BoxLang 🚀 A New JVM Dynamic Language Learn More...

Ortus ORM Extension

v6.5.2 Lucee Extensions

Lucee Hibernate Extension (ORM)

the Ortus ORM Extension logo

Java CI Latest


Lucee or above.


You can install this extension into a preconfigured Lucee server via Commandbox:

box install D062D72F-F8A2-46F0-8CBC91325B2F067B

This will not work unless box server start has been run first to set up the Lucee engine directories. Use --dryRun to set up the Lucee server without actually starting the server process. This will prevent ORM from attempting to initialize before the extension is installed:

box> server start --dryRun
box> install D062D72F-F8A2-46F0-8CBC91325B2F067B
box> server start


"I am the way, and the truth, and the life; no one comes to the Father, but by me (JESUS)" Jn 14:1-12


All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.


6.5.2 - 2024-02-21

🐛 Fixed

  • Fixes a regression on OOE-26 where empty string values are coerced to NULL when an ORM type is declared. Originally reported against 6.4.0, resolved in 6.5.0, then regressed in 6.5.1. - Resolves OOE-26.

6.5.1 - 2024-02-20

🐛 Fixed

  • Fixes empty string values coercing to NULL when no property type is declared. - Resolves OOE-25, introduced in 6.5.0.

6.5.0 - 2024-02-16

🐛 Fixed

  • Fixes an incorrect property name lookup for the unsavedValue persistent property attribute.
  • Fixes the pre-event listeners to ignore empty strings in entity state properties if the field type is one of string, character, or text. This resolves issues where a preInsert() or preUpdate() throws a "can't cast [] to date value" when processing event listeners if a date field (for example) is unpopulated or has an empty default attribute.

♻️ Changed

Add the entity name to the exception message when attempting to persist changes from preInsert or preUpdate event listeners. The updated exception message is now:

Error populating event state for persistance in [<entity name>] entity pre-event listener method: <error message from Hibernate>

🔐 Security

Bump Lucee build dependency to to avoid vulnerable dependencies in the build process.

6.4.0 - 2023-12-05

🔐 Security

Resolve an Uncontrolled Resource Consumption vulnerability disclosed on 12/4/2023 by upgrading logback-core to 1.3.14. See vulnerability details.

⭐ Added

New ORMQueryExecute() alias for the ORMExecuteQuery. This new alias behaves identically to the ORMExecuteQuery() method, but is named consistently with the queryExecute() method.

🐛 Fixed

  • Fixes custom configuration support via this.ormSettings.ormConfig.
  • Fixes named argument support for entityLoad() - LDEV-4285
  • Fixes named argument support for entityLoadByPK() - LDEV-4461

♻️ Changed

While not technically a change in ORM functionality, the useDBforMapping implementation has been greatly improved "under the hood", with tests to boot.

6.3.2 - 2023-09-29

🐛 Fixed

Fixed pre-event listeners to include parent component properties when checking for entity mutations to persist back to the event entity state. This resolves issues with changes made in preInsert()/preUpdate() not persisting if the changes are made on a persistent property from a parent component. Resolves OOE-14.

6.3.1 - 2023-09-26

🐛 Fixed

Refactored nullability checks to occur after pre-event listener methods fire. Resolves OOE-12

⭐ Added

Added context to the error message in CFCGetter, which handles retrieving entity values from Hibernate code. This improves odd error messages in some edge cases with the Hibernate tuplizer.

6.3.0 - 2023-08-18

🔐 Security

Switched the EHCache library to use net.sf.ehcache.internal:ehcache-core.

  • Upgrades EHCache version from 2.10.6 to
  • Drops an embedded rest-management-private-classpath directory
  • Drops a number of (unused) vulnerable jackson and jetty libraries such as jackson-core.
  • As an added bonus, this reduces the final .lex extension file size by over 6 MB. 🎉

Note: While it is not 100% clear, some of these CVEs may have been false positives.

6.2.0 - 2023-08-03

♻️ Changed

Hibernate Upgraded from 5.4 to 5.6

This brings the Hibernate dependencies up to date (released Feb. 2023), and should not change any CFML-facing features for most users. (See CLOB columns in Postgres81)

See the migration guides for more info:

CLOB columns in Postgres81

Due to the Hibernate 5.6 upgrade, if you are using the PostgreSQL81 dialect and have CLOB columns in your database, it is recommended you migrate existing text columns for LOBs to oid.

Default EHCache Configuration

The default ehcache.xml for EHCache changed to include clearOnFlush="true" and diskSpoolBufferSizeMB="30MB" properties to match Adobe ColdFusion 9's default ehCache.xml config. Both these values represent default settings in EHCache itself.

