Most of the conversation around Oorian's extension ecosystem has focused on UI Extensions—wrappers around JavaScript libraries like Chart.js, AG Grid, and Leaflet that bring rich client-side components into Java code. But UI components are only half the story. Production web applications need bot protection, cookie consent, payment processing, analytics, and authentication. That's what Add-Ons are for.
What Are Add-Ons?
Add-Ons are server-side integrations that connect an Oorian application to external services and capabilities. While UI Extensions wrap JavaScript libraries to render visual components in the browser, Add-Ons handle work that happens on the server: verifying bot protection tokens, managing cookie consent, parsing content, processing payments, and authenticating users.
The distinction is straightforward:
- UI Extensions wrap a JavaScript library. They add CSS and JS files to the page, render visual components, and handle client-side interactions. Examples: Chart.js, Leaflet, SweetAlert2.
- Add-Ons provide server-side functionality. Some include a small UI component (like a consent banner or an invisible reCAPTCHA widget), but their core work happens in Java on the server. Examples: reCAPTCHA, Cookie Consent, Markdown.
Both will follow the same Oorian conventions—consistent API patterns, Java-only configuration, no custom JavaScript required—but they solve fundamentally different problems.
reCAPTCHA Add-On
The reCAPTCHA Add-On will integrate Google's reCAPTCHA v3 into Oorian forms. It handles the invisible widget, token generation, automatic token refresh, and server-side verification—all from Java.
Configuration is a one-time setup in the Application class:
ReCaptchaConfig.setSiteKey("your-site-key");
ReCaptchaConfig.setSecretKey("your-secret-key");From there, adding bot protection to a form means adding the reCAPTCHA script to the page head and dropping a ReCaptcha component into the form:
// In createHead():
ReCaptchaConfig.addScript(head);
// In your form:
form.addElement(new ReCaptcha("contact"));When the form is submitted, server-side verification is a single method call:
String token = params.getParameterValue(ReCaptcha.INPUT_NAME);
if (!ReCaptchaVerifier.verify(token, 0.5))
{
// Score below threshold - likely a bot
return;
}The verify() method sends the token to Google's API and checks the returned score against a threshold (0.0 to 1.0, where 1.0 means definitely human). reCAPTCHA v3 is completely invisible to the user—no "click all the traffic lights" puzzles. The widget silently scores user behavior, and the developer decides the threshold.
Cookie Consent Add-On
The Cookie Consent Add-On will provide a GDPR-compliant consent management system: a customizable banner, cookie category management, and server-side consent checking for conditionally loading tracking scripts.
Adding a consent banner looks like this:
CookieConsent consent = new CookieConsent();
consent.setMessage("We use cookies to improve your experience and analyze site traffic.");
consent.setPolicyUrl("/privacy");
consent.setShowCustomize(true);
body.addElement(consent);The banner renders at the bottom of the page with Accept, Reject, and Customize buttons. Customize reveals checkboxes for four cookie categories: Necessary (always enabled), Analytics, Marketing, and Preferences. The user's choice is stored in a cookie so the banner doesn't reappear.
The important part happens on the server. Before rendering a page, the application checks what the user consented to and only loads the appropriate scripts:
String consentValue = getCookieValue(CookieConsentConfig.getCookieName());
if (CookieConsentConfig.hasConsent(consentValue, CookieCategory.ANALYTICS))
{
// User consented to analytics - load Google Analytics
head.addJavaScript("https://www.googletagmanager.com/gtag/js?id=G-XXXXXX");
}This is proper GDPR compliance: tracking scripts are never sent to the browser unless the user has explicitly consented. The decision happens on the server before the page is rendered—no client-side race conditions.
Markdown Add-On
The Markdown Add-On is a pure Java Markdown parser that converts Markdown text directly into native Oorian HTML elements. No JavaScript Markdown library, no client-side rendering—the parsing happens entirely on the server.
String markdown = "# Welcome\n\n"
+ "This is **bold** and *italic* text.\n\n"
+ "- Item one\n"
+ "- Item two\n"
+ "- Item three\n";
Div content = MarkdownParser.parse(markdown);
container.addElement(content);The parse() method returns a Div containing native Oorian elements—H1, P, Ul, Li, Span, and so on. These are real Oorian objects that can be styled, manipulated, and composed like any other element.
The parser supports a comprehensive subset of Markdown and GitHub Flavored Markdown: headings, bold, italic, strikethrough, inline code, ordered and unordered lists with nesting, fenced code blocks with language identifiers, blockquotes, links, images, horizontal rules, and GFM tables with column alignment.
