TomcatExpert

Security

Blog : Apache Tomcat 6.0.33 Released

posted by Stacey Schneider on August 18, 2011 02:49 PM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.33 stable.

Apache Tomcat 6.0.33 is primarily a security and bug fix release. All users of older versions of the Tomcat 6.0 family should upgrade to 6.0.33.

Note that is version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

84 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 6

Blog : Apache Tomcat 7.0.20 Released

posted by Stacey Schneider on August 12, 2011 04:19 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.20

Apache Tomcat 7.0.20 includes bug fixes and the following new features compared to version 7.0.19:

  • JSP files with dependencies in JARs are no longer recompiled on every access thereby improving performance.
  • Update to version 1.1.22 of the native component of the AJP and HTTP APR/native connectors.
  • Update to Commons Daemon 1.0.7.
  • Converted unit tests to JUnit 4.

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads: http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

146 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7

Blog : End of Life Announced for Apache Tomcat 5.5

posted by Stacey Schneider on August 10, 2011 08:38 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012.

This means that after 30 September 2012:

  • releases from the 5.5.x branch are highly unlikely
  • bugs affecting only the 5.5.x branch will not be addressed
  • security vulnerability reports will not be checked against the 5.5.x branch

 

Three months later (i.e. after 31 December 2012)

  • the 5.5.x download pages will be removed
  • the latest 5.5.x release will be removed from the mirror system
  • the 5.5.x branch in svn will move from /tomcat/tc5.5.x to /tomcat/archive/tc5.5.x
  • the links to the 5.5.x documentation will be removed from tomcat.apache.org
  • The bugzilla project for 5.5.x will be made read-only

 

Note that all 5.5.x releases will always be available from the archive.

It is anticipated that the final 5.5.x release will be made shortly before 30 September 2012.

Thank you,

-- The Apache Tomcat Team

Read More

141 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 5.5

Blog : Mark Thomas Status Update on Apache Tomcat 7 Project

posted by Stacey Schneider on July 29, 2011 12:09 PM

13 months ago today marked the initial release of the Apache Tomcat 7 beta. Proving itself to be very backwards compatible with Apache Tomcat 6, Tomcat 7 is wealth of add-on features and bug fixes that purely builds on the success of Tomcat 6. Many of these features were not around 13 months ago, many of which we have covered here including:

Originally presented in the SpringSource S2F Forum in Amsterdam, Mark Thomas recorded a new update on the overall status of the Tomcat 7 project for the Tomcat Expert community. This update is slightly more current and gives good insight as to what is now in Tomcat 7 and what will be coming (and how to influence what gets worked on!). Some interesting points Mark brings up:

Read More

92 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7, apache

Knowledge Base : What's New in Apache Tomcat 7

posted by SpringSource on July 28, 2011 07:05 AM

SpringSource engineer and Apache Software Foundation's release manager for Apache Tomcat 7, Mark Thomas, reviews what is currently in Tomcat 7 and future plans.

This Apache Tomcat 7 update was originally delivered at the SpringSource S2G Forum Series in Amsterdam on May 26, 2011, by SpringSource engineer and the Apache Software Foundation's Apache Tomcat 7's release manager, Mark Thomas.

Read More

82 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7, Apache Tomcat

Blog : Security Lifecycle Listener

posted by mthomas on July 20, 2011 07:18 AM

Apache Tomcat 7 includes several security updates that further harden the application server that came directly from the Bugzilla queue. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.

Preventing Tomcat Running as Root

One user cited that while all administrators worth their salt should know that it is irresponsible and incredibly insecure to run Tomcat as the root user to the system, Tomcat still allows the server to start under root. Although this problem is largely contained to Linux systems, the fix had to be applicable to all operating systems. Therefore, the fix that was implemented was to create a list of users that are not allowed to start Tomcat. Tomcat checks to see if it is running as one of those users, and if it is, it shuts itself down.

Securing Tomcat Files

A secondary check after the user is validated as a secure user, is to check that any files written by Tomcat (such the contents of an expanded WAR) are created securely. As a minimum, these files must not be world writeable. In some environments it may be desirable to restrict this even further such as read/write for owner, no access for anyone else. The permissions for created files are controlled by the current user's umask. If the umask is not restrictive enough on the running user, this too will prevent Tomcat from starting.

