Tomcat version 7.0.6, released on January 11th 2011, has been voted stable. This is the first stable release of the Tomcat 7 branch, superseding version 6 which was introduced in February 2007.
Apache have decided not to add support for the full Java EE 6 web profile to Tomcat, at least for the moment. Thus version 7 simply adds support for Servlet 3.0 - introduced in Java EE 6 - as well as JavaServer Pages 2.2 and EL 2.2. It requires Java SE 6 or higher.
Servlet 3.0 is however a significant update, adding a number of refinements to the specification. Key ones include:
- The introduction of standardised support for asynchronous HTTP requests and responses. Whilst asynchronous support was available in Tomcat 6 through a non-standard (Comet) API, standardisation means that code written against the Servlet 3.0 version is portable between containers.
- Dynamic configuration: Support for Web Fragments, which can be used by libraries to provide their configuration, eliminating the need for developers to add library-specific configuration to their application’s web.xml file.
- The use of annotations for configuring filters, listeners and servlets, further reducing the amount of XML developers need to write.
Servlet 3.0 has also been overhauled to use generics, has improvements to session tracking (cookie attributes such as HttpOnly can now be set per application), and standardises multipart file upload through the @MultipartConfig annotation and HttpServletRequest.getPart(), removing the need for a third-party upload library in the common case.
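As an added example (not code from this article or from the Tomcat project), here are the annotation-based configuration and asynchronous request features from the list above combined in one Servlet 3.0 servlet. The URL pattern, the two-second delay and the scheduled thread pool are hypothetical stand-ins for a slow downstream call; the point worth copying is the explicit timeout, since an asynchronous request with no bound keeps its request and response objects (and any state the application attached to them) alive for as long as a client, or an attacker, chooses.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declared entirely by annotation: no <servlet> or <servlet-mapping> in web.xml.
// asyncSupported must be true here, and on every filter in front of this servlet,
// or startAsync() throws IllegalStateException.
@WebServlet(urlPatterns = "/slow", asyncSupported = true)
public class SlowLookupServlet extends HttpServlet {

    // Hypothetical stand-in for a slow backend (database, remote service).
    private ScheduledExecutorService backend;

    @Override
    public void init() {
        backend = Executors.newScheduledThreadPool(4);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final AsyncContext ctx = req.startAsync(req, resp);

        // Always bound the wait: without a timeout every pending request pins
        // its request/response pair (and attached state) indefinitely.
        ctx.setTimeout(TimeUnit.SECONDS.toMillis(5));
        ctx.addListener(new AsyncListener() {
            public void onTimeout(AsyncEvent e) throws IOException {
                HttpServletResponse r = (HttpServletResponse) e.getAsyncContext().getResponse();
                r.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "backend timed out");
                e.getAsyncContext().complete();
            }
            public void onComplete(AsyncEvent e) {}
            public void onError(AsyncEvent e) { e.getAsyncContext().complete(); }
            public void onStartAsync(AsyncEvent e) {}
        });

        // The container thread returns to its pool as soon as doGet() exits;
        // the backend task finishes the response later on its own thread.
        backend.schedule(new Runnable() {
            public void run() {
                try {
                    HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                    r.setContentType("text/plain");
                    r.getWriter().println("result ready");
                    ctx.complete();
                } catch (IllegalStateException alreadyCompleted) {
                    // the timeout listener completed the request first; drop the late result
                } catch (IOException clientGone) {
                    ctx.complete();
                }
            }
        }, 2, TimeUnit.SECONDS);
    }

    @Override
    public void destroy() {
        backend.shutdownNow();
    }
}
```

Packaged into a WAR with no web.xml at all, this deploys on Tomcat 7 as /slow; the same class runs unchanged on any other Servlet 3.0 container, which is the portability gain the list describes.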
Not all the improvements in Tomcat 7 are down to the Servlet 3.0 API. Tomcat also sees a number of important security improvements, most of them in the Manager and Host Manager applications. The single manager role has been split into separate roles for web-based (HTML GUI), script-based, JMX proxy, and status page access (manager-gui, manager-script, manager-jmx and manager-status), so a deployment script can be given the script role without also being able to drive the HTML interface, and a monitoring account can be limited to the status page. To prevent cross-site request forgery (CSRF) attacks, the Manager application now requires a randomly generated nonce on all non-idempotent requests, that is, requests whose effect on the server differs if they are repeated, such as deploying or undeploying an application; the filter that implements this, org.apache.catalina.filters.CsrfPreventionFilter, can also be mapped in any application's own web.xml. Preventative measures have also been taken against session fixation attacks, in which an attacker forces a victim's session ID to a value the attacker already knows and then reuses that ID once the victim has authenticated; Tomcat's authenticators now change the session ID at the point of authentication, so the pre-authentication ID is worthless to the attacker.
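To make both Manager-side mechanisms concrete, here is an added illustration written as a Servlet 3.0 filter; it is not Tomcat's own CsrfPreventionFilter or authenticator code, and the attribute and parameter names are ours. Session rotation is done by invalidate-and-recreate because HttpServletRequest.changeSessionId() does not exist before Servlet 3.1. One caveat is built in: HTTP "idempotent" is the wrong exemption test, since PUT and DELETE are idempotent yet change state, so the filter exempts only the safe methods.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Per-session nonce check on every state-changing request (our names, not Tomcat's).
@WebFilter(urlPatterns = "/*")
public class NonceFilter implements Filter {
    static final String NONCE_ATTR = "example.csrfNonce";  // session attribute holding the nonce
    static final String NONCE_PARAM = "csrfNonce";         // form field / query parameter carrying it
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        HttpSession session = req.getSession(true);
        String expected = (String) session.getAttribute(NONCE_ATTR);
        if (expected == null) {
            expected = newNonce();
            session.setAttribute(NONCE_ATTR, expected);  // pages embed it in every form they render
        }

        // Exempt only GET/HEAD/OPTIONS; POST, PUT, DELETE and anything else must carry the nonce.
        if (!isSafeMethod(req.getMethod())) {
            String supplied = req.getParameter(NONCE_PARAM);
            if (supplied == null || !constantTimeEquals(expected, supplied)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF nonce");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    static String newNonce() {
        byte[] raw = new byte[16];                       // 128 bits from a CSPRNG
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Compare without short-circuiting on the first mismatching character.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }

    // Session fixation defence for Servlet 3.0: discard the pre-authentication session
    // and copy its attributes into a fresh one, so an ID the attacker planted is dead.
    // The nonce is deliberately regenerated rather than copied across.
    static HttpSession rotateSession(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) fresh.setAttribute(e.getKey(), e.getValue());
        fresh.setAttribute(NONCE_ATTR, newNonce());
        return fresh;
    }
}
```

A login servlet would call NonceFilter.rotateSession(req) immediately after its credential check succeeds and before it stores the authenticated principal in the session; doing it afterwards would copy the principal into the new session but leave a window in which the old, attacker-chosen ID was briefly authenticated.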
The development team have also continued to work on the memory leaks that are triggered when web applications are reloaded without releasing their class loader (the container now detects, and where it can prevents, several common causes), improved the logging system, and improved the container start-up times.
Finally Tomcat 7 provides a lightweight API allowing a developer to embed the container with just a few lines of code.
Developers wanting to use the full Java EE 6 Web Profile can, of course, include the APIs in their projects themselves. However, a community-led project, Simple Web Profile Application Server, has sprung up to fill the gap. In addition Apache Geronimo, for which Tomcat provides the servlet container, will be supporting the Web Profile as well as the full Java EE 6 profile.