Mitch Pronschinske is the Lead Research Analyst at DZone. Researching and compiling content for DZone's research guides is his primary job. He likes to make his own ringtones, watches cartoons/anime, enjoys card and board games, and plays the accordion. Mitch is a DZone Zone Leader and has posted 2576 posts at DZone. You can read more from them at their website. View Full User Profile

Mark Thomas on Apache Tomcat 7

  • submit to reddit

A lot has been happening at Apache recently.  The Subversion project joined the list of Apache projects and the White House has begun using Drupal.  Apache also celebrated its 10 year anniversary at ApacheCon2009.  However, the biggest news was probably the timeframe announcement for Apache Tomcat version 7.  According to Jim Jagielski, chairman of the Apache board of directors, Tomcat is used in at least 75% of Java-based websites.  Mark Thomas, a member of the Apache Tomcat Project Management Committee, said that the alpha release of Tomcat 7 is expected in December 2009 or January 2010.  DZone spoke with Thomas for an exclusive interview about the upcoming version of Tomcat. 

DZone: Tomcat 7 has plans to use the still-unfinished Servlet 3.0.  How will Tomcat benefit from the Java Servlet 3.0 spec?

Mark Thomas:  Servlet 3 provides Tomcat users with a number of benefits. In no particular order:

  • The benefits of an asynchronous style of programming (scalability, async request/response) are already available to Tomcat users in Tomcat 6. The async support in the Servlet 3 spec provides a standard interface that will provide portability between containers.
  • Increased control over session tracking, in particular the ability to use the SSL session ID to track user sessions which provides additional security.
  • Use of generics throughout the Servlet 3 API allows programming errors to be detected at compile time rather than run time as well as enabling the writing of cleaner code.
  • File upload support will enable Tomcat users to use file upload functionality within their web applications with the need for additional libraries.

DZone: Tell me about the dynamic configuration planned for Tomcat 7 as part of Servlet 3.0.

Mark: There are a number of dynamic configuration features planned for Tomcat 7.  Web fragments allow libraries to provide their configuration via a web.xml fragment embedded with the library. For example, a developer using Apache Struts would no longer need to add the Struts configuration to their web application's web.xml file as Struts could ship with a web fragment embedded in the Struts JAR that contained the necessary configuration and Tomcat would automatically load it.

In addition to web fragments, annotations are also supported which provides an alternative mechanism to define and configure the servlets, filters and listeners required by a web application.

The Servlet API has also been extended to allow web application developers to add Servlets and Filters programmatically when the web application starts. Whilst the Servlet spec prohibits using this API whilst the web application is running, Tomcat 7 will provide an option to allow access to this API whilst the application is running to give web application developers even greater flexibility.

DZone: What security improvements are planned for Tomcat 7?

Mark: In addition to the SSL session tracking mentioned above, Tomcat will be adding protection against session fixation attacks as well as improving the security of the manager and host-manager applications.
The improvements to these web applications include:

  • Separate roles for script based access, web based access, JMX proxy and status page provides finer grained access control
  • Using POST for non-idempotent requests (makes some attacks harder);
  • Requiring a nonce to be provided with all non-idempotent requests to prevent CSRF attacks. The nonce is randomly generated and changes with each request.

DZone: How will Tomcat 7 make it easier to embed Tomcat applications?

Mark: Tomcat has always been embeddable but the code to achieve this was a little cumbersome. Tomcat 7 includes a new API that provides a very simple mechanism to embed Tomcat along with an alternative distribution that uses a minimal number of JARs. In Tomcat 7, you can embed Tomcat in your application and configure it to run a web application of your choosing with just eight lines of code.

The same API also provides a simple mechanism for adding additional web applications and/or individual servlets. For those users that require advanced configuration, the full Tomcat API is also available.

DZone: Are there any other new features in Tomcat 7 you can tell me about?

Mark: Other new features include:

Alias support. This provides an mechanism for web application developers to include external content from a file system or a WAR within their web application context. A typical use of this would be to add a standard, shared images or javascript directories to multiple web applications.

Logging improvements. These include a asynchronous file handler that writes the logs to disk in a separate thread so request processing threads do not suffer the associated delay if they have to write the log messages to disk and a single line log formatter that outputs Tomcat log messages on a single line rather than two lines which makes the log files easier to work with for administrators.

