Planning an Apache Tomcat upgrade (or migrating to the latest version of Tomcat) can pose challenges to unsuspecting enterprises. But Tomcat migrations and upgrades are key to maintaining security and to unlocking the potential of newly-supported features and improvements found in later versions of Tomcat.

In this blog, we look at how to prepare for your next Tomcat upgrade, with details on the Tomcat community support lifecycle, considerations like how often enterprises should be upgrading/migrating, and the basic steps of performing an Apache Tomcat migration or upgrade.

Editor’s Note: This blog was originally published in 2022 and was updated in 2024.

Understanding the Apache Tomcat Lifecycle

There are two active branches of Tomcat at the time of this writing: 9 and 10. Tomcat 8.5 reached end of life (EOL) on March 31, 2024. The Tomcat community typically does a good job of communicating end of life at least a year in advance for versions going EOL. These EOL announcements are typically accompanied by news regarding the next major version; the Tomcat 8.5 EOL date was announced around the same time as information about Tomcat 11 first emerged.

Ultimately, which branch you choose is likely based on what version of Java you’re using along with it. The Tomcat website has a reference chart to help you figure out what versions of Java work with what versions of Tomcat.

What to Consider Before Your Apache Tomcat Migration or Upgrade

If you happen to be upgrading in the same major branch versions, your configuration file will likely transfer easily in between versions. This means your testing of minor releases should be relatively pain free and not take a lot of time and resources from your team.

Migrating from a major version to another, however, requires that you rewrite your configuration based around all the major changes incorporated into the new major version. Testing for this will take a greater amount of time and resources due to the nature of there being significant changes between major versions of Tomcat.

Reading the release notes is going to provide you with an overview of what to expect. Because of this, we advise you pick the newest version of Tomcat that you can, so that you get the longest range of time of support from the Apache community.

How Often Should You Upgrade Tomcat?

Some apps function so smoothly, we set them out in production and they do their job so well, that touching it becomes almost out of the question because if it isn’t broken, does it need fixing? That is a complicated question, because the answer can be circumstantial. If the app and infrastructure around it are all working soundly, you may not see any reason to do a minor upgrade. But then one day, you hear from the community that there is a CVE or more relating to a version that you’re currently using. Now, there’s a motivating factor to remediate the security issue. Keeping up with the security of Tomcat is important for anyone using it in a production environment, and the longer you wait to upgrade or migrate, the less smoothly things are likely to go.

How Often Should You Migrate to a New Tomcat Version?

Migrating to a newer Tomcat branch is a trickier task, since bringing over your configuration from the previous branch will not work. Migration will require significant testing to verify that your code will work with the app server. The more moving parts in play the greater the risk of older apps not being fully compatible.

Knowing the EOL dates ahead of time is going to give your organization the necessary heads up of when they will have a greater need to migrate.

Tomcat’s website states that on average a major release of Tomcat is good for 10 years. This is a significant window by comparison to other known application servers, giving your organization time to plan accordingly. Apache has also written specific documentation for migrating.

Back to top

How to Prepare for Your Next Apache Tomcat Upgrade / Migration

The very first thing to do before migration is to take back ups of everything. Document what sort of changes you’re going to be making to the environment so that you have an accurate account for everything you’re going to do. Going over metrics of when the app is in use will allow you to know when the best time to perform the migration is. 

Step #1: Determine Your Migration / Upgrade Path

Determine which version of Tomcat you will be upgrading to, along with the required version of Java that Tomcat requires. Read the release notes to see what sort of major changes you’ll be dealing with, as it might also give you insight to the new features available as well.

Step #2: Complete a Test Install and Compare Configuration Files

Using the same OS that you will be deploying your app on, set up the version of Tomcat you will be upgrading to in a test environment. Testing is critical for migration and is still a good practice for upgrades as well. One of the tests that you can run is a git command that compares configuration files against one another. An example of this command would look something like:

git diff 10.1.0-M1 10.1.0-M2 -- conf/

Step #3: Configure Your Test Install and Deploy Your Application to Test Environment

Configure your Tomcat instance and see if you can deploy your application in the test environment. Once you have your app up and running, you’ll want to do some testing to make sure it can handle the standard work load it’ll be under in production. The method you use to generate traffic to the server will vary depending on the type of application you’re running. It’s advised you push your server past the point that it might hit in production to prepare for any upticks in traffic. 

