Introduction to Apache Tomcat 7 Presentation

Overview of key new features and standards supported in Tomcat 7.0, by the Tomcat 7 release manager Mark Thomas.

1. Introduction to Apache Tomcat 7.0
   Mark Thomas, Sr. Software Engineer, SpringSource
   August 2010
   © 2009 VMware Inc. All rights reserved

2. Agenda
   - Introduction
   - Overview
   - Servlet 3.0
   - JSP 2.2
   - EL 2.2
   - Other (non-specification) features
   - Current status
   - Useful resources
   - Questions

3. Introduction
   - Mark Thomas
   - Tomcat committer (6+ years) and PMC member
   - Commons committer (DBCP & Pool)
   - Apache Software Foundation Member
   - Apache Security Team member
   - Tomcat 4 release manager
   - Tomcat 7 release manager
   - Wrote a large proportion of the updates for Tomcat 7
   - Lead of the SpringSource Security Team
   - tc Server developer

4. Overview

   Spec      Tomcat 4   Tomcat 5   Tomcat 6   Tomcat 7
   Servlet   2.3        2.4        2.5        3.0
   JSP       1.2        2.0        2.1        2.2
   EL        -          (2.0)      2.1        2.2
   Java      1.2?       1.4        1.5        1.6

5. Servlet 3.0
6. Servlet 3.0 – Asynchronous processing
   - Prior to Servlet 3.0, request/response processing was synchronous
   - Response processing can now be asynchronous
     • Requests are still synchronous: the request is read on a container thread
   - More efficient use of threads: the container thread is released while the application waits
   - All Filters and Servlets in the processing chain must support async
   - Typical uses
     • Accessing external resources
       - Web services
       - Databases
     • Regular updates to users
       - Stock ticker
       - Progress indicator
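
The asynchronous pattern above, as an added example (it is not code from the slides or from Tomcat). The servlet name, the `/ticker` path, the 500 ms delayed "quote" and the 10 s timeout are assumptions for illustration. The important details a practitioner wants are the `asyncSupported` flag, the timeout (an open async request with no timeout holds the connection and its buffers indefinitely), and the `isAsyncSupported()` check, which fails if any non-async Filter sits earlier in the chain.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical "stock ticker" endpoint: the container thread returns at once,
// the response is completed later from an application-owned thread pool.
@WebServlet(urlPatterns = "/ticker", asyncSupported = true)
public class TickerServlet extends HttpServlet {

    private ScheduledExecutorService pool;

    @Override
    public void init() {
        pool = Executors.newScheduledThreadPool(2);
    }

    @Override
    public void destroy() {
        pool.shutdownNow();   // otherwise the pool pins the webapp class loader on reload
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isAsyncSupported()) {
            // Some Filter or Servlet earlier in the chain was not declared async.
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "async not supported by the filter chain");
            return;
        }

        final AsyncContext ctx = req.startAsync();
        ctx.setTimeout(10000);   // ms; never leave an async request unbounded

        ctx.addListener(new AsyncListener() {
            public void onTimeout(AsyncEvent e) throws IOException {
                HttpServletResponse r = (HttpServletResponse) e.getSuppliedResponse();
                r.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
                e.getAsyncContext().complete();
            }
            public void onError(AsyncEvent e) throws IOException {
                e.getAsyncContext().complete();
            }
            public void onComplete(AsyncEvent e) throws IOException {}
            public void onStartAsync(AsyncEvent e) throws IOException {}
        });

        // Simulated slow back end (assumption): a quote that arrives 500 ms later.
        pool.schedule(new Runnable() {
            public void run() {
                try {
                    HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                    r.setContentType("text/plain");
                    r.getWriter().println("quote: 42");
                } catch (IOException ignored) {
                    // client went away; nothing useful to do
                } finally {
                    ctx.complete();   // releases the connection and the request
                }
            }
        }, 500, TimeUnit.MILLISECONDS);
    }
}
```

Deploy it in a WAR together with any Filters mapped to `/*`; each of those Filters must also be declared with `asyncSupported = true` (annotation or `<async-supported>true</async-supported>` in web.xml), or the `isAsyncSupported()` branch fires.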
7. Servlet 3.0 – web-fragment.xml & annotations
   - META-INF/web-fragment.xml
     • Packaged with any JAR file
     • Broadly the same content allowed as in web.xml
     • Rules on ordering
   - Annotations – Servlets, Filters & Listeners
     • Can be placed on any class in any JAR
     • Scanned on start-up
     • Only scanned if the JAR is included in the fragment ordering
   - Annotations – Security, File Upload
     • Placed on Servlets
     • Scanned when the Servlet is loaded
   - Both fragments and annotations give rise to security concerns: any JAR dropped into WEB-INF/lib can register its own Servlets, Filters and Listeners
     • The effective web.xml can be logged (Tomcat's logEffectiveWebXml Context attribute) to see what was actually deployed
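
One way to contain the supply-chain concern above, as an added example (not from the slides): an `<absolute-ordering>` in web.xml that names only the fragments you trust. Under the Servlet 3.0 ordering rules, a JAR whose fragment is not listed (and with no `<others/>` element present) is excluded, and its annotated Servlets, Filters and Listeners are not scanned either. The fragment name `trusted-fragment` is an assumption; it must match the `<name>` element in that JAR's META-INF/web-fragment.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Only the fragments named here are processed. A third-party JAR that
       ships a web-fragment.xml or @WebFilter classes but is not listed
       contributes nothing to the effective web.xml. Add <others/> only if
       you really want every unnamed fragment merged in after the named ones. -->
  <absolute-ordering>
    <name>trusted-fragment</name>   <!-- assumed fragment name -->
  </absolute-ordering>

  <!-- Application's own declarations follow as usual -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```

Setting `metadata-complete="true"` on `<web-app>` is the blunter alternative: it disables annotation scanning and fragment processing entirely, so everything must be declared in web.xml. Either way, turn on `logEffectiveWebXml="true"` in the application's `<Context>` once and compare the logged result with what you expected to deploy.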
8. Servlet 3.0 – Dynamic configuration
   - Alternative to web-fragment.xml
   - Programmatic, so more control
   - Used from ServletContextListeners (during context initialisation)
   - Addition of:
     • Servlets
     • Filters
     • Listeners
   - Change session tracking modes
   - Change session cookie configuration
   - Set initialisation parameters
   - Declare security roles

9. Servlet 3.0 – Sessions
   - Adds session tracking based on the SSL session ID
     • In addition to URL- and cookie-based tracking
   - Session tracking methods are application selectable
     • Configure in a ServletContextListener
     • SSL-based tracking has to be used on its own
     • Now possible to disable URL-based tracking (used to be mandatory)
   - Can control the default parameters for session cookies
     • Name – may be overridden by Tomcat
     • Domain – may be overridden by Tomcat
     • Path – may be overridden by Tomcat
     • MaxAge
     • Comment
     • Secure – may be overridden by Tomcat
     • HttpOnly – may be overridden by Tomcat
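
A single listener that exercises both the dynamic configuration and the session settings from the two slides above, as an added example (not code from the slides or from Tomcat). The listener, filter and servlet names, the cookie name `SID`, the role names and the `/report` mapping are assumptions. The security-relevant choice is cookie-only tracking: with URL rewriting disabled, a session ID can no longer appear in a link, a Referer header or a proxy log.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical listener. Every call in contextInitialized() is only legal while
// the context is starting, and only from a listener declared in web.xml, in a
// web-fragment.xml or via @WebListener (not from one added programmatically).
@WebListener
public class HardeningInitializer implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie-only tracking; URL rewriting (;jsessionid=...) is switched off.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);  // Tomcat's <Context useHttpOnly> may override this
        cookie.setSecure(true);    // never sent over plain HTTP
        cookie.setMaxAge(-1);      // browser-session cookie, not written to disk
        cookie.setName("SID");     // assumed name; Tomcat's sessionCookieName may override

        // Roles used by isUserInRole() / @ServletSecurity must be declared.
        ctx.declareRoles("admin", "auditor");

        ServletRegistration.Dynamic report = ctx.addServlet("report", ReportServlet.class);
        report.addMapping("/report");
        report.setAsyncSupported(false);

        FilterRegistration.Dynamic headers =
                ctx.addFilter("securityHeaders", SecurityHeadersFilter.class);
        headers.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    public void contextDestroyed(ServletContextEvent sce) {}

    // Added programmatically above; sets two defensive response headers.
    public static class SecurityHeadersFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse r = (HttpServletResponse) resp;
            r.setHeader("X-Frame-Options", "DENY");
            r.setHeader("X-Content-Type-Options", "nosniff");
            chain.doFilter(req, resp);
        }
    }

    public static class ReportServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println(req.isUserInRole("auditor") ? "full report" : "summary");
        }
    }
}
```

`setSecure(true)` marks the cookie for HTTPS only; if the application is reachable over plain HTTP as well, the browser will simply not return the cookie there and every request will create a fresh session, which is the behaviour you want rather than a bug to work around.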
10. Servlet 3.0 – Miscellaneous
   - httpOnly
     • The cookie attribute itself is not in any of the specifications (at the time)
     • However, widely supported by browsers
     • Prevents scripts accessing the cookie content
     • Provides a degree of XSS protection: an injected script cannot read the session cookie, though the injection itself is not prevented
   - File upload
     • Very similar to Commons FileUpload
     • Used by the Manager application
   - Programmatic login (HttpServletRequest.login())
     • Useful when creating a new user account
     • Can log the user in without redirecting them to the login page
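
An upload servlet using the Servlet 3.0 file upload support, as an added example (not from the slides or from Tomcat). The `/upload` path, the part name `file`, the size limits and the destination directory are assumptions. The container enforces `maxFileSize` and `maxRequestSize` before the application sees the Part; what it does not do is sanitise the client-supplied file name, so the example parses and validates it itself (Servlet 3.0 has no `Part.getSubmittedFileName()`; that arrived in 3.1).

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical upload endpoint with container-enforced size limits.
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 5L * 1024 * 1024,      // per-file cap
                 maxRequestSize = 6L * 1024 * 1024,   // whole multipart body
                 fileSizeThreshold = 256 * 1024)      // buffered in memory below this
public class UploadServlet extends HttpServlet {

    // Assumed destination; in practice a directory outside the docBase.
    private static final File STORE =
            new File(System.getProperty("java.io.tmpdir"), "uploads");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part;
        try {
            part = req.getPart("file");
        } catch (IllegalStateException tooLarge) {
            // thrown when maxFileSize or maxRequestSize is exceeded
            resp.sendError(413, "upload too large");
            return;
        }
        if (part == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'file' part");
            return;
        }
        String name = safeFileName(submittedFileName(part));
        if (name == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unacceptable file name");
            return;
        }
        STORE.mkdirs();
        File dest = new File(STORE, name);
        InputStream in = part.getInputStream();
        OutputStream out = new FileOutputStream(dest);
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
            out.close();
            part.delete();   // drop the container's temporary copy
        }
        resp.setStatus(HttpServletResponse.SC_CREATED);
    }

    // Extract filename="..." from the part's Content-Disposition header. A
    // quoted ';' inside the name confuses the split, but whatever comes out
    // is validated by safeFileName() before use.
    static String submittedFileName(Part part) {
        String cd = part.getHeader("content-disposition");
        if (cd == null) {
            return null;
        }
        for (String token : cd.split(";")) {
            token = token.trim();
            if (token.startsWith("filename=")) {
                String v = token.substring("filename=".length()).trim();
                if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
                    v = v.substring(1, v.length() - 1);
                }
                return v;
            }
        }
        return null;
    }

    // Reject path traversal and anything outside a conservative character set.
    static String safeFileName(String raw) {
        if (raw == null) {
            return null;
        }
        // Some browsers send the full client-side path; keep the last segment only.
        int cut = Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\'));
        String base = raw.substring(cut + 1);
        if (base.equals(".") || base.equals("..")) {
            return null;
        }
        return base.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,63}") ? base : null;
    }
}
```

Tomcat only parses a multipart body for a servlet that carries `@MultipartConfig` (or a `<multipart-config>` element in web.xml); without it `getPart()` throws rather than silently buffering an unbounded request, which is the safe default.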
11. JSP 2.2

12. JSP 2.2 – JSP Property Group changes
   - Three new configuration settings: <default-content-type>, <buffer> and <error-on-undeclared-namespace>

       <jsp-config>
         <jsp-property-group>
           <url-pattern>*.jsp</url-pattern>
           <default-content-type>text/html</default-content-type>
         </jsp-property-group>
         <jsp-property-group>
           <url-pattern>*.jsp</url-pattern>
           <buffer>4kb</buffer>
         </jsp-property-group>
         <jsp-property-group>
           <url-pattern>*.jsp</url-pattern>
           <error-on-undeclared-namespace>true</error-on-undeclared-namespace>
         </jsp-property-group>
       </jsp-config>
13. Expression Language 2.2

14. EL 2.2 – Method invocations
   - EL 2.2 adds support for method invocations: a bean method can be called, with arguments, from inside ${...}

       <%-- TesterBeanA, TesterBeanB and the tags:echo tag file come from
            Tomcat's own test webapp; the page import for the bean classes
            and the tagdir below are what such a page needs to compile --%>
       <%@ taglib prefix="tags" tagdir="/WEB-INF/tags" %>
       <html>
       <head><title>EL method test cases</title></head>
       <body>
       <%
           TesterBeanA beanA = new TesterBeanA();
           TesterBeanB beanB = new TesterBeanB();
           beanB.setName("Tomcat");
           beanA.setBean(beanB);
           pageContext.setAttribute("testBeanA", beanA);
           pageContext.setAttribute("testBeanB", beanB);
       %>
       <tags:echo echo="00-${testBeanA['bean'].sayHello('JUnit')}" />
       <tags:echo echo="01-${testBeanA.bean.sayHello('JUnit')}" />
       <tags:echo echo="02-${testBeanB.sayHello('JUnit')}" />
       </body>
       </html>

15. Other Tomcat 7 changes
16. Tomcat 7 – Memory leak protection
   - Has been back-ported to Tomcat 6
   - Two aspects
     • Prevention of JVM context class loader based leaks
     • Detection (and fixing where possible) of application leaks
   - Application leaks include leaks in 3rd party libraries
   - JDBC drivers
     • Should be de-registered
   - ThreadLocals
     • Should be set to null (removed) by the thread that set them
   - Threads
     • Should be stopped
   - Also fixes issues with ResourceBundle, RMI & Security Policies
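
The three application-side clean-ups the slide asks for, as an added example (not from the slides or from Tomcat). The class names, the thread pool and the `ThreadLocal` are hypothetical stand-ins for resources an application owns. Two details matter: a `ThreadLocal` can only be cleared by the thread that set it, so the reliable place is a `finally` block on every request; and only JDBC drivers loaded by this web application's class loader should be deregistered, because a driver in `$CATALINA_HOME/lib` is shared with every other application on the server.

```java
import java.io.IOException;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;

// Hypothetical holder for resources that would otherwise pin the web application
// class loader across reload or undeploy.
public final class LeakGuard {

    // Value type loaded by the webapp loader: a classic class-loader leak if left behind.
    static final ThreadLocal<StringBuilder> SCRATCH = new ThreadLocal<StringBuilder>();

    static ExecutorService workers;

    private LeakGuard() {}

    // Per-request clean-up on the container thread that set the ThreadLocal.
    @WebFilter("/*")
    public static class ThreadLocalCleanupFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            try {
                SCRATCH.set(new StringBuilder());
                chain.doFilter(req, resp);
            } finally {
                SCRATCH.remove();   // never let it survive the request
            }
        }
    }

    @WebListener
    public static class ShutdownListener implements ServletContextListener {

        public void contextInitialized(ServletContextEvent sce) {
            workers = Executors.newFixedThreadPool(4);
        }

        public void contextDestroyed(ServletContextEvent sce) {
            // Threads: stop what the application started.
            workers.shutdownNow();
            try {
                workers.awaitTermination(5, TimeUnit.SECONDS);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }

            // JDBC drivers: deregister only those loaded by this webapp's loader.
            ClassLoader webappLoader = Thread.currentThread().getContextClassLoader();
            Enumeration<Driver> drivers = DriverManager.getDrivers();
            while (drivers.hasMoreElements()) {
                Driver d = drivers.nextElement();
                if (d.getClass().getClassLoader() == webappLoader) {
                    try {
                        DriverManager.deregisterDriver(d);
                    } catch (SQLException e) {
                        sce.getServletContext().log("deregister failed: " + d, e);
                    }
                }
            }
        }
    }
}
```

Tomcat's own protection will still attempt these fixes when the application does not, but it logs each one as a warning, and a `ThreadLocal` it has to clean up on its own may already have leaked one copy of the old class loader per container thread.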
17. Tomcat 7 – Alias support
   - New <Context .../> attribute: aliases
     • aliases="/aliasPath1=docBase1,/aliasPath2=docBase2"
   - docBaseN can be a WAR or a directory
     • Must be absolute paths
   - Contents NOT deleted on undeploy
   - Possible uses:
     • Providing common content to multiple web applications from a single location
     • Providing alternative paths to resources when embedding (e.g. WEB-INF/lib)

18. Tomcat 7 – Manager application
   - Correct use of GET and POST
   - CSRF protection
     • HTML interface only
   - Text interface moved
     • /manager to /manager/text
   - Split roles
     • manager-gui (HTML GUI)
     • manager-script (text interface for Ant, Maven etc.)
     • manager-jmx (JMX proxy)
     • manager-status (just the status page)
   - Memory leak detection
     • Stopped, reloaded or undeployed web applications
     • Has to trigger a full GC to detect the leak
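
A least-privilege `conf/tomcat-users.xml` for the split roles above, as an added example (not from the slides or from Tomcat's shipped file). The user names and the placeholder passwords are assumptions. The point of the split is that the CSRF protection only covers the HTML interface, so a browser user with `manager-gui` should not also hold `manager-script` or `manager-jmx`: those roles accept plain GET/POST requests with no nonce, which is exactly what a cross-site request can forge if the same account has a logged-in browser session.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <role rolename="manager-status"/>

  <!-- Human operator: HTML GUI only (CSRF-protected). No script/jmx role. -->
  <user username="ops" password="CHANGE-ME" roles="manager-gui"/>

  <!-- CI / deployment account: text interface only; used by Ant or Maven,
       never from a browser, so there is no session for a CSRF to ride on. -->
  <user username="deployer" password="CHANGE-ME" roles="manager-script"/>

  <!-- Monitoring: read-only status page. -->
  <user username="monitor" password="CHANGE-ME" roles="manager-status"/>
</tomcat-users>
```

With this file a deployment pipeline talks to the text interface at its new location, for instance `curl -u deployer:CHANGE-ME http://localhost:8080/manager/text/list`, while `ops` uses `/manager/html` in a browser. Grant no user both `manager-gui` and one of `manager-script` or `manager-jmx`.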
19. Tomcat 7 – Embedded improvements
   - Based on work by Costin
   - A single class can create a Tomcat instance in a few lines of code
     • org.apache.catalina.startup.Tomcat
   - Very easy to embed
     • Tomcat uses it as the basis of most of the Tomcat 7 unit tests
   - 'Bare bones' and 'usual defaults' options
   - Full programmatic access to Tomcat internals
   - Smaller number of JARs
20. Tomcat 7 – Other improvements and changes
   - Prevent session fixation attacks
     • Session ID changed on authentication
   - Logging improvements
     • OneLineFormatter
     • VerbatimFormatter
     • AsyncFileHandler
   - Lots of internal code clean-up
     • Use of generics
     • Removed unused code
     • StringBuffer replaced with StringBuilder
     • Loggers made final and static where possible
     • Reduced code duplication in the connectors
   - Start of the switch from Valves to Filters

21. Tomcat 7 – Other improvements and changes
   - Generic CSRF protection (CsrfPreventionFilter)
   - Access log enabled by default
   - LockOutRealm configured by default
   - Align JMX Beans with code
     • GSoC 2010
     • Start with just a <Server .../> element in server.xml
     • Configure everything else via JMX
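
What the three defaults above look like in configuration, as an added example (not copied from the slides or from Tomcat's shipped server.xml): a `server.xml` excerpt with the `LockOutRealm` wrapping the real realm and the access log valve, followed by a `web.xml` excerpt mapping the generic `CsrfPreventionFilter` to an application. The threshold values and the `entryPoints` list are assumptions.

```xml
<!-- conf/server.xml excerpt (inside <Service>) -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- LockOutRealm: after failureCount failed logins the user is locked for
       lockOutTime seconds. It wraps the realm that actually holds the users. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <!-- Access log: one line per request, the first thing incident response asks for. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
  </Host>
</Engine>

<!-- WEB-INF/web.xml excerpt for one application -->
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- URLs that may be requested without a nonce (assumed list) -->
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/login</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter adds a per-session nonce to URLs that pass through `HttpServletResponse.encodeURL()`/`encodeRedirectURL()`, so links and forms built without those calls will be rejected; check the access log for unexpected 403s after enabling it.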
22. Tomcat 7 – Plans
   - JSR 196 implementation
     • The Java Authentication SPI for Containers (Servlet Container Profile)
   - Enhancements to the memory leak protection
   - Simpler configuration of JNDI resources
   - Integration with Windows Authentication
   - Fewer open bugs
   - More frequent releases
   - Review outstanding enhancement requests

23. Tomcat 7 – Plans
   - Implementing the Java EE 6 web profile is not on the roadmap
     • No-one is asking for it
     • Geronimo is in a better position to provide it
     • The Tomcat team will monitor demand and review this regularly

24. Current status

25. Current status
   - First release on 29 June 2010
   - Current release is 7.0.2 (as of August 2010)
   - 7.0.x still considered to be in beta

26. Useful resources

27. Useful resources
   - http://tomcat.apache.org
     • http://tomcat.apache.org/download-70.cgi
     • http://tomcat.apache.org/tomcat-7.0-doc/index.html
   - http://tomcat.apache.org/migration.html
   - https://svn.apache.org/repos/asf/tomcat/trunk
   - git://git.apache.org/tomcat70.git
   - announce@tomcat.apache.org
     • Very low traffic
   - users@tomcat.apache.org
     • Usage questions
   - dev@tomcat.apache.org
     • Code changes only

28. Questions
