Tomcat New Evolution
Allan Huang @ esobi Inc.
Agenda
Tomcat 6 New Features Tomcat 7 New Features
Tomcat Versions
Tomcat 5.5.36 was released on 2012-10-10 Tomcat 6.0.37 was released on 2013-05-03 Tomcat 7.0.42 was released on 2013-07-05 Tomcat 8.0.0-RC3 is developing currently
Tomcat 6
Tomcat 6 Basis
Need Java 1.5 or further version Servlet 2.5, EL 2.1, JSP 2.1, and JSR 250
(Common Annotation) support Restructured code base
Merge the common, shared, and server repositories into a single folder, "$CATALINA_HOME/lib"
Reduced duplicate code Removed obsolete items Reduced distribution size
Memory Leak Causes
Web application calls standard Java APIs that will cause memory leaks Use Javax.imageio API,
java.bean.introspector.flushCaches(), XML parsing, RMI, reading resources from jar files.
JDBC drivers registration Some logging framework Storing objects in ThreadLocals and not removing
them Starting threads and not stopping them Not clear ResourceBundle cache (from Java 1.6)
Tomcat Class Loaders
Tomcat 6 New Features (1)
Ensure nothing retains a reference to the web application class loader to prevent OutOfMemoryError.
Memory Leak Prevention By making sure that Tomcat code makes the calls firstly,
the memory leaks are prevented. JreMemoryLeakPreventionListener
Memory Leak Detection When a web application is stopped, undeployed or
reloaded, Tomcat scans the code for standard causes of memory leaks, and fixes them. Implemented in the WebappClassLoader
Memory Leak Protection in Tomcat Development mode
Classes are stored in PermGen using class name Each web application has its own class loader Fix some of the common causes of Memory Leaks from the
PermGen space by removing references to objects that don't get Garbage Collected
Production mode It is a good practice to stop Tomcat, clear the work folder
and the old web application, deploy the new web application and restart Tomcat.
Cross-Site Request Forgery
Tomcat 6 New Features (2)
CSRF Protection Cross-Site Request Forgery / One-Click Attack / Session
Riding Malicious code runs in HTML emails, social media links or
flash files, riding on the open authenticated session, it opens a back door to the application for the attacker to cripple a site or control the users account.
Use a nonce / token issued in an authentication protocol to ensure that old communications cannot be reused in replay CSRF attacks. CsrfPreventionFilter
Session Fixation
Tomcat 6 New Features (3)
Session Fixation Protection Attacks attempt to exploit the vulnerability of a
system which allows one person to fixate (set) another person's session ID
Most attacks are web based, and most rely on session ID being accepted from URLs (query string) or POST data
Identity Confirmation This attack can be largely avoided by changing the
session ID when users log in.
Tomcat 6 New Features (4)
A new NIO (New I/O) Connector allows asynchronous communication of low-level I/O data.
With usage of APR (Apache Portable Runtime) or NIO APIs as the basis of its connectors, Tomcat is able to provide a number of extensions over the regular blocking IO as provided with support for the Servlet API.
I/O New I/O
Stream Oriented Buffer Oriented
Blocking I/O Non-Blocking I/O
Selectors
I/O vs. New I/OI/O New I/O
NIO Connector
Tomcat Connector ComparisonJava Blocking
ConnectorJava Non-Blocking Connector
APR / Native Connector
Class Name Http11Protocol Http11NioProtocol Http11AprProtocol
Tomcat Version 3.x onwards 6.x onwards 5.5.x onwards
Support Polling NO YES YES
Polling Size N/A maxConnections maxConnections
Read HTTP Request Blocking Non Blocking Blocking
Read HTTP Body Blocking Sim Blocking Blocking
Write HTTP Response
Blocking Sim Blocking Blocking
Wait for next Request Blocking Non Blocking Non Blocking
SSL Support Java SSL Java SSL OpenSSL
SSL Handshake Blocking Non Blocking Blocking
Max Connections maxConnections maxConnections maxConnections
Tomcat 6 New Features (5)
Comet Support Comet is a web application model in which a
long-held HTTP request allows a web server to push data to a browser, without the browser explicitly requesting it.
Ajax Push, Reverse Ajax, Two-way-web, HTTP Streaming, HTTP Server Push
Usage of Comet requires using the APR or NIO HTTP connectors.
The classic java.io HTTP connector and the AJP connectors do not support Comet.
Comet Implementation
Streaming (Tomcat Implementation) An application using streaming Comet opens a
single persistent connection from the client browser to the server for all Comet events.
