Tomcat 7 Beta Debuts Servlet 3.0 Support, Security Upgrades and Operations-Friendly Updates
The Apache Software Foundation's Tomcat web server has reached 7.0 beta, the first release in more than 3 years. The new release has been in development for around 18 months. The release can be downloaded from the project's download page at the Apache Software Foundation.
The release features implementations of many new specifications, including Servlet 3.0, JSP 2.2, and EL 2.2. The introduction of Servlet 3.0 support brings the world's most used Java web container up to date with the latest servlet specifications, as introduced by the Java EE 6 specification. Servlet 3.0 promises many refinements (the API has been genericized, for example) and introduces a number of new features designed to make developers' lives easier, making it faster to build scalable applications. A key feature of the Servlet 3.0 specification is support for standardized asynchronous HTTP requests and responses (standardized because these features are, technically, already available through non-standard APIs for Tomcat, Jetty, and other containers). The specification describes baked-in support for file uploads, negating the need for a third-party library like the Apache project's Commons File Upload component.
The specification also defines support for dynamically configuring a web application, which has an impact in a number of places. Web-tier constructs like servlets may be defined using annotations, negating the need for registration in the WEB-INF/web.xml deployment descriptor file. Additionally, the new specification defines an API by which Servlets, Filters, etc., may be programmatically registered with a container at runtime. Along these same lines, web fragments enable third-party libraries to ship web.xml descriptors with the library, and the configuration will be added to the web application's main web.xml. You might imagine, for example, simply dropping a web framework's .jar files in the WEB-INF/lib folder of your application and seeing it configured automatically.
Tomcat 7 adds protection against session fixation attacks. A session fixation attack is designed to force the session ID of a client to an explicit, known value. Additionally, Tomcat 7 supports SSL session tracking and more granular permissions for the various access mechanisms (JMX, web-based, and script access, for example).
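The usual defence against session fixation is to issue a fresh session ID when the client authenticates, so an ID that was known before login never becomes an authenticated one. The following is an added model of that behaviour, not Tomcat code and not from the original article; the class, its methods and the user name `alice` are hypothetical and constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical in-memory model of a container's session table (not Tomcat code).
class SessionFixationDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // session ID -> authenticated user ("" while the session is still anonymous)
    private final Map<String, String> sessions = new HashMap<>();
    private final boolean rotateOnLogin;

    SessionFixationDemo(boolean rotateOnLogin) { this.rotateOnLogin = rotateOnLogin; }

    private static String newId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder();
        for (byte b : raw) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Anonymous session, as issued on a first request before any login.
    String createSession() {
        String id = newId();
        sessions.put(id, "");
        return id;
    }

    // Login on an existing session; returns the ID the client must use afterwards.
    String login(String presentedId, String user) {
        if (!sessions.containsKey(presentedId)) throw new IllegalArgumentException("unknown session");
        String id = presentedId;
        if (rotateOnLogin) {              // the defence: retire the pre-login ID
            sessions.remove(presentedId);
            id = newId();
        }
        sessions.put(id, user);
        return id;
    }

    // User the server associates with this ID; null means no such session.
    String userFor(String id) { return sessions.get(id); }

    public static void main(String[] args) {
        for (boolean rotate : new boolean[] {false, true}) {
            SessionFixationDemo server = new SessionFixationDemo(rotate);
            String preLoginId = server.createSession();              // ID known before login
            String postLoginId = server.login(preLoginId, "alice");  // constructed user
            System.out.printf("rotate=%b  pre-login ID -> %s  post-login ID -> %s%n",
                    rotate, server.userFor(preLoginId), server.userFor(postLoginId));
        }
    }
}
```

With rotation off, the pre-login ID resolves to the logged-in user; with rotation on, it resolves to no session at all, which is the property to check for when testing an application's login flow.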
The new release is more flexible for developers who would like to embed the container; it exposes a lightweight API for embedding the container in client code. Additionally, Tomcat requires fewer .jars, making it easier to build Tomcat a la carte.
The release includes several features to ease administration and management of the server. It supports an asynchronous logging thread to write requests/responses independent of the request/response pipeline. Tomcat 7 features sophisticated support for preventing, identifying and trapping memory leaks. The crux of this memory leak busting support lies in Tomcat 7's improved class loader and a JreLeakPreventionListener class. Tomcat 7 debuts support for what it calls "aliases," very much like the Apache server's feature of the same name. It lets applications in Tomcat see content from external sources, like a filesystem.
Finally, one thing you'll not see in Tomcat 7 is support for the Java EE 6 web profile. The Java EE 6 web profile defines a subset of the whole Java EE specification geared towards enabling web-facing applications. For more on the Java EE 6 spec, including the web profile, see Java EE 6 Platform Draft Published featuring the Web Profile. Conceptually, this reduces the onus on application server vendors to maintain complete backwards compatibility simply to remain "certified." The Java EE 6 web profile is also ideal for servlet containers that wish to obtain certification. The Simple Web Profile Application Server project aims to build a Java EE 6 web profile compliant server using Apache Software Foundation components, with Apache Tomcat 7 as the base.
Ben Linders May 28, 2015