Step #4: Bring Test Environment to Production and Gradually Transition Workloads

Once you’ve done thorough testing of workloads on the new server, you’ll want to schedule time to bring your environment to production. The best practice is to stand the new servers up alongside the production servers, allow traffic to the new environment while maintaining the older live environment. When you’ve established that the new servers can properly handle live workloads, you may then take down the older servers one at a time, making sure that the new live servers are able to handle the workload gradually.

Back to top

Final Thoughts

With enough planning — and a proper test environment and traffic tools — you should be able to properly plan a fairly stress-free Tomcat upgrade or migration. While Tomcat versions are good for roughly ten years, there are performance gains and new features to be had when you decide to migrate or upgrade to a newer version. Upgrading and migrating should be a regular part of every organizations maintenance plan and is also critical for preventing exposure to security vulnerabilities.

In this blog, we look at eight ways to improve your Apache Tomcat security hardening, ranging from basic best practices like not running your Tomcat as the root user, to more advanced tips like using realms to control resource access. At the end of the blog, we’ll wrap up with some final thoughts about how to secure Tomcat and then link to some related resources you should check out. Let’s dive in!

Editor’s Note: This blog was originally published on December 29, 2020 and was revised and updated with new content on September 3, 2024. 

Why You Need to Secure Tomcat

Apache Tomcat is a robust application server that includes many features available right out of the box. However, just because these features and settings are available right away doesn’t mean that your Tomcat server is ready for production. Before you go to production, you need to perform thorough tuning and security hardening to ensure your Tomcat server is secure.

Back to top

How to Keep Your Tomcat Secure: 8 Tomcat Security Hardening Tips 

There are many ways to improve Apache Tomcat security, and this blog is no replacement for a thorough dive into the possible ways in which you can do so. However, the tips below are a good starting point for people interested in hardening their Tomcat server deployment. 

As a longtime developer and champion of open source, I’m always looking for ways to remove barriers to adoption. So I’m especially proud today to announce the Hadoop Service Bundle from OpenLogic, a new offering that will enable enterprises to switch from subscription-based platforms to a fully open source Big Data stack.

Why We Created the Hadoop Service Bundle

For years, vendors like Cloudera have been selling companies an open-core Big Data solution based on Apache Hadoop that takes the complexity of Hadoop administration off their plates. Open source technologies power their product, and enterprise support and managed services are included as part of the deal. Lately, however, they have been pressuring their customers to migrate to their public cloud platform, the Cloudera Data Platform (CDP). 

Why is this a problem? Moving data to the public cloud presents a number of significant issues — new compliance considerations, security risks, and ballooning costs, as well as less cost predictability. Many organizations would prefer to keep their data on-prem or in a hybrid environment and not pay cloud-hosting and migration fees.

Another concern is vendor lock-in: what if Cloudera starts making some or all of their tools proprietary? We’ve seen it happen before, with Oracle Java and Red Hat Enterprise Linux. Companies are understandably nervous about handing over control of their Big Data and then being forced to pay for software they don’t want or need.

The Hadoop Service Bundle was devised as a more customizable and cost-effective alternative that gives organizations more freedom and flexibility with their Big Data. With the Hadoop Service Bundle, organizations can host their data wherever they want and deploy only what they need for their use case, in a 100% open source Hadoop implementation remotely monitored and supported by OpenLogic. 

Back to top

What’s Included in the Hadoop Service Bundle?

There are three components of the Hadoop Service Bundle:

Installation and Migration

After conducting a thorough assessment of your current data infrastructure, we will oversee the cutover process from Cloudera, with a side-by-side parallel installation so that we can test for stability before completing the migration. 

