© 2009 VMware Inc. All rights reserved

Upgrading to Apache Tomcat 7

Filip Hanik, Systems Engineer

2

Agenda

Introduction

Specification changes (Servlet 3.0)

New features (Incl. WebSocket Deep Dive)

Current status

Future plans

Useful resources

Questions

3

Introduction

Apache Tomcat committer & PMC member

Vmware Employee and Sales Engineer

Weekend Warrior with US Army Reserve

4

What about you?

Who’s running Apache Tomcat 6?

Who’s running Apache Tomcat 5 or older?

5

What do the version numbers mean?

7.0.22

• 7 major version

• 0 minor version

• 22 build number

Major

• New JSRs / Specifications for Servlets/JSPs

• Side effect – New Java Version

6

What do the version numbers mean?

7.0.22

• 7 major version

• 0 minor version

• 22 build number

Minor

• 4.0 vs 4.1

• 5.0 vs 5.5

• Refactor of code base

• Possible changes to config files

• Possible changes to internal APIs

7

What do the version numbers mean?

7.0.22

• 7 major version

• 0 minor version

• 22 build number

Build Number

• Incremented with each build/SVN tag

• Not all builds become release

• Historically .18 has been the magic number

• Stability

• Bug fixes

• Ready for enterprises

8

When to upgrade?

Starts with application developers

Need new features in Java

Need new features in Servlet specification

Need new features in a framework built for later versions

9

So what changed?

10

Specification Changes

11

New version of Java

Less invasive as technology matures

1.5 to 1.6 should be seamless

Moving to 1.6 is beneficial from performance perspective

12

Asynchronous Servlets

No more thread per request model

Servlet API still uses blocking programming model

• Async is more complex, non blocking would have made it too complex

Well suited for ‘Web 2.0’ applications

API for developers, does not affect operations teams

13

Annotations

Alternative to XML configuration

Requires scanning of libraries

Will slow down startup time

• Performance can be improved by documenting JAR files not to be scanned

• tomcat.util.scan.DefaultJarScanner.jarsToSkip system property

• Defined in conf/catalina.properties

14

Web Fragments

Libraries can ship with its partial web.xml configuration

• Eases including frameworks

Requires scanning of libraries

Will slow down startup time

• Performance can be improved by documenting JAR files not to be scanned

• tomcat.util.scan.DefaultJarScanner.jarsToSkip system property

• Defined in conf/catalina.properties

15

Session Management

Session tracking

• Cookie, URL or SSL ID

Session cookie can be configured

• name

• domain

• path

• comment

• secure

• httpOnly

16

Programmatic Login

Easier integration with alternative authentication solutions

Calling login/logout

• Directly within an application

• Allows to retrieve credentials from alternative location

17

Other changes

JSP 2.2

• JSP property group additions

• New omit attribute for <jsp:attribute .../>

Expression Language 2.2

• Method invocations

18

New featuresTomcat evolves too

19

Management

JMX remote lifecycle listener Allows JMX communication through firewall

jconsole (or JMX client) url

20

Management

Manager application can differentiate between primary, backup and proxy sessions

21

Performance

Limit loaded JSPs with LRU cache

GZIP compressed output streams can now be flushed

Remove bottleneck in session ID generation

Crawler session manager valve

AJP NIO connector (will be in 7.0.15 onwards)

