© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.

Apache Tomcat 8 Preview

By Daniel Mikusa

Agenda

● Introductions● Java EE 7● Tomcat specific changes● Timescales● Questions

Introductions

Introductions● Daniel Mikusa● Active on users@tomcat.apache.org● Contributing Author on TomcatExpert.com● Senior Technical Support Engineer at

Pivotal○ Tomcat / tc Server○ Spring Framework○ CloudFoundry

Java EE 7

Java EE 7● Tomcat 8

○ Servlet 3.1 ○ JSP 2.3 ○ Expression Language 3.0○ Web Sockets 1.0○ Little / no demand for other Java EE 7 components in Tomcat

● Web Profile Container - Apache TomEE

● J2EE Container - Apache Geronimo

Servlet 3.1● Final: May 28th 2013● New Features

○ Non-blocking IO○ HTTP Upgrade○ Change session id on authentication

● Improvements○ Protection for uncovered HTTP methods in security constraints○ Clarified some ambiguities○ Fixed some typos

Change Session Id● To change the session id:

○ HttpServletRequest.changeSessionId()● To listen for session id changes with HttpSessionIdListener● Register HttpSessionIdListener with:

○ ServletContext.addListener(..)○ @WebListener

public class CustomHttpSessionIdListener implements HttpSessionIdListener { public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) { …. }}

Uncovered HTTP Methods● When defining security constraints, it’s possible to list specific HTTP methods

covered by the security constraint○ <http-method>○ <http-method-omission>

● A method is “uncovered” when…○ One or more methods are listed with <http-method>, any method not

listed is “uncovered”○ One or more methods are listed with <http-method-omission>, every

method list is “uncovered”● If no methods are specifically listed then all methods are protected

Uncovered HTTP Methods: Ex 1

<security-constraint><web-resource-collection>

<web-resource-name>wholesale</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method>

</web-resource-collection><auth-constraint>

<role-name>SALESCLERK</role-name></auth-constraint>

</security-constraint>

Only GET is covered

Uncovered HTTP Methods: Ex 2

@ServletSecurity((httpMethodConstraints = { @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"), @HttpMethodConstraint(value = "POST", rolesAllowed = "R1", transportGuarantee = TransportGuarantee.CONFIDENTIAL)})public class Example5 extends HttpServlet { ….}

Only GET & POST are covered

Servlet 3.1 Demos

JSP 2.3● Final: June 12th 2013● There is no JSP Expert Group● JSP 2.3 is a maintenance release● Changes

○ Requires Servlet 3.1, EL 3.0 & Java 7○ JSP must render identical response for GET, POST & HEAD; all other

methods are undefined

EL 3.0● Final: Final May 22nd 2013● Significant Changes● New Features

○ Access to static fields, methods & constructors○ Assignment operator○ Semi-colon operator (chain multiple commands)○ String concatenation operator○ New Collections API, including dynamic construction of collections & the

stream method and the collection pipeline○ Lambda Expressions

● Incompatibilities○ Default coercion for nulls to non-primitive types, except Strings, return

null. Ex: null -> Boolean returns null, but null -> boolean returns false.

EL 3.0 Demos

WebSocket 1.0● Final: May 22nd 2013

● Tomcat 7 has supported WebSockets for a while (different API)

● Tomcat 8 implements new API

● Tomcat 7 has been upgraded to support new API (as of Tomcat 7.0.43)

● Both implement client & server APIs

WebSocket 1.0● Additional Features

○ Encoding / decoding, sub-protocols and extensions○ Annotations

● Differences○ Tomcat 7’s old implementation is blocking within a Frame○ WebSocket 1.0 is non-blocking although some writes do block

● Non-blocking○ Works with the BIO connector but obviously is not really non-blocking○ Fundamentally changes the API

Bidirectional messages

WebSocket HandshakeGET /path HTTP/1.1Upgrade: websocketConnection: Upgrade...

HTTP/1.1 101 Switching ProtocolsUpgrade: websocketConnection: Upgrade...

Initiate close(close control frame) Respond to close

(close control frame)

WebSocket Demos

Tomcat Specific Changes

Tomcat Specific Changes● Resources

○ Aliases○ VirtualDirContext / VirtualWebappLoader○ External repositories for the WebappClassLoader○ Servlet 3.0 resource JARS

● Tomcat 7 implements each of these slightly differently○ Very fragile○ Servlet 3.1 overlays would have been difficult

● New resources implementation○ Much cleaner implementation○ Overlays now simpler to implement (but have been dropped from Servlet

3.1)

Resources● Ordering

○ Pre Resources○ Main Resources (i.e. the docBase for a context)○ Jar Resources○ Post Resources

● Types○ DirResourceSet - a directory○ FileResourceSet - a single file○ JarResourceSet - a JAR file

● General recommendation is avoid using directly as this is Tomcat specific

Resources<?xml version='1.0' encoding='utf-8'?><Context>

<Resources> <PreResources className="org.apache.catalina.webresources.FileResourceSet" base="/app/files/special.txt" webAppMount="/static/special.txt" /> <PostResources className="org.apache.catalina.webresources.DirResourceSet" base="/app/files/static" webAppMount="/static" />

</Resources></Context>

RewriteValve● Rewrite Valve implements URL rewrite functionality in a way that is very

similar to mod_rewrite from Apache HTTP Server● Valve can be added in two locations

○ added in <Host> block. Configuration is in conf/Catalina/localhost/rewrite.config.

○ added in Web App’s Context. Configuration is in WEB-INF/rewrite.config.● Configuration Syntax: RewriteCond TestString CondPattern● Examples:

○ RewriteCond %{REMOTE_HOST} ^host1.* [OR]○ RewriteCond %{REMOTE_HOST} ^host2.* [OR]○ RewriteCond %{REMOTE_HOST} ^host3.*○ RewriteRule ...some special stuff for any of these hosts...

Tomcat Specific Changes (cont.)● Requires Java 7 or later● NIO connector is now the default● Additional diagnostic information in the Manager

○ SSL ciphers○ May be back-ported to Tomcat 7

● DBCP2 is now the default (supports JDBC 4.1)○ DBCP & Tomcat jdbc-pool still included as well

● Unclosed InputStream tracking○ logs InputStreams from WebResources that haven’t been closed○ removes need for anti-jar locking and extracting files to work directory

Timescales

Timescales● Java EE 7 Final has shipped● Tomcat 8.0.0

○ 8.0.0.RC5 (alpha) is available, 8.0.0-alpha expected early Dec○ Alpha has complete implementations of Servlet 3.1, JSP 2.3, EL 3.0 &

WebSocket 1.0○ Code is not ready for production usage, purpose is to gather community

feedback and fix bugs○ Additional internal refactoring will likely occur prior to a non-alpha release○ Based on past experience, 8.0.0 release will likely hit six to nine months

after initial alpha release (Feb - May 2014). Depends on community usage and feedback.

Learn More.

● Demo Code: github.com/dmikusa-pivotal/tomcat-8-features● Demo Code Running on CF: tomcat-8-demos.cfapps.io

● Website: tomcat.apache.org● Download: tomcat.apache.org/download-80.cgi● Documentation: tomcat.apache.org/tomcat-8.0-doc/index.html● Migration Guide: tomcat.apache.org/migration.html● Mailing Lists: tomcat.apache.org/lists.html

Questions

We’re Hiring!

● Global Support Services - Spring & Middleware Team● ow.ly/qIuJ1

● Global Support Services - CloudFoundry Team

● Other Job Posting: gopivotal.com/careers