jbossorg
diff --git a/‎src/content/posts-aggregator/1.json
+5-5 b/‎src/content/posts-aggregator/1.json
+5-5
diff --git a/‎src/content/posts-aggregator/10.json
+4-4 b/‎src/content/posts-aggregator/10.json
+4-4
@@ -1,13 +1,13 @@
 {
-  "title": "How Orange leverages Quarkus for seamless access to Telco network capabilities",
-  "link": "https://quarkus.io/blog/orange-telco-core-network-api-management-with-quarkus/",
+  "title": "Sender-constraining access tokens with Quarkus OIDC",
+  "link": "https://quarkus.io/blog/sender-constraining-tokens/",
   "author": [
     {
-      "name": "Thomas Segismont",
+      "name": "Sergey Beryozkin",
       "avatar": null
     }
   ],
-  "date": "2025-03-18T00:00:00.000Z",
+  "date": "2025-03-19T00:00:00.000Z",
   "feed_title": "Quarkus",
-  "content": "INTRODUCTION  As a global telecommunications leader, has always been at the forefront of innovation. Along with Deutsche Telekom, Telefónica, and Vodafone, Orange co-founded the , an initiative aimed at simplifying the consumption of 5G APIs for third-party application developers.  To achieve this goal, Orange needed a flexible and lightweight framework capable of handling constrained API exposure while ensuring compatibility with existing network core systems.  After a rigorous evaluation of multiple frameworks and toolkits — including Quarkus, Ktor, Micronaut, and Vert.x — Orange selected Quarkus as the ideal solution.  , software craftsman at Orange, told us why.   WHY QUARKUS? A FRAMEWORK EVALUATION  The team at Orange identified application startup time as a barrier to dynamic Kubernetes pod management. So they embarked on a comparative study to test alternatives to Spring Boot in a well-defined API wrapper exposure context. Key evaluation criteria included:   * Learning Curve: How easily could a Spring developer transition?   * Kotlin Compatibility: Could the framework work seamlessly with Kotlin?   * Runtime footprint: Could it operate efficiently in a constrained environment?   * Ease of Deployment: How smoothly could it be deployed on Kubernetes?  After extensive testing, Quarkus stood out for multiple reasons:   * Simplicity: A relatively simple learning curve, especially for those familiar    with JAX-RS / Jakarta REST.   * Dev Mode: Very fast startup, live reload and zero configuration Dev Services    (Vault, Redis) result in great developer productivity.   * Modularity: Only required dependencies were embedded, keeping applications    lean.   * Documentation: Well-organized, versioned documentation with working examples.   * Native Compilation: The ability to generate compact native binaries for    Kubernetes deployment.  Despite the strong competition from a vibrant JVM ecosystem, these advantages made Quarkus the preferred choice for exposing 5G APIs at Orange.   LESSONS LEARNED FROM ADOPTING QUARKUS   MIGRATION & DEVELOPMENT EXPERIENCE  Transitioning from Spring to Quarkus was not overly complex, especially for those familiar with JAX-RS / Jakarta REST.  The significantly enhanced productivity in dev and test modes, but required careful consideration for their CI/CD environments, where no container runtime is available.  The modular approach ensured applications remained lightweight but introduced a large number of small dependencies to manage.   SPEC-FIRST API DEVELOPMENT  As spec-first practitioners, integrating OpenAPI specification generation was a crucial requirement that Quarkus handled effectively.   JAVA & KOTLIN INTEROPERABILITY  While Quarkus supports Kotlin, writing full Kotlin extensions proved challenging at times. The team retained some Java code, and Java-Kotlin interoperability worked smoothly.   NATIVE COMPILATION & PERFORMANCE  Native compilation produced compact native executables, but the process of producing them was lengthy. The team reserved it for the final build stage when absolutely necessary.  Some fine-tuning was required to prevent class pruning issues.  When building native executables, the call tree is analyzed to determine which classes and methods are used. Everything that is not used is pruned to reduce the size of the executable and the RSS usage.  In some cases, e.g. when using reflection, you will have to declare explicitly that a class is used so that it ends up being included in the native executable.  Quarkus provides tooling to simplify this configuration.   REACTIVE PROGRAMMING & MUTINY  Having worked extensively with Reactor, the transition to Mutiny had a learning curve.  While effective and more intuitive thanks to its navigable API, it was perceived as more verbose for the simple cases.   ARCHITECTURE OVERVIEW  Orange designed a microservices-based architecture to expose 5G APIs efficiently.   MICROSERVICES & API WRAPPERS  Each API wrapper was implemented as a dedicated microservice for better version control. The team leveraged Reactive APIs wherever possible, since there are a lot of time-consuming asynchronous tasks to be performed on the core network side and saving resources is a business goal.   CI/CD & DEPLOYMENT  Each microservice had its own GitLab repository with an independent build pipeline for its Docker image.  Renovate was used to automate dependency upgrades. A dedicated deployment project pushed new Docker images to an OpenShift cluster using Kustomize + ArgoCD.   INFRASTRUCTURE COMPONENTS  Additional services included:   * Vault for secrets management   * Redis for caching   * Neo4j for database operations   * Kafka for messaging  Vert.x HTTP Proxy was used for routing and backend protection.   RESULTS & IMPACT  After implementing Quarkus in production, Orange successfully deployed ten APIs across various 4G/5G network cores. Over time, the team performed multiple Quarkus version upgrades (2.11 → 3.14), all well-managed through Renovate with minimal code adaptation—except for necessary adjustments during the migration to Jakarta EE."
