Ensure that ServerAuthModule.initialize() is called when
a Jakarta Authentication module is configured via
registerServerAuthModule(). (markt)
Ensure that the Jakarta Authentication CallbackHandler only
creates one GenericPrincipal in the Subject.
(markt)
If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the
ServerAuthContext may not have set it. (markt)
When persisting the Jakarta Authentication provider configuration,
create any necessary parent directories that don't already exist.
(markt)
Correct the logic used to detect errors when deleting temporary files
associated with persisting the Jakarta Authentication provider
configuration. (markt)
When processing Jakarta Authentication callbacks, don't overwrite a
Principal obtained from the PasswordValidationCallback with
null if the CallerPrincipalCallback does not
provide a Principal. (markt)
Avoid store config backup loss when storing one configuration more than
once per second. (remm)
69359: WebdavServlet duplicates
getRelativePath() method from super class with
incorrect Javadoc. (michaelo)
69360: Inconsistent DELETE behavior between
WebdavServlet and DefaultServlet.
(michaelo)
Make WebdavServlet properly return the Allow
header when deletion of a resource is not allowed. (michaelo)
Add log warning if non wildcard mappings are used with the
WebdavServlet. (remm)
69361: Ensure that the order of entires in a multi-status
response to a WebDAV is consistent with the order in which resources
were processed. (markt)
69362: Provide a better multi-status response when deleting a
collection via WebDAV fails. Empty directories that cannot be deleted
will now be included in the response. (markt)
69363: Use getPathPrefix() consistently in the
WebDAV servlet to ensure that the correct path is used when the WebDAV
servlet is mounted at a sub-path within the web application. (markt)
Coyote
69316: Ensure that
FastHttpDateFormat#getCurrentDate() (used to generate Date
headers for HTTP responses) generates the correct string for the given
input. Prior to this change, the output may have wrong by one second in
some cases. Pull request #751 provided by Chenjp. (markt)
Request start time may not have been accurately recorded for HTTP/1.1
requests preceded by a large number of blank lines. (markt)
Add server and serverRemoveAppProvidedValues
to the list of attributes the HTTP/2 protocol will inherit from the
HTTP/1.1 connector it is nested within. (markt)
Avoid possible crashes when using Apache Tomcat Native, caused by
destroying SSLContext objects through GC after APR has been terminated.
(remm)
Improve HTTP/2 handling of trailer fields for requests. Trailer fields
no longer need to be recieved before the headers of the subsequent
stream nor are trailer fields for an in progress stream swallowed if the
Connector is paused before the trailer fields are received. (markt)
Ensure the request and response are not recycled too soon for an HTTP/2
stream when a stream level error is detected during the processing of
incoming HTTP/2 frames. This could lead to incorrect processing times
appearing in the access log. (markt)
Jasper
69333: Remove unnecessary code from generated JSPs. (markt)
69338: Improve the performance of processing expressions that
include AND or OR operations with more than two operands and expressions
that use not empty. (markt)
69348: Reduce memory consumption in ELContext by
using lazy initialization for the data structure used to track lambda
arguments. (markt)
Web applications
The manager webapp will now be able to access certificates again when
OpenSSL is used. (remm)
Other
Update to the Eclipse JDT compiler 4.33. (markt)
Update Byte Buddy to 1.15.3. (markt)
Update CheckStyle to 10.18.2. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Chinese translations by Ch_jp. (markt)
release in progress Tomcat 11.0.0-M26 (markt)
Coyote
Fix 69320, a regression in the fix for 69302 that
meant the HTTP/2 processing was likely to be broken for all clients once
any client sent an HTTP/2 reset frame. (markt)
2024-09-10 Tomcat 11.0.0-M25 (markt)
Catalina
Implement the recent clarification from the Jakarta Servlet project that
if a content length is declared then once that many bytes have been
written to the response, further writes should trigger an
IOException. (markt)
Improve performance of
ApplicationHttpRequest.parseParameters(). Based on sample
code and test cases provided by John Engebretson. (markt)
Coyote
Correct a regression in the fix for non-blocking reads of chunked
request bodies that caused InputStream.available() to
return a non-zero value when there was no data to read. In some
circumstances this could cause a blocking read to block waiting for more
data rather than return the data it had already received. (markt)
Add a new attribute cookiesWithoutEquals to the
Rfc6265CookieProcessor. The default behaviour is unchanged.
(markt)
Ensure that Tomcat sends a TLS close_notify message after receiving one
from the client when using the OpenSSLImplementation.
(markt)
69301: Fix trailer headers replacing non-trailer headers when
writing response headers to the access log. Based on a patch and test
case provided by hypnoce. (markt)
69302: If an HTTP/2 client resets a stream before the request
body is fully written, ensure that any ReadListener is
notified via a call to ReadListener.onErrror(). (markt)
Jasper
Switch the TldScanner back to logging detailed scan
results at debug level rather than trace level. (markt)
Simplify the implementation of OptionalELResolver. (markt)
WebSocket
If a blocking message write exceeds the timeout, don't attempt the write
again before throwing the exception. (markt)
An Exception being thrown during message processing (e.g. in a method
annotated with @onMessage) should not automatically cause
the connection to close. The application should handle the exception and
make the decision whether or not to close the connection. (markt)
Web applications
Documentation. Align the logging configuration documentation with the
current defaults. (markt)
jdbc-pool
69255: Correct a regression in the fix for 69206
that meant exceptions executing statements were wrapped in an
java.lang.reflect.UndeclaredThrowableException rather than
the application seeing the original SQLException. Fixed
by pull request #744 provided by Michael Clarke. (markt)
69279: Correct a regression in the fix for 69206
that meant that methods that previously returned a nullResultSet were returning a proxy with a null delegate.
Fixed by pull request #745 provided by Huub de Beer. (markt)
Other
Exclude the tomcat-coyote-ffm.jar from JAR scanning by
default. (markt)
Change the default log handler level to ALL so log messages
are not dropped by default if a logger is configured to use trace
(FINEST) level logging. (markt)
Update Hamcrest to 3.0. (markt)
Update EasyMock to 5.4.0. (markt)
Update Byte Buddy to 1.15.0. (markt)
Update CheckStyle to 10.18.0. (markt)
Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
Improvements to Spanish translations by Fernando. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
2024-08-06 Tomcat 11.0.0-M24 (markt)
Catalina
69234: Fix a regression caused by the refactoring to use
java.net.URI rather than java.net.URL that
broke support for parallel deployment with WAR files. (markt)
Coyote
Correct regressions in the refactoring that added recycling of the
coyote request and response to the HTTP/2 processing. (markt)
not released Tomcat 11.0.0-M23 (markt)
Catalina
Add support for RFC 8297 (Early Hints). Applications can use this
feature by casting the HttpServletResponse to
org.apache.catalina.connector.Reponse and then calling the
method void sendEarlyHints(). This method will be added to
the Servlet API (removing the need for the cast) in Servlet 6.2 onwards.
(markt)
69214: Do not reject a CORS request that uses POST but does
not include a content-type header. Tomcat now correctly
processes this as a simple CORS request. Based on a patch suggested by
thebluemountain. (markt)
Refactor SpnegoAuthenticator so it uses
Subject.callAs() rather than Subject.doAs()
when the available. (markt)
Coyote
Add FFM compatibility methods for LibreSSL support. Renegotiation is
not supported at the moment. (remm)
Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies
the name of the library to load) and
org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY
(set to true to use System.loadLibrary rather
than the FFM library loading code) to configure the OpenSSL library
loading using FFM. (remm)
Add FFM compatibility methods for BoringSSL support. Renegotiation is
not supported in many cases. (remm)
Ensure that HTTP/2 stream input buffers are only created when there is a
request body to be read. (markt)
Refactor creation of HttpParser instances from the Processor level to
the Protocol level since the parser configuration depends on the
protocol and the parser is, otherwise, stateless. (markt)
Align HTTP/2 with HTTP/1.1 and recycle the container internal request
and response processing objects by default. This behaviour can be
controlled via the new discardRequestsAndResponses
attribute on the HTTP/2 upgrade protocol. (markt)
jdbc-pool
69206: Ensure statements returned from Statement
methods executeQuery(), getResultSet() and
getGeneratedKeys() are correctly wrapped before being
returned to the caller. Based on pull request #742 provided by
Michael Clarke.
