Overall service improvement is significant toward prior versions so through some working examples they'll be described in review below.

So, let's see which features are introduced as new ones and which ones been enhanced and improved from last version.

New features

1.Preventing cross-site request forgery (CSRF) attacks with use of nonce

2.Changing the jsessionid on authentication to prevent session fixation attacks altogether

3.Memory leak detection and prevention

4.Storage of static content outside the war file with use of aliases

Enhanced features

5.Servlet 3.0, JSP 2.2 and JSP-EL 2.2 support

6.Tomcat embedding improvement

7.Asynchronous logging

Preventing cross-site request forgery (CSRF) attacks with use of nonce

Defined as an type of malicious attack that affects Web-based applications,  CSRF, typically forces users to execute unwanted actions while they are logged into a trusted Web site. To prevent this tomcat developed nonce as an method of "a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks."

With servlet filter implemented in Tomcat 7, nonce is stored in the user's session after every request has been processed. It has to be added as a request parameter for each subsequent request. The servlet filter then checks whether the nonce in the request parameter is the same as the nonce stored in the user session. If they are the same, the request could have come only from the given site. If they are different, the request is from some other site and is rejected.

For example, in email spam, which cannot have nonce, session will be rejected. Even if the user clicks on a malicious link or posts a malicious form, the request will be denied because the nonce will not be there. The nonce will be present only in Web pages returned by this Web app. Nonce is required as a request parameter for all URLs.

By default, filter configuration is stored in applications web.xml.

Changing the jsessionid on authentication to prevent session fixation attacks altogether

The solution, implemented by the Tomcat team as an patch, changes the jsessionid after authentication. Patch is implemented in version 7 of Tomcat but has been back-ported to version below.

Memory leak detection and prevention

An most common problem with redeploying web applications is Permgen space: OutOfMemoryError caused by memory leaks. It's because the classes from a previous deployment are not completely garbage collected. Developers work around this by increasing the amount of PermGen memory or restarting Tomcat.

Tomcat 7 has implemented feature that fixes this issue but not completely as it cannot be predicted which action would trigger this error. Several scenarios are covered with this fix like JDBC driver registration, Some logging frameworks, Storing objects in ThreadLocals and not removing them and Starting threads and not stopping them.

Storage of static content outside the war file with use of aliases

Static resources such as CSS, JavaScript, and video and image files, if needed, are usually bundled within war archive which leads to it's size growing. This is avoided by another feature introduced in Tomcat 7.

Tomcat 7 allows a new aliases attribute in the context element. This attribute can point to a static resource. You can now access it using Classloader.getResourceAsStream('/static/...') or embed a link to it and let Tomcat resolve the absolute path.

The advantages of using aliases instead of Apache aliases in httpd.conf is that the mapped resources can be accessed from within a servlet, and the aliases can be used for applications that don't have Apache at the front.

According to Mark Thomas, Release Manager and Committer for Tomcat 7, the three most compelling features of Tomcat 7 are Servlet 3.0, memory leak prevention and detection, and improved security.

I wanted to write a few sentences on the xferlog, since I know that not many people pay attention to it, but it really can be useful.

For example, you have an ftp user who does some actions, deletes files, writes file, reads, etc. All these actions are stored with timestamp in xferlog.

System administrator can find out specifically what happened with the files, that are stored or delete, who deleted them, and when.

It is usually located in /var/log/xferlog

It stores a format that will give you as follows, current-time, transfer-time, remote-host, full-size, file-name, transfer-type (binary/ascii), special-action-flag (compressed/uncompressed), direction (outgoing/incoming), access-mode, username, service-name, authentication method and completion-status (complete/incomplete).

So basically, all the information is there for the system admin who wants to analyze the ftp actions.

My current use was to find successfully uploaded files. One command:

awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9}' xferlog

and I got them all.

So I wanted to share this with you as you might find it useful in some situation. Drop a comment if you want to ask me something, or if you have a problem with an investigation of a specific case.

I want today to present yum vs apt-get differences. I'm sure a lot of users use Fedora Core, and are thinking about switching to Ubuntu or Debian.

The major difference between these systems is your ultimate application for installing, updating and managing packages for the distribution.

For those users who are switching from Fedora to Ubuntu, the yum tool is replaced with another great tool apt-get.

