Overview of key new features and standards supported in Tomcat 7.0, by the Tomcat 7 release manager Mark Thomas.

1. Introduction to Apache Tomcat 7.0
Mark Thomas, Sr. Software Engineer, SpringSource
August 2010
© 2009 VMware Inc. All rights reserved

2. Agenda
 Introduction
 Overview
 Servlet 3.0
 JSP 2.2
 EL 2.2
 Other (non-specification) features
 Current status
 Useful resources
 Questions
2

3. Introduction
 Mark Thomas
 Tomcat committer (6+ years) and PMC member
 Commons committer (DBCP & Pool)
 Apache Software Foundation Member
 Apache Security Team member
 Tomcat 4 release manager
 Tomcat 7 release manager
 Wrote a large proportion of the updates for Tomcat 7
 Lead SpringSource Security Team
 tc Server developer
3

4. Overview
Tomcat 4 Tomcat 5 Tomcat 6 Tomcat 7
Servlet 2.3 2.4 2.5 3.0
JSP 1.2 2.0 2.1 2.2
EL (2.0) 2.1 2.2
Java 1.2? 1.4 1.5 1.6
4

5. Servlet 3.0
5

6. Servlet 3.0 – Asynchronous processing
 Prior to Servlet 3.0 request/response processing was synchronous
 Response processing can now be asynchronous
• Requests are still synchronous
 More efficient use of Threads
 All Filters and Servlets in the processing chain must support Async
 Typical uses
• Accessing external resources
• Web services
• Databases
• Regular updates to users
• Stock ticker
• Progress indicator
6

7. Servlet 3.0 – web-fragment.xml & annotations
 META-INF/web-fragment.xml
• Packaged with any JAR file
• Broadly same content allowed as web.xml
• Rules on ordering
 Annotations – Servlets, Filters & Listeners
• Can be placed on any class in any JAR
• Scanned on start-up
• Only scanned if JAR is included in fragment ordering
 Annotations – Security, File Upload
• Place on Servlets
• Scanned when Servlet is loaded
 Both fragments and annotations give rise to security concerns
• Effective web,xml can be logged
7

8. Servlet 3.0 – Dynamic configuration
 Alternative to web-fragment.xml
 Programmatic
• More control
 Used by ServletContextListeners
 Addition of:
• Servlets
• Filters
• Listeners
 Change session tracking modes
 Change session cookie configuration
 Set initialisation parameters
 Declare security roles
8

9. Servlet 3.0 – Sessions
 Adds session tracking based on SSL Session ID
• To URL and cookie based tracking
 Session tracking methods application selectable
• Configure in ServletContextListener
• SSL based tracking has to be used on its own
• Now possible to disable URL based tracking (used to be mandatory)
 Can control default parameters for session cookies
• Name – may be overridden by Tomcat
• Domain – may be overridden by Tomcat
• Path – may be overridden by Tomcat
• MaxAge
• Comment
• Secure – may be overridden by Tomcat
• HttpOnly – may be overridden by Tomcat
9

10. Servlet 3.0 – Miscellaneous
 httpOnly
• Not in any of the specifications
• However, widely supported
• Prevents scripts accessing the cookie content
• Provide a degree of XSS protection
 File upload
• Very similar to commons file upload
• Used by the Manager application
 Programmatic login
• Useful when creating a new user account
• Can log the user in without redirecting them to the login page
10

11. JSP 2.2
11

12. JSP 2.2 – JSP Property Group changes
 Three new configuration settings
<jsp-config>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<default-content-type>text/html</default-content-type>
</jsp-property-group>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<buffer>4096</buffer>
</jsp-property-group>
<jsp-property-group>
<url-pattern>*.jsp</url-pattern>
<error-on-undeclared-namespace>
true
</error-on-undeclared-namespace>
</jsp-property-group>
</jsp-config>
12

