Tomcat 7 Debuts for Java


The open source Apache Tomcat Java server is among the most popular ways of deploying Java applications, and significant updates have been few and far between. Now, however, four years after its last major release, the Apache Tomcat project this week introduced Apache Tomcat 7, ushering in a number of enhancements.

The open source Tomcat 7 Java app server leverages some of the new JavaEE 6 specifications formally ratified at the end of 2009. In addition, new performance and security features are also baked into Tomcat 7, and its developers say the server is intended to provide an easy migration path for Java applications that already run on Tomcat 5.5 and 6.x.

Still, Tomcat users might want to wait a bit before they choose to migrate.

“The release announced this week was Apache Tomcat 7.0.0 — it was the first release of the Tomcat 7 branch,” Mark Thomas, a member of Apache Tomcat’s project management committee, told However, “the Tomcat developers voted to grade it ‘beta.’ …While it passed all the compatibility tests and our own unit tests, we recognized that with the number of new features and the refactoring that had been performed, there was a reasonable chance that there would be some regressions that would make it unsuitable for production use in most cases at this stage.”

Thomas also said that Tomcat 7.0 won’t be considered “stable” until its developers get a handle on the volume and severity of bugs reported after this week’s launch. He added that the Apache Tomcat project’s formal definition of “stable” is that a release may only contain a small number of relatively minor bugs, and that Apache Tomcat stable releases are intended for production use, running for extended periods of time.

“It is always going to be a judgment call. Major Tomcat releases typically take 6 to 12 months to reach stability,” Thomas said. “My intention as the current Tomcat 7 release manager is to produce Tomcat 7 releases more frequently with the effect — hopefully — of enabling Tomcat 7 to reach stability sooner.”

Apache Tomcat 7 enhancements

In terms of new features supported in Tomcat 7, Thomas noted that Tomcat now implements Servlet 3.0, JavaServer Pages 2.2 and Expression Language 2.2 from the JavaEE 6 specifications. He added, however, that the specifications supported in Tomcat 7 represent only a subset of the full set of the JavaEE 6 specifications.

“Tomcat has always implemented this specific sub-set of the JavaEE specifications,” Thomas said. “Another Apache project, Apache Geronimo, implements the full JavaEE specification and uses Tomcat as part of their solution.”

The fact that Tomcat in the past has not implemented the full JavaEE specification has helped to give it the reputation for being a lightweight Java app server, a status that has won it some amount of commercial appeal: Vendors including SpringSource and MuleSoft provide commercial versions of Tomcat that compete against full-scale JavaEE app servers.

In addition to introducing some new JavaEE 6 specification support, Tomcat 7 takes aim at performance with a new feature to detect and prevent Web application memory leaks.

“The intention of the new functionality is to protect developers from unexpected side effects of using some standard Java APIs that will trigger Web application memory leaks, and to detect application coding errors that can cause memory leaks,” Thomas said. “Detailed information on application errors are reported in the logs when an application is reloaded. Administrators may also query if any applications caused issues as a result of a reload via the manager application or via JMX (Java Management Extensions).”

Security is also improved in Tomcat 7 with a filter to help offer generic Cross-Site Request Forgery, or CSRF, protection. CSRF attacks have been increasingly common in recent years, hitting popular sites like Facebook.

“The filter wraps the response to ensure that all links on a page contain a unique security token,” Thomas said. “The filter then checks that the subsequent request includes the correct security token. If it does, the request is allowed to continue. If it does not, the request is blocked. The security token is changed on every request.”
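The filter Thomas describes ships as org.apache.catalina.filters.CsrfPreventionFilter and is enabled per application in the deployment descriptor. The fragment below is an added example, not taken from the article or the Tomcat distribution; the /admin paths and the filter name are hypothetical.

```xml
<!-- WEB-INF/web.xml (Servlet 3.0 descriptor). Added example; paths are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <!-- URLs that may be requested without a token, so a user has a way
           into the protected area. Only GET requests to these paths skip
           the check; they must not perform state-changing actions. -->
      <param-name>entryPoints</param-name>
      <param-value>/admin/index.jsp</param-value>
    </init-param>
    <init-param>
      <!-- Number of recently issued tokens remembered per session. Because
           the token changes on every request, a small cache is what lets
           parallel requests and the browser back button still succeed. -->
      <param-name>nonceCacheSize</param-name>
      <param-value>5</param-value>
    </init-param>
  </filter>

  <!-- Apply the check to the part of the application that changes state. -->
  <filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
  </filter-mapping>

</web-app>
```

The token is added only to URLs that pass through HttpServletResponse.encodeURL() or encodeRedirectURL() on the wrapped response (JSTL's c:url does this). A hard-coded link or form action under the mapped path carries no token, so the request it produces is blocked.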

In terms of deployment, Thomas said that Web applications currently running on Tomcat 5.5 and Tomcat 6 should run without modification on Tomcat 7. He added that the Apache Tomcat project recommends that users start with a clean Tomcat 7 configuration, however, and then modify it as required. The project provides some direction on Tomcat migration on its site to help users along with the process.

Now that such features and enhancements have been baked into the Tomcat 7.0 release, the main focus for the Apache Tomcat project turns to achieving stability — although additional feature considerations may not be far off.

“The next few point releases will most likely be focused on bug fixes,” Thomas said. “In terms of new features, a number of possible ideas have been discussed on the dev list but there are no firm plans at the moment. Personally, once Tomcat 7 reaches stability, I plan to start looking at the open enhancement requests in Bugzilla.”

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.