Installing is basically the same, you do 'yum install package' or 'apt-get install package' you get the same result.

Yum automatically refreshes the list of packages, whilst with apt-get you must execute a command 'apt-get update' to get the fresh packages.

Another difference is upgrading all the packages. With yum you did 'yum upgrade' and with apt-get you get a new option 'apt-get dist-upgrade' which will hopefully upgrade your whole distribution.

There are a few more tips for apt-get which I will name briefly here:

dpkg --list (to get the list of packages), apt-cache search [package_name], apt-get clean (to get packages removed from the local cache directory), etc.

Finally, I wanted to mention that apt-get mostly works with .deb packages, though the tool can be installed on Fedora distribution to serve .rpm as well.

Its configuration is served from /etc/apt/ and there you will find sources.list with respective repositories for packages needed for user's proffered distribution.

I probably forgot to mention some other important differences, so feel free to correct me and drop a comment.

A while then, they started spreading over the network.

Today, viruses are being spread to your website. Now, how do they do that ?

First of all, it's quite simple. The viruses that you pick up downloading files from some suspicies websites are installed on your computer. Then, they search for your ftp details on your computer. Usually, you save your details with your ftp client. They connect to your ftp service, search for index-like files (index.html, index.php, ...) and when found they modify it with their own code at the header or footer of the file. They usually put the code for promoting other websites, or in some case put a link to a file to infect your visitors. Naturally, your visitors trust your website, and they will download the software which will get their computer infected.

The key for your protection in general would be:

-not to keep your password saved in the ftp client (Don't mind typing it every time you connect, as it will save you time in case virus infected you, or somebody hacks your computer)

- keep the backup of your website, so if you get infected, you can easily re-upload your website with clean code

- keep the antivirus updated. Antivirus is a good prevention, as the latest updates usually can reckognize and detect the viruses being downloaded from the web, thus prevent infection of your computer.

These types of attacks are just starting to appear. I have personally seen just a few of them, so it's not that common. If you had an experience with it, and would like to share a method for prevention, please feel free to post a comment.

Often people associate offered bandwidth with network capability. Those are in fact, two different terms.Bandwidth is associated with amount of data you can transfer (both up to your server + and down from your server) in a period of time. Network capability, on the other hand will have a direct impact on the speed of your website and quality of one enjoying your content and online media.Your search engine ranking is also affected by your network uptime and network speed. Your visitors will return if they enjoyed your website's response.

Let us look at number of factors that affect your network capabilities.

Provider is actually routing your traffic !

Network data is like a car in the traffic jam. You will take a shortcut if there's a shortcut available.If not, you just might get late for an appoitment !So, what do providers of your internet service like hosting companies and "last mile" internet providers have to offer ?Larger companies will have an psychical connections to other larger networks. They will invest in optical infrastructure to have their network connected to other larger network, and that's called peering. For example, if you have a website on one network, and your users mostly use large network like telia.com, your provider of service will route the traffic through that particular peer, and users will get response in no time.If your provider doesn't have a connectivity to telia.com, then it will route to another network that has the closes route to the desired destination, and of course, that will cause some delay.Nowadays, network providers do have a lot of "direct routes" to their fellow networks, and that will ultimately affect their quality of service, since the delay between responses will be much lower.Your provider of choice would actually be the provider that has a full redudant network, which basicly means that he has one or more routes towards an another larger network, and will offer 100% of network uptime to your website.
Your server's country can matter ! But then again ...

Your website can target a specific country more then others. So, you would normally guess that hosting your website in your country is the right choice for you. Well, you are right more or less.Having a close peer to an end-user is a good choice, and it will provide a fast response. Issue with local hosting providers is that they can have a good connectivity localy, but the amount of data transfer is somehow always limited. That's due to infrastructure that most countries don't invest in building large networks, simply because there's no primary need for that investment.On the other hand, there are a quite few professional datacenters, even though you are not in US, or maybe not in Europe, that will offer a few milliseconds delay, unnoticable to your end-users, and at the same time offer redudance (having an alternative if one route fails, which most local networks don't have), and capability to have a large amount of data transfered (again bandwidth) at low cost.

Unmetered bandwidth is so cool, but my website is slow ?!

