Tomcat 6 Basis
Need Java 1.5 or further version
Servlet 2.5, EL 2.1, JSP 2.1, and JSR 250
(Common Annotation) support
Restructured code base
Merge the common, shared, and server
repositories into a single folder,
Reduced duplicate code
Removed obsolete items
Reduced distribution size
Memory Leak Causes
Web application calls standard Java APIs that will
cause memory leaks
Use Javax.imageio API,
java.bean.introspector.flushCaches(), XML parsing, RMI,
reading resources from jar files.
JDBC drivers registration
Some logging framework
Storing objects in ThreadLocals and not removing
Starting threads and not stopping them
Not clear ResourceBundle cache (from Java 1.6)
Tomcat 6 New Features (1)
Ensure nothing retains a reference to the web
application class loader to prevent
Memory Leak Prevention
By making sure that Tomcat code makes the calls firstly,
the memory leaks are prevented.
Memory Leak Detection
When a web application is stopped, undeployed or
reloaded, Tomcat scans the code for standard causes of
memory leaks, and fixes them.
Implemented in the WebappClassLoader
Memory Leak Protection in Tomcat
Classes are stored in PermGen using class name
Each web application has its own class loader
Fix some of the common causes of Memory Leaks from the
PermGen space by removing references to objects that
don't get Garbage Collected
It is a good practice to stop Tomcat, clear the work folder
and the old web application, deploy the new web
application and restart Tomcat.
Tomcat 6 New Features (2)
Cross-Site Request Forgery / One-Click Attack / Session
Malicious code runs in HTML emails, social media links or
flash files, riding on the open authenticated session, it
opens a back door to the application for the attacker to
cripple a site or control the users account.
Use a nonce / token issued in an authentication protocol to
ensure that old communications cannot be reused in replay
Tomcat 6 New Features (3)
Session Fixation Protection
Attacks attempt to exploit the vulnerability of a
system which allows one person to fixate (set)
another person's session ID
Most attacks are web based, and most rely on
session ID being accepted from URLs (query
string) or POST data
This attack can be largely avoided by changing the
session ID when users log in.
Tomcat 6 New Features (4)
A new NIO (New I/O) Connector allows asynchronous
communication of low-level I/O data.
With usage of APR (Apache Portable Runtime) or NIO APIs
as the basis of its connectors, Tomcat is able to provide a
number of extensions over the regular blocking IO as
provided with support for the Servlet API.
Tomcat Connector Comparison
APR / Native
Read HTTP Request
Read HTTP Body
Wait for next Request
Tomcat 6 New Features (5)
Comet is a web application model in which a
long-held HTTP request allows a web server to
push data to a browser, without the browser
explicitly requesting it.
Ajax Push, Reverse Ajax, Two-way-web, HTTP
Streaming, HTTP Server Push
Usage of Comet requires using the APR or NIO
The classic java.io HTTP connector and the AJP
connectors do not support Comet.
Streaming (Tomcat Implementation)
An application using streaming Comet opens a
single persistent connection from the client
browser to the server for all Comet events.
The browser makes an Ajax-style request to the
server, which is kept open until the server has
new data to send to the browser.
Tomcat 6 New Features (6)
The new Executor element represents a thread pool
that can be shared between connectors in Tomcat,
but also other components when those get
configured to support executors.
Tomcat 6 New Features (7)
A limitation of java.util.logging appears to be
the inability to have per-web application
logging, as the configuration is per-VM.
Replace the default LogManager
implementation with a container friendly
implementation called JULI (Java Utility
Use tomcat-juli.jar to allows the
implementation of an alternate commonslogging adaptor such as Log4J.
Tomcat 6 New Features (8)
Tomcat provides factories for Web Services
JSR 109 which may be used to resolve web
Place the generated catalina-ws.jar as well
as jaxrpc.jar and wsdl4j.jar in the Tomcat lib
Tomcat 6 New Features (9)
Changes to the configuration rules allow
users to define multiple URL-pattern
elements within a single servlet-mapping
Tomcat 6 New Features (10)
Single Server Problems
A single server cannot handle the high number of
incoming requests efficiently.
A stateful application needs a way of preserving
session data if its server fails.
A developer requires the capability to make
configuration changes or deploy updates to their
applications without discontinuing service.
A clustered architecture solves these problems
using a combination of load balancing, multiple
servers to process the balanced load, and some
kind of session replication.
Tomcat 6 New Features (11)
HA (High Availability) – Load Balance
Static content is served directly by Apache HTTP server and any
dynamic requests forwarded to the Tomcat servers based on
JK 1.2.x native connector
Apache HTTP Server 2.x with mod_proxy
HA (High Availability) – Fail-over Solution
If the load balancer detects that one of the nodes has gone down
it will redirect all the traffic to the second instance and your
clients, apart from any on the failed node.
Tomcat Session Replication
Tomcat 7 Basis
Need Java 1.6 or further version
Servlet 3.0, EL 2.2, and JSP 2.2, WebSocket RFC
Improved security for the Manager and Host
Offers tomcat-api.jar which contains interfaces that
are shared by the Jasper and Catalina
Provides improved configurability through newly
added container components
Tomcat 7 New Features (1)
A Web application might need static
resources that increases the size of the war
file and also leads to duplication of static
Allows a new aliases attribute in the context
element that can point to the static resources
are stored outside the war file.
Tomcat 7 New Features (2)
WebSocket developed as part of the HTML5
interface, which defines a full-duplex single socket
connection over which messages can be sent
between client and server.
The WebSocket standard simplifies much of the
complexity around bi-directional web
communication and connection management.
Tomcat 7 New Features (3)
Tomcat can be embedded in an application
and it can be configured and started
A new Tomcat class uses defaults for several
configuration elements and provides an
easier and simpler way to embed Tomcat.
Tomcat 7 New Features (4)
AsyncFileHandler employs a
producer/consumer relationship with the
queue to store log messages.
Replace all occurrences of FileHandler with
AsyncFileHandler in the
The application must use java.util.Logging;
asynchronous logging does not work with
Apache Tomcat - Which Version Do I Want?
Memory Leak Protection in Tomcat 7
Tomcat Wiki – Memory Leak Protection
Cross-site Request Forgery
Session Fixation Wikipedia
The Top 3 Apache Tomcat 7 features now Available in A
Tomcat 6 – New Features, Migration, and Tomcat 7
Java NIO vs. IO
Comet (programming) Wikipedia
Apache Tomcat Configuration Reference - The Executor
A Simple Guide To Tomcat Logging
Setting up Clustering on Apache/Tomcat using Jakarta
Top 7 Features in Tomcat 7: The New and the Improved
What’s New in Tomcat 7
Tomcat 7 Changes And New Features
HTML5 WebSocket Client