Other
Fix packaging regression with missing osgi information following
addition of the test-only build target. (remm)
Update Tomcat Native to 2.0.8. (markt)
Update Byte Buddy to 1.14.18. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
2024-07-05 Tomcat 11.0.0-M22 (markt)
Catalina
Allow JAASRealm to use the configuration source to load a
configured configFile, for easier use with testing. (remm)
Fix a potential NullPointerException in classes that extend
ServletResponse when
setCharacterEncoding(Charset) is called with
null. (markt)
Add missing algorithm callback to the JAASCallbackHandler.
(remm)
Add the OpenSSL version number on the APR and OpenSSL status classes.
(remm)
69131: Expand the implementation of the filter
value of the Authenticator attribute allowCorsPreflight, so
that it applies to all requests that match the configured URL patterns
for the CORS filter, rather than only applying if the CORS filter is
mapped to /*. (markt)
Coyote
Improve the algorithm used to identify the IP address to use to unlock
the acceptor thread when a Connector is listening on all local
addresses. Interfaces that are configured for point to point connections
or are not currently up are now skipped. (markt)
Clean and log OpenSSL errors before processing of OpenSSL conf commands
in the FFM code. (remm)
69121: Ensure that the onComplete() event is
triggered if AsyncListener.onError() dispatches to a target
that throws an exception. (markt)
Following the trailer header field refactoring, -1 is no
longer an allowed value for maxTrailerSize. Adjust
documentation accordingly. (remm)
Move OpenSSL support using FFM to a separate JAR named
tomcat-coyote-ffm.jar that advertises Java 22 in its
manifest. (remm)
Fix search for OpenSSL library for FFM on Mac OS so that
java.library.path is searched. (markt)
Jasper
Update the optimisation in jakarta.el.ImportHandler so it
is aware of new classes added to the java.lang package in
Java 23. (markt)
Ensure that an exception in toString() still results in an
ELException when an object is coerced to a String using
ExpressionFactory.coerceToType(). (markt)
Add support for specifying Java 24 (with the value 24) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
69135: When using include directives in a tag file packaged
in a JAR file, ensure that context relative includes are processed
correctly. (markt)
69135: When using include directives in a tag file packaged
in a JAR file, ensure that file relative includes are processed
correctly. (markt)
69135: When using include directives in a tag file packaged
in a JAR file, ensure that file relative includes are are not permitted
to access files outside of the /META_INF/tags/ directory
nor outside of the JAR file. (markt)
Web applications
Fix status servlet detailed view of the connectors when using automatic
port. (remm)
Other
Add test-only build target to allow running only the
testsuite, supporting Java versions down to the minimum supported
to run Tomcat. (rjung)
Update to the Eclipse JDT compiler 4.32. (markt)
Update UnboundID to 7.0.1. (markt)
Update to SpotBugs 4.8.6. (markt)
Remove cglib dependency as it is not required by the version of EasyMock
used by the unit tests. (markt)
Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy
1.14.17. (markt)
Improvements to Czech translations by Vladimír Chlup. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Chinese translations by fangzheng. (markt)
2024-06-18 Tomcat 11.0.0-M21 (markt)
Catalina
Add support for shallow copies when using WebDAV. (markt)
Remove the WebdavFixFilter as it is no longer required.
(markt)
69066: Fix regression in SPNEGO authenticator when
processing Base64. Submitted by Daniel Lyko. (remm)
Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext)
for retrieving extended/additional information from an established
GSS context. (michaelo)
Correct a regression in the fix for 68721 that caused some
instances of LinkageError to be reported as
ClassNotFoundException. (markt)
Ensure that static resources deployed via a JAR file remain accessible
when the context is configured to use a bloom filter. Based on pull
request #730 provided by bergander. (markt)
Introduce reference counting so the AprLifecycleListener
is more robust. This particularly targets more complex embedded
configurations with multiple server instances with independent
lifecycles where more than one server instance requires the
AprLifecycleListener. (markt)
Coyote
Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer,
and use ERR_error_string_n instead. (remm)
Fix a crash on Windows setting CA certificate on null path.
(remm)
69068: Ensure read timouts are triggered for asynchronous,
non-blocking reads when using HTTP/2. (markt)
69133: Add task queue size configuration on the
Connector element, similar to the Executor
element, for consistency. (remm)
Make counting of active HTTP/2 streams per connection more robust.
(markt)
Add support for TLS 1.3 client initiated re-keying. (markt)
Jasper
68546: Small additional optimisation for initial loading of
Servlet code generated for JSPs. Based on a suggestion by Dan Armstrong.
(markt)
Web applications
Add the ability to set a sub-title for the Manager web application main
page. This is intended to allow users with lots of instances to easily
distinguish them. Based on pull request #724 by Simon Arame.
(markt)
Other
Revert Derby to 10.16.1.1 as that is the latest version of Derby that
runs on Java 17. (markt)
Update to Commons Daemon 1.4.0. (markt)
Update to Jakarta Annotations API 3.0. (markt)
Update to Jakarta Authentication API 3.1. (markt)
Update to Objenesis 3.4. (markt)
Update to Checkstyle 10.17.0. (markt)
Update to SpotBugs 4.8.5. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
2024-05-08 Tomcat 11.0.0-M20 (markt)
Catalina
Deprecate and remove sessionCounter (replaced by the
addition of the active session count and the expired session count,
as a reasonable approximation) and duplicates (which
does not represent a possible event in current implementations)
statistics from the session manager. (remm)
68890 Align output encoding of JSPs in the Manager webapp
with the XML declarations in those same files. (schultz)
Update Basic authentication to implement the requirements of RFC 7617
including the removal of the trimCredentials setting which
is now hard-coded to false. (markt)
Small performance optimization when logging cookies with no values.
(schultz)
Correct error handling for asynchronous requests. If the application
performs an dispatch during AsyncListener.onError() the
dispatch is now performed rather than completing the request using the
error page mechanism. (markt)
Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable
style. (schultz)
Add more timescale options to AccessLogValve and ExtendedAccessLogValve.
Allow timescales to apply to "time-taken" token in ExtendedAccessLogValve.
(schultz)
Fix WebDAV lock null (locks for non existing resources) thread safety
and removal. (remm)
Add periodic checking for WebDAV locks expiration. (remm)
Extend Asn1Parser to parse UTF8Strings.
(michaelo)
Remove MBean metadata for attibutes that have been removed. Based on
pull request #719 by Shawn Q. (markt)
Remove duplicate ID check from Manager.rotateSessionId().
(markt)
Coyote
Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm)
Align non-secure and secure writes with NIO and skip the write attempt
when there are no bytes to be written. (markt)
Allow any positive value for socket.unlockTimeout. If a
negative or zero value is configured, the default of 250ms
will be used. (mark)
Reduce the time spent waiting for the connector to unlock. The previous
default of 10s was noticeably too long for cases where the unlock has
failed. The wait time is now 100ms plus twice
socket.unlockTimeout. (markt)
Ensure that the onAllDataRead() event is triggered when the
request body uses chunked encoding and is read using non-blocking IO.
