book

Tomcat: The Definitive Guide, 2nd Edition

Name: Tomcat: The Definitive Guide, 2nd Edition
ISBN: 9780596101060

by Jason Brittain, Ian F. Darwin

October 2007

Intermediate to advanced

496 pages

16h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Tomcat: The Definitive Guide
A Note Regarding Supplemental Files
Preface
What's This Book About?
Why an Entire Book on Tomcat?
Who This Book Is For
Conventions Used in This Book
Using Code Examples
We'd Like to Hear from You
Safari® Books Online
Acknowledgments
Jason Brittain's AcknowledgmentsIan Darwin's Acknowledgments

1. Getting Started with Tomcat
Installing TomcatInstalling Tomcat on LinuxInstalling Tomcat from an Apache multiplatform binary releaseInstalling Tomcat from this book's Linux RPM packagesInstalling Tomcat from the JPackage.org Linux RPM packagesInstalling Tomcat on SolarisInstalling Tomcat on WindowsInstalling Tomcat on Mac OS XInstalling Tomcat on FreeBSD
Starting, Stopping, and Restarting Tomcat
Starting Up and Shutting DownEnvironment variablesStarting and stopping: The general caseStarting and stopping on LinuxStarting and stopping on SolarisStarting and stopping on WindowsStarting and stopping on Mac OS XStarting and stopping on FreeBSDCommon ErrorsRestarting TomcatThe general caseRestarting Tomcat on LinuxRestarting Tomcat on SolarisRestarting the Tomcat Windows ServiceRestarting Tomcat on Mac OS XRestarting Tomcat on FreeBSD
Automatic Startup
Automatic Startup on LinuxAutomatic Startup on SolarisAutomatic Startup on WindowsAutomatic Startup on Mac OS XAutomatic Startup on FreeBSD
Testing Your Tomcat Installation
Where Did Tomcat Come From?
2. Configuring Tomcat
A Word About Using the Apache Web Server
Relocating the Web Applications Directory
Changing the Port Number from 8080
Relaying Port 80 TCP Connections to Port 8080Running Tomcat on Port 80 via a Service WrapperCommon Errors
Java VM Configuration
Changing the JSP Compiler
Managing Realms, Roles, and Users
RealmsUserDatabaseRealmJDBCRealmJNDIRealmJAASRealmContainer-Managed SecurityBasic authenticationDigest authenticationForm authenticationClient-cert authenticationSingle Sign-on
Controlling Sessions
Session PersistenceStandardManagerPersistentManagerUsing FileStore for storing sessionsUsing JDBCStore for storing sessions
Accessing JNDI and JDBC Resources
JDBC DataSourcesOther JNDI Resources
Servlet Auto-Reloading
Customized User Directories
Tomcat Example Applications
Common Gateway Interface (CGI)
The Tomcat Admin Webapp
3. Deploying Servlet and JSP Web Applications in Tomcat
HostsThe Host Manager Webapp
Layout of a Web Application
Deploying Servlets and JavaServer Pages
Deploying an Unpacked Webapp Directory
server.xml Context DeploymentContext XML Fragment File Deployment
Deploying a WAR File
server.xml Context DeploymentContext XML Fragment File Deployment
Hot Deployment
Working with WAR Files
The Manager Webapp
Automation with Apache Ant
Building a JAR/WARDeployment via AntCopying the WAR file or webapp directoryAccessing the Manager webappThe Tomcat standalone deployerThe scp Ant TaskCommon ErrorsXML in property filesFileNotFoundExceptions
Symbolic Links
4. Tomcat Performance Tuning
Measuring Web Server PerformanceLoad-Testing Toolsab: The Apache benchmark toolSiegeApache Jakarta JMeterWeb Server Performance ComparisonTomcat connectors and Apache httpd connector modulesBenchmarked hardware and software configurationsBenchmark procedureBenchmark results and summaryWhat else we could have benchmarked
External Tuning
JVM PerformanceOperating System Performance
Internal Tuning
Disabling DNS LookupsAdjusting the Number of ThreadsSpeeding Up JSPsPrecompiling JSPs by requesting themPrecompiling JSPs at webapp start timePrecompiling JSPs at build time using JspC
Capacity Planning
Anecdotal Capacity PlanningEnterprise Capacity PlanningCapacity Planning on Tomcat
Additional Resources
5. Integration with the Apache Web Server
The Pros and Cons of IntegrationRunning Tomcat StandaloneIt's easier to set upNo web server connector module to worry aboutTomcat standalone is faster than Apache httpd proxying requests to TomcatPotential for better securityEase of migrationEase of upgradesTomcat has less supporting softwareFewer people who know Tomcat's web serverFewer web server featuresRunning Tomcat with Apache httpdTomcat's web server is faster than Apache httpdMore support softwareFaster startup and shutdown timesMore difficult to set upTomcat dynamic content slowdownPotential for additional security holesMore complicated upgrades
Installing Apache httpd
Apache Integration with Tomcat
Sharing the Load Using Separate Port NumbersApache httpd is oblivious to Tomcat securityTwice the web servers to tune, maintain, and secureAwkward user experience and splintered loggingTroublesome double authenticationProxying from Apache httpd to TomcatSetting Up Apache httpdSetting Up TomcatVerify That Proxying WorksDisadvantagesApache httpd slows Tomcat's response timeTwice the web servers to tune, maintain, and secureTroublesome dual authenticationSee alsoProxying from Tomcat to Apache httpdUsing the mod_jk ConnectorUsing binary releasesCompiling mod_jkStarting up the integrated serversworkers.properties
Tomcat Serving HTTP over the APR Connector
