How to process servlet requests during long shutdown

Question

We need to implement a graceful shutdown mechanism into our Servlet application.

EDIT: We want to make it simple as possible, which would be handling a kill signal sent via operating system's function. This would allow system admins to use built in shell utilities (kill or taskkill on Windows), otherwise they would have to install another utility just to "talk" with server.

This mechanism works in two phases:

1. upon shutdown request, deny certain critical activities
2. block until previously initiated critical actions are completed; these may take several hours

Phase #1 is implemented in our DAO layer. Phase #2 is implemented in our ServletContextListener#contextDestroyed method

Our problem is that once contextDestroyed is called the Servlet container stops servicing further HTTP requests.

EDIT: contextDestroyed is called when someone is calling the operating system's kill function on server's process.

We would like to let the application alive during Phase #2, notifying the users that some activities are unavailable.

Answer 1

Use a filter to keep a list of all critical requests.

When the "prepare shutdown" request is received, the filter should start denying some requests.

Write a servlet that tells you how many critical jobs are still left in the queue.

In the shutdown tool, send the "prepare shutdown". The poll the servlet for the number of critical jobs. When this reaches 0, send the actual shutdown command.

To make this happen, create a service in the business layer which orchestrates this. Note that everything must happen before contextDestroyed() is being called! Your special application shutdown doesn't fit into the J2EE view of the world, so you have to manage it yourself.

The service should be able to tell interested parties when a shutdown is in progress, how many critical jobs are still running, etc. Servlets and filters can then use this service to deny requests or tell how many jobs are left.

When all jobs are done, deny all requests except access to the "shutdown info" servlet which should then tell that the app is now ready for death.

Write a tool which gives the administrators a nice UI to initiate shutdown of your app.

[EDIT] You may feel tempted to prevent the OS from shutting down your application. Don't do that.

What you should do is write a special tool to shut down your application using the two phase process that I described above. This should be the standard way to shutdown.

Yes, administrators will complain about it. On Unix, you can hide this tool by putting it into the init script, so no one will notice. There might be a similar solution on Windows.

Killing the server should always be possible to be able to stop it in case of (un)expected circumstances like: bugs in your shutdown code, emergency shutdown during power failure, bugs in your application code, or when Murphy happens.