+  "content": "INTRODUCTION  Single-page application (SPA) runs in the browser and uses to log-in users, without depending on Quarkus OIDC. When the authentication is complete, SPA sends the access token to access Quarkus on behalf of the authenticated user.  Have a look at the simple diagram showing how this process works, copied to this post from the :    As illustrated in the picture above, the OIDC provider authenticates the current user, SPA receives ID and access tokens and uses the access token to access the Quarkus endpoint.  The security challenge that the OAuth2 experts have been trying to address is how to prove that the client such as SPA which is sending the token actually owns this token ? There is nothing in the HTTP Authorization: Bearer <token> header that proves that SPA did not leak the token.  Two specifications for sender-constraining access tokens have emerged over the years, and .   MUTUAL TLS CLIENT AUTHENTICATION AND CERTIFICATE-BOUND ACCESS TOKENS  specification describes how access tokens can be cryptographically bound to the MTLS client certificate.  By proving that the access token is bound to the client certificate, the Quarkus application can get a high degree of confidence that the current access token is constrained to, owned by the client which authenticated to Quarkus over MTLS.    Implementing the cryptographic binding is not complex in this case. The current access token is expected to contain a confirmation with the SHA-256 certificate thumbprint and it must match the thumbprint of the current MTLS client certificate. If the token is in JWT format, then it must include a confirmation claim. If the token is binary then the confirmation must be included in the remote token introspection response.  Such a binding can only be successful if the OpenId Connect provider has access to the same client certificate which is used during the MTLS authentication to Quarkus.  The downside of using the MTLS token binding is that correctly configuring the OpenId Connect provider, ensuring that browsers can request an X509 certiticate authentication when SPA redirects the user to authenticate to the OIDC provider is complex.  If you are a Keycloak user, check the in the Advanced Configuration section of the and the community blog post.  As far as Quarkus is concerned, you only need to set a single OIDC configuration property, quarkus.oidc.token.binding.certificate=true, in addition to the Vert.x HTTP MTLS configuration, to enforce the MTLS token binding.  See the documentation for more details.   DEMONSTRATING PROOF-OF-POSSESSION (DPOP)  specification describes how access tokens can be cryptographically bound to special JWT tokens called DPoP proofs.    The SPA client generates a private and public key pair, and creates a DPoP proof token to complete the access token acquisition from the OIDC provider. It then forwards this DPoP token to Quarkus with a new DPoP proof. The access token must be bound to the DPoP proof by containing a public JSON Web Key (JWK) key thumbprint which matches the thumbprint of the public JWK key contained in the DPoP proof.  This binding can only be successful if the client uses the same public and private key pair for creating the DPoP proof to request the access token in the previous step and creating another DPoP proof for submitting it alongside the DPoP access token to Quarkus.  Quarkus OIDC will also enforce . Support for custom is also planned.  Adoption of DPoP, compared to that of the MTLS token binding, is expected to progress faster, because DPoP is an application-level protocol, with no expectation that the transport-level MTLS authentication takes place. However, correctly creating DPoP proofs at the SPA level is not straightforward and requires care.  If you are a Keycloak user, then enabling an experimental dpop feature is sufficient to get started. Also check the in the Advanced Configuration section of the and the community blog post.  As far as Quarkus is concerned, you only need to set a single OIDC configuration property, quarkus.oidc.token.authorization-scheme=dpop to accept DPoP tokens and enforce their binding to the accompanying DPoP proofs.  See the documentation for more details.   FINANCIAL-GRADE API (FAPI)  is a general high-security API profile built on top of OAuth2.  Both and specifications are included in the Financial-Grade API 2.0 .   CONCLUSION  In this article, we have discussed two important OAuth2 specifications for sender-constraining access tokens, and .  Both of these token security elevation technologies can be easily supported in Quarkus OIDC, by using a single configuration property only, without having to write a lot of custom code and configuration.  Please experiment with and in Quarkus and let us know what you think."