Installing APRUsing binary releasesCompiling and installing APRBuilding and Installing the APR ConnectorConfiguring Tomcat to Use the APR Connector
6. Tomcat Security
Securing the SystemOperating System Security ForumsConfiguring Your Network
Multiple Server Security Models
Using the SecurityManager
Granting File Permissions
Setting Up a Tomcat chroot Jail
Setting Up a chroot JailUsing a Non-Root User in the chroot Jail
Filtering Bad User Input
VulnerabilitiesCross site scriptingHTML injectionSQL injectionCommand injectionHTTP Request FilteringInstalling the BadInputValveInstalling the BadInputFilterSee also
Securing Tomcat with SSL
Generating a Self-Signed Server CertificateRequesting and Installing a Commercial CertificateSetting Up an SSL Connector for TomcatConfiguring the JIO connector for SSLConfiguring the APR connector for SSLConfiguring the NIO connector for SSLClient Certificates
7. Configuration
server.xmlServerServiceExecutorConnectorEngineHostVirtual hostingAliasContextRealmGlobalNamingResourcesEnvironmentResourceResourceEnvRefWatchedResourceListenerLoaderManagerStoresResourcesValveControlling access logs with an access log valveRemoteHostValve and RemoteAddrValveLimiting request concurrency with SemaphoreValveTransactionClusterChannelMembershipSenderTransportReceiverInterceptorMemberDeployerClusterListenerMigrating from Older Versions of TomcatMigrating from 4.1 to 5.0Migrating from 5.0 to 5.5Migrating from 5.5 to 6.0
web.xml
web-appicon, display-name, and descriptiondistributablecontext-paramfilter and filter-mappinglistenerservletservlet-mappingsession-configmime-mappingwelcome-file-listerror-pagejsp-config and taglibresource-env-refresource-refSee alsosecurity-constraintSee alsologin-configSee alsosecurity-roleenv-entrySee alsoejb-ref and ejb-local-refservice-refmessage-destination-refmessage-destinationlocale-encoding-mapping-list
tomcat-users.xml
catalina.policy
catalina.properties
context.xml
8. Debugging and Troubleshooting
Reading Logfiles
Hunting for Errors
URLs and the HTTP Conversation
HTTP RequestsResponse Codes and HeadersInteracting with HTTP
Debugging with RequestDumperValve
When Tomcat Won't Shut Down
9. Building Tomcat from Source
Installing Apache Ant
Obtaining the Source
Downloading Source CodeObtaining Source Code from Apache's Subversion Repository
Downloading Support Libraries
Building Tomcat
10. Tomcat Clustering
Clustering Terms
The Communication Sequence of an HTTP Request
DNS Request DistributionTCP NAT Request Distributionmod_proxy Load Balancing and Failover
Distributed Java Servlet Containers
Servlet sessionsSession affinityReplicated sessions
Tomcat 6 Clustering Implementation
FeaturesConfiguring and Testing IP MulticastConfiguring All-to-All ReplicationTesting Session ReplicationConfiguring Static MembershipConfiguring Primary/Backup Replication
JDBC Request Distribution and Failover
Additional Resources
11. Final Words
Supplemental ResourcesOnline Documentation That Shipped with TomcatThe Apache Tomcat Web DocumentationThe Apache Tomcat Mailing List ArchivesWeb Sites Related to This BookThird-Party Web Sites About TomcatThe #tomcat IRC ChannelThe Apache Tomcat Mailing Lists
Community
A. Installing Java
Choosing a Java JDK
Working Around Older GCJ and Kaffe JVMs
Sun Microsystems Java SE JDK
IBM J9 JDK
BEA JRockit JDK
Apple Java SE JDK
Excelsior JET
Apache Harmony JDK
B. jbchroot.c
C. BadInputValve.java
D. BadInputFilter.java
E. RPM Package Files
Index
About the Authors
Colophon

Content preview from Tomcat: The Definitive Guide, 2nd Edition

Using the SecurityManager

One of the nice features of the Java runtime environment is that it allows application developers to configure fine-grained security policies for constraining Java code via SecurityManagers. This in turn allows you to accept or reject a program's attempt to shut down the JVM, access local disk files, or connect to arbitrary network locations.

In the case of Java server software, turning on the security manager with a carefully configured security policy can ensure that malicious network clients cannot command the JVM to access anything that the administrator did not preapprove. For example, your security policy can dictate that your custom servlets are not allowed to access any files on the filesystem. This would make it impossible for an attacker to carefully craft requests to use those custom servlets to expose the contents of files on the server; the security manager would stop them even if the servlets didn't.

Deciding When to Use the SecurityManager

Most Tomcat installations do not use and do not need the security manager feature. Without the security manager, and configured carefully, Tomcat itself is very secure. Most companies running Tomcat and other organizations and individual users of Tomcat do not need more security than what Tomcat provides without the security manager. Also, it takes some time and effort to write an effective security policy that does more than just cause trouble for the webapp developer(s), and it takes more time and effort ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596101060Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Tomcat: The Definitive Guide, 2nd Edition

by Jason Brittain, Ian F. Darwin

Using the SecurityManager

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.