TomcatExpert


Blog : NIO implementation of the AJP connector

posted by mthomas on June 17, 2011 10:20 AM

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server, such as Apache HTTPD, to an application server like Apache Tomcat. In load-balanced web applications, where the web server has to pass requests to multiple application servers, modules like mod_proxy_ajp help improve the speed of transactions and add support for SSL. This week's update, Apache Tomcat 7.0.16, introduces a NIO implementation of the built-in AJP connector.

What is NIO?

New I/O, usually shortened to NIO, is a set of Java APIs that allow for more scalable I/O operations. Among other things, NIO provides non-blocking handling of data connections, which ensures a response from the application server. Without NIO, admins must configure their web servers and application servers so that the number of threads on the web server side matches the number on the application server side. Depending on configuration, application behavior and the number of concurrent sessions, there is a constant risk of running out of threads and having users get an HTTP 500 Internal Server Error. NIO eliminates this risk by making more efficient use of these threads.

A Simple Example

In simple deployments, users will have one HTTPD instance and one Tomcat server to host their web application. Configure both to use 1000 threads, and the web server instance and the application server instance should run fine. Where it gets complicated is when you employ multiple HTTPDs and multiple instances of Tomcat, and those instances are not using a one-to-one mapping, i.e. situations where any HTTPD instance can talk to any Tomcat instance.

Let's say that you have 2 HTTPD instances and 2 Tomcat instances. Each HTTPD is configured for 1000 threads. Each Tomcat will need to be available to process a connection from each of the threads of all of the HTTPD instances, so each Tomcat will need 2000 threads. As we add more instances, this quickly stops scaling: as the number of HTTPD instances goes up, you need more and more threads on the Tomcat side, and eventually this becomes unsustainable.


Operations | Tomcat 7, Tomcat Configuration, Tomcat Performance

Blog : Apache Tomcat 7.0.16 Released

posted by Stacey Schneider on June 17, 2011 09:28 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.16.

Apache Tomcat 7.0.16 includes bug fixes and the following new features compared to version 7.0.14:

  • NIO implementation of the AJP connector
  • Enable Servlet 3 asynchronous processing support when using clustering
  • Add parallel deployment support to the Manager's Ant tasks

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers, Executives | Tomcat 7

Blog : Parallel Deployment with Apache Tomcat 7

posted by mthomas on May 31, 2011 07:44 AM

Upgrading web applications can be very expensive if your storefront is the web. Weekend maintenance windows, or downtime in general, can give an entire company heartburn. Survey data shows that web application downtime can cost some companies up to $72,000 per minute. Yet the cost of not constantly rolling out new features and bug fixes can equally penalize a company in today's competitive online markets.

Previously, to upgrade an application on Tomcat and avoid downtime, system administrators would have to set up multiple instances of Tomcat and do some very clever things with load balancers. This means extra hardware costs as a permanent part of the company's infrastructure.

Now with the advent of parallel deployment in Tomcat 7, you can have multiple versions of the same application installed at the same time on a single server. Users with active sessions can continue to use the old application and new users will be routed to the new version. This way, no user sessions will be interrupted, and the old application can gracefully phase out.

Setting Up Parallel Deployment

Parallel deployment is a function of the Context Container. The Context element represents a web application, which in turn specifies the context path to a particular Web Application Archive (WAR) file that is the application logic. Parallel deployment allows you to deploy multiple versions of a web application with the same context path concurrently. When choosing what version of the application for any given request, Tomcat will:

  1. Route new requests to the latest version, so new sessions go to the new application.
  2. If session information is in the request, check the session manager for a matching version, so existing sessions will go to the original application for the request.
  3. If session information is in the request, but the corresponding application is no longer present, it will route to the latest version.


Operations | Parallel Deployment, Tomcat 7, Tomcat Admin

Blog : Crawler Session Manager Valve

posted by mthomas on May 18, 2011 07:25 AM

For organizations with large publicly searchable websites, such as ecommerce companies with large product catalogues or companies with active online communities, web crawlers or bots can trigger the creation of many thousands of sessions as they crawl these large sites. Since bots normally crawl sites without relying on cookies or session IDs, they can create a session for each page crawled which, depending on the size of the site, may result in significant memory consumption. New in Apache Tomcat 7, the Crawler Session Manager Valve ensures that crawlers are associated with a single session, just like normal users, regardless of whether or not they provide a session token with their requests.

A Relevant Example

One of the roles I play in the Apache Tomcat project is managing the issues.apache.org servers which run the two Apache issue trackers we have—two instances of Bugzilla and one instance of JIRA. Not surprisingly, JIRA runs on Tomcat. A few months ago, while looking at the JIRA management interface, I noticed that we were seeing around 100,000 concurrent sessions. Given that there are only 60,000 registered users and less than 5,000 active users any month, this number appeared extremely inflated.

