Mark Thomas on Apache Tomcat 7
A lot has been happening at Apache recently. The Subversion project joined the list of Apache projects and the White House has begun using Drupal. Apache also celebrated its 10-year anniversary at ApacheCon 2009. However, the biggest news was probably the timeframe announcement for Apache Tomcat version 7. According to Jim Jagielski, chairman of the Apache board of directors, Tomcat is used in at least 75% of Java-based websites. Mark Thomas, a member of the Apache Tomcat Project Management Committee, said that the alpha release of Tomcat 7 is expected in December 2009 or January 2010. DZone spoke with Thomas for an exclusive interview about the upcoming version of Tomcat.
DZone: Tomcat 7 has plans to use the still-unfinished Servlet 3.0. How will Tomcat benefit from the Java Servlet 3.0 spec?
Mark Thomas: Servlet 3 provides Tomcat users with a number of benefits. In no particular order:
- The benefits of an asynchronous style of programming (scalability, async request/response) are already available to Tomcat users in Tomcat 6. The async support in the Servlet 3 spec provides a standard interface that will provide portability between containers.
- Increased control over session tracking, in particular the ability to use the SSL session ID to track user sessions which provides additional security.
- Use of generics throughout the Servlet 3 API allows programming errors to be detected at compile time rather than run time as well as enabling the writing of cleaner code.
- File upload support will enable Tomcat users to use file upload functionality within their web applications with the need for additional libraries.
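The asynchronous style Thomas refers to, as an added example of the Servlet 3.0 API (this is illustrative code, not from the interview or the Tomcat project): the request thread is released immediately, a bounded worker pool does the slow work, and the async timeout is treated as a first-class failure mode so an abandoned request cannot hold resources forever. The servlet name, URL pattern, pool size, timeout and the simulated 200 ms backend delay are all assumptions chosen for illustration.

```java
// Added example, not code from the interview or from the Tomcat project.
// Servlet name, URL pattern, pool size, timeout and the sleep() delay are assumptions.
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/slow", asyncSupported = true)
public class AsyncExampleServlet extends HttpServlet {

    // Bounded worker pool: slow work runs here, not on the container's request threads.
    private ExecutorService workers;

    @Override
    public void init() {
        workers = Executors.newFixedThreadPool(4);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final AsyncContext ctx = req.startAsync(req, resp);
        // Exactly one of "timed out" and "finished" may write the response and call complete().
        final AtomicBoolean finished = new AtomicBoolean(false);

        // Always bound the wait; an abandoned request must not pin a worker or a connection.
        ctx.setTimeout(TimeUnit.SECONDS.toMillis(5));
        ctx.addListener(new AsyncListener() {
            @Override public void onTimeout(AsyncEvent e) throws IOException {
                if (finished.compareAndSet(false, true)) {
                    HttpServletResponse r = (HttpServletResponse) e.getAsyncContext().getResponse();
                    r.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
                    r.getWriter().println("backend did not answer in time");
                    e.getAsyncContext().complete();
                }
            }
            @Override public void onError(AsyncEvent e) {
                if (finished.compareAndSet(false, true)) {
                    e.getAsyncContext().complete();
                }
            }
            @Override public void onComplete(AsyncEvent e) { }
            @Override public void onStartAsync(AsyncEvent e) { }
        });

        workers.submit(new Runnable() {
            @Override public void run() {
                try {
                    Thread.sleep(200); // constructed stand-in for a slow backend call
                    if (finished.compareAndSet(false, true)) {
                        HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                        r.setContentType("text/plain");
                        r.getWriter().println("done on " + Thread.currentThread().getName());
                        ctx.complete();
                    }
                } catch (Exception ex) {
                    if (finished.compareAndSet(false, true)) {
                        ((HttpServletResponse) ctx.getResponse())
                                .setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                        ctx.complete();
                    }
                }
            }
        });
    }

    @Override
    public void destroy() {
        // Stop the pool so a webapp reload does not leave worker threads behind.
        workers.shutdownNow();
    }
}
```

The `AtomicBoolean` guard matters: once the container has fired `onTimeout`, a late worker must neither write to the response nor call `complete()` a second time, which would throw `IllegalStateException`. Any filter in front of an async servlet also needs `asyncSupported = true`, otherwise `startAsync()` is refused.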
DZone: Tell me about the dynamic configuration planned for Tomcat 7 as part of Servlet 3.0.
Mark: There are a number of dynamic configuration features planned for Tomcat 7. Web fragments allow libraries to provide their configuration via a web.xml fragment embedded with the library. For example, a developer using Apache Struts would no longer need to add the Struts configuration to their web application's web.xml file as Struts could ship with a web fragment embedded in the Struts JAR that contained the necessary configuration and Tomcat would automatically load it.
In addition to web fragments, annotations are also supported which provides an alternative mechanism to define and configure the servlets, filters and listeners required by a web application.
The Servlet API has also been extended to allow web application developers to add Servlets and Filters programmatically when the web application starts. Whilst the Servlet spec prohibits using this API whilst the web application is running, Tomcat 7 will provide an option to allow access to this API whilst the application is running to give web application developers even greater flexibility.
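The three mechanisms described above (annotations, programmatic registration at startup, and the SSL session tracking from the previous answer) in one place, as an added illustration that is not code from the interview or the Tomcat project. The class names, the `/internal/status` mapping and the audit log line format are assumptions; the API calls themselves (`addServlet`, `addMapping`, `setSessionTrackingModes`, `@WebListener`, `@WebFilter`) are Servlet 3.0.

```java
// Added example, not from the interview or the Tomcat project.
// Class names, URL patterns and the audit log format are assumptions.
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Found by annotation scanning: no web.xml entry needed. */
@WebListener
public class StartupConfigListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Programmatic registration: the spec permits this only while the application
        // is starting, which is exactly when this listener runs.
        ServletRegistration.Dynamic status = ctx.addServlet("status", StatusServlet.class);
        status.addMapping("/internal/status");
        status.setLoadOnStartup(1);

        // Session IDs come from the TLS session only: no JSESSIONID cookie and no URL
        // rewriting, so the identifier never shows up in logs, referrers or page scripts.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.SSL));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().log("StartupConfigListener: context stopped");
    }

    /** Servlet registered programmatically above (nested so the whole example is one file). */
    public static class StatusServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("status: ok, secure=" + req.isSecure()
                    + ", session=" + (req.getSession(false) != null));
        }
    }

    /** Registered by annotation: the third option besides web.xml and the programmatic API. */
    @WebFilter(urlPatterns = "/*")
    public static class AuditFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            long start = System.nanoTime();
            try {
                chain.doFilter(req, resp);
            } finally {
                // One line per request, including outcome and latency, for the admin's logs.
                req.getServletContext().log("audit " + http.getMethod() + " " + http.getRequestURI()
                        + " " + ((HttpServletResponse) resp).getStatus()
                        + " " + (System.nanoTime() - start) / 1000000 + "ms");
            }
        }
    }
}
```

Two caveats on the SSL-only tracking mode: it requires an HTTPS connector (a plain-HTTP request to this application will never be associated with a session), and the session lives only as long as the TLS session it is bound to, so clients that renegotiate or reconnect start over.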
DZone: What security improvements are planned for Tomcat 7?
Mark: In addition to the SSL session tracking mentioned above, Tomcat will be adding protection against session fixation attacks as well as improving the security of the manager and host-manager applications.
The improvements to these web applications include:
- Separate roles for script based access, web based access, JMX proxy and status page provide finer-grained access control;
- Using POST for non-idempotent requests (makes some attacks harder);
- Requiring a nonce to be provided with all non-idempotent requests to prevent CSRF attacks. The nonce is randomly generated and changes with each request.
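The two protections Thomas names for the manager applications, as an added illustration in plain Servlet 3.0 code (this is not Tomcat's own filter or authenticator, and the interview does not describe their internals): a per-request nonce that state-changing requests must echo back, and a session rotation helper to call after a successful login so the pre-authentication session ID is never promoted to an authenticated one. The URL pattern, parameter name, attribute names and the cache size of five nonces are assumptions.

```java
// Added example, not Tomcat's CSRF filter or session-fixation code.
// URL pattern, parameter/attribute names and CACHE_SIZE are assumptions.
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "/admin/*")
public class NonceCsrfFilter implements Filter {
    static final String NONCE_PARAM = "_nonce";
    static final String NONCE_CACHE_ATTR = NonceCsrfFilter.class.getName() + ".nonces";
    static final int CACHE_SIZE = 5; // recent nonces still accepted (user has several tabs open)
    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Map<String, Boolean> cache = nonceCache(req.getSession());

        // Non-idempotent request: it must carry a nonce we issued to this session.
        if (!isIdempotent(req.getMethod())) {
            String presented = req.getParameter(NONCE_PARAM);
            synchronized (cache) {
                // remove(): each nonce is single-use, so a replayed form is rejected too.
                if (presented == null || cache.remove(presented) == null) {
                    resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid nonce");
                    return;
                }
            }
        }

        // Issue a fresh nonce for every request; pages render it into forms as a hidden field.
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String fresh = String.format("%032x", new BigInteger(1, raw));
        synchronized (cache) {
            cache.put(fresh, Boolean.TRUE);
        }
        req.setAttribute(NONCE_PARAM, fresh);
        chain.doFilter(req, resp);
    }

    private static boolean isIdempotent(String method) {
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    @SuppressWarnings("unchecked")
    private static Map<String, Boolean> nonceCache(HttpSession session) {
        synchronized (session) {
            Map<String, Boolean> cache = (Map<String, Boolean>) session.getAttribute(NONCE_CACHE_ATTR);
            if (cache == null) {
                // Insertion-ordered map that drops the oldest nonce beyond CACHE_SIZE.
                cache = new LinkedHashMap<String, Boolean>() {
                    @Override protected boolean removeEldestEntry(Map.Entry<String, Boolean> e) {
                        return size() > CACHE_SIZE;
                    }
                };
                session.setAttribute(NONCE_CACHE_ATTR, cache);
            }
            return cache;
        }
    }

    /** Call after a successful login: the session ID the client had before authenticating is discarded. */
    public static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> kept = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                kept.put(name, old.getAttribute(name));
            }
            kept.remove(NONCE_CACHE_ATTR); // nonces issued before login are not carried over
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

A JSP under `/admin/` would emit `<input type="hidden" name="_nonce" value="${_nonce}">` in every form, and the login servlet would call `NonceCsrfFilter.rotateSession(request)` once credentials have been verified. The filter's only assumption about the application is that it uses POST, not GET, for anything that changes state, which is the second item in Thomas's list.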
DZone: How will Tomcat 7 make it easier to embed Tomcat applications?
Mark: Tomcat has always been embeddable but the code to achieve this was a little cumbersome. Tomcat 7 includes a new API that provides a very simple mechanism to embed Tomcat along with an alternative distribution that uses a minimal number of JARs. In Tomcat 7, you can embed Tomcat in your application and configure it to run a web application of your choosing with just eight lines of code.
The same API also provides a simple mechanism for adding additional web applications and/or individual servlets. For those users that require advanced configuration, the full Tomcat API is also available.
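The embedding API and the "additional web applications and/or individual servlets" path, as an added example that is not the interview's own eight-line snippet and not project code. The port, the base directory, the exploded-WAR path `webapps/myapp` and the `PingServlet` class are assumptions; the calls on `org.apache.catalina.startup.Tomcat` (`setPort`, `setBaseDir`, `addWebapp`, `addContext`, `addServlet`, `start`, `stop`, `destroy`) are the Tomcat 7 embedding API.

```java
// Added example, not code from the interview or the Tomcat project.
// Port, base directory, webapp path and PingServlet are assumptions for illustration.
import java.io.File;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.startup.Tomcat;

public class EmbeddedTomcatExample {

    /** Tiny servlet added programmatically, with no web.xml at all. */
    public static class PingServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("pong");
        }
    }

    public static void main(String[] args) throws LifecycleException, ServletException {
        final Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);
        // Work directory for compiled JSPs and temporary files (assumed path).
        tomcat.setBaseDir(new File("tomcat.base").getAbsolutePath());

        // Option 1: deploy an exploded WAR directory (assumed to exist at this path).
        Context app = tomcat.addWebapp("/myapp", new File("webapps/myapp").getAbsolutePath());
        app.setReloadable(false); // embedded deployments are normally redeployed by restarting

        // Option 2: a bare context with a single servlet and no descriptor.
        Context api = tomcat.addContext("/api", new File(".").getAbsolutePath());
        Tomcat.addServlet(api, "ping", new PingServlet());
        api.addServletMapping("/ping", "ping");

        // Stop cleanly on SIGTERM / Ctrl-C so listeners get their contextDestroyed() cleanup.
        Runtime.getRuntime().addShutdownHook(new Thread() {
            @Override public void run() {
                try {
                    tomcat.stop();
                    tomcat.destroy();
                } catch (LifecycleException e) {
                    e.printStackTrace();
                }
            }
        });

        tomcat.start();
        System.out.println("listening on http://localhost:8080/myapp and /api/ping");
        tomcat.getServer().await(); // block the main thread until the server is stopped
    }
}
```

Everything the full Tomcat API offers (connectors, realms, valves) is reachable from the same `Tomcat` instance, which is the "advanced configuration" escape hatch Thomas mentions; the default connector created here listens on all interfaces, so a deployment that should only be reachable locally would also configure the connector's bind address.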
DZone: Are there any other new features in Tomcat 7 you can tell me about?
Mark: Other new features include:
- Logging improvements. These include an asynchronous file handler that writes the logs to disk in a separate thread so request processing threads do not suffer the associated delay if they have to write the log messages to disk, and a single line log formatter that outputs Tomcat log messages on a single line rather than two lines, which makes the log files easier to work with for administrators.
- Additional spec compliance options. There are a number of areas where a strict adherence to the specifications can cause problems for web applications. Cookie handling is one such area. Tomcat 7 will include additional options to enable system administrators to control how strictly Tomcat enforces the Servlet, Cookie and HTTP specifications. The defaults will provide a secure environment where most applications will work correctly but administrators will be able to tighten or relax Tomcat's enforcement of the specifications as required for the correct operation of their applications.
- Additional memory leak protection. This is a large topic which could easily fill an article all on its own. The edited highlights are that Tomcat has a long history of memory leaks on web application reload. Whilst a small percentage of these may have been caused by Tomcat bugs in the past, the associated Tomcat bugs were fixed several years ago. Today, memory leaks on reload are caused by bugs in web applications, bugs in the libraries web applications use and even the JVM. A number of these causes are well known and understood and Tomcat will be providing work-arounds for them. The Tomcat developers will also continue to work with the rest of the Tomcat community to identify additional causes of memory leaks and to provide work-arounds for them wherever possible.
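Two of the well-known application-side causes of reload leaks that Thomas alludes to are threads the application started and never stopped, and JDBC drivers registered with the JVM-wide `DriverManager` from the web application's class loader; either keeps the old class loader (and everything it loaded) reachable after an undeploy. The listener below is an added example of cleaning both up from `contextDestroyed()`; it is not Tomcat's own leak-prevention code, and the class name, attribute name and the 30-second housekeeping task are assumptions.

```java
// Added example, not Tomcat's leak-prevention code. Names and the housekeeping
// schedule are assumptions; the DriverManager and executor APIs are standard Java.
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

@WebListener
public class ReloadSafeListener implements ServletContextListener {
    static final String EXECUTOR_ATTR = ReloadSafeListener.class.getName() + ".executor";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        final ServletContext ctx = sce.getServletContext();

        // Name the threads after the application so a leaked one is obvious in a thread dump.
        ThreadFactory named = new ThreadFactory() {
            private final AtomicInteger n = new AtomicInteger();
            @Override public Thread newThread(Runnable r) {
                return new Thread(r, ctx.getContextPath() + "-housekeeping-" + n.incrementAndGet());
            }
        };
        ScheduledExecutorService pool = Executors.newSingleThreadScheduledExecutor(named);
        pool.scheduleAtFixedRate(new Runnable() {
            @Override public void run() {
                ctx.log("housekeeping tick"); // constructed stand-in for periodic application work
            }
        }, 30, 30, TimeUnit.SECONDS);

        // Keep the handle where contextDestroyed() can find it.
        ctx.setAttribute(EXECUTOR_ATTR, pool);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // 1. Stop threads this application started; a running thread pins the old class loader.
        ScheduledExecutorService pool = (ScheduledExecutorService) ctx.getAttribute(EXECUTOR_ATTR);
        if (pool != null) {
            pool.shutdownNow();
            try {
                if (!pool.awaitTermination(5, TimeUnit.SECONDS)) {
                    ctx.log("housekeeping thread did not stop within 5s; class loader may leak");
                }
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            ctx.removeAttribute(EXECUTOR_ATTR);
        }

        // 2. Deregister only the JDBC drivers *this* class loader loaded. DriverManager is
        //    JVM-wide, so drivers belonging to the container or other webapps are left alone.
        ClassLoader webappLoader = Thread.currentThread().getContextClassLoader();
        for (Enumeration<Driver> drivers = DriverManager.getDrivers(); drivers.hasMoreElements();) {
            Driver d = drivers.nextElement();
            if (d.getClass().getClassLoader() == webappLoader) {
                try {
                    DriverManager.deregisterDriver(d);
                    ctx.log("deregistered JDBC driver " + d.getClass().getName());
                } catch (SQLException e) {
                    ctx.log("failed to deregister " + d.getClass().getName(), e);
                }
            }
        }
    }
}
```

The container invokes `contextDestroyed()` with the web application's class loader as the thread context class loader, which is why the identity comparison against `getContextClassLoader()` selects exactly the drivers that would otherwise keep it alive. `ThreadLocal` values set on container threads are the other common culprit and need the same discipline: remove them in a `finally` block on the request that set them.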
Mark Thomas is a member of the Apache Tomcat Project Management Committee, and senior software engineer at the Covalent division of SpringSource. He made the presentation on Tomcat at ApacheCon two days ago.