(markt)
68934: Add debug logging in the latch object when exceeding
maxConnections. (remm)
Refactor trailer field handling to use a MimeHeaders
instance to store trailer fields. (markt)
Ensure that multiple instances of the same trailer field are handled
correctly. (markt)
Fix non-blocking reads of chunked request bodies. (markt)
Refactor HTTP header parsing to use common parsing code. (markt)
When an invalid HTTP response header was dropped, an off-by-one error
meant that the first header in the response was also dropped. Fix based
on pull request #710 by foremans. (markt)
Jasper
Add support for specifying Java 23 (with the value 23) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
WebSocket
68884: Reduce the write timeout when writing WebSocket close
messages for abnormal closes. The timeout defaults to 50 milliseconds
and may be controlled using the
org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT
property in the user properties collection associated with the WebSocket
session. (markt)
Web applications
Examples: Improve performance of WebSocket chat application when
multiple clients disconnect at the same time. (markt)
Examples: Increase the number of previous messages displayed when using
the WebSocket chat application. (markt)
Examples: Improve performance of WebSocket snake application when
multiple clients disconnect at the same time. (markt)
Other
Switch to using the Base64 encoder and decoder provided by the JRE
rather than the version provided by Commons Codec. This removes the
internal fork of Commons Codec. (markt)
Update to the Eclipse JDT compiler 4.31. (markt)
Update NSIS to 3.10. (mark0t)
Update UnboundID to 7.0.0. (markt)
Update Checkstyle to 10.16.0. (markt)
Update JaCoCo to 0.8.12. (markt)
Update SpotBugs to 4.8.4. (markt)
Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
Improvements to Japanese translations by tak7iji. (remm)
2024-04-16 Tomcat 11.0.0-M19 (remm)
Catalina
Add highConcurrencyStatus attribute to the
SemaphoreValve to optionally allow the valve to return an
error status code to the client when a permit cannot be acquired from
the semaphore. (remm)
Add checking of the "age" of the running Tomcat instance since its
build-date to the SecurityListener, and log a warning if the server
is old. (schultz)
When using the AsyncContext, throw an
IllegalStateException, rather than allowing an
NullPointerException, if an attempt is made to use the
AsyncContext after it has been recycled. (markt)
Add a default implementation for HttpSession.getAccessor()
to align with the Servlet 6.1 API. (markt)
Add the Jakarta EE 11 XML schemas and update Tomcat and included web
applications to use them. (markt)
Change the thread-safety mechanism for protecting StandardServer.services
from a simple synchronized lock to a ReentrantReadWriteLock to allow
multiple readers to operate simultaneously. Based upon a suggestion by
Markus Wolfe. (schultz)
Improve Service connectors, Container children and Service executors
access sync using a ReentrantReadWriteLock. (remm)
Improve handling of integer overflow if an attempt is made to upload a
file via the Servlet API and the file is larger than
Integer.MAX_VALUE. (markt)
68862: Handle possible response commit when processing read
errors. (remm)
Coyote
Add threadsMaxIdleTime attribute to the endpoint,
to allow configuring the amount of time before an internal executor
will scale back to the configured minSpareThreads size.
(remm)
Adjust the Set-Cookie header generated by the
Rfc6265CookieProcessor so that attributes with a value of
the empty string will be output as bare attribute names without an
equals sign or value. This will simplify future support for similar new
attributes by removing the need for special handling. (markt)
Refactor the internal representation of the HttpOnly and
Secure attributes to use the empty string as the value for
consistency with the recent changes to Set-Cookie header
generation. (markt)
Do not generate the Max-Age attribute for
Set-Cookie headers associated with cookies that have been
configured with a Max-Age value of zero as RFC 6265 does
not permit a value of zero in this case. (markt)
Correct a regression in the support for user provided
SSLContext instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener.
(markt)
Jasper
Handle the case where the JSP engine forwards a request/response to a
Servlet that uses an OutputStream rather than a
Writer. This was triggering an
IllegalStateException on code paths where there was a
subsequent attempt to obtain a Writer. (markt)
Correctly handle the case where a tag library is packaged in a JAR file
and the web application is deployed as a WAR file rather than an
unpacked directory. (markt)
Prevent the web application's ClassLoader from being pinned by the JSP
compiler if an application uses a custom XMLInputFactory. Based upon a
suggestion from Simon Niederberger. (schultz)
Other
Update Checkstyle to 10.14.1. (markt)
Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
Update the internal fork of Apache Commons Codec to 1.16.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (remm)
Improvements to Chinese translations by leeyazhou. (remm)
2024-03-14 Tomcat 11.0.0-M18 (markt)
General
Reduce the minimum supported Java version to Java 17. (markt)
Catalina
Minor performance improvement for building filter chains. Based on
ideas from pull request #702 by Luke Miao. (remm)
Align error handling for Writer and
OutputStream. Ensure use of either once the response has
been recycled triggers a NullPointerException provided that
discardFacades is configured with the default value of
true. (markt)
68692: The standard thread pool implementations that are
configured using the Executor element now implement
ExecutorService for better support NIO2. The
org.apache.catalina.Executor interface now extends
ExecutorService. (remm)
68495: When restoring a saved POST request after a successful
FORM authentication, ensure that neither the URI, the query string nor
the protocol are corrupted when restoring the request body. (markt)
After forwarding a request, attempt to unwrap the response in order to
suspend it, instead of simply closing it if it was wrapped. Add a new
suspendWrappedResponseAfterForward boolean attribute on
Context to control the bahavior, defaulting to
true. (remm)
68721: Workaround a possible cause of duplicate class
definitions when using ClassFileTransformers and the
transformation of a class also triggers the loading of the same class.
(markt)
The rewrite valve should not do a rewrite if the output is identical
to the input. (remm)
Add a new valveSkip (or VS) rule flag to the
rewrite valve to allow skipping over the next valve in the Catalina
pipeline. (remm)
Coyote
Fix bad symbol lookup use in the OpenSSL FFM code. (remm)
Improve the HTTP/2 stream prioritisation process. If a stream uses all
of the connection windows and still has content to write, it will now be
added to the backlog immediately rather than waiting until the write
attempt for the remaining content. (markt)
Jasper
Add method invocation support for java.util.Optional via
the jakarta.el.OptionalELResolver to Tomcat's
implementation of the Jakarta EL API to align with the latest proposals
for the Jakarta EL 6.0 API. The property support has also been refined
for greater consistency. (markt)
The defaults for compilerSourceVM and
compilerTargetVM have been updated to 17 to align with Java
17 being the minimum Java version required for Tomcat 11. (markt)
Cluster
Avoid updating request count stats on async. (remm)
Other
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
57130: Allow digest.(sh|bat) to accept password from a file
or stdin. (csutherl/schultz)
2024-02-19 Tomcat 11.0.0-M17 (markt)
Catalina
Implement HttpSession.getAccessor() which provides a
mechanism for applications to interact with an HttpSession
outside the standard Servlet processing of an HTTP request. This is
expected to be especially useful with applications using the Jakarta
WebSocket API. (markt)
Correct JPMS and OSGi meta-data for tomcat-embed-core.jar
by removing reference to org.apache.catalina.ssi package
that is no longer included in the JAR. Based on pull request
#684 by Jendrik Johannes. (markt)
Fix ServiceBindingPropertySource so that trailing \r\n
sequences are correctly removed from files containing property values
when configured to do so. Bug identified by Coverity Scan. (markt)
Add improvements to the CSRF prevention filter including the ability
to skip adding nonces for resource name and subtree URL patterns. (schultz)
Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
68089: Further improve the performance of request attribute
access for ApplicationHttpRequest and
ApplicationRequest. (markt)
68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
Coyote
Setting a null value for a cookie attribute should remove
the attribute. (markt)
Optimize state handling for OpenSSL context callbacks with the FFM API.
(remm)
Make asynchronous error handling more robust. Ensure that once a
connection is marked to be closed, further asynchronous processing
cannot change that. (markt)
Make asynchronous error handling more robust. Ensure that once the call
to AsyncListener.onError() has returned to the container,
only container threads can access the AsyncContext. This
protects against various race conditions that would otherwise occur if
application threads continued to access the AsyncContext.
Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. In particular, most of the
HTTP/2 debug logging has been changed to trace level. (remm)
Add support for user provided SSLContext instances
configured on SSLHostConfigCertificate instances. Based on
pull request #673 provided by Hakan Altındağ. (markt)
Partial fix for 68558: Cache the result of converting to
String for request URI, HTTP header names and the request
Content-Type value to improve performance by reducing
repeated byte[] to String conversions. (markt)
Improve error reporting to HTTP/2 clients for header processing errors
by reporting problems at the end of the frame where the error was
detected rather than at the end of the headers. (markt)
Remove the remaining reference to a stream once the stream has been
recycled. This makes the stream eligible for garbage collection earlier
and thereby improves scalability. (markt)
Jasper
Additional fixes to correctly support length as a read-only
property of an array via the ArrayELResolver. (markt)
68546: Generate optimal size and types for JSP imports maps,
as suggested by John Engebretson. (remm)
Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
WebSocket
Correct a regression in the fix for 66508 that could cause an
UpgradeProcessor leak in some circumstances. (markt)
Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
Ensure that WebSocket connection closure completes if the connection is
closed when the server side has used the proprietary suspend/resume
feature to suspend the connection. (markt)
Web applications
Add support for responses in JSON format from the examples application
RequestHeaderExample. (schultz)
Other
Correct the remaining OSGi contract references in the manifest files to
refer to the Jakarta EE contract names rather than the Java EE contract
names. Based on pull request #685 provided by Paul A. Nicolucci.
(markt)
Update Checkstyle to 10.13.0. (markt)
Update JSign to 6.0. (markt)
Update the packaged version of the Tomcat Migration Tool for Jakarta EE
to 1.0.7. (markt)
Update Tomcat Native to 2.0.7. (markt)
Add strings for debug level messages. (remm)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
2024-01-09 Tomcat 11.0.0-M16 (markt)
Catalina
Allow alternate redirect status code for directory redirects issued by
the default servlet via the init param
directoryRedirectStatusCode. (funkman/markt)
68378: Align extension to MIME type mappings in the global
web.xml with those in httpd by adding
application/vnd.geogebra.slides for ggs,
text/javascript for mjs and
audio/ogg for opus. (markt)
Coyote
Refactor the VirtualThreadExecutor so that it can be used
by the NIO2 connector which was using platform threads even when
configured to use virtual threads. (markt)
Correct a regression in the fix for 67675 that broke TLS key
file parsing for PKCS#8 format keys that do not specify an explicit
pseudo-random function and rely on the default. This typically affects
keys generated by OpenSSL 1.0.2. (markt)
Allow multiple operations with the same name on introspected mbeans,
fixing a regression caused by the introduction of a second
addSslHostConfig method. (remm)
Relax the check that the HTTP Host header is consistent with the host
used in the request line, if any, to make the check case insensitive
since host names are case insensitive. (markt)
68348: Add support for the partitioned attribute for cookies
including session cookies. (markt)
Jasper
The defaults for compilerSourceVM and
compilerTargetVM have been updated to 21 to align with Java
21 being the minimum Java version required for Tomcat 11. (markt)
Web Applications
68035: Additional fix to the Manager application to enable
the deployment of a web application located in a Host's
appBase where the web application is specified by a bare
(no path) WAR or directory name as shown in the documentation. (markt)
Other
Update to the Eclipse JDT compiler 4.30. (markt)
Update Checkstyle to 10.12.7. (markt)
Update SpotBugs to 4.8.3. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
2023-12-12 Tomcat 11.0.0-M15 (markt)
Catalina
Background processes should not be run concurrently with lifecycle
operations of a container. (remm)
Add support for the jakarta.servlet.request.secure_protocol
request attribute that has been added in Jakarta Servlet 6.1. This
replaces the now deprecated Tomcat specific request attribute
org.apache.tomcat.util.net.secure_protocol_version. (markt)
Align behaviour with the latest addition to the Servlet 6.1
specification that requires that all HTTP error dispatches use the GET
method. (markt)
Correct unintended escaping of XML in some WebDAV responses. The XML
list of support locks when provided in response to a PROPFIND request
was incorrectly XML escaped. (markt)
68227: Ensure that AsyncListener.onComplete() is
called if AsyncListener.onError() calls
AsyncContext.dispatch(). (markt)
68228: Use a 408 status code if a read timeout occurs during
HTTP request processing. Includes a test case based on code provided by
adwsingh. (markt)
Coyote
Use Java code to load certificate chain when using OpenSSL through
the FFM API. (remm)
Jasper
68119: Refactor the CompositeELResolver to
improve performance during type conversion operations. (markt)
Web Applications
Examples. Improve the error handling so snakes associated with a user
that drops from the network are removed from the game. (markt)
Other
Update the OWB module to Apache OpenWebBeans 4.0.1. (remm)
68124: Migrate sample.war from javax to jakarta. (lihan)
Update UnboundID to 6.0.11. (markt)
Update Checkstyle to 10.12.5. (markt)
Update SpotBugs to 4.8.2. (markt)
Update Derby to 10.17.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Brazilian Portuguese translations by John William
Vicente. (markt)
Improvements to Russian translations by usmazat and remm. (markt)
2023-11-15 Tomcat 11.0.0-M14 (markt)
Catalina
67667: TLSCertificateReloadListener prints
unreadable rendering of X509Certificate#getNotAfter().
(michaelo)
The status servlet included in the manager webapp can now output
statistics as JSON, using the JSON=true URL parameter.
(remm)
Optionally allow ServiceBindingPropertySource to trim a trailing newline
from a file containing a property-value. (schultz)
Use Files.move instead of File.renameTo in the FarmWebDeployer to
support a broader range of environments, and to give better information
in the event of a failure. (schultz)
67793: Ensure the original session timeout is restored after
FORM authentication if the user refreshes a page during the FORM
authentication process. Based on a suggestion by Mircea Butmalai.
(markt)
67926: PEMFile prints unidentifiable string
representation of ASN.1 OIDs. (michaelo)
66875: Ensure that setting the request attribute
jakarta.servlet.error.exception is not sufficient to
trigger error handling for the current request and response. (markt)
68054: Avoid some file canonicalization calls introduced
by the fix for 65433. (remm)
68089: Improve performance of request attribute access for
ApplicationHttpRequest and ApplicationRequest.
(markt)
Use a 400 status code to report an error due to a bad request (e.g. an
invalid trailer header) rather than a 500 status code. (markt)
Ensure that an IOException during the reading of the
request triggers always error handling, regardless of whether the
application swallows the exception. (markt)
Coyote
66670: Add SSLHostConfig#certificateKeyPasswordFile and
SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
When calling
SSLHostConfigCertificate.setCertificateKeystore(ks),
automatically call
setCertificateKeystoreType(ks.getType()). (markt)
Add OpenSSL integration using the FFM API rather than Tomcat Native.
