Page 1: Tomcat New Evolution

Tomcat New Evolution

Allan Huang @ esobi Inc.

Page 2: Tomcat New Evolution

Agenda

- Tomcat 6 New Features
- Tomcat 7 New Features

Page 3: Tomcat New Evolution

Tomcat Versions

- Tomcat 5.5.36 was released on 2012-10-10
- Tomcat 6.0.37 was released on 2013-05-03
- Tomcat 7.0.42 was released on 2013-07-05
- Tomcat 8.0.0-RC3 is currently in development

Page 4: Tomcat New Evolution

Tomcat 6

Page 5: Tomcat New Evolution

Tomcat 6 Basis

- Requires Java 1.5 or later
- Servlet 2.5, EL 2.1, JSP 2.1, and JSR 250 (Common Annotations) support
- Restructured code base
  - Merged the common, shared, and server repositories into a single folder, "$CATALINA_HOME/lib"
- Reduced duplicate code
- Removed obsolete items
- Reduced distribution size

Page 6: Tomcat New Evolution

Memory Leak Causes

- The web application calls standard Java APIs that cause memory leaks
  - Using the javax.imageio API, java.beans.Introspector.flushCaches(), XML parsing, RMI, reading resources from JAR files
- JDBC driver registration
- Some logging frameworks
- Storing objects in ThreadLocals and not removing them
- Starting threads and not stopping them
- Not clearing the ResourceBundle cache (from Java 1.6)
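Application-side cleanup for two of the causes listed above (threads that are never stopped, JDBC drivers left registered), as an added example that is not from the original slides. The class name `LeakCleanupListener`, the `workers` attribute and the pool size are assumptions.

```java
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/** Hypothetical listener; register it with a <listener> element in web.xml. */
public class LeakCleanupListener implements ServletContextListener {
    private ExecutorService workers;   // threads started by this web application

    public void contextInitialized(ServletContextEvent event) {
        workers = Executors.newFixedThreadPool(2);
        event.getServletContext().setAttribute("workers", workers);
    }

    public void contextDestroyed(ServletContextEvent event) {
        // Cause: starting threads and not stopping them. A live thread keeps
        // its context class loader, and every class it loaded, reachable.
        workers.shutdownNow();
        try {
            if (!workers.awaitTermination(10, TimeUnit.SECONDS)) {
                event.getServletContext().log("worker threads still running at undeploy");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        // Cause: JDBC driver registration. DriverManager is loaded by the JVM,
        // so a driver registered from WEB-INF/lib pins the web application loader.
        ClassLoader webappLoader = LeakCleanupListener.class.getClassLoader();
        Enumeration<Driver> drivers = DriverManager.getDrivers();
        while (drivers.hasMoreElements()) {
            Driver driver = drivers.nextElement();
            if (driver.getClass().getClassLoader() == webappLoader) {
                try {
                    DriverManager.deregisterDriver(driver);
                } catch (SQLException e) {
                    event.getServletContext().log("could not deregister " + driver, e);
                }
            }
        }
    }
}
```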

Page 7: Tomcat New Evolution

Tomcat Class Loaders

Page 8: Tomcat New Evolution

Tomcat 6 New Features (1)

- Ensure nothing retains a reference to the web application class loader, to prevent OutOfMemoryError.
- Memory Leak Prevention
  - By making sure that Tomcat code makes the calls first, the memory leaks are prevented.
  - JreMemoryLeakPreventionListener
- Memory Leak Detection
  - When a web application is stopped, undeployed or reloaded, Tomcat scans the code for standard causes of memory leaks, and fixes them.
  - Implemented in the WebappClassLoader

Page 9: Tomcat New Evolution

Memory Leak Protection in Tomcat

- Development mode
  - Classes are stored in PermGen using class name
  - Each web application has its own class loader
  - Fix some of the common causes of memory leaks from the PermGen space by removing references to objects that don't get garbage collected
- Production mode
  - It is a good practice to stop Tomcat, clear the work folder and the old web application, deploy the new web application and restart Tomcat.

Page 10: Tomcat New Evolution

Cross-Site Request Forgery

Page 11: Tomcat New Evolution

Tomcat 6 New Features (2)

- CSRF Protection
  - Cross-Site Request Forgery / One-Click Attack / Session Riding
  - Malicious code runs in HTML emails, social media links or Flash files; riding on the open authenticated session, it opens a back door to the application for the attacker to cripple a site or control the user's account.
  - Use a nonce / token issued in an authentication protocol to ensure that old communications cannot be reused in replay CSRF attacks.
  - CsrfPreventionFilter
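The nonce check described above, sketched as a servlet filter. This is an added example, not Tomcat's CsrfPreventionFilter source and not code from the slides; the names `NonceCheckFilter` and `csrfNonce`, the cache size and the entry-point paths are assumptions.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter showing the nonce check; not Tomcat's CsrfPreventionFilter. */
public class NonceCheckFilter implements Filter {
    static final String NONCE = "csrfNonce";   // assumed parameter and attribute name
    static final int CACHE_SIZE = 5;           // how many recent nonces stay valid
    // Assumed entry points: pages a user may open by GET without a nonce.
    static final Set<String> ENTRY_POINTS = new HashSet<String>(Arrays.asList("/", "/index.jsp"));
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);
        String nonce;
        synchronized (session) {
            @SuppressWarnings("unchecked")
            LinkedList<String> issued = (LinkedList<String>) session.getAttribute(NONCE);
            if (issued == null) {
                issued = new LinkedList<String>();
                session.setAttribute(NONCE, issued);
            }
            boolean entry = "GET".equals(req.getMethod())
                    && ENTRY_POINTS.contains(req.getServletPath());
            String sent = req.getParameter(NONCE);
            // Every other request must echo a nonce issued earlier to this session.
            // A page on another site cannot read the victim's pages, so it cannot supply one.
            if (!entry && (sent == null || !issued.contains(sent))) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            byte[] raw = new byte[16];
            random.nextBytes(raw);
            StringBuilder hex = new StringBuilder();
            for (byte b : raw) hex.append(String.format("%02x", b));
            nonce = hex.toString();
            issued.addFirst(nonce);
            if (issued.size() > CACHE_SIZE) issued.removeLast();   // oldest nonce expires
        }
        req.setAttribute(NONCE, nonce);   // pages copy this into every form and link
        chain.doFilter(req, res);
    }
}
```

Tomcat's own filter is enabled by declaring `org.apache.catalina.filters.CsrfPreventionFilter` in web.xml; it adds the nonce to URLs passed through `response.encodeURL()`, so pages do not have to copy it by hand.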

Page 12: Tomcat New Evolution

Session Fixation

Page 13: Tomcat New Evolution

Tomcat 6 New Features (3)

- Session Fixation Protection
  - Attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session ID
  - Most attacks are web based, and most rely on session ID being accepted from URLs (query string) or POST data
- Identity Confirmation
  - This attack can be largely avoided by changing the session ID when users log in.
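Changing the session ID at login, for an application that authenticates users itself rather than through the container. This is an added example, not code from the slides; the class name `LoginServlet`, the parameter names, the `user` attribute and the `/home` path are assumptions, and the credential check is left abstract for the application to supply in a subclass.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login servlet for an application that authenticates users itself. */
public abstract class LoginServlet extends HttpServlet {

    /** Application-specific credential check, supplied by a concrete subclass. */
    protected abstract boolean credentialsValid(String user, String password);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (!credentialsValid(user, req.getParameter("password"))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Keep pre-login state, then discard the session whose ID may have been
        // chosen or observed by someone else before the user logged in.
        Map<String, Object> carried = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        // After invalidate(), getSession(true) creates a session with a new ID.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        fresh.setAttribute("user", user);   // only the new session is authenticated
        res.sendRedirect(req.getContextPath() + "/home");   // assumed landing page
    }
}
```

On a Servlet 3.0 container, setting `<tracking-mode>COOKIE</tracking-mode>` under `<session-config>` in web.xml also stops the container from accepting a session ID carried in the URL.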

Page 14: Tomcat New Evolution

Tomcat 6 New Features (4)

A new NIO (New I/O) Connector allows asynchronous communication of low-level I/O data.

With usage of APR (Apache Portable Runtime) or NIO APIs as the basis of its connectors, Tomcat is able to provide a number of extensions over the regular blocking IO as provided with support for the Servlet API.

| I/O | New I/O |
|---|---|
| Stream Oriented | Buffer Oriented |
| Blocking I/O | Non-Blocking I/O |
| | Selectors |

Page 15: Tomcat New Evolution

I/O vs. New I/O

Page 16: Tomcat New Evolution

NIO Connector

Page 17: Tomcat New Evolution

Tomcat Connector Comparison

| | Java Blocking Connector | Java Non-Blocking Connector | APR / Native Connector |
|---|---|---|---|
| Class Name | Http11Protocol | Http11NioProtocol | Http11AprProtocol |
| Tomcat Version | 3.x onwards | 6.x onwards | 5.5.x onwards |
| Support Polling | NO | YES | YES |
| Polling Size | N/A | maxConnections | maxConnections |
| Read HTTP Request | Blocking | Non Blocking | Blocking |
| Read HTTP Body | Blocking | Sim Blocking | Blocking |
| Write HTTP Response | Blocking | Sim Blocking | Blocking |
| Wait for next Request | Blocking | Non Blocking | Non Blocking |
| SSL Support | Java SSL | Java SSL | OpenSSL |
| SSL Handshake | Blocking | Non Blocking | Blocking |
| Max Connections | maxConnections | maxConnections | maxConnections |

Page 18: Tomcat New Evolution

Tomcat 6 New Features (5)

- Comet Support
  - Comet is a web application model in which a long-held HTTP request allows a web server to push data to a browser, without the browser explicitly requesting it.
  - Ajax Push, Reverse Ajax, Two-way-web, HTTP Streaming, HTTP Server Push
- Usage of Comet requires using the APR or NIO HTTP connectors.
- The classic java.io HTTP connector and the AJP connectors do not support Comet.

Page 19: Tomcat New Evolution

Comet Implementation

- Streaming (Tomcat Implementation)
  - An application using streaming Comet opens a single persistent connection from the client browser to the server for all Comet events.
- Long Polling
  - The browser makes an Ajax-style request to the server, which is kept open until the server has new data to send to the browser.

Page 20: Tomcat New Evolution

Comet Application Model

Page 21: Tomcat New Evolution

Comet Example

Server-Side / Client-Side

Page 22: Tomcat New Evolution

Tomcat 6 New Features (6)

The new Executor element represents a thread pool that can be shared between connectors in Tomcat, but also other components when those get configured to support executors.

Page 23: Tomcat New Evolution

Tomcat 6 New Features (7)

A limitation of java.util.logging appears to be the inability to have per-web application logging, as the configuration is per-VM.

Replace the default LogManager implementation with a container friendly implementation called JULI (Java Utility Logging Implementation)

Use tomcat-juli.jar to allow the implementation of an alternate commons-logging adaptor such as Log4J.

Page 24: Tomcat New Evolution

Tomcat 6 New Features (8)

Tomcat provides factories for Web Services JSR 109 which may be used to resolve web services references.

Place the generated catalina-ws.jar as well as jaxrpc.jar and wsdl4j.jar in the Tomcat lib folder.

Page 25: Tomcat New Evolution

Web Service Architecture

Page 26: Tomcat New Evolution

Tomcat 6 New Features (9)

Changes to the configuration rules allow users to define multiple URL-pattern elements within a single servlet-mapping element.

Page 27: Tomcat New Evolution

Tomcat 6 New Features (10)

Common Annotations Support

- @HandlesTypes
- @HttpConstraint
- @HttpMethodConstraint
- @MultipartConfig
- @ServletSecurity
- @WebFilter
- @WebInitParam
- @WebListener
- @WebServlet

Page 28: Tomcat New Evolution

Single Server Problems

A single server cannot handle the high number of incoming requests efficiently.

A stateful application needs a way of preserving session data if its server fails.

A developer requires the capability to make configuration changes or deploy updates to their applications without discontinuing service.

A clustered architecture solves these problems using a combination of load balancing, multiple servers to process the balanced load, and some kind of session replication.

Page 29: Tomcat New Evolution

Tomcat 6 New Features (11)

- HA (High Availability) – Load Balance
  - Static content is served directly by Apache HTTP server and any dynamic requests forwarded to the Tomcat servers based on some algorithm.
  - JK 1.2.x native connector
  - Apache HTTP Server 2.x with mod_proxy
- HA (High Availability) – Fail-over Solution
  - If the load balancer detects that one of the nodes has gone down it will redirect all the traffic to the second instance and your clients, apart from any on the failed node.
  - Tomcat Session Replication

Page 30: Tomcat New Evolution

Tomcat Clustering

Page 31: Tomcat New Evolution

Apache + Tomcat + MySQL

Page 32: Tomcat New Evolution

Tomcat 7

Page 33: Tomcat New Evolution

Tomcat 7 Basis

- Requires Java 1.6 or later
- Servlet 3.0, EL 2.2, and JSP 2.2, WebSocket RFC 6455 support
- Improved security for the Manager and Host Manager applications
- Offers tomcat-api.jar, which contains interfaces that are shared by Jasper and Catalina
- Provides improved configurability through newly added container components

Page 34: Tomcat New Evolution

Tomcat 7 New Features (1)

A web application might need static resources that increase the size of the war file and also lead to duplication of static resources.

A new aliases attribute in the Context element can point to static resources that are stored outside the war file.

Page 35: Tomcat New Evolution

Tomcat 7 New Features (2)

- WebSocket Support
  - WebSocket, developed as part of the HTML5 initiative, introduced the WebSocket JavaScript interface, which defines a full-duplex single socket connection over which messages can be sent between client and server.
  - The WebSocket standard simplifies much of the complexity around bi-directional web communication and connection management.

Page 36: Tomcat New Evolution

WebSocket Structure

Page 37: Tomcat New Evolution

WebSocket Example

Server-Side / Client-Side

Page 38: Tomcat New Evolution

Tomcat 7 New Features (3)

Tomcat can be embedded in an application and it can be configured and started programmatically.

A new Tomcat class uses defaults for several configuration elements and provides an easier and simpler way to embed Tomcat.

Page 39: Tomcat New Evolution

Embedded Tomcat Example

Page 40: Tomcat New Evolution

Tomcat 7 New Features (4)

AsyncFileHandler employs a producer/consumer relationship with the queue to store log messages.

Replace all occurrences of FileHandler with AsyncFileHandler in the "$CATALINA_HOME/conf/logging.properties" file.

The application must use java.util.logging; asynchronous logging does not work with Log4j.

Page 41: Tomcat New Evolution

AsyncFileHandler Class Diagram

Page 44: Tomcat New Evolution

Q&A