posted by Stacey Schneider on October 3, 2011 01:29 PM

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.22

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Apache Tomcat 7.0.22 includes bug fixes and new features compared to version 7.0.21 including:

• Further improvements to the memory leak detection and prevention features.
• Fix issue that prevented using SSL with the HTTP BIO connector and Java 7.
• Add support for controlling which session attributes are replicated when using session replication (a.k.a clustering).

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems runningon different CPU architectures.

Read More

posted by Stacey Schneider on August 18, 2011 02:49 PM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.33 stable.

Apache Tomcat 6.0.33 is primarily a security and bug fix release. All users of older versions of the Tomcat 6.0 family should upgrade to 6.0.33.

Note that is version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

posted by Stacey Schneider on August 12, 2011 04:19 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.20

Apache Tomcat 7.0.20 includes bug fixes and the following new features compared to version 7.0.19:

• JSP files with dependencies in JARs are no longer recompiled on every access thereby improving performance.
• Update to version 1.1.22 of the native component of the AJP and HTTP APR/native connectors.
• Update to Commons Daemon 1.0.7.
• Converted unit tests to JUnit 4.

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads: http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

posted by Stacey Schneider on August 10, 2011 08:38 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012.

This means that after 30 September 2012:

• releases from the 5.5.x branch are highly unlikely
• bugs affecting only the 5.5.x branch will not be addressed
• security vulnerability reports will not be checked against the 5.5.x branch

Three months later (i.e. after 31 December 2012)

• the 5.5.x download pages will be removed
• the latest 5.5.x release will be removed from the mirror system
• the 5.5.x branch in svn will move from /tomcat/tc5.5.x to /tomcat/archive/tc5.5.x
• the links to the 5.5.x documentation will be removed from tomcat.apache.org
• The bugzilla project for 5.5.x will be made read-only

Note that all 5.5.x releases will always be available from the archive.

It is anticipated that the final 5.5.x release will be made shortly before 30 September 2012.

Thank you,

-- The Apache Tomcat Team

Read More

posted by mthomas on August 3, 2011 06:50 AM

As a VMware engineer dedicated to building Apache Tomcat and vFabric tc Server , I get the opportunity to see a lot of issues across the official Apache Tomcat public mailing lists, as well as VMware’s private professional support queue for both Apache Tomcat and tc Server. Typical of any software issue tracker, many of the issues logged could be avoided with a little better understanding of the Tomcat applications. Here are a few tips that may be useful to keep in mind:

Understanding Global vs Application Context.xml Files

There are two different types of context.xml files: one is global, and the other is specific to each web application. The problem with editing the global context.xml file is, as its name implies, that it affects every web application running on that Tomcat instance. So for instance, if you have 10 web applications, and create a new JNDI datasource with 50 connections to the database in the global context.xml file, you have essentially created 10 JNDI datasources with a total of 500 connections to your database and have likely completely overwhelmed your database. If you want to add a datasource to a single application, by remembering to create the datasource in the application level context.xml file, you can avoid serious performance problems.

Creating a Single Global Datasource for Application Sharing

Occasionally companies will deploy 3 or 4 related applications on a Tomcat server that are designed to share a single datasource. As described above, placing the datasource definition either once in the global context.xml file or in 3 or 4 application specific context.xml files will always create multiple instances of that datasource. To truly share a single datasource, it is necessary to put the definition of the datasource into the server.xml file, and then place a single resource link into the global context.xml file. This link ensures only one instance of the datasource is ever created and when any application goes to use it, it always uses the same single instance.

Read More

posted by Stacey Schneider on July 29, 2011 12:09 PM

13 months ago today marked the initial release of the Apache Tomcat 7 beta. Proving itself to be very backwards compatible with Apache Tomcat 6, Tomcat 7 is wealth of add-on features and bug fixes that purely builds on the success of Tomcat 6. Many of these features were not around 13 months ago, many of which we have covered here including:

• Session Fixation Protection
• Cross-site Request Forgery
• Crawler Session Manager Valve
• Parallel Deployment
• NIO Implementation of the AJP Connector
• Windows Authentication
• Windows Installer Improvements

Originally presented in the SpringSource S2F Forum in Amsterdam, Mark Thomas recorded a new update on the overall status of the Tomcat 7 project for the Tomcat Expert community. This update is slightly more current and gives good insight as to what is now in Tomcat 7 and what will be coming (and how to influence what gets worked on!). Some interesting points Mark brings up:

Read More

posted by mthomas on July 20, 2011 07:18 AM

Apache Tomcat 7 includes several security updates that further harden the application server that came directly from the Bugzilla queue. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.

