© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.
Apache Tomcat 8 Preview
By Daniel Mikusa & Stuart Williams
Agenda
● Introductions
● Java EE 7
● Tomcat specific changes
● Timescales
● Questions
Introductions
● Daniel Mikusa
● Active on [email protected]
● Contributing Author on TomcatExpert.com
● Senior Technical Support Engineer at Pivotal
    ○ Tomcat / tc Server
    ○ Spring Framework
    ○ CloudFoundry
● Stuart Williams
● Active on [email protected]
● A committer on open source projects at Apache, Eclipse and elsewhere
● Consulting Architect at Pivotal
Java EE 7
● Tomcat 8
    ○ Servlet 3.1
    ○ JSP 2.3
    ○ Expression Language 3.0
    ○ Web Sockets 1.0
    ○ Little / no demand for other Java EE 7 components in Tomcat
        ■ Java Authentication SPI for Containers (JASPIC JSR 196)
● Web Container - Apache TomEE
● J2EE Container - Apache Geronimo
Servlet 3.1
● Final: May 28th 2013
● New Features
    ○ Non-blocking IO
    ○ HTTP Upgrade
    ○ Change session id on authentication
● Improvements
    ○ Protection for uncovered HTTP methods in security constraints
    ○ Clarified some ambiguities
    ○ Fixed some typos
Change Session Id
● To change the session id:
    ○ HttpServletRequest.changeSessionId()
● To listen for session id changes, implement HttpSessionIdListener
● Register HttpSessionIdListener with:
    ○ ServletContext.addListener(..)
    ○ @WebListener

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

public class CustomHttpSessionIdListener implements HttpSessionIdListener {
    // Called by the container after a session's id has been changed
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // ….
    }
}
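
One way to use both APIs against session fixation, as an added example that is not from the slides or the demo repository: the id is rotated right after a successful login, and a listener re-keys application state stored by session id. The `/login` path, the parameter names and the `USER_BY_SESSION` registry are assumptions; the two classes go in separate files.

```java
// ---- LoginServlet.java ----
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login") // assumed path
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Container-managed credential check; parameter names are assumed.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (req.getSession(false) != null) {
            // Rotate the id of the pre-login session so an id that was fixed
            // before authentication is useless afterwards.
            req.changeSessionId();
        } else {
            // changeSessionId() throws IllegalStateException without a session.
            req.getSession(true);
        }
        SessionRegistryListener.USER_BY_SESSION.put(req.getSession().getId(), req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + "/");
    }
}

// ---- SessionRegistryListener.java ----
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

@WebListener
public class SessionRegistryListener implements HttpSessionIdListener {
    // Hypothetical application registry keyed by session id (e.g. for forced logout).
    static final Map<String, String> USER_BY_SESSION = new ConcurrentHashMap<>();

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Re-key the entry so the old id no longer resolves to a user.
        String user = USER_BY_SESSION.remove(oldSessionId);
        if (user != null) USER_BY_SESSION.put(event.getSession().getId(), user);
    }
}
```

The listener keeps the registry valid whenever any code path rotates an id, not only this servlet.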
Uncovered HTTP Methods
● When defining security constraints, it’s possible to list specific HTTP methods covered by the security constraint
    ○ <http-method>
    ○ <http-method-omission>
● A method is “uncovered” when…
    ○ One or more methods are listed with <http-method>, any method not listed is “uncovered”
    ○ One or more methods are listed with <http-method-omission>, every method listed is “uncovered”
● If no methods are specifically listed then all methods are protected
Uncovered HTTP Methods: Ex 1
<security-constraint>
    <web-resource-collection>
        <web-resource-name>wholesale</web-resource-name>
        <url-pattern>/acme/wholesale/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SALESCLERK</role-name>
    </auth-constraint>
</security-constraint>
Only GET is covered
Uncovered HTTP Methods: Ex 2
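import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.http.HttpServlet;

@ServletSecurity(httpMethodConstraints = {
    @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
    @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL)
})
public class Example5 extends HttpServlet {
    // ….
}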
Only GET & POST are covered
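
An added example (not from the slides or the Tomcat project): a stand-alone Java 8+ check that applies the rules above to a web.xml and reports, per url-pattern, which HTTP methods are left uncovered, combining constraints that share a pattern. The class name, the fixed method list and the sample descriptor are assumptions; the check returns nothing when the Servlet 3.1 `<deny-uncovered-http-methods/>` element is present, and it does not look at `@ServletSecurity` annotations.

```java
import java.io.ByteArrayInputStream;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class UncoveredMethodAudit {
    // Methods checked; extension methods outside this list are not reported (assumption).
    static final List<String> METHODS =
        Arrays.asList("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH");

    /** Returns url-pattern -> uncovered methods; patterns with none are left out. */
    static Map<String, Set<String>> audit(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the audit tool is not exposed to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes("UTF-8")));
        Map<String, Set<String>> uncovered = new TreeMap<>();
        // Servlet 3.1: with this element the container denies every uncovered method.
        if (doc.getElementsByTagName("deny-uncovered-http-methods").getLength() > 0) return uncovered;
        NodeList cols = doc.getElementsByTagName("web-resource-collection");
        for (int i = 0; i < cols.getLength(); i++) {
            Element c = (Element) cols.item(i);
            Set<String> listed = texts(c, "http-method");
            Set<String> omitted = texts(c, "http-method-omission");
            for (String pattern : texts(c, "url-pattern")) {
                Set<String> u = uncovered.get(pattern);
                if (u == null) uncovered.put(pattern, u = new TreeSet<>(METHODS));
                if (!listed.isEmpty()) u.removeAll(listed);        // only these are covered
                else if (!omitted.isEmpty()) u.retainAll(omitted); // all but these are covered
                else u.clear();                                    // no list: all covered
            }
        }
        uncovered.values().removeIf(Set::isEmpty);
        return uncovered;
    }

    static Set<String> texts(Element parent, String tag) {
        Set<String> out = new TreeSet<>();
        NodeList n = parent.getElementsByTagName(tag);
        for (int i = 0; i < n.getLength(); i++) out.add(n.item(i).getTextContent().trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the Ex 1 constraint from the slides.
        System.out.println(audit("<web-app><security-constraint><web-resource-collection>"
            + "<url-pattern>/acme/wholesale/*</url-pattern><http-method>GET</http-method>"
            + "</web-resource-collection></security-constraint></web-app>"));
    }
}
```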
Servlet 3.1 Demos
JSP 2.3
● Final: June 12th 2013
● There is no JSP Expert Group
● JSP 2.3 is a maintenance release
● Changes
    ○ Requires Servlet 3.1, EL 3.0 & Java 7
    ○ JSP must render identical response for GET, POST & HEAD; all other methods are undefined
EL 3.0
● Final: May 22nd 2013
● Significant Changes
● New Features
    ○ Access to static fields, methods & constructors
    ○ Assignment operator
    ○ Semi-colon operator (chain multiple commands)
    ○ String concatenation operator
    ○ New Collections API, including dynamic construction of collections & the stream method and the collection pipeline
    ○ Lambda Expressions
● Incompatibilities
    ○ Default coercion of nulls to non-primitive types, except Strings, returns null. Ex: null -> Boolean returns null, but null -> boolean returns false.
EL 3.0 Demos
WebSocket 1.0
● Final: May 22nd 2013
● Tomcat 7 has supported WebSockets for a while (different API)
● Tomcat 8 implements new API
● Tomcat 7 has been upgraded to support new API (as of Tomcat 7.0.4x)
● Both implement client & server APIs
● Additional Features
    ○ Encoding / decoding (lots of debate here)
    ○ Annotations
● Differences
    ○ Tomcat 7’s implementation is blocking within a Frame
    ○ WebSocket 1.0 is non-blocking although some writes do block
● Non-blocking
    ○ Works with the BIO connector but obviously is not really non-blocking
    ○ Fundamentally changes the API
Tomcat Specific Changes
● Resources
    ○ Aliases
    ○ VirtualDirContext / VirtualWebappLoader
    ○ External repositories for the WebappClassLoader
    ○ Servlet 3.0 resource JARS
● Tomcat 7 implements each of these slightly differently
    ○ Very fragile
    ○ Servlet 3.1 overlays would have been difficult
● New resources implementation
    ○ Much cleaner implementation
    ○ Overlays now simpler to implement (but have been dropped from Servlet 3.1)
Resources
● Ordering
    ○ Pre Resources
    ○ Main Resources (i.e. the docBase for a context)
    ○ Jar Resources
    ○ Post Resources
● Types
    ○ DirResourceSet - a directory
    ○ FileResourceSet - a single file
    ○ JarResourceSet - a JAR file
● General recommendation is to avoid using these directly, as this is Tomcat specific
Resources
<?xml version='1.0' encoding='utf-8'?>
<Context>
    <Resources>
        <PreResources className="org.apache.catalina.webresources.FileResourceSet"
                      base="/app/files/special.txt"
                      webAppMount="/static/special.txt" />
        <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                       base="/app/files/static"
                       webAppMount="/static" />
    </Resources>
</Context>
Tomcat Specific Changes (cont.)
● NIO connector is now the default
● Additional diagnostic information in the Manager
    ○ SSL ciphers
    ○ May be back-ported to Tomcat 7
● API changing clean-up
    ○ Remove duplicated functionality
    ○ Move Manager, Loader & Resources from Container to Context
    ○ Move Mapper from Connector to Service
● Code clean-up
    ○ Reduce warnings
    ○ IDE, FindBugs, Javadocs, Checkstyle, etc...
Timescales
● Java EE 7 Final has shipped
● Tomcat 8.0.0
    ○ 8.0.0.RC1 (alpha) is available
    ○ Alpha has complete implementations of Servlet 3.1, JSP 2.3, EL 3.0 & WebSocket 1.0
    ○ Code is not ready for production usage, purpose is to gather community feedback
    ○ Additional internal refactoring will likely occur prior to a non-alpha release
    ○ Based on past experience, 8.0.0 release will likely hit six to nine months after initial alpha release (Feb - May 2014). Depends on community usage and feedback.
Questions
Learn More. Stay Connected.
● Demo Code: github.com/swilliams-vmw/s2gx-tomcat
● Website: tomcat.apache.org
● Download: tomcat.apache.org/download-80.cgi
● Documentation: tomcat.apache.org/tomcat-8.0-doc/index.html
● Migration Guide: tomcat.apache.org/migration.html
● Mailing Lists: tomcat.apache.org/lists.html
● Find Session replays on YouTube: spring.io/video