When we set out with the goal to Java EE 6 certify Apache Tomcat as Apache TomEE, here are some of the gaps we had to fill in order to finally pass the Java EE 6 TCK.
Not a complete list, but some highlights that might not be obvious even with the existing answers.
No TransactionManager
Transaction Management is definitely required for any certified server. In any web component (servlet, filter, listener, jsf managed bean) you should be able to get a UserTransaction injected like so:
@Resource UserTransaction transaction;
You should be able use the javax.transaction.UserTransaction to create transactions. All the resources you touch in the scope of that transaction should all be enrolled in that transaction. This includes, but is not limited to, the following objects:
javax.sql.DataSourcejavax.persistence.EntityManagerjavax.jms.ConnectionFactoryjavax.jms.QueueConnectionFactoryjavax.jms.TopicConnectionFactoryjavax.ejb.TimerService
For example, if in a servlet you start a transaction then:
- Update the database
- Fire a JMS message to a topic or queue
- Create a Timer to do work at some later point
.. and then one of those things fails or you simply choose to call rollback() on the UserTransaction, then all of those things are undone.
No Connection Pooling
To be very clear there are two kinds of connection pooling:
- Transactionally aware connection pooling
- Non-Transactionally aware connection pooling
The Java EE specs do not strictly require connection pooling, however if you have connection pooling, it should be transaction aware or you will lose your transaction management.
What this means is basically:
- Everyone in the same transaction should have the same connection from the pool
- The connection should not be returned to the pool until the transaction completes (commit or rollback) regardless if someone called
close()or any other method on theDataSource.
A common library used in Tomcat for connection pooling is commons-dbcp. We wanted to also use this in TomEE, however it did not support transaction-aware connection pooling, so we actually added that functionality into commons-dbcp (yay, Apache) and it is there as of commons-dbc version 1.4.
Note, that adding commons-dbcp to Tomcat is still not enough to get transactional connection pooling. You still need the transaction manager and you still need the container to do the plumbing of registering connections with the TransactionManager via Synchronization objects.
In Java EE 7 there’s talk of adding a standard way to encrypt DB passwords and package them with the application in a secure file or external storage. This will be one more feature that Tomcat will not support.
No Security Integration
WebServices security, JAX-RS SecurityContext, EJB security, JAAS login and JAAC are all security concepts that by default are not “hooked up” in Tomcat even if you individually add libraries like CXF, OpenEJB, etc.
These APIs are all of course suppose to work together in a Java EE server. There was quite a bit of work we had to do to get all these to cooperate and to do it on top of the Tomcat Realm API so that people could use all the existing Tomcat Realm implementations to drive their “Java EE” security. It’s really still Tomcat security, it’s just very well integrated.
JPA Integration
Yes, you can drop a JPA provider into a .war file and use it without Tomcat’s help. With this approach you will not get:
@PersistenceUnit EntityManagerFactoryinjection/lookup@PersistenceContext EntityManagerinjection/lookup- An
EntityManagerhooked up to a transactional aware connection pool - JTA-Managed
EntityManagersupport - Extended persistence contexts
JTA-Managed EntityManager basically mean that two objects in the same transaction that wish to use an EntityManager will both see the same EntityManager and there is no need to explicitly pass the EntityManager around. All this “passing” is done for you by the container.
How is this achieved? Simple, the EntityManager you got from the container is a fake. It’s a wrapper. When you use it, it looks in the current transaction for the real EntityManager and delegates the call to that EntityManager. This is the reason for the mysterious EntityManager.getDelegate() method, so users can get the real EntityManager if they want and make use of any non-standard APIs. Do so with great care of course and never keep a reference to the delegate EntityManager or you will have a serious memory leak. The delegate EntityManager will normally be flushed, closed, cleaned up and discarded when a transaction completes. If you’re still holding onto a reference, you will prevent garbage collection of that EntityManager and possibly all the data it holds.
- It’s always safe to hold a reference to a
EntityManageryou got from the container - Its not safe to hold a reference to
EntityManager.getDelegate() - Be very careful holding a reference to an
EntityManageryou created yourself via anEntityManagerFactory— you are 100% responsible for its management.
CDI Integration
I don’t want to over simplify CDI, but I find it is a little too big and many people have not take a serious look — it’s on the “someday” list for many people 🙂 So here is just a couple highlights that I think a “web guy” would want to know about.
You know all the putting and getting you do in a typical webapp? Pulling things in and out of HttpSession all day? Using String for the key and continuously casting objects you get from the HttpSession. You’ve probably go utility code to do that for you.
CDI has this utility code too, it’s called @SessionScoped. Any object annotated with @SessionScoped gets put and tracked in the HttpSession for you. You just request the object to be injected into your Servlet via @Inject FooObject and the CDI container will track the “real” FooObject instance in the same way I described the transactional tracking of the EntitityManager. Abracadabra, now you can delete a bunch of code 🙂
Doing any getAttribute and setAttribute on HttpServletRequest? Well, you can delete that too with @RequestScoped in the same way.
And of course there is @ApplicationScoped to eliminate the getAttribute and setAttribute calls you might be doing on ServletContext
To make things even cooler, any object tracked like this can implement a @PostConstruct which gets invoked when the bean gets created and a @PreDestroy method to be notified when said “scope” is finished (the session is done, the request is over, the app is shutting down).
CDI can do a lot more, but that’s enough to make anyone want to re-write an old webapp.
Some picky things
There are some things added in Java EE 6 that are in Tomcats wheelhouse that were not added. They don’t require big explanations, but did account for a large chunk of the “filling in the gaps”.
- Support for
@DataSourceDefinition - Support for Global JNDI (
java:global,java:app,java:module) - Enum injection via
@Resource MyEnum myEnumand - Class injection via
@Resource Class myPluggableClassand - Support for
@Resource(lookup="foo")
Minor points, but it can be incredibly useful to define DataSource in the app in a portable way, share JNDI entries between webapps, and have the simple power to say “look this thing up and inject it”
Conclusion
As mentioned, not a complete list. No mention of EJB, JMS, JAX-RS, JAX-WS, JSF, Bean Validation and other useful things. But at least some idea of the things often overlooked when people talk about what Tomcat is and is not.
Also be aware that what you might have thought of as “Java EE” might not match the actual definition. With the Web Profile, Java EE has shrank. This was deliberately to address “Java EE is too heavy and I don’t need all that”.
If you cut EJB out of the Web Profile, here’s what you have left:
- Java Servlets
- Java ServerPages (JSP)
- Java ServerFaces (JSF)
- Java Transaction API (JTA)
- Java Persistence API (JPA)
- Java Contexts and Dependency Injection (CDI)
- Bean Validation
It’s a pretty darn useful stack.