Master Tomcat: Memory, Concurrency, Compression & Security Tuning Guide

This guide explains Tomcat’s role as a lightweight web server, details the required runtime environment, and provides step‑by‑step configurations for memory allocation, JVM options, connector concurrency, gzip compression, caching, security hardening, database connection pooling, and additional performance tweaks.

Full-Stack DevOps & Kubernetes

Tomcat Overview

Tomcat is an open‑source, lightweight web application server commonly used for small‑to‑medium systems and for developing and debugging Servlet/JSP programs.

Runtime Environment Requirements

Tomcat runs on top of an operating system and a Java Virtual Machine (JVM).

The JVM allocates an initial heap (Xms) and a maximum heap (Xmx) when the Java program starts.

When the application reaches the maximum heap, the JVM triggers garbage collection.

To adjust the initial and maximum memory, you must pass Xms and Xmx options to the JVM.

Setting Xms too small while many objects are created forces the JVM to repeatedly expand the heap.

Best practice: set Xms and Xmx to the same value.

Objects are normally allocated on the heap (the JVM may place some on the stack).

The heap can grow dynamically but is limited by physical memory; exceeding the limit causes an OutOfMemoryError.

Recommended heap size: about 80 % of physical memory.

Memory Optimization (JVM Options)

Adjust Tomcat’s startup parameters by editing catalina.sh and setting the JAVA_OPTS variable.

-server                   # Use the JVM server compiler
-Xms<size>                # Initial heap size
-Xmx<size>                # Maximum heap size
-XX:PermSize=<size>       # Permanent generation size (pre-Java 8)
-XX:MaxPermSize=<size>    # Maximum permanent generation size (pre-Java 8)

Example configuration for a server with 2 GB RAM:

JAVA_OPTS='-Xms1024m -Xmx2048m -XX:PermSize=256M -XX:MaxNewSize=256m -XX:MaxPermSize=256m'

After updating, restart Tomcat and verify the settings, e.g.:

sudo jmap -heap 15242   # 15242 is the Tomcat process ID
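As an added check (not part of the original guide) that applies the rules above to a JAVA_OPTS string: Xms equal to Xmx, Xmx no larger than 80 % of physical memory, and PermSize flags only meaningful before Java 8. The guide's own 2 GB example is used as test input; the physical-memory figure and the Java major version are assumptions passed in by the caller.

```python
import re

# Multipliers to megabytes for JVM size suffixes; no suffix means bytes.
_UNIT_TO_MB = {"": 1 / (1024 * 1024), "k": 1 / 1024, "m": 1, "g": 1024}

# The guide's own 2 GB example, reproduced here as test input.
GUIDE_EXAMPLE_OPTS = "-Xms1024m -Xmx2048m -XX:PermSize=256M -XX:MaxNewSize=256m -XX:MaxPermSize=256m"


def parse_mb(size: str) -> float:
    """Convert a JVM size such as '1024m', '2g' or '512k' to megabytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG])?", size)
    if not m:
        raise ValueError(f"unrecognised JVM size: {size!r}")
    number, unit = m.groups()
    return int(number) * _UNIT_TO_MB[(unit or "").lower()]


def check_java_opts(java_opts: str, physical_mb: int, java_major: int) -> list:
    """Return findings for a JAVA_OPTS string against the guide's sizing rules."""
    xms = xmx = None
    xx_flags = {}
    for token in java_opts.split():
        if token.startswith("-Xms"):
            xms = parse_mb(token[4:])
        elif token.startswith("-Xmx"):
            xmx = parse_mb(token[4:])
        elif (m := re.fullmatch(r"-XX:(\w+)=(\S+)", token)):
            xx_flags[m.group(1)] = m.group(2)
    findings = []
    if xms is None or xmx is None:
        findings.append("set both -Xms and -Xmx explicitly")
    else:
        if xms != xmx:
            findings.append(f"-Xms ({xms:g}m) differs from -Xmx ({xmx:g}m); "
                            "equal values avoid repeated heap resizing")
        limit = physical_mb * 0.8
        if xmx > limit:
            findings.append(f"-Xmx ({xmx:g}m) exceeds 80% of physical memory ({limit:g}m)")
    if java_major >= 8:
        # PermGen was removed in Java 8; these flags are ignored with a warning.
        for flag in ("PermSize", "MaxPermSize"):
            if flag in xx_flags:
                findings.append(f"-XX:{flag} is ignored on Java {java_major}; "
                                "PermGen was removed in Java 8")
    return findings
```

Run against the guide's example on a 2 GB host with Java 8 it reports four findings; a `-Xms1638m -Xmx1638m` pair on Java 11 passes cleanly.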

Concurrency Optimization (Connector Settings)

Modify the <Connector> element in conf/server.xml to increase request handling capacity.

<!-- minProcessors/maxProcessors are Tomcat 3/4 attributes that current releases ignore;
     maxThreads/minSpareThreads are the attributes that actually size the pool. -->
<Connector port="9027" protocol="HTTP/1.1"
    maxHttpHeaderSize="8192"
    maxThreads="1000" minSpareThreads="100"
    acceptCount="1000" redirectPort="8443"
    disableUploadTimeout="true" />

Key parameters:

maxThreads – maximum number of request processing threads.
minSpareThreads – number of idle threads kept ready.
maxSpareThreads – maximum idle threads.
enableLookups – if true, performs DNS lookups for client IPs.
redirectPort – SSL port for secure redirects.
acceptCount – maximum queue length for incoming connections.
connectionTimeout – socket timeout.
URIEncoding – character encoding for request URIs.

Compression and Caching Optimization

Enable GZIP compression to reduce response size:

<Connector port="9027" protocol="HTTP/1.1"
    maxHttpHeaderSize="8192" maxThreads="1000"
    minSpareThreads="100" maxSpareThreads="1000"
    enableLookups="false" compression="on"
    compressionMinSize="2048"
    compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain"
    connectionTimeout="20000" URIEncoding="utf-8"
    acceptCount="1000" redirectPort="8443" disableUploadTimeout="true" />

Important flags:

compression="on" – turns compression on.
compressionMinSize="2048" – only compress responses larger than 2 KB.
noCompressionUserAgents – list of browsers for which compression is disabled.
compressableMimeType – MIME types that should be compressed.

Browser caching works via the Last-Modified and If-Modified-Since headers. The server returns a 304 status when the resource has not changed, avoiding retransmission.

Security Hardening

Run Tomcat as a non‑root user to prevent privilege escalation.

Change the default HTTP connector port in server.xml to avoid common scans.

Disable the shutdown listener by setting its port to -1, or change both its port and the shutdown string:

<Server port="-1" shutdown="SHUTDOWN">

Update default manager credentials in conf/tomcat-users.xml:

<tomcat-users>
    <!-- Tomcat 7 and later use manager-gui / manager-script / manager-jmx / manager-status
         instead of the single "manager" role shown here; replace the sample password. -->
    <role rolename="manager"/>
    <user username="temobi" password="temobi8090" roles="manager"/>
</tomcat-users>

Remove the default management webapps in production:

rm -rf /usr/local/tomcat8/webapps/*
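As an added example (not from the original guide), a small audit that checks a server.xml for the points raised in the connector, compression and hardening sections above: the shutdown listener, the default HTTP port, DNS lookups, legacy thread-pool attributes, and gzip. Both sample configurations are constructed for the example; the checks assume Tomcat's documented defaults (shutdown port 8005, enableLookups and compression off).

```python
import xml.etree.ElementTree as ET

# Thread-pool attributes from the Tomcat 3/4 era; current releases silently ignore them.
LEGACY_THREAD_ATTRS = ("minProcessors", "maxProcessors")

# Constructed sample modelled on the guide's first connector, with defaults left in place.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="8192"
        minProcessors="100" maxProcessors="1000" enableLookups="true"
        acceptCount="1000" redirectPort="8443" disableUploadTimeout="true"/>
  </Service>
</Server>"""

# Constructed sample applying the guide's recommendations.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9027" protocol="HTTP/1.1" maxThreads="1000" minSpareThreads="100"
        enableLookups="false" compression="on" compressionMinSize="2048"
        acceptCount="1000" redirectPort="8443" connectionTimeout="20000"/>
  </Service>
</Server>"""


def audit_server_xml(xml_text: str) -> list:
    """Return findings for a server.xml, applying the checks this guide recommends."""
    root = ET.fromstring(xml_text)
    findings = []
    port, command = root.get("port", "8005"), root.get("shutdown", "SHUTDOWN")
    if port != "-1" and command == "SHUTDOWN":
        findings.append(f'shutdown listener on port {port} accepts the default command; '
                        'use port="-1" or a non-default shutdown string')
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.startswith(("HTTP", "org.apache.coyote.http11")):
            continue  # AJP and other connectors are outside this check
        if conn.get("port") == "8080":
            findings.append("HTTP connector listens on the default port 8080")
        if conn.get("enableLookups", "false").lower() == "true":
            findings.append('enableLookups="true" costs a DNS lookup per request')
        legacy = [a for a in LEGACY_THREAD_ATTRS if a in conn.attrib]
        if legacy:
            findings.append(f"{'/'.join(legacy)} are ignored; use maxThreads/minSpareThreads")
        if "maxThreads" not in conn.attrib:
            findings.append("maxThreads not set; the built-in default pool size applies")
        if conn.get("compression", "off") == "off":
            findings.append('compression is off; set compression="on" and compressionMinSize')
    return findings
```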

Database Connection Pool Tuning

Tomcat’s performance can suffer while waiting for database queries. Ensure that naming queries are pre‑loaded if needed, close connections promptly, and configure the pool correctly:

maxIdle – maximum idle connections.
maxActive – maximum total connections.
maxWait – maximum time to wait for a connection.

Determine optimal values by running database performance tests.

Additional Optimizations

Configure custom error pages for graceful failure handling.

Hide Tomcat version information from HTTP headers.

Disable DNS lookups to reduce latency:

enableLookups="false"

Set session timeout using one of three methods:

In conf/server.xml:

<Context path="/test" docBase="/test" defaultSessionTimeOut="3600" .../>

In WEB-INF/web.xml:

<session-config>
    <session-timeout>20</session-timeout>
</session-config>

Programmatically:

session.setMaxInactiveInterval(30*60); // seconds, -1 = never expire
Written by

Full-Stack DevOps & Kubernetes

Focused on sharing DevOps, Kubernetes, Linux, Docker, Istio, microservices, Spring Cloud, Python, Go, databases, Nginx, Tomcat, cloud computing, and related technologies.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.