You decide which components (up to 11) you want to include in your OpenLogic open source Hadoop stack and we will take care of the rest. In the table below, you can see which open source technologies replace the proprietary tools offered by Cloudera — and how much overlap there is, software-wise, between their platform and our offering.

After the migration, we will adapt it to a “reference installation” to give you the flexibility to grow and add new integrations while monitoring the entire stack.

Technical Support

Of course, it’s essential to have 24/7/365 Hadoop support, backed by SLAs, so if something happens, we can remediate issues quickly. You will have direct access to Enterprise Architects with at least 15 years of experience working on complex, large-scale open source deployments. 

Admin as a Service

We understand that not all teams have the internal knowledge or resources to manage a Hadoop implementation. OpenLogic will provide administration, including health checks and supervision of security updates, to ensure that your Hadoop instance is fully optimized and monitored around the clock. 

Back to top

Benefits of the Hadoop Service Bundle

The biggest benefit is cost savings — when compared to subscription and cloud-hosting fees charged by vendors like Cloudera, the Hadoop Service Bundle can reduce your annual Big Data management spend by up to 60%. 

Other benefits include more freedom and flexibility in terms of your Big Data infrastructure. A straightforward pricing model with no surprise fees. Working with a partner with deep OSS expertise that goes beyond Hadoop. And of course, the peace of mind knowing your data is an open source stack and won’t ever be held hostage in a proprietary platform. 

New Bootstrap vulnerabilities could spell trouble for those with websites or web apps running Bootstrap 3 or Bootstrap 4, which are end of life and no longer community-supported. 

Keep reading to find out how these vulnerabilities can be exploited to engineer cross-site scripting (XSS) attacks and what to do to enhance your Bootstrap security. 

Recently Disclosed Bootstrap Vulnerabilities: Who Is Impacted?

AngularJS has been end of life (EOL) since 2022, and yet more than 20% of large enterprises have not yet migrated to a different framework*. Usually when software becomes end of life, there is a clear successor, but that’s not exactly the case with AngularJS. 

In this blog, we explore how to choose a JavaScript framework to replace AngularJS, with overviews of the most popular JavaScript frameworks as well as different ways to approach your AngularJS migration.

*Source: 2024 State of Open Source Report

Why Replace AngularJS?

As just mentioned, the main reason to replace AngularJS is because it is end of life. This means no more updates, bug fixes, or security patches are being issued from the community. Staying on EOL software exposes your application(s) to vulnerabilities that can be exploited — resulting in serious fiscal and/or reputational damage that puts your business in the headlines for all the wrong reasons. 

Read more about AngularJS vulnerabilities >> 

While security is the most important consideration here, it’s not the only reason to get off AngularJS. New browser versions and updates to jQuery can also wreak havoc and cause breaking changes and downtime. As an older framework, compatibility is another potential problem. As the web development landscape continues to evolve, there is a good chance AngularJS will not always integrate seamlessly with the latest and greatest tools and libraries. 

Back to top

Key Considerations for Choosing a JavaScript Framework

In general, assessment in three key areas is important as you evaluate AngularJS alternatives: scalability, community, and learning curve.

Scalability: Scalability should be one of your top concerns when selecting your next JavaScript framework. Think about your project’s size and complexity, as well as future plans for growth. You need a framework that can scale as your business scales. 

Community: The landscape of JavaScript frameworks has grown over the years, but not every project has been widely adopted or proven stable enough to be viable for enterprise. How established is the community? Can you rely on them for support or guidance if you need it? An active community means there will likely be regular updates, bug fixes, and a robust ecosystem with tools and documentation. 

Learning Curve: Before adopting a new framework, it’s a good idea to consider how long it will take to learn and your dev team’s current expertise. Is your team already familiar with the framework’s concepts and syntax? Obviously, choosing a framework that is aligned with your team’s existing skills can speed development.

Back to top

Popular JavaScript Frameworks 

Let’s take a look at a few of the top JavaScript frameworks for frontend development that could be suitable replacements for AngularJS. We’ll focus on how they compare to AngularJS in terms of architecture, DOM, and data-binding, and highlight some benefits and drawbacks. 

