TomcatExpert

Blogs

Blog : Cross-site Scripting (XSS) Prevention in Apache Tomcat 7

posted by mthomas on January 26, 2011 07:28 AM

Cross-site scripting (XSS) is the most common class of security vulnerability in web applications today. An XSS flaw exists when an attacker can inject client-side script into a page the application serves, so that the victim's browser executes that script with the full trust of the application's origin. Injected script typically reads user and session information stored in cookies and then issues requests that look like legitimate user activity. The result can let an attacker take over the user's account, change account settings, or redirect traffic to malicious or fraudulent advertising sites. Recent high-profile cross-site scripting attacks on sites such as Twitter and IBM's DeveloperWorks illustrate how common these vulnerabilities are on web sites both large and small.

Because cross-site scripting is such a significant and universal threat (a few cross-site scripting issues have been fixed in Tomcat 7 itself), an unofficial extension to the cookie specification, the HttpOnly cookie attribute, was introduced to limit its impact. Although unofficial, it is widely supported by browsers. When a cookie is marked HttpOnly the browser still sends it with every request but withholds it from client-side script, so document.cookie no longer exposes the session ID. Be clear about what this does and does not buy you: HttpOnly stops injected script from stealing the session cookie, but the script still runs in the user's origin and can issue requests that the browser authenticates with that same cookie. It reduces the damage an XSS flaw can do; it is not a substitute for escaping untrusted output.
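Enabling the flag in Tomcat 7, as an added example that is not part of the original post. The Context attribute is Tomcat-specific (useHttpOnly already defaults to true in Tomcat 7, so stating it only makes the default explicit and guards against a context.xml copied from Tomcat 6 that turned it off); the cookie-config element in web.xml is the portable Servlet 3.0 way and needs a version 3.0 descriptor, which Tomcat 7 is the first Tomcat to accept. The file locations and the application name in the usage note are assumptions.

```xml
<!-- conf/context.xml (applies to every application) or
     <webapp>/META-INF/context.xml (one application).
     Tomcat-specific switch: set the HttpOnly flag on the JSESSIONID cookie.
     A Tomcat 6 context.xml might carry useHttpOnly="false"; that is the
     weak setting to look for. -->
<Context useHttpOnly="true">
</Context>

<!-- WEB-INF/web.xml: the portable Servlet 3.0 equivalent. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <session-config>
    <!-- Shorter sessions shrink the window in which a stolen ID is useful. -->
    <session-timeout>30</session-timeout>
    <cookie-config>
      <!-- Hide the session cookie from document.cookie. -->
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>
```

After a restart, `curl -i http://localhost:8080/myapp/` (or the browser's developer tools) should show a header of the form `Set-Cookie: JSESSIONID=...; Path=/myapp; HttpOnly`; if HttpOnly is missing, check whether a deployed META-INF/context.xml overrides the global one. Both settings cover only the session cookie Tomcat creates. Cookies the application sets itself need `Cookie.setHttpOnly(true)`, which the Servlet 3.0 API adds, and any cookie carrying authentication state should also get the Secure flag (`<secure>true</secure>` in the same cookie-config) once the application is served over HTTPS.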

Security | Cross-site Scripting, security, Tomcat 7

Blog : Apache Tomcat 7.0.6 Released - First Stable Build

posted by Stacey Schneider on January 14, 2011 08:02 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.6.

This is the first stable release of the Tomcat 7 branch.

Apache Tomcat 7.0.6 contains further performance improvements in session management, a new binary distribution targeted at users embedding Tomcat in other applications and several enhancements to the memory leak detection and prevention features.

The 7.0.6 release also contains numerous bug fixes compared to 7.0.5.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers | Tomcat 7

Blog : Apache Tomcat 6.0.30 Released

posted by joannad on January 13, 2011 11:15 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.30 stable. This release includes bug-fixes over Apache Tomcat 6.0.29.

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Operations | Tomcat 6

Blog : Field Report: Apache Tomcat 7 In Action

posted by avanabs on January 11, 2011 08:21 AM

With some help from friends at several of my (now-ex) consulting clients, I've been trying out the latest build of Tomcat 7 on some of the "problem applications" we ran into over the years...many of them while transitioning applications from JEE application servers to the "highly distributed services architectures" (now widely called the "Cloud") that I have been discussing and building for the last 6-7 years.

In a word, WOW!

Of the 11 "problem" applications we've tried on Tomcat 7:

  • 100% of them worked
  • 9 of the 11 exposed coding problems that had led to development and production problems previously.
  • All 9 were readily fixed, and they now run properly on 6.5, as well as on 7
  • The other two simply ran reliably on Tomcat 7, while they required frequent re-starts on 6.5
  • 7 of the 11 ran faster, with the best seeing approximately a 6% performance gain

Developers | Tomcat 7

Blog : Tomcat Expert's Top 10 of 2010

posted by joannad on December 30, 2010 08:53 PM

2010 has been an exciting year for the Tomcat Expert community site. Created by the Apache Tomcat Experts at SpringSource, Tomcat Expert was launched in March to improve the adoption, performance and value of Apache Tomcat for enterprise users. After almost ten months of operation, we’ve been able to provide you with content from Tomcat Expert Contributors weighing in on top Apache Tomcat news and topics, including several relating to June's release of Tomcat 7.0.0 Beta, the first Tomcat 7 release.  As the year winds down, we've put together a list of the most popular blog posts of the year. Additionally, we're asking you to tell us what topics you'd like to see covered more in 2011 with a content request form below. 

Developers, Executives | Tomcat 7, Tomcat Admin, Tomcat Cloud

Blog : Integrating ActiveMQ With Apache Tomcat using Global JNDI

posted by bsnyder on December 20, 2010 07:45 AM

This article is excerpted from the forthcoming book ActiveMQ In Action (http://bit.ly/2je6cQ) by Bruce Snyder, Rob Davies and Dejan Bosanac (Manning Publications, ISBN: 1933988940)

The first article in this series introduced ActiveMQ at a high level and gave you a picture of where to use ActiveMQ with your applications. The second article went a bit deeper and demonstrated how to integrate ActiveMQ with Tomcat using local JNDI, which is useful when ActiveMQ should be accessed by only a single application. But what about a situation where more than one application deployed to a single instance of Tomcat needs to access ActiveMQ? This is where Tomcat's global JNDI enters the picture. In this article, I show how to integrate ActiveMQ with Tomcat using a global JNDI configuration.

Integrating ActiveMQ With Tomcat

As mentioned in the previous article, ActiveMQ provides a unique feature that allows a broker to be created via the ActiveMQ JMS connection factory. By creating an ActiveMQ connection factory using a URI for a broker that does not yet exist, the JMS connection will create an embedded instance of the broker. This means that the creation of the broker depends on the ability to create the ActiveMQ connection. JMS connections are created from a connection factory that is registered with the application server. For this purpose, Java application servers provide a JNDI (Java Naming and Directory Interface) implementation that can be used to expose objects to applications deployed in the container. Objects such as JDBC drivers, JMS resources, transaction managers and so forth can be configured to be accessed through the JNDI API. This is the approach that will be used with the web container.

Tomcat offers two styles of configuration for JNDI resources: a local JNDI context and a global JNDI context. Configuring a local JNDI resource means that the resource is available only to one particular web application deployed to Tomcat, whereas configuring a resource in the global JNDI context makes it available to any web application deployed to that Tomcat instance.

Developers | Tomcat 6, Tomcat 7, ActiveMQ

Blog : Integrating ActiveMQ With Apache Tomcat Using Local JNDI

posted by bsnyder on December 16, 2010 08:03 AM

This article is excerpted from the forthcoming book ActiveMQ In Action (http://bit.ly/2je6cQ) by Bruce Snyder, Rob Davies and Dejan Bosanac (Manning Publications, ISBN: 1933988940)

In the first article in this series, I introduced ActiveMQ at a high level and briefly discussed why and when it might be used. In the next two articles, I will introduce two styles of integrating ActiveMQ with Tomcat. In this article I will discuss the first style of integrating ActiveMQ with Tomcat.

Tomcat supports the ability to configure Java objects as JNDI resources. This is ideal for ActiveMQ because a JMS connection factory is required to access the message broker. ActiveMQ is highly configurable and very flexible. As part of this flexibility, ActiveMQ can be embedded inside an existing JVM via a connection factory or started as a standalone server in its own JVM. Both of these styles will be touched upon in this article.

Integrating ActiveMQ With Tomcat

ActiveMQ provides a unique feature that allows a broker to be created via the ActiveMQ JMS connection factory. By creating an ActiveMQ connection factory using a URI for a broker that does not yet exist, the JMS connection will create an embedded instance of the broker. This means that the creation of the broker depends on the ability to create the ActiveMQ connection. JMS connections are created from a connection factory that is registered with the application server. For this purpose, Java application servers provide a JNDI (Java Naming and Directory Interface) implementation that can be used to expose objects to applications deployed in the container. Objects such as JDBC drivers, JMS resources, transaction managers and so forth can be configured to be accessed through the JNDI API. This is the approach that will be used with the web container.

Tomcat offers two styles of configuration for JNDI resources: a local JNDI context and a global JNDI context. Configuring a local JNDI resource means that the resource is available only to one particular web application deployed to Tomcat, whereas configuring a resource in the global JNDI context makes it available to any web application deployed to that Tomcat instance. The configuration for each style is different, so I will review one style in this article and the second style in the next article.
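The two configuration styles this article and the companion global-JNDI article above contrast, as an added example that is not code from the book or from either article. It follows the pattern ActiveMQ documents for Tomcat: the connection factory is registered through ActiveMQ's JNDIReferenceFactory, and a vm:// broker URL makes the first connection start an embedded broker inside Tomcat's JVM, exactly the create-on-connect behaviour described above. The resource names, the queue name and the broker options are assumptions.

```xml
<!-- Style 1: local JNDI. File: <webapp>/META-INF/context.xml
     Visible only to this web application, under java:comp/env/.
     The embedded broker is created inside the application's class loader
     the first time the factory hands out a connection, and goes away
     with the application. -->
<Context>
  <Resource name="jms/ConnectionFactory"
            auth="Container"
            type="org.apache.activemq.ActiveMQConnectionFactory"
            description="ActiveMQ connection factory (embedded broker)"
            factory="org.apache.activemq.jndi.JNDIReferenceFactory"
            brokerURL="vm://localhost?broker.persistent=false" />
  <Resource name="jms/FooQueue"
            auth="Container"
            type="org.apache.activemq.command.ActiveMQQueue"
            description="Queue destination"
            factory="org.apache.activemq.jndi.JNDIReferenceFactory"
            physicalName="FOO.QUEUE" />
</Context>

<!-- Style 2: global JNDI. Add inside the existing <Server> element of
     conf/server.xml. One embedded broker is shared by every web
     application on this Tomcat instance, so the broker becomes a trust
     boundary that all of those applications cross. -->
<GlobalNamingResources>
  <Resource name="jms/ConnectionFactory"
            auth="Container"
            type="org.apache.activemq.ActiveMQConnectionFactory"
            description="Shared ActiveMQ connection factory (embedded broker)"
            factory="org.apache.activemq.jndi.JNDIReferenceFactory"
            brokerURL="vm://localhost?broker.persistent=false" />
</GlobalNamingResources>

<!-- Style 2, continued: each application that needs the shared factory
     links the global entry into its own java:comp/env/ namespace in
     its META-INF/context.xml. Applications without a ResourceLink
     cannot see the resource. -->
<Context>
  <ResourceLink name="jms/ConnectionFactory"
                global="jms/ConnectionFactory"
                type="javax.jms.ConnectionFactory" />
</Context>
```

In either style the application code is identical: `new InitialContext().lookup("java:comp/env/jms/ConnectionFactory")` returns a `javax.jms.ConnectionFactory`. The difference is where the ActiveMQ jars must live: with the global style the container, not the web application, instantiates the factory, so the jars go in $CATALINA_HOME/lib and must not also be bundled in WEB-INF/lib, or two copies of the classes end up in different class loaders. Only the applications you give a ResourceLink can reach the shared broker, which is the one access control Tomcat provides here; anything finer (per-application users, destination permissions) has to be configured in the broker itself.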

Developers | Tomcat 6, Tomcat 7, ActiveMQ

Blog : ActiveMQ and Apache Tomcat: Perfect Partners

posted by bsnyder on December 13, 2010 07:04 AM

This article is excerpted from the forthcoming book ActiveMQ In Action (http://bit.ly/2je6cQ) by Bruce Snyder, Rob Davies and Dejan Bosanac (Manning Publications, ISBN: 1933988940)

At one time or another, every software developer has the need to communicate between applications or transfer data from one system to another. Not only are there many solutions to this sort of problem, but depending on your constraints and requirements, deciding how to go about such a task can be a big decision. Business requirements oftentimes place restrictions on items that directly impact such a decision including performance, scalability, reliability and more. There are many applications that we use every day that impose just such requirements including ATMs, airline reservation systems, credit card systems, point-of-sale systems and telecommunications just to name a few. Where would we be without most of these applications in our daily lives today?

When it comes to developing and deploying Java applications, it is extremely common to use Tomcat as a runtime container. As you expand your Java applications, new business needs arise including the ability to communicate with other applications, the need to scale an application architecture and quite possibly the need to decrease application coupling just to name a few. These requirements and many more can be addressed through the use of ActiveMQ with Tomcat.

In a series of articles, you will learn about the integration of ActiveMQ and Tomcat. In the first article, you will learn a bit about Java Servlet technology, Tomcat and you will be introduced to Apache ActiveMQ. Future articles will continue to dive deeper into the topic of integrating ActiveMQ with Tomcat.

Developers | Tomcat 6, Tomcat 7, ActiveMQ

Blog : Apache Tomcat 7.0.5 Beta Released

posted by Stacey Schneider on December 1, 2010 10:07 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.5 beta.

Apache Tomcat 7.0.5 beta contains performance improvements in session management, a number of new features including support for parallel deployment of multiple versions of the same web application and a redesigned welcome page.

The 7.0.5 release also contains numerous bug fixes compared to 7.0.4.

Please refer to the change log for the list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Developers, Operations | Tomcat 7

Blog : Case Study: Hyperic Goes Lean with Spring & Apache Tomcat

posted by Stacey Schneider on November 29, 2010 01:03 PM

Last fall, software provider Hyperic started on a release plan that by all accounts is a major shift in infrastructure: migrating their EJB layer to Spring 3.0 and their internal server to Apache Tomcat. Originally built in 2002 and released as open source in 2006, the Hyperic software, a web infrastructure monitoring and management application, helps some of the largest web shops in the world monitor and manage their production web applications. For any well established software, such a fundamental change to the application architecture is surely not a decision that was made lightly.

So Why Such The Change?

The obvious answer is to follow the proven mantra of eating your own dog food. In 2009, Hyperic was acquired by SpringSource, which has a significant investment in both its flagship product, Spring, and Apache Tomcat, through its commercial distribution of Tomcat, vFabric tc Server, and the number of Tomcat committers and experts employed directly by the company. By adopting the "company standards", they have better access to engineering support and follow the software best practice of using their products just as their customers do.

However, with such an established code base and number of production customers, a shift of this magnitude is bound to delay the development of new features and potentially bug fixes, which are critical improvements needed to keep customers happy. This type of a decision therefore needs to translate quickly into financial or customer benefit.

So why the change? The answer is that the Hyperic engineering team wanted to move towards lean software development, a system of development processes popular with the Agile development community. The move allows future development and bug fixes of the product to happen more quickly through simpler configuration, reduced code complexity, decreased application start time and a faster debugging process, which improves the maintainability, testability and reliability of their Hyperic HQ 4.5 software, released this month. In essence, a temporary delay on a stable product release would quickly pay dividends in their development costs and ultimately provide faster development of features for their customers.

For more information on the rationale, and a detailed walk through of the migration itself, check out the complete webinar that Hyperic technical lead Jennifer Hickey originally delivered at the SpringOne 2GX conference held in Chicago in October. A link to an audio recording of her presentation with her original slides can be found in the Knowledge Base section of the Tomcat Community here: Hyperic's Migration to Spring and Apache Tomcat Case Study presentation.

Developers | code migration, Hyperic, Spring Framework