Changelog

Tomcat 10.1.24 (schultz)

Catalina

  • Add: Small performance optimization when logging cookies with no values. (schultz)
  • Fix: Correct error handling for asynchronous requests. If the application performs an dispatch during AsyncListener.onError() the dispatch is now performed rather than completing the request using the error page mechanism. (markt)
  • Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable style. (schultz)
  • Add: Add more timescale options to AccessLogValve and ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in ExtendedAccessLogValve. (schultz)
  • Fix: Fix WebDAV lock null (locks for non existing resources) thread safety and removal. (remm)
  • Fix: Add periodic checking for WebDAV locks expiration. (remm)
  • Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo)
  • Fix: Remove MBean metadata for attibutes that have been removed. Based on pull request #719 by Shawn Q. (markt)

Coyote

  • Fix: Align non-secure and secure writes with NIO and skip the write attempt when there are no bytes to be written. (markt)
  • Fix: Allow any positive value for socket.unlockTimeout. If a negative or zero value is configured, the default of 250ms will be used. (mark)
  • Fix: Reduce the time spent waiting for the connector to unlock. The previous default of 10s was noticeably too long for cases where the unlock has failed. The wait time is now 100ms plus twice socket.unlockTimeout. (markt)
  • Fix: Ensure that the onAllDataRead() event is triggered when the request body uses chunked encoding and is read using non-blocking IO. (markt)
  • Fix: 68934: Add debug logging in the latch object when exceeding maxConnections. (remm)
  • Fix: Refactor trailer field handling to use a MimeHeaders instance to store trailer fields. (markt)
  • Fix: Ensure that multiple instances of the same trailer field are handled correctly. (markt)
  • Fix: Fix non-blocking reads of chunked request bodies. (markt)
  • Fix: When an invalid HTTP response header was dropped, an off-by-one error meant that the first header in the response was also dropped. Fix based on pull request #710 by foremans. (markt)

Jasper

  • Add: Add support for specifying Java 23 (with the value 23) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

WebSocket

  • Fix: 68884: Reduce the write timeout when writing WebSocket close messages for abnormal closes. The timeout defaults to 50 milliseconds and may be controlled using the org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property in the user properties collection associated with the WebSocket session. (markt)

Web applications

  • Fix: Examples: Improve performance of WebSocket chat application when multiple clients disconnect at the same time. (markt)
  • Update: Examples: Increase the number of previous messages displayed when using the WebSocket chat application. (markt)
  • Fix: Examples: Improve performance of WebSocket snake application when multiple clients disconnect at the same time. (markt)

Other

  • Update: Switch to using the Base64 encoder and decoder provided by the JRE rather than the version provided by Commons Codec. The internal fork of Commons Codec has been deprecated and will be removed in Tomcat 11. (markt)
  • Update: Update NSIS to 3.10. (mark0t)
  • Update: Update UnboundID to 7.0.0. (markt)
  • Update: Update Checkstyle to 10.16.0. (markt)
  • Update: Update JaCoCo to 0.8.12. (markt)
  • Update: Update SpotBugs to 4.8.4. (markt)
  • Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
  • Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2024-04-23 Tomcat 10.1.23 (schultz)

Catalina

  • Update: Deprecate and remove sessionCounter (replaced by the addition of the active session count and the expired session count, as a reasonable approximation) and duplicates (which does not represent a possible event in current implementations) statistics from the session manager. (remm)
  • Fix: 68890 Align output encoding of JSPs in the Manager webapp with the XML declarations in those same files. (schultz)
  • Fix: Update Basic authentication to implement the requirements of RFC 7617 including the changing of the trimCredentials setting which is now defaults to false. Note that the trimCredentials setting will be removed in Tomcat 11. (markt)

Coyote

  • Fix: Fix bnd jar descriptor to include the OpenSSL FFM support. (remm)
  • Fix: Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm)

not released Tomcat 10.1.22 (schultz)

Other

  • Fix: Release re-built using correct JDK version.

not released Tomcat 10.1.21 (schultz)