 }
@@ -1,13 +1,13 @@
 {
-  "title": "Running SQLite in Pure Java with Quarkus",
-  "link": "https://quarkus.io/blog/sqlite4j-pure-java-sqlite/",
+  "title": "Quarkus Newsletter #54 - March",
+  "link": "https://quarkus.io/blog/quarkus-newsletter-54/",
   "author": [
     {
-      "name": "Andrea Peruffo",
+      "name": "James Cobb",
       "avatar": null
     }
   ],
   "date": "2025-03-12T00:00:00.000Z",
   "feed_title": "Quarkus",
-  "content": "What if you could run a C-based database in pure Java, with zero configuration, and even compile it to a native image effortlessly? With the new Quarkiverse extension , you can do exactly that.  Traditionally, embedded databases in Java require reimplementing their C counterparts, often leading to differences in behavior, missing optimizations, and delayed bug fixes. However, provides a JDBC driver that leverages the original SQLite C implementation while running safely inside a sandbox.   HANDS-ON EXAMPLE  To see in action, you can start with any existing Quarkus application or one of the . If you prefer a ready-made example, check out , which integrates SQLite within a Quarkus application using Hibernate ORM.  By simply changing the JDBC driver dependency, you can embed a fully functional SQLite database inside your application while retaining all the benefits of the native SQLite implementation.  To get started, add the extension dependency to your pom.xml:  <dependency>     <groupId>io.quarkiverse.jdbc</groupId>     <artifactId>quarkus-jdbc-sqlite4j</artifactId> </dependency>  Then, configure your Quarkus application to use SQLite with standard JDBC settings:  quarkus.datasource.db-kind=sqlite quarkus.datasource.jdbc.url=jdbc:sqlite:sample.db quarkus.datasource.jdbc.min-size=1  You can now use your datasource as you normally would with Hibernate and Panache. Note that we keep a minimum connection pool size > 0 to avoid redundant copies from disk to memory of the database.   RUNNING IN A SECURE SANDBOX  Under the hood, SQLite runs in a fully in-memory sandboxed environment, ensuring security and isolation.    When a connection to a local file is opened, the following occurs:   1. The database file is copied from disk to an in-memory Virtual FileSystem.   2. A connection is established to the in-memory database.  While this approach is highly secure, many users need to persist database changes. One recommended solution is to periodically back up the in-memory database to disk. This can be achieved through a scheduled job that:   1. Backs up the in-memory database to a new file.   2. Copies the backup to the host file system.   3. Atomically replaces the old database file with the new backup.  This setup ensures a seamless experience while maintaining SQLite’s sandboxed security. You can adapt this approach to fit your specific needs.  Here’s a sample implementation:  @ApplicationScoped public class SQLiteBackup {     @ConfigProperty(name = \"quarkus.datasource.jdbc.url\")     String jdbcUrl;      @Inject     AgroalDataSource dataSource;      // Execute a backup every 10 seconds     @Scheduled(delay=10, delayUnit=TimeUnit.SECONDS, every=\"10s\")     void scheduled() { backup(); }      // Execute a backup during shutdown     public void onShutdown(@Observes ShutdownEvent event) { backup(); }      void backup() {         String dbFile = jdbcUrl.substring(\"jdbc:sqlite:\".length());          var originalDbFilePath = Paths.get(dbFile);         var backupDbFilePath = originalDbFilePath                                     .toAbsolutePath()                                     .getParent()                                     .resolve(originalDbFilePath.getFileName() + \"_backup\");          try (var conn = dataSource.getConnection();                 var stmt = conn.createStatement()) {             // Execute the backup             stmt.executeUpdate(\"backup to \" + backupDbFilePath);             // Atomically replace the DB file with its backup             Files.move(backupDbFilePath, originalDbFilePath,                 StandardCopyOption.ATOMIC_MOVE,                 StandardCopyOption.REPLACE_EXISTING);         } catch (IOException | SQLException e) {             throw new RuntimeException(\"Failed to back up the database\", e);         }     } }   TECHNICAL DEEP DIVE  compiles the official SQLite C to WebAssembly (Wasm), which is then translated into Java bytecode using the . This enables SQLite to run in a pure Java environment while maintaining its full functionality.     