Apache Tomcat 7 Becomes Latest Stable Release

by Charles Humble on Jan 24, 2011

Tomcat version 7.0.6, released on January 11th 2011, has been voted stable. This is the first stable release of the Tomcat 7 branch, superseding version 6 which was introduced in February 2007.

Apache have decided not to add support for the full Java EE 6 web profile to Tomcat, at least for the moment. Thus version 7 simply adds support for Servlet 3.0 - introduced in Java EE 6 - as well as JavaServer Pages 2.2 and EL 2.2. It requires Java SE 6 or higher.

Servlet 3.0 is however a significant update, adding a number of refinements to the specification. Key ones include:

  1. The introduction of standardised support for asynchronous HTTP requests and responses. Whilst asynchronous support was available in Tomcat 6 through a non-standard API, standardisation means that the Servlet 3 version is portable between containers.
  2. Dynamic configuration: Support for Web Fragments, which can be used by libraries to provide their configuration, eliminating the need for developers to add library-specific configuration to their application’s web.xml file.
  3. The use of annotations for configuring filters, listeners and servlets, further reducing the amount of XML developers need to write.

Servlet 3.0 has also been overhauled to use generics, has improvements to session tracking, and includes new file upload functionality.

Not all the improvements in Tomcat 7 are down to the Servlet 3.0 API. Tomcat also sees a number of important security improvements. There are now separate roles for script-based, web-based, JMX proxy, and status page access, allowing more specific access control. To prevent cross-site request forgery (CSRF) attacks, a randomly generated nonce will be required for all non-idempotent requests (that is, operations which will not produce the same results if executed multiple times). Preventative measures have also been taken to protect against session fixation attacks. A session fixation attack is designed to force the session ID of a client to an explicit, known value.
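An added example, not from the original article and not Tomcat's own code: a simplified Java model of the two defences just described, a per-session nonce demanded on state-changing requests and a fresh session ID issued at login. The class and method names are hypothetical, and classifying requests by HTTP method (GET, HEAD and OPTIONS exempt) is an assumption of this example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of the two defences; every name here is hypothetical.
public class SessionDefenceDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Set<String> SAFE = Set.of("GET", "HEAD", "OPTIONS");
    // sessionId -> nonce the server currently expects for that session
    private final Map<String, String> nonces = new HashMap<>();
    static String randomToken() {
        return new BigInteger(128, RNG).toString(16); // 128 random bits, hex
    }

    // Create a session plus the nonce the server embeds in its own forms.
    String newSession() {
        String id = randomToken();
        nonces.put(id, randomToken());
        return id;
    }
    String nonceFor(String sessionId) { return nonces.get(sessionId); }
    // State-changing methods must echo the session's nonce; safe methods pass.
    boolean allow(String method, String sessionId, String presented) {
        if (SAFE.contains(method)) return true;
        String expected = nonces.get(sessionId);
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    // Session fixation defence: drop the pre-login ID, issue a fresh one.
    String onLogin(String preLoginId) {
        nonces.remove(preLoginId);
        return newSession();
    }

    public static void main(String[] args) {
        SessionDefenceDemo s = new SessionDefenceDemo();
        String fixed = s.newSession();  // ID known before authentication
        String live = s.onLogin(fixed); // replacement ID after authentication
        System.out.println("POST without nonce: " + s.allow("POST", live, null));
        System.out.println("POST with nonce:    " + s.allow("POST", live, s.nonceFor(live)));
        System.out.println("POST on old ID:     " + s.allow("POST", fixed, "guess"));
    }
}
```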

The development team have also continued to work on common problems with memory leaks in the container, improved the logging system, and improved the container start-up times.

Finally Tomcat 7 provides a lightweight API allowing a developer to embed the container with just a few lines of code.

Developers wanting to use the full Java EE 6 Web Profile can, of course, include the APIs in their projects themselves. However, a community-led project, Simple Web Profile Application Server, has sprung up to fill the gap. In addition, Apache Geronimo, for which Tomcat provides the servlet container, will be supporting the web profile as well as the full Java EE 6 profile.
