The release of Apache Tomcat 7 (out in beta last June) has made great strides in improving the overall security and general robustness of the world's most popular application server. In fact, over 450 improvements and issues have been resolved in this latest stable release. While these changes range from small to significant, what is notable is that the mature architecture of Apache Tomcat has remained intact: we have seen few problems so far in backporting changes to earlier versions. (See the special note at the end of the Crawler Session Manager Valve post, where we note that the Apache Software Foundation (ASF) has upgraded its own bug tracker, JIRA, which runs on Tomcat, to version 7, and it just works, even though JIRA has not yet announced support for it.) This consistency across versions means that many bug fixes, as well as new features, are good candidates to be added to Tomcat 6. As of Tomcat 6.0.30, these are the three that you should know about:
Announced in a post here on Tomcat Expert last year, the new memory leak detection and prevention feature has been a widely anticipated addition that addresses how Tomcat can cause memory leaks in the permanent generation (PermGen) that lead to OutOfMemoryErrors when reloading web applications.
This feature exists in two parts. First, it prevents memory leaks through a new life-cycle listener, the JreMemoryLeakPreventionListener, which calls various parts of the Java API at startup. It is common that if the web application is the first code to call certain Java APIs, the web application class loader is pinned in memory, causing a leak on every reload. The listener ensures that Tomcat itself is the first to make those calls, and therefore prevents the web application class loader from being pinned. For more details on what this listener actually does, the source code is well commented.
Second, it handles detection by executing code when a web application is stopped, undeployed or reloaded. It checks for standard causes of memory leaks and, where it can, fixes them. Implemented in the WebappClassLoader, there is a series of extensible, standard API calls and some reflection tricks that help this detection feature do its job. For more on what these checks do, see the explanation by Sylvain Laurent on the Tomcat Wiki, or, of course, look at the source code. Start with the
Updates to these features are spread over several 6.0 versions, with 6.0.30 having the latest version of the feature.
Also described in a post here on Tomcat Expert earlier this year, cross-site request forgery (CSRF) protection provides built-in support to secure websites from a type of malicious attack that exploits the site's trust in the web browser making calls within an authenticated session. Also sometimes called one-click attacks or session riding, these attacks come from code embedded in HTML emails, social media links or Flash files that a user loads while they have an authenticated session to a specific application, such as Tomcat Manager itself. Once the malicious code runs, riding on the open authenticated session, it opens a back door to the application that lets the attacker cripple a site or take control of the user's account, and potentially gain access to money.
The new CSRF protection specifically prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager, and also provides a new CSRF Prevention Filter that companies can use to protect their own applications. The fix prevents these attacks by using a system of nonces, or tokens. Starting with the authentication request, the browser is sent a special token that must be provided with the next request or, in the case of more complicated applications, within a specific limit of the next series of requests. Because the token changes frequently, a forged request will reach the server but will not include the correct token, so the server rejects the request and the attack fails.
Protection from CSRF (Cross-Site Request Forgery) is a new feature in 6.0.30.
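The filter is enabled per application in its WEB-INF/web.xml; the following is an added example, not configuration from the original post or from the Tomcat project, and the entry-point paths are hypothetical:

```xml
<!-- WEB-INF/web.xml of the application being protected (added example) -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <!-- Pages that may be requested without a nonce: where a user's session
       starts. They must not perform state-changing actions themselves.
       (hypothetical paths for this example) -->
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/login.jsp</param-value>
  </init-param>
  <!-- How many of the most recent nonces stay valid per session (default 5).
       Raise it if a page opens several frames or tabs at once, otherwise a
       legitimate request can carry an already evicted token and be rejected. -->
  <init-param>
    <param-name>nonceCacheSize</param-name>
    <param-value>5</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

For the token to reach the next request, every link and form action in the application must be built through HttpServletResponse.encodeURL() or encodeRedirectURL(), which the filter wraps to append the nonce parameter (org.apache.catalina.filters.CSRF_NONCE); a URL assembled as a plain string carries no nonce and is rejected exactly like a forged one.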
Also new in Tomcat 6.0.30, the Windows installer has received a number of improvements: install/uninstall icons are now available for updates, and installation logs can now be created. The Windows installer allows a 32-bit JVM to be selected when installing on a 64-bit platform. The .ini files can be replaced with their script equivalents. New manager and host-manager roles are ready to use. The installer provides the ability to edit the roles for the added user and also adds support for the /? command line switch. There is a full clean-up after installation, and lastly you can add DetailPrint statements for operations that may take time, and the descriptions of the components have been improved.
Upgrading is always a serious consideration, and due diligence on how it will affect your applications and systems should always be carried out in full. However, if any of these three features would improve the performance, security or usability of your Apache Tomcat installation, consider upgrading your Tomcat 6 deployment. Downloads can be found directly on the Apache Tomcat site here: http://tomcat.apache.org/download-60.cgi