Besides EAR and EJB, what do I get from a Java EE app server that I don't get in a servlet container like Tomcat?

We use Tomcat to host our WAR based applications. We are servlet container compliant J2EE applications with the exception of org.apache.catalina.authenticator.SingleSignOn.

We are being asked to move to a commercial Java EE application server.

  1. The first downside to changing that I see is the cost. No matter what the charges for the application server, Tomcat is free.
  2. Second is the complexity. We don't use either EJB nor EAR features (of course not, we can't), and have not missed them.

What then are the benefits I'm not seeing?

What are the drawbacks that I haven't mentioned?


Mentioned were...

  1. JTA - Java Transaction API - We control transaction via database stored procedures.
  2. JPA - Java Persistence API - We use JDBC and again stored procedures to persist.
  3. JMS - Java Message Service - We use XML over HTTP for messaging.

This is good, please more!


Solution 1:

When we set out with the goal to Java EE 6 certify Apache Tomcat as Apache TomEE, here are some of the gaps we had to fill in order to finally pass the Java EE 6 TCK.

Not a complete list, but some highlights that might not be obvious even with the existing answers.

No TransactionManager

Transaction Management is definitely required for any certified server. In any web component (servlet, filter, listener, jsf managed bean) you should be able to get a UserTransaction injected like so:

  • @Resource UserTransaction transaction;

You should be able use the javax.transaction.UserTransaction to create transactions. All the resources you touch in the scope of that transaction should all be enrolled in that transaction. This includes, but is not limited to, the following objects:

  • javax.sql.DataSource
  • javax.persistence.EntityManager
  • javax.jms.ConnectionFactory
  • javax.jms.QueueConnectionFactory
  • javax.jms.TopicConnectionFactory
  • javax.ejb.TimerService

For example, if in a servlet you start a transaction then:

  • Update the database
  • Fire a JMS message to a topic or queue
  • Create a Timer to do work at some later point

.. and then one of those things fails or you simply choose to call rollback() on the UserTransaction, then all of those things are undone.

No Connection Pooling

To be very clear there are two kinds of connection pooling:

  • Transactionally aware connection pooling
  • Non-Transactionally aware connection pooling

The Java EE specs do not strictly require connection pooling, however if you have connection pooling, it should be transaction aware or you will lose your transaction management.

What this means is basically:

  • Everyone in the same transaction should have the same connection from the pool
  • The connection should not be returned to the pool until the transaction completes (commit or rollback) regardless if someone called close() or any other method on the DataSource.

A common library used in Tomcat for connection pooling is commons-dbcp. We wanted to also use this in TomEE, however it did not support transaction-aware connection pooling, so we actually added that functionality into commons-dbcp (yay, Apache) and it is there as of commons-dbc version 1.4.

Note, that adding commons-dbcp to Tomcat is still not enough to get transactional connection pooling. You still need the transaction manager and you still need the container to do the plumbing of registering connections with the TransactionManager via Synchronization objects.

In Java EE 7 there's talk of adding a standard way to encrypt DB passwords and package them with the application in a secure file or external storage. This will be one more feature that Tomcat will not support.

No Security Integration

WebServices security, JAX-RS SecurityContext, EJB security, JAAS login and JAAC are all security concepts that by default are not "hooked up" in Tomcat even if you individually add libraries like CXF, OpenEJB, etc.

These APIs are all of course suppose to work together in a Java EE server. There was quite a bit of work we had to do to get all these to cooperate and to do it on top of the Tomcat Realm API so that people could use all the existing Tomcat Realm implementations to drive their "Java EE" security. It's really still Tomcat security, it's just very well integrated.

JPA Integration

Yes, you can drop a JPA provider into a .war file and use it without Tomcat's help. With this approach you will not get:

  • @PersistenceUnit EntityManagerFactory injection/lookup
  • @PersistenceContext EntityManager injection/lookup
  • An EntityManager hooked up to a transactional aware connection pool
  • JTA-Managed EntityManager support
  • Extended persistence contexts

JTA-Managed EntityManager basically mean that two objects in the same transaction that wish to use an EntityManager will both see the same EntityManager and there is no need to explicitly pass the EntityManager around. All this "passing" is done for you by the container.

How is this achieved? Simple, the EntityManager you got from the container is a fake. It's a wrapper. When you use it, it looks in the current transaction for the real EntityManager and delegates the call to that EntityManager. This is the reason for the mysterious EntityManager.getDelegate() method, so users can get the real EntityManager if they want and make use of any non-standard APIs. Do so with great care of course and never keep a reference to the delegate EntityManager or you will have a serious memory leak. The delegate EntityManager will normally be flushed, closed, cleaned up and discarded when a transaction completes. If you're still holding onto a reference, you will prevent garbage collection of that EntityManager and possibly all the data it holds.