22

Performance

Tomcat jdbc-pool

Alternative to commons-dbcp

Well fitted for multi core machines

Documented at tomcat.apache.org

23

Resources

New singleton attribute Create new object on JNDI lookup

New closeMethod attribute Close resources upon shutdown/undeploy

24

Deployment

Support parallel deployment

Existing sessions go to the original applications

New users go to the new application

Defer undeployment

DEMO

25

Deployment

Copying of /META-INF/context.xml to

$CATALINA_BASE/<engine>/<host>/contextname.xml

now optional and disabled by default

One of the most confusing features in old version

Often resulted in administrators unaware of accidental deployment

Natural behaviour is that no files get created outside of application

26

Deployment

Improved memory leak detection and prevention

Prevents common memory leaks during undeployment

Warns on unpreventable memory leaks

27

Security

Cross-site request forgery (CSRF) protection filter

CSRF protection added to manager application

• role names & some URLs changed

LockOutRealm used by default

Access log enabled by default

exec is disabled by default for SSI

DefaultServlet serves content from root of context by default

28

Security

Graceful handling of users book-marking the login page

Session IDs generated using SecureRandom by default

SSL renegotiation & RFC 5746

HTTP NIO connector now supports SSL renegotiation Not having this made Apache Tomcat not be vulnerable to the man in the middle

attack recently discovered

Cookie paths end in /

29

Embedding and Extending

New o.a.catalina.startup.Tomcat class for embedding

Binary and source JARs provided for Apache Maven

Customisable JAR scanning

30

Embedding and Extending

New o.a.catalina.startup.Tomcat class for embedding

Adding a servlet

31

Code clean-up

Generics

Better definition of Lifecycle interface

Comet classes have moved to o.a.catalina.comet

Expanded the unit tests

Added Checkstyle and FindBugs to the build process

Removed unused / deprecated / duplicated code

Custom components using Tomcat internals are likely to require changes

32

Windows

Windows installer detects 32-bit or 64-bit JVM and installs correct native binaries

Windows native authentication (SPNEGO) Integration with

MS Active DirectoryandDomain Controller

Single Sign On based on Kerberos/SPNEGO

33

Current status

Apache Tomcat 7 is stable as of 7.0.6 Current release is 7.0.27

Continuing to provide a release a month

All releases have passed the Servlet 3.0, JSP 2.2 and EL 2.2 TCKs

Servlet TCK is tested with the following combinations

• HTTP BIO, NIO & APR/native

• mod_jk + AJP BIO, NIO & APR/native

• mod_proxy_http + HTTP BIO, NIO & APR/native

• mod_proxy_ajp + AJP BIO, NIO & APR/native

34

What to expect from an upgrade

Tomcat 4 to Tomcat 7

Tomcat 5 to Tomcat 7

Tomcat 6 to Tomcat 7

35

Web SocketsNew in Tomcat 7.027

Part of HTML 5

36

WebSockets – Bi-drectional protocol (binary/text)

37

Event Based on both Server and Client

38

Client - Initiating a WebSocket

39

Client - Initiating a WebScoket

40

Network – Opening WebSocket Request

41

In Tomcat 7 – Extend WebSocketServlet

42

In Tomcat 7 – Create a StreamInbound object

43

44

Network – Opening WebSocket - Response

45

Socket Opened – First Event

46

47

Client - Send a Message

48

In Tomcat 7 – Receive the message

49

50

51

Client – Receive the Message

52

Future Plans

Servlet 3.1 addition

Commons DBCP v2

Socket IO

Keep on top of open bugs

Continue reviewing enhancement requests

53

Useful Resources

54

Useful resources

http://www.tomcatexpert.com

http://tomcat.apache.org

• http://blogs.apache.org/tomcat

Mailing lists

• users

• dev

• announce

http://tomcat.markmail.org

http://svn.apache.org/repos/asf/tomcat/trunk/webapps/ docs/changelog.xml

http://ci.apache.org/projects/tomcat/tomcat7/docs/

http://s.apache.org/tomcat-7-open-issues

55

References

56

References

TomcatExpert.comhttp://www.tomcatexpert.com/blog/2012/04/24/websockets-tomcat-7http://www.tomcatexpert.com/blog/2012/05/01/how-apache-tomcat-implemented-websocket

Net.tutsplus.comhttp://net.tutsplus.com/tutorials/javascript-ajax/start-using-html5-websockets-today/

57

Vmware Supported Platform

58

Questions