🐛 Fixed

  • Fixes handling of "timezone"-typed column values. Previously, fields defined with ormtype="timezone" would neither use the default value nor allow new values to be set. OOE-10
  • Fixes entity state changes in preInsert()/preUpdate() listeners for properties with no default defined. OOE-9

6.1.0 - 2023-07-14

♻️ Changed

  • Lots of java source code cleanup that won't affect the CFML experience, but will aid in faster development and fewer bugs.

🐛 Fixed

  • Any hibernate exceptions returned during schema generation are once again logged to the Lucee ORM log file.

💥 Removed

  • Dropped the public getDialectNames() method from the Dialect class. This method was unused (to my knowledge) and unnecessary.

🔐 Security

[6.0.0] - 2023-07-01

⭐ Added

Second-Level Caching

The extension will now throw an error if you try to configure an unsupported cache provider like "jbosscache", "swarmcache", etc. Previously, the extension would silently switch to ehcache if any cache provider besides EHCache was configured.

Hibernate Logging

This version re-enables Hibernate logging via SLF4j and LogBack. Hibernate root and cache loggers are defaulted to ERROR level, while SQL logging is set to DEBUG if this.ormSettings.logSQL is enabled. (Set to true.)

OWASP Dependency CVE Scans

The extension GitHub Release page now generates a dependency CVE report via Jeremy Long's OWASP dependency-check maven plugin. Any known CVEs contained in dependencies ( excluding test and provided-scoped dependencies) will be noted in each release's CVE report artifact.

♻️ Changed

New Repo Layout

  • Java source moved to extension/src/main/java
  • All java classes are now under the ortus.extension.orm package
  • Dropped the java source format-on-push in favor of format-on-save IDE tooling

New Test Layout

  • Internal tests rewritten to native Testbox specs
  • Cloned all ORM tests from the Lucee repository
  • Updated to TestBox 5.0

New Build (and .jar file) Layout

We re-architected the build to inline most dependencies. I.e. we no longer copy in extension dependencies as (custom-built) OSGI bundles, but instead as compiled classes.

  • This resolves intermittent issues with bundle resolution and/or duplicate bundle collision upon installing the ORM extension into a Lucee server prior to uninstalling the Lucee Hibernate extension.
  • This also removes a number of direct dependencies on custom OSGI bundles, thus it is more reliable and will offer easier dependency upgrades with less pain.


  • The "node" attribute is deprecated in Hibernate 5.x, and is no longer generated on HBM/XML mapping files to avoid Hibernate warning that "Use of DOM4J entity-mode is considered deprecated".


  • The .fld definition file for all built-ins was missed during the conversion to a Maven build. (Since v5.4.29.25). This caused the orm*() and entity*() built-in method calls to be picked up by Lucee core before being routed to this extension. No known errors resulted from this mistake, but we feel embarrassed anyway. 😅
  • Clear ORM context data once per ORM reload, not once per ORM entity parsing. This should improve ORM startup/reload time and avoid difficult session or cache manager lifecycle issues.

[] - 2023-06-07

🐛 Fixed

We now set the JAXB ContextFactory system property based on the JRE version. If less than JRE 11, we set javax.xml.bind.context.factory=com.sun.xml.bind.v2.ContextFactory. If JRE 11 or greater, we set javax.xml.bind.JAXBContextFactory=com.sun.xml.bind.v2.ContextFactory.

This prevents the following warning from being logged on each ORM method call:

WARNING: Using non-standard property: javax.xml.bind.context.factory. Property javax.xml.bind.JAXBContextFactory should be used instead.

See OOE-3.

[] - 2023-05-29

🐛 Fixed

  • We now set a javax.xml.bind.context.factory=com.sun.xml.bind.v2.ContextFactory System property to ensure the JAXB API can find its implementation in CommandBox environments. This may trigger a log message, but shouldn't cause any concern. Vanilla Tomcat installations may need to overwrite or clear this property. LDEV-4276

[] - 2023-05-24

♻️ Changed

  • Improved logo for Lucee admin 🤩

🐛 Fixed

  • Entity changes made in onPreInsert() and onPreUpdate() do not persist OOE-2

[] - 2023-05-23

♻️ Changed

🐛 Fixed

[] - 2023-05-17

🔐 Security

[] - 2023-05-15

🐛 Fixed

  • ORMExecuteQuery ignores "unique" argument if options struct is passed

[] - 2023-05-11

⭐ Added

🐛 Fixed

♻️ Changed

  • Dramatic improvements in initialization performance
  • Cuts ORM reload time by 60%
  • Better build/test documentation
  • Improved maintenance and build docs

  • Install String
    $ install D062D72F-F8A2-46F0-8CBC91325B2F067B
  • JVM Argument
  • No collaborators yet.
    • {{ getFullDate("2023-05-11T16:52:52Z") }}
    • {{ getFullDate("2024-02-21T15:46:47Z") }}
    • 2,768
    • 21,817