TomcatExpert

Tomcat 7

Blog : Security Lifecycle Listener

posted by mthomas on July 20, 2011 07:18 AM

Apache Tomcat 7 includes several security updates that further harden the application server that came directly from the Bugzilla queue. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.

Preventing Tomcat Running as Root

One user cited that while all administrators worth their salt should know that it is irresponsible and incredibly insecure to run Tomcat as the root user to the system, Tomcat still allows the server to start under root. Although this problem is largely contained to Linux systems, the fix had to be applicable to all operating systems. Therefore, the fix that was implemented was to create a list of users that are not allowed to start Tomcat. Tomcat checks to see if it is running as one of those users, and if it is, it shuts itself down.

Securing Tomcat Files

A secondary check after the user is validated as a secure user, is to check that any files written by Tomcat (such the contents of an expanded WAR) are created securely. As a minimum, these files must not be world writeable. In some environments it may be desirable to restrict this even further such as read/write for owner, no access for anyone else. The permissions for created files are controlled by the current user's umask. If the umask is not restrictive enough on the running user, this too will prevent Tomcat from starting.

Read More

0 comments   |  

0
Rating
  |  

Operations, Security | Tomcat 7, Tomcat Security

Blog : Apache Tomcat 7.0.19 Released

posted by Stacey Schneider on July 19, 2011 09:23 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.19

Apache Tomcat 7.0.19 includes security fixes, bug fixes and the following new features compared to version 7.0.16:

  • JSP recompilation is now triggered by any change (backwards as well as forwards) in the last modified time of the JSP or any of its dependencies
  • Support for installing multiple instances with the Windows Installer
  • Include jdbc-pool (an alternative database connection pool)

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

The following known issues in 7.0.19 are noteworthy:

  • The AJP NIO connector does not use persistent connections. To workaround this, use a large value for connectionTimeout
  • There is a typo in the list of JARs to skip in catalina.properties. Apply http://s.apache.org/catalina.properties-r1146623 to fix it

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads: http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

0 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7, Tomcat jdbc-pool

Blog : The Top 3 Apache Tomcat 7 features now Available in Apache Tomcat 6

posted by mthomas on June 30, 2011 08:39 AM

The release of Apache Tomcat 7(out in beta last June) has made great strides in improving the overall security and general robustness of the world's most popular application server. In fact, over 450 improvements and issues have been resolved in this latest stable release. While these changes range from small to significant, what is notable is the mature architecture of Apache Tomcat has remained intact as we have seen little problems thus far in the backportability of the application. (See a special note at the end of the Crawler Session Manager Valve post where we note that the Apache Software Foundation (ASF) has upgraded its own bug tracker system , JIRA, which runs on Tomcat to version 7, and it just works--even though JIRA has not yet announced support for it). This consistency across versions of course means many bug fixes, as well as new features, are good candidates to be added to Tomcat 6. As of Tomcat 6.0.30 - these are the three that you should know about:

Memory Leak Detection/Prevention

Announced in a post here on Tomcat Expert last year, the new memory leak detection and prevention feature has been a widely anticipated new feature that addresses how Tomcat can cause memory leaks in the permanent generation (PermGen) that lead to OutOfMemoryErrors when re-loading web applications.

This feature exists in two parts. First, it prevents memory leaks through a new life-cycle listener, the JreMemoryLeakPreventionListener that calls various parts of the Java API. Its common that if the web application is the first code to call the Java APIs, the web application class loader will be pinned in memory, causing leaks. The listener ensures that Tomcat is the first to make a call, and therefore prevents the class loader from being pinned in memory. For more details on what this listener actually does, the source code is pretty well commented.

Second, it handles detection by executing code when a web application is stopped, undeployed or reloaded. It scans the code for standard causes of memory leaks, and where it can, fixes the leaks. Implemented in the WebappClassLoader, there are a series of expandable, standard API calls and some reflection tricks that help this detection feature do its job. For more on what these checks do, check out the explanation by Sylvain Laurent on the Tomcat Wiki, or of course, you can look at the source code. Start with the clearReferences() method.

Updates to these features are spread over several 6.0 versions, with 6.0.30 having the latest version of the feature.

 

Read More

0 comments   |  

0
Rating
  |  

Developers, Operations | Tomcat 6, Tomcat 7, Tomcat Security

Blog : Windows Authentication with Apache Tomcat

posted by mthomas on June 22, 2011 09:31 AM

Most companies of any significant size have lots of applications designed to support their employees across many departments. The bane of any system administrator in these environments, is user access to these applications. Provisioning a new employee, decommissioning an exiting employee, controlling access to contractors, and of course, the ubiquitous password resets for every employee who forgets which cat or kid they used to name their latest password.