13. Expression Language 2.2
13

14. EL 2.2 – Method invocations
 EL 2.2 adds support for method invocations
<html>
<head><title>EL method test cases</title></head>
<body>
<%
TesterBeanA beanA = new TesterBeanA();
TesterBeanB beanB = new TesterBeanB();
beanB.setName("Tomcat");
beanA.setBean(beanB);
pageContext.setAttribute("testBeanA", beanA);
pageContext.setAttribute("testBeanB", beanB);
%>
<tags:echo echo="00-${testBeanA["bean"].sayHello('JUnit')}" />
<tags:echo echo="01-${testBeanA.bean.sayHello('JUnit')}" />
<tags:echo echo="02-${testBeanB.sayHello('JUnit')}" />
</body>
</html>
14

15. Other Tomcat 7 changes
15

16. Tomcat 7 – Memory leak protection
 It has been back-ported to Tomcat 6
 Two aspects
• Prevention for JVM context class loader based leaks
• Detection (and fixing where possible) of application leaks
 Application leaks includes leaks in 3rd party libraries
 JDBC drivers
• Should be de-registered
 ThreadLocals
• Should be set to null
 Threads
• Should be stopped
 Also fixes issues with ResourceBundle, RMI & Security Policies
16

17. Tomcat 7 – Alias support
 New <Context .../> attribute
 aliases
• “/aliasPath1=docBase1,/aliasPath2=docBase2”
 docBaseN can be a WAR or a directory
• Must be absolute paths
 Contents NOT deleted on undeploy
 Possible uses:
• Providing common content to multiple web applications from a single location
• Providing alternative paths to resources when embedding (e.g. WEB-INF/lib)
17

18. Tomcat 7 – Manager application
 Correct use of GET and POST
 CSRF protection
• HTML interface only
 Text interface moved
• /manager to /manager/text
 Split roles
• manager-gui (HTML GUI)
• manager-scripts (text interface for Ant, Maven etc)
• manager-jmx (JMX proxy)
• manager-status (just the status page)
 Memory leak detection
• Stopped, reloaded or un-deployed web applications
• Has to trigger a full GC to detect the leak
18

19. Tomcat 7 – Embedded improvements
 Based on work by Costin
 Single class can create a Tomcat instance in a few lines of code
• org.apache.catalina.startup.Tomcat
 Very easy to embed
• Tomcat uses it as the basis of most of the Tomcat 7 unit tests
 ‘Bare bones’ and ‘usual defaults’ options
 Full programmatic access to Tomcat internals
 Smaller number of JARs
19

20. Tomcat 7 – Other improvements and changes
 Prevent session fixation attacks
• Session ID changed on authentication
 Logging improvements
• OneLineFormatter
• VerbatimFormatter
• AsyncFileHandler
 Lots of internal code clean-up
• Use of generics
• Removed unused code
• StringBuffer replaced with StringBuilder
• Loggers made final and static where possible
• Reduce code duplication in the connectors
 Start switch from Valves to Filters
20

21. Tomcat 7 – Other improvements and changes
 Generic CSRF protection
 Access log enabled by default
 LockOut Realm configured by default
 Align JMX Beans with code
• GSoC 2010
• Start with just a <Server .../> element in server.xml
• Configure everything else via JMX
21

22. Tomcat 7 – Plans
 JSP 196 implementation
• The Java Authentication SPI for Containers (Servlet Container Profile)
 Enhancements to the memory leak protection
 Simpler configuration of JNDI resources
 Integration with Windows Authentication
 Fewer open bugs
 More frequent releases
 Review outstanding enhancement requests
22

23. Tomcat 7 – Plans
 Implementing the Java EE 6 web profile is not on the roadmap
• No-one is asking for it
• Geronimo is in a better position to provide it
• Tomcat team will monitor demand and review this regularly
23

24. Current status
24

25. Current status
 First release on 29 June 2010
 Current release is 7.0.2
 7.0.x still considered to be in beta
25

26. Useful resources
26

27. Useful resources
 http://tomcat.apache.org
• http://tomcat.apache.org/download-70.cgi
• http://tomcat.apache.org/tomcat-7.0-doc/index.html
 http://tomcat.apache.org/migration.html
 https://svn.apache.org/repos/asf/tomcat/trunk
 git://git.apache.org/tomcat70.git
 announce@tomcat.apache.org
• Very low traffic
 users@tomcat.apache.org
 Usage questions
 dev@tomcat.apache.org
 Code changes only
27

28. Questions
28