Additional spec compliance options. There are a number of areas where a strict adherence to the specifications can cause problems for web applications. Cookie handling is once such area. Tomcat 7 will include additional options to enable system administrators to control how strictly Tomcat enforces the Servlet, Cookie and HTTP specifications. The defaults will provide a secure environment where most applications will work correctly but administrators will be able to tighten or relax Tomcat's enforcement of the specifications as required for the correct operation of their applications.

Additional memory leak protection. This is a large topic which could easily fill an article all on its own. The edited highlights are that Tomcat has a long history of memory leaks on web application reload. Whilst a small percentage of these may have been caused by Tomcat bugs in the past, the associated Tomcat bugs were fixed several years ago. Today, memory leaks on reload are caused by bugs in web applications, bugs in the libraries web applications use and even the JVM. A number of these causes are well known and understood and Tomcat will be providing work-arounds for them. The Tomcat developers will also continue to work with the rest of the Tomcat community to identify additional causes of memory leaks and to provide work-arounds for them wherever possible.


Mark Thomas is a member of the Apache Tomcat Project Management Committee, and senior software engineer at the Covalent division of SpringSource.  He made the presentation on Tomcat at ApacheCon two days ago.  His full bio can be found here.

29450_Thomas_medium.jpg5.69 KB


vijay nalawade replied on Sat, 2009/11/07 - 2:19am

I'm very disappointed to see that Tomcat has no plans to support the EE 6 web profile. Anyone know if it was considered?

Andreas Fink replied on Sun, 2009/11/08 - 7:02am

Drupal based on Lucene? That would be news to me. Other than that, interesting read!

Anonymous Coward replied on Sun, 2009/11/08 - 12:09pm in response to: vijay nalawade

Agreed - the lack of support for the web profile from Tomcat is a serious disappointment to me to and pretty feeble really given Apache have most of the bits they need - but I don't think its very likely to happen. Springsource, by dint of the amount of code they contribute to Tomcat, have a lot influence over its development these days and were keen for the web profile to be just servlets and JSPs. They've been publicly critical of the resulting spec and I think are likely to block any moves for Tomcat to support it. Might be time to look for an alternative web container.

Ivan Lazarte replied on Mon, 2009/11/09 - 11:06am

The ability to reference a static file path is huge. I've been waiting for this for a while.

Anders Åberg replied on Thu, 2009/11/12 - 4:35am

Where did you guys find out that Tomcat won't support the EE6 web profile? Are there any other projects aiming for the web profile at this point?

Mark Thomas replied on Wed, 2010/01/27 - 8:14am in response to: Anders Åberg

At this stage, the Apache Tomcat project has no plans to support the J2EE 6 web-profile. The main reason is that there has been zero demand for it from the Tomcat community. A search of the mailing list archives turned up only a single mention and that was from the Apache Geronimo project providing a heads up on their plans for supporting the web-profile.

Apache Geronimo's plans for web-profile support can be found on that project's wiki: Given the large number of additional specifactions that Tomcat would be required to implement to meet the web profile, using Geronimo as a starting point makes a lot more sense to me than starting with Tomcat.

Should a strong demand for Tomcat to support the web-profile emerge from the Tomcat community, then the Tomcat project would obviously take that into account and re-consider whether or not to provide support for the web profile.


Note: These are my personal views. I am not speaking on behalf of either the ASF or SpringSource.

Sura Sos replied on Mon, 2010/07/19 - 3:11pm

Please no web profile...

 If you need to use ejb, stick with jboss or weblogic.. NO need to complicate web development with ejb lite crap.

Alex Soto replied on Thu, 2011/01/27 - 6:09am

Hello I am developing an example of embedding Tomcat 7 and adding new Servlet. Just don't know why, I am sure I am doing something wrong, but after server is started the servlet is not available.


Code is:


        Tomcat tomcat = new Tomcat();
        Context ctx = tomcat.addContext("/hello", ".");
        Tomcat.addServlet(ctx, "world", new HelloWorldServlet());



Thank you very much

Carla Brian replied on Sun, 2012/07/29 - 5:26am

I think this is a reliable souce. I want to download this one. I want to study more on this and will search more of its tutorials. - Instant  Tax Solutions Ratings

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.