Catalina

  • Fix: Change the thread-safety mechanism for protecting StandardServer.services from a simple synchronized lock to a ReentrantReadWriteLock to allow multiple readers to operate simultaneously. Based upon a suggestion by Markus Wolfe. (schultz)
  • Fix: Improve Service connectors, Container children and Service executors access sync using a ReentrantReadWriteLock. (remm)
  • Fix: Improve handling of integer overflow if an attempt is made to upload a file via the Servlet API and the file is larger than Integer.MAX_VALUE. (markt)
  • Fix: 68862: Handle possible response commit when processing read errors. (remm)

Coyote

  • Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later. (remm)

Other

  • Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
  • Update: Update the internal fork of Apache Commons Codec to 1.16.1. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (remm)
  • Add: Improvements to Chinese translations by leeyazhou. (remm)

2024-03-25 Tomcat 10.1.20 (schultz)

Catalina

  • Fix: Minor performance improvement for building filter chains. Based on ideas from pull request #702 by Luke Miao. (remm)
  • Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt)
  • Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm)
  • Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt)
  • Fix: After forwarding a request, attempt to unwrap the response in order to suspend it, instead of simply closing it if it was wrapped. Add a new suspendWrappedResponseAfterForward boolean attribute on Context to control the bahavior, defaulting to false. (remm)
  • Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt)
  • Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm)
  • Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm)
  • Update: Add highConcurrencyStatus attribute to the SemaphoreValve to optionally allow the valve to return an error status code to the client when a permit cannot be acquired from the semaphore. (remm)
  • Add: Add checking of the "age" of the running Tomcat instance since its build-date to the SecurityListener, and log a warning if the server is old. (schultz)
  • Fix: When using the AsyncContext, throw an IllegalStateException, rather than allowing an NullPointerException, if an attempt is made to use the AsyncContext after it has been recycled. (markt)

Coyote

  • Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt)
  • Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow configuring the amount of time before an internal executor will scale back to the configured minSpareThreads size. (remm)
  • Fix: Correct a regression in the support for user provided SSLContext instances that broke the org.apache.catalina.security.TLSCertificateReloadListener. (markt)

Jasper

  • Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)
  • Fix: Handle the case where the JSP engine forwards a request/response to a Servlet that uses an OutputStream rather than a Writer. This was triggering an IllegalStateException on code paths where there was a subsequent attempt to obtain a Writer. (markt)
  • Fix: Correctly handle the case where a tag library is packaged in a JAR file and the web application is deployed as a WAR file rather than an unpacked directory. (markt)
  • Fix: Prevent the web application's ClassLoader from being pinned by the JSP compiler if an application uses a custom XMLInputFactory. Based upon a suggestion from Simon Niederberger. (schultz)

Cluster

  • Fix: Avoid updating request count stats on async. (remm)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)
  • Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin. (csutherl/schultz)
  • Update: Update Checkstyle to 10.14.1. (markt)

2024-02-19 Tomcat 10.1.19 (schultz)

Catalina

  • Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt)
  • Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt)
  • Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz)
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
  • Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
  • Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt)

Coyote

  • Fix: Setting a null value for a cookie attribute should remove the attribute. (markt)
  • Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt)
  • Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext.
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm)
  • Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altındağ. (markt)
  • Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt)
  • Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt)
  • Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt)

Jasper

  • Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm)
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)

WebSocket

  • Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt)
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
  • Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt)

Web applications

  • Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz)

Other

  • Fix: Correct the remaining OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. Based on pull request #685 provided by Paul A. Nicolucci. (markt)
  • Update: Update Checkstyle to 10.13.0. (markt)
  • Update: Update JSign to 6.0. (markt)
  • Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)
  • Update: Update Tomcat Native to 2.0.7. (markt)
  • Update: Add strings for debug level messages. (remm)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2024-01-09 Tomcat 10.1.18 (schultz)

Catalina

  • Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt)

Coyote

  • Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt)
  • Fix: Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt)
  • Fix: Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig method. (remm)
  • Fix: Relax the check that the HTTP Host header is consistent with the host used in the request line, if any, to make the check case insensitive since host names are case insensitive. (markt)
  • Add: 68348: Add support for the partitioned attribute for cookies including session cookies. (markt)

