Introduction to Apache Tomcat 7 Presentation

Overview of key new features and standards supported in Tomcat 7.0, by the Tomcat 7 release manager Mark Thomas.



  1. Introduction to Apache Tomcat 7.0
     Mark Thomas, Sr. Software Engineer, SpringSource
     August 2010
     © 2009 VMware Inc. All rights reserved

  2. Agenda
     • Introduction
     • Overview
     • Servlet 3.0
     • JSP 2.2
     • EL 2.2
     • Other (non-specification) features
     • Current status
     • Useful resources
     • Questions

  3. Introduction
     • Mark Thomas
     • Tomcat committer (6+ years) and PMC member
     • Commons committer (DBCP & Pool)
     • Apache Software Foundation Member
     • Apache Security Team member
     • Tomcat 4 release manager
     • Tomcat 7 release manager
     • Wrote a large proportion of the updates for Tomcat 7
     • Lead SpringSource Security Team
     • tc Server developer

  4. Overview

                 Tomcat 4   Tomcat 5   Tomcat 6   Tomcat 7
     Servlet     2.3        2.4        2.5        3.0
     JSP         1.2        2.0        2.1        2.2
     EL          -          (2.0)      2.1        2.2
     Java        1.2?       1.4        1.5        1.6

  5. Servlet 3.0

  6. Servlet 3.0 – Asynchronous processing
     • Prior to Servlet 3.0 request/response processing was synchronous
     • Response processing can now be asynchronous
       - Requests are still synchronous
     • More efficient use of Threads
     • All Filters and Servlets in the processing chain must support Async
     • Typical uses
       - Accessing external resources
         · Web services
         · Databases
       - Regular updates to users
         · Stock ticker
         · Progress indicator
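The asynchronous processing described on slide 6, shown as an added Java example (it is not code from the presentation or from the Tomcat project). The servlet name, URL pattern, delay and the 504 status used on timeout are assumptions; the Servlet 3.0 calls (`startAsync`, `AsyncContext`, `AsyncListener`, `asyncSupported`) are the standard API. Note the two things that go wrong most often in practice: a missing `asyncSupported=true` on the servlet or on any Filter in front of it, and a code path that never calls `complete()`, which holds the connection until the timeout fires.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; asyncSupported=true is required here and on every
// Filter in the chain, otherwise startAsync() throws IllegalStateException.
@WebServlet(urlPatterns = "/slow", asyncSupported = true)
public class SlowResourceServlet extends HttpServlet {

    // Small pool shared by all requests. The container thread that called
    // doGet() goes back to the connector as soon as doGet() returns.
    private ScheduledExecutorService pool;

    @Override
    public void init() {
        pool = Executors.newScheduledThreadPool(2);
    }

    @Override
    public void destroy() {
        pool.shutdownNow(); // stop our own threads on undeploy
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final AsyncContext ctx = req.startAsync();
        ctx.setTimeout(5000); // fail fast rather than holding the connection forever
        ctx.addListener(new AsyncListener() {
            public void onTimeout(AsyncEvent e) throws IOException {
                HttpServletResponse r =
                        (HttpServletResponse) e.getAsyncContext().getResponse();
                r.sendError(HttpServletResponse.SC_GATEWAY_TIMEOUT);
                e.getAsyncContext().complete();
            }
            public void onError(AsyncEvent e) {
                e.getAsyncContext().complete();
            }
            public void onComplete(AsyncEvent e) {}
            public void onStartAsync(AsyncEvent e) {}
        });

        // Stand-in for a slow external resource (database, web service):
        // the work runs on our pool, not on a container thread.
        pool.schedule(new Runnable() {
            public void run() {
                try {
                    ctx.getResponse().setContentType("text/plain");
                    ctx.getResponse().getWriter().println("result from slow resource");
                } catch (IOException ignored) {
                    // client went away; nothing more to send
                } finally {
                    ctx.complete(); // always complete, or the request is leaked
                }
            }
        }, 1, TimeUnit.SECONDS);
    }
}
```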
  7. Servlet 3.0 – web-fragment.xml & annotations
     • META-INF/web-fragment.xml
       - Packaged with any JAR file
       - Broadly same content allowed as web.xml
       - Rules on ordering
     • Annotations – Servlets, Filters & Listeners
       - Can be placed on any class in any JAR
       - Scanned on start-up
       - Only scanned if JAR is included in fragment ordering
     • Annotations – Security, File Upload
       - Place on Servlets
       - Scanned when Servlet is loaded
     • Both fragments and annotations give rise to security concerns
       - Effective web.xml can be logged

  8. Servlet 3.0 – Dynamic configuration
     • Alternative to web-fragment.xml
     • Programmatic
       - More control
     • Used by ServletContextListeners
     • Addition of:
       - Servlets
       - Filters
       - Listeners
     • Change session tracking modes
     • Change session cookie configuration
     • Set initialisation parameters
     • Declare security roles

  9. Servlet 3.0 – Sessions
     • Adds session tracking based on SSL Session ID
       - To URL and cookie based tracking
     • Session tracking methods application selectable
       - Configure in ServletContextListener
       - SSL based tracking has to be used on its own
       - Now possible to disable URL based tracking (used to be mandatory)
     • Can control default parameters for session cookies
       - Name – may be overridden by Tomcat
       - Domain – may be overridden by Tomcat
       - Path – may be overridden by Tomcat
       - MaxAge
       - Comment
       - Secure – may be overridden by Tomcat
       - HttpOnly – may be overridden by Tomcat
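The dynamic configuration of slide 8 and the session settings of slide 9 together, as one added Java example (not code from the presentation or from Tomcat). It is a ServletContextListener that registers a servlet programmatically, restricts session tracking to cookies so the session id no longer appears in URLs, and sets the cookie defaults the slide lists. The `HealthServlet` class, the `/health` mapping and the role names are assumptions; the `ServletContext`, `ServletRegistration.Dynamic`, `SessionTrackingMode` and `SessionCookieConfig` calls are the Servlet 3.0 API. As the slide says, Tomcat's own `<Context>` configuration can still override name, domain, path, secure and httpOnly.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Runs at start-up; everything below must happen before the context is
// initialised, which is exactly when contextInitialized() is called.
@WebListener
public class SessionHardeningListener implements ServletContextListener {

    // Hypothetical servlet registered below instead of via a <servlet> element.
    public static class HealthServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("OK");
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // 1. Programmatic servlet registration (slide 8)
        ServletRegistration.Dynamic reg = ctx.addServlet("health", HealthServlet.class);
        reg.addMapping("/health");
        reg.setLoadOnStartup(1);
        reg.setAsyncSupported(true);
        ctx.setInitParameter("app.mode", "production"); // hypothetical init parameter

        // 2. Session tracking (slide 9): cookies only. URL rewriting is now off,
        //    so ";jsessionid=" never ends up in logs, Referer headers or bookmarks.
        //    SSL tracking would have to be EnumSet.of(SessionTrackingMode.SSL) alone.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // 3. Session cookie defaults (slide 9)
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);   // scripts cannot read the id
        cookie.setSecure(true);     // only sent over TLS
        cookie.setMaxAge(-1);       // browser-session cookie, not persisted to disk
        cookie.setComment("session id for the example application");

        // 4. Roles that security constraints and isUserInRole() may refer to
        ctx.declareRoles("admin", "user");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```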
  10. Servlet 3.0 – Miscellaneous
     • httpOnly
       - Not in any of the specifications
       - However, widely supported
       - Prevents scripts accessing the cookie content
       - Provides a degree of XSS protection
     • File upload
       - Very similar to commons file upload
       - Used by the Manager application
     • Programmatic login
       - Useful when creating a new user account
       - Can log the user in without redirecting them to the login page
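The programmatic login from slide 10, as an added Java example (not from the presentation or from Tomcat). It assumes the new account has already been written to whatever store the configured Realm reads (that step is not shown), and then calls `HttpServletRequest.login()`, which is the Servlet 3.0 method. The two failure cases handled are the ones the API defines: `login()` throws `ServletException` both when the credentials are rejected and when the caller is already authenticated, so an existing identity is dropped with `logout()` first. The servlet name and redirect target are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical registration endpoint: the account has just been created in the
// Realm's backing store (not shown); now log the user in without a round trip
// through the FORM login page.
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // login() fails if a caller identity is already established.
        if (req.getUserPrincipal() != null) {
            req.logout();
        }

        try {
            // Validated by the Realm configured for this context. Tomcat 7
            // changes the session id on authentication (see slide 20), so the
            // pre-login session id is not carried over.
            req.login(username, password);
        } catch (ServletException e) {
            // Do not echo the credentials back; log the failure and reject.
            getServletContext().log("programmatic login failed for " + username);
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.sendRedirect(req.getContextPath() + "/account"); // hypothetical page
    }
}
```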
  11. JSP 2.2

  12. JSP 2.2 – JSP Property Group changes
     • Three new configuration settings

       <jsp-config>
         <jsp-property-group>
           <url-pattern>*.jsp</url-pattern>
           <default-content-type>text/html</default-content-type>
         </jsp-property-group>
         <jsp-property-group>
           <url-pattern>*.jsp</url-pattern>
           <buffer>4096</buffer>
         </jsp-property-group>
         <jsp-property-group>
           <url-pattern>*.jsp</url-pattern>
           <error-on-undeclared-namespace>
             true
           </error-on-undeclared-namespace>
         </jsp-property-group>
       </jsp-config>

  13. Expression Language 2.2

  14. EL 2.2 – Method invocations
     • EL 2.2 adds support for method invocations

       <html>
       <head><title>EL method test cases</title></head>
       <body>
       <%
         TesterBeanA beanA = new TesterBeanA();
         TesterBeanB beanB = new TesterBeanB();
         beanB.setName("Tomcat");
         beanA.setBean(beanB);
         pageContext.setAttribute("testBeanA", beanA);
         pageContext.setAttribute("testBeanB", beanB);
       %>
       <tags:echo echo="00-${testBeanA["bean"].sayHello('JUnit')}" />
       <tags:echo echo="01-${testBeanA.bean.sayHello('JUnit')}" />
       <tags:echo echo="02-${testBeanB.sayHello('JUnit')}" />
       </body>
       </html>

  15. Other Tomcat 7 changes

  16. Tomcat 7 – Memory leak protection
     • It has been back-ported to Tomcat 6
     • Two aspects
       - Prevention for JVM context class loader based leaks
       - Detection (and fixing where possible) of application leaks
     • Application leaks include leaks in 3rd party libraries
     • JDBC drivers
       - Should be de-registered
     • ThreadLocals
       - Should be set to null
     • Threads
       - Should be stopped
     • Also fixes issues with ResourceBundle, RMI & Security Policies
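The three application-side rules on slide 16 (deregister JDBC drivers, clear ThreadLocals, stop threads) as one added Java example of what a web application should do itself so that Tomcat's leak detection has nothing to report. This is not code from the presentation or from Tomcat; the `RequestInfo` class, the filter, the background worker and the log messages are assumptions. The important detail in the driver loop is the class loader comparison: only drivers loaded by this web application are deregistered, never one installed in Tomcat's shared lib directory that other applications still use.

```java
import java.io.IOException;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.UUID;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;

// Hypothetical per-request object. Because this class is loaded by the web
// application's class loader, a value left in a ThreadLocal on a pooled
// container thread pins the whole loader in memory after undeploy.
final class RequestInfo {
    final String id = UUID.randomUUID().toString();
}

// Sets the ThreadLocal for the duration of one request and always clears it.
@WebFilter("/*")
class RequestInfoFilter implements Filter {
    static final ThreadLocal<RequestInfo> CURRENT = new ThreadLocal<RequestInfo>();

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        CURRENT.set(new RequestInfo());
        try {
            chain.doFilter(req, resp);
        } finally {
            CURRENT.remove(); // container threads are pooled and outlive the webapp
        }
    }

    public void destroy() {}
}

@WebListener
public class LeakPreventionListener implements ServletContextListener {
    private ExecutorService worker; // hypothetical background worker owned by the app

    public void contextInitialized(ServletContextEvent sce) {
        worker = Executors.newSingleThreadExecutor();
    }

    public void contextDestroyed(ServletContextEvent sce) {
        ClassLoader webappLoader = getClass().getClassLoader();

        // 1. JDBC drivers: deregister only those this web application loaded.
        Enumeration<Driver> drivers = DriverManager.getDrivers();
        while (drivers.hasMoreElements()) {
            Driver d = drivers.nextElement();
            if (d.getClass().getClassLoader() == webappLoader) {
                try {
                    DriverManager.deregisterDriver(d);
                } catch (SQLException e) {
                    sce.getServletContext().log("Could not deregister " + d, e);
                }
            }
        }

        // 2. Threads: stop every thread the application started and wait for it.
        worker.shutdownNow();
        try {
            worker.awaitTermination(5, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }

        // 3. ThreadLocals: the filter clears its value after every request;
        //    this also clears the thread running the listener itself.
        RequestInfoFilter.CURRENT.remove();
    }
}
```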
  17. Tomcat 7 – Alias support
     • New <Context .../> attribute
     • aliases
       - "/aliasPath1=docBase1,/aliasPath2=docBase2"
     • docBaseN can be a WAR or a directory
       - Must be absolute paths
     • Contents NOT deleted on undeploy
     • Possible uses:
       - Providing common content to multiple web applications from a single location
       - Providing alternative paths to resources when embedding (e.g. WEB-INF/lib)

  18. Tomcat 7 – Manager application
     • Correct use of GET and POST
     • CSRF protection
       - HTML interface only
     • Text interface moved
       - /manager to /manager/text
     • Split roles
       - manager-gui (HTML GUI)
       - manager-scripts (text interface for Ant, Maven etc)
       - manager-jmx (JMX proxy)
       - manager-status (just the status page)
     • Memory leak detection
       - Stopped, reloaded or un-deployed web applications
       - Has to trigger a full GC to detect the leak

  19. Tomcat 7 – Embedded improvements
     • Based on work by Costin
     • Single class can create a Tomcat instance in a few lines of code
       - org.apache.catalina.startup.Tomcat
     • Very easy to embed
       - Tomcat uses it as the basis of most of the Tomcat 7 unit tests
     • 'Bare bones' and 'usual defaults' options
     • Full programmatic access to Tomcat internals
     • Smaller number of JARs
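The embedding described on slide 19, as an added Java example (not code from the presentation; it uses the `org.apache.catalina.startup.Tomcat` class the slide names but is not Tomcat's own code). It builds a 'bare bones' context with `addContext()`, which adds no web.xml defaults, no default servlet and no JSP support, and maps a single servlet; the 'usual defaults' option is `addWebapp()`, mentioned in a comment. The port, base directory and servlet are assumptions.

```java
import java.io.File;
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.startup.Tomcat;

public class EmbeddedTomcatExample {

    /** Builds but does not start the instance, so it can also be used from tests. */
    public static Tomcat build(int port) throws ServletException {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(port);
        // Work directory for the embedded instance (hypothetical location).
        tomcat.setBaseDir(new File(System.getProperty("java.io.tmpdir"),
                "embedded-tomcat").getAbsolutePath());

        // 'Bare bones': no conf/web.xml defaults, no DefaultServlet, no JSP.
        // For the 'usual defaults' use tomcat.addWebapp(contextPath, docBase) instead.
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());

        Tomcat.addServlet(ctx, "hello", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().println("Hello from embedded Tomcat 7");
            }
        });
        ctx.addServletMapping("/", "hello");
        return tomcat;
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = build(8080);
        tomcat.start();
        tomcat.getServer().await(); // block until the server is shut down
    }
}
```

Because nothing from conf/web.xml is applied in the bare bones form, there is no default servlet serving files from the docBase: only the URLs you map explicitly are reachable, which is a useful property when the embedded server is exposed beyond localhost.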
  20. Tomcat 7 – Other improvements and changes
     • Prevent session fixation attacks
       - Session ID changed on authentication
     • Logging improvements
       - OneLineFormatter
       - VerbatimFormatter
       - AsyncFileHandler
     • Lots of internal code clean-up
       - Use of generics
       - Removed unused code
       - StringBuffer replaced with StringBuilder
       - Loggers made final and static where possible
       - Reduce code duplication in the connectors
     • Start switch from Valves to Filters

  21. Tomcat 7 – Other improvements and changes
     • Generic CSRF protection
     • Access log enabled by default
     • LockOut Realm configured by default
     • Align JMX Beans with code
       - GSoC 2010
       - Start with just a <Server .../> element in server.xml
       - Configure everything else via JMX

  22. Tomcat 7 – Plans
     • JSR 196 implementation
       - The Java Authentication SPI for Containers (Servlet Container Profile)
     • Enhancements to the memory leak protection
     • Simpler configuration of JNDI resources
     • Integration with Windows Authentication
     • Fewer open bugs
     • More frequent releases
     • Review outstanding enhancement requests

  23. Tomcat 7 – Plans
     • Implementing the Java EE 6 web profile is not on the roadmap
       - No-one is asking for it
       - Geronimo is in a better position to provide it
       - Tomcat team will monitor demand and review this regularly

  24. Current status

  25. Current status
     • First release on 29 June 2010
     • Current release is 7.0.2
     • 7.0.x still considered to be in beta

  26. Useful resources

  27. Useful resources
     • http://tomcat.apache.org
       - http://tomcat.apache.org/download-70.cgi
       - http://tomcat.apache.org/tomcat-7.0-doc/index.html
     • http://tomcat.apache.org/migration.html
     • https://svn.apache.org/repos/asf/tomcat/trunk
     • git://git.apache.org/tomcat70.git
     • announce@tomcat.apache.org
       - Very low traffic
     • users@tomcat.apache.org
       - Usage questions
     • dev@tomcat.apache.org
       - Code changes only

  28. Questions