Preventing Tomcat Running as Root

One user cited that while all administrators worth their salt should know that it is irresponsible and incredibly insecure to run Tomcat as the root user to the system, Tomcat still allows the server to start under root. Although this problem is largely contained to Linux systems, the fix had to be applicable to all operating systems. Therefore, the fix that was implemented was to create a list of users that are not allowed to start Tomcat. Tomcat checks to see if it is running as one of those users, and if it is, it shuts itself down.

Securing Tomcat Files

A secondary check after the user is validated as a secure user, is to check that any files written by Tomcat (such the contents of an expanded WAR) are created securely. As a minimum, these files must not be world writeable. In some environments it may be desirable to restrict this even further such as read/write for owner, no access for anyone else. The permissions for created files are controlled by the current user's umask. If the umask is not restrictive enough on the running user, this too will prevent Tomcat from starting.

Read More

posted by Stacey Schneider on July 19, 2011 09:23 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.19

Apache Tomcat 7.0.19 includes security fixes, bug fixes and the following new features compared to version 7.0.16:

• JSP recompilation is now triggered by any change (backwards as well as forwards) in the last modified time of the JSP or any of its dependencies
• Support for installing multiple instances with the Windows Installer
• Include jdbc-pool (an alternative database connection pool)

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

The following known issues in 7.0.19 are noteworthy:

• The AJP NIO connector does not use persistent connections. To workaround this, use a large value for connectionTimeout
• There is a typo in the list of JARs to skip in catalina.properties. Apply http://s.apache.org/catalina.properties-r1146623 to fix it

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads: http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

posted by mthomas on June 30, 2011 08:39 AM

The release of Apache Tomcat 7(out in beta last June) has made great strides in improving the overall security and general robustness of the world's most popular application server. In fact, over 450 improvements and issues have been resolved in this latest stable release. While these changes range from small to significant, what is notable is the mature architecture of Apache Tomcat has remained intact as we have seen little problems thus far in the backportability of the application. (See a special note at the end of the Crawler Session Manager Valve post where we note that the Apache Software Foundation (ASF) has upgraded its own bug tracker system , JIRA, which runs on Tomcat to version 7, and it just works--even though JIRA has not yet announced support for it). This consistency across versions of course means many bug fixes, as well as new features, are good candidates to be added to Tomcat 6. As of Tomcat 6.0.30 - these are the three that you should know about:

Memory Leak Detection/Prevention

Announced in a post here on Tomcat Expert last year, the new memory leak detection and prevention feature has been a widely anticipated new feature that addresses how Tomcat can cause memory leaks in the permanent generation (PermGen) that lead to OutOfMemoryErrors when re-loading web applications.

This feature exists in two parts. First, it prevents memory leaks through a new life-cycle listener, the JreMemoryLeakPreventionListener that calls various parts of the Java API. Its common that if the web application is the first code to call the Java APIs, the web application class loader will be pinned in memory, causing leaks. The listener ensures that Tomcat is the first to make a call, and therefore prevents the class loader from being pinned in memory. For more details on what this listener actually does, the source code is pretty well commented.

Second, it handles detection by executing code when a web application is stopped, undeployed or reloaded. It scans the code for standard causes of memory leaks, and where it can, fixes the leaks. Implemented in the WebappClassLoader, there are a series of expandable, standard API calls and some reflection tricks that help this detection feature do its job. For more on what these checks do, check out the explanation by Sylvain Laurent on the Tomcat Wiki, or of course, you can look at the source code. Start with the clearReferences() method.

Updates to these features are spread over several 6.0 versions, with 6.0.30 having the latest version of the feature.

Read More