Spring Web Services Tomcat Compatibility

In this post we attempt to help you choose the appropriate version of Tomcat when using Spring Web Services.

For context, if you’ve developed a web service using Spring Web Services, chances are you’ve blissfully been using the Maven Jetty Plugin in your project during the development phase. When you’re getting ready to deploy to Tomcat, however, you may need to know which Servlet/JSP Spec version Spring Web Services supports, since this is how the Tomcat Which Version page guides users in their decision-making process.

Here are steps that could be used to determine the relevant Servlet/JSP Spec version and hence Tomcat version:

  1. Run mvn dependency:tree
  2. Look for the org.springframework.ws:spring-ws-core line and then for the version number of its org.springframework:spring-webmvc line; in our case, we have 3.1.0.RELEASE as the version
  3. Now look at the dependencies of that version of spring-webmvc and, in turn, its org.apache.tomcat:tomcat-servlet-api dependency; in our case, we find that we are dependent on tomcat-servlet-api version 7.0.8
  4. Finally, have a look at the MANIFEST of the above-mentioned jar, where you will find the relevant Servlet Spec; in our case we find: Specification-Title : Java API for Servlets, Specification-Version : 3.0
  5. Choose Tomcat 7 as advised.



Protect your web service from a denial-of-service attack with Apache Synapse

If you’re looking to protect your web service from a denial-of-service (DoS) attack, and don’t want to pollute your web service with home-grown security logic, you may want to have a look at Apache Synapse (The Lightweight ESB).

Synapse comes packaged as a WAR. If you are using Maven, you should be able to use an overlay to modify the default configuration to suit your needs. On the subject of configuration, this page documents one way of protecting your web service against a DoS attack: using a Throttle Mediator and Concurrency Control (in Synapse parlance).

In my case, I’m using a cloud-based platform as a service provider, so low-level firewall work is not going to work for me. Instead, a proxy such as Synapse, routing HTTP-based SOAP requests, seems to be suitable.

I hope to update this post once I have tested and deployed it all, which may take some time, since the web service is far from finished. It’s good to know about Synapse though, as now I can stop thinking about security for a while and an intentional (or unintentional) DoS attack. Not sure if I could restrict load on a per-client basis with Synapse, but at least global throttling is better than nothing.