OpenSSL support may be enabled by adding the
org.apache.catalina.core.OpenSSLLifecycleListener
listener on the Server element when using Java 22
(starting with preview build 20) or later. (remm)
67628: Clarify how the ciphers attribute of the
SSLHostConfig is used. (markt)
67666: Ensure TLS connectors using PEM files either work with
the TLSCertificateReloadListener or, in the rare case that
they do not, log a warning on Connector start. (markt)
67675: Support a wider range of KDF and ciphers for PEM files
than the combinations supported by the JVM by default. Specifically,
support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
67927: Reloading TLS configuration can cause the Connector to
refuse new connections or the JVM to crash. (markt)
67938: Correct handling of large TLS client hello messages
that were causing the TLS handshake to fail. (markt)
68026: Convert selected MessageByte values to
String when first accessed to speed up subsequent accesses and reduce
garbage collection. (markt)
Jasper
Add support for Records to expression language. (markt)
68068: Performance improvement for EL. Based on a suggestion
by John Engebretson. (markt)
WebSocket
Correct missing metadata in the MANIFEST of the for WebSocket client API
JAR file. (markt)
Web applications
68035: Correct a regression in the fix for 56248
that prevented deployment via the Manager of a WAR or directory that was
already present in the appBase or a context file that was
already present in the xmlBase. (markt)
Other
67538: Make use of Ant's <javaversion /> task
to enfore the mininum Java build version. (michaelo)
Update Checkstyle to 10.12.4. (markt)
Update JaCoCo to 0.8.11. (markt)
Update SpotBugs to 4.8.0. (markt)
Update BND to 7.0.0. (markt)
2023-10-14 Tomcat 11.0.0-M13 (markt)
Coyote
67670: Fix regression with HTTP compression after code
refactoring. (remm)
jdbc-pool
67664: Correct a regression in the clean-up of unnecessary
use of fully qualified class names in 11.0.0-M12 that broke the
jdbc-pool. (markt)
2023-10-10 Tomcat 11.0.0-M12 (markt)
Catalina
65770: Provide a lifecycle listener that will automatically
reload TLS configurations a set time before the certificate is due to
expire. This is intended to be used with third-party tools that
regularly renew TLS certificates. (markt)
Fix handling of an error reading a context descriptor on deployment.
(remm)
Fix rewrite rule qsd (query string discard) being ignored if qsa was
also use, while it should instead take precedence. (remm)
67472: Send fewer CORS-related headers when CORS is not
actually being engaged. (schultz)
Improve handling of failures within recycle() methods.
(markt)
Coyote
67198: Ensure that the AJP connector attribute
tomcatAuthorization takes precedence over the
tomcatAuthentication attribute when processing an
auth_type attribute received from a proxy server. (markt)
67235: Fix a NullPointerException when an
AsyncListener handles an error with a dispatch rather than
a complete. (markt)
When an error occurs during asynchronous processing, ensure that the
error handling process is only triggered once per asynchronous cycle.
(markt)
Fix logic issue trying to match no argument method in IntropectionUtil.
(remm)
Improve thread safety around readNotify and writeNotify in the NIO2
endpoint. (remm)
Improve statistics collection for upgraded connections under load.
(remm)
PushBuilder has been deprecated in line with the changes
for the Servlet 6.1 specification. It will be replaced in a future
Tomcat 11 milestone with support for 103 early hints. (markt)
Remove support for HTTP/2 server push. Calls to
newPushBuilder() will always return null.
(markt)
Align validation of HTTP trailer fields with standard fields. (markt)
Improvements to HTTP/2 overhead protection. (markt)
Jasper
67080: Improve performance of EL expressions in JSPs that use
implicit objects. Based on suggestions by John Engebretson, Anurag Dubey
and Christopher Schultz. (markt)
Other
Update the internal fork of Apache Commons FileUpload to 7a8c324
(2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
branch requiring additional Commons IO dependencies, Tomcat has switched
to tracking the 1.x branch. (markt)
Add the Bundle-License header to the JAR manifest for all
Tomcat JARs. (markt)
Update to the Eclipse JDT compiler 4.29. (markt)
Update UnboundID to 6.0.10. (markt)
Update Checkstyle to 10.12.3. (markt)
Update Tomcat Native to 2.0.6. (markt)
Update Commons Pool to 2.12.0. (markt)
67611: Correct the download link in BUILDING.txt. (lihan)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Russian translations by usmazat. (markt)
2023-08-25 Tomcat 11.0.0-M11 (markt)
Catalina
If an application or library sets both a non-500 error code and the
jakarta.servlet.error.exception request attribute, use the
provided error code during error page processing rather than assuming an
error code of 500. (markt)
Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
and KiB for 1024 bytes rather than MB and kB. (martk)
Update the HTTP parameter handling to align with the changes in the
Jakarta Servlet 6.1 API Javadoc for the ServletRequest
methods used to obtain request parameters. Invalid parameters and/or
exceeding parameter size and/or quantity limits now trigger
exceptions. As a consequence, the FailedRequestFilter has
been removed. (markt)
Avoid protocol relative redirects in FORM authentication. (markt)
Web applications
Documentation. Update documentation to use MiB for 1024 * 1024 bytes and
KiB for 1024 bytes rather than MB and kB. (martk)
Other
Improvements to Chinese translations. (lihan)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
2023-08-14 Tomcat 11.0.0-M10 (markt)
Catalina
Fix potential database connection leaks in
DataSourceUserDatabase identified by Coverity Scan. (markt)
Make parsing of ExtendedAccessLogValve patterns more
robust. (markt)
Fix failure trying to persist configuration for an internal credential
handler. (remm)
66680: When serializing a session during the session
presistence process, do not log a warning that null Principals are not
serializable. Pull request #638 provided by tsryo. (markt)
66822: Use the same naming format in log messages for
Connector instances as the associated ProtocolHandler instance. (markt)
The parts count should also lower the actual
maxParameterCount used for parsing parameters if parts are
parsed first. (remm)
Coyote
Refactor blocking reads and writes for the NIO connector to remove
code paths that could allow a notification from the Poller to be missed
resuting in a timeout rather than the expected read or write. (markt)
Refactor waiting for an HTTP/2 stream or connection window update to
handle spurious wake-ups during the wait. (markt)
Improve extensibility of endpoints for socket channel creation and TLS.
Pull request #639 provided by Marco Fargetta. (remm)
Correct a regression introduced in 11.0.0-M9 and use the correct
constant when constructing the default value for the
certificateKeystoreFile attribute of an
SSLHostConfigCertificate instance. (markt)
Refactor HTTP/2 implementation to reduce pinning when using virtual
threads. (markt)
Pass through ciphers referring to an OpenSSL profile, such as
PROFILE=SYSTEM instead of producing an error trying to
parse it. (remm)
66841: Ensure that AsyncListener.onError() is
called after an error during asynchronous processing with HTTP/2.
(markt)
66842: When using asynchronous I/O (the default), include
DATA frames when calculating the HTTP/2 overhead count to ensure that
connections are not prematurely terminated. (markt)
Correct a race condition that could cause spurious RST messages to be
sent after the response had been written to an HTTP/2 stream. (markt)
WebSocket
66681: Fix a NullPointerException when flushing
batched messages with compression enabled using
permessage-deflate. (markt)
jdbc-pool
Fix the releaseIdleCounter does not increment when testAllIdle
releases them. Pull request #241 provided by Arun Chaitanya Miriappalli
(lihan)
Fix the ConnectionState state will be inconsistent with actual
state on the connection when an exception occurs while writing. Pull request
#643 provided by Wenjun Xiao. (lihan)
Other
Update NSIS to 3.09. (markt)
Update Checkstyle to 10.12.2. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
66829: Fix quoting so users can use the _RUNJAVA
environment variable as intended on Windows when the path to the Java
executable contains spaces. (markt)
66834: Correct the OSGi contract references in the manifest
files to refer to the Jakarta EE contract names rather than the Java EE
contract names. (markt)
Update Tomcat Native to 2.0.5. (markt)
2023-07-10 Tomcat 11.0.0-M9 (markt)
Other
Correct properties for JSign dependency. (rjung)
not released Tomcat 11.0.0-M8 (markt)
Catalina
59232: Add
org.apache.catalina.core.ContextNamingInfoListener,
a listener which creates context naming information environment entries.
(michaelo)
66665: Add
org.apache.catalina.core.PropertiesRoleMappingListener,
a listener which populates the context's role mapping from a properties
file. (michaelo)
Fix an edge case where intra-web application symlinks would be followed
if the web applications were deliberately crafted to allow it even when
allowLinking was set to false. (markt)
Add utlity config file resource lookup on Context to allow
looking up resources from the webapp (prefixed with
webapp:) and make the resource lookup API more visible.