SECURITY AND ISOLATION  One of the key benefits of this approach is security. Running SQLite inside a Wasm sandbox ensures memory safety and isolates it from the host system, making it an excellent choice for applications that require embedded databases while avoiding the risks of native code execution.   CONCLUSION  With the new extension, you get the best of both worlds: the power and reliability of SQLite combined with the safety and portability of Java. This extension seamlessly integrates SQLite into Quarkus applications while maintaining a lightweight and secure architecture. Best of all, everything compiles effortlessly with native-image.  Ready to try it out? Give a spin in your projects and experience the benefits of running SQLite in pure Java with Quarkus!   PRIOR ART   *    * "
+  "content": "Make sure you read Mario Fusco’s two-part blog about Agentic AI with Quarkus, where he discusses common workflows and agentic AI patterns and architectures, with practical examples using Quarkus and LangChain4j. Learn about the power of intelligent applications by combining the robustness of Java, the efficiency of Quarkus, and the advanced capabilities of RAG in a great article by Daniel Oh. Emil Lefkof gives a real-world example of how LangChain4j and AI can be leveraged to automatically extract structured metadata from PDF documents. Leveraging the combination of LangChain4j and Google Gemini AI proves to be a powerful approach for automating document analysis workflows. \"Performance & Productivity: Rethinking Java Dependencies for the Cloud Era\" by Markus Eisele discusses how Quarkus extensions are curated, lightweight, and optimized for microservices and serverless.  You will also see the latest Quarkus Insights episodes, top tweets/discussions and upcoming Quarkus attended events.  Check out !  Want to get newsletters in your inbox? using the on page form."
 }
Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`		`- "title": "How Orange leverages Quarkus for seamless access to Telco network capabilities",`
`3`		`- "link": "https://quarkus.io/blog/orange-telco-core-network-api-management-with-quarkus/",`
	`2`	`+ "title": "Sender-constraining access tokens with Quarkus OIDC",`
	`3`	`+ "link": "https://quarkus.io/blog/sender-constraining-tokens/",`
`4`	`4`	`"author": [`
`5`	`5`	`{`
`6`		`- "name": "Thomas Segismont",`
	`6`	`+ "name": "Sergey Beryozkin",`
`7`	`7`	`"avatar": null`
`8`	`8`	`}`
`9`	`9`	`],`
`10`		`- "date": "2025-03-18T00:00:00.000Z",`
	`10`	`+ "date": "2025-03-19T00:00:00.000Z",`
`11`	`11`	`"feed_title": "Quarkus",`
`12`		- "content": "INTRODUCTION As a global telecommunications leader, has always been at the forefront of innovation. Along with Deutsche Telekom, Telefónica, and Vodafone, Orange co-founded the , an initiative aimed at simplifying the consumption of 5G APIs for third-party application developers. To achieve this goal, Orange needed a flexible and lightweight framework capable of handling constrained API exposure while ensuring compatibility with existing network core systems. After a rigorous evaluation of multiple frameworks and toolkits — including Quarkus, Ktor, Micronaut, and Vert.x — Orange selected Quarkus as the ideal solution. , software craftsman at Orange, told us why. WHY QUARKUS? A FRAMEWORK EVALUATION The team at Orange identified application startup time as a barrier to dynamic Kubernetes pod management. So they embarked on a comparative study to test alternatives to Spring Boot in a well-defined API wrapper exposure context. Key evaluation criteria included: * Learning