Web Applications

  • Fix: 68035: Additional fix to the Manager application to enable the deployment of a web application located in a Host's appBase where the web application is specified by a bare (no path) WAR or directory name as shown in the documentation. (markt)

Other

  • Update: Update Checkstyle to 10.12.7. (markt)
  • Update: Update SpotBugs to 4.8.3. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2023-12-12 Tomcat 10.1.17 (schultz)

Catalina

  • Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm)
  • Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
  • Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
  • Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)

Jasper

  • Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)

Web Applications

  • Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)

Other

  • Fix: 68124: Migrate sample.war from javax to jakarta. (lihan)
  • Update: Update UnboundID to 6.0.11. (markt)
  • Update: Update Checkstyle to 10.12.5. (markt)
  • Update: Update SpotBugs to 4.8.2. (markt)
  • Update: Update Derby to 10.17.1. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)
  • Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt)
  • Add: Improvements to Russian translations by usmazat and remm. (markt)

2023-11-14 Tomcat 10.1.16 (schultz)

Catalina

  • Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
  • Update: The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm)
  • Update: Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz)
  • Fix: 67793: Ensure the original session timeout is restored after FORM authentication if the user refreshes a page during the FORM authentication process. Based on a suggestion by Mircea Butmalai. (markt)
  • Update: 67926: PEMFile prints unidentifiable string representation of ASN.1 OIDs. (michaelo)
  • Fix: 66875: Ensure that setting the request attribute jakarta.servlet.error.exception is not sufficient to trigger error handling for the current request and response. (markt)
  • Fix: 68054: Avoid some file canonicalization calls introduced by the fix for 65433. (remm)
  • Fix: 68089: Improve performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
  • Fix: Use a 400 status code to report an error due to a bad request (e.g. an invalid trailer header) rather than a 500 status code. (markt)
  • Fix: Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception. (markt)

Coyote

  • Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
  • Add: When calling SSLHostConfigCertificate.setCertificateKeystore(ks), automatically call setCertificateKeystoreType(ks.getType()). (markt)
  • Fix: 67628: Clarify how the ciphers attribute of the SSLHostConfig is used. (markt)
  • Fix: 67666: Ensure TLS connectors using PEM files either work with the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt)
  • Fix: 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
  • Fix: 67927: Reloading TLS configuration can cause the Connector to refuse new connections or the JVM to crash. (markt)
  • Fix: 67938: Correct handling of large TLS client hello messages that were causing the TLS handshake to fail. (markt)
  • Fix: 68026: Convert selected MessageByte values to String when first accessed to speed up subsequent accesses and reduce garbage collection. (markt)

Jasper

  • Fix: 68068: Performance improvement for EL. Based on a suggestion by John Engebretson. (markt)

WebSocket

  • Fix: Correct missing metadata in the MANIFEST of the for WebSocket client API JAR file. (markt)

Web applications

  • Fix: 68035: Correct a regression in the fix for 56248 that prevented deployment via the Manager of a WAR or directory that was already present in the appBase or a context file that was already present in the xmlBase. (markt)

Other

  • Add: 67538: Make use of Ant's <javaversion /> task to enfore the mininum Java build version. (michaelo)
  • Update: Update Checkstyle to 10.12.4. (markt)
  • Update: Update JaCoCo to 0.8.11. (markt)
  • Update: Update SpotBugs to 4.8.0. (markt)
  • Update: Update BND to 7.0.0. (markt)
  • Update: The minimum Java version required to build Tomcat has been raised to Java 17. (markt)
  • Update: Update the OWB module to Apache OpenWebBeans 4.0.0. (remm)

2023-10-16 Tomcat 10.1.15 (schultz)

Coyote

  • Fix: 67670: Fix regression with HTTP compression after code refactoring. (remm)

jdbc-pool

  • Fix: 67664: Correct a regression in the clean-up of unnecessary use of fully qualified class names in 10.1.14 that broke the jdbc-pool. (markt)

