Oxxus Java Hosting techblog – Just about something for everyone. News, reviews, tutorials brought to you by web hosting tech support.

1 Jul 2011

Features in Tomcat 7 – Updates and improvements

With the new version of Tomcat, 7.0.12, several new features were introduced while others were enhanced.

The overall improvement over prior versions is significant, so the features are described below through some working examples.

So let's see which features are new and which have been enhanced and improved since the last version.

 

New features

1. Preventing cross-site request forgery (CSRF) attacks with use of a nonce

2. Changing the jsessionid on authentication to prevent session fixation attacks altogether

3. Memory leak detection and prevention

4. Storage of static content outside the war file with use of aliases

Enhanced features

5. Servlet 3.0, JSP 2.2 and JSP-EL 2.2 support

6. Tomcat embedding improvement

7. Asynchronous logging

 

Preventing cross-site request forgery (CSRF) attacks with use of nonce

CSRF is a type of malicious attack against Web-based applications that typically forces users to execute unwanted actions while they are logged into a trusted Web site. To prevent it, Tomcat uses a nonce, defined as "a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks."

With the servlet filter implemented in Tomcat 7, a nonce is stored in the user's session after every request has been processed. It has to be added as a request parameter to each subsequent request. The servlet filter then checks whether the nonce in the request parameter is the same as the nonce stored in the user's session. If they are the same, the request can only have come from the given site. If they differ, the request is from some other site and is rejected.

For example, a link in spam email cannot carry the nonce, so the request will be rejected. Even if the user clicks a malicious link or submits a malicious form, the request is denied because the nonce is absent. The nonce is present only in Web pages returned by this Web app, and it is required as a request parameter for all URLs.

By default, the filter configuration is stored in the application's web.xml.
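Tomcat ships this mechanism as org.apache.catalina.filters.CsrfPreventionFilter, registered in web.xml like any other filter. The class below is an added, stripped-down illustration of the check described above and is not Tomcat's code: it issues a nonce per request, keeps it in the session, appends it to every URL the application builds through response.encodeURL(), and rejects requests that do not carry the nonce stored for the session. The parameter and attribute names, and the filter name itself, are this example's own choices; it assumes the Servlet 3.0 API (which Tomcat 7 provides) on the classpath.

```java
import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Added example, not Tomcat's CsrfPreventionFilter: a minimal nonce filter applied to every URL.
@WebFilter("/*")
public class NonceCsrfFilter implements Filter {

    // Names chosen for this example (assumption, not Tomcat's own parameter names).
    static final String NONCE_PARAM = "csrfNonce";
    static final String NONCE_ATTR = "example.csrfNonce";
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(NONCE_ATTR);

        // Once a nonce has been issued to this session, every request must present it.
        // A request forged from another site has no way to know it, so it is rejected here.
        if (expected != null && !expected.equals(request.getParameter(NONCE_PARAM))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or stale CSRF nonce");
            return;
        }

        // Issue a fresh unpredictable nonce for the page about to be rendered.
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        final String nonce = toHex(raw);
        request.getSession(true).setAttribute(NONCE_ATTR, nonce);

        // Links and redirects built with encodeURL()/encodeRedirectURL() get the nonce
        // appended, so only pages generated by this application contain it.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override
            public String encodeURL(String url) {
                String sep = url.contains("?") ? "&" : "?";
                return super.encodeURL(url + sep + NONCE_PARAM + "=" + nonce);
            }

            @Override
            public String encodeRedirectURL(String url) {
                return encodeURL(url);
            }
        });
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Two caveats a deployment needs to handle: a strict single-nonce check breaks multi-tab browsing and the back button, which is why Tomcat's filter keeps a small cache of recent nonces per session, and at least one entry URL (the landing or login page) has to be reachable without a nonce or no user can ever obtain one. The example also creates a session for every request, including static files, which a real filter should avoid.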

 

Changing the jsessionid on authentication to prevent session fixation attacks altogether

The solution, implemented by the Tomcat team as a patch, changes the jsessionid after authentication. The patch was implemented in Tomcat 7 and has also been back-ported to earlier versions.
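Tomcat applies the session id change itself for container-managed authentication. An application that handles its own login form has to do the same thing by hand, and the servlet below is an added example of that (not Tomcat's patch): it invalidates the session the browser presented before login, so that an id an attacker may have fixed on the victim earlier is no longer bound to the authenticated user, and continues in a new session with a freshly generated id. The /login and /home paths and the single-user credential store are constructed for the example; it assumes the Servlet 3.0 API.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: application-level login that rotates the session id on success.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    // Constructed single-user store for the example; real code checks salted password hashes.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "correct-horse-battery-staple");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");
        if (!checkCredentials(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only after the credentials check out does the session get its new id.
        rotateSession(request).setAttribute("user", user);
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/home"));
    }

    /** Replaces the pre-login session with a new one that has a freshly generated id. */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> kept = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Keep pre-login state the application cares about (e.g. a shopping cart) ...
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                kept.put(name, old.getAttribute(name));
            }
            // ... then invalidate the old session: an id planted on the victim before
            // login stops being tied to the authenticated user.
            old.invalidate();
        }
        // getSession(true) after invalidate() creates a new session; the container sends
        // its new id to the browser in a fresh JSESSIONID cookie with this response.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : kept.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    private static boolean checkCredentials(String user, String password) {
        String expected = user == null ? null : USERS.get(user);
        if (expected == null || password == null) {
            return false;
        }
        // Constant-time comparison, so response timing does not reveal how much of
        // the password matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }
}
```

Later Servlet versions (3.1, which Tomcat 7 does not implement) add HttpServletRequest.changeSessionId(), which rotates the id while keeping the session's attributes in one call; on Servlet 3.0 the invalidate-and-recreate sequence above is the portable way to get the same effect.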

 

Memory leak detection and prevention

The most common problem with redeploying web applications is a "PermGen space" OutOfMemoryError caused by memory leaks: classes from a previous deployment are not completely garbage collected because something still references them. Developers work around this by increasing the amount of PermGen memory or restarting Tomcat.

Tomcat 7 implements a feature that addresses this issue, though not completely, since it cannot be predicted which action will trigger the error. Several scenarios are covered by the fix: JDBC driver registration, some logging frameworks, storing objects in ThreadLocals without removing them, and starting threads without stopping them.
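Tomcat's detection only reports and partially cleans up after the application; the reliable fix is for the application to release what it acquired. The listener below is an added example (not Tomcat's code) covering three of the scenarios named above from the application side: it stops the thread it started, deregisters JDBC drivers that were loaded by the web app's class loader, and shows the try/finally pattern that keeps ThreadLocal values from outliving a request on a pooled container thread. The thread name and the REQUEST_CONTEXT ThreadLocal are constructed for the example; it assumes the Servlet 3.0 API.

```java
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Added example: undeploy-time cleanup that removes the references which keep a web app's
// class loader (and so its PermGen classes) alive after the context is stopped.
@WebListener
public class LeakCleanupListener implements ServletContextListener {

    // A worker thread this application starts at deploy time and must stop at undeploy.
    private Thread worker;

    // ThreadLocal pattern: whatever is set on a container thread is removed in finally,
    // so the pooled thread does not keep a reference into this web app's classes.
    private static final ThreadLocal<Object> REQUEST_CONTEXT = new ThreadLocal<Object>();

    static void runWithContext(Object context, Runnable body) {
        REQUEST_CONTEXT.set(context);
        try {
            body.run();
        } finally {
            REQUEST_CONTEXT.remove();
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        worker = new Thread(new Runnable() {
            @Override
            public void run() {
                // Loop until interrupted; periodic housekeeping would go here.
                while (!Thread.currentThread().isInterrupted()) {
                    try {
                        Thread.sleep(60000L);
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                    }
                }
            }
        }, "example-housekeeping");
        worker.setDaemon(true);
        worker.start();
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // 1. Stop threads we started: a live thread pins its context class loader.
        if (worker != null) {
            worker.interrupt();
            try {
                worker.join(5000L);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }

        // 2. Deregister JDBC drivers this web app loaded. DriverManager is JVM-wide, so a
        //    driver it still references keeps the whole web app class loader reachable.
        //    Tomcat runs listeners with the web app loader as the context class loader.
        ClassLoader webappLoader = Thread.currentThread().getContextClassLoader();
        Enumeration<Driver> drivers = DriverManager.getDrivers();
        while (drivers.hasMoreElements()) {
            Driver driver = drivers.nextElement();
            if (driver.getClass().getClassLoader() == webappLoader) {
                try {
                    DriverManager.deregisterDriver(driver);
                } catch (SQLException e) {
                    sce.getServletContext().log("could not deregister " + driver, e);
                }
            }
        }
    }
}
```

The class-loader comparison matters: deregistering a driver that lives in Tomcat's shared lib directory would break every other application on the server, so only drivers packaged inside this war are removed.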

 

Storage of static content outside the war file with use of aliases

 

Static resources such as CSS, JavaScript, video and image files are usually bundled within the war archive, which makes it grow. Another feature introduced in Tomcat 7 avoids this.

Tomcat 7 adds a new aliases attribute on the Context element. This attribute can point to a static resource location outside the war. You can then access it using Classloader.getResourceAsStream('/static/...') or embed a link to it and let Tomcat resolve the absolute path.

The advantages of using Tomcat aliases instead of Apache aliases in httpd.conf are that the mapped resources can be accessed from within a servlet, and that aliases work for applications that don't have Apache in front.

 

According to Mark Thomas, Release Manager and Committer for Tomcat 7, the three most compelling features of Tomcat 7 are Servlet 3.0, memory leak prevention and detection, and improved security.

 