For companies using Microsoft Windows, it is possible to do user authentication within the domain. Each user is created with one username and password, and assigned roles which designate access to various applications. Until now, in order to integrate Apache Tomcat based applications with Windows Authentication, administrators would need to use a third party library like WAFFLE, or employ a reverse proxy, such as IIS or httpd, to perform the authentication step. Many of these libraries are heavy-weight, and some solutions, such as IIS, are limited to only working on Windows hosts.

Built-in Tomcat Support for Windows Authentication

With Tomcat 7, there is now the option to use built in support for Windows Authentication. Tomcat’s Windows Authentication relies solely on Java 6 and therefore works when Tomcat is running on Linux or other non-Windows platforms. Users can also use a range of platforms and still take advantage of Windows Authentication. Users on Windows platforms, such as Windows XP, Vista or Windows 7, and who are logged on to the Windows domain, can use Windows Authentication to access applications any platforms without having to re-enter their password.

How It Works

Once windows native authentication is enabled, when a user logs onto the domain and connects to the Tomcat Server, rather than Tomcat prompting the user for a username and password, Tomcat will send a particular header to the browser. The browser recognizes this and knows that it wants it to try Windows Authentication. Since the user is already logged onto the domain, the browser can get the information from the domain. The browser constructs a response and sends it back to the Tomcat server. The server then authenticates it. Assuming response is authenticated, the user is granted access to whatever role they are assigned within the application. For users on non-Windows platforms and/or users who are not logged on to a Windows domain, the browser will prompt the user to provide their user name and password.

Read More

2 comments   |  

0
Rating
  |  

Operations, Security | Tomcat 7, Tomcat Configuration, Tomcat Security

Blog : NIO implementation of the AJP connector

posted by mthomas on June 17, 2011 10:20 AM

The Apache JServ Protocol (AJP) , is a binary protocol that can proxy inbound requests from a webserver, such as Apache HTTPD, to an application server like Apache Tomcat. Typically used in load balanced web applications where the web server has to pass requests to multiple application servers, using modules like mod_proxy_ajp help improve the speed of transactions and add support for SSL. This week’s update of Apache Tomcat 7.0.16, introduces a NIO implementation of the built-in AJP connector.

What is NIO?

New I/O, usually shortened to NIO, is a set of Java APIs that allow for more scaleable I/O operations. Among other things, NIO provides support for non-blocking of data connections which ensures a response from the application server. Without NIO, admins must configure their web servers and application servers to match the number of threads between the web server and application server. Depending on configuration, application behavior and the number of concurrent sessions, there is a constant risk of running out of threads and having users get a HTTP 500 Internal Server error. NIO eliminates this risk by providing a more efficient usage of these threads.

A Simple Example

In simple deployments, users will have one HTTPD instance and one Tomcat server to host their web application. Configure both to use 1000 threads, and the web server instance and the application server instance should run fine. Where it gets complicated is when you employ multiple HTTPDs and multiple instances of Tomcat, and those instances are not using a 1 to 1 mapping— i.e. situations where any HTTPD instance can talk to any Tomcat instance.

Let’s say that you have 2 HTTPD instances and 2 Tomcat instances. Each HTTPD is configured for 1000 threads. Each Tomcat will need to be available to process a connection from each of the threads from all of the instances of HTTPD. So each Tomcat will need 2000 threads. As we add more, this quickly does not scale. As the number of HTTPD instances go up, you need more and more threads on the Tomcat side and eventually this becomes unsustainable.

Read More

0 comments   |  

0
Rating
  |  

Operations | Tomcat 7, Tomcat Configuration, Tomcat Performance

Blog : Apache Tomcat 7.0.16 Released

posted by Stacey Schneider on June 17, 2011 09:28 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.16.

Apache Tomcat 7.0.16 includes bug fixes and the following new features compared to version 7.0.14:

  • NIO implementation of the AJP connector
  • Enable Servlet 3 asynchronous processing support when using clustering
  • Add parallel deployment support to the Manager's Ant tasks

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

0 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7

Blog : Parallel Deployment with Apache Tomcat 7

posted by mthomas on May 31, 2011 07:44 AM

Upgrading web applications can be very expensive if your storefront is the web. Weekend maintenance windows, or downtime in general can give an entire company heartburn. Survey data shows that web application downtime can cost some companies up to $72,000 per minute. Yet the cost of not constantly rolling out new features and bug fixes can equally penalize a company in the competitive online markets today.

Previously, to upgrade an application on Tomcat and avoid downtime, system administrators would have to set up multiple instances of Tomcat and do some very clever stuff with load balancers. This equals extra hardware costs as a permanent part of the company’s infrastructure.

