Apache Tomcat 8 Preview

Transcript

1. © 2013 Pivotal Apache Tomcat 8 Preview By Daniel Mikusa

   & Stuart Williams

2. Agenda •  Introductions •  Java EE 7 •  Tomcat specific

   changes •  Timescales •  Questions

3. Introductions

4. Introductions •  Daniel Mikusa •  Active on [email protected] •  Contributing

   Author on TomcatExpert.com •  Senior Technical Support Engineer at Pivotal ◦  Tomcat / tc Server ◦  Spring Framework ◦  CloudFoundry •  Stuart Williams •  Active on [email protected] •  A committer on open source projects at Apache, Eclipse and elsewhere •  Software Engineer at Pivotal ◦  Tomcat / tc Server ◦  Architect ◦  Pivotal RT project

5. Java EE 7

6. Java EE 7 •  Tomcat 8 ◦  Servlet 3.1 ◦ 

   JSP 2.3 ◦  Expression Language 3.0 ◦  Web Sockets 1.0 ◦  Little / no demand for other Java EE 7 components in Tomcat •  Web Profile Container - Apache TomEE •  J2EE Container - Apache Geronimo

7. Servlet 3.1 •  Final: May 28th 2013 •  New Features

   ◦  Non-blocking IO ◦  HTTP Upgrade ◦  Change session id on authentication •  Improvements ◦  Protection for uncovered HTTP methods in security constraints ◦  Clarified some ambiguities ◦  Fixed some typos

8. Change Session Id •  To change the session id: ◦ 

   HttpServletRequest.changeSessionId() •  To listen for session id changes with HttpSessionIdListener •  Register HttpSessionIdListener with: ◦  ServletContext.addListener(..) ◦  @WebListener public class CustomHttpSessionIdListener implements HttpSessionIdListener { public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
 …. } }

9. Uncovered HTTP Methods •  When defining security constraints, it’s possible

   to list specific HTTP methods covered by the security constraint ◦  <http-method> ◦  <http-method-omission> •  A method is “uncovered” when… ◦  One or more methods are listed with <http-method>, any method not listed is “uncovered” ◦  One or more methods are listed with <http-method-omission>, every method list is “uncovered” •  If no methods are specifically listed then all methods are protected

10. Uncovered HTTP Methods: Ex 1 <security-constraint> <web-resource-collection> <web-resource-name>wholesale</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method>

    </web-resource-collection> <auth-constraint> <role-name>SALESCLERK</role-name> </auth-constraint> </security-constraint> Only GET is covered

11. Uncovered HTTP Methods: Ex 2 @ServletSecurity((httpMethodConstraints = { @HttpMethodConstraint(value =

    "GET", rolesAllowed = "R1"), @HttpMethodConstraint(value = "POST", rolesAllowed = "R1", transportGuarantee = TransportGuarantee.CONFIDENTIAL) }) public class Example5 extends HttpServlet { …. } Only GET & POST are covered

12. Servlet 3.1 Demos

13. JSP 2.3 •  Final: June 12th 2013 •  There is

    no JSP Expert Group •  JSP 2.3 is a maintenance release •  Changes ◦  Requires Servlet 3.1, EL 3.0 & Java 7 ◦  JSP must render identical response for GET, POST & HEAD; all other methods are undefined

14. EL 3.0 •  Final: Final May 22nd 2013 •  Significant

    Changes •  New Features ◦  Access to static fields, methods & constructors ◦  Assignment operator ◦  Semi-colon operator (chain multiple commands) ◦  String concatenation operator ◦  New Collections API, including dynamic construction of collections & the stream method and the collection pipeline ◦  Lambda Expressions •  Incompatibilities ◦  Default coercion for nulls to non-primitive types, except Strings, return null. Ex: null -> Boolean returns null, but null -> boolean returns false.

