[unscaled]

Nobody here was saying you should always write your own framework, which is what your engineers were trying to do. Vert.x is a a low-level framework when compared to Spring, so it doesn't provide much organization for your code. This is betrayed by the fact that there are higher-level frameworks written on top of Vert.x, like Quarkus.

What you are describing above is a skill issue. If the developers are bad, they'll be bad with any framework. As a proof, I can give you dozens of bloated, slow, buggy and hard to maintain Spring projects I've seen during my career. I can also list a bunch of successful projects we've built with Vert.x and a custom framework. At the same time, we also have a bunch of successful Spring projects. This has more to do with the skills of the team involved rather than the framework selection.

But when it comes to selecting your framework, there are good reasons we avoid Spring. Spring shines when it comes to having a bunch of built-in modules for everything: authentication, configuration, dependency injection, monitoring, various template engines and databases - whatever you want. The advantage is that you don't need to spend time investigating and arguing dependencies - they're all right there. It's also easy to structure your projects and to hire developers who claim to know Spring (whether they actually do understand how Spring works is another story).

But Spring has a lot of issues too:

- Performance: This is the main reason we avoid it for most projects. Spring is slow. This appears to be the main reason OP has created a Rust version of the Spring framework. Of course, Rust has less overhead than Java, but there are many Java frameworks that are faster than Spring. Spring is just proudly underoptimized. Almost anything else I could say about Spring or you could say about other frameworks may be subjective or anecdotal — but speed is easy to quantify. If you look at the TechEmpower benchmarks, there is an order of magnitude of difference between Spring and lightweight frameworks like Vert.x and Jooby and even some optimized heavyweight frameworks like Quarkus[1]. If you care about performance you just cannot use Spring.

- Inscrutable Magic: Spring has a lot of annotation-based magic. A lot of Spring enthusiasts like it, since it gets stuff done and reduces boilerplate. But it also makes your framework behavior hard to understand and scrutinize. If you want to know what an annotation does, you can't just click "go to definition" in your editor and look at its source code. You need to find out where all the possible annotation processors are and then read all the relevant code until you find how that particular annotation is processed into generated code or wrapper classes or whatever.

- Security: I beg to differ here. Spring Security can save you from the bugs that you would have if you wrote your own authentication code, but the code that Spring itself brings to the table does not have a very good track record. The sheer amount of CVEs found in Spring[2] is staggering. A lot of is due to popularity and exposure, but this is also due to Spring's desire to include everything under the sun and do as much as possible behind the scenes, with automagic. A great example of this approach is how Spring Actuator used to expose a lot of sensitive endpoints (including a full heapdump endpoint) by default, on a standard path. This needed you to add the actuator module, but a lot of servers included it because this is the standard way to enable health checks in Spring, and almost every cloud infrastructure nowadays requires health checks. The end result is that if you wanted your Spring Boot 1.5 web server to be secure, you'd had to explicitly disable these endpoints[3]. Even with modern Spring versions, the sensitive "/actuator/info" endpoint is still exposed by default.

[1] https://www.techempower.com/benchmarks/#hw=ph&test=fortune&s...

[2] https://spring.io/security

[3] https://docs.stackhawk.com/vulnerabilities/40042/

[dzonga]

I think you're leaving something out.

- the affinity for 'traditional' java guys to make code seem so complicated and be wrapped in so many layers.

the JVM is an excellent platform bar none. But if you work on a java codebase with the traditional guys - I feel sorry for you. there has to be so many "best practices" - Impl, Factory, Wrapper what what . what was supposed to be a simple endpoint - then a simple function for business logic is now wrapped in 5 or so classes.

then you add the magic of "Spring" and productivity & everything else slows down to molasses.

End of day if you're working on web services or internet stuff - you take in JSON, transform JSON, spit out JSON. That's been my experience. & that's not complicated to do. maybe other people can differ.

[npstr]

The performance argument I cannot subscribe to. We did extensive load testing in the past on different products, and the bottleneck in the end was always the DB (or more recently, getting screwed by OpenSSL v3). Sure Spring might not be the fastest in its class, but it's a cheap problem to solve, just fire up more or bigger VMs (as long as you've kept it stateless).

The security concerns about actuator I cannot subscribe to either. Why are your endpoints exposed to the outside by default? Why is the management port reachable from the outside? Why are devs not reading the docs and only enabling the endpoints they need?

The magic annotations part can definitely be a problem. Would recommend to stay away as much as possible and keep that simple. Only use it as a last resort, but boy can it be powerful. Need your own request scope that is bound to transactional commit/rollback? You can have that to for example only send out side effects when the transaction succeeds, or to build transparent caching solutions on request scope.

[signal11]

Spring’s security record prior to 6 was pretty interesting. They had a bunch of RCE causing vulns they wouldn’t even recognise as vulns (eg due to Java deserialisation issues), which wasn’t a great look for something in use in many large companies.

To be fair, Spring devs did say “don’t use it like that”, but devs of all skill levels use Spring, so that’s not great advice.

It is much better now, but of course the latest thing is that it’s now owned by Broadcom. So if you as a contractor are foisting Spring upon your clients, I hope you’re ready with a security/fixes strategy, because don’t expect Broadcom to support old versions of Spring forever. Or else you could just pay Broadcom $$$.

Good time to mention: users of open source Spring 5, it goes end of life this month. Hope you’re ready!

[chii]

> Inscrutable Magic ... need to find out where all the possible annotation processors are

or you read the documentation.

[marginalia_nu]

I don't think this is a good take.

Magic doesn't belong in software, and a well-designed library or framework doesn't need it to succinctly express the program logic in a way that isn't boilerplaty and bloated, not even in Java.

[weinzierl]

I may be as old and cynical as House MD but if there is anything decades in the business taught me it's that customers and documentation (esp. code comments) always lie.