2. Agenda
Introduction
Specification changes (Servlet 3.0)
New features (Incl. WebSocket Deep Dive)
Current status
Future plans
Useful resources
Questions
3. Introduction
Apache Tomcat committer & PMC member
VMware employee and Sales Engineer
Weekend Warrior with US Army Reserve
4. What about you?
Who’s running Apache Tomcat 6?
Who’s running Apache Tomcat 5 or older?
5. What do the version numbers mean?
7.0.22
• 7 major version
• 0 minor version
• 22 build number
Major
• New JSRs / Specifications for Servlets/JSPs
• Side effect – New Java Version
6. What do the version numbers mean?
Minor
• 4.0 vs 4.1
• 5.0 vs 5.5
• Refactor of code base
• Possible changes to config files
• Possible changes to internal APIs
7. What do the version numbers mean?
Build Number
• Incremented with each build/SVN tag
• Not all builds become releases
• Historically .18 has been the magic number
• Stability
• Bug fixes
• Ready for enterprises
8. When to upgrade?
Starts with application developers
Need new features in Java
Need new features in Servlet specification
Need new features in a framework built for later versions
11. New version of Java
Less invasive as technology matures
1.5 to 1.6 should be seamless
Moving to 1.6 is beneficial from a performance perspective
12. Asynchronous Servlets
No more thread per request model
Servlet API still uses blocking programming model
• Async is more complex; non-blocking would have made it too complex
Well suited for ‘Web 2.0’ applications
API for developers, does not affect operations teams
13. Annotations
Alternative to XML configuration
Requires scanning of libraries
Will slow down startup time
• Performance can be improved by documenting JAR files not to be scanned
• tomcat.util.scan.DefaultJarScanner.jarsToSkip system property
• Defined in conf/catalina.properties
14. Web Fragments
Libraries can ship with their own partial web.xml configuration
• Eases including frameworks
Requires scanning of libraries
Will slow down startup time
• Performance can be improved by documenting JAR files not to be scanned
• tomcat.util.scan.DefaultJarScanner.jarsToSkip system property
• Defined in conf/catalina.properties
15. Session Management
Session tracking
• Cookie, URL or SSL ID
Session cookie can be configured
• name
• domain
• path
• comment
• secure
• httpOnly
16. Programmatic Login
Easier integration with alternative authentication solutions
Calling login/logout
• Directly within an application
• Allows credentials to be retrieved from an alternative location
17. Other changes
JSP 2.2
• JSP property group additions
• New omit attribute for <jsp:attribute .../>
Expression Language 2.2
• Method invocations
21. Performance
Limit loaded JSPs with LRU cache
GZIP compressed output streams can now be flushed
Remove bottleneck in session ID generation
Crawler session manager valve
AJP NIO connector (will be in 7.0.15 onwards)
22. Performance
Tomcat jdbc-pool
Alternative to commons-dbcp
Well suited to multi-core machines
Documented at tomcat.apache.org
23. Resources
New singleton attribute
Create new object on JNDI lookup
New closeMethod attribute
Close resources upon shutdown/undeploy
24. Deployment
Support parallel deployment
Existing sessions go to the original applications
New users go to the new application
Defer undeployment
DEMO
25. Deployment
Copying of /META-INF/context.xml to $CATALINA_BASE/<engine>/<host>/contextname.xml now optional and disabled by default
One of the most confusing features in older versions
Often left administrators unaware of an accidental deployment
Natural behaviour is that no files get created outside of application
26. Deployment
Improved memory leak detection and prevention
Prevents common memory leaks during undeployment
Warns on unpreventable memory leaks
27. Security
Cross-site request forgery (CSRF) protection filter
CSRF protection added to manager application
• role names & some URLs changed
LockOutRealm used by default
Access log enabled by default
exec is disabled by default for SSI
DefaultServlet serves content from root of context by default
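A web.xml fragment enabling the CSRF protection filter from this slide in an application of your own, added here as an example and not taken from the slides; the filter name and the entry-point paths are assumptions.

```xml
<!-- Fragment: place inside the <web-app> element of WEB-INF/web.xml -->

<filter>
  <!-- Assumed filter name -->
  <filter-name>CsrfFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- Pages that may be requested without a nonce, so that a user
         can arrive from a bookmark or an external link. List only
         pages that change no state (assumed paths). -->
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/login.jsp</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CsrfFilter</filter-name>
  <!-- Protect every URL of the application -->
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter adds its nonce to links through HttpServletResponse.encodeURL() and encodeRedirectURL(), so every link and form action the application renders has to pass through those calls; a request to a non-entry-point URL without a valid nonce is rejected.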
28. Security
Graceful handling of users book-marking the login page
Session IDs generated using SecureRandom by default
SSL renegotiation & RFC 5746
HTTP NIO connector now supports SSL renegotiation
Not having this meant Apache Tomcat was not vulnerable to the recently discovered man-in-the-middle attack
Cookie paths end in /
29. Embedding and Extending
New o.a.catalina.startup.Tomcat class for embedding
Binary and source JARs provided for Apache Maven
Customisable JAR scanning
31. Code clean-up
Generics
Better definition of Lifecycle interface
Comet classes have moved to o.a.catalina.comet
Expanded the unit tests
Added Checkstyle and FindBugs to the build process
Removed unused / deprecated / duplicated code
Custom components using Tomcat internals are likely to require changes
32. Windows
Windows installer detects 32-bit or 64-bit JVM and installs correct native binaries
Windows native authentication (SPNEGO)
Integration with MS Active Directory and Domain Controller
Single Sign On based on Kerberos/SPNEGO
33. Current status
Apache Tomcat 7 is stable as of 7.0.6
Current release is 7.0.27
Continuing to provide a release a month
All releases have passed the Servlet 3.0, JSP 2.2 and EL 2.2 TCKs
Servlet TCK is tested with the following combinations
• HTTP BIO, NIO & APR/native
• mod_jk + AJP BIO, NIO & APR/native
• mod_proxy_http + HTTP BIO, NIO & APR/native
• mod_proxy_ajp + AJP BIO, NIO & APR/native
34. What to expect from an upgrade
Tomcat 4 to Tomcat 7
Tomcat 5 to Tomcat 7
Tomcat 6 to Tomcat 7