After a bit of investigation, the access logs revealed that when many of the web crawlers (e.g. googlebot, bingbot) were crawling the JIRA site, they were creating a new session for every request. For our JIRA instance, this meant that about 95% of the open sessions were left over from a bot making a single request. For instance, a bot requesting 100 pages would open 100 sessions. Each one of these would hang around in memory for about 4 hours, chewing up tremendous memory resources on the server.


Developers, Operations | JIRA, Tomcat 7, Tomcat Admin

Blog : Apache Tomcat 7.0.14 Released

posted by Stacey Schneider on May 13, 2011 08:43 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.14.

Apache Tomcat 7.0.14 includes bug fixes and the following new features compared to version 7.0.12:

  • new StuckThreadDetectionValve to identify long running requests
  • JAAS authentication support for the JMXRemoteLifecycleListener
  • updated MIME type mappings to align with those of Apache httpd

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers, Executives | Tomcat 7

Blog : Cross-Site Request Forgery

posted by mthomas on May 9, 2011 07:08 AM

Cross-site request forgery (CSRF), also sometimes referred to as a one-click attack or session riding, is another type of malicious exploit of websites that the Apache Tomcat community has addressed in the Apache Tomcat 7 release process. Unlike cross-site scripting, where the attacker exploits the trust users have in a particular site, CSRF targets the trust that sites have in a user's browser. The new CSRF protection prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager, and also provides a CSRF Prevention Filter for the applications that run on Tomcat to use.

A Simple Example

A system administrator connects to a Tomcat instance and logs into the Tomcat Manager application. The admin performs routine tasks such as deploying a web application, checking the status of another application and upgrading a third application. Then the administrator leaves Tomcat Manager and goes to browse the web. One of the sites the administrator browses has malicious code, in either a link or a Flash file, that tricks the browser into making a request to Tomcat Manager. The admin's session for Tomcat Manager has not yet expired, so Tomcat processes the forged request with the administrator's privileges. This essentially opens a large back door for control of the system administrator's Tomcat instances.

In addition to attacks that target administrators in order to take down websites, applications that run on Tomcat, such as banking applications, are also vulnerable to the same class of attack. Check out the article on CSRF at the Open Web Application Security Project (OWASP) for more detail.


Operations, Security | CSRF, Tomcat 7, Tomcat Host Application

Blog : Session Fixation Protection

posted by mthomas on April 25, 2011 06:30 AM

A common practice these days in email marketing is to provide users with custom links that direct them quickly to their own account and streamline the number of steps needed to sign up for additional services or to correct outdated or invalid account information. This is great for companies' relationships with their customers; however, it is somewhat easily exploited.

A simple scenario

Mary and Bob both have accounts with the same bank. Mary is not very internet savvy, and Bob is. Bob sends Mary a link that is plainly their bank's address, with a session ID attached (http://www.foobank.com/?SID=BOB_KNOWS_THE_ID). Mary sees it's one of the bank's URLs, clicks it, and logs in with her username and password. As soon as she does that, Bob can open the same link: the session is now authenticated, so he has full access to all her account information and money!

There are more complex scenarios documented across the web, and some additional easy-to-understand examples can be found on Wikipedia. The reality is that there are several things Mary could do to be better educated and protect herself, but consumers are hard to educate perfectly. In turn, companies, especially ones that rely on authenticated sessions to serve their customers, must protect their customers from these types of attacks.


Security | Tomcat 6, Tomcat 7, Tomcat Security

Blog : Apache Tomcat 7.0.12 Released

posted by Stacey Schneider on April 6, 2011 11:20 AM

Announced this afternoon by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.12.

Apache Tomcat 7.0.12 includes bug fixes and the following new features compared to version 7.0.12:

  • initial support for SPNEGO/Kerberos authentication (also referred to as Windows authentication);
  • provide a new configuration option to define a close method to call on a JNDI resource when it is no longer required;
  • optional support for pre-emptive authentication.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Known issues:

  • HTTP pipelining is likely to fail with 505 errors with the HTTP BIO connector (bug 50957). The other connectors (HTTP NIO, HTTP APR/native, AJP BIO & AJP APR/native) are not affected.

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers, Operations | Tomcat 7, Tomcat Security

Blog : Apache Tomcat 7.0.11 Released

posted by Stacey Schneider on March 11, 2011 09:17 AM

Announced this afternoon by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.11.

Apache Tomcat 7.0.11 is primarily a security fix release with a small number of additional bug fixes compared to 7.0.10.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers, Security | Tomcat 7

Blog : Apache Tomcat 7.0.10 Released

posted by Stacey Schneider on March 8, 2011 02:10 PM

Announced this afternoon by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.10.

Apache Tomcat 7.0.8 is primarily a security and bug fix release with numerous fixes compared to 7.0.8.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers | Tomcat 7
