Introduction to Apache Tomcat 7 Presentation
Overview of key new features and standards supported in Tomcat 7.0, by the Tomcat 7 release manager Mark Thomas.
© 2009 VMware Inc. All rights reserved
Introduction to Apache Tomcat 7.0
Mark Thomas, Sr. Software Engineer, SpringSource
August 2010
Agenda
Introduction
Overview
Servlet 3.0
JSP 2.2
EL 2.2
Other (non-specification) features
Current status
Useful resources
Questions
Introduction
Mark Thomas
Tomcat committer (6+ years) and PMC member
Commons committer (DBCP & Pool)
Apache Software Foundation Member
Apache Security Team member
Tomcat 4 release manager
Tomcat 7 release manager
Wrote a large proportion of the updates for Tomcat 7
Lead SpringSource Security Team
tc Server developer
Overview
Component  Tomcat 4  Tomcat 5  Tomcat 6  Tomcat 7
Servlet    2.3       2.4       2.5       3.0
JSP        1.2       2.0       2.1       2.2
EL         -         (2.0)     2.1       2.2
Java       1.2?      1.4       1.5       1.6
Servlet 3.0
Servlet 3.0 – Asynchronous processing
Prior to Servlet 3.0 request/response processing was synchronous
Response processing can now be asynchronous
• Requests are still synchronous
More efficient use of Threads
All Filters and Servlets in the processing chain must support Async
Typical uses
• Accessing external resources
• Web services
• Databases
• Regular updates to users
• Stock ticker
• Progress indicator
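An added example (not from the presentation or the Tomcat code base) of asynchronous response processing with a timeout and a bounded worker pool. The servlet name, URL pattern and `slowBackendCall()` are hypothetical stand-ins for one of the external resources listed above.

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical servlet; a Filter without async support makes startAsync() throw.
@WebServlet(urlPatterns = "/report", asyncSupported = true)
public class ReportServlet extends HttpServlet {
    // Bounded pool: a slow backend cannot tie up an unbounded number of threads.
    private final ExecutorService workers = Executors.newFixedThreadPool(4);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        final AsyncContext async = req.startAsync();
        final AtomicBoolean done = new AtomicBoolean(false); // first writer wins
        async.setTimeout(5000); // ms; never wait on the backend indefinitely
        async.addListener(new AsyncListener() {
            public void onTimeout(AsyncEvent e) throws IOException {
                if (done.compareAndSet(false, true)) {
                    ((HttpServletResponse) async.getResponse()).sendError(504);
                    async.complete();
                }
            }
            public void onError(AsyncEvent e) { done.set(true); }
            public void onComplete(AsyncEvent e) { }
            public void onStartAsync(AsyncEvent e) { }
        });
        workers.execute(new Runnable() { // the container thread is freed here
            public void run() {
                String body = slowBackendCall();
                if (!done.compareAndSet(false, true)) return; // already timed out
                try {
                    async.getResponse().setContentType("text/plain");
                    async.getResponse().getWriter().write(body);
                } catch (IOException ignored) { // client went away
                } finally { async.complete(); }
            }
        });
    }

    private String slowBackendCall() { return "report ready\n"; } // placeholder
    @Override
    public void destroy() { workers.shutdownNow(); }
}
```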
Servlet 3.0 – web-fragment.xml & annotations
META-INF/web-fragment.xml
• Packaged with any JAR file
• Broadly same content allowed as web.xml
• Rules on ordering
Annotations – Servlets, Filters & Listeners
• Can be placed on any class in any JAR
• Scanned on start-up
• Only scanned if JAR is included in fragment ordering
Annotations – Security, File Upload
• Place on Servlets
• Scanned when Servlet is loaded
Both fragments and annotations give rise to security concerns
• Effective web.xml can be logged
Servlet 3.0 – Dynamic configuration
Alternative to web-fragment.xml
Programmatic
• More control
Used by ServletContextListeners
Addition of:
• Servlets
• Filters
• Listeners
Change session tracking modes
Change session cookie configuration
Set initialisation parameters
Declare security roles
Servlet 3.0 – Sessions
Adds session tracking based on SSL Session ID
• To URL and cookie based tracking
Session tracking methods application selectable
• Configure in ServletContextListener
• SSL based tracking has to be used on its own
• Now possible to disable URL based tracking (used to be mandatory)
Can control default parameters for session cookies
• Name – may be overridden by Tomcat
• Domain – may be overridden by Tomcat
• Path – may be overridden by Tomcat
• MaxAge
• Comment
• Secure – may be overridden by Tomcat
• HttpOnly – may be overridden by Tomcat
Servlet 3.0 – Miscellaneous
httpOnly
• Not in any of the specifications
• However, widely supported
• Prevents scripts accessing the cookie content
• Provide a degree of XSS protection
File upload
• Very similar to commons file upload
• Used by the Manager application
Programmatic login
• Useful when creating a new user account
• Can log the user in without redirecting them to the login page
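An added example (not from the presentation or the Tomcat code base) of the security and file-upload annotations placed on a servlet, together with the Servlet 3.0 upload API. The class name, the `/upload` mapping, the `file` form field and the `uploader` role are hypothetical, and an authentication method is assumed to be configured in web.xml.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical servlet. The annotations take the place of
// <security-constraint> and <multipart-config> entries in web.xml.
@WebServlet("/upload")
@ServletSecurity(@HttpConstraint(rolesAllowed = "uploader",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
@MultipartConfig(maxFileSize = 1024 * 1024,        // 1 MiB per part
                 maxRequestSize = 2 * 1024 * 1024, // 2 MiB per request
                 fileSizeThreshold = 64 * 1024)    // spill to disk above 64 KiB
public class UploadServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part;
        try {
            part = req.getPart("file"); // form field name is an assumption
        } catch (IllegalStateException tooLarge) {
            // Raised when a part or the whole request exceeds the limits above.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        if (part == null || part.getSize() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no file part");
            return;
        }
        // Generate the stored name server-side; a client-supplied file name
        // must never be used as a path.
        String stored = UUID.randomUUID() + ".upload";
        part.write(stored); // relative to the @MultipartConfig location
        resp.setContentType("text/plain");
        resp.getWriter().println("stored " + part.getSize() + " bytes");
    }
}
```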
JSP 2.2
JSP 2.2 – JSP Property Group changes
Three new configuration settings
    <jsp-config>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <default-content-type>text/html</default-content-type>
      </jsp-property-group>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <buffer>4096</buffer>
      </jsp-property-group>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <error-on-undeclared-namespace>
          true
        </error-on-undeclared-namespace>
      </jsp-property-group>
    </jsp-config>
Expression Language 2.2
EL 2.2 – Method invocations
EL 2.2 adds support for method invocations
    <html>
      <head><title>EL method test cases</title></head>
      <body>
        <%
        TesterBeanA beanA = new TesterBeanA();
        TesterBeanB beanB = new TesterBeanB();
        beanB.setName("Tomcat");
        beanA.setBean(beanB);
        pageContext.setAttribute("testBeanA", beanA);
        pageContext.setAttribute("testBeanB", beanB);
        %>
        <tags:echo echo="00-${testBeanA[\"bean\"].sayHello('JUnit')}" />
        <tags:echo echo="01-${testBeanA.bean.sayHello('JUnit')}" />
        <tags:echo echo="02-${testBeanB.sayHello('JUnit')}" />
      </body>
    </html>
Other Tomcat 7 changes
Tomcat 7 – Memory leak protection
It has been back-ported to Tomcat 6
Two aspects
• Prevention for JVM context class loader based leaks
• Detection (and fixing where possible) of application leaks
Application leaks include leaks in 3rd party libraries
JDBC drivers
• Should be de-registered
ThreadLocals
• Should be set to null
Threads
• Should be stopped
Also fixes issues with ResourceBundle, RMI & Security Policies
Tomcat 7 – Alias support
New <Context .../> attribute
aliases
• “/aliasPath1=docBase1,/aliasPath2=docBase2”
docBaseN can be a WAR or a directory
• Must be absolute paths
Contents NOT deleted on undeploy
Possible uses:
• Providing common content to multiple web applications from a single location
• Providing alternative paths to resources when embedding (e.g. WEB-INF/lib)
Tomcat 7 – Manager application
Correct use of GET and POST
CSRF protection
• HTML interface only
Text interface moved
• /manager to /manager/text
Split roles
• manager-gui (HTML GUI)
• manager-script (text interface for Ant, Maven etc)
• manager-jmx (JMX proxy)
• manager-status (just the status page)
Memory leak detection
• Stopped, reloaded or un-deployed web applications
• Has to trigger a full GC to detect the leak
Tomcat 7 – Embedded improvements
Based on work by Costin
Single class can create a Tomcat instance in a few lines of code
• org.apache.catalina.startup.Tomcat
Very easy to embed
• Tomcat uses it as the basis of most of the Tomcat 7 unit tests
‘Bare bones’ and ‘usual defaults’ options
Full programmatic access to Tomcat internals
Smaller number of JARs
Tomcat 7 – Other improvements and changes
Prevent session fixation attacks
• Session ID changed on authentication
Logging improvements
• OneLineFormatter
• VerbatimFormatter
• AsyncFileHandler
Lots of internal code clean-up
• Use of generics
• Removed unused code
• StringBuffer replaced with StringBuilder
• Loggers made final and static where possible
• Reduce code duplication in the connectors
Start switch from Valves to Filters
Tomcat 7 – Other improvements and changes
Generic CSRF protection
Access log enabled by default
LockOut Realm configured by default
Align JMX Beans with code
• GSoC 2010
• Start with just a <Server .../> element in server.xml
• Configure everything else via JMX
Tomcat 7 – Plans
JSR 196 implementation
• The Java Authentication SPI for Containers (Servlet Container Profile)
Enhancements to the memory leak protection
Simpler configuration of JNDI resources
Integration with Windows Authentication
Fewer open bugs
More frequent releases
Review outstanding enhancement requests
Tomcat 7 – Plans
Implementing the Java EE 6 web profile is not on the roadmap
• No-one is asking for it
• Geronimo is in a better position to provide it
• Tomcat team will monitor demand and review this regularly
Current status
First release on 29 June 2010
Current release is 7.0.2
7.0.x still considered to be in beta
Useful resources
http://tomcat.apache.org
• http://tomcat.apache.org/download-70.cgi
• http://tomcat.apache.org/tomcat-7.0-doc/index.html
http://tomcat.apache.org/migration.html
https://svn.apache.org/repos/asf/tomcat/trunk
git://git.apache.org/tomcat70.git
• Very low traffic
Usage questions
Code changes only
Questions