Welcome to TomcatExpert



Blog : Case Study: Hyperic Goes Lean with Spring & Apache Tomcat

posted by Stacey Schneider on November 29, 2010 01:03 PM

Last fall, software provider Hyperic started on a release plan that, by all accounts, represents a major infrastructure shift: migrating their EJB layer to Spring 3.0 and their internal server to Apache Tomcat. Originally built in 2002 and released as open source in 2006, the Hyperic software, a web infrastructure monitoring and management application, helps some of the largest web shops in the world monitor and manage their production web applications. For any well-established software product, such a fundamental change to the application architecture is surely not a decision made lightly.

So Why Such a Change?

The obvious answer is to follow the proven mantra of eating your own dog food. In 2009, Hyperic was acquired by SpringSource, which has a significant investment in both its flagship product, Spring, and in Apache Tomcat, through its commercial distribution of Tomcat, vFabric tc Server, and the number of Tomcat committers and experts it employs directly. By adopting the "company standards", the Hyperic team gains better access to engineering support and follows the software best practice of using their own products just as their customers do.

However, with such an established code base and number of production customers, a shift of this magnitude is bound to delay the development of new features and potentially bug fixes, both of which are critical to keeping customers happy. A decision of this kind therefore needs to translate quickly into financial or customer benefit.

So why the change? The answer is that the Hyperic engineering team wanted to move towards lean software development, a system of development processes popular with the Agile community. The move allows future development and bug fixes to happen more quickly through simpler configuration, reduced code complexity, decreased application start time, and a faster debugging process, which together improve the maintainability, testability, and reliability of their Hyperic HQ 4.5 software, released this month. In essence, a temporary delay on a stable product release would quickly pay dividends in development costs and ultimately deliver features to their customers faster.

For more information on the rationale, and a detailed walk-through of the migration itself, check out the complete webinar that Hyperic technical lead Jennifer Hickey originally delivered at the SpringOne 2GX conference held in Chicago in October. A link to an audio recording of her presentation with her original slides can be found in the Knowledge Base section of the Tomcat Community here: Hyperic's Migration to Spring and Apache Tomcat Case Study presentation.




Developers | code migration, Hyperic, Spring Framework

Blog : Apache Tomcat Manager Application XSS Vulnerability

posted by Stacey Schneider on November 22, 2010 04:57 AM

Announced this afternoon by the Apache Tomcat team.


CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability

Severity: Tomcat 7.0.x - Low, Tomcat 6.0.x - Moderate

Vendor: The Apache Software Foundation

Versions Affected:

  • Tomcat 7.0.0 to 7.0.4
    • Not affected in default configuration.
    • Affected if CSRF protection is disabled
    • Additional XSS issues if web applications are untrusted
  • Tomcat 6.0.12 to 6.0.29
    • Affected in default configuration
    • Additional XSS issues if web applications are untrusted
  • Tomcat 5.5.x
    • Not affected


The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.

A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.
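The advisory's point about httpOnly names the setting that limits what this kind of XSS can reach on Tomcat 6. The fragment below is an added example, not part of the announcement; it assumes Tomcat 6.0.19 or later, where the Context element gained the useHttpOnly attribute, and that the default conf/context.xml is the file being edited.

```xml
<!-- conf/context.xml: settings here apply to every web application on
     this Tomcat instance, including the manager application. -->
<!-- Tomcat 6.0.x default behaviour: useHttpOnly is false, so JSESSIONID
     is readable by script running in the page. Tomcat 7.0.x defaults to
     true. Setting it here marks the session cookie HttpOnly, which keeps
     document.cookie from exposing it even if a page is vulnerable to XSS.
     Requires Tomcat 6.0.19 or later (assumption stated in the lead-in). -->
<Context useHttpOnly="true">
    <!-- Default monitored resource; kept from the stock context.xml. -->
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

This reduces the impact described above but does not remove the XSS itself; updating to a fixed version does that.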




Developers | Tomcat 6, Tomcat 7, Tomcat Manager

Blog : Apache Tomcat Connectors 1.2.31 stable

posted by Stacey Schneider on November 1, 2010 07:07 AM

Announced this morning by the Apache Tomcat team:

The Apache Tomcat team announces the immediate availability of Apache Tomcat Connectors 1.2.31 stable.

Apache Tomcat Connectors 1.2.31 concentrates mainly on bug fixes.

Please refer to the change log for the list of changes:


Please note that syncing the release to the download mirrors might take up to 48 hours.

Thank you
The Apache Tomcat Team




Developers | Tomcat Connectors

Blog : The Art of Cloud Computing

posted by jbrisbin on October 27, 2010 05:05 PM

It's not exactly accurate to use words like "legacy" when describing systems like IBM's i5 (it will always be the AS/400 to me). Our "legacy" systems are so critical to our ($1B) business it's not an overstatement to say that our restaurants could not transact business without them. The simple majority of our development time, energy, and money is spent writing new RPG code, introducing new green screen applications, and finding new ways to make the 400 work with the rest of our expanding private cloud infrastructure. Calling something legacy has usually implied that newer systems are taking the place of the "old" way of doing things. I suppose you could say that programmers use the word "legacy" interchangeably with "obsolete".

Our AS/400 is not going away. For that reason, it's silly to call it obsolete.

I've gotten some great feedback from the session on private cloud infrastructures I did at this year's SpringOne 2GX in Chicago. People are very interested in how these traditional systems can work with the new cloud services many are introducing into their enterprise. Plenty of organizations have decades of business knowledge and data tied up in "legacy" systems and they want to know how in the world they can get a fancy new cloud application server like tc Server to talk to their AS/400 (through more than SQL and JDBC).




| cloud computing, SpringOne G2X, tc Server

Blog : Apache Tomcat 7.0.4 Beta Released

posted by Stacey Schneider on October 25, 2010 02:38 PM

On Friday, the Apache Tomcat team announced the release of Tomcat 7.0.4 beta via email:


The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.4 beta.

Apache Tomcat 7.0 includes new features over Apache Tomcat 6.0, including support for the new Servlet 3.0, JSP 2.2 and EL 2.2 specifications, web application memory leak detection and prevention, improved security for the Manager and Host Manager applications, Generic CSRF protection, support for including external content directly in a web application (aliases), re-factoring (connectors, life-cycle) and lots of internal code clean-up.

The 7.0.4 release contains numerous bug fixes compared to 7.0.2.

Please refer to the change log for the list of changes:

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.



Migration guide from Apache Tomcat 5.5.x and 6.0.x:

Thank you,

-- The Apache Tomcat Team





Developers | Tomcat 7