2023-10-10 Tomcat 10.1.14 (schultz)

Catalina

  • Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
  • Fix: Fix handling of an error reading a context descriptor on deployment. (remm)
  • Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also use, while it should instead take precedence. (remm)
  • Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
  • Add: Improve handling of failures within recycle() methods. (markt)

Coyote

  • Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
  • Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
  • Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
  • Fix: Fix logic issue trying to match no argument method in IntropectionUtil. (remm)
  • Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
  • Fix: Avoid rare thread safety issue accessing message digest map. (remm)
  • Fix: Improve statistics collection for upgraded connections under load. (remm)
  • Fix: Align validation of HTTP trailer fields with standard fields. (markt)
  • Fix: Improvements to HTTP/2 overhead protection. (markt)

Jasper

  • Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)

Other

  • Update: Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
  • Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
  • Update: Update UnboundID to 6.0.10. (markt)
  • Update: Update Checkstyle to 10.12.3. (markt)
  • Update: Update Tomcat Native to 2.0.6. (markt)
  • Update: Update Commons Pool to 2.12.0. (markt)
  • Fix: 67611: Correct the download link in BUILDING.txt. (lihan)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)
  • Add: Improvements to Russian translations by usmazat. (markt)

2023-08-25 Tomcat 10.1.13 (markt)

Catalina

  • Fix: If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500. (markt)
  • Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)
  • Fix: Avoid protocol relative redirects in FORM authentication. (markt)

Web applications

  • Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)

Other

  • Add: Improvements to Chinese translations. (lihan)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2023-08-14 Tomcat 10.1.12 (markt)

Catalina

  • Fix: 66680: When serializing a session during the session presistence process, do not log a warning that null Principals are not serializable. Pull request #638 provided by tsryo. (markt)
  • Fix: Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections. (fschumacher)
  • Fix: 66822: Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance. (markt)
  • Fix: The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed first. (remm)

Coyote

  • Fix: Correct a regression introduced in 10.1.11 and use the correct constant when constructing the default value for the certificateKeystoreFile attribute of an SSLHostConfigCertificate instance. (markt)
  • Code: Refactor HTTP/2 implementation to reduce pinning when using virtual threads. (markt)
  • Fix: Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it. (remm)
  • Fix: 66841: Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2. (markt)
  • Fix: 66842: When using asynchronous I/O (the default), include DATA frames when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated. (markt)
  • Fix: Correct a race condition that could cause spurious RST messages to be sent after the response had been written to an HTTP/2 stream. (markt)

WebSocket

  • Fix: 66681: Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate. (markt)

jdbc-pool

  • Fix: Fix the releaseIdleCounter does not increment when testAllIdle releases them. Pull request #241 provided by Arun Chaitanya Miriappalli (lihan)
  • Fix: Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing. Pull request #643 provided by Wenjun Xiao. (lihan)

Other

  • Update: Update NSIS to 3.09. (markt)
  • Update: Update Checkstyle to 10.12.2. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by tak7iji and Shirayuking. (markt)
  • Fix: 66829: Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces. (markt)
  • Fix: 66834: Correct the OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. (markt)
  • Update: Update Tomcat Native to 2.0.5. (markt)

2023-07-10 Tomcat 10.1.11 (schultz)

Catalina

  • Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. (michaelo)
  • Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file. (michaelo)
  • Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. (markt)
  • Update: Add utlity config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible. (remm)
  • Fix: Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan. (markt)
  • Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)

Coyote

  • Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. (markt)
  • Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. (markt)
  • Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write. (markt)
  • Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. (markt)

WebSocket

  • Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. (markt)
  • Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. (markt)

Web applications

  • Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. (markt)
  • Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca. (markt)

Other

  • Add: Include the Windows specific binary distributions in the files uploaded to Maven Central. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
  • Update: Update UnboundID to 6.0.9. (markt)
  • Update: Update Checkstyle to 10.12.1. (markt)
  • Update: Update BND to 6.4.1. (markt)
  • Update: Update JSign to 5.0. (markt/rjung)
  • Fix: Align documentation for maxParameterCount to match hard-coded defaults. Contributed by Michal Sobkiewicz. (schultz)

