I have been doing Enterprise level java since the 90's. I love the language, I love the tools, I made the best advancements in my career with it. But I am now starting to question whether Java has a future as an enterprise programming language.
The key issue is that when you have a huge enterprise codebase you need that code to keep working, even as you apply security patches.
Considerations:
- Back in the days when Sun Microsystems owned Java backwards compatibility was almost religion. You could trust that when you downloaded the latest Java your code would continue to work, usually untouched and in rare occasions you might have needed to recompile because some library classes changed package, but never much more than that. So we went on building a huge collection of dozens of java applications in our enterprises over a decade or two.
- But since Oracle took over, Spring and Spring Security became essential and Tomcat the near-standard application server… backwards compatibility went out of the window. No problem we thought... we'll stick to Java 8 and Tomcat 8 and simply apply security patches. Then came the warnings about end of life of Java 8 / Tomcat 8 in May 2023. We extended that by a bit by switching to Amazon Corretto (if memory serves they guarantee security patches at least until May 2025) but I believe Tomcat 8 is still planned to go end-of-life in May 2023 and the newer versions of Spring and Tomcat aren't backwards compatible.
- Since security is becoming more and more important these days, we embarked on a couple year project to overhaul our code. When we started Spring 3 wasn't out and Tomcat 10 was not yet ready. So we started with Java 17, Spring 2.x and Tomcat 9. Recently I noticed the massive number of security vulnerabilities (thanks to IntelliJ warning us) and bit the bullet, first migrating our SpringBoot apps to Spring 3 / SpringSecurity 6, and just today noticing that our Spring Boot apps that deploy on Tomcat... can no longer be deployed on Tomcat 9, only Tomcat 10 is supported. So I guess we'll be migrating to that as well.
Concerns:
- Security considerations require frequent security patches. But the new short "security-patch-supported" version lifespans of Spring and Tomcat are forcing us into a continued rewrite cycle. This is not sustainable.
- I know this situation is not a problem just for us. There are many other companies that are struggling to get out of Java 8.
- Does this mean it is time to consider abandoning Java for large Enterprise application codebases? Or is there some other path that allows us to stay in Java?
- Are Oracle, Spring and Tomcat even aware that they are slowly killing Java with their lack of backwards compatibility? That they are turning Java into "hobbyist" language istead of a reliable professional one?
- If it is time to move, is C# and .NET the new "Enterprise language"? Or are there some other stable programming language that are as rich as Java for huge Enterprise codebases?
I would be very interested to hear what other Java professionals are thinking about this issue.