Apache Tomcat 8 Preview

Transcript

1. © 2013 Pivotal Apache Tomcat 8 Preview By Daniel Mikusa

   & Stuart Williams

2. Agenda • Introductions • Java EE 7 • Tomcat specific

   changes • Timescales • Questions

3. Introductions

4. Introductions • Daniel Mikusa • Active on [email protected] • Contributing

   Author on TomcatExpert.com • Senior Technical Support Engineer at Pivotal ◦ Tomcat / tc Server ◦ Spring Framework ◦ CloudFoundry • Stuart Williams • Active on [email protected] • A committer on open source projects at Apache, Eclipse and elsewhere • Software Engineer at Pivotal ◦ Tomcat / tc Server ◦ Architect ◦ Pivotal RT project

5. Java EE 7

6. Java EE 7 • Tomcat 8 ◦ Servlet 3.1 ◦

   JSP 2.3 ◦ Expression Language 3.0 ◦ Web Sockets 1.0 ◦ Little / no demand for other Java EE 7 components in Tomcat • Web Profile Container - Apache TomEE • J2EE Container - Apache Geronimo

7. Servlet 3.1 • Final: May 28th 2013 • New Features

   ◦ Non-blocking IO ◦ HTTP Upgrade ◦ Change session id on authentication • Improvements ◦ Protection for uncovered HTTP methods in security constraints ◦ Clarified some ambiguities ◦ Fixed some typos

8. Change Session Id • To change the session id: ◦

   HttpServletRequest.changeSessionId() • To listen for session id changes with HttpSessionIdListener • Register HttpSessionIdListener with: ◦ ServletContext.addListener(..) ◦ @WebListener public class CustomHttpSessionIdListener implements HttpSessionIdListener { public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) { …. } }

9. Uncovered HTTP Methods • When defining security constraints, it’s possible

   to list specific HTTP methods covered by the security constraint ◦ <http-method> ◦ <http-method-omission> • A method is “uncovered” when… ◦ One or more methods are listed with <http-method>, any method not listed is “uncovered” ◦ One or more methods are listed with <http-method-omission>, every method list is “uncovered” • If no methods are specifically listed then all methods are protected

10. Uncovered HTTP Methods: Ex 1 <security-constraint> <web-resource-collection> <web-resource-name>wholesale</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method>

    </web-resource-collection> <auth-constraint> <role-name>SALESCLERK</role-name> </auth-constraint> </security-constraint> Only GET is covered

11. Uncovered HTTP Methods: Ex 2 @ServletSecurity((httpMethodConstraints = { @HttpMethodConstraint(value =

    "GET", rolesAllowed = "R1"), @HttpMethodConstraint(value = "POST", rolesAllowed = "R1", transportGuarantee = TransportGuarantee.CONFIDENTIAL) }) public class Example5 extends HttpServlet { …. } Only GET & POST are covered

12. Servlet 3.1 Demos

13. JSP 2.3 • Final: June 12th 2013 • There is

    no JSP Expert Group • JSP 2.3 is a maintenance release • Changes ◦ Requires Servlet 3.1, EL 3.0 & Java 7 ◦ JSP must render identical response for GET, POST & HEAD; all other methods are undefined

14. EL 3.0 • Final: Final May 22nd 2013 • Significant

    Changes • New Features ◦ Access to static fields, methods & constructors ◦ Assignment operator ◦ Semi-colon operator (chain multiple commands) ◦ String concatenation operator ◦ New Collections API, including dynamic construction of collections & the stream method and the collection pipeline ◦ Lambda Expressions • Incompatibilities ◦ Default coercion for nulls to non-primitive types, except Strings, return null. Ex: null -> Boolean returns null, but null -> boolean returns false.