(remm)
Coyote
66627: Restore the documented behaviour of
MessageBytes.getType() that it returns the type of the
original content rather than reflecting the most recent conversion.
(markt)
66635: Correct certificate logging on start-up so it
differentiates between keystore based keys/certificates and PEM file
based keys/certificates and logs the relevant information for each.
(markt)
Jasper
Add java.util.Optional support via the
jakarta.el.OptionalELResolver to Tomcat's implementation
of the Jakarta EL API to align with the latest proposals for the Jakarta
EL 6.0 API. (markt)
Add support for specifying Java 22 (with the value 22) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
WebSocket
Improve handling of error conditions for the WebSocket server,
particularly during Tomcat shutdown. (markt)
Correct a regression in the fix for 66574 that meant the
WebSocket session could return false for onOpen() before
the onClose() event had been completed. (markt)
Update the WebSocket API provided by Tomcat to align with the latest
proposals from the Jakarta WebSocket project and make the WebSocket
Session instance available via SendResult.
(markt)
Web applications
Documentation. Expand the security guidance to cover the embedded use
case and add notes on the uses made of the java.io.tmpdir
system property. (markt)
66662: Documentation. Fix a typo in the name of the
algorithms attribute in the configuration section for
the Digest authentication valve. Pull request #629 provided by
gohilmca. (markt)
Other
Improvements to French translations. (remm)
Include the Windows specific binary distributions in the files uploaded
to Maven Central. (markt)
Remove support for running Tomcat on 32-bit Windows operating systems as
Java 21 is not available for that platform. (markt)
Improvements to Japanese translations. Contributed by tak7iji. (markt)
Update to the Eclipse JDT compiler 4.28. (markt)
Update UnboundID to 6.0.9. (markt)
Update Checkstyle to 10.12.1. (markt)
Update BND to 6.4.1. (markt)
Update JSign to 5.0. (markt)
2023-06-08 Tomcat 11.0.0-M7 (markt)
General
Increase the minimum supported Java version to Java 21. (markt)
Catalina
Move the management of the utility executor from the
init()/destroy() methods of components to the
start()/stop() methods. (markt)
Add RateLimitFilter which can be used to mitigate DoS and Brute Force
attacks. (isapir)
Remove support for using the ^ character to separate the
WAR file and WAR contents in Tomcat's custom WAR URL handler. The
current default separator character of * remains unchanged.
(markt)
Add org.apache.catalina.core.StandardVirtualThreadExecutor,
a virtual thread based executor that may be used with one or more
Connectors to process requests received by those Connectors using
virtual threads. (markt)
66513: Add a per session Semaphore to the
PersistentValve that ensures that, within a single Tomcat
instance, there is no more than one concurrent request per session. Also
expand the debug logging to include whether a request bypasses the Valve
and the reason if a request fails to obtain the per session Semaphore.
(markt)
66609: Ensure that the default servlet correctly escapes
file names in directory listings when using XML output. Based on pull
request #621 by Alex Kachanov. (markt)
66618: Add a numeric last modified field to the XML directory
listings produced by the default servlet to enable sorting in the XSLT.
Pull request #622 by Alex Kachanov. (markt)
66621: Attempts to lock a collection with WebDAV may
incorrectly fail if a child collection has an expired lock. (markt)
66622: Remove the xssProtectionEnabled setting
from the HttpHeaderSecurityFilter as support for the
associated HTTP header has been removed from all major browsers. (markt)
Coyote
66602: not sending WINDOW_UPDATE when dataLength is ZERO
on call SwallowedDataFramePayload. Pull request #619 by
ledefe. (lihan)
Other
Update to Commons Daemon 1.3.4. (markt)
Improvements to French translations. (remm)
Update Checkstyle to 10.12.0. (markt)
Update the packaged version of the Apache Tomcat Native Library to 2.0.4
to pick up the Windows binaries built with with OpenSSL 3.0.9. (markt)
2023-05-09 Tomcat 11.0.0-M6 (markt)
Catalina
66567: Fix missing IllegalArgumentException
after the Tomcat code was converted to using URI instead of URL. (remm)
Escape timestamp output in AccessLogValve if a
SimpleDateFormat is used which contains verbatim
characters that need escaping. (rjung)
Change output of vertical tab in AccessLogValve from
\v to \u000b. (rjung)
Improve performance of escaping in AccessLogValve
roughly by a factor of two. (rjung)
Improve JsonAccessLogValve: support more patterns
like for headers and attributes. Those will be logged as sub objects.
(rjung)
#613: Fix possible partial corrupted file copies when using
file locking protection or the manager servlet. Submitted
by Jack Shirazi. (remm)
Coyote
Add support for a new character set, gb18030-2022 -
introduced in Java 21, to the character set caching mechanism. (markt)
Fix an edge case in HTTP header parsing and ensure that HTTP headers
without names are treated as invalid. (markt)
Remove support for the HTTP Connector settings
rejectIllegalHeader and
allowHostHeaderMismatch. These are now hard-coded to the
previous defaults. (markt)
66591: Fix a regression introduced in the fix for
66512 that meant that an AJP Send Headers was not sent for
responses where no HTTP headers were set. (markt)
Jasper
66582: Account for EL having stricter requirements for static
imports than JSPs when adding JSP static imports to the EL context.
(markt)
WebSocket
66574: Refactor WebSocket session close to remove the lock on
the SocketWrapper which was a potential cause of deadlocks
if the application code used simulated blocking. (markt)
66575: Avoid unchecked use of the backing array of a
buffer provided by the user in the compression transformation. (remm)
Improve exception handling when flushing batched messages during
WebSocket session close. (markt)
66581: Update AsyncChannelGroupUtil to align it
with the current defaults for AsynchronousChannelGroup. Pull request
#612 by Matthew Painter. (markt)
Other
Improvements to French translations. (remm)
Improvements to Chinese translations. (lihan)
Update Checkstyle to 10.10.0. (markt)
Update Jacoco to 0.8.10. (markt)
Update the packaged version of the Tomcat Migration Tool for Jakarta EE
to 1.0.7. (markt)
2023-04-19 Tomcat 11.0.0-M5 (markt)
Catalina
Add a doPatch method to HttpServlet to provide
support for the HTTP PATCH method as defined in RFC 5789.
This is one of the changes in the Servlet 6.1 API. (markt)
65995: Implement RFC 9239 and use
text/javascript as the media type for JavaScript rather
than application/javascript. (markt)
Tomcat no longer sets the java.protocol.handler.pkgs system
property when starting. Users are now free to configure this property if
they wish. (markt)
Add an access log valve that uses a json format. Based on pull request
#539 provided by Thomas Meyer. (remm)
Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by the
authenticationSessionTimeout attribute of the FORM
authenticator. (markt)
Implement the new Servlet API methods that provide additional control
when sending a redirect to the client. (markt)
Update Digest authentication support to align with RFC 7616. This adds a
new configuration attribute, algorithms, to the
DigestAuthenticator with a default of
SHA-256,MD5. (markt)
Reduce the default value of maxParameterCount from 10,000
to 1,000. (markt)
66527: Correct the Javadoc for the
Tomcat.addWebapp() methods that incorrectly stated that the
docBase parameter could be a relative path. (markt)
66524 Correct eviction ordering in WebResource cache to
be LRU as intended. (schultz)
Add support code for custom user attributes in RealmBase.
Based on code from #473 by Carsten Klein. (remm)
Expand the set of HTTP request headers considered sensitive that should
be skipped when generating a response to a TRACE request.
This aligns with the current draft of the Servlet 6.1 specification.