2023-06-12 Tomcat 10.1.10 (schultz)

Catalina

  • Code: Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods. (markt)
  • Add: Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. This Executor requires a minimum Java version of Java 21. (markt)
  • Fix: 66513: Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore. (markt)
  • Fix: 66609: Ensure that the default servlet correctly escapes file names in directory listings when using XML output. Based on pull request #621 by Alex Kachanov. (markt)
  • Add: 66618: Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting in the XSLT. Pull request #622 by Alex Kachanov. (markt)
  • Fix: 66621: Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock. (markt)
  • Fix: 66622: Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false as support for the associated HTTP header has been removed from all major browsers. (markt)

Coyote

  • Update: Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined in RFC 7540. (markt)
  • Fix: 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload. Pull request #619 by ledefe. (lihan)

Other

  • Update: Update to Commons Daemon 1.3.4. (markt)
  • Add: Improvements to French translations. (remm)
  • Update: Update Checkstyle to 10.12.0. (markt)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.4 to pick up the Windows binaries built with with OpenSSL 3.0.9. (markt)

2023-05-19 Tomcat 10.1.9 (schultz)

Catalina

  • Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was converted to using URI instead of URL. (remm)
  • Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is used which contains verbatim characters that need escaping. (rjung)
  • Update: Change output of vertical tab in AccessLogValve from \v to \u000b. (rjung)
  • Update: Improve performance of escaping in AccessLogValve roughly by a factor of two. (rjung)
  • Update: Improve JsonAccessLogValve: support more patterns like for headers and attributes. Those will be logged as sub objects. (rjung)
  • Fix: #613: Fix possible partial corrupted file copies when using file locking protection or the manager servlet. Submitted by Jack Shirazi. (remm)
  • Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)

Coyote

  • Add: Add support for a new character set, gb18030-2022 - introduced in Java 21, to the character set caching mechanism. (markt)
  • Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers without names are treated as invalid. (markt)
  • Update: Deprecate the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards. (markt)
  • Fix: 66591: Fix a regression introduced in the fix for 66512 that meant that an AJP Send Headers was not sent for responses where no HTTP headers were set. (markt)

Jasper

  • Fix: 66582: Account for EL having stricter requirements for static imports than JSPs when adding JSP static imports to the EL context. (markt)

WebSocket

  • Fix: 66574: Refactor WebSocket session close to remove the lock on the SocketWrapper which was a potential cause of deadlocks if the application code used simulated blocking. (markt)
  • Fix: 66575: Avoid unchecked use of the backing array of a buffer provided by the user in the compression transformation. (remm)
  • Fix: Improve exception handling when flushing batched messages during WebSocket session close. (markt)
  • Fix: 66581: Update AsyncChannelGroupUtil to align it with the current defaults for AsynchronousChannelGroup. Pull request #612 by Matthew Painter. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Chinese translations. (lihan)
  • Update: Update Checkstyle to 10.10.0. (markt)
  • Update: Update Jacoco to 0.8.10. (markt)
  • Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)

2023-04-19 Tomcat 10.1.8 (schultz)