Long Polling The browser makes an Ajax-style request to the
server, which is kept open until the server has new data to send to the browser.
Comet Application Model
Comet Example
Server-SideClient-Side
Tomcat 6 New Features (6)
The new Executor element represents a thread pool that can be shared between connectors in Tomcat, but also other components when those get configured to support executors.
Tomcat 6 New Features (7)
A limitation of java.util.logging appears to be the inability to have per-web application logging, as the configuration is per-VM.
Replace the default LogManager implementation with a container friendly implementation called JULI (Java Utility Logging Implementation)
Use tomcat-juli.jar to allows the implementation of an alternate commons-logging adaptor such as Log4J.
Tomcat 6 New Features (8)
Tomcat provides factories for Web Services JSR 109 which may be used to resolve web services references.
Place the generated catalina-ws.jar as well as jaxrpc.jar and wsdl4j.jar in the Tomcat lib folder.
Web Service Architecture
Tomcat 6 New Features (9)
Changes to the configuration rules allow users to define multiple URL-pattern elements within a single servlet-mapping element.
Tomcat 6 New Features (10)
Common Annotations Support @HandlesTypes @HttpConstraint @HttpMethodConstraint @MultipartConfig @ServletSecurity @WebFilter @WebInitParam @WebListener @WebServlet
Single Server Problems
A single server cannot handle the high number of incoming requests efficiently.
A stateful application needs a way of preserving session data if its server fails.
A developer requires the capability to make configuration changes or deploy updates to their applications without discontinuing service.
A clustered architecture solves these problems using a combination of load balancing, multiple servers to process the balanced load, and some kind of session replication.
Tomcat 6 New Features (11)
HA (High Availability) – Load Balance Static content is served directly by Apache HTTP server and any
dynamic requests forwarded to the Tomcat servers based on some algorithm.
JK 1.2.x native connector Apache HTTP Server 2.x with mod_proxy
HA (High Availability) – Fail-over Solution If the load balancer detects that one of the nodes has gone down
it will redirect all the traffic to the second instance and your clients, apart from any on the failed node.
Tomcat Session Replication
Tomcat Clustering
Apache + Tomcat + MySQL
Tomcat 7
Tomcat 7 Basis
Need Java 1.6 or further version Servlet 3.0, EL 2.2, and JSP 2.2, WebSocket RFC
6455 support Improved security for the Manager and Host
Manager applications Offers tomcat-api.jar which contains interfaces that
are shared by the Jasper and Catalina Provides improved configurability through newly
added container components
Tomcat 7 New Features (1)
A Web application might need static resources that increases the size of the war file and also leads to duplication of static resources.
Allows a new aliases attribute in the context element that can point to the static resources are stored outside the war file.
Tomcat 7 New Features (2)
WebSocket Support WebSocket developed as part of the HTML5
initiative — introduced the WebSocket JavaScript interface, which defines a full-duplex single socket connection over which messages can be sent between client and server.
The WebSocket standard simplifies much of the complexity around bi-directional web communication and connection management.
WebSocket Structure
WebSocket ExampleServer-Side
Client-Side
Tomcat 7 New Features (3)
Tomcat can be embedded in an application and it can be configured and started programmatically.
A new Tomcat class uses defaults for several configuration elements and provides an easier and simpler way to embed Tomcat.
Embedded Tomcat Example
Tomcat 7 New Features (4)
AsyncFileHandler employs a producer/consumer relationship with the queue to store log messages.
Replace all occurrences of FileHandler with AsyncFileHandler in the "$CATALINA_HOME/conf/logging.properties" file.
The application must use java.util.Logging; asynchronous logging does not work with Log4j.
AsynFileHandler Class Diagram
Reference (1)
Apache Tomcat - Which Version Do I Want? Memory Leak Protection in Tomcat 7 Tomcat Wiki – Memory Leak Protection Cross-site Request Forgery Session Fixation Wikipedia The Top 3 Apache Tomcat 7 features now Available
in Apache Tomcat 6 Tomcat 6 – New Features, Migration, and Tomcat 7 Java NIO vs. IO
Reference (2)
Comet (programming) Wikipedia Apache Tomcat Configuration Reference - The Executor
(thread pool) A Simple Guide To Tomcat Logging Setting up Clustering on Apache/Tomcat using Jakarta
mod_jk Top 7 Features in Tomcat 7: The New and the Improved What’s New in Tomcat 7 Tomcat 7 Changes And New Features HTML5 WebSocket Client WebSocket Wikipedia
Q&A