Some providers do offer unmetered bandwdith. They are maybe slightly more expensive, or even cheaper, but in any case that sounds very good.There, of course, is a catch. Look at it as a one way street, with no semaphors, and cars trying to drive into the major highway.You can have there thousends of cars, and they will all enter the highway. Well, eventually ... though.Providers that are offering unmetered bandwidth are basicly giving false information. They are telling you that they will not measure your data. But they are mostly not telling you that you that:- you cannot use media streaming- if your website is using too much, you will get disconnected- you and hunderts of others are all having 10mbitps, but you are all sharing it.
That's basicly the story. And sometimes cheaper is costing more, costing you your website's quality, as it's directly connected with end-users pleasure enjoying all your hard work you did put in your website.

If you already use this tool, drop a command to join the hood. If you don't, feel free to ask any questions or add something to my introduction.

It is a very popular way of hosting the website, as it can be quite cheap and useful for small websites not spending alot of resources.

The main disadvantage of the shared hosting is that you are basily living in the same enviroment as other websites.

That can put a question of theoretical risk for your data security, for your emails going through (You all are sending it from one ip address, if one is spamming, all are considered spammers), resource measurment, etc...

If you would need a special software installed for your application, some hosting companies will install it for you on the shared hosting, but majority will not. The solution can be found in one more profound technology that is fastly growing in popularity.

So, what's VPS ?

VPS stands for Virtual Private Server. It's basicly shared as well, but in terms of resources. On the shared hosting you will share the enviroment, services, etc., but on the VPS you will share the memory and CPU.

You will have "root" access to the machine, and will be able to install and configure your virtual server as you like.

Some of advantages of the VPS are:

- Server performance: All resources are equaily shared. One user cannot overtake the whole server with resources, so you are on the safe side there.

- Private mail server: You don't have to bother with the risk of being blacklisted because of other shared users

- Your distribution of choice: Basicly, there are quite a few hosting providers who allow you to choose between different Operating Systems. So you can continue to work on the distribution that you are used to working at home.

- Security: No one, except you, has access to your VPS server, and that minimizes the risk that your data will be stolen. You are practicly isolated in the enviroment with your own services and resources.

- Custom applications: You can install any application that you would like to be installed on your VPS, as long as it doesn't use more resources then you have.

There are number of advantages over Shared hosting, these mentioned are only a few.

If you are a user who is ex-shared hosting user, I would love to hear your opinion and experience with VPS enviroment.

Please feel free to comment.

Google is fastly modifying it's algorithm. It is looking at more and more things to "harvest" the right websites with matched phrases and keywords.

So here we go:

- the name of the page should contain a phrase or topic of the page.

That way search engine will known for certain it's about “that” in page.

(ex. Travelling-around-the-world.html)

- meta titles should always be describing the article to a certain level. Not too much though, should be kept lower then 150 characters

- making a list of tags (common words that are used on the website)

"Tag" the pages and internally link them, so one can get a list of pages containing a certain tag.

It’s also useful to link a word (tag) on the article itself to a tagpage.

Also it’s good to use tags that appear on that page in meta keywords and description as well. It can save time if it’s done automatically.

-       When writing an article, one should use bold, italic, underline, and paragraphs. Search engines pay special attention to these html-tags and they will for sure add a certain point for the ranking for specific keyword of phrase if they found it bolded or such.

Well, these are a few tips that I learned this weekend. If you want to add, correct, or remove some of these tips, please don’t be shy to comment.

Although I do manage APF tool on my work, just recently I have put it in my personal use.
APF is netfilter (iptables based) firewall system designed to cover all advanced needs of your workstation for net filtering.I will just mention a few of its features that are most interesting to me and maybe will draw your attention:
- Detailed and well commented configuration file (very easy to modify and adjust to user's personal needs)

- Reactive address blocking (RAB), next generation in-line intrusion prevention

- Fast load feature that allows for 1000+ rules to load in under 1 second

- Spamhaus don't route or Peer List support to ban known ìhijacked zombie IP blocks

- Intelligent route verification to prevent embarrassing configuration errors

Those are just a few, they have on their website a lot more, that or more or less useful. Overall, I think it's a good practice to introduce APF to your workstation, and let the filtering go at ease.Anyhow, if you feel curious about it, google "APF firewall" and it'll bring you right to their website.
For you who have experience with APF or maybe even better project, please feel welcome to comment.