Read More

56 comments   |  

0
Rating
  |  

Operations, Security | Tomcat 7, Tomcat Security

Blog : Apache Tomcat 7.0.19 Released

posted by Stacey Schneider on July 19, 2011 09:23 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.19

Apache Tomcat 7.0.19 includes security fixes, bug fixes and the following new features compared to version 7.0.16:

  • JSP recompilation is now triggered by any change (backwards as well as forwards) in the last modified time of the JSP or any of its dependencies
  • Support for installing multiple instances with the Windows Installer
  • Include jdbc-pool (an alternative database connection pool)

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

The following known issues in 7.0.19 are noteworthy:

  • The AJP NIO connector does not use persistent connections. To workaround this, use a large value for connectionTimeout
  • There is a typo in the list of JARs to skip in catalina.properties. Apply http://s.apache.org/catalina.properties-r1146623 to fix it

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads: http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

79 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7, Tomcat jdbc-pool

Blog : The Top 3 Apache Tomcat 7 features now Available in Apache Tomcat 6

posted by mthomas on June 30, 2011 08:39 AM

The release of Apache Tomcat 7(out in beta last June) has made great strides in improving the overall security and general robustness of the world's most popular application server. In fact, over 450 improvements and issues have been resolved in this latest stable release. While these changes range from small to significant, what is notable is the mature architecture of Apache Tomcat has remained intact as we have seen little problems thus far in the backportability of the application. (See a special note at the end of the Crawler Session Manager Valve post where we note that the Apache Software Foundation (ASF) has upgraded its own bug tracker system , JIRA, which runs on Tomcat to version 7, and it just works--even though JIRA has not yet announced support for it). This consistency across versions of course means many bug fixes, as well as new features, are good candidates to be added to Tomcat 6. As of Tomcat 6.0.30 - these are the three that you should know about:

Memory Leak Detection/Prevention

Announced in a post here on Tomcat Expert last year, the new memory leak detection and prevention feature has been a widely anticipated new feature that addresses how Tomcat can cause memory leaks in the permanent generation (PermGen) that lead to OutOfMemoryErrors when re-loading web applications.

This feature exists in two parts. First, it prevents memory leaks through a new life-cycle listener, the JreMemoryLeakPreventionListener that calls various parts of the Java API. Its common that if the web application is the first code to call the Java APIs, the web application class loader will be pinned in memory, causing leaks. The listener ensures that Tomcat is the first to make a call, and therefore prevents the class loader from being pinned in memory. For more details on what this listener actually does, the source code is pretty well commented.

Second, it handles detection by executing code when a web application is stopped, undeployed or reloaded. It scans the code for standard causes of memory leaks, and where it can, fixes the leaks. Implemented in the WebappClassLoader, there are a series of expandable, standard API calls and some reflection tricks that help this detection feature do its job. For more on what these checks do, check out the explanation by Sylvain Laurent on the Tomcat Wiki, or of course, you can look at the source code. Start with the clearReferences() method.

Updates to these features are spread over several 6.0 versions, with 6.0.30 having the latest version of the feature.

 

Read More

246 comments   |  

0
Rating
  |  

Developers, Operations | Tomcat 6, Tomcat 7, Tomcat Security

Blog : Windows Authentication with Apache Tomcat

posted by mthomas on June 22, 2011 09:31 AM

Most companies of any significant size have lots of applications designed to support their employees across many departments. The bane of any system administrator in these environments, is user access to these applications. Provisioning a new employee, decommissioning an exiting employee, controlling access to contractors, and of course, the ubiquitous password resets for every employee who forgets which cat or kid they used to name their latest password.

For companies using Microsoft Windows, it is possible to do user authentication within the domain. Each user is created with one username and password, and assigned roles which designate access to various applications. Until now, in order to integrate Apache Tomcat based applications with Windows Authentication, administrators would need to use a third party library like WAFFLE, or employ a reverse proxy, such as IIS or httpd, to perform the authentication step. Many of these libraries are heavy-weight, and some solutions, such as IIS, are limited to only working on Windows hosts.

Built-in Tomcat Support for Windows Authentication

With Tomcat 7, there is now the option to use built in support for Windows Authentication. Tomcat’s Windows Authentication relies solely on Java 6 and therefore works when Tomcat is running on Linux or other non-Windows platforms. Users can also use a range of platforms and still take advantage of Windows Authentication. Users on Windows platforms, such as Windows XP, Vista or Windows 7, and who are logged on to the Windows domain, can use Windows Authentication to access applications any platforms without having to re-enter their password.

How It Works

Once windows native authentication is enabled, when a user logs onto the domain and connects to the Tomcat Server, rather than Tomcat prompting the user for a username and password, Tomcat will send a particular header to the browser. The browser recognizes this and knows that it wants it to try Windows Authentication. Since the user is already logged onto the domain, the browser can get the information from the domain. The browser constructs a response and sends it back to the Tomcat server. The server then authenticates it. Assuming response is authenticated, the user is granted access to whatever role they are assigned within the application. For users on non-Windows platforms and/or users who are not logged on to a Windows domain, the browser will prompt the user to provide their user name and password.

Read More

28 comments   |  

0
Rating
  |  

Operations, Security | Tomcat 7, Tomcat Configuration, Tomcat Security

Blog : Apache Tomcat 7.0.16 Released

posted by Stacey Schneider on June 17, 2011 09:28 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.16.

Apache Tomcat 7.0.16 includes bug fixes and the following new features compared to version 7.0.14:

  • NIO implementation of the AJP connector
  • Enable Servlet 3 asynchronous processing support when using clustering
  • Add parallel deployment support to the Manager's Ant tasks

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

31 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7

Syndicate content