Angular

Angular is written in Typescript, which is a superset of JavaScript, so migrating means committing to coding in Typescript moving forward, which may extend the learning curve. Angular does, however, have interoperability with AngularJS, so an upgrade via ngUpgrade is possible. The architecture of Angular is also different from AngularJS: Angular’s component-based architecture (compared to AngularJS’s model-view-controller, or MVC, architecture) is a better fit for mobile-first development and makes it very scalable, due to reusable modular components that simplify the development of complex applications. 

Learn more about Angular vs. AngularJS >>

ReactJS

ReactJS was developed by Facebook and offers a component-based architecture like Angular. While AngularJS is MVC, ReactJS is just V, or View-based, and can be used to build dynamic user interfaces. The biggest difference between AngularJS and ReactJS is their scope: AngularJS is more broad and feature-rich, whereas ReactJS is more narrow in scope, making it lightweight and flexible. AngularJS also relies on the real DOM, which can slow things down compared to virtual DOM frameworks like ReactJS and VueJS. 

Read more about AngularJS vs. ReactJS >>

VueJS

VueJS is known for its versatility and intuitive syntax, making it easy to learn. Like ReactJS, it is lightweight with a small API footprint and focused on the “view” part of the typical MVC architecture. VueJS supports two-way data binding, similar to AngularJS, but discourages it in favor of one-way data flow, which is more flexible. Many developers find it easy to get started with VueJS, but before migrating, be sure to consider how your AngularJS deployments are using behaviors from the AngularJS ecosystem.

Get a more in-depth comparison of AngularJS vs. VueJS >>

EmberJS

Compared to the lightweight simplicity of ReactJS and VueJS, EmberJS is more “complete” and well-suited to complex, high-traffic mobile or desktop applications. It follows the MVVM (model-view-view-model) architecture, and components cannot be reused. Compared to AngularJS’s modular approach, EmberJS utilizes routers, templates, models, and components. While two-way data binding is preferred according to the documentation, one-way data binding is also supported. EmberJS uses a rendering engine called Glimmer, which behaves similarly to a virtual DOM. 

Explore more differences between AngularJS and EmberJS >>

Back to top

Planning Your AngularJS Migration 

Both the choice of framework and migration strategy is likely going to be informed by how you/your stakeholders prioritize quality, time, and cost. In the ideal-but-unlikely scenario that you have unlimited money and unlimited time, you won’t have to sacrifice at all in terms of quality. However, most teams will have to make decisions based on tight deadlines and budgets. 

Questions to Answer Before Migrating

As with any legacy codebase modernization project, you should start by analyzing things like size, complexity, dependencies, and your dev team’s bandwidth. Answering the following questions is a good starting point: 

Once you’ve answered these questions and chosen the framework to replace AngularJS, you’re ready to plan the migration itself. There are essentially two approaches:

1. A phased migration, aka gradually replacing AngularJS components with the new framework. Depending on your application, this can be technically challenging, but it can be done. It may require partnering with a commercial vendor for long-term support (LTS) for your existing system while you migrate and/or expertise to guide the migration itself. 
    
2. A complete rewrite, aka rebuilding the application from scratch on the new framework. This can be both time- and resource-intensive; on the other hand, a rewrite could unlock opportunities for a new version with a different vision.

There are some tools that can help automate refactoring, analysis, and running codemods, including ngMigration Assistant, Jscodeshift, and TSLint. The open source community for your new framework may also be able to offer tips and support, or you could consult with OpenLogic for help building your migration roadmap. OpenLogic also offers AngularJS LTS through 2030 if you need a source for patches while you rewrite or migrate your system. 

Back to top

Final Thoughts

Make sure to conduct thorough testing and debugging before implementing the new framework in a production environment, as there may be unforeseen compatibility or integration issues. Also be prepared to offer whatever additional training or upskilling your team needs so they can fully take advantage of the new framework’s capabilities. Finally, after migrating, don’t forget to continually monitor performance via metrics like page load speed, network requests, and rendering, so you can optimize as necessary to keep your application running efficiently.