Apache Tomcat — The Java Servlet Container That Powers the Web

Introduction

Apache Tomcat is the reference implementation of the Jakarta Servlet and JavaServer Pages specifications. It has been the standard Java web application server for over two decades, providing a lightweight and reliable runtime for deploying servlet-based applications, REST APIs, and Spring Boot projects.

What Apache Tomcat Does

• Serves Java web applications packaged as WAR files or exploded directories
• Implements Jakarta Servlet 6.0, JSP 3.1, EL 5.0, and WebSocket 2.1 specifications
• Manages HTTP connections with a non-blocking I/O connector (NIO/NIO2) for high concurrency
• Supports virtual hosting, session clustering, and load balancing across multiple instances
• Provides a web-based Manager application for deploying, undeploying, and monitoring apps

Architecture Overview

Tomcat consists of a Catalina servlet container, a Coyote HTTP connector, and a Jasper JSP engine. Incoming HTTP requests arrive at the Coyote connector, which passes them through a pipeline of valves (filters) before dispatching to the appropriate servlet in the Catalina engine. Each web application runs in its own classloader for isolation. Configuration is defined in server.xml (server-level), context.xml (per-app), and web.xml (servlet mappings). The Cluster module enables session replication across nodes.

Self-Hosting & Configuration

• Download the binary distribution from the Apache mirrors or install via package managers
• Place WAR files in the webapps/ directory for automatic deployment on startup
• Configure connectors in server.xml: set ports, thread pool sizes, and TLS certificates
• Tune JVM memory via CATALINA_OPTS (e.g., -Xmx, -XX:+UseG1GC) in setenv.sh
• Enable the Manager and Host Manager apps by adding users to tomcat-users.xml

Key Features

• Lightweight and fast: starts in seconds with a small memory footprint compared to full Jakarta EE servers
• Auto-deploy: drop a WAR file into webapps/ and Tomcat deploys it without a restart
• Embedded mode: use Tomcat as a library inside Spring Boot or standalone Java applications
• Session clustering and replication for high availability across multiple Tomcat nodes
• Mature security: regular CVE patches, built-in CSRF protection, and security manager support

Comparison with Similar Tools

• Jetty — embeddable Java server with similar features; lighter defaults, smaller community
• WildFly — full Jakarta EE application server; more features but heavier for simple servlet apps
• Undertow — high-performance web server from Red Hat; often embedded in WildFly and Quarkus
• Nginx + app server — reverse proxy pattern; Tomcat often runs behind Nginx for static assets and TLS
• Spring Boot embedded — bundles Tomcat inside the app JAR; same engine, different deployment model

FAQ

Q: Is Tomcat a full application server like WildFly? A: No. Tomcat implements the servlet specification but not the full Jakarta EE platform (EJB, JMS, etc.). For most web apps and microservices, this is sufficient.

Q: How do I run Tomcat behind a reverse proxy? A: Configure Nginx or Apache HTTP Server as a reverse proxy. Set the proxyName and proxyPort attributes on the Tomcat connector so generated URLs are correct.

Q: Can Tomcat handle production-level traffic? A: Yes. With proper JVM tuning and NIO connectors, Tomcat handles thousands of concurrent connections. Major organizations run Tomcat in production at scale.

Q: How do I enable HTTPS? A: Add a TLS connector in server.xml pointing to a keystore file. Use Certbot or step-ca to obtain certificates and convert them to JKS or PKCS12 format.

Sources

• https://github.com/apache/tomcat
• https://tomcat.apache.org/