The worlds most popular application server has made over 450 improvements (whether small or large) in their latest stable release. Here, Apache Tomcat Release Manager, Mark Thomas gives a brief overview of three Apache Tomcat 7 new features now available in Apache Tomcat 6 that you should know about.

The new memory leak and prevention feature, announced in a post last year, has been a widely anticipated feature that addresses how Tomcat can cause memory leaks in the permanent generation (PermGen) that lead to OutOfMemoryErrors when re-loading web applications. Thomas explains the feature in two parts:

First, it prevents memory leaks through a new life-cycle listener, the JreMemoryLeakPreventionListener that calls various parts of the Java API. Its common that if the web application is the first code to call the Java APIs, the web application class loader will be pinned in memory, causing leaks. The listener ensures that Tomcat is the first to make a call, and therefore prevents the class loader from being pinned in memory.


Second, it handles detection by executing code when a web application is stopped, undeployed or reloaded. It scans the code for standard causes of memory leaks, and where it can, fixes the leaks. Implemented in the WebappClassLoader, there are a series of expandable, standard API calls and some reflection tricks that help this detection feature do its job.

It should be noted that Apache Tomcat 6.0.30 has the latest  version of this feature.

Cross-site request forgery (CSRF) was also described in a post on Tomcat Expert describing the protection it provides to secure websites from an attack that compromises the site’s trust in the web browser making calls within an authenticated session. Thomas goes a little more into detail when describing CSRF by saying:

The new CSRF Protection specifically prevents attacks directly on Apache Tomcat Manager and Apache Tomcat Host Manager, as well as provides a new CSRF Prevention Filter that companies can use to protect their own applications. The fix prevents these types of attacks by using a system of nonces, or tokens. Starting with the authentication request, the browser is sent a special token that must be provided with the next request, or in the case of more complicated applications, within a specific limit of the next series of requests. Since the token changes frequently, when the attacker sends the request, while it will reach the server, it will not include the correct token, so the server will reject the request and prevent the attack.

Windows Installer is also a newer, more updated, feature in Apache Tomcat 6.0.30. Some of the improvements made are the install/uninstall icons that are now available for updates and installation logs can now be created. Windows installer allows 32-bit JVMs to be selected when installing on a 64-bit platform. The .ini files can be replaced with the script equivalents and also,  new manager and host-manager roles are ready to use.

While having so many changes, updates and improvements can be overwhelming, remember that upgrading your application is always a serious consideration, and due diligence to how it will affect your applications and systems should always be fully carried out.