15. EL 3.0 Demos

16. WebSocket 1.0 • Final: May 22nd 2013 • Tomcat 7

    has supported WebSockets for a while (different API) • Tomcat 8 implements new API • Tomcat 7 has been upgraded to support new API (as of Tomcat 7.0.43) • Both implement client & server APIs

17. WebSocket 1.0 • Additional Features ◦ Encoding / decoding (lots

    of debate here) ◦ Annotations • Differences ◦ Tomcat 7’s implementation is blocking within a Frame ◦ WebSocket 1.0 is non-blocking although some writes do block • Non-blocking ◦ Works with the BIO connector but obviously is not really non-blocking ◦ Fundamentally changes the API

18. Bidirectional messages WebSocket Handshake GET /path HTTP/1.1 Upgrade: websocket Connection:

    Upgrade ... HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade ... Initiate close (close control frame) Respond to close (close control frame)

19. WebSocket Demos

20. Tomcat Specific Changes

21. Tomcat Specific Changes • Resources ◦ Aliases ◦ VirtualDirContext /

    VirtualWebappLoader ◦ External repositories for the WebappClassLoader ◦ Servlet 3.0 resource JARS • Tomcat 7 implements each of these slightly differently ◦ Very fragile ◦ Servlet 3.1 overlays would have been difficult • New resources implementation ◦ Much cleaner implementation ◦ Overlays now simpler to implement (but have been dropped from Servlet 3.1)

22. Resources • Ordering ◦ Pre Resources ◦ Main Resources (i.e.

    the docBase for a context) ◦ Jar Resources ◦ Post Resources • Types ◦ DirResourceSet - a directory ◦ FileResourceSet - a single file ◦ JarResourceSet - a JAR file • General recommendation is avoid using directly as this is Tomcat specific

23. Resources <?xml version='1.0' encoding='utf-8'?> <Context> <Resources> <PreResources className="org.apache.catalina.webresources. FileResourceSet" base="/app/files/special.txt"

    webAppMount="/static/special. txt" /> <PostResources className="org.apache.catalina.webresources. DirResourceSet" base="/app/files/static" webAppMount="/static" /> </Resources> </Context>

24. RewriteValve • Rewrite Valve implements URL rewrite functionality in a

    way that is very similar to mod_rewrite from Apache HTTPD Server • Valve can be added in two locations ◦ added in <Host> block. Configuration is in conf/Catalina/localhost/rewrite.config. ◦ added in Web App’s Context. Configuration is in WEB-INF/rewrite. config. • Configuration Syntax: RewriteCond TestString CondPattern • Examples: ◦ RewriteCond %{REMOTE_HOST} ^host1.* [OR] ◦ RewriteCond %{REMOTE_HOST} ^host2.* [OR] ◦ RewriteCond %{REMOTE_HOST} ^host3.* ◦ RewriteRule ...some special stuff for any of these hosts...

25. Tomcat Specific Changes (cont.) • Requires Java 7 or later

    • NIO connector is now the default • Additional diagnostic information in the Manager ◦ SSL ciphers ◦ May be back-ported to Tomcat 7 • DBCP2 is now the default (supports JDBC 4.1) ◦ DBCP & Tomcat jdbc-pool still included as well • Unclosed InputStream Tracking ◦ logs InputStreams from WebResources that haven’t been closed ◦ removes need for anti-jar locking and extracting files to work directory

26. Timescales

27. Timescales • Java EE 7 Final has shipped • Tomcat

    8.0 ◦ 8.0.1 (beta) is available ◦ 8.0.3 (beta) is being voted on as of 2/9/2014 ◦ Implementations of Servlet 3.1, JSP 2.3, EL 3.0 & WebSocket 1.0 is complete ◦ Code is not ready for production usage, currently deemed beta quality ◦ This release has been quick. Past experience shows an alpha release will hit six to nine months after initial alpha release (Feb - May 2014). Beta release is already available. This is due to great community usage and feedback.

28. Questions

29. Learn More. Stay Connected. • Demo Code: github.com/swilliams-pivotal/s2gx-tomcat github.com/dmikusa-pivotal/tomcat-8-features •

    Website: tomcat.apache.org • Download: tomcat.apache.org/download-80.cgi • Documentation: tomcat.apache.org/tomcat-8.0-doc/index.html • Migration Guide: tomcat.apache.org/migration.html • Mailing Lists: tomcat.apache.org/lists.html • Find Session replays on YouTube: spring.io/video