TomcatExpert

The Top 3 Apache Tomcat 7 features now Available in Apache Tomcat 6

posted by mthomas on June 30, 2011 08:39 AM

The release of Apache Tomcat 7 (out in beta last June) has made great strides in improving the overall security and general robustness of the world's most popular application server. In fact, over 450 improvements and issues have been resolved in this latest stable release. While these changes range from small to significant, what is notable is that the mature architecture of Apache Tomcat has remained intact: we have seen few problems thus far in backporting changes. (See the special note at the end of the Crawler Session Manager Valve post, where we note that the Apache Software Foundation (ASF) has upgraded its own bug tracker, JIRA, which runs on Tomcat, to version 7, and it just works, even though JIRA has not yet announced support for it.) This consistency across versions means that many bug fixes, as well as new features, are good candidates to be added to Tomcat 6. As of Tomcat 6.0.30, these are the three that you should know about:

Memory Leak Detection/Prevention

Announced in a post here on Tomcat Expert last year, the new memory leak detection and prevention feature has been a widely anticipated new feature that addresses how Tomcat can cause memory leaks in the permanent generation (PermGen) that lead to OutOfMemoryErrors when re-loading web applications.

This feature exists in two parts. First, it prevents memory leaks through a new life-cycle listener, the JreMemoryLeakPreventionListener, which calls various parts of the Java API at startup. It's common that if the web application is the first code to call these Java APIs, the web application class loader will be pinned in memory, causing leaks. The listener ensures that Tomcat is the first to make the call, and therefore prevents the web application class loader from being pinned in memory. For more details on what this listener actually does, the source code is pretty well commented.

Second, it handles detection by executing code when a web application is stopped, undeployed or reloaded. It scans the code for standard causes of memory leaks, and where it can, fixes the leaks. Implemented in the WebappClassLoader, there are a series of expandable, standard API calls and some reflection tricks that help this detection feature do its job. For more on what these checks do, check out the explanation by Sylvain Laurent on the Tomcat Wiki, or of course, you can look at the source code. Start with the clearReferences() method.

Updates to these features are spread over several 6.0 versions, with 6.0.30 having the latest version of the feature.


CSRF Protection

Also described in a post here on Tomcat Expert earlier this year, cross-site request forgery (CSRF) protection provides built-in support to secure websites from a type of malicious attack that exploits the site's trust in the web browser making calls within an authenticated session. Also sometimes called one-click attacks or session riding, these attacks come from embedded code in HTML emails, social media links or Flash files that a user loads while they have an authenticated session to a specific application, such as Tomcat Manager itself. Once the malicious code runs, riding on the open authenticated session, it opens a back door to the application that lets the attacker cripple a site or control the user's account and potentially gain access to money.

The new CSRF protection specifically prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager, and provides a new CSRF Prevention Filter that companies can use to protect their own applications. The fix prevents these attacks by using a system of nonces, or tokens. Starting with the authentication request, the browser is sent a special token that must be provided with the next request or, in the case of more complicated applications, within a specific limit of the next series of requests. Since the token changes frequently, when the attacker sends the forged request it will reach the server but will not include the correct token, so the server will reject the request and prevent the attack.

Protection from CSRF (Cross-Site Request Forgery) is a new feature in 6.0.30.
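As an added illustration of the nonce scheme described above (example code written for this page, not Tomcat's own CsrfPreventionFilter), the Python below models a bounded per-session cache of recently issued nonces, so a request carrying a token that is missing, forged or older than the last few responses is rejected. The request parameter name org.apache.catalina.filters.CSRF_NONCE is the one the real filter uses; the class names, the 403/200 results and the cache size of 2 (the real filter's nonceCacheSize defaults to 5) are assumptions.

```python
import secrets
from collections import OrderedDict

# Parameter name the Tomcat CsrfPreventionFilter expects the nonce in.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


class NonceCache:
    """Per-session LRU cache of the last N issued nonces (models nonceCacheSize)."""

    def __init__(self, size=5):
        self.size = size
        self._nonces = OrderedDict()

    def add(self, nonce):
        self._nonces[nonce] = True
        self._nonces.move_to_end(nonce)
        while len(self._nonces) > self.size:
            self._nonces.popitem(last=False)  # evict the oldest nonce

    def contains(self, nonce):
        return nonce in self._nonces


class CsrfProtectedApp:
    """Hypothetical app: each response issues a nonce, each request must present one."""

    def __init__(self, nonce_cache_size=5):
        self.nonce_cache_size = nonce_cache_size
        self.sessions = {}  # session id -> NonceCache

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = NonceCache(self.nonce_cache_size)
        return sid

    def render_page(self, sid):
        """A response: mint a fresh nonce, remember it, embed it in the page's links."""
        nonce = secrets.token_hex(16)
        self.sessions[sid].add(nonce)
        return nonce

    def handle_request(self, sid, params):
        """The filter check: only a nonce still in the session cache is accepted."""
        cache = self.sessions.get(sid)
        nonce = params.get(NONCE_PARAM)
        if cache is None or nonce is None or not cache.contains(nonce):
            return 403  # reject: no session, no token, or unknown/stale token
        return 200


def demo():
    app = CsrfProtectedApp(nonce_cache_size=2)
    sid = app.login()
    n1 = app.render_page(sid)
    forged = app.handle_request(sid, {"action": "undeploy"})  # rides session, no token
    legit = app.handle_request(sid, {"action": "undeploy", NONCE_PARAM: n1})
    app.render_page(sid), app.render_page(sid)  # two more responses evict n1
    stale = app.handle_request(sid, {NONCE_PARAM: n1})
    return forged, legit, stale
```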

Windows Installer

Also new in Tomcat 6.0.30, the Windows Installer has received a number of improvements: install/uninstall icons are now available for updates, and installation logs can now be created. The installer allows a 32-bit JVM to be selected when installing on a 64-bit platform. The .ini files can be replaced with the script equivalents. New manager and host-manager roles are ready to use. The installer provides the ability to edit the roles for the added user and also adds support for the /? command line switch. There is a full clean-up after installation, and lastly you can add DetailPrint statements for operations that may take time and improve the descriptions of the components.

Conclusion

Upgrading your application is always a serious consideration, and due diligence to how it will affect your applications and systems should always be fully carried out. However, if any of these three features would improve the performance, security or usability of your Apache Tomcat implementation, consider upgrading your Tomcat 6 implementation. Downloads can be found directly on the Apache Tomcat site here: http://tomcat.apache.org/download-60.cgi

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.
