j2 format
- fabric8 insight log query bean has been removed from default
conf/activemq.xmlas it only supports log4j1 (not log4j2)
Jetty update and security enforcementIf Jetty update is a "classic" in any ActiveMQ release, ActiveMA 5.17.0 changed the used Jetty artifacts. In previous ActiveMQ releases, we use the Jetty all aggregate uber jar. This approach is not recommended (deprecated) by Jetty anymore. Instead, in ActiveMQ 5.17.0, we are now using the "atomic" jetty component jar files. It reduces the overall jar sizes by selecting only the Jetty jar files we actually need. Again, from an user standpoint, no impact:
conf/jetty.xmlis still the same from a Jetty perspective. Another change is about improving security on the webconsole in
conf/jetty.xml. Basically, we improved the Jetty security constraint mapping:
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping"> <property name="constraint" ref="securityConstraint" /> <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" /> </bean>
OSGi/Karaf improvementsA complete cleanup of the OSGi headers (in ActiveMQ bundles) and also Karaf features have been performed. The major changes are:
- support of JMS 2 API (even if the broker is still JMS 1.1, JMS 2 dependency is now used). It avoid lot of refresh
- better hierarchy of Karaf features, in order to have fine grained features matching exactly users expectation