Now with the advent of parallel deployment in Tomcat 7, you can have multiple versions of the same application installed at the same time on a single server. Users with active sessions can continue to use the old application and new users will be routed to the new version. This way, no user sessions will be interrupted, and the old application can gracefully phase out.

Setting Up Parallel Deployment

Parallel deployment is a function of the Context Container. The Context element represents a web application, which in turn specifies the context path to a particular Web Application Archive (WAR) file that is the application logic. Parallel deployment allows you to deploy multiple versions of a web application with the same context path concurrently. When choosing what version of the application for any given request, Tomcat will:

  1. Route new requests to the latest version, so new sessions go to the new application.
  2. If session information is in the request, check the session manager for a matching version, so existing sessions will go to the original application for the request.
  3. If session information is in the request, but the corresponding application is no longer present, it will route to the latest version.

Read More

4 comments   |  

5
Rating
  |  

Operations | Parallel Deployment, Tomcat 7, Tomcat Admin

Blog : Crawler Session Manager Valve

posted by mthomas on May 18, 2011 07:25 AM

For organizations with large publically searchable websites, such as those found in ecommerce companies with large product catalogues or companies with active online communities, web crawlers or bots can trigger the creation of many thousands of sessions as they crawl these large sites. Normally crawling sites without relying on cookies or session IDs, these bots can create a session for each page crawled which, depending on the size of the site, may result in significant memory consumption. New in Apache Tomcat 7, a Crawler Session Manager Valve ensures that crawlers are associated with a single session - just like normal users - regardless of whether or not they provide a session token with their requests.

A Relevant Example

One of the roles I play in the Apache Tomcat project is managing the issues.apache.org servers which run the two Apache issue trackers we have—two instances of Bugzilla and one instance of JIRA. Not surprisingly, JIRA runs on Tomcat. A few months ago, while looking at the JIRA management interface, I noticed that we were seeing around 100,000 concurrent sessions. Given that there are only 60,000 registered users and less than 5,000 active users any month, this number appeared extremely inflated.

After a bit of investigation, the access logs revealed that when many of the webcrawlers (e.g., googlebot, bingbot, etc) were crawling the JIRA site, they were creating a new session for every request. For our JIRA instance, this meant that about 95% of the open sessions were left over from a bot creating a single request. For instance, a bot requesting 100 pages, would open 100 sessions. Each one of these requests would hang around in memory for about 4 hours, chewing up tremendous memory resources on the server.

Read More

1 comments   |  

0
Rating
  |  

Developers, Operations | JIRA, Tomcat 7, Tomcat Admin

Blog : Apache Tomcat 7.0.14 Released

posted by Stacey Schneider on May 13, 2011 08:43 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.14.

Apache Tomcat 7.0.14 includes bug fixes and the following new features compared to version 7.0.12:

  • new StuckThreadDetectionValve to identify long running requests
  • JAAS authentication support for the JMXRemoteLifecycleListener
  • updated MIME type mappings to align with those of Apache httpd

Please refer to the change log for the list of changes:

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

Read More

1 comments   |  

0
Rating
  |  

Developers, Executives | Tomcat 7

Blog : Cross-Site Request Forgery

posted by mthomas on May 9, 2011 07:08 AM

Cross-site request forgery (CSRF), also sometimes referred to as one-click attacks or session riding, is another type of malicious exploit of websites that the Apache Tomcat community has addressed in the Apache Tomcat 7 release process. Different from cross-site scripting, where the attacker exploits the trust users have for a particular site, CSRF targets the trust that sites have in a user’s browser. The new CSRF Protection prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager as well as provides a CSRF Prevention Filter for the applications that run on Tomcat to use.

A Simple Example

A system administrator connects to a Tomcat instance and logs into the Tomcat Manager application. The admin performs routine tasks such as deploying a web application, checking the status of another application and upgrading a third application. Then the administrator leaves Tomcat Manager, and goes to browse the web. One of the sites the administrator browses has malicious code in either a link or a flash file that tricks the browser into making a request into Tomcat Manager. The admin’s session for Tomcat Manager has not yet expired, and Tomcat grants the malicious code access to the request. This essentially introduces a large back door for control into the system administrator’s Tomcat instances.

In addition to targeting administrators to take down websites, applications that run on Tomcat-such as banking applications-are also vulnerable to the same attacks. Check out the article on CSRF on the Open Web Application Security Project (OWASP) for more detail.

Read More

0 comments   |  

0
Rating
  |  

Operations, Security | CSRF, Tomcat 7, Tomcat Host Application

Syndicate content