Curve: How easily could a Spring developer transition? * Kotlin Compatibility: Could the framework work seamlessly with Kotlin? * Runtime footprint: Could it operate efficiently in a constrained environment? * Ease of Deployment: How smoothly could it be deployed on Kubernetes? After extensive testing, Quarkus stood out for multiple reasons: * Simplicity: A relatively simple learning curve, especially for those familiar with JAX-RS / Jakarta REST. * Dev Mode: Very fast startup, live reload and zero configuration Dev Services (Vault, Redis) result in great developer productivity. * Modularity: Only required dependencies were embedded, keeping applications lean. * Documentation: Well-organized, versioned documentation with working examples. * Native Compilation: The ability to generate compact native binaries for Kubernetes deployment. Despite the strong competition from a vibrant JVM ecosystem, these advantages made Quarkus the preferred choice for exposing 5G APIs at Orange. LESSONS LEARNED FROM ADOPTING QUARKUS MIGRATION & DEVELOPMENT EXPERIENCE Transitioning from Spring to Quarkus was not overly complex, especially for those familiar with JAX-RS / Jakarta REST. The significantly enhanced productivity in dev and test modes, but required careful consideration for their CI/CD environments, where no container runtime is available. The modular approach ensured applications remained lightweight but introduced a large number of small dependencies to manage. SPEC-FIRST API DEVELOPMENT As spec-first practitioners, integrating OpenAPI specification generation was a crucial requirement that Quarkus handled effectively. JAVA & KOTLIN INTEROPERABILITY While Quarkus supports Kotlin, writing full Kotlin extensions proved challenging at times. The team retained some Java code, and Java-Kotlin interoperability worked smoothly. NATIVE COMPILATION & PERFORMANCE Native compilation produced compact native executables, but the process of producing them was lengthy. The team reserved it for the final build stage when absolutely necessary. Some fine-tuning was required to prevent class pruning issues. When building native executables, the call tree is analyzed to determine which classes and methods are used. Everything that is not used is pruned to reduce the size of the executable and the RSS usage. In some cases, e.g. when using reflection, you will have to declare explicitly that a class is used so that it ends up being included in the native executable. Quarkus provides tooling to simplify this configuration. REACTIVE PROGRAMMING & MUTINY Having worked extensively with Reactor, the transition to Mutiny had a learning curve. While effective and more intuitive thanks to its navigable API, it was perceived as more verbose for the simple cases. ARCHITECTURE OVERVIEW Orange designed a microservices-based architecture to expose 5G APIs efficiently. MICROSERVICES & API WRAPPERS Each API wrapper was implemented as a dedicated microservice for better version control. The team leveraged Reactive APIs wherever possible, since there are a lot of time-consuming asynchronous tasks to be performed on the core network side and saving resources is a business goal. CI/CD & DEPLOYMENT Each microservice had its own GitLab repository with an independent build pipeline for its Docker image. Renovate was used to automate dependency upgrades. A dedicated deployment project pushed new Docker images to an OpenShift cluster using Kustomize + ArgoCD. INFRASTRUCTURE COMPONENTS Additional services included: * Vault for secrets management * Redis for caching * Neo4j for database operations * Kafka for messaging Vert.x HTTP Proxy was used for routing and backend protection. RESULTS & IMPACT After implementing Quarkus in production, Orange successfully deployed ten APIs across various 4G/5G network cores. Over time, the team performed multiple Quarkus version upgrades (2.11 → 3.14), all well-managed through Renovate with minimal code adaptation—except for necessary adjustments during the migration to Jakarta EE."