Catalina

  • Fix: 65995: Implement RFC 9239 and use text/javascript as the media type for JavaScript rather than application/javascript. (markt)
  • Add: Add an access log valve that uses a json format. Based on pull request #539 provided by Thomas Meyer. (remm)
  • Add: Harden the FORM authentication process against DoS attacks by using a reduced session timeout if the FORM authentication process creates a session. The duration of this timeout is configured by the authenticationSessionTimeout attribute of the FORM authenticator. (markt)
  • Fix: 66527: Correct the Javadoc for the Tomcat.addWebapp() methods that incorrectly stated that the docBase parameter could be a relative path. (markt)
  • Fix: 66524 Correct eviction ordering in WebResource cache to be LRU as intended. (schultz)
  • Update: Use server.xml to reduce the default value of maxParameterCount from 10,000 to 1,000. If not configured in server.xml, the default remains 10,000. (markt)
  • Add: Update Digest authentication support to align with RFC 7616. This adds a new configuration attribute, algorithms, to the DigestAuthenticator with a default of SHA-256,MD5. (markt)
  • Update: Add support code for custom user attributes in RealmBase. Based on code from #473 by Carsten Klein. (remm)
  • Fix: Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. This aligns with 11.0.x. (markt)
  • Fix: 66541: Improve handling for cached resources for resources that use custom URL schemes. The scheme specific equals() and hashCode() algorithms, if present, will now be used for URLs for these resources. This addresses a potential performance issue with some OSGi custom URL schemes that can trigger potentially slow DNS lookups in some configurations. Based on a patch provided by Tom Whitmore. (markt)
  • Fix: When using a custom session manager deployed as part of the web application, avoid ClassNotFoundExceptions when validating session IDs extracted from requests. (markt)
  • Fix: 66543: Give StandardContext#fireRequestDestroyEvent its own log message. (fschumacher)
  • Fix: 66554: Initialize Random during server initialization to avoid possible JVM thread creation in the webapp context on some platforms. (remm)
  • Update: Make the server utility executor available to webapps using a Servlet context attribute named org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor. (remm)

Coyote

  • Fix: JSON filter should support specific escaping for common special characters as defined in RFC 8259. Based on code submitted by Thomas Meyer. (remm)
  • Fix: 66511: Fix GzipOutputFilter (used for compressed HTTP responses) when used with direct buffers. Patch suggested by Arjen Poutsma. (markt)
  • Fix: 66512: Align AJP handling of invalid HTTP response headers (they are now removed from the response) with HTTP. (markt)
  • Fix: 66530: Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections. (markt)

Jasper

  • Fix: Fix bug that meant some instances of coercing a LambdaExpression to a functional interface invocation failed. (markt)
  • Fix: 66536: Fix parsing of tag files that meant that tag directives could be ignored for some tag files. (markt)

Cluster

  • Fix: 66535: Redefine the maxValidTime attribute of FarmWarDeployer to be the maximum time allowed between receiving parts of a transferred file before the transfer is cancelled and the associated resources cleaned-up. A new warning message will be logged if the file transfer is cancelled. (markt)

WebSocket

  • Fix: 66508: When using WebSocket with NIO2, avoid waiting for a timeout before sending the close frame if an I/O error occurs during a write. (markt)
  • Fix: 66548: Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used. (markt)

Web applications

  • Fix: 66542: Documentation. Update the JNDI documentation to replace references to JavaMail with references to Jakarta Mail. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
  • Add: Improvements to Chinese translations. Contributed by totoo. (markt)
  • Code: Refactor code using MD5Encoder to use HexUtils.toHexString(). (markt)
  • Fix: 66507: Fix a bug that $JAVA_OPTS is not passed to the jvm in catalina.sh when calling version. Patch suggested by Eric Hamilton. (lihan)
  • Update: Update the internal fork of Commons DBCP to f131286 (2023-03-08, 2.10.0-SNAPSHOT). This corrects a regression introduced in 10.1.5. (markt)
  • Fix: Improve the error messages if JRE_HOME or JAVA_HOME are not set correctly. On windows, align the handling of JRE_HOME and JAVA_HOME for the start-up scripts and the service install script. (markt)
  • Update: Update to the Eclipse JDT compiler 4.27. (markt)
  • Update: Update UnboundID to 6.0.8. (markt)
  • Update: Update Checkstyle to 10.9.3. (markt)
  • Update: Update Jacoco to 0.8.9. (markt)
  • Fix: Enhance PEMFile to load from an InputStream. Patch provided by Romain Manni-Bucau. (schultz)

2023-03-03 Tomcat 10.1.7 (schultz)

General

  • Fix: Fix a bug that memory allocation is larger than limit in SynchronizedStack to reduce memory footprint. (lihan)