For single-line inline Markdown, there's parseInline():
Span formatted = MarkdownParser.parseInline("Check out **Oorian** at [oorian.com](https://oorian.com)");
container.addElement(formatted);This will be useful for CMS-driven content, documentation pages, user-generated text, or anywhere content is stored as Markdown and needs to be rendered as HTML.
RSS Add-On
The RSS Add-On provides a complete RSS 2.0 feed generator that builds valid XML feeds entirely in Java. It handles the boilerplate of RSS formatting—date formatting, XML escaping, namespace declarations, content encoding—so the developer just provides the data.
Creating a feed is straightforward:
RssFeedBuilder feed = new RssFeedBuilder();
feed.setTitle("My Application Blog");
feed.setLink("https://example.com/blog");
feed.setDescription("Latest posts from our blog");
for (BlogPost post : blogPosts)
{
RssItem item = feed.addItem();
item.setTitle(post.getTitle());
item.setLink(post.getLink());
item.setPubDate(post.getPubDate());
item.setAuthor(post.getAuthor());
item.setCategory(post.getCategory());
item.setDescription(post.getDescription());
item.setContent(post.getContent());
}
String xml = feed.toXml();The builder produces a fully compliant RSS 2.0 document with content:encoded for full HTML content, dc:creator for authors, atom:link for self-referencing, and proper RFC 822 date formatting. Image enclosures, channel images, and custom namespaces are all supported.
For Oorian web applications, the Add-On also provides an RssFeedFile base class that extends HttpFile, making it easy to serve the feed at any URL:
@Page("/feed.xml")
public class BlogFeed extends RssFeedFile
{
@Override
protected RssFeedBuilder createFeed()
{
RssFeedBuilder feed = new RssFeedBuilder();
feed.setTitle("My Blog");
feed.setLink("https://example.com/blog");
// Add items...
return feed;
}
}The base class handles content type headers (application/rss+xml), character encoding, cache control, and XML output. The developer just implements createFeed() to provide the content.
This is a pure server-side Add-On—no JavaScript, no client-side rendering. It generates XML on the server and serves it as a file. It pairs naturally with the Markdown Add-On for applications where content is authored in Markdown and syndicated via RSS.
What Else Is Planned
reCAPTCHA, Cookie Consent, Markdown, and RSS are the first four Add-Ons being developed, but there are 14 more on the roadmap. Here's what we're planning:
Analytics & Tracking
- Google Analytics / GA4 — Traffic and usage analytics using the GA4 measurement protocol.
- Google Tag Manager — Tag management for deploying marketing and analytics tags without code changes.
- Matomo Analytics — Self-hosted web analytics with full data ownership.
- Plausible Analytics — Lightweight, privacy-friendly analytics without cookies.
- PostHog — Product analytics with session recording, feature flags, and A/B testing.
Authentication & Security
- OAuth 2.0 / Social Login — OAuth 2.0 client support for Google, GitHub, and other identity providers.
- TOTP / Two-Factor Authentication — Time-based one-time passwords for login security.
Payments & Commerce
- Stripe Elements — Payment processing for subscriptions, one-time payments, and invoicing.
- PayPal Buttons — PayPal checkout, subscriptions, and payouts.
- LemonSqueezy — All-in-one payment and subscription management for digital products.
Error Tracking & Monitoring
- Sentry — Real-time error tracking and performance monitoring.
PWA & Push Notifications
- PWA Support — Service workers, offline capability, and installability.
- Web Push Notifications — Browser push notifications for re-engaging users.
Third-Party Integrations
- Jira Issues — Create, query, and manage Jira issues from an Oorian application.
- Zoom — Schedule, launch, and manage video conferences.
Every Add-On will follow the same pattern: configure once in the Application class, use from Java, no JavaScript required. They're designed to be drop-in additions that integrate naturally with the rest of an Oorian application.
Add-Ons vs. UI Extensions
| UI Extensions | Add-Ons | |
|---|---|---|
| Purpose | Rich client-side UI components | Server-side integrations and services |
| Wraps | JavaScript library (CSS + JS files) | External API or server-side logic |
| Rendering | Client-side (browser) | Server-side (Java) |
| Examples | Chart.js, AG Grid, Leaflet | reCAPTCHA, Cookie Consent, Stripe, RSS |
Together, UI Extensions and Add-Ons will provide a complete toolkit for building production web applications entirely in Java—from interactive charts and maps to bot protection, GDPR compliance, and payment processing.