Tomcat 11 and Jakarta EE 11: A Comprehensive Overview of Key Updates and Implementation

中文 English 日本語
Tomcat 11Jakarta EE 11Jakarta EEEclipseJavaApache Foundation

Introduction

Tomcat 11, as a core component of the Apache Foundation, represents a significant evolution in the Java ecosystem, particularly in alignment with Jakarta EE 11. This update addresses critical changes in the Jakarta EE specification, emphasizing modernization, security, and performance. This article provides a detailed analysis of the technical changes, implementation status, and practical implications of Tomcat 11 and Jakarta EE 11, offering insights for developers and architects.

Key Technical Changes in Jakarta EE 11

Java Version Requirements

Jakarta EE 11 mandates a minimum Java version of Java 17, reflecting the industry's shift toward modern JVM features. This change eliminates support for older Java versions, ensuring compatibility with contemporary development practices and security standards.

Specification Cleanups and Updates

Jakarta EE 11 removes deprecated APIs across Servlet, JSP, and WebSocket specifications. For instance, the HTTPUtil class and specific HTTP header handling logic are deprecated. The HTTP/2 server push feature is replaced by the 103 Early Hints mechanism, enhancing resource loading efficiency.

New Features and Improvements

  • Servlet Enhancements: New standard request attributes, improved redirect control, and support for custom status codes and URLs.
  • Expression Language (EL): Optional handling and support for arrays and records, reducing null-related issues.
  • WebSocket: Added HTTP session reading APIs to maintain session state during WebSocket connections.
  • Security Updates: Introduction of 103 Early Hints, SHA-256 support for basic authentication, and simplified HTTP priority mechanisms based on RFC 9218.

Tomcat 11 Implementation Status

Jakarta EE 11 Compliance

Tomcat 11 fully integrates with Jakarta EE 11 specifications, including Servlet and JSP TCK testing suites updated to JUnit 5. WebSocket and EL features are aligned with the new standards, ensuring compatibility and performance improvements.

Removed and Deprecated Features

  • 32-bit Windows Support: Removed due to Java 17's lack of support, though manually installable for specific needs.
  • HTTP/2 Server Push: Deprecated in favor of 103 Early Hints.
  • Security Manager: Removed to eliminate outdated and problematic dependencies.

Additional Enhancements

  • Security Improvements: Shortened form authentication session timeouts, new limit filters for DDoS mitigation, and session cookie partition attributes.
  • Logging and Monitoring: Dedicated loggers for specific functionalities and JSON-formatted access logs with customizable time granularity.
  • HTTP/2 Optimizations: Simplified priority mechanisms using RFC 9218, enhancing performance and reducing complexity.

Key Technical Enhancements

Removed Components

  • Commons Binaries: No longer included by default, though manually installable.
  • 32-bit Windows Support: Retained only for niche use cases.

RFC Updates

  • Basic Authentication: Fixed whitespace handling in header values.
  • Digest Authentication: Supports SHA-256 and MD5 algorithms.
  • HTTP Priority Mechanism: Simplified from HDP2 to RFC 9218 for better compatibility.

Logging Improvements

  • Dedicated Loggers: Enable detailed tracking of certificate configurations and other critical operations.
  • Access Logs: JSON output with second/millisecond/microsecond-level time granularity.

Security Enhancements

  • Form Authentication: Reduced session timeout to mitigate DoS risks.
  • Anti-DDoS Measures: RAID limit filters to prevent service disruption.
  • Session Cookies: Partition attributes for enhanced cookie management.
  • CSRF Protection: Customizable principles in Realm configurations.

Performance Optimizations

  • FFM (Foreign Function Memory): Direct OpenSSL calls in Java 22, replacing APR connectors for improved stability.
  • Virtual Threads: Enhance scalability in high-I/O scenarios without significant speed gains.

Advantages and Challenges

Advantages

  • Modernization: Java 17 compliance ensures access to latest language features and security updates.
  • Security: Enhanced authentication mechanisms and DDoS protection reduce vulnerabilities.
  • Performance: Optimized HTTP/2 and logging features improve efficiency.

Challenges

  • Java 17 Requirement: May require infrastructure upgrades for legacy systems.
  • Deprecated Features: Removal of older APIs necessitates code reviews and updates.

Conclusion

Tomcat 11's alignment with Jakarta EE 11 marks a pivotal step in modernizing Java web applications. Developers should prioritize upgrading to Java 17, reviewing deprecated APIs, and leveraging new features like 103 Early Hints and virtual threads for improved performance and security. By embracing these changes, organizations can build more robust and scalable applications aligned with current industry standards.

推薦閱讀

Multi-Tenancy in Apache HBase: Architecture, Challenges, and SolutionsIntegrating OpenSSL and QUIC with Foreign Function and Memory API (FFM) in JavaHTTP/3 Current State and Server Implementation: A Technical OverviewWhisky Clustering with Apache Projects: Groovy, Commons Math, Ignite, Spark, Wayang, Beam and FlinkDecoding 'Community Over Code': The Apache Foundation’s Approach to Open Source CollaborationMoving Apache Cassandra Command Execution and Monitoring from JMX to CQL: A Developer's Overview