Catalina

  • Add: Add support for txt: and rnd: rewrite map types from mod_rewrite. Based on a pull request #591 provided by Dimitrios Soumis. (remm)
  • Update: Provide a more appropriate response (501 rather than 400) when rejecting an HTTP request using the CONNECT method. (markt)
  • Fix: 66488: Correct a regression introduced in the fix for bug 66196 that meant that the HTTP headers and/or request line could get corrupted (one part overwriting another part) within a single request. (markt)
  • Fix: 66491: Revert the switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. The original system property based approach has been restored. (markt)

Coyote

  • Add: Add a check for the validity of the scheme pseudo-header in HTTP/2. (markt)
  • Fix: 66482: Restore inline state after async operation in NIO2, to account the fact that unexpected exceptions are sometimes thrown by the implementation. Patch submitted by zhougang. (remm)

2023-02-24 Tomcat 10.1.6 (schultz)

Catalina

  • Fix: Allow a Valve to access cookies from a request that cannot be mapped to a Context. (markt)
  • Fix: 66438: Correct names of Jakarta modules in JPMS metadata. (markt)
  • Update: Switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. (markt)
  • Fix: Avoid possible ISE when scanning from bad JAR URLs, to restore the previous behavior following the removal of Java 9+ reflection code which caught the ISE. (remm)
  • Fix: Refactor uses of String.replaceAll() to use String.replace() where regular expressions where not being used. Pull request #581 provided by Andrei Briukhov. (markt)
  • Add: Add error report valve that allows redirecting to of proxying from an external web server. Based on code and ideas from pull request #506 provided by Max Fortun. (remm)
  • Add: 66470: Add the Shared Address Space defined by RFC 6598 (100.64.0.0/10) to the regular expression used to identify internal proxies for the RemoteIpFilter and RemoteIpValve. (markt)
  • Fix: 66471: Fix JSessionId secure attribute missing When RemoteIpFilter determines that this request was submitted via a secure channel. (lihan)

Coyote

  • Add: Log basic information for each configured TLS certificate when Tomcat starts. (markt)
  • Fix: 66442: When an HTTP/2 response must not include a body, ensure that the end of stream flag is set on the headers frame and that no data frame is sent. (markt)
  • Fix: 66455: Fix the cause of a potential ClassCastException when processing a WINDOW_UPDATE frame on an HTTP/2 connection where the flow control window for the overall connection has been exhausted. (markt)
  • Fix: Fix a regression introduced in 10.1.0-M17 that prevented HTTP/2 connections from timing out when using a Connector configured with useAsyncIO=true (the default). (markt)
  • Add: Provided dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.certificate / org.apache.tomcat.util.net.Nio2Endpoint.certificate) for logging of configured TLS certificates. (markt)

Jasper

  • Fix: 66419: Fix calls from expression language to a method that accepts varargs when only one argument was passed. (markt)
  • Fix: 66441: Make imports of static fields in JSPs visible to any EL expressions used on the page. (markt)

Web applications

  • Fix: 66429: Documentation. Limit access to the documentation web application to localhost by default. (markt)
  • Fix: 66429: Examples. Limit access to the examples web application to localhost by default. (markt)

Other

  • Update: Update BND to 6.4.0. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.3 to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt)

2023-01-13 Tomcat 10.1.5 (markt)

Catalina

  • Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
  • Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
  • Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)

Coyote

  • Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
  • Fix: 66385: Correct a bug in HTTP/2 where a non-blocking read for a new frame with the NIO2 connector was incorrectly made using the read timeout leading to unexpected stream closure. (markt)

Jasper

  • Fix: 66370: Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. (markt)
  • Add: Add support for specifying Java 21 (with the value 21) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

Other

  • Update: Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, 6.7.1-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, 1.16-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to 34eb241 (2023-01-03, 2.0-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03, 2.10.0-SNAPSHOT). (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
  • Add: Improvements to Portuguese translations. Contributed by Guilherme Custódio. (markt)
  • Update: Update to the Eclipse JDT compiler 4.26. (markt)
  • Update: Update Checkstyle to 10.6.0. (markt)
  • Update: Update Unboundid to 6.0.7. (markt)
  • Update: Update SpotBugs to 4.7.3. (markt)

