Is running spring boot java app with embedded tomcat, less vulnerable than running the same version of standalone? In short can we apply the same criteria here?
Related
I have an application that is currently built on Spring Boot 1.5.9 and I am trying to update it to the latest Spring Boot 2 version.
The application uses spring-security, spring-security-taglibs, spring-boot-starter-data-jpa, spring-session-jdbc, jstl (jsp pages) and connects to two databases, I also use profiles to configure the application differently in development and production environments.
I was successfully able to upgrade my development application. I only needed to modify my pom.xml and a few java files.
During development I usually use the integrated Tomcat server. i.e. The one you get when you run mvn spring-boot:run
As a sanity test I also installed Tomcat 9.0.43 (this is the same build that is used in my production environment). The Spring Boot 2 version of the application works perfectly fine using this method.
However, all my problems started when I tried to deploy my application into the production environment.
When restarting the Tomcat server, I don't see any indication that it even detects the Spring Boot 2 application. In Spring Boot 1, I would usually get the Spring logo and a bunch of startup messages. Visiting the website in a browser shows The origin server did not find a current representation for the target resource or is not willing to disclose that one exists
The Spring Boot application does not generate any log files and Tomcat's log files merely indicate the application was deployed successfully.
What could be causing this issue.
Both my development system and the production server have JRE and JDK 8 installed (although, different minor versions)
Both systems are running the same version of Tomcat.
Both systems run on Windows. The server runs on Windows server 2013 and the development environment is on Windows 10.
I use Visual Studio Code for development and debugging
Update 1
The spring boot 2 version of my application is using version 2.5.1
Here are a few things that I have done:
I have made sure that the application extends SpringBootServletInitializer
I can't put my local Tomcat installation in the production server (at least, not without a lot of issues), but I've copied the server's Tomcat installation onto my development machine and verified that the application DOES start correctly.
The only property in my POM is <java.version>8</java.version>
While both environment have JRE and JDK 8, they may have different minor versions
Update 2
I created a brand new Spring Boot 2.5.9 application (using Spring Initializr and no dependencies) and tried to run this in a Tomcat 8.5.20 instance on the server. I also created an index.html to display a simple Hello World!!! if the application starts correctly
The application works fine on my development system (using both integrated Tomcat and separate Tomcat installation)
In production, the Spring Boot application did not start (i.e. I got a 404)
It did not appear to generate any logs or errors.
We have built some Microservices with Spring Boot (Using Spring Cloud Dependencies). Now as we know Spring Boot comes with an embedded Tomcat Server. Can it be deployed to production with the same embedded Tomcat Server. If we are running this in production for an big enterprise do we need a separate Tomcat license for these embedded Tomcat servers?
If you use microservices architecture, embedded tomcat is enough even in production.
Tomcat is open source, so you don't need lisences.
We currently running an app on production on tomcat 8.0.44.
We migrated our app to work on spring boot v2.0.4 (embedded tomcat) and now we need to upload it to production (instead of the tomcat implementation)
Could someone share his experience regarding this transfer?
Any impact noticed? All aspects (load, performance, etc), any downsides?
What should we consider when doing this transfer? (load test is problematic due to the nature of our application)
Also, I understood that spring boot can run as executable (currently not implemented on QA). What are the benefits of using it? is it preferable as to using java to run spring boot (the regular way)? any downsides?
Thanks,
Hila
It maybe a trivial question for experienced web application developers, but for me as a new developer, I cannot understand that why do we need an application container(like Tomcat or Wildfly) when deploying a Spring Boot web application to Openshift, Heroku, or Google App Engine, etc? My understanding is that Spring Boot already contains an embedded container (Tomcat). Can someone explain this to me? Thanks
SpringBoot is Java API that relies on an embedded Java Servlet engine to support the API calls. These dependencies are typically pulled in by Maven as dependencies. So for the end user, it just looks like a FAR JAR with a bunch dependencies included (where one of those dependencies is Embed Tomcat, Jetty or Undertow for example)
More information can be found on the main SpringBoot project page.
I am looking for a mvn project template that can be downloaded and used as a kick-off for a web application.
The requeriments are:
Spring security (for user authentication and pages accesing control)
Hibernate integration (for data persistance like users and more)
The application must run on tomcat (i use TomEE)
I have a web application already running with pages and servlets and daos, persistence.xml and more. The problem is that i cant find the way to integrate this app with spring security, and for this reason i am looking for a project template...
Give Spring Boot a shot. You can either use Spring Tool Suite or Spring Initializer site to get a secure web app running and using hibernate as ORM.
You can later choose to run the app in the embedded Tomcat/Jetty or package as WAR and deploy in container of your choice.