Introduction to Apache Tomcat 7.0
Mark Thomas, Sr. Software Engineer, SpringSource
August 2010
© 2009 VMware Inc. All rights reserved

Introduction to Apache Tomcat 7 Presentation


DESCRIPTION

Overview of key new features and standards supported in Tomcat 7.0, by the Tomcat 7 release manager Mark Thomas.


Page 1: Introduction to Apache Tomcat 7 Presentation

© 2009 VMware Inc. All rights reserved

Introduction to Apache Tomcat 7.0

Mark Thomas, Sr. Software Engineer, SpringSource

August 2010

Page 2: Introduction to Apache Tomcat 7 Presentation

2

Agenda

Introduction

Overview

Servlet 3.0

JSP 2.2

EL 2.2

Other (non-specification) features

Current status

Useful resources

Questions

Page 3: Introduction to Apache Tomcat 7 Presentation

3

Introduction

Mark Thomas

Tomcat committer (6+ years) and PMC member

Commons committer (DBCP & Pool)

Apache Software Foundation Member

Apache Security Team member

Tomcat 4 release manager

Tomcat 7 release manager

Wrote a large proportion of the updates for Tomcat 7

Lead SpringSource Security Team

tc Server developer

Page 4: Introduction to Apache Tomcat 7 Presentation

4

Overview

           Tomcat 4   Tomcat 5   Tomcat 6   Tomcat 7
Servlet    2.3        2.4        2.5        3.0
JSP        1.2        2.0        2.1        2.2
EL                    (2.0)      2.1        2.2
Java       1.2?       1.4        1.5        1.6

Page 5: Introduction to Apache Tomcat 7 Presentation

5

Servlet 3.0

Page 6: Introduction to Apache Tomcat 7 Presentation

6

Servlet 3.0 – Asynchronous processing

Prior to Servlet 3.0, request/response processing was synchronous

Response processing can now be asynchronous

• Requests are still synchronous

More efficient use of Threads

All Filters and Servlets in the processing chain must support Async

Typical uses

• Accessing external resources

• Web services

• Databases

• Regular updates to users

• Stock ticker

• Progress indicator
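An asynchronous servlet of the kind the slide describes, added here as an example (it is not code from the presentation or from Tomcat). It assumes a hypothetical slow backend call, fetchQuote(), which is simulated with a sleep; the pool size, the 5 second timeout and the /ticker path are choices made for the example. The container thread returns as soon as startAsync() is called, the work runs on the application's own pool, and complete() hands the response back. The timeout listener is the part most often forgotten: without it a stalled backend holds the response open indefinitely.

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// asyncSupported must be true here AND on every Filter in the chain,
// otherwise startAsync() throws IllegalStateException.
@WebServlet(urlPatterns = "/ticker", asyncSupported = true)
public class TickerServlet extends HttpServlet {

    // Pool shared by all requests; sized for the example, not tuned.
    private ExecutorService workers;

    @Override
    public void init() {
        workers = Executors.newFixedThreadPool(4);
    }

    @Override
    public void destroy() {
        // Stop our own threads on undeploy; a live pool would pin the
        // web application class loader and leak memory on reload.
        workers.shutdownNow();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final AsyncContext ctx = req.startAsync(req, resp);
        // Bound the wait: a slow backend must not hold the response open forever.
        ctx.setTimeout(TimeUnit.SECONDS.toMillis(5));
        ctx.addListener(new AsyncListener() {
            public void onTimeout(AsyncEvent e) throws IOException {
                HttpServletResponse r = (HttpServletResponse) e.getAsyncContext().getResponse();
                r.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
                e.getAsyncContext().complete();
            }
            public void onError(AsyncEvent e) throws IOException {
                e.getAsyncContext().complete();
            }
            public void onComplete(AsyncEvent e) throws IOException { }
            public void onStartAsync(AsyncEvent e) throws IOException { }
        });

        // The container thread is released after submit() returns.
        workers.submit(new Runnable() {
            public void run() {
                try {
                    String quote = fetchQuote("ACME"); // slow external call (simulated)
                    ctx.getResponse().setContentType("text/plain");
                    ctx.getResponse().getWriter().println(quote);
                } catch (Exception ex) {
                    ((HttpServletResponse) ctx.getResponse())
                            .setStatus(HttpServletResponse.SC_BAD_GATEWAY);
                } finally {
                    try {
                        ctx.complete(); // hands the response back to the container
                    } catch (IllegalStateException alreadyDone) {
                        // the timeout listener completed it first; nothing to do
                    }
                }
            }
        });
    }

    // Hypothetical stand-in for a web service or database lookup.
    static String fetchQuote(String symbol) throws InterruptedException {
        Thread.sleep(500);
        return symbol + " 42.00";
    }
}
```

A filter mapped to /ticker that lacks asyncSupported would make startAsync() fail at runtime rather than at deployment, so the setting is worth checking across the whole chain when converting an existing application.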

Page 7: Introduction to Apache Tomcat 7 Presentation

7

Servlet 3.0 – web-fragment.xml & annotations

META-INF/web-fragment.xml

• Packaged with any JAR file

• Broadly same content allowed as web.xml

• Rules on ordering

Annotations – Servlets, Filters & Listeners

• Can be placed on any class in any JAR

• Scanned on start-up

• Only scanned if JAR is included in fragment ordering

Annotations – Security, File Upload

• Place on Servlets

• Scanned when Servlet is loaded

Both fragments and annotations give rise to security concerns

• Effective web.xml can be logged

Page 8: Introduction to Apache Tomcat 7 Presentation

8

Servlet 3.0 – Dynamic configuration

Alternative to web-fragment.xml

Programmatic

• More control

Used by ServletContextListeners

Addition of:

• Servlets

• Filters

• Listeners

Change session tracking modes

Change session cookie configuration

Set initialisation parameters

Declare security roles

Page 9: Introduction to Apache Tomcat 7 Presentation

9

Servlet 3.0 – Sessions

Adds session tracking based on SSL Session ID

• To URL and cookie based tracking

Session tracking methods application selectable

• Configure in ServletContextListener

• SSL based tracking has to be used on its own

• Now possible to disable URL based tracking (used to be mandatory)

Can control default parameters for session cookies

• Name – may be overridden by Tomcat

• Domain – may be overridden by Tomcat

• Path – may be overridden by Tomcat

• MaxAge

• Comment

• Secure – may be overridden by Tomcat

• HttpOnly – may be overridden by Tomcat
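The dynamic configuration (slide 8) and the session settings (slide 9) are both driven from a ServletContextListener. The listener below is an added example and is not code from the presentation or from Tomcat; ReportServlet, AuditFilter, the role names and the URL patterns are hypothetical. It registers a servlet and a filter programmatically, restricts session tracking to cookies so the session ID never appears in a URL, sets the cookie to HttpOnly and Secure, and declares the security roles. As the slide notes, Tomcat may still override the cookie name, domain, path, secure and httpOnly values from its own Context configuration.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class AppConfigListener implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Programmatic alternative to <servlet>/<filter> in web.xml or a fragment.
        ServletRegistration.Dynamic report = ctx.addServlet("report", ReportServlet.class);
        report.addMapping("/report/*");
        report.setInitParameter("format", "text");
        report.setAsyncSupported(true);

        FilterRegistration.Dynamic audit = ctx.addFilter("audit", AuditFilter.class);
        audit.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
        audit.setAsyncSupported(true);

        // Cookie-only tracking: disables URL rewriting, so the session ID cannot
        // leak through Referer headers, bookmarks or access logs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // script cannot read it (degree of XSS protection)
        cookie.setSecure(true);   // only sent over TLS
        cookie.setMaxAge(-1);     // browser-session cookie, not persisted to disk
        // Tomcat may override name, domain, path, secure and httpOnly.

        // Roles referenced by isUserInRole(); hypothetical names.
        ctx.declareRoles("admin", "reporter");
    }

    public void contextDestroyed(ServletContextEvent sce) { }

    // Hypothetical servlet registered above; public static so the container can instantiate it.
    public static class ReportServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (!req.isUserInRole("reporter")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("report format: " + getInitParameter("format"));
        }
    }

    // Hypothetical filter registered above: records who asked for what.
    public static class AuditFilter implements Filter {
        private FilterConfig config;

        public void init(FilterConfig filterConfig) { this.config = filterConfig; }

        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            String user = http.getUserPrincipal() == null ? "-" : http.getUserPrincipal().getName();
            config.getServletContext().log("audit user=" + user + " uri=" + http.getRequestURI());
            chain.doFilter(req, resp);
        }

        public void destroy() { }
    }
}
```

setSessionTrackingModes() and the cookie configuration are only accepted while the context is initialising, which is why they sit in contextInitialized(); calling them later raises IllegalStateException.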

Page 10: Introduction to Apache Tomcat 7 Presentation

10

Servlet 3.0 – Miscellaneous

httpOnly

• Not in any of the specifications

• However, widely supported

• Prevents scripts accessing the cookie content

• Provides a degree of XSS protection

File upload

• Very similar to commons file upload

• Used by the Manager application

Programmatic login

• Useful when creating a new user account

• Can log the user in without redirecting them to the login page
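Programmatic login as the slide describes, added here as an example rather than taken from the presentation or from Tomcat. It assumes the account has already been written to whatever store the web application's configured Realm reads (that step is application specific and is left out), and that the form posts username and password fields. request.login() authenticates through the Realm and establishes the user for the session in the same way the login page would; the servlet also records whether the session ID changed across the call, which is the session fixation protection listed later in the deck.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/register-login")
public class RegistrationLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null || password.length() < 8) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "username and a password of at least 8 characters are required");
            return;
        }

        // Assumption: the account has just been created in the store the Realm uses.

        // Session ID seen by the client before authentication.
        String idBefore = req.getSession(true).getId();

        try {
            // Authenticates against the Realm without redirecting to the login page.
            req.login(user, password);
        } catch (ServletException e) {
            // Wrong credentials or the user is already logged in.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Tomcat 7 changes the session ID on authentication, so an ID obtained
        // before login is no longer valid for the authenticated session.
        String idAfter = req.getSession().getId();
        getServletContext().log("login for " + req.getUserPrincipal().getName()
                + ", session id changed: " + !idBefore.equals(idAfter));

        resp.sendRedirect(req.getContextPath() + "/account");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Logout is the counterpart: clears the authenticated user for this request/session.
        if ("logout".equals(req.getParameter("action")) && req.getUserPrincipal() != null) {
            req.logout();
            req.getSession().invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Keeping login on POST and logout behind an explicit action keeps both operations away from simple link-following, which matches the "correct use of GET and POST" change made to the Manager application later in the deck.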

Page 11: Introduction to Apache Tomcat 7 Presentation

11

JSP 2.2

Page 12: Introduction to Apache Tomcat 7 Presentation

12

JSP 2.2 – JSP Property Group changes

Three new configuration settings

<jsp-config>
  <jsp-property-group>
    <url-pattern>*.jsp</url-pattern>
    <default-content-type>text/html</default-content-type>
  </jsp-property-group>
  <jsp-property-group>
    <url-pattern>*.jsp</url-pattern>
    <buffer>4096</buffer>
  </jsp-property-group>
  <jsp-property-group>
    <url-pattern>*.jsp</url-pattern>
    <error-on-undeclared-namespace>true</error-on-undeclared-namespace>
  </jsp-property-group>
</jsp-config>

Page 13: Introduction to Apache Tomcat 7 Presentation

13

Expression Language 2.2

Page 14: Introduction to Apache Tomcat 7 Presentation

14

EL 2.2 – Method invocations

EL 2.2 adds support for method invocations

<html>
<head><title>EL method test cases</title></head>
<body>
<%
  TesterBeanA beanA = new TesterBeanA();
  TesterBeanB beanB = new TesterBeanB();
  beanB.setName("Tomcat");
  beanA.setBean(beanB);
  pageContext.setAttribute("testBeanA", beanA);
  pageContext.setAttribute("testBeanB", beanB);
%>
<tags:echo echo="00-${testBeanA[\"bean\"].sayHello('JUnit')}" />
<tags:echo echo="01-${testBeanA.bean.sayHello('JUnit')}" />
<tags:echo echo="02-${testBeanB.sayHello('JUnit')}" />
</body>
</html>

Page 15: Introduction to Apache Tomcat 7 Presentation

15

Other Tomcat 7 changes

Page 16: Introduction to Apache Tomcat 7 Presentation

16

Tomcat 7 – Memory leak protection

It has been back-ported to Tomcat 6

Two aspects

• Prevention for JVM context class loader based leaks

• Detection (and fixing where possible) of application leaks

Application leaks include leaks in 3rd party libraries

JDBC drivers

• Should be de-registered

ThreadLocals

• Should be set to null

Threads

• Should be stopped

Also fixes issues with ResourceBundle, RMI & Security Policies
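The three application-side causes on the slide (JDBC drivers left registered, ThreadLocals left set, threads left running) are all things the application itself can clean up in contextDestroyed(), so that Tomcat's detection has nothing to report. The listener below is an added example, not code from the presentation or from Tomcat; the thread pool and the ThreadLocal are constructed for the example and stand in for whatever the application or its libraries create.

```java
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

@WebListener
public class LeakSafeShutdownListener implements ServletContextListener {

    // Constructed for the example: a ThreadLocal holding a class from this web app.
    static final ThreadLocal<StringBuilder> SCRATCH = new ThreadLocal<StringBuilder>();

    // Constructed for the example: threads started by the application.
    private ExecutorService pool;

    public void contextInitialized(ServletContextEvent sce) {
        pool = Executors.newFixedThreadPool(2);
        SCRATCH.set(new StringBuilder());
    }

    public void contextDestroyed(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // 1. Threads: stop what we started, or the threads keep the web app
        //    class loader reachable after undeploy.
        pool.shutdownNow();
        try {
            if (!pool.awaitTermination(5, TimeUnit.SECONDS)) {
                ctx.log("worker pool did not stop within 5s");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }

        // 2. JDBC drivers: DriverManager lives in the system class loader, so a
        //    driver loaded from WEB-INF/lib pins this web app until deregistered.
        ClassLoader webappLoader = getClass().getClassLoader();
        Enumeration<Driver> drivers = DriverManager.getDrivers();
        while (drivers.hasMoreElements()) {
            Driver driver = drivers.nextElement();
            if (driver.getClass().getClassLoader() == webappLoader) {
                try {
                    DriverManager.deregisterDriver(driver);
                    ctx.log("deregistered JDBC driver " + driver.getClass().getName());
                } catch (SQLException e) {
                    ctx.log("could not deregister " + driver.getClass().getName(), e);
                }
            }
        }

        // 3. ThreadLocals: remove() clears the value on the current thread only.
        //    Values left on other container threads are what Tomcat's detection
        //    reports, since they cannot be cleared from here.
        SCRATCH.remove();
    }
}
```

The class loader comparison in step 2 matters: DriverManager may also list drivers provided by the container or the JVM, and deregistering those would affect other web applications on the same Tomcat.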

Page 17: Introduction to Apache Tomcat 7 Presentation

17

Tomcat 7 – Alias support

New <Context .../> attribute

aliases

• “/aliasPath1=docBase1,/aliasPath2=docBase2”

docBaseN can be a WAR or a directory

• Must be absolute paths

Contents NOT deleted on undeploy

Possible uses:

• Providing common content to multiple web applications from a single location

• Providing alternative paths to resources when embedding (e.g. WEB-INF/lib)

Page 18: Introduction to Apache Tomcat 7 Presentation

18

Tomcat 7 – Manager application

Correct use of GET and POST

CSRF protection

• HTML interface only

Text interface moved

• /manager to /manager/text

Split roles

• manager-gui (HTML GUI)

• manager-script (text interface for Ant, Maven etc)

• manager-jmx (JMX proxy)

• manager-status (just the status page)

Memory leak detection

• Stopped, reloaded or un-deployed web applications

• Has to trigger a full GC to detect the leak

Page 19: Introduction to Apache Tomcat 7 Presentation

19

Tomcat 7 – Embedded improvements

Based on work by Costin

Single class can create a Tomcat instance in a few lines of code

• org.apache.catalina.startup.Tomcat

Very easy to embed

• Tomcat uses it as the basis of most of the Tomcat 7 unit tests

‘Bare bones’ and ‘usual defaults’ options

Full programmatic access to Tomcat internals

Smaller number of JARs

Page 20: Introduction to Apache Tomcat 7 Presentation

20

Tomcat 7 – Other improvements and changes

Prevent session fixation attacks

• Session ID changed on authentication

Logging improvements

• OneLineFormatter

• VerbatimFormatter

• AsyncFileHandler

Lots of internal code clean-up

• Use of generics

• Removed unused code

• StringBuffer replaced with StringBuilder

• Loggers made final and static where possible

• Reduce code duplication in the connectors

Start switch from Valves to Filters

Page 21: Introduction to Apache Tomcat 7 Presentation

21

Tomcat 7 – Other improvements and changes

Generic CSRF protection

Access log enabled by default

LockOut Realm configured by default

Align JMX Beans with code

• GSoC 2010

• Start with just a <Server .../> element in server.xml

• Configure everything else via JMX

Page 22: Introduction to Apache Tomcat 7 Presentation

22

Tomcat 7 – Plans

JSR 196 implementation

• The Java Authentication SPI for Containers (Servlet Container Profile)

Enhancements to the memory leak protection

Simpler configuration of JNDI resources

Integration with Windows Authentication

Fewer open bugs

More frequent releases

Review outstanding enhancement requests

Page 23: Introduction to Apache Tomcat 7 Presentation

23

Tomcat 7 – Plans

Implementing the Java EE 6 web profile is not on the roadmap

• No-one is asking for it

• Geronimo is in a better position to provide it

• Tomcat team will monitor demand and review this regularly

Page 24: Introduction to Apache Tomcat 7 Presentation

24

Current status

Page 25: Introduction to Apache Tomcat 7 Presentation

25

Current status

First release on 29 June 2010

Current release is 7.0.2

7.0.x still considered to be in beta

Page 26: Introduction to Apache Tomcat 7 Presentation

26

Useful resources

Page 27: Introduction to Apache Tomcat 7 Presentation

27

Useful resources

http://tomcat.apache.org

• http://tomcat.apache.org/download-70.cgi

• http://tomcat.apache.org/tomcat-7.0-doc/index.html

http://tomcat.apache.org/migration.html

https://svn.apache.org/repos/asf/tomcat/trunk

git://git.apache.org/tomcat70.git

announce@tomcat.apache.org

• Very low traffic

users@tomcat.apache.org

• Usage questions

dev@tomcat.apache.org

• Code changes only

Page 28: Introduction to Apache Tomcat 7 Presentation

28

Questions