(markt)
66541: Improve handling for cached resources for resources
that use custom URL schemes. The scheme specific equals()
and hashCode() algorithms, if present, will now be used for
URLs for these resources. This addresses a potential performance issue
with some OSGi custom URL schemes that can trigger potentially slow DNS
lookups in some configurations. Based on a patch provided by Tom
Whitmore. (markt)
When using a custom session manager deployed as part of the web
application, avoid ClassNotFoundExceptions when validating
session IDs extracted from requests. (markt)
66543: Give StandardContext#fireRequestDestroyEvent
its own log message. (fschumacher)
66554: Initialize Random during server initialization to
avoid possible JVM thread creation in the webapp context on some
platforms. (remm)
Make the server utility executor available to webapps using a Servlet
context attribute named
org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor. (remm)
Coyote
JSON filter should support specific escaping for common special
characters as defined in RFC 8259. Based on code submitted by
Thomas Meyer. (remm)
66511: Fix GzipOutputFilter (used for compressed
HTTP responses) when used with direct buffers. Patch suggested by Arjen
Poutsma. (markt)
66512: Align AJP handling of invalid HTTP response headers
(they are now removed from the response) with HTTP. (markt)
66530: Correct a regression in the fix for bug
66442 that meant that streams without a response body did not
decrement the active stream count when completing leading to
ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.
(markt)
Remove use of deprecated classes in the javax.security.cert
package. Pull request #608 provided by Eirik Bjorsnos. (markt)
Jasper
Fix bug that meant some instances of coercing a
LambdaExpression to a functional interface invocation
failed. (markt)
66536: Fix parsing of tag files that meant that tag
directives could be ignored for some tag files. (markt)
Align the EL implementation with the latest changes to the Jakarta EL
specification and add support for the length attribute to the
ArrayELResolver. (markt)
Cluster
66535: Redefine the maxValidTime attribute of
FarmWarDeployer to be the maximum time allowed between
receiving parts of a transferred file before the transfer is cancelled
and the associated resources cleaned-up. A new warning message will be
logged if the file transfer is cancelled. (markt)
WebSocket
66508: When using WebSocket with NIO2, avoid waiting for
a timeout before sending the close frame if an I/O error occurs during a
write. (markt)
66548: Expand the validation of the value of the
Sec-Websocket-Key header in the HTTP upgrade request that
initiates a WebSocket connection. The value is not decoded but it is
checked for the correct length and that only valid characters from the
base64 alphabet are used. (markt)
Web applications
66542: Documentation. Update the JNDI documentation to
replace references to JavaMail with references to Jakarta Mail. (markt)
Other
Improvements to French translations. (remm)
Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
Improvements to Chinese translations. Contributed by totoo. (markt)
Refactor code using MD5Encoder to use
HexUtils.toHexString(). (markt)
66507: Fix a bug that $JAVA_OPTS is not passed
to the jvm in catalina.sh when calling version.
Patch suggested by Eric Hamilton. (lihan)
Update the internal fork of Commons DBCP to f131286 (2023-03-08,
2.10.0-SNAPSHOT). This corrects a regression introduced in 11.0.0-M2.
(markt)
Improve the error messages if JRE_HOME or
JAVA_HOME are not set correctly. On windows, align the
handling of JRE_HOME and JAVA_HOME for the
start-up scripts and the service install script. (markt)
Update to the Eclipse JDT compiler 4.27. (markt)
Update UnboundID to 6.0.8. (markt)
Update Checkstyle to 10.9.3. (markt)
Update Jacoco to 0.8.9. (markt)
Enhance PEMFile to load from an InputStream. Patch provided by
Romain Manni-Bucau. (schultz)
2023-03-06 Tomcat 11.0.0-M4 (markt)
General
Fix a bug that memory allocation is larger than limit in
SynchronizedStack to reduce memory footprint. (lihan)
Catalina
Add support for txt: and rnd: rewrite map
types from mod_rewrite. Based on a pull request #591
provided by Dimitrios Soumis. (remm)
Provide a more appropriate response (501 rather than 400) when rejecting
an HTTP request using the CONNECT method. (markt)
66491: Revert the switch to using the ServiceLoader mechanism
to load the custom URL protocol handlers that Tomcat uses. The original
system property based approach has been restored. (markt)
Coyote
Add a check for the validity of the scheme pseudo-header in HTTP/2.
(markt)
66482: Restore inline state after async operation in NIO2,
to account the fact that unexpected exceptions are sometimes thrown
by the implementation. Patch submitted by zhougang. (remm)
Jasper
Provide an implementation of the sub-set of JavaBeans support that does
not depend on the java.beans package. This for use by
Expression Language when the java.desktop module (which is
where the java.beans package resides) is not available.
(markt)
2023-02-23 Tomcat 11.0.0-M3 (markt)
General
Increase the minimum supported Java version to Java 17. Note that
Jakarta EE 11 permits a minimum Java version of 21. The minimum Java
version for Tomcat 11 may be increased to Java 21 before the first
stable release. (markt)
Catalina
Allow a Valve to access cookies from a request that cannot be mapped to
a Context. (markt)
Implement the new Servlet API methods for setting character encodings
that accept Charset objects. (markt)
The default HEAD response no longer includes some HTTP header fields
where the value is determined only while generating the content as per
section 9.3.2 of RFC 9110. (markt)
66438: Correct names of Jakarta modules in JPMS metadata.
(markt)
Switch to using the ServiceLoader mechanism to load the custom URL
protocol handlers that Tomcat uses. (markt)
Switch to using LongAdder rather than
AtomicInteger to track request count and error count for
servlets. (markt)
Implement the clarification from the Jakarta Servlet project that
Servlets mapped to the context root should be mapped for requests to the
context root with or without the trailing /. (markt)
Implement the clarification from the Jakarta Servlet project that
calling ServletOutputStream.close() on a stream in
non-blocking mode returns immediately with the stream effectively closed
and any data remaining to be written is written in the background by the
container. (markt)
Avoid possible ISE when scanning from bad JAR URLs, to restore the
previous behavior following the removal of Java 9+ reflection code which
caught the ISE. (remm)
Refactor uses of String.replaceAll() to use
String.replace() where regular expressions where not being
used. Pull request #581 provided by Andrei Briukhov. (markt)
Add error report valve that allows redirecting to of proxying from an
external web server. Based on code and ideas from pull request
#506 provided by Max Fortun. (remm)
66470: Add the Shared Address Space defined by RFC 6598
(100.64.0.0/10) to the regular expression used to identify internal
proxies for the RemoteIpFilter and
RemoteIpValve. (markt)
66471: Fix JSessionId secure attribute missing When
RemoteIpFilter determines that this request was submitted
via a secure channel. (lihan)
Add the additional HTTP status code constants to
HttpServletResponse defined by the Jakarta Servlet project
for the Servlet 6.1 API. (markt)
Implement the clarification from the Jakarta Servlet project that
calling one of the HttpServletResponse methods for setting
HTTP header values with null as the new header value
removes any existing header of that name. (markt)
Coyote
Log basic information for each configured TLS certificate when Tomcat
starts. (markt)
66442: When an HTTP/2 response must not include a body,
ensure that the end of stream flag is set on the headers frame and that
no data frame is sent. (markt)
Fix a bug that prevented HTTP/2 connections from timing out when using
a Connector configured with useAsyncIO=true (the default).
