I'm maintaining a legacy server built on TomEE. TomEE releases lag behind the Tomcat releases by a few months. We need to adhere to strict security policies in my company, and even the most recent TomEE versions are raising security flags for having unpatched security problems.
Is there a way to use TomEE with all its managed dependencies but override the Tomcat version for deployment?
The deploy environment is via Docker, so ideally I would just add a few lines to the Dockerfile to pull a newer Tomcat and overwrite the one that TomEE uses. Is that as easy as it sounds, or is there some kind of trick?
Basically, you need to adhere to the following convention:
Switching between Tomcat major versions is not easily possible. Patching minor Tomcat version updates into the corresponding TomEE release, however, is possible.
However, sometimes it is necessary to replace certain classes within a Tomcat distribution to build a full TomEE distribution from scratch. You can check the details in the related Maven build file. Some other files and properties are "bootstrapped" as well; the relevant content is contained in Installer.java and in the related web.xml.
If I needed to patch the Tomcat version and the release cycle were too slow for my needs, I would go the following path:

mvn clean install -Dskip.tests=true

(requires Java 8 + Maven). The resulting build lands in the target folder of tomee/apache-tomee/.

Alternative
You can also use the drop-in TomEE webapp to "upgrade" a Tomcat to a TomEE. However, there is a known limitation: If your webapp starts before the "tomee" webapp, the integration will have to do a separate undeploy/redeploy of your webapp which is clunky. In addition, some "magic" is required to load the tomee webapp's contents into the Tomcat server classloader. From current mailing list discussions, this webapp will be retired in the near future.
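Whichever route is taken (a rebuilt TomEE distribution or a patched one), the thing a security review actually wants to know is which Tomcat build ended up in the image. Tomcat records its version in org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar, so the check can be done without starting the server. The script below is an added example and not code from the question or the answer above; it builds a constructed fake lib/catalina.jar in a temp directory (labelled as such), reads the version out of it and compares it against a minimum you specify. The property names server.info and server.number are Tomcat's own; the sample version string and the minimum are placeholders.

```python
import tempfile
import zipfile
from pathlib import Path

# Location of the version file inside Tomcat's catalina.jar (a real Tomcat path).
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"


def parse_properties(text):
    """Minimal Java .properties parser: handles '=' and ':' separators and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def tomcat_version_from_catalina_jar(jar_path):
    """Return (server.number, server.info) as recorded inside catalina.jar."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read(SERVER_INFO_ENTRY).decode("utf-8")
    props = parse_properties(text)
    return props.get("server.number"), props.get("server.info")


def version_tuple(version):
    """'9.0.41.0' -> (9, 0, 41, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def meets_minimum(found, minimum):
    return version_tuple(found) >= version_tuple(minimum)


def check_tomee_lib(lib_dir, minimum):
    """Inspect <lib_dir>/catalina.jar and report whether it meets the required minimum."""
    found, info = tomcat_version_from_catalina_jar(Path(lib_dir) / "catalina.jar")
    return {"server.info": info, "server.number": found, "ok": meets_minimum(found, minimum)}


def build_sample_lib(server_number="9.0.41.0"):
    """Constructed sample: a fake lib/ directory with a catalina.jar that only
    contains ServerInfo.properties. Stands in for a real TomEE lib/ folder."""
    lib = Path(tempfile.mkdtemp()) / "lib"
    lib.mkdir()
    short = ".".join(server_number.split(".")[:3])
    content = (
        f"server.info=Apache Tomcat/{short}\n"
        f"server.number={server_number}\n"
        "server.built=constructed-sample\n"
    )
    with zipfile.ZipFile(lib / "catalina.jar", "w") as jar:
        jar.writestr(SERVER_INFO_ENTRY, content)
    return lib


if __name__ == "__main__":
    # Placeholder minimum; in practice take it from the advisory that raised the flag.
    sample_lib = build_sample_lib("9.0.41.0")
    print(check_tomee_lib(sample_lib, "9.0.41"))   # ok: True
    print(check_tomee_lib(sample_lib, "9.0.43"))   # ok: False
```

Pointed at a real distribution, call check_tomee_lib("/path/to/apache-tomee/lib", "<minimum>") instead of the sample. The same information is printed by Tomcat itself with java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo, which is a convenient one-liner for a Dockerfile build stage or a CI gate.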