  • It's always safe to hold a reference to a EntityManager you got from the container
  • Its not safe to hold a reference to EntityManager.getDelegate()
  • Be very careful holding a reference to an EntityManager you created yourself via an EntityManagerFactory -- you are 100% responsible for its management.

CDI Integration

I don't want to over simplify CDI, but I find it is a little too big and many people have not take a serious look -- it's on the "someday" list for many people :) So here is just a couple highlights that I think a "web guy" would want to know about.

You know all the putting and getting you do in a typical webapp? Pulling things in and out of HttpSession all day? Using String for the key and continuously casting objects you get from the HttpSession. You've probably go utility code to do that for you.

CDI has this utility code too, it's called @SessionScoped. Any object annotated with @SessionScoped gets put and tracked in the HttpSession for you. You just request the object to be injected into your Servlet via @Inject FooObject and the CDI container will track the "real" FooObject instance in the same way I described the transactional tracking of the EntitityManager. Abracadabra, now you can delete a bunch of code :)

Doing any getAttribute and setAttribute on HttpServletRequest? Well, you can delete that too with @RequestScoped in the same way.

And of course there is @ApplicationScoped to eliminate the getAttribute and setAttribute calls you might be doing on ServletContext

To make things even cooler, any object tracked like this can implement a @PostConstruct which gets invoked when the bean gets created and a @PreDestroy method to be notified when said "scope" is finished (the session is done, the request is over, the app is shutting down).

CDI can do a lot more, but that's enough to make anyone want to re-write an old webapp.

Some picky things

There are some things added in Java EE 6 that are in Tomcats wheelhouse that were not added. They don't require big explanations, but did account for a large chunk of the "filling in the gaps".

  • Support for @DataSourceDefinition
  • Support for Global JNDI (java:global, java:app, java:module)
  • Enum injection via @Resource MyEnum myEnum and
  • Class injection via @Resource Class myPluggableClass and
  • Support for @Resource(lookup="foo")

Minor points, but it can be incredibly useful to define DataSource in the app in a portable way, share JNDI entries between webapps, and have the simple power to say "look this thing up and inject it"

Conclusion

As mentioned, not a complete list. No mention of EJB, JMS, JAX-RS, JAX-WS, JSF, Bean Validation and other useful things. But at least some idea of the things often overlooked when people talk about what Tomcat is and is not.

Also be aware that what you might have thought of as "Java EE" might not match the actual definition. With the Web Profile, Java EE has shrank. This was deliberately to address "Java EE is too heavy and I don't need all that".

If you cut EJB out of the Web Profile, here's what you have left:

  • Java Servlets
  • Java ServerPages (JSP)
  • Java ServerFaces (JSF)
  • Java Transaction API (JTA)
  • Java Persistence API (JPA)
  • Java Contexts and Dependency Injection (CDI)
  • Bean Validation

It's a pretty darn useful stack.

Solution 2:

Unless you want EJB proper, you don't need a full stack J2EE server (commercial or not).

You can have most J2EE features (such as JTA, JPA, JMS, JSF) with no full stack J2EE server. The only benefit of a full stack j2ee is that the container will manage all these on your behalf declaratively. With the advent of EJB3, if you need container managed services, using one is a good thing.

You can also have no cost full stack server such as Glasfish, Geronimo or JBoss.

You can also run embedded j2ee container managed services with embedded Glasfish for example, right inside Tomcat.

You may want an EJB container if you want to use session beans, message beans, timer beans nicely managed for you, even with clustering and fail over.

I would suggest to the management to consider upgrades based on feature need. Some of these EJB containers might just well use embedded Tomcat as their webserver so what gives!

Some managers just like to pay for things. Ask them to consider a city shelter donation or just go for BEA.

Solution 3:

If you are being asked to move to a commercial J2EE server, the reasons may have nothing to do with the J2EE stack but with non-technical considerations.

One thing that you do get with a commercial J2EE offering that you don't get with Tomcat is technical support.

This may not be a consideration for you, depending on the service levels your web applications are supposed to meet. Can your applications be down while you try and figure out a problem with Tomcat, or will that be a major problem?

Solution 4:

Cost isn't necessarily a downside as there a few free J2EE servers, e.g. JBoss and Glassfish.

Your question assumes that (J2EE = Servlet + EJB + EAR) and therefore, there's no point in using anything more than a Servlet container if you're not using EJB or EAR. This is simply not the case, J2EE includes a lot more than this. Examples include:

  • JTA - Java transaction API
  • JPA - Java persistence API
  • JMS - Java messaging specification
  • JSF - technology for constructing user interfaces out of components

Cheers, Donal