tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: 6.x feature wishlist
Date Wed, 08 Aug 2007 04:01:46 GMT
For most browsers, this won't really work.  Most browsers treat CLIENT-CERT 
login the same way that they treat BASIC, so once they have authenticated, 
they won't ask the user again, and just re-send the same credentials.  It is 
easy enough to write a Valve to do this, but as I said, it won't work the 
way you want it to.  As such, I'd be against including it in Tomcat unless 
you can write such a Valve and show that it works.

"atul" <> wrote in message
I was wondering if a feature to achieve SSL "logout" would make it in here 
too !

SSL Logout :

Provide a way to session-tear-off/logout for an authenticated session using 
X509Certificate based client/mutual SSL. So that when the user tries to 
access a protected resource again without closing the browser (user agent), 
the server re-negotiates ssl and ask for client certificate.

I was not able to find this in any of Tomcat 4.x, 5.x Or 6.x.
This would be great feature and I know quiet a few people are looking for 

A t u l

----- Original Message ----
From: Filip Hanik - Dev Lists <>
To: Tomcat Developers List <>
Sent: Monday, August 6, 2007 10:36:24 PM
Subject: 6.x feature wishlist

I wanted to start a wish list of what we can move forward with, here is
a short list of items that I had in mind as a starter

1. Session replication - stateless backup location
   Store the backup location of a session as part of the sessionId,
similar to the jvmRoute but opposite.
   This way, you can scale a cluster horizontally, since the location of
the backup node doesn't have to be known until you fail over.

2. Add a block/no-block parameter to InputFilter.doRead and
    InputFilter -> public int doRead(ByteChunk chunk, Request unused,
boolean block) throws IOException;
    OutputFilter -> public int doWrite(ByteChunk chunk, Response unused,
boolean block) throws IOException;
    Servlet 3.0 will most likely expose non blocking read/write through
the servlet API, this will get us there ahead of time
    Haven't thought of how we expose this API yet though, but more will

3. Consolidate connector code
   Currently we have
Http11Processor/Http11NioProcessor/Http11AprProcessor doing almost the
same thing, there is much that
   can be consolidated to make the code more maintainable
   Essentially, you create a Endpoint base line interface.
   At the same time we could consolidate the Internal(In/Out)put buffers
as they are copies too.
   We have some fairly tuned endpoints now, it would also be nice to
make these protocol agnostic.

4. Startup -> server.xml warnings
   If one enters an invalid element or attribute that is simply ignored
today, at least output an info or warn message letting the
   admin know if its misconfiguration.

5. Finish bayeux -> I started this in sandbox, took me a while to
understand the protocol, and its not as cool as I thought it would be
   but I still feel its important for it to be part of Tomcat

6. Auto context logging
   Automatically create loggers for each context, so that one doesn't
have to specify one per context in
   Of course, you can turn on/off the auto context logger through

7. File cache - use MappedByteBuffers for the file cache, that way the
send file operation can benefit even more
   when you have two direct buffers, and you also avoid reading the disk
each time for a file
   ideas on this came from Jeanfrancois Arcand.


8. Add getName()/setName() to the WebappClassLoader, name of the web app
classloader will correspond to the one of the Context container
   Applications like Terracotta or AOP apps can much easier plug in and
be able to share data when they know what loader the class came from

9. Add the configuration option to start the connectors after all apps
are deployed
   If some applications are taking long to startup, load balancers are
already trying to send requests to the Tomcat instance, which is just
bound to a port, but not yet taking requests

10.Turn our embedded thread pools into Tomcat Executor thread pools,
same performance but pluggable. Instead of having them hidden in the end
point code

11.Timestamps & System.currentTimeMillis
   System.currentTimeMillis is invoked everywhere during the chain of
events for a HTTP requests, even though most dates only need precision
down to the second.
   I've received feedback that this could be improved by keeping a time
service, that updates a timestamp every second, and therefor reduces the
number of system calls
   I think we would need to prove the theory before committing to the
implementation, but that should be pretty easy

12.Comet sample webapp
   While most folks want to start with Comet, it is a strange question,
tons of users on the user list just are having a hard time getting kick

I was thinking we can keep this list on Wiki or in a text file in SVN,


To unsubscribe, e-mail:
For additional commands, e-mail:

Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel 
and lay it on us.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message