15. EL 3.0 Demos

16. WebSocket 1.0 •  Final: May 22nd 2013 •  Tomcat 7

    has supported WebSockets for a while (different API) •  Tomcat 8 implements new API •  Tomcat 7 has been upgraded to support new API (as of Tomcat 7.0.43) •  Both implement client & server APIs

17. WebSocket 1.0 •  Additional Features ◦  Encoding / decoding (lots

    of debate here) ◦  Annotations •  Differences ◦  Tomcat 7’s implementation is blocking within a Frame ◦  WebSocket 1.0 is non-blocking although some writes do block •  Non-blocking ◦  Works with the BIO connector but obviously is not really non-blocking ◦  Fundamentally changes the API

18. Bidirectional messages WebSocket Handshake GET /path HTTP/1.1 Upgrade: websocket Connection:

    Upgrade ... HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade ... Initiate close (close control frame) Respond to close (close control frame)

19. WebSocket Code Example

20. Tomcat Specific Changes

21. Tomcat Specific Changes •  Resources ◦  Aliases ◦  VirtualDirContext /

    VirtualWebappLoader ◦  External repositories for the WebappClassLoader ◦  Servlet 3.0 resource JARS •  Tomcat 7 implements each of these slightly differently ◦  Very fragile ◦  Servlet 3.1 overlays would have been difficult •  New resources implementation ◦  Much cleaner implementation ◦  Overlays now simpler to implement (but have been dropped from Servlet 3.1)

22. Resources •  Ordering ◦  Pre Resources ◦  Main Resources (i.e.

    the docBase for a context) ◦  Jar Resources ◦  Post Resources •  Types ◦  DirResourceSet - a directory ◦  FileResourceSet - a single file ◦  JarResourceSet - a JAR file •  General recommendation is avoid using directly as this is Tomcat specific

23. Resources <?xml version='1.0' encoding='utf-8'?> <Context> <Resources>
 <PreResources className="org.apache.catalina.webresources.FileResourceSet" base="/app/ files/special.txt"

    webAppMount="/static/special.txt" /> <PostResources className="org.apache.catalina.webresources.DirResourceSet" base="/app/ files/static" webAppMount="/static" /> </Resources> </Context>

24. RewriteValve •  Rewrite Valve implements URL rewrite functionality in a

    way that is very similar to mod_rewrite from Apache HTTPD Server •  Valve can be added in two locations o  added in <Host> block. Configuration is in conf/Catalina/localhost/ rewrite.config. o  added in Web App’s Context. Configuration is in WEB-INF/ rewrite.config. •  Configuration Syntax: RewriteCond TestString CondPattern •  Examples: o  RewriteCond %{REMOTE_HOST} ^host1.* [OR] o  RewriteCond %{REMOTE_HOST} ^host2.* [OR] o  RewriteCond %{REMOTE_HOST} ^host3.* o  RewriteRule ...some special stuff for any of these hosts...

25. Tomcat Specific Changes (cont.) •  Requires Java 7 or later

    •  NIO connector is now the default •  Additional diagnostic information in the Manager ◦  SSL ciphers ◦  May be back-ported to Tomcat 7 •  DBCP2 is now the default (supports JDBC 4.1) ◦  DBCP & Tomcat jdbc-pool still included as well •  Unclosed InputStream Tracking ◦  logs InputStreams from WebResources that haven’t been closed ◦  removes need for anti-jar locking and extracting files to work directory

26. Timescales

27. Timescales •  Java EE 7 Final has shipped •  Tomcat

    8.0 ◦  8.0.1 (beta) is available ◦  8.0.3 (beta) is being voted on as of 2/9/2014 ◦  Implementations of Servlet 3.1, JSP 2.3, EL 3.0 & WebSocket 1.0 is complete ◦  Code is not ready for production usage, currently deemed beta quality ◦  This release has been quick. Past experience shows an alpha release will hit six to nine months after initial alpha release (Feb - May 2014). Beta release is already available. This is due to great community usage and feedback.

28. Questions

29. Learn More. Stay Connected. •  Demo Code: github.com/swilliams-pivotal/s2gx-tomcat github.com/dmikusa-pivotal/tomcat-8-features • 

    Looking for support, training or consulting? Email [email protected] •  Website: tomcat.apache.org •  Download: tomcat.apache.org/download-80.cgi •  Documentation: tomcat.apache.org/tomcat-8.0-doc/index.html •  Migration Guide: tomcat.apache.org/migration.html •  Mailing Lists: tomcat.apache.org/lists.html •  Find Session replays on YouTube: spring.io/video