Background: We inherited a Java project that uses a Tomcat Server NIO connector (with SSL) for development. The project installer, installs Tomcat as a Windows Service when the product is deployed. No attempt has been made to configure the APR connector (with SSL) instead of the NIO connector in the server.xml file, because it looks like Tomcat is performing as expected in both development and production logs.
Is this practice dangerous? Wouldn’t it be better to use two server.xml files, one for development (NIO) and one for production (APR)?
The key difference, in your case, between the APR and NIO connectors is that you’re using SSL.
The SSL configuration for APR uses OpenSSL whereas the NIO connector uses Java’s own JSSE.
In a very highly loaded environment you may see a speed improvement using APR+OpenSSL for the HTTPS protected part of your application, however NIO performs extremely well with a large number of concurrent connections.
It’s also true that SSL decoding/decryption is usually a very small part of the work compared to the CPU cycles your application uses.
If it’s performing well, it’s fine. It’s certainly not dangerous to use NIO+SSL in production.