Welcome to Tomcat 7.com
The directory for information and resources about Apache Tomcat 7
This page is your source for the latest Tomcat 7 news, guides, and updates.
Table Of Contents
- Latest News (Updated!)
- What's New In Tomcat 7: Changes and New Features
- Tomcat 7 Release Milestones
- Migrating From Tomcat 6 To Tomcat 7
The latest updates on Tomcat 7 development, security patches, and more.
The Latest (Updated!)
July 08, 2012 - Tomcat 7.0.29 was released as stable!
The Apache Software Foundation released Tomcat 7.0.29 as the latest stable version of Tomcat. This release fixes a few regressions introduced in 7.0.28 and also takes care of a few bugs. To see the complete changelog, click here.
January 14, 2010 - Tomcat 7.0.6 was released as stable!
After two years of development, the Apache Software Foundation released Tomcat 7.0.6 as the latest stable version of Tomcat. See the Changes and New Features section below for what changed in Tomcat 7, and see MuleSoft Architect Jason Brittain's blog about this new release for more information.
October 14, 2010 - Apache Tomcat at ApacheCon 2010
The full schedule for ApacheCon 2010 in Atlanta has been announced, including a full day of Apache Tomcat 7 sessions!
On Friday, November 5, Tomcat experts including Mladen Turk (project founder), Mark Thomas (current project lead), and MuleSoft's Jason Brittain (author of Tomcat: The Definitive Guide (O'Reilly)) gave talks on Tomcat 7 topics such as:
- improved memory leak detection
- securing Tomcat infrastructure
- embedding Tomcat 7
- ...and more!
Apache Tomcat training will also be offered on Monday and Tuesday.
In addition to the ApacheCon sessions, the Tomcat core team hosted a meetup for the Apache Tomcat community on Thursday, November 4th, at 8PM. The meet-up, open to the public, covered topics such as Tomcat 7's new features, how to become a committer, security, and more.
August 10, 2010 - Tomcat 7.0.2 Beta Now Available
The latest beta version of Tomcat 7, 7.0.2, was voted beta today, and is available from Apache. The release includes a number of small fixes to documentation and regression in 7.0.1, as well as updates to Commons and Eclipse components, and the long laundry list of improvements included in 7.0.1, which was ultimately not released due to a Security Manager bug. For a complete list of changes in Tomcat 7.0.2 Beta, as well as a preview of changes in 7.0.3, visit the Apache project site.
July 13, 2010 - MuleSoft Tcat Server 6 R3 Offers First Enterprise Support For Tomcat 7 in the Industry
The latest iteration of MuleSoft's Tcat Server, the leading enterprise Apache Tomcat application server, was released last week, becoming the first enterprise Tomcat product in the industry to offer support for the Tomcat 7 beta. All of Tcat Server's features now work seamlessly with Tomcat 7 beta instances, in addition to Tomcat 5.5 and Tomcat 6.
Tcat Server is a fully-supported enterprise Apache Tomcat web application server with critical features for production deployment, such as server group management, configuration management, application deployment, and performance diagnostics. Based 100% on the Apache Tomcat binaries, with zero changes to the core code, Tcat Server allows IT teams to migrate from legacy platforms such as Oracle WebLogic and IBM WebSphere to the lightweight and open source Tomcat. More information about new features in the latest Tcat Server release is available on MuleSoft's development blog.
July 9, 2010 - Security Alert - Remote Denial Of Service Vulnerability Affects Tomcat 7 Beta
Apache released a security update today warning users of a newly discovered flaw in the Tomcat code that could potentially be exploited by malicious users to execute a Remote Denial of Service attack against a vulnerable Tomcat instance.
A patch for the issue has already been created, and is available as a standalone fix or incorporated into new versions of all actively supported Tomcat branches. The flaw was discovered and reported by Steve Jones, a Tomcat community member.
How The Exploit Works
Flaws in Tomcat's handling of 'Transfer-Encoding' headers were found to be preventing a buffer from recycling. This flaw could potentially be intentionally triggered by a malicious remote user to cause failure of subsequent requests and possible information leaks.
Fixing The Issue
Tomcat 7.0.1 has not yet been released, but will include a patch for this vulnerability.
To secure your Tomcat 7 instances until the release of 7.0.1, apply the standalone patch: http://svn.apache.org/viewvc?view=revision&revision=958911
June 29, 2010 - It's here! Tomcat 7 Beta Officially Released This Week!
After almost a year and a half in active development, the official Tomcat 7 beta release is tagged, packaged, and available for download from Apache! The release, which is based on Tomcat 7 RC4, was voted beta on June 25, 2010. All major work is done, so the release will be considered stable once all open bugs reported over the next few iterations are resolved.
Tomcat 7 will be the first major version of Tomcat in over three years, and as such, includes a huge set of new features and enhancements that make the popular application server faster, easier to use, and more reliable than ever before.
Many of the improvements are centered around Tomcat's implementation of the latest JSR specifications - Servlet 3.0, JSP 2.2, and EL 2.2, which add a laundry list of features including asynchronous support, annotation-based configuration, improved session tracking, and method invocation using expression language. However, the improvements don't stop there - Tomcat 7 itself has been streamlined and optimized for high performance, stability, and security.
Want more information? You're in luck - we've compiled a detailed look at what's new in Tomcat 7. Click here to jump!
June 14, 2010 - Apache Tomcat 7 Dev Beta Release Available For Testing
The Tomcat 7 dev beta release is now available for testing. The release is based on Tomcat 7 RC4. After a week of testing, the beta candidate currently passes all unit tests, but issues remain that make the candidate unsuitable for full release at this point in time. If no major issues are found, the official beta release is expected by the end of this week.
Given the speed of development to date, users can most likely expect to wait until late summer for a final release. Click here to download the proposed beta release and try it out. As always, be sure to review the release notes before attempting to use this early version.
June 7, 2010 - Apache Tomcat 7 RC4 Now Available For Testing
As of this morning, the fourth release candidate of the hotly anticipated Apache Tomcat 7 is available for download and testing from the Apache website. Developers will be voting over the next few days, hopefully moving towards a beta release in the near future. Click here to download Tomcat 7 RC4 and take it for a spin. It's still an early version, so be sure to read the running and release notes before you get started!
May 18, 2010 - Second Tomcat 7 Release Candidate Being Tested, Announcement Drafted
As Tomcat 7 nears release, the committers of the Apache Tomcat project are now testing and voting on the second release candidate of the highly anticipated update. A number of issues still remain, so expect a few more release candidates before any official releases.
Users who want a sneak peek at the latest and greatest version of Tomcat can download the release candidate from Apache's site here, and check out an early draft of the release announcement. The links for documentation and download are not live yet, but it's exciting proof that the long-delayed update is indeed approaching release. Users attempting to run this early version of Tomcat 7 should read through the list of known issues with this release candidate, which can be found here.
May 13, 2010 - Improved Embedding In Tomcat 7
On May 13, 2010, the Tomcat 7 Proposals document was updated as a result of recently completed development work that implemented several of the proposals into the Tomcat 7 codebase. Several changes have been implemented that make it easier to embed Tomcat inside of another application.
To facilitate more intuitive embedding, Tomcat 7 will include an updated version of the helper class that eliminates the need for external configuration files. This class is available in Tomcat 6.x, but has been improved for the next release.
This updated version includes an example unit test, and a build target to generate a special JAR file containing all dependencies required to run Tomcat and a streamlined main.
April 22, 2010 - Release Plan Update
On April 22nd, the Tomcat 7 release outline was updated to reflect recent development progress. According to the outline, the majority of the remaining critical work is made up of implementing all the new features outlined in the Servlet 3 specification. Work that still needs to be completed includes:
- implementation of new servlet context configuration methods allowing the programmatic definition of filters, servlets, and mapped url patterns when an application starts, as outlined in Servlet 3 Section 4.4
- implementation of related features allowing the new programmatic definition methods to be included in web fragments for plug-ability, as outlined in Servlet 3 Section 8.2 and 8.3
- verification of Tomcat 7's compliance to the Servlet 3 specifications for deployment descriptors
- compliance verification for Tomcat 7's implementations of features required by the servlet specification to allow interoperability with other related JEE technologies (JNDI, session migration, etc.)
Additionally, the most recent update to the release plan proposes that Geronimo's implementation of JSR 196, a Servlet 3 recommendation, be used in Tomcat 7, as there is currently no implementation available. JSR 196 defines a container-friendly Java authentication service provider interface, which provides a standardized interface for validation, invocation, and binding of security credentials to authentication modules within containers, along with other container-based security interactions.
Here's an up-to-date list of the changes and new features you can expect in Tomcat 7.
Servlet 3.0 is designed to improve ease of development, extensibility, and security, and also adds significant support for asynchronous programming techniques. The adoption of this specification in Tomcat 7 means that Tomcat users can expect some exciting new features.
Servlet 3.0's asynchronous support has been fully integrated into Tomcat 7. Although users were already able to benefit from asynchronous programming in Tomcat 6, Servlet 3.0's support will offer developers a standard interface, negating current limits to portability between containers.
Another big Servlet 3.0-related feature is Tomcat 7's dynamic configuration functionality. Thanks to Tomcat 7's support for web fragments, libraries will be able to use an embedded web.xml fragment to provide their configuration, eliminating the need for developers to add library-specific configuration entries to their application's web.xml files.
Tomcat 7 will also include Servlet 3.0's new annotation support, offering developers another method of configuring filters, listeners and servlets through declarative-style programming. Classes and servlets can be quickly defined by annotating the class, which makes development faster and eliminates the need for deployment descriptors.
Extended Servlet API
An extension of the Servlet API will enable the programmatic addition of Filters and Servlets as an application starts, and although access to this API while running an application is prohibited in the Servlet 3.0 specification, Tomcat 7 will allow developers to ignore this specification if they wish.
Other Servlet 3.0-related Features
Other Servlet 3.0 features that developers will appreciate include the use of generics, improved session tracking and SSL session ID tracking for increased security, and brand new file upload functionality, which will allow developers to upload additional libraries as needed.
Simpler, Faster, More Developer-Friendly
Servlet 3.0 is the first "non-maintenance" release of the specification since its first version, with a focus on new features and ease of development. These qualities have been incorporated into Tomcat 7, making it the most developer-friendly release yet! Here's a look at some of the features aimed at making development more agile and user-friendly.
A new API included in the Tomcat 7 release is aimed at making embeddable Tomcat applications a simple, hassle-free reality. Utilizing this new API, developers will only need 8 lines of code to get Tomcat up and running within their applications.
In an effort to make log files easier to read, Tomcat 7 includes two improvements to its logging system: an asynchronous file handler and a single line log formatter. The asynchronous handler allows Tomcat to write logs to disk in a dedicated thread, so that logging operations do not cause any latency in processing threads. The single line formatter writes logs in a single line, which is a better solution for administrators.
Not all of the big changes in Tomcat 7 are related to Servlet 3.0 - for this release, the entire servlet container has been made more streamlined, optimized, and secure. Here's a run-down of these improvements.
No More Leaks!
Tomcat users have historically had problems with memory leaks when reloading web applications throughout the existence of the project, usually manifesting as an OutOfMemoryError for the Permanent Generation.
Although the bugs in Tomcat's 4.1.x/5.5.x codebase responsible for some of these errors have long been fixed, developers still had trouble eliminating memory leaks caused by their own applications.
After working closely with a number of developers, the Tomcat team was able to not only track down and repair new bugs specific to certain Java APIs, but also to write patches for the most common application-caused memory leaks. Applications which previously triggered these leaks now reload without error, and new applications will be covered as well. The Tomcat team has also voiced a dedication to providing additional workarounds in the future.
Tomcat 7's Improved Security
Tomcat 7 will also include a number of security improvements. The Manager and host-manager applications have been made more secure. There are now separate roles for script-based, web-based, JMX proxy, and status page access, for more specific access control. To prevent CSRF attacks, a randomly generated nonce will be required for all non-idempotent requests. Preventive measures have also been taken to protect against session fixation attacks.
Here's a look at recent release milestones for the project.
- 7.0.6 was voted stable on January 11, 2011. This is the first Tomcat 7 stable release!
- 7.0.5 was voted beta on November 28, 2010.
- 7.0.4 was voted beta on October 21, 2010.
- 7.0.3 was deemed a broken release due to a missing license file, and a lack of votes for the release (possibly due to the missing license file).
- 7.0.2 was voted beta on August 10, 2010.
- 7.0.1 was voted broken on August 2, 2010 due to a regression that prevented Tomcat from running when the Security Manager was enabled.
- 7.0.0 was voted beta on June 25, 2010.
- 7.0.0 was tagged on Jun 13, 2010.
- 7.0.0rc4 was tagged on June 7, 2010.
- 7.0.0rc3 was nearly voted Beta (but there weren't enough votes) on May 25, 2010.
- 7.0.0rc3 was tagged on May 23, 2010.
- 7.0.0rc2 was tagged on May 17, 2010.
- 7.0.0rc1 was voted broken due mainly to licensing issues on April 14, 2010. This release also had incomplete async connector code (APR and NIO).
- 7.0.0rc1 was tagged on April 14, 2010.
Here is a look at some of the things you may need to change to upgrade from Tomcat 6 to Tomcat 7. Check back soon for additional details.
Fine Grained Manager Control
As it has grown more and more popular and important as a target for automation, the Tomcat 7 Manager application has been refactored to provide better security, and better separation of operations concerns.
Rather than using a single URL with parameters to access all the commands, the Manager's various access points have been mapped to separate URLs. Additionally, the Server Status page, which previously was a tab of the web interface, has been given its own URL as well. Here's how to access the various components:
- HTML Web Interface - /manager/html
- Text Interface - /manager/text
- JMXProxy Servlet - /manager/jmxproxy
- Server Status Pages - /manager/status
Users familiar with the Tomcat Manager will be familiar with the need to assign the "manager" role to a user in order to access the Manager application.
In Tomcat 7, in response to user requests for the ability to create limited access profiles for the application, the "manager" role was broken into four new roles, each with access to only one specific Manager function. Moving from Tomcat 6 to Tomcat 7 you will need to edit your conf/tomcat-users.xml file and assign the new manager role(s) to the users you wish to have each of these privileges.
These roles can be added to user entries in conf/tomcat-users.xml, as in previous versions of Tomcat. Here's a list of all the available roles:
- manager - this role now only grants access to Manager's HTML interface and status pages
- manager-script - this role grants access to the text (URI-command) interface and status pages
- manager-jmx - this role grants access to the JMXProxy servlet and status pages
- manager-status - this role grants access only to the status pages
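An added example (not code from the Tomcat project or from this page's author): a Python check that reads a conf/tomcat-users.xml and reports, using the role list above, which Manager URLs each account can and cannot reach after the upgrade, and which accounts hold more than one Manager function. The sample file, its user names and the `audit_manager_roles` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Role -> Manager URLs it can reach, taken from the role list on this page.
ROLE_ACCESS = {
    "manager": {"/manager/html", "/manager/status"},
    "manager-script": {"/manager/text", "/manager/status"},
    "manager-jmx": {"/manager/jmxproxy", "/manager/status"},
    "manager-status": {"/manager/status"},
}
ALL_URLS = set().union(*ROLE_ACCESS.values())
# Roles that open a Manager function beyond the status pages.
FUNCTION_ROLES = {"manager", "manager-script", "manager-jmx"}

# Constructed sample file; user names and passwords are placeholders.
SAMPLE_USERS_XML = """<tomcat-users>
  <user username="admin" password="CHANGE_ME" roles="manager,manager-script,manager-jmx"/>
  <user username="legacy" password="CHANGE_ME" roles="manager, manager-status"/>
  <user username="deployer" password="CHANGE_ME" roles="manager-script"/>
  <user username="monitor" password="CHANGE_ME" roles="manager-status"/>
  <user username="appuser" password="CHANGE_ME" roles="customer"/>
</tomcat-users>"""


def audit_manager_roles(xml_text):
    """Map each user to reachable/denied Manager URLs and least-privilege findings."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate a namespaced file
            continue
        name = el.get("username") or el.get("name") or "(unnamed)"
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        urls = set()
        for role in roles:
            urls |= ROLE_ACCESS.get(role, set())
        held = sorted(roles & FUNCTION_ROLES)
        findings = []
        if len(held) > 1:
            findings.append("holds more than one Manager function: " + ", ".join(held))
        if held and "manager-status" in roles:
            findings.append("manager-status is redundant alongside " + ", ".join(held))
        report[name] = {
            "urls": sorted(urls),
            "denied": sorted(ALL_URLS - urls),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for user, entry in audit_manager_roles(SAMPLE_USERS_XML).items():
        print(user, "->", ", ".join(entry["urls"]) or "no Manager access")
        for url in entry["denied"]:
            print("   cannot reach", url)
        for finding in entry["findings"]:
            print("   REVIEW:", finding)
```

An account that carried only "manager" in Tomcat 6 shows /manager/text and /manager/jmxproxy under "cannot reach", which is the cue to give automation its own manager-script account rather than widening the existing one.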
Minor Changes To Deployment
In Tomcat 6, Context descriptors (WEB-INF/web.xml) contained in WAR files were extracted and deployed into the containing Host's xmlBase as configured in the Host's attributes. These files could be checked for updates, which would trigger an attempted re-deploy.
Tomcat 7 no longer supports this behavior by default, as there are other methods of triggering a redeploy that are considered more efficient. If you would still like to utilize this behavior, you will be able to re-enable it by setting the new Host attribute "copyXML" to "true".