Some weeks ago I was on vacation and spent some days in my home town. One afternoon I was with an ex-colleague who requested my help to migrate a Tomcat application (you know, with friends like that...). In summary the application was a huge (lots of classes) and old (I think it runs right now in tomcat 4.1) servlet and JSP web app. He was trying to migrate it to a newer version of tomcat (6 or 7) but he is not a specialist in this matter.
In summary the main problem was that this application uses the Invoker Servlet, which I had not even known about before. It is a strange servlet used in previous versions of tomcat which is now deprecated in version 6 and totally removed in 7. It seems that the Invoker is a dynamic servlet which allows run-time loading of other servlets based on class name. Currently it is considered evil and that is the reason for its deprecation and removal. I thought this servlet needed to be removed but my mate explained to me that the application had dozens and dozens of servlets (and references in JSPs too) and it would be a total nightmare. So, focusing on version 6 and after some configuration changes, the application started successfully in tomcat 6 and it began to work using the Invoker Servlet. My friend still had (and has) a lot of work to do but he needed this little push to get started. Then he kindly paid for the beers I deserved.
But turning the issue over in my mind later I decided to find a direct way to replace the Invoker Servlet in tomcat 7. Obviously you can work around the problem by just getting the servlet code and putting it inside your project but, you know, this is not my way. I am going to try the following two ideas:
- In order not to change any reference to the servlets, all of them need to be mapped exactly the way Invoker does it (Invoker uses the path /servlet/servlet.class.fully.qualified.name). Obviously keeping the class name in the request is not recommended in terms of security but, at least, there is no dynamic redirection and common servlet mapping is used.
- The other snag is that the application can potentially have hundreds of servlets (I know, this is crazy but I am also sure that many of you have seen an application like this at least once in your life). Besides, my mate is a bit lazy, so I am sure he is not going to check all the links to find which servlets need to be mapped in the configuration file. So my idea is to use the new Servlet 3.0 programmatic registration to search for, create and map them. Only servlets under some specified packages will be checked.
It is important to understand that this is not a good solution (it is still evil although a bit less). Defining and mapping all your servlets in the web.xml is the best solution, and you should never use the qualified class name as the mapping name. This workaround needs to be understood as a temporary step that lets you use the latest versions of tomcat with Invoker Servlet applications (huge ones; in little ones just map your servlets).
TOMCAT6
Now that everything is explained I am going to deploy an Invoker Servlet application inside tomcat 6 and then move it to tomcat 7. In order to set up the Invoker inside version 6 you need to uncomment the invoker definition and mapping in ${TOMCAT6_DIR}/conf/web.xml:
<servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>
        org.apache.catalina.servlets.InvokerServlet
    </servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
The context needs to be defined as privileged (I think tomcat guys do that in order to make clear that this is evil) inside the ${TOMCAT6_DIR}/conf/context.xml. You just need to add privileged="true" to the context tag:
<Context privileged="true">
Finally a simple application was deployed (here is the netbeans project for version 6). This application has two servlets: InfoServlet.java (a typical servlet that shows some request variables like url, path, cookies, headers, parameters and so on) and HelloServlet.java (a servlet that forwards to a JSP and just says hello). Besides, I copied both classes into three different packages (sample.invoker.servlet, sample.invoker.other and sample.invoker.another), because I wanted to test Invoker against several packages and servlet classes.
TOMCAT7
Tomcat 7 supports the new Servlet standard version 3.0 and the main idea is to programmatically register the servlets found inside some pre-defined packages. All this code has been placed in a context listener (see the servlet 3.0 link I presented before). The listener needs to be added in the web.xml configuration file:
<listener>
    <listener-class>
        sample.invoker.ctxlistener.InvokerLoadListener
    </listener-class>
</listener>
In order to search for classes that extend HttpServlet (and implement ContainerServlet, an interface which is needed by the Invoker Servlet; I try to be as restrictive as possible) I followed the idea presented by vtatai in this post, but I extended it to search through files and jars. Basically the code gets the resources for the specified package using the ClassLoader and then only those which are file: or jar: are inspected; reflection is used to check if the class is a servlet. Using an init parameter in the web.xml you can specify one or more package names to take into account (only servlets under these packages will be registered).
<context-param>
    <param-name>invoker.packages</param-name>
    <param-value>
        sample.invoker.servlet,
        sample.invoker.other,
        sample.invoker.another
    </param-value>
    <description>List of packages to check for servlets (comma separated)</description>
</context-param>
The final part performs the dynamic registration. The complete InvokerLoadListener.java and netbeans project for tomcat 7 can be downloaded.
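As an added illustration of the registration step (this is not the author's InvokerLoadListener.java; the class name PackageServletRegistrar and its package are hypothetical), here is a listener that reads the invoker.packages parameter and maps each concrete HttpServlet at /servlet/ plus its class name. It assumes the classes are unpacked under WEB-INF/classes, does not scan jars, and does not apply the ContainerServlet check mentioned above.

```java
package sample.invoker.example; // hypothetical package, not from the original project
import java.lang.reflect.Modifier;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.http.HttpServlet;

/** Added example: maps servlets from allow-listed packages at /servlet/<class name>. */
public class PackageServletRegistrar implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        String param = ctx.getInitParameter("invoker.packages");
        if (param == null) return; // no allow-list configured: register nothing
        for (String pkg : param.split(",")) {
            pkg = pkg.trim(); // the param-value may span several lines
            if (!pkg.isEmpty()) registerPackage(ctx, pkg);
        }
    }

    private void registerPackage(ServletContext ctx, String pkg) {
        // Assumption: classes live under WEB-INF/classes (jars are not scanned here).
        Set<String> paths = ctx.getResourcePaths("/WEB-INF/classes/" + pkg.replace('.', '/') + "/");
        if (paths == null) return;
        for (String path : paths) {
            if (!path.endsWith(".class") || path.contains("$")) continue; // skip dirs, inner classes
            String simple = path.substring(path.lastIndexOf('/') + 1, path.length() - ".class".length());
            String fqcn = pkg + "." + simple;
            try {
                // initialize=false: static initializers do not run during the scan
                Class<?> c = Class.forName(fqcn, false, ctx.getClassLoader());
                if (!HttpServlet.class.isAssignableFrom(c) || Modifier.isAbstract(c.getModifiers())) continue;
                ServletRegistration.Dynamic reg = ctx.addServlet(fqcn, c.asSubclass(HttpServlet.class));
                if (reg == null) continue; // name already registered, e.g. in web.xml
                Set<String> conflicts = reg.addMapping("/servlet/" + fqcn);
                ctx.log("invoker replacement: /servlet/" + fqcn + (conflicts.isEmpty() ? "" : " NOT mapped (conflict)"));
            } catch (ClassNotFoundException e) {
                ctx.log("invoker replacement: skipped " + fqcn, e);
            } catch (LinkageError e) {
                ctx.log("invoker replacement: skipped " + fqcn, e);
            }
        }
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

The log lines written at startup give an inventory of every URL this listener exposed, which is the list to review before moving the mappings into web.xml.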
Here you see my video. I start tomcat 6 and execute InfoServlet and HelloServlet (different packages). Then I stop version 6 and start version 7 (I did not change ports to have both tomcats running). Executing the same servlets you can check that both results are exactly the same.
Today's entry tries to explain how to work around the missing Tomcat Invoker Servlet in the new version 7 (this last version has removed the servlet because of its evilness). The solution uses the Servlet 3.0 API, class loaders and reflection to dynamically register all the servlets in the application. It is a bit less insecure (there is no redirection, standard mapping is used and only servlets under specified packages are included) and, more importantly, it works inside Tomcat 7. Of course the context listener that searches for servlets can take some time to find all of them, but if your servlets are located in a few packages it is not so much; besides, remember that this code is only executed once at startup.
David, you owe me another beer!