3. Tomcat Versions
Tomcat 5.5.36 was released on 2012-10-10
Tomcat 6.0.37 was released on 2013-05-03
Tomcat 7.0.42 was released on 2013-07-05
Tomcat 8.0.0-RC3 is currently in development
5. Tomcat 6 Basis
Requires Java 1.5 or later
Servlet 2.5, EL 2.1, JSP 2.1, and JSR 250
(Common Annotations) support
Restructured code base
Merged the common, shared, and server
repositories into a single folder,
"$CATALINA_HOME/lib"
Reduced duplicate code
Removed obsolete items
Reduced distribution size
6. Memory Leak Causes
Web application calls standard Java APIs that will
cause memory leaks
Use of the javax.imageio API,
java.beans.Introspector.flushCaches(), XML parsing, RMI,
reading resources from jar files.
JDBC driver registration
Some logging frameworks
Storing objects in ThreadLocals and not removing
them
Starting threads and not stopping them
Not clearing the ResourceBundle cache (from Java 1.6)
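The ThreadLocal cause listed above, as an added example in plain Java (not code from the slides or from Tomcat): one pooled worker thread, like a container request thread, handles a "request" and is then reused. The class and method names are assumptions made for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class ThreadLocalLeakDemo {
    // Stands in for per-request state an application parks in a ThreadLocal.
    private static final ThreadLocal<byte[]> REQUEST_STATE = new ThreadLocal<>();

    // Leaky handler: sets the value and never removes it.
    static Runnable leakyRequest() {
        return () -> REQUEST_STATE.set(new byte[1024 * 1024]);
    }

    // Fixed handler: clears the slot before the thread goes back to the pool.
    static Runnable cleanRequest() {
        return () -> {
            REQUEST_STATE.set(new byte[1024 * 1024]);
            try {
                // ... request processing would happen here ...
            } finally {
                REQUEST_STATE.remove();
            }
        };
    }

    // Runs one "request", then asks the same pooled thread whether the
    // value is still attached to it.
    static boolean stateSurvives(Runnable request) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one reused worker
        try {
            pool.submit(request).get();
            return pool.submit(() -> REQUEST_STATE.get() != null).get();
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("leaky handler, state survives: " + stateSurvives(leakyRequest()));
        System.out.println("clean handler, state survives: " + stateSurvives(cleanRequest()));
    }
}
```

With the leaky handler the value stays reachable from the worker thread after the request ends, so in a container it keeps its class, and through it the web application class loader, alive across a redeploy.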
8. Tomcat 6 New Features (1)
Ensure nothing retains a reference to the web
application class loader to prevent
OutOfMemoryError.
Memory Leak Prevention
By making sure that Tomcat code makes these calls first,
the memory leaks are prevented.
JreMemoryLeakPreventionListener
Memory Leak Detection
When a web application is stopped, undeployed or
reloaded, Tomcat scans the code for standard causes of
memory leaks, and fixes them.
Implemented in the WebappClassLoader
9. Memory Leak Protection in Tomcat
Development mode
Classes are stored in PermGen using class name
Each web application has its own class loader
Fix some of the common causes of Memory Leaks from the
PermGen space by removing references to objects that
don't get Garbage Collected
Production mode
It is a good practice to stop Tomcat, clear the work folder
and the old web application, deploy the new web
application and restart Tomcat.
11. Tomcat 6 New Features (2)
CSRF Protection
Cross-Site Request Forgery / One-Click Attack / Session
Riding
Malicious code delivered through HTML emails, social media links or
Flash files rides on the user's open authenticated session and
opens a back door to the application, letting the attacker
cripple a site or control the user's account.
Use a nonce / token issued in an authentication protocol to
ensure that old communications cannot be reused in replay
CSRF attacks.
CsrfPreventionFilter
13. Tomcat 6 New Features (3)
Session Fixation Protection
Attacks attempt to exploit the vulnerability of a
system which allows one person to fixate (set)
another person's session ID
Most attacks are web based, and most rely on
session ID being accepted from URLs (query
string) or POST data
Identity Confirmation
This attack can be largely avoided by changing the
session ID when users log in.
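Changing the session ID at login, as an added example in plain Java (not Tomcat's implementation): a hypothetical in-memory session store whose login step moves the session attributes to a new ID and discards the old one. All class and method names are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class SessionRotationDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Hypothetical session store: session ID -> attributes.
    private final Map<String, Map<String, Object>> sessions = new HashMap<>();

    private static String newId() {
        return Long.toHexString(RANDOM.nextLong()) + Long.toHexString(RANDOM.nextLong());
    }

    // Creates an unauthenticated session and returns its ID.
    String create() {
        String id = newId();
        sessions.put(id, new HashMap<String, Object>());
        return id;
    }

    // Login: keep the attributes, but bind them to a new ID and drop the old one.
    String login(String currentId, String user) {
        Map<String, Object> attrs = sessions.remove(currentId);
        if (attrs == null) attrs = new HashMap<>();
        attrs.put("user", user);
        String freshId = newId();
        sessions.put(freshId, attrs);
        return freshId;
    }

    // Returns the authenticated user for an ID, or null if there is none.
    Object userFor(String id) {
        Map<String, Object> attrs = sessions.get(id);
        return attrs == null ? null : attrs.get("user");
    }

    public static void main(String[] args) {
        SessionRotationDemo server = new SessionRotationDemo();
        String preLogin = server.create();                   // ID in use before authentication
        String postLogin = server.login(preLogin, "alice");  // constructed sample user
        System.out.println("ID changed on login:     " + !preLogin.equals(postLogin));
        System.out.println("old ID is authenticated: " + (server.userFor(preLogin) != null));
        System.out.println("new ID is authenticated: " + (server.userFor(postLogin) != null));
    }
}
```

Because the pre-login ID no longer maps to any session after login, an ID that someone else set before authentication never becomes an authenticated one.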
14. Tomcat 6 New Features (4)
A new NIO (New I/O) Connector allows asynchronous
communication of low-level I/O data.
By using APR (Apache Portable Runtime) or the NIO APIs
as the basis of its connectors, Tomcat is able to provide a
number of extensions over the regular blocking I/O that is
provided with support for the Servlet API.
I/O                New I/O
Stream Oriented    Buffer Oriented
Blocking I/O       Non-Blocking I/O
                   Selectors
17. Tomcat Connector Comparison
                        Java Blocking     Java Non-Blocking   APR / Native
                        Connector         Connector           Connector
------------------------------------------------------------------------------
Class Name              Http11Protocol    Http11NioProtocol   Http11AprProtocol
Tomcat Version          3.x onwards       6.x onwards         5.5.x onwards
Support Polling         NO                YES                 YES
Polling Size            N/A               maxConnections      maxConnections
Read HTTP Request       Blocking          Non Blocking        Blocking
Read HTTP Body          Blocking          Sim Blocking        Blocking
Write HTTP Response     Blocking          Sim Blocking        Blocking
Wait for next Request   Blocking          Non Blocking        Non Blocking
SSL Support             Java SSL          Java SSL            OpenSSL
SSL Handshake           Blocking          Non Blocking        Blocking
Max Connections         maxConnections    maxConnections      maxConnections
18. Tomcat 6 New Features (5)
Comet Support
Comet is a web application model in which a
long-held HTTP request allows a web server to
push data to a browser, without the browser
explicitly requesting it.
Ajax Push, Reverse Ajax, Two-way-web, HTTP
Streaming, HTTP Server Push
Usage of Comet requires using the APR or NIO
HTTP connectors.
The classic java.io HTTP connector and the AJP
connectors do not support Comet.
19. Comet Implementation
Streaming (Tomcat Implementation)
An application using streaming Comet opens a
single persistent connection from the client
browser to the server for all Comet events.
Long Polling
The browser makes an Ajax-style request to the
server, which is kept open until the server has
new data to send to the browser.
22. Tomcat 6 New Features (6)
The new Executor element represents a thread pool
that can be shared between connectors in Tomcat,
but also other components when those get
configured to support executors.
23. Tomcat 6 New Features (7)
A limitation of java.util.logging appears to be
the inability to have per-web application
logging, as the configuration is per-VM.
Replace the default LogManager
implementation with a container friendly
implementation called JULI (Java Utility
Logging Implementation)
Use tomcat-juli.jar to allow the
implementation of an alternate commons-logging adaptor such as Log4J.
24. Tomcat 6 New Features (8)
Tomcat provides factories for Web Services
JSR 109 which may be used to resolve web
services references.
Place the generated catalina-ws.jar as well
as jaxrpc.jar and wsdl4j.jar in the Tomcat lib
folder.
26. Tomcat 6 New Features (9)
Changes to the configuration rules allow
users to define multiple URL-pattern
elements within a single servlet-mapping
element.
27. Tomcat 6 New Features (10)
Common Annotations
Support
@HandlesTypes
@HttpConstraint
@HttpMethodConstraint
@MultipartConfig
@ServletSecurity
@WebFilter
@WebInitParam
@WebListener
@WebServlet
28. Single Server Problems
A single server cannot handle the high number of
incoming requests efficiently.
A stateful application needs a way of preserving
session data if its server fails.
A developer requires the capability to make
configuration changes or deploy updates to their
applications without discontinuing service.
A clustered architecture solves these problems
using a combination of load balancing, multiple
servers to process the balanced load, and some
kind of session replication.
29. Tomcat 6 New Features (11)
HA (High Availability) – Load Balance
Static content is served directly by Apache HTTP server and any
dynamic requests forwarded to the Tomcat servers based on
some algorithm.
JK 1.2.x native connector
Apache HTTP Server 2.x with mod_proxy
HA (High Availability) – Fail-over Solution
If the load balancer detects that one of the nodes has gone down
it will redirect all the traffic to the second instance and your
clients, apart from any on the failed node.
Tomcat Session Replication
33. Tomcat 7 Basis
Requires Java 1.6 or later
Servlet 3.0, EL 2.2, and JSP 2.2, WebSocket RFC
6455 support
Improved security for the Manager and Host
Manager applications
Offers tomcat-api.jar, which contains interfaces that
are shared by Jasper and Catalina
Provides improved configurability through newly
added container components
34. Tomcat 7 New Features (1)
A web application might need static
resources that increase the size of the WAR
file and also lead to duplication of static
resources.
Allows a new aliases attribute in the context
element that can point to static resources
stored outside the WAR file.
35. Tomcat 7 New Features (2)
WebSocket Support
WebSocket, developed as part of the HTML5
initiative, introduced the WebSocket JavaScript
interface, which defines a full-duplex single socket
connection over which messages can be sent
between client and server.
The WebSocket standard simplifies much of the
complexity around bi-directional web
communication and connection management.
38. Tomcat 7 New Features (3)
Tomcat can be embedded in an application
and it can be configured and started
programmatically.
A new Tomcat class uses defaults for several
configuration elements and provides an
easier and simpler way to embed Tomcat.
40. Tomcat 7 New Features (4)
AsyncFileHandler employs a
producer/consumer relationship with the
queue to store log messages.
Replace all occurrences of FileHandler with
AsyncFileHandler in the
"$CATALINA_HOME/conf/logging.properties" file.
The application must use java.util.logging;
asynchronous logging does not work with
Log4j.