2. Agenda
Introduction
Overview
Servlet 3.0
JSP 2.2
EL 2.2
Other (non-specification) features
Current status
Useful resources
Questions
3. Introduction
Mark Thomas
Tomcat committer (6+ years) and PMC member
Commons committer (DBCP & Pool)
Apache Software Foundation Member
Apache Security Team member
Tomcat 4 release manager
Tomcat 7 release manager
Wrote a large proportion of the updates for Tomcat 7
Lead SpringSource Security Team
tc Server developer
6. Servlet 3.0 – Asynchronous processing
Prior to Servlet 3.0, request/response processing was synchronous
Response processing can now be asynchronous
• Requests are still synchronous
More efficient use of Threads
All Filters and Servlets in the processing chain must support Async
Typical uses
• Accessing external resources
• Web services
• Databases
• Regular updates to users
• Stock ticker
• Progress indicator
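An asynchronous servlet in the style the slide describes, as an added example that is not from the slides or from Tomcat itself. QuoteServlet and fetchQuote() are hypothetical; the slow call is a constructed stand-in for the external resource.

```java
import java.io.IOException;
import javax.servlet.AsyncContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the slides). asyncSupported must be true here and on
// every Filter in front of this Servlet, otherwise startAsync() throws IllegalStateException.
@WebServlet(urlPatterns = "/quote", asyncSupported = true)
public class QuoteServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final AsyncContext async = req.startAsync(req, resp);
        // Bound the wait: an unbounded async request is a cheap resource-exhaustion target.
        // On timeout the container completes the response with an error.
        async.setTimeout(5000);

        // The container thread returns to the pool here; the work runs on another thread.
        async.start(new Runnable() {
            public void run() {
                HttpServletResponse r = (HttpServletResponse) async.getResponse();
                try {
                    String quote = fetchQuote(); // stands in for a web service or database call
                    r.setContentType("text/plain");
                    r.getWriter().print(quote);
                } catch (IOException e) {
                    r.setStatus(HttpServletResponse.SC_BAD_GATEWAY);
                } finally {
                    async.complete(); // releases the request; omitting this holds it until timeout
                }
            }
        });
    }

    // Constructed stand-in for a slow external resource.
    private String fetchQuote() throws IOException {
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        return "ACME 42.00";
    }
}
```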
7. Servlet 3.0 – web-fragment.xml & annotations
META-INF/web-fragment.xml
• Packaged with any JAR file
• Broadly same content allowed as web.xml
• Rules on ordering
Annotations – Servlets, Filters & Listeners
• Can be placed on any class in any JAR
• Scanned on start-up
• Only scanned if JAR is included in fragment ordering
Annotations – Security, File Upload
• Place on Servlets
• Scanned when Servlet is loaded
Both fragments and annotations give rise to security concerns
• Effective web.xml can be logged
8. Servlet 3.0 – Dynamic configuration
Alternative to web-fragment.xml
Programmatic
• More control
Used by ServletContextListeners
Addition of:
• Servlets
• Filters
• Listeners
Change session tracking modes
Change session cookie configuration
Set initialisation parameters
Declare security roles
9. Servlet 3.0 – Sessions
Adds session tracking based on SSL Session ID
• To URL and cookie based tracking
Session tracking methods application selectable
• Configure in ServletContextListener
• SSL based tracking has to be used on its own
• Now possible to disable URL based tracking (used to be mandatory)
Can control default parameters for session cookies
• Name – may be overridden by Tomcat
• Domain – may be overridden by Tomcat
• Path – may be overridden by Tomcat
• MaxAge
• Comment
• Secure – may be overridden by Tomcat
• HttpOnly – may be overridden by Tomcat
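One ServletContextListener that applies both the dynamic configuration slide (adding a Servlet, a Filter, a role and an init parameter) and the sessions slide (tracking mode and cookie defaults). This is an added example, not code from the slides or from Tomcat; HardeningInitializer, ReportServlet and AuditFilter are hypothetical names.

```java
import java.util.EnumSet;
import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical listener (not from the slides). Discovered by annotation scanning at
// start-up; the configuration calls below are only legal before the context is initialised.
@WebListener
public class HardeningInitializer implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Session tracking: cookie only. URL rewriting is off, so the session ID never
        // appears in links, access logs or Referer headers. SSL-based tracking cannot be
        // combined with other modes, so it is not selected here.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Session cookie defaults. Name, domain, path, secure and httpOnly may still be
        // overridden by Tomcat, so check the effective web.xml in the logs.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from scripts (limits XSS impact)
        cookie.setSecure(true);   // only sent over HTTPS
        cookie.setMaxAge(-1);     // discarded when the browser closes

        // Programmatic alternative to web-fragment.xml: ReportServlet and AuditFilter are
        // assumed to exist in the web application.
        ServletRegistration.Dynamic servlet = ctx.addServlet("report", ReportServlet.class);
        servlet.setLoadOnStartup(1);
        servlet.addMapping("/report/*");
        FilterRegistration.Dynamic filter = ctx.addFilter("audit", AuditFilter.class);
        filter.setAsyncSupported(true); // needed if the chain is ever used asynchronously
        filter.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/report/*");

        // Role for security constraints / isUserInRole(), and one context init parameter.
        ctx.declareRoles("report-viewer");
        ctx.setInitParameter("report.maxRows", "1000");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```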
10. Servlet 3.0 – Miscellaneous
httpOnly
• Not in any of the specifications
• However, widely supported
• Prevents scripts accessing the cookie content
• Provides a degree of XSS protection
File upload
• Very similar to commons file upload
• Used by the Manager application
Programmatic login
• Useful when creating a new user account
• Can log the user in without redirecting them to the login page
16. Tomcat 7 – Memory leak protection
It has been back-ported to Tomcat 6
Two aspects
• Prevention for JVM context class loader based leaks
• Detection (and fixing where possible) of application leaks
Application leaks include leaks in 3rd party libraries
JDBC drivers
• Should be de-registered
ThreadLocals
• Should be set to null
Threads
• Should be stopped
Also fixes issues with ResourceBundle, RMI & Security Policies
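The three application-side clean-ups the slide lists (stop threads, clear ThreadLocals, de-register JDBC drivers), done in a listener so that Tomcat's detection has nothing left to fix. Added example, not code from the slides or from Tomcat; LeakCleanupListener and the worker thread are hypothetical.

```java
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Hypothetical listener (not from the slides): clean-up an application should do itself
// on stop/undeploy so the web application class loader can be garbage collected.
@WebListener
public class LeakCleanupListener implements ServletContextListener {
    // Thread owned by the application; its loop exits when interrupted.
    private Thread worker;
    // ThreadLocal whose value class is loaded by the web application class loader.
    private static final ThreadLocal<StringBuilder> BUFFER = new ThreadLocal<StringBuilder>();

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        BUFFER.set(new StringBuilder());
        worker = new Thread(new Runnable() {
            public void run() {
                while (!Thread.currentThread().isInterrupted()) {
                    try { Thread.sleep(1000); } catch (InterruptedException e) { return; }
                }
            }
        }, "app-worker");
        worker.start();
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // 1. Threads: a running thread keeps the class loader, and everything it loaded,
        //    reachable after undeploy. Ask it to stop and wait for it.
        worker.interrupt();
        try { worker.join(5000); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        // 2. ThreadLocals: clear on the thread that set them (here the current thread).
        //    Values left on container threads pin the class loader in the same way.
        BUFFER.remove();
        // 3. JDBC drivers: de-register only drivers this web application loaded. Drivers in
        //    Tomcat's shared lib belong to the container and must stay registered.
        ClassLoader webappLoader = getClass().getClassLoader();
        Enumeration<Driver> drivers = DriverManager.getDrivers();
        while (drivers.hasMoreElements()) {
            Driver driver = drivers.nextElement();
            if (driver.getClass().getClassLoader() != webappLoader) continue;
            try { DriverManager.deregisterDriver(driver); }
            catch (SQLException e) { sce.getServletContext().log("deregister failed: " + driver, e); }
        }
    }
}
```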
17. Tomcat 7 – Alias support
New <Context .../> attribute
aliases
• “/aliasPath1=docBase1,/aliasPath2=docBase2”
docBaseN can be a WAR or a directory
• Must be absolute paths
Contents NOT deleted on undeploy
Possible uses:
• Providing common content to multiple web applications from a single location
• Providing alternative paths to resources when embedding (e.g. WEB-INF/lib)
18. Tomcat 7 – Manager application
Correct use of GET and POST
CSRF protection
• HTML interface only
Text interface moved
• /manager to /manager/text
Split roles
• manager-gui (HTML GUI)
• manager-script (text interface for Ant, Maven etc)
• manager-jmx (JMX proxy)
• manager-status (just the status page)
Memory leak detection
• Stopped, reloaded or un-deployed web applications
• Has to trigger a full GC to detect the leak
19. Tomcat 7 – Embedded improvements
Based on work by Costin
Single class can create a Tomcat instance in a few lines of code
• org.apache.catalina.startup.Tomcat
Very easy to embed
• Tomcat uses it as the basis of most of the Tomcat 7 unit tests
‘Bare bones’ and ‘usual defaults’ options
Full programmatic access to Tomcat internals
Smaller number of JARs
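A minimal launcher on the embedding class the slide names, as an added example (not code from the slides or from the Tomcat project). EmbeddedMain, the port and the base directory are assumptions.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.startup.Tomcat;

// Hypothetical launcher (not from the slides) built on org.apache.catalina.startup.Tomcat.
public class EmbeddedMain {

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);
        // Work directory for the embedded instance; a temporary location is assumed here.
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir") + File.separator + "tomcat-embed");

        // 'Bare bones': addContext() installs no default servlet, no JSP servlet and reads no
        // web.xml, so only what is mapped below is reachable. addWebapp() is the
        // 'usual defaults' option.
        Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());

        Tomcat.addServlet(ctx, "hello", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws ServletException, IOException {
                resp.setContentType("text/plain");
                resp.getWriter().print("Hello from embedded Tomcat 7");
            }
        });
        ctx.addServletMapping("/hello", "hello");

        // The same Context object gives programmatic access to the internals,
        // e.g. the httpOnly flag on the session cookie.
        ctx.setUseHttpOnly(true);

        tomcat.start();
        tomcat.getServer().await(); // block until the server is shut down
    }
}
```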
20. Tomcat 7 – Other improvements and changes
Prevent session fixation attacks
• Session ID changed on authentication
Logging improvements
• OneLineFormatter
• VerbatimFormatter
• AsyncFileHandler
Lots of internal code clean-up
• Use of generics
• Removed unused code
• StringBuffer replaced with StringBuilder
• Loggers made final and static where possible
• Reduce code duplication in the connectors
Start switch from Valves to Filters
21. Tomcat 7 – Other improvements and changes
Generic CSRF protection
Access log enabled by default
LockOut Realm configured by default
Align JMX Beans with code
• GSoC 2010
• Start with just a <Server .../> element in server.xml
• Configure everything else via JMX
22. Tomcat 7 – Plans
JSR 196 implementation
• The Java Authentication SPI for Containers (Servlet Container Profile)
Enhancements to the memory leak protection
Simpler configuration of JNDI resources
Integration with Windows Authentication
Fewer open bugs
More frequent releases
Review outstanding enhancement requests
23. Tomcat 7 – Plans
Implementing the Java EE 6 web profile is not on the roadmap
• No-one is asking for it
• Geronimo is in a better position to provide it
• Tomcat team will monitor demand and review this regularly