(markt)
Provided dedicated loggers
(org.apache.tomcat.util.net.NioEndpoint.certificate /
org.apache.tomcat.util.net.Nio2Endpoint.certificate) for
logging of configured TLS certificates. (markt)
Jasper
66419: Fix calls from expression language to a method that
accepts varargs when only one argument was passed. (markt)
66441: Make imports of static fields in JSPs visible to any
EL expressions used on the page. (markt)
Web applications
66429: Documentation. Limit access to the documentation web
application to localhost by default. (markt)
66429: Examples. Limit access to the examples web application
to localhost by default. (markt)
Other
Update BND to 6.4.0. (markt)
Remove support for starting Tomcat under a SecurityManager. (markt)
Improvements to Chinese translations. (lihan)
Improvements to French translations. (remm)
Improvements to Japanese translations. Contributed by tak7iji. (markt)
Improvements to Korean translations. (woonsan)
Update the packaged version of the Apache Tomcat Native Library to 2.0.3
to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt)
not released Tomcat 11.0.0-M2 (markt)
Catalina
Update the ServletInputStream and
ServletOuputStream classes in the Servlet API to align with
the recent updates in the Jakarta Servlet specification to support
reading and writing with ByteBuffers. The changes also
clarified various aspects of the Servlet non-blocking API. (markt)
66388: Correct a regression in the refactoring that replaced
the use of the URL constructors. The regression broke
lookups for resources that contained one or more characters in their
name that required escaping when used in a URI path. (markt)
66392: Change the default value of AccessLogValve's
file encoding to UTF-8 and update documentation. (lihan)
66393: Align ExtendedAccessLogValve's x-P(XXX) with the
documentation. (lihan)
Remove JAX-RPC support which was removed from the Jakarta EE platform
for Jakarta EE 9. (markt)
Coyote
Update Cookie parsing and handling to treat the quotes in a quoted
cookie value as part of the value as required by RFC 6265 and explicitly
clarified in RFC 6265bis. (markt)
Add an RFC 8941 structured field parser. (markt)
Add a parser for the priority HTTP header field defined in
RFC 9218. (markt)
When resetting an HTTP/2 stream because the final response has been
generated before the request has been fully read, use the HTTP/2 error
code NO_ERROR so that client does not discard the response.
Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
66385: Correct a bug in HTTP/2 where a non-blocking read for
a new frame with the NIO2 connector was incorrectly made using the read
timeout leading to unexpected stream closure. (markt)
Jasper
66370: Change the default of the
org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system
property to true unless the EL library is running on Tomcat
in which case the default remains false as the EL library
is already called from within a privileged block and skipping the
unnecessary privileged block improves performance. (markt)
Add support for specifying Java 21 (with the value 21) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
Other
Update the packaged version of the Apache Tomcat Migration Tool for
Jakarta EE to 1.0.6. (markt)
Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
6.7.1-SNAPSHOT). (markt)
Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03,
1.16-SNAPSHOT). (markt)
Update the internal fork of Apache Commons FileUpload to 34eb241
(2023-01-03, 2.0-SNAPSHOT). (markt)
Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03,
2.10.0-SNAPSHOT). (markt)
Improvements to Japanese translations. Contributed by Shirayuking.
(markt)
Improvements to Portuguese translations. Contributed by Guilherme
Custódio. (markt)
Update to the Eclipse JDT compiler 4.26. (markt)
Update Checkstyle to 10.6.0. (markt)
Update Unboundid to 6.0.7. (markt)
Update SpotBugs to 4.7.3. (markt)
2022-12-05 Tomcat 11.0.0-M1 (markt)
General
This release contains all of the changes up to and including those in
Apache Tomcat 10.1.1 plus the additional changes listed below. (markt)
Catalina
66175: Change the default character set used by the
BasicAuthenticator from ISO-8859-1 to UTF-8. (markt)
66209: Add a configuration option to allow bloom filters used
to index JAR files to be retained for the lifetime of the web
application. Prior to this addition, the indexes were always flushed by
the periodic calls to WebResourceRoot.gc(). As part of this
addition, configuration of archive indexing moves from
Context to WebResourceRoot. Based on a patch
provided by Rahul Jaisimha. (markt)
66330: Correct a regression introduced when fixing
62897 that meant any value configured for
skipMemoryLeakChecksOnJvmShutdown on the
Context was ignored and the default was always used.
(markt)
66331: Fix a regression in refactoring for Stack
on the SystemLogHandler which caught incorrect exception.
(lihan)
66338: Fix a regression that caused a nuance in refactoring
for ErrorReportValve. (lihan)
Escape values used to construct output for the
JsonErrorReportValve to ensure that it always outputs valid
JSON. (markt)
Correct the default implementation of
HttpServletRequest.isTrailerFieldsReady() to return
true so it is consistent with the default implementation of
HttpServletRequest.getTrailerFields() and with the Servlet
API provided by the Jakarta EE project. (markt)
Refactor WebappLoader so it only has a runtime dependency
on the migration tool for Jakarta EE if configured to use the converter
as classes are loaded. (markt)
Improve the behavior of the credential handler attribute that is set in
the Servlet context so that it actually reflects what is used during
authentication. (remm)
66359: Update javadoc for RemoteIpValve and RemoteIpFilter with
correct protocolHeader default value of "X-Forwarded-Proto".
(lihan)
Add support for the new attribute for error dispatches
jakarta.servlet.error.query_string. (markt)
Update ignoreAnnotation attribute on Context
to dissociate it from metadata-complete. (remm)
Coyote
Correct the date format used with the expires attribute of HTTP cookies.
A single space rather than a single dash should be used to separate the
day, month and year components to be compliant with RFC 6265. (markt)
Include the name of the current stream state in the error message when a
stream is cancelled due to an attempt to write to the stream when it is
in a state that does not permit writes. (markt)
NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL
not to do so and remove checks for this return value. Based on
#562 by tianshuang. (markt)
Remove unnecessary code that exposed the asyncTimeout to
components that never used it. (markt)
Ensure that all MessageBytes conversions to byte arrays are
valid for the configured character set and throw an exception if not.
(markt)
When an HTTP/2 stream was reset, the current active stream count was not
reduced. If enough resets occurred on a connection, the current active
stream count limit was reached and no new streams could be created on
that connection. (markt)
Jasper
66294: Make the use of a privileged block to obtain the
thread context class loader added to address 62080 optional
and disabled by default. This is now controlled by the
org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system
property. (markt)
66317: Fix for Lambda coercion security manager missing
privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
66325: Fix concurrency issue in evaluation of expression
language containing lambda expressions. (markt)
Update the ErrorData class in the JSP API to align with the
recent changes in the Jakarta Pages specification to support the new
error dispatch attribute
jakarta.servlet.error.query_string.
Web applications
66348: Update the JARs listed in the class loader
documentation and note which ones are optional. (markt)
Documentation. Replace references in the application developer's guide
to CVS with more general references to a source code control system.
(markt)
jdbc-pool
66346: Ensure all JDBC pool JARs are reproducible. Pull
request #566 provided by John Neffenger. (markt)
Other
Update to Commons Daemon 1.3.3. (markt)
66323: Move module start up parameters from
JDK_JAVA_OPTIONS to JAVA_OPTS now that the
minimum Java version is 11 and these options are always required.
(markt)
Improvements to Chinese translations. Contributed by DigitalCat and
lihan. (markt)
Improvements to French translations. Contributed by Mathieu Bouchard.
(markt)
Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
Improvements to Korean translations. (markt)
Improvements to Spanish translations. (markt)
Correct a regression in the removal of the APR connector that broke
Graal native image support. Pull request #564 provided by
Sébastien Deleuze. (markt)
Update the packaged version of the Apache Tomcat Native Library to 2.0.2
to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
Update the packaged version of the Apache Tomcat Migration Tool for
Jakarta EE to 1.0.5. (markt)
Refactor code base to replace use of URL constructors. While they are
deprecated in Java 20 onwards, the reasons for deprecation are valid for
all versions so move away from them now. (markt)
Refine the Tomcat native image metadata to avoid including unintended
non-Tomcat resources. Pull request #569 provided by Sébastien
Deleuze. (markt)
Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28,
6.7.0-RC1). (markt)
Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29,
1.16-SNAPSHOT). (markt)
Update the internal fork of Apache Commons FileUpload to aa8eff6
(2022-11-29, 2.0-SNAPSHOT). (markt)
Ensure that 
Add 
Update to the Eclipse JDT compiler 4.33. (markt)
Refactor creation of HttpParser instances from the Processor level to
the Protocol level since the parser configuration depends on the
protocol and the parser is, otherwise, stateless. (markt)