Page 1: Apache Tomcat 8 Preview

© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.

Apache Tomcat 8 Preview

By Daniel Mikusa & Stuart Williams

Page 2: Apache Tomcat 8 Preview

Agenda

● Introductions
● Java EE 7
● Tomcat specific changes
● Timescales
● Questions

Page 3: Apache Tomcat 8 Preview

Introductions

Page 4: Apache Tomcat 8 Preview

Introductions

● Daniel Mikusa
  ○ Active on [email protected]
  ○ Contributing Author on TomcatExpert.com
  ○ Senior Technical Support Engineer at Pivotal
    ■ Tomcat / tc Server
    ■ Spring Framework
    ■ CloudFoundry
● Stuart Williams
  ○ Active on [email protected]
  ○ A committer on open source projects at Apache, Eclipse and elsewhere
  ○ Consulting Architect at Pivotal

Page 5: Apache Tomcat 8 Preview

Java EE 7

Page 6: Apache Tomcat 8 Preview

Java EE 7

● Tomcat 8
  ○ Servlet 3.1
  ○ JSP 2.3
  ○ Expression Language 3.0
  ○ Web Sockets 1.0
  ○ Little / no demand for other Java EE 7 components in Tomcat
    ■ Java Authentication SPI for Containers (JASPIC JSR 196)
● Web Container - Apache TomEE
● J2EE Container - Apache Geronimo

Page 7: Apache Tomcat 8 Preview

Servlet 3.1

● Final: May 28th 2013
● New Features
  ○ Non-blocking IO
  ○ HTTP Upgrade
  ○ Change session id on authentication
● Improvements
  ○ Protection for uncovered HTTP methods in security constraints
  ○ Clarified some ambiguities
  ○ Fixed some typos

Page 8: Apache Tomcat 8 Preview

Change Session Id

● To change the session id:
  ○ HttpServletRequest.changeSessionId()
● To listen for session id changes, implement HttpSessionIdListener
● Register HttpSessionIdListener with:
  ○ ServletContext.addListener(..)
  ○ @WebListener

    public class CustomHttpSessionIdListener implements HttpSessionIdListener {
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            …
        }
    }
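
An added example, not from the slides or the speakers' demo code: a programmatic login that rotates the session id with changeSessionId() so that an id fixed before authentication does not carry over, plus a listener that records the rotation. The /login mapping, the parameter names, the loginTime attribute and the class names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

@WebServlet("/login") // hypothetical mapping
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // changeSessionId() throws IllegalStateException when the request has no
        // session, so make sure the pre-login session exists first.
        HttpSession session = req.getSession(true);
        try {
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate the id: a value planted or observed before login no longer
        // names the authenticated session. Session attributes are kept.
        req.changeSessionId();
        session.setAttribute("loginTime", System.currentTimeMillis());
        resp.sendRedirect(req.getContextPath() + "/");
    }

    @WebListener
    public static class SessionIdAudit implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            // Log fingerprints, not raw ids: a session id in a log file is a credential.
            String newId = event.getSession().getId();
            event.getSession().getServletContext().log("session id rotated: "
                + Integer.toHexString(oldSessionId.hashCode()) + " -> "
                + Integer.toHexString(newId.hashCode()));
        }
    }
}
```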

Page 9: Apache Tomcat 8 Preview

Uncovered HTTP Methods

● When defining security constraints, it’s possible to list specific HTTP methods covered by the security constraint
  ○ <http-method>
  ○ <http-method-omission>
● A method is “uncovered” when…
  ○ One or more methods are listed with <http-method>, any method not listed is “uncovered”
  ○ One or more methods are listed with <http-method-omission>, every method listed is “uncovered”
● If no methods are specifically listed then all methods are protected

Page 10: Apache Tomcat 8 Preview

Uncovered HTTP Methods: Ex 1

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>wholesale</web-resource-name>
            <url-pattern>/acme/wholesale/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SALESCLERK</role-name>
        </auth-constraint>
    </security-constraint>

Only GET is covered

Page 11: Apache Tomcat 8 Preview

Uncovered HTTP Methods: Ex 2

    @ServletSecurity(httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
            transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
    public class Example5 extends HttpServlet {
        …
    }

Only GET & POST are covered
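
An added example, not from the slides: a small audit that parses a web.xml and reports, for each web-resource-collection, which HTTP methods the rules above leave uncovered. The class name and the embedded sample (the constraint from Ex 1 wrapped in a minimal web-app element) are constructed here. It checks each collection on its own without merging several constraints on the same URL pattern, and it looks for the Servlet 3.1 <deny-uncovered-http-methods/> element, which the slides do not show.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class UncoveredMethodAudit {
    // Constructed sample: the Ex 1 constraint inside a minimal web-app element.
    static final String WEB_XML =
        "<web-app><security-constraint><web-resource-collection>"
      + "<web-resource-name>wholesale</web-resource-name>"
      + "<url-pattern>/acme/wholesale/*</url-pattern>"
      + "<http-method>GET</http-method>"
      + "</web-resource-collection><auth-constraint>"
      + "<role-name>SALESCLERK</role-name></auth-constraint>"
      + "</security-constraint></web-app>";

    static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }

    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPEs so the audit itself cannot be used for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        boolean deny = root.getElementsByTagName("deny-uncovered-http-methods").getLength() > 0;
        List<String> findings = new ArrayList<>();
        NodeList wrcs = root.getElementsByTagName("web-resource-collection");
        for (int i = 0; i < wrcs.getLength(); i++) {
            Element wrc = (Element) wrcs.item(i);
            List<String> listed = texts(wrc, "http-method");
            List<String> omitted = texts(wrc, "http-method-omission");
            // <http-method>: everything not listed is uncovered.
            // <http-method-omission>: exactly the listed methods are uncovered.
            String uncovered = !listed.isEmpty() ? "all except " + listed
                             : !omitted.isEmpty() ? omitted.toString() : null;
            if (uncovered != null)
                findings.add(texts(wrc, "url-pattern") + " uncovered: " + uncovered
                    + (deny ? " (denied by container)" : " (not subject to this constraint)"));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        audit(WEB_XML).forEach(System.out::println);
    }
}
```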

Page 12: Apache Tomcat 8 Preview

Servlet 3.1 Demos

Page 13: Apache Tomcat 8 Preview

JSP 2.3

● Final: June 12th 2013
● There is no JSP Expert Group
● JSP 2.3 is a maintenance release
● Changes
  ○ Requires Servlet 3.1, EL 3.0 & Java 7
  ○ JSP must render identical response for GET, POST & HEAD; all other methods are undefined

Page 14: Apache Tomcat 8 Preview

EL 3.0

● Final: May 22nd 2013
● Significant Changes
● New Features
  ○ Access to static fields, methods & constructors
  ○ Assignment operator
  ○ Semi-colon operator (chain multiple commands)
  ○ String concatenation operator
  ○ New Collections API, including dynamic construction of collections & the stream method and the collection pipeline
  ○ Lambda Expressions
● Incompatibilities
  ○ Default coercion for nulls to non-primitive types, except Strings, returns null. Ex: null -> Boolean returns null, but null -> boolean returns false.

Page 15: Apache Tomcat 8 Preview

EL 3.0 Demos

Page 16: Apache Tomcat 8 Preview

WebSocket 1.0

● Final: May 22nd 2013
● Tomcat 7 has supported WebSockets for a while (different API)
● Tomcat 8 implements new API
● Tomcat 7 has been upgraded to support new API (as of Tomcat 7.0.4x)
● Both implement client & server APIs
● Additional Features
  ○ Encoding / decoding (lots of debate here)
  ○ Annotations
● Differences
  ○ Tomcat 7’s implementation is blocking within a Frame
  ○ WebSocket 1.0 is non-blocking although some writes do block
● Non-blocking
  ○ Works with the BIO connector but obviously is not really non-blocking
  ○ Fundamentally changes the API

Page 17: Apache Tomcat 8 Preview

Tomcat Specific Changes

Page 18: Apache Tomcat 8 Preview

Tomcat Specific Changes

● Resources
  ○ Aliases
  ○ VirtualDirContext / VirtualWebappLoader
  ○ External repositories for the WebappClassLoader
  ○ Servlet 3.0 resource JARS
● Tomcat 7 implements each of these slightly differently
  ○ Very fragile
  ○ Servlet 3.1 overlays would have been difficult
● New resources implementation
  ○ Much cleaner implementation
  ○ Overlays now simpler to implement (but have been dropped from Servlet 3.1)

Page 19: Apache Tomcat 8 Preview

Resources

● Ordering
  ○ Pre Resources
  ○ Main Resources (i.e. the docBase for a context)
  ○ Jar Resources
  ○ Post Resources
● Types
  ○ DirResourceSet - a directory
  ○ FileResourceSet - a single file
  ○ JarResourceSet - a JAR file
● General recommendation is to avoid using these directly, as they are Tomcat specific

Page 20: Apache Tomcat 8 Preview

Resources

    <?xml version='1.0' encoding='utf-8'?>
    <Context>
        <Resources>
            <PreResources className="org.apache.catalina.webresources.FileResourceSet"
                          base="/app/files/special.txt"
                          webAppMount="/static/special.txt" />
            <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                           base="/app/files/static"
                           webAppMount="/static" />
        </Resources>
    </Context>

Page 21: Apache Tomcat 8 Preview

Tomcat Specific Changes (cont.)

● NIO connector is now the default
● Additional diagnostic information in the Manager
  ○ SSL ciphers
  ○ May be back-ported to Tomcat 7
● API changing clean-up
  ○ Remove duplicated functionality
  ○ Move Manager, Loader & Resources from Container to Context
  ○ Move Mapper from Connector to Service
● Code clean-up
  ○ Reduce warnings
  ○ IDE, FindBugs, Javadocs, Checkstyle, etc...

Page 22: Apache Tomcat 8 Preview

Timescales

Page 23: Apache Tomcat 8 Preview

Timescales

● Java EE 7 Final has shipped
● Tomcat 8.0.0
  ○ 8.0.0.RC1 (alpha) is available
  ○ Alpha has complete implementations of Servlet 3.1, JSP 2.3, EL 3.0 & WebSocket 1.0
  ○ Code is not ready for production usage, purpose is to gather community feedback
  ○ Additional internal refactoring will likely occur prior to a non-alpha release
  ○ Based on past experience, 8.0.0 release will likely hit six to nine months after initial alpha release (Feb - May 2014). Depends on community usage and feedback.

Page 24: Apache Tomcat 8 Preview

Questions

Page 25: Apache Tomcat 8 Preview

Learn More. Stay Connected.

● Demo Code: github.com/swilliams-vmw/s2gx-tomcat
● Website: tomcat.apache.org
● Download: tomcat.apache.org/download-80.cgi
● Documentation: tomcat.apache.org/tomcat-8.0-doc/index.html
● Migration Guide: tomcat.apache.org/migration.html
● Mailing Lists: tomcat.apache.org/lists.html
● Find Session replays on YouTube: spring.io/video

