TomcatExpert

Security

Blog : Everything Apache Tomcat 8 Meetup in San Francisco 9/24

posted by Stacey Schneider on September 17, 2013 04:45 PM

The Apache Tomcat community has been working hard over the past two years developing the next release, what will be Apache Tomcat 8. The first release candidate for Tomcat 8 was released this past August, and users are starting to test out the new release. Within the structure of the Apache Software Foundation, the release manager for Apache Tomcat 8 is currently Pivotal's Mark Thomas.

As cited in a profile piece on Mark Thomas on Pivotal's blog earlier this year, since 2003 Thomas has been involved in a number of facets of the Tomcat project, including becoming a Tomcat committer and PMC member, volunteering to be the Tomcat 7 and 8 release manager, creating the Tomcat security pages, becoming a member of the ASF, and joining the Apache Security Committee and the JCP expert groups for WebSocket, JSP and Servlet. In addition, he wrote Tomcat's WebSocket implementation as well as large parts of the Servlet 3.0 and Servlet 3.1 implementations. He is also a member of the ASF infrastructure team where, amongst other things, he helps maintain the ASF's Bugzilla instances.

In parallel with attending JavaOne next week in San Francisco, on Tuesday, September 24, 2013 at 5:30PM, Thomas will host a meetup at Pivotal's San Francisco offices at 875 Howard Street. During the event he will provide an update on several topics including the most recent developments in Tomcat 8 and open the floor to discuss other items about Apache Tomcat. 

Developers, Executives | meetup, Tomcat 8

Blog : Apache Tomcat Maven Plugin 2.0

posted by Stacey Schneider on September 17, 2012 09:43 AM

The Apache Tomcat team is pleased to announce the release of version 2.0 of the Apache Tomcat Maven Plugin. The plugin can be used to run your war project inside an embedded Apache Tomcat and to deploy your project to a running Apache Tomcat instance.

Documentation available: http://tomcat.apache.org/maven-plugin-2.0/index.html

Developers, Operations | maven, Apache Tomcat 7

Blog : Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Sockets Layer (SSL) certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with it. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware's commercial version, tc Server), SSL encryption and certificate authentication are terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that can mandate secure communication between the Apache web server and Tomcat. Furthermore, it can be important to restrict access to Tomcat to known instances of the Apache web server.

This tutorial provides details for a configuration that enables SSL communication and client certificate authentication between the Apache web server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certificate to authenticate with Tomcat
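
The four steps above, worked through end to end as an added example (this is not the tutorial's own script): a private CA issues a server certificate for Tomcat and a client certificate for httpd, Tomcat gets a JSSE connector with clientAuth="true" so that only holders of a CA-signed client certificate can connect, and httpd is told to proxy over TLS, verify Tomcat's certificate against the CA, and present its own client certificate. The scratch directory, the Tomcat hostname, the store password and the /app context are assumptions; the attribute names are those of the Tomcat 7 JSSE connector and of httpd mod_ssl/mod_proxy.

```shell
#!/bin/sh
# Added example, not from the TomcatExpert tutorial. Paths, hostname and
# password below are assumptions for the demo; adjust them for real use.
set -eu

WORK="${WORK:-$PWD/mtls-demo}"                          # scratch dir (assumption)
TOMCAT_HOST="${TOMCAT_HOST:-tomcat.internal.example}"   # assumed backend hostname
STOREPASS="${STOREPASS:-changeit}"                      # demo password only

# Steps 1 and 2, key material: one private CA, a server certificate whose CN
# is the name httpd proxies to, and a client certificate for httpd. Runs in a
# subshell so the cd does not leak. Requires openssl and keytool.
make_certs() (
    mkdir -p "$WORK" && cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Internal Proxy CA" -keyout ca.key -out ca.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$TOMCAT_HOST" \
        -keyout tomcat.key -out tomcat.csr
    openssl x509 -req -in tomcat.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out tomcat.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=httpd-proxy" \
        -keyout httpd.key -out httpd.csr
    openssl x509 -req -in httpd.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out httpd.crt
    openssl verify -CAfile ca.crt tomcat.crt httpd.crt   # sanity check the chain
    # Tomcat's JSSE connector reads a keystore (server key+cert) and a
    # truststore (the CA that signed acceptable client certificates).
    openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -name tomcat \
        -out tomcat.p12 -passout "pass:$STOREPASS"
    keytool -importcert -noprompt -alias proxy-ca -file ca.crt \
        -keystore truststore.jks -storepass "$STOREPASS"
    # mod_ssl expects the client key and certificate concatenated in one PEM.
    cat httpd.key httpd.crt > httpd-client.pem
    chmod 600 ca.key tomcat.key httpd.key httpd-client.pem tomcat.p12
)

# Steps 1 and 2, Tomcat side (conf/server.xml): TLS on 8443 and a mandatory
# client certificate chained to the private CA. Unknown clients are refused
# during the handshake, before any request reaches a web application.
tomcat_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="$WORK/tomcat.p12" keystoreType="PKCS12"
           keystorePass="$STOREPASS"
           truststoreFile="$WORK/truststore.jks" truststorePass="$STOREPASS"
           clientAuth="true" sslProtocol="TLS" />
EOF
}

# Steps 3 and 4, httpd side: proxy over https, require that Tomcat's
# certificate verifies against the CA (so a spoofed backend is rejected),
# and present the client certificate that satisfies clientAuth="true".
httpd_proxy_conf() {
    cat <<EOF
SSLProxyEngine on
SSLProxyCACertificateFile $WORK/ca.crt
SSLProxyVerify require
SSLProxyMachineCertificateFile $WORK/httpd-client.pem
ProxyPass        /app https://$TOMCAT_HOST:8443/app
ProxyPassReverse /app https://$TOMCAT_HOST:8443/app
EOF
}

# Usage: "sh mtls.sh certs" generates the key material; with no argument the
# script prints the two configuration fragments to paste into server.xml and
# the httpd virtual host.
case "${1:-show}" in
    certs) make_certs ;;
    show)  tomcat_connector; echo; httpd_proxy_conf ;;
esac
```

The important property is that the restriction to known clients is enforced by Tomcat's TLS handshake (clientAuth="true" plus a truststore that contains only the private CA), not by an IP filter; a second httpd instance can only be added by issuing it a certificate from that CA. SSLProxyVerify require makes the check mutual, so httpd will refuse to forward traffic to a backend that cannot prove it holds the Tomcat key.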

Developers, Operations | authentication, client certificate, communication

Blog : Apache Tomcat 7.0.28 released

posted by Stacey Schneider on June 19, 2012 08:07 AM

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.28.

Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies.

This release includes many improvements as well as a number of bug fixes compared to version 7.0.27. The notable changes include:

  • The minimum required APR/native library version required if the APR/native connector is used is now 1.1.24.
  • Various fixes and improvements to WebSocket support, including the use of infinite timeouts by default for WebSocket connections.
  • Various fixes and improvements to annotation scanning.

Developers, Operations | Tomcat 7

Ask the Experts : Apache Tomcat 7 Private byte increases and not releasing back

I have observed that the Tomcat 7 process memory (private bytes) was initially 1.2 GB during startup and it increased to 3.5 GB, where my server RAM size is only 4 GB, after running a 100-user test for 4 hours. This private bytes was not released even after stopping the test. Could you please let us know any configurations that might help with this, or kindly analyze the situation and provide your suggestions/solutions.

Regards,

Raga

asked by Ragavendran

Lacking more specific information about the behavior that you are seeing and about the environment that you are using to run your tests, and since this is a testing environment, my suggestion to you would be to run your tests while you have a profiler hooked up to Tomcat (YourKit is an excellent profiler). The profiler will allow you to look for memory problems in your application.

That's not to say there is definitely a problem here. It is entirely possible that you could see the heap grow from 1.2 GB to 3.5 GB legitimately. It just depends on your JVM options and the memory demands of your application.

answered by dmikusa on May 8, 2012 10:51 AM

Developers, Executives | Tomcat Configuration, Tomcat Memory, YourKit

Blog : Apache Tomcat 7.0.27 Released

posted by Stacey Schneider on April 5, 2012 01:59 PM

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.27

This release includes significant new features as well as a number of bug fixes compared to version 7.0.26. The notable changes include:

  • Support for the WebSocket protocol (RFC6455). Both streaming and message based APIs are provided and the implementation currently fully passes the Autobahn test suite. Also included are several examples.
  • A number of fixes to the HTTP NIO connector, particularly when using Comet.
  • Improve the memory leak prevention and detection code so that it works well with JVMs from IBM.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Developers, Operations | nio, Tomcat 7, WebSocket

Blog : Year in Review 2011

posted by Stacey Schneider on January 4, 2012 07:31 AM

2011 has been a great year for the TomcatExpert community. After almost two years of operation, TomcatExpert has hit its stride, publishing an array of new information as well as keeping you up to date with the newest releases of Apache Tomcat 6 and Apache Tomcat 7. With the addition of two new TomcatExpert contributors (Channing Benson and Daniel Mikusa), the TomcatExpert community continues to build on its reputation as the leading source for fresh perspectives and new information on how to best leverage Apache Tomcat in the enterprise.

Developers, Executives | Cross-site Scripting, Java Development, Parallel Deployment

Blog : Best Practices for Securing Apache Tomcat 7

posted by mthomas on November 2, 2011 07:27 AM

Every effort is made to have each version of Apache Tomcat ship with a set of reasonable defaults for security purposes. This means that the standard defaults for the security settings are reasonably secure: not as secure as they could be, but not horribly insecure either. The default security level is essentially a compromise between security and usability. It is probably OK for simple use in production, but there are a number of things that all users should consider before deploying business applications on a standard installation of Apache Tomcat.

General precautions:

  • Tomcat security configuration should not be your only line of defense. Take a comprehensive look at security and ensure that your OS is secure, there are firewalls in place, and file permissions are set correctly as well. Remember, it won't matter how secure your application is if your underlying platform is vulnerable. A simple rule of thumb (especially for those firewalls) is to ban everything and only explicitly allow the access you need to run your applications.
  • Delete everything you don't need. Tomcat will by default install a handful of default applications that you don't need, and having them in production is just more applications to look after and to keep secure. Take a look at the documentation, examples, default ROOT web application, Manager App and Host Manager App, and if you are not using them, delete them and focus just on your production applications. While these applications are relatively low risk, eliminating risk is always a better strategy. The same is true of applications that are archived or no longer in use: move them off the production site to eliminate additional pathways for threats.
  • Consider running under a Security Manager. This is always a good idea if you are running applications that you do not trust (e.g. a hosting environment), or if you want an additional layer of protection. A Security Manager will essentially run each deployed web application in a separate sandbox to prevent malicious code from accessing your files or other applications on your network. While it is always a good idea to run under a Security Manager, it should be noted that this is best done during the early stages of development, as it can impact how an application behaves, and thorough testing is always recommended. For later-stage projects you'll need to evaluate whether the benefits of a Security Manager are worth the extra cost of development and testing to deploy it properly. The TCK tests that are used as part of every Tomcat release are always run under a Security Manager, but few users run with a Security Manager in production. There is, therefore, a slightly increased risk that you will hit a Tomcat bug running with a Security Manager. However, it is usually possible to configure around such bugs if they occur.
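
The "delete what you don't need", "file permissions" and "Security Manager" points above, turned into a small script as an added example (not Mark Thomas's own code): it removes the five stock applications a Tomcat 7 tarball drops into webapps/ (ROOT, docs, examples, manager, host-manager, whether exploded or still a .war), leaves everything else alone so you can review what remains, tightens conf/ so the directory is not world-readable, and shows the catalina.sh switch that starts Tomcat under the Security Manager. The installation path argument and the assumption that Tomcat runs as an unprivileged user that owns conf/ are mine.

```shell
#!/bin/sh
# Added example, not from the TomcatExpert post. Assumes a stock Tomcat 7
# layout ($CATALINA_HOME/webapps and $CATALINA_HOME/conf) and that the
# account running this script owns those files.
set -eu

# The applications a stock Tomcat 7 distribution ships in webapps/.
DEFAULT_WEBAPPS="ROOT docs examples manager host-manager"

# Delete the stock applications (exploded directory and .war) from a webapps
# directory; anything not on the list is left in place. Prints each removal.
remove_default_webapps() {
    webapps="$1"
    for app in $DEFAULT_WEBAPPS; do
        for path in "$webapps/$app" "$webapps/$app.war"; do
            if [ -e "$path" ]; then
                rm -rf "$path"
                echo "removed $path"
            fi
        done
    done
}

# What is still deployed: review this list and move anything archived or
# unused off the production host too.
list_webapps() {
    ls -1 "$1"
}

# conf/ holds server.xml (including keystore passwords) and tomcat-users.xml.
# Nobody outside the Tomcat user's group should be able to read them, and the
# web applications should not be able to modify them. Ideally the files are
# owned by root with group tomcat (chown root:tomcat, which needs root and is
# therefore left to the operator).
harden_conf_permissions() {
    conf="$1"
    chmod 0750 "$conf"
    find "$conf" -type f -exec chmod 0640 {} +
}

# Security Manager: "-security" makes catalina.sh start the JVM with
# conf/catalina.policy, sandboxing each web application as described above.
start_with_security_manager() {
    "${CATALINA_HOME:?set CATALINA_HOME}/bin/catalina.sh" start -security
}

# Usage: sh harden-tomcat.sh /opt/apache-tomcat-7.0.28
if [ $# -ge 1 ]; then
    remove_default_webapps "$1/webapps"
    harden_conf_permissions "$1/conf"
    echo "remaining applications in $1/webapps:"
    list_webapps "$1/webapps"
fi
```

Run it once on a fresh unpack, before the first start, and keep the printed "remaining applications" list as the inventory you compare against later; any application that appears in webapps/ without being on that list is something to investigate, which is exactly the kind of audit that becomes impossible when the default applications are still present.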

Developers, Operations | Tomcat Configuration, Tomcat Security

Blog : Understanding Apache Tomcat: Getting Started

posted by fhanik on October 19, 2011 07:39 AM

Apache Tomcat, and other containers, have been around for so long that it has become increasingly hard to get started with them.

In this article, we will take you back from the beginning with how to get started with Apache Tomcat. We will go into the lowest level, so you don't have to rely on an IDE or other system to get started. This article is written for those that have never used Apache Tomcat and wish to get started in an easy, yet explanatory, way that helps you to understand what is happening under the hood. This will fast track you to become very proficient with this light weight application server.

Step 1. Download and Install Apache Tomcat

There are a lot of different packages available for installing Tomcat; for example, on some Linux distributions you can install it using that distribution's package and dependency management. This is good for the sake of simplicity, but once again you lose the concept of what Tomcat is, what its true dependencies are and how to use it.

I strongly recommend only moving to a third party packaging of Apache Tomcat after you understand the container itself. This will help avoid complications when you try to create a plan for how you distribute, upgrade and maintain your software.

Rule 1. When learning, only download the software from http://tomcat.apache.org/

Now, since you are learning Apache Tomcat from scratch, I suggest you start with Apache Tomcat 7. As explained in an earlier post, the majority of the features that are implemented are driven by the Servlet and JSP specifications. Each time the Servlet specification is upgraded and new features are added, the Apache Tomcat project plans a new major release of Apache Tomcat. The latest version, Apache Tomcat 7, is based on the latest version of the Servlet specification, in this case Servlet 3.0.
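
Rule 1 says to download only from tomcat.apache.org; the check a practitioner adds to that is to verify what was downloaded before unpacking it, since the actual bytes usually arrive from a mirror. The following is an added example, not part of the article: it compares a tarball against the .sha512 file the Tomcat project publishes next to each download on tomcat.apache.org, and, when gpg and the project's KEYS file are at hand, verifies the detached .asc signature. The file names and the presence of a .sha512 file beside the tarball are assumptions (that is how current Tomcat downloads are published; the 7.0.x downloads of 2011 carried other digest files).

```shell
#!/bin/sh
# Added example, not from the TomcatExpert article. Assumes the tarball, its
# .sha512 and .asc files were saved side by side with their original names.
set -eu

# SHA-512 of one file: GNU coreutils sha512sum, else Perl's shasum.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Apache .sha512 files hold "<hex digest> *<filename>" (some use two spaces).
# Take the first field of the first line and compare it, case-insensitively,
# with the digest of the local file. Returns 0 only on an exact match.
verify_sha512() {
    tarball="$1"; sumfile="$2"
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512_of "$tarball" | tr 'A-F' 'a-f')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    else
        echo "sha512 mismatch for $tarball" >&2
        return 1
    fi
}

# Signature check: the KEYS file must come from the project site itself
# (https://downloads.apache.org/tomcat/tomcat-7/KEYS), never from the mirror
# that served the tarball, otherwise a hostile mirror could supply both.
# Needs gpg, so it is kept separate from the offline checksum function.
verify_pgp() {
    tarball="$1"; sig="$2"; keys="$3"
    gpg --import "$keys"
    gpg --verify "$sig" "$tarball"
}

# Usage: sh verify-tomcat.sh apache-tomcat-7.0.28.tar.gz
#   (with apache-tomcat-7.0.28.tar.gz.sha512, .asc and KEYS alongside)
if [ $# -ge 1 ]; then
    verify_sha512 "$1" "$1.sha512" && echo "sha512 ok: $1"
    if [ -f "$1.asc" ] && [ -f KEYS ]; then
        verify_pgp "$1" "$1.asc" KEYS
    fi
fi
```

The checksum only proves the download matches what the project published, so it catches a corrupted or tampered mirror copy; the signature is what ties the file to a Tomcat release manager's key, which is why the KEYS file has to be fetched from the project itself.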

Developers, Operations | Apache Tomcat 6, Apache Tomcat 7

Blog : Apache Tomcat 7.0.21 released

posted by Stacey Schneider on September 2, 2011 08:43 AM

Announced this morning by the Apache Tomcat team:

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.21

Apache Tomcat 7.0.21 includes security fixes, bug fixes and new features compared to version 7.0.20 including:

  • A fix for CVE-2011-3190 that allowed an attacker to inject requests when Tomcat was configured behind a reverse proxy using the AJP protocol.
  • Multiple additions and improvements to the memory leak detection/prevention features.
  • Improved validation of received AJP messages.
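
Beyond upgrading, the practical question the AJP items raise is whether anything other than the reverse proxy can reach Tomcat's AJP connector at all. The script below is an added example (not part of the release announcement) that audits the AJP connectors in a Tomcat 7 server.xml for two settings that limit who can speak AJP to Tomcat: an address= attribute that binds the listener to a loopback or internal interface instead of all interfaces, and a requiredSecret= attribute that the proxy's worker must present with every request. The sample server.xml in the test is constructed; the assumption is that AJP is only meant to be reachable from the reverse proxy.

```shell
#!/bin/sh
# Added example, not from the Tomcat project. Audits server.xml for AJP
# connectors that are reachable from any interface or accept any client.
set -eu

# Emit every <Connector .../> element on a single line, even when the
# element is wrapped across several lines in the file.
connectors() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' || true
}

# Print one finding per missing safeguard on each AJP/1.3 connector.
# Prints nothing when every AJP connector has both attributes.
audit_ajp() {
    connectors "$1" | grep 'protocol="AJP/1.3"' | while read -r conn; do
        port=$(printf '%s\n' "$conn" | sed -n 's/.*port="\([0-9]*\)".*/\1/p')
        case "$conn" in
            *address=*) ;;
            *) echo "AJP $port: no address= attribute, listens on all interfaces" ;;
        esac
        case "$conn" in
            *requiredSecret=*) ;;
            *) echo "AJP $port: no requiredSecret= attribute, any AJP client is accepted" ;;
        esac
    done
}

# The shape of a connector that passes the audit: bound to loopback (or the
# proxy-facing interface) and protected by a secret shared with the proxy's
# worker configuration. The secret value here is a placeholder.
hardened_ajp_connector() {
    cat <<'EOF'
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
           requiredSecret="replace-with-a-long-random-value" />
EOF
}

# Usage: sh audit-ajp.sh $CATALINA_HOME/conf/server.xml
if [ $# -ge 1 ]; then
    findings=$(audit_ajp "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        echo "suggested replacement:"
        hardened_ajp_connector
        exit 1
    fi
    echo "no AJP findings in $1"
fi
```

Both attributes are cheap defence in depth: the bind address keeps the connector off any network the proxy does not sit on, and the secret means a host that can reach the port still cannot have its AJP messages accepted without the value configured on the proxy side. Neither replaces applying the fixed release.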

Developers, Security | Tomcat 7, Tomcat Performance, Tomcat Security
