Tomcat New Evolution

  • View

  • Download

Embed Size (px)



Text of Tomcat New Evolution

  • 1. Tomcat New Evolution Allan Huang @ esobi Inc.
  • 2. Agenda Tomcat 6 New Features Tomcat 7 New Features
  • 3. Tomcat Versions Tomcat 5.5.36 was released on 2012-10-10 Tomcat 6.0.37 was released on 2013-05-03 Tomcat 7.0.42 was released on 2013-07-05 Tomcat 8.0.0-RC3 is developing currently
  • 4. Tomcat 6
  • 5. Tomcat 6 Basis Need Java 1.5 or further version Servlet 2.5, EL 2.1, JSP 2.1, and JSR 250 (Common Annotation) support Restructured code base Merge the common, shared, and server repositories into a single folder, "$CATALINA_HOME/lib" Reduced duplicate code Removed obsolete items Reduced distribution size
  • 6. Memory Leak Causes Web application calls standard Java APIs that will cause memory leaks Use Javax.imageio API, java.bean.introspector.flushCaches(), XML parsing, RMI, reading resources from jar files. JDBC drivers registration Some logging framework Storing objects in ThreadLocals and not removing them Starting threads and not stopping them Not clear ResourceBundle cache (from Java 1.6)
  • 7. Tomcat Class Loaders
  • 8. Tomcat 6 New Features (1) Ensure nothing retains a reference to the web application class loader to prevent OutOfMemoryError. Memory Leak Prevention By making sure that Tomcat code makes the calls firstly, the memory leaks are prevented. JreMemoryLeakPreventionListener Memory Leak Detection When a web application is stopped, undeployed or reloaded, Tomcat scans the code for standard causes of memory leaks, and fixes them. Implemented in the WebappClassLoader
  • 9. Memory Leak Protection in Tomcat Development mode Classes are stored in PermGen using class name Each web application has its own class loader Fix some of the common causes of Memory Leaks from the PermGen space by removing references to objects that don't get Garbage Collected Production mode It is a good practice to stop Tomcat, clear the work folder and the old web application, deploy the new web application and restart Tomcat.
  • 10. Cross-Site Request Forgery
  • 11. Tomcat 6 New Features (2) CSRF Protection Cross-Site Request Forgery / One-Click Attack / Session Riding Malicious code runs in HTML emails, social media links or flash files, riding on the open authenticated session, it opens a back door to the application for the attacker to cripple a site or control the users account. Use a nonce / token issued in an authentication protocol to ensure that old communications cannot be reused in replay CSRF attacks. CsrfPreventionFilter
  • 12. Session Fixation
  • 13. Tomcat 6 New Features (3) Session Fixation Protection Attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session ID Most attacks are web based, and most rely on session ID being accepted from URLs (query string) or POST data Identity Confirmation This attack can be largely avoided by changing the session ID when users log in.
  • 14. Tomcat 6 New Features (4) A new NIO (New I/O) Connector allows asynchronous communication of low-level I/O data. With usage of APR (Apache Portable Runtime) or NIO APIs as the basis of its connectors, Tomcat is able to provide a number of extensions over the regular blocking IO as provided with support for the Servlet API. I/O New I/O Stream Oriented Buffer Oriented Blocking I/O Non-Blocking I/O Selectors
  • 15. I/O vs. New I/O I/O New I/O
  • 16. NIO Connector
  • 17. Tomcat Connector Comparison Java Blocking Connector Java Non-Blocking Connector APR / Native Connector Class Name Http11Protocol Http11NioProtocol Http11AprProtocol Tomcat Version 3.x onwards 6.x onwards 5.5.x onwards Support Polling NO YES YES Polling Size N/A maxConnections maxConnections Read HTTP Request Blocking Non Blocking Blocking Read HTTP Body Blocking Sim Blocking Blocking Write HTTP Response Blocking Sim Blocking Blocking Wait for next Request Blocking Non Blocking Non Blocking SSL Support Java SSL Java SSL OpenSSL SSL Handshake Blocking Non Blocking Blocking Max Connections maxConnections maxConnections maxConnections
  • 18. Tomcat 6 New Features (5) Comet Support Comet is a web application model in which a long-held HTTP request allows a web server to push data to a browser, without the browser explicitly requesting it. Ajax Push, Reverse Ajax, Two-way-web, HTTP Streaming, HTTP Server Push Usage of Comet requires using the APR or NIO HTTP connectors. The classic HTTP connector and the AJP connectors do not support Comet.
  • 19. Comet Implementation Streaming (Tomcat Implementation) An application using streaming Comet opens a single persistent connection from the client browser to the server for all Comet events. Long Polling The browser makes an Ajax-style request to the server, which is kept open until the server has new data to send to the browser.
  • 20. Comet Application Model
  • 21. Comet Example Client-Side Server-Side
  • 22. Tomcat 6 New Features (6) The new Executor element represents a thread pool that can be shared between connectors in Tomcat, but also other components when those get configured to support executors.
  • 23. Tomcat 6 New Features (7) A limitation of java.util.logging appears to be the inability to have per-web application logging, as the configuration is per-VM. Replace the default LogManager implementation with a container friendly implementation called JULI (Java Utility Logging Implementation) Use tomcat-juli.jar to allows the implementation of an alternate commonslogging adaptor such as Log4J.
  • 24. Tomcat 6 New Features (8) Tomcat provides factories for Web Services JSR 109 which may be used to resolve web services references. Place the generated catalina-ws.jar as well as jaxrpc.jar and wsdl4j.jar in the Tomcat lib folder.
  • 25. Web Service Architecture
  • 26. Tomcat 6 New Features (9) Changes to the configuration rules allow users to define multiple URL-pattern elements within a single servlet-mapping element.
  • 27. Tomcat 6 New Features (10) Common Annotations Support @HandlesTypes @HttpConstraint @HttpMethodConstraint @MultipartConfig @ServletSecurity @WebFilter @WebInitParam @WebListener @WebServlet
  • 28. Single Server Problems A single server cannot handle the high number of incoming requests efficiently. A stateful application needs a way of preserving session data if its server fails. A developer requires the capability to make configuration changes or deploy updates to their applications without discontinuing service. A clustered architecture solves these problems using a combination of load balancing, multiple servers to process the balanced load, and some kind of session replication.
  • 29. Tomcat 6 New Features (11) HA (High Availability) Load Balance Static content is served directly by Apache HTTP server and any dynamic requests forwarded to the Tomcat servers based on some algorithm. JK 1.2.x native connector Apache HTTP Server 2.x with mod_proxy HA (High Availability) Fail-over Solution If the load balancer detects that one of the nodes has gone down it will redirect all the traffic to the second instance and your clients, apart from any on the failed node. Tomcat Session Replication
  • 30. Tomcat Clustering