Java News from Monday, June 28, 2004 has released lint4j 0.6, a free-beer "static Java source code analyzer that detects locking and threading issues, performance and scalability problems, and checks complex contracts such as Java serialization by performing type, data flow, and lock graph analysis." Version 0.6 checks for a few more potential problems, adds an Ant task, and fixes bugs.

I ran this across the XOM code base. It didn't find anything useful; and did report numerous false positives. In at least one case it was actively wrong — it reported that a local variable in a subclass shadowed a field in the superclass, but the similarly named superclass field was private. Some of its claims were also questionable. Foir instance, it hated the numerous times I used == instead of equals() in XOM, saying this was OK if "there only exists a well defined number of instances." However, in almost all the cases I was very deliberately testing for object identity rather than object equality because that's what the semantics of algorithm required. Perhaps this tool would be useful on a less polished code base than XOM's, but I didn't see evidence of that. :-(

David Hovemeyer has posted FindBugs 0.8.1, an automated open source tool for finding potential bugs in Java code. This release adds a detector for string concatenation inside loops that should probably be replaced by StringBuffers. It also reduces the rate of false positives.

I tested this release on the latest XOM code base. The new detector found one area where it thought I should use a StringBuffer. However, it was actually a fairly complicated section involving heavy use of substrings as well a sstring concatenation. Given XOM's need to run in pre-1.4 VMs that don't support substring operations on StringBuffers, makign the change seemeed inadvisable. Java 1.4 or later is required. FindBugs is published under the LGPL.

Dan Creswell has released version 2.1.2 of the Blitz JavaSpaces Server Edition, an open source (BSD license) implementation of JavaSpaces that is Jini 2.0 enabled and implements smart indexing, tuneable persistence, and active/passive lease cleanup. This release adds an experimental hot backup facility, a storage lock to prevent execution of multiple instances against one database, a cleanup system for database log files, and fixes various bugs.

Mark Lindner has posted the Jolt JVM Daemon 0.7.1, a free-as-in-speecg (LGPL) wrapper program for Linux and Solaris that enables multiple invocations of java, javac, javadoc, and jar to reuse the same virtual machine for faster startup. Given the problems caused already by classpath and class loader issues, and the number of times I've had to specify fork="true" in my ant build files to make everything work, I'm not sure this is such a good idea.

iPOV has posted jSai 0.8, an open source (Apache license) Servlet Authentication Implementation. based on J2SE + servlets. A J2EE application server is not required. jSai supports basic JDBC and XML backed user stores, as well as an LDAP user store. According to iPOV,

While there are several attempts to create authentication and authorization standards for J2EE applications, they tend to be overly complex; and more importantly have little support for providing information to an application. For instance, the security constraints specified for Servlet Containers allow security mappings that are potentially quite rich; but the only security information provided to a running servlet application is request.getUserPrincipal() and request.isUserInRole() - so in order to display menus based on user privalages the servlet/JSP writer needs to know the mapping of rolenames and users to security levels. Wounldn't it be much more logical to have a way to proactively check to see if a user will be able to access a web resource without needing to know the runtime configuration, a canAccess(user, url) method as it were? We think so. This enables system administrators to change security settings without needing to re-code application logic. You no longer need to choose between displaying a link to a site section that many users would not be authorized to view, or hardcoding in the restriction parameters.
jSai is implemented as a servlet Filter, a set of JSP Tags, and a supporting library (for servlets). Users, and group information can be stored in XML files, a JDBC accessable databases, or in LDAP. The JSP Tags as well as library calls enable web application developers to access important authentication information.