	`12`	+ "content": "INTRODUCTION Single-page application (SPA) runs in the browser and uses to log-in users, without depending on Quarkus OIDC. When the authentication is complete, SPA sends the access token to access Quarkus on behalf of the authenticated user. Have a look at the simple diagram showing how this process works, copied to this post from the : As illustrated in the picture above, the OIDC provider authenticates the current user, SPA receives ID and access tokens and uses the access token to access the Quarkus endpoint. The security challenge that the OAuth2 experts have been trying to address is how to prove that the client such as SPA which is sending the token actually owns this token ? There is nothing in the HTTP Authorization: Bearer <token> header that proves that SPA did not leak the token. Two specifications for sender-constraining access tokens have emerged over the years, and . MUTUAL TLS CLIENT AUTHENTICATION AND CERTIFICATE-BOUND ACCESS TOKENS specification describes how access tokens can be cryptographically bound to the MTLS client certificate. By proving that the access token is bound to the client certificate, the Quarkus application can get a high degree of confidence that the current access token is constrained to, owned by the client which authenticated to Quarkus over MTLS. Implementing the cryptographic binding is not complex in this case. The current access token is expected to contain a confirmation with the SHA-256 certificate thumbprint and it must match the thumbprint of the current MTLS client certificate. If the token is in JWT format, then it must include a confirmation claim. If the token is binary then the confirmation must be included in the remote token introspection response. Such a binding can only be successful if the OpenId Connect provider has access to the same client certificate which is used during the MTLS authentication to Quarkus. The downside of using the MTLS token binding is that correctly configuring the OpenId Connect provider, ensuring that browsers can request an X509 certiticate authentication when SPA redirects the user to authenticate to the OIDC provider is complex. If you are a Keycloak user, check the in the Advanced Configuration section of the and the community blog post. As far as Quarkus is concerned, you only need to set a single OIDC configuration property, quarkus.oidc.token.binding.certificate=true, in addition to the Vert.x HTTP MTLS configuration, to enforce the MTLS token binding. See the documentation for more details. DEMONSTRATING PROOF-OF-POSSESSION (DPOP) specification describes how access tokens can be cryptographically bound to special JWT tokens called DPoP proofs. The SPA client generates a private and public key pair, and creates a DPoP proof token to complete the access token acquisition from the OIDC provider. It then forwards this DPoP token to Quarkus with a new DPoP proof. The access token must be bound to the DPoP proof by containing a public JSON Web Key (JWK) key thumbprint which matches the thumbprint of the public JWK key contained in the DPoP proof. This binding can only be successful if the client uses the same public and private key pair for creating the DPoP proof to request the access token in the previous step and creating another DPoP proof for submitting it alongside the DPoP access token to Quarkus. Quarkus OIDC will also enforce . Support for custom is also planned. Adoption of DPoP, compared to that of the MTLS token binding, is expected to progress faster, because DPoP is an application-level protocol, with no expectation that the transport-level MTLS authentication takes place. However, correctly creating DPoP proofs at the SPA level is not straightforward and requires care. If you are a Keycloak user, then enabling an experimental dpop feature is sufficient to get started. Also check the in the Advanced Configuration section of the and the community blog post. As far as Quarkus is concerned, you only need to set a single OIDC configuration property, quarkus.oidc.token.authorization-scheme=dpop to accept DPoP tokens and enforce their binding to the accompanying DPoP proofs. See the documentation for more details. FINANCIAL-GRADE API (FAPI) is a general high-security API profile built on top of OAuth2. Both and specifications are included in the Financial-Grade API 2.0 . CONCLUSION In this article, we have discussed two important OAuth2 specifications for sender-constraining access tokens, and . Both of these token security elevation technologies can be easily supported in Quarkus OIDC, by using a single configuration property only, without having to write a lot of custom code and configuration. Please experiment with and in Quarkus and let us know what you think."
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`		`- "title": "Running SQLite in Pure Java with Quarkus",`
`3`		`- "link": "https://quarkus.io/blog/sqlite4j-pure-java-sqlite/",`
	`2`	`+ "title": "Quarkus Newsletter #54 - March",`
	`3`	`+ "link": "https://quarkus.io/blog/quarkus-newsletter-54/",`
`4`	`4`	`"author": [`
`5`	`5`	`{`
`6`		`- "name": "Andrea Peruffo",`
	`6`	`+ "name": "James Cobb",`
`7`	`7`	`"avatar": null`
`8`	`8`	`}`
`9`	`9`	`],`
`10`	`10`	`"date": "2025-03-12T00:00:00.000Z",`
`11`	`11`	`"feed_title": "Quarkus",`
