© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.
Apache Tomcat 8 Preview
By Daniel Mikusa
Agenda
● Introductions
● Java EE 7
● Tomcat specific changes
● Timescales
● Questions
Introductions
● Daniel Mikusa
● Active on [email protected]
● Contributing Author on TomcatExpert.com
● Senior Technical Support Engineer at Pivotal
    ○ Tomcat / tc Server
    ○ Spring Framework
    ○ CloudFoundry
Java EE 7
● Tomcat 8
    ○ Servlet 3.1
    ○ JSP 2.3
    ○ Expression Language 3.0
    ○ Web Sockets 1.0
    ○ Little / no demand for other Java EE 7 components in Tomcat
● Web Profile Container - Apache TomEE
● J2EE Container - Apache Geronimo
Servlet 3.1
● Final: May 28th 2013
● New Features
    ○ Non-blocking IO
    ○ HTTP Upgrade
    ○ Change session id on authentication
● Improvements
    ○ Protection for uncovered HTTP methods in security constraints
    ○ Clarified some ambiguities
    ○ Fixed some typos
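Change Session Id
● To change the session id:
    ○ HttpServletRequest.changeSessionId()
● To listen for session id changes, implement HttpSessionIdListener
● Register HttpSessionIdListener with:
    ○ ServletContext.addListener(..)
    ○ @WebListener

    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionIdListener;

    public class CustomHttpSessionIdListener implements HttpSessionIdListener {
        // Called by the container after a session's id has changed;
        // event.getSession().getId() returns the new id.
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            // ….
        }
    }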
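The session id change described above, applied right after a successful login as a defence against session fixation. This is an added example, not code from the slides; the `/login` mapping, the `LoginServlet` and `IndexRekeyListener` names and the `USER_BY_SESSION_ID` index are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Added example: give the session a fresh id at the moment of authentication,
// so an id the client held before login no longer identifies the session.
@WebServlet("/login") // hypothetical mapping
public class LoginServlet extends HttpServlet {
    // Hypothetical application index keyed by session id.
    // Entries should also be removed when the session is destroyed (not shown).
    static final ConcurrentMap<String, String> USER_BY_SESSION_ID = new ConcurrentHashMap<>();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        try {
            req.login(user, req.getParameter("password")); // container realm check
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // changeSessionId() throws IllegalStateException when the request has
        // no session, so make sure one exists first.
        HttpSession session = req.getSession(true);
        String newId = req.changeSessionId(); // same session object, new id
        session.setAttribute("user", user);
        USER_BY_SESSION_ID.put(newId, user);
        resp.sendRedirect(req.getContextPath() + "/");
    }

    // Keeps the index consistent on any later id change, whoever triggers it.
    @WebListener
    public static class IndexRekeyListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            String user = USER_BY_SESSION_ID.remove(oldSessionId);
            if (user != null) {
                USER_BY_SESSION_ID.put(event.getSession().getId(), user);
            }
        }
    }
}
```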
Uncovered HTTP Methods
● When defining security constraints, it’s possible to list specific HTTP methods covered by the security constraint
    ○ <http-method>
    ○ <http-method-omission>
● A method is “uncovered” when…
    ○ One or more methods are listed with <http-method>, any method not listed is “uncovered”
    ○ One or more methods are listed with <http-method-omission>, every method listed is “uncovered”
● If no methods are specifically listed then all methods are protected
Uncovered HTTP Methods: Ex 1

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>wholesale</web-resource-name>
            <url-pattern>/acme/wholesale/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SALESCLERK</role-name>
        </auth-constraint>
    </security-constraint>

Only GET is covered
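Uncovered HTTP Methods: Ex 2

    import javax.servlet.annotation.HttpMethodConstraint;
    import javax.servlet.annotation.ServletSecurity;
    import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
    import javax.servlet.http.HttpServlet;

    @ServletSecurity(httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "R1"),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "R1",
            transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
    public class Example5 extends HttpServlet {
        // ….
    }

Only GET & POST are covered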
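The uncovered-method rules above, turned into a small audit of a web.xml (an added example, not from the original slides). The class name and the embedded input are constructed, only the seven methods in `STANDARD` are checked, and the `denyUncovered` flag reports whether the Servlet 3.1 `<deny-uncovered-http-methods/>` element, which makes the container reject uncovered methods, is present.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example: list the HTTP methods each <web-resource-collection> leaves uncovered.
public class UncoveredMethodAudit {
    static final List<String> STANDARD =
        Arrays.asList("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE");

    static List<String> texts(Element parent, String tag) {
        List<String> out = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagName(tag);
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim());
        }
        return out;
    }

    // <http-method> present: everything not listed is uncovered (STANDARD only here).
    // Otherwise the <http-method-omission> entries are uncovered; none means all covered.
    static List<String> uncovered(Element collection) {
        List<String> listed = texts(collection, "http-method");
        if (listed.isEmpty()) return texts(collection, "http-method-omission");
        List<String> rest = new ArrayList<>(STANDARD);
        rest.removeAll(listed);
        return rest;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the constraint from "Ex 1" on this page.
        String webXml = "<web-app><security-constraint><web-resource-collection>"
            + "<url-pattern>/acme/wholesale/*</url-pattern><http-method>GET</http-method>"
            + "</web-resource-collection><auth-constraint><role-name>SALESCLERK</role-name>"
            + "</auth-constraint></security-constraint></web-app>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        boolean deny = doc.getElementsByTagName("deny-uncovered-http-methods").getLength() > 0;
        NodeList cols = doc.getElementsByTagName("web-resource-collection");
        for (int i = 0; i < cols.getLength(); i++) {
            Element c = (Element) cols.item(i);
            System.out.println(texts(c, "url-pattern") + " uncovered=" + uncovered(c)
                + " denyUncovered=" + deny);
        }
    }
}
```

Constraints that share a URL pattern are combined by the container, so treat the per-collection output as candidates to review rather than a final verdict.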
Servlet 3.1 Demos
JSP 2.3
● Final: June 12th 2013
● There is no JSP Expert Group
● JSP 2.3 is a maintenance release
● Changes
    ○ Requires Servlet 3.1, EL 3.0 & Java 7
    ○ JSP must render identical response for GET, POST & HEAD; all other methods are undefined
EL 3.0
● Final: May 22nd 2013
● Significant Changes
● New Features
    ○ Access to static fields, methods & constructors
    ○ Assignment operator
    ○ Semi-colon operator (chain multiple commands)
    ○ String concatenation operator
    ○ New Collections API, including dynamic construction of collections & the stream method and the collection pipeline
    ○ Lambda Expressions
● Incompatibilities
    ○ Default coercion of nulls to non-primitive types, except Strings, returns null. Ex: null -> Boolean returns null, but null -> boolean returns false.
EL 3.0 Demos
WebSocket 1.0
● Final: May 22nd 2013
● Tomcat 7 has supported WebSockets for a while (different API)
● Tomcat 8 implements new API
● Tomcat 7 has been upgraded to support new API (as of Tomcat 7.0.43)
● Both implement client & server APIs
WebSocket 1.0
● Additional Features
    ○ Encoding / decoding, sub-protocols and extensions
    ○ Annotations
● Differences
    ○ Tomcat 7’s old implementation is blocking within a Frame
    ○ WebSocket 1.0 is non-blocking although some writes do block
● Non-blocking
    ○ Works with the BIO connector but obviously is not really non-blocking
    ○ Fundamentally changes the API
WebSocket Handshake
● Client request:
    GET /path HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    ...
● Server response:
    HTTP/1.1 101 Switching Protocols
    Upgrade: websocket
    Connection: Upgrade
    ...
● Bidirectional messages
● Initiate close (close control frame)
● Respond to close (close control frame)
WebSocket Demos
Tomcat Specific Changes
● Resources
    ○ Aliases
    ○ VirtualDirContext / VirtualWebappLoader
    ○ External repositories for the WebappClassLoader
    ○ Servlet 3.0 resource JARS
● Tomcat 7 implements each of these slightly differently
    ○ Very fragile
    ○ Servlet 3.1 overlays would have been difficult
● New resources implementation
    ○ Much cleaner implementation
    ○ Overlays now simpler to implement (but have been dropped from Servlet 3.1)
Resources
● Ordering
    ○ Pre Resources
    ○ Main Resources (i.e. the docBase for a context)
    ○ Jar Resources
    ○ Post Resources
● Types
    ○ DirResourceSet - a directory
    ○ FileResourceSet - a single file
    ○ JarResourceSet - a JAR file
● General recommendation is to avoid using these directly, as this is Tomcat specific
Resources

    <?xml version='1.0' encoding='utf-8'?>
    <Context>
        <Resources>
            <PreResources className="org.apache.catalina.webresources.FileResourceSet"
                          base="/app/files/special.txt"
                          webAppMount="/static/special.txt" />
            <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                           base="/app/files/static"
                           webAppMount="/static" />
        </Resources>
    </Context>
RewriteValve
● Rewrite Valve implements URL rewrite functionality in a way that is very similar to mod_rewrite from Apache HTTP Server
● Valve can be added in two locations
    ○ added in <Host> block. Configuration is in conf/Catalina/localhost/rewrite.config.
    ○ added in Web App’s Context. Configuration is in WEB-INF/rewrite.config.
● Configuration Syntax: RewriteCond TestString CondPattern
● Examples:
    ○ RewriteCond %{REMOTE_HOST} ^host1.* [OR]
    ○ RewriteCond %{REMOTE_HOST} ^host2.* [OR]
    ○ RewriteCond %{REMOTE_HOST} ^host3.*
    ○ RewriteRule ...some special stuff for any of these hosts...
Tomcat Specific Changes (cont.)
● Requires Java 7 or later
● NIO connector is now the default
● Additional diagnostic information in the Manager
    ○ SSL ciphers
    ○ May be back-ported to Tomcat 7
● DBCP2 is now the default (supports JDBC 4.1)
    ○ DBCP & Tomcat jdbc-pool still included as well
● Unclosed InputStream tracking
    ○ logs InputStreams from WebResources that haven’t been closed
    ○ removes need for anti-jar locking and extracting files to work directory
Timescales
● Java EE 7 Final has shipped
● Tomcat 8.0.0
    ○ 8.0.0.RC5 (alpha) is available, 8.0.0-alpha expected early Dec
    ○ Alpha has complete implementations of Servlet 3.1, JSP 2.3, EL 3.0 & WebSocket 1.0
    ○ Code is not ready for production usage, purpose is to gather community feedback and fix bugs
    ○ Additional internal refactoring will likely occur prior to a non-alpha release
    ○ Based on past experience, 8.0.0 release will likely hit six to nine months after initial alpha release (Feb - May 2014). Depends on community usage and feedback.
Learn More.
● Demo Code: github.com/dmikusa-pivotal/tomcat-8-features
● Demo Code Running on CF: tomcat-8-demos.cfapps.io
● Website: tomcat.apache.org
● Download: tomcat.apache.org/download-80.cgi
● Documentation: tomcat.apache.org/tomcat-8.0-doc/index.html
● Migration Guide: tomcat.apache.org/migration.html
● Mailing Lists: tomcat.apache.org/lists.html
Questions
We’re Hiring!
● Global Support Services - Spring & Middleware Team
● ow.ly/qIuJ1
● Global Support Services - CloudFoundry Team
● Other Job Posting: gopivotal.com/careers