17

Is there a need for a Java EE application to have web servers such as SUN Java Web Server to handle the servlet/jsp request and forward to Application Servers such as IBM WebSphere or BEA WebLogic?

Since Application Servers are able to handle such servlets/jsp as well?

What are the advantages / disadvantages of such server architecture?

Arjan Tijms
ilovetolearn

3 Answers

40

Apache Tomcat, Jetty and Sun Java System Web Server are only Java Web (Servlet) containers, meaning they can only execute Servlets/JSP - they don't provide the full Java EE API stack.

As such, they can only deploy .war files, not .ear (that would also include .jar modules with EJBs), and do not support out of the box some Java EE APIs like JSF or CDI, or other functionalities/APIs. It is important to note that, since Java EE 6, .war files may contain EJBs. More info on differences about .war and .ear.


Every Java EE server has a Web Container + EJB Container. (You can see here and here that Tomcat and Jetty do not claim to be JavaEE servers, just servlet (web) containers.)

JBoss Application Server uses JbossWeb (an Apache Tomcat fork) as its web container. Its EJB container is, well, JBoss (they don't have a separate name other than "JBoss EJB Container" for it).

The others (IBM WebSphere, Oracle/BEA WebLogic, TomEE, Glassfish) also have their web container + EJB container.

TomEE obviously uses Apache Tomcat as its web container. Glassfish also uses an Apache Tomcat fork. (Yes, Apache Tomcat seems to be very popular :)

In the discussion below, you can change Tomcat with "Web Container" and JBoss with "Fully capable Java EE Server" whenever they appear. (I used the product's names for clarity.)

JavaEE Server Containers

Image: Java EE Server and containers - Source: The Java EE Tutorial.

What are the (dis)advantages of having Java Web Servers (such as Tomcat) handling the Servlet/JSP calls and forwarding more complex requests to Application Servers such as JBoss (or IBM WebSphere or BEA WebLogic)?

From a functionality standpoint, there is no effective gain

If you place a Tomcat before a JBoss, what you are actually doing is putting a Tomcat before a JBossWeb (web container, thus the entrance to every web application) that will always be before the JBoss' EJB container. If we are talking about functionality, that's just redundant, as we have the same service being delivered twice.

Switching implementors or Clustering capabilities

Placing a Tomcat before a JBoss can make sense if they are using JBoss for its EJB container only: the choice here, then, would be a simple switch in the web container implementor.

Also, if the Tomcat was at a different network node (or more than one Tomcat/node), clustering capabilities could be applied (that otherwise couldn't, as JBossWeb and JBoss usually are treated as one and thus go in the same machine).

Serving static content and Security issues

What is very common is placing a web server (such as Apache HTTPD or IIS) before the Java Web Container. There are two main motivations for this:

  • Make the HTTPD serve the static content (such as images) and forward the rest to the Java web container. This is done because web servers are usually better optimized at the task of delivering static content.
  • Security: Expose only the HTTPD in the DMZ. One can set up an Apache HTTPD at the DMZ, and make it simply forward everything to Web Containers (Tomcats, etc.) and JavaEE Servers (JBosses, etc.).

If one wants added security, there is no point in using a web container in the DMZ: If it is serving apps (that is, has .war files deployed to it), the applications are still "vulnerable"; if it is only forwarding requests/responses, then an Apache HTTPD is a much better option!

acdcjunior
  • 1
    Other Java EE compliant servers are `Glassfish` and `TomEE`. – Menno Apr 14 '13 at 09:19
  • The reason for doing so is, the client "thinks" it would be good to use a web server as a DMZ with the application servers behind the internal firewall. – ilovetolearn Apr 14 '13 at 09:24
  • @optimus The reason for doing what? Placing a web server before the web container or placing a web container before the web container? – acdcjunior Apr 14 '13 at 09:26
  • Yes. They are thinking of having a proxy plugin to forward requests from SUN web server to Weblogic application server. Which makes no sense to me too. I can't understand what kind of security it offers – ilovetolearn Apr 14 '13 at 09:31
  • @optimus My company uses an Apache HTTPD at the DMZ, and it forwards everything to our Tomcats and JBosses. If one wants added security, there is no point in using a Web Container in the DMZ: If it serves apps, you are still vulnerable; if they are only forwarding, then an Apache HTTPD is better! – acdcjunior Apr 14 '13 at 09:39
  • @optimus I clarified the security issue in the answer. Let me know if you need more details, I got the impression you are trying to gather facts to talk about it in your company. I'd be offended by that setup too, so I'm glad to help! – acdcjunior Apr 14 '13 at 09:55
  • >`Apache Tomcat [...] implement the Java EE web profile` - This is not true. They are only Servlet containers. The Web Profile is something else. – Arjan Tijms Apr 14 '13 at 10:04
  • @acdcjunior Yes. I am gathering facts / advantages on the design and setup. As I am a junior, I am in no position to question the setup. However, they are quite reluctant to use open-source project web servers – ilovetolearn Apr 14 '13 at 10:15
  • @optimus It can be a tricky subject indeed. I added some pointers about clustering, check it out. Let's keep on discussing it. – acdcjunior Apr 14 '13 at 10:29
  • 1
    @acdcjunior's final point about using a web server in front of the app server is a good one. I should emphasise that this is absolutely standard practice for web servers across many languages - Java, Python, Ruby, etc. The web server is variously called a proxy, reverse proxy, front-end server, or sometimes load balancer (if it is also doing load balancing). There are a number of reasons why it's a good idea, taking in security, stability, performance, and manageability, but this is not the time to go into them! – Tom Anderson Apr 14 '13 at 19:10
  • 1
    A remark about the first section: EJB beans can be put in wars as well. The difference between war/ear is not about EJB. Also realize that the difference between a Servlet Container and a Java EE AS (Web Profile or full) is more than just EJB. There are *many* other APIs in Java EE! – Mike Braun Apr 15 '13 at 09:03
  • Is it possible to define a `context-root` for an ejb module ? why a `websocket` in an `ejb module` is not accessible but in a `war module` is accessible ?!!! Is there any solution? – Hosein Aqajani Sep 09 '20 at 07:29
  • @HoseinAqajani I can't really tell. You probably should create a whole new question with that. – acdcjunior Sep 10 '20 at 18:09
3

Sun Java Web Server, IBM WebSphere Application Server, WebLogic, JBoss Application Server, Tomcat, Jetty... They are all Java Web Application Servers and do the same thing - run your WAR or EAR packaged application (EAR is for "Enterprise", contains 1+ WARs).

If you have two servers in your setup to run one application it is likely something is wrong in your deployment strategy/design.

There are cases of multi-server setups but those are usually load-balancing and proxy setups that have Apache HTTP Server in front of your Java Application Server.

For example, you have a Tomcat serving your application on port 8080 and you wish to use http://myserver.com/myapp/ instead of http://myserver.com:8080/myapp/. You can't do that with Tomcat alone because Java can't go below port 1024 (*). For this to happen you need to set up Apache HTTP Server on port 80 and configure its mod_proxy to redirect all traffic from /myapp to http://myserver.com:8080/myapp.

*: I don't remember exact number but it's around 1024. And this is true for Linux, but maybe not for Windows, it's been a while since I used a Windows setup.

UPDATE: My bad, I forgot to emphasize the "run as system service" part as described here.

Cebence
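
The front-end arrangement described in the answers above (httpd in the DMZ serving static files and forwarding /myapp to the servlet container on port 8080), as an added example that is not part of the original answers. The backend host name `tomcat.internal.example` and the directory `/var/www/myapp-static` are assumptions; `myserver.com`, `/myapp` and port 8080 come from the answer.

```apache
# Added example, not from the original answers.
# Requires mod_proxy, mod_proxy_http, mod_alias and mod_authz_core to be loaded.
# Assumed names: tomcat.internal.example (backend), /var/www/myapp-static (static files).

<VirtualHost *:80>
    ServerName myserver.com

    # Reverse proxy only: never relay requests to arbitrary client-chosen URLs.
    ProxyRequests Off

    # Static content is served by httpd itself. "!" excludes the path from
    # proxying and must come before the broader ProxyPass rule below.
    ProxyPass /myapp/static/ !
    Alias /myapp/static/ /var/www/myapp-static/
    <Directory "/var/www/myapp-static">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Everything else under /myapp goes to the servlet container on port 8080.
    # ProxyPassReverse rewrites Location headers in redirects so the internal
    # host name and port are not handed back to clients.
    ProxyPass        /myapp/ http://tomcat.internal.example:8080/myapp/
    ProxyPassReverse /myapp/ http://tomcat.internal.example:8080/myapp/

    # Refuse anything that is not explicitly mapped above. Later <Location>
    # sections override earlier ones, so /myapp/ is re-opened after the deny.
    <Location "/">
        Require all denied
    </Location>
    <Location "/myapp/">
        Require all granted
    </Location>
</VirtualHost>

# On the backend side (outside httpd): allow port 8080 only from the httpd
# host, so the container is reachable solely through this proxy.
```

The separation only holds if the firewall rule in the last comment is in place; a container that is still directly reachable on 8080 bypasses the proxy.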
1

Well, since application servers already contain a Servlet container on board, having one more web server which handles incoming HTTP requests is redundant.

However, I once worked on a project where these layers were separated. We had a cluster of JBoss servers and a separate cluster of Tomcat servers. Tomcat was invoking JBoss via RMI with load-balancing. It was done for security (JBoss servers were inside a VPN) and scalability.

Anton
  • The project I am working on, they are using SUN Java Web Server with Weblogic plugin to forward the request. – ilovetolearn Apr 14 '13 at 10:00
  • Tomcat invoking JBoss via RMI huh? How does that help with security? And how will you use JSF, JAX-RS, Bean Validation etc then? Those are very useful in the web layer and Tomcat doesn't have those. – Mike Braun Apr 15 '13 at 09:06
  • Not everybody needs JSF, JAX-RS etc. Security benefits are rather arguable in this case. However, there are a few concerns. The database was on the same machine as JBoss. Sensitive business data (configuration, databases etc.) was on the machine, which was located in the VPN. If a malefactor gains access to the public Tomcat somehow, he will not be able to access the databases. Also there were other RMI clients which had to invoke JBoss along with Tomcat; core business logic was in JBoss. – Anton Apr 15 '13 at 13:07