`12`		- "content": "What if you could run a C-based database in pure Java, with zero configuration, and even compile it to a native image effortlessly? With the new Quarkiverse extension , you can do exactly that. Traditionally, embedded databases in Java require reimplementing their C counterparts, often leading to differences in behavior, missing optimizations, and delayed bug fixes. However, provides a JDBC driver that leverages the original SQLite C implementation while running safely inside a sandbox. HANDS-ON EXAMPLE To see in action, you can start with any existing Quarkus application or one of the . If you prefer a ready-made example, check out , which integrates SQLite within a Quarkus application using Hibernate ORM. By simply changing the JDBC driver dependency, you can embed a fully functional SQLite database inside your application while retaining all the benefits of the native SQLite implementation. To get started, add the extension dependency to your pom.xml: <dependency> <groupId>io.quarkiverse.jdbc</groupId> <artifactId>quarkus-jdbc-sqlite4j</artifactId> </dependency> Then, configure your Quarkus application to use SQLite with standard JDBC settings: quarkus.datasource.db-kind=sqlite quarkus.datasource.jdbc.url=jdbc:sqlite:sample.db quarkus.datasource.jdbc.min-size=1 You can now use your datasource as you normally would with Hibernate and Panache. Note that we keep a minimum connection pool size > 0 to avoid redundant copies from disk to memory of the database. RUNNING IN A SECURE SANDBOX Under the hood, SQLite runs in a fully in-memory sandboxed environment, ensuring security and isolation. When a connection to a local file is opened, the following occurs: 1. The database file is copied from disk to an in-memory Virtual FileSystem. 2. A connection is established to the in-memory database. While this approach is highly secure, many users need to persist database changes. One recommended solution is to periodically back up the in-memory database to disk. This can be achieved through a scheduled job that: 1. Backs up the in-memory database to a new file. 2. Copies the backup to the host file system. 3. Atomically replaces the old database file with the new backup. This setup ensures a seamless experience while maintaining SQLite’s sandboxed security. You can adapt this approach to fit your specific needs. Here’s a sample implementation: @ApplicationScoped public class SQLiteBackup { @ConfigProperty(name = \"quarkus.datasource.jdbc.url\") String jdbcUrl; @Inject AgroalDataSource dataSource; // Execute a backup every 10 seconds @Scheduled(delay=10, delayUnit=TimeUnit.SECONDS, every=\"10s\") void scheduled() { backup(); } // Execute a backup during shutdown public void onShutdown(@Observes ShutdownEvent event) { backup(); } void backup() { String dbFile = jdbcUrl.substring(\"jdbc:sqlite:\".length()); var originalDbFilePath = Paths.get(dbFile); var backupDbFilePath = originalDbFilePath .toAbsolutePath() .getParent() .resolve(originalDbFilePath.getFileName() + \"_backup\"); try (var conn = dataSource.getConnection(); var stmt = conn.createStatement()) { // Execute the backup stmt.executeUpdate(\"backup to \" + backupDbFilePath); // Atomically replace the DB file with its backup Files.move(backupDbFilePath, originalDbFilePath, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING); } catch (IOException \| SQLException e) { throw new RuntimeException(\"Failed to back up the database\", e); } } } TECHNICAL DEEP DIVE compiles the official SQLite C to WebAssembly (Wasm), which is then translated into Java bytecode using the . This enables SQLite to run in a pure Java environment while maintaining its full functionality. SECURITY AND ISOLATION One of the key benefits of this approach is security. Running SQLite inside a Wasm sandbox ensures memory safety and isolates it from the host system, making it an excellent choice for applications that require embedded databases while avoiding the risks of native code execution. CONCLUSION With the new extension, you get the best of both worlds: the power and reliability of SQLite combined with the safety and portability of Java. This extension seamlessly integrates SQLite into Quarkus applications while maintaining a lightweight and secure architecture. Best of all, everything compiles effortlessly with native-image. Ready to try it out? Give a spin in your projects and experience the benefits of running SQLite in pure Java with Quarkus! PRIOR ART * * "
	`12`	+ "content": "Make sure you read Mario Fusco’s two-part blog about Agentic AI with Quarkus, where he discusses common workflows and agentic AI patterns and architectures, with practical examples using Quarkus and LangChain4j. Learn about the power of intelligent applications by combining the robustness of Java, the efficiency of Quarkus, and the advanced capabilities of RAG in a great article by Daniel Oh. Emil Lefkof gives a real-world example of how LangChain4j and AI can be leveraged to automatically extract structured metadata from PDF documents. Leveraging the combination of LangChain4j and Google Gemini AI proves to be a powerful approach for automating document analysis workflows. \"Performance & Productivity: Rethinking Java Dependencies for the Cloud Era\" by Markus Eisele discusses how Quarkus extensions are curated, lightweight, and optimized for microservices and serverless. You will also see the latest Quarkus Insights episodes, top tweets/discussions and upcoming Quarkus attended events. Check out ! Want to get newsletters in your inbox? using the on page form."
`13`	`13`	`}`