2022-12-09 Tomcat 10.1.4 (markt)

Other

  • Update: Update the packaged version of the Apache Tomcat Migration Tool for Jakarta EE to 1.0.6. (markt)

not released Tomcat 10.1.3 (markt)

Catalina

  • Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
  • Fix: Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. (markt)
  • Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
  • Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)

Coyote

  • Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)

Web applications

  • Fix: 66348: Update the JARs listed in the class loader documentation and note which ones are optional. (markt)
  • Fix: Documentation. Replace references in the application developer's guide to CVS with more general references to a source code control system. (markt)

Other

  • Code: Refactor code base to replace use of URL constructors. While they are deprecated in Java 20 onwards, the reasons for deprecation are valid for all versions so move away from them now. (markt)
  • Code: Refine the Tomcat native image metadata to avoid including unintended non-Tomcat resources. Pull request #569 provided by Sébastien Deleuze. (markt)
  • Update: Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28, 6.7.0-RC1). (markt)
  • Update: Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29, 1.16-SNAPSHOT). (markt)
  • Update: Update to Commons Daemon 1.3.3. (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to aa8eff6 (2022-11-29, 2.0-SNAPSHOT). (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)

2022-11-14 Tomcat 10.1.2 (markt)

Catalina

  • Add: 66209: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
  • Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
  • Fix: 66331: Fix a regression in refactoring for Stack on the SystemLogHandler which caught incorrect exception. (lihan)
  • Fix: 66338: Fix a regression that caused a nuance in refactoring for ErrorReportValve. (lihan)
  • Fix: Escape values used to construct output for the JsonErrorReportValve to ensure that it always outputs valid JSON. (markt)

Coyote

  • Fix: Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265. (markt)
  • Add: Include the name of the current stream state in the error message when a stream is cancelled due to an attempt to write to the stream when it is in a state that does not permit writes. (markt)
  • Code: NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL not to do so and remove checks for this return value. Based on #562 by tianshuang. (markt)
  • Code: Remove unnecessary code that exposed the asyncTimeout to components that never used it. (markt)

Jasper

  • Fix: 66294: Make the use of a privileged block to obtain the thread context class loader added to address 62080 optional and disabled by default. This is now controlled by the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property. (markt)
  • Fix: 66317: Fix for Lambda coercion security manager missing privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
  • Fix: 66325: Fix concurrency issue in evaluation of expression language containing lambda expressions. (markt)

jdbc-pool

  • Fix: 66346: Ensure all JDBC pool JARs are reproducible. Pull request #566 provided by John Neffenger. (markt)

Other

  • Update: Update to Commons Daemon 1.3.2. (markt)
  • Fix: 66323: Move module start up parameters from JDK_JAVA_OPTIONS to JAVA_OPTS now that the minimum Java version is 11 and these options are always required. (markt)
  • Add: Improvements to Chinese translations. Contributed by DigitalCat and lihan. (markt)
  • Add: Improvements to French translations. Contributed by Mathieu Bouchard. (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
  • Fix: Correct a regression in the removal of the APR connector that broke Graal native image support. Pull request #564 provided by Sébastien Deleuze. (markt)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
  • Update: Update the packaged version of the Apache Tomcat Migration Tool for Jakarta EE to 1.0.5. (markt)

2022-10-11 Tomcat 10.1.1 (markt)

Catalina

  • Fix: Update the RewriteValve to perform pattern matching using dotall mode to avoid unexpected behaviour if the URL includes encoded line terminators. (markt)

Coyote

  • Fix: 66276: Fix incorrect class cast when adding a descendant of HTTP/2 streams. (lihan)
  • Fix: 66281: Fix unexpected timeouts that may appear as client disconnections when using HTTP/2 and NIO2. (markt)
  • Fix: Enforce the requirement of RFC 7230 onwards that a request with a malformed content-length header should always be rejected with a 400 response. (markt)

Jasper

  • Fix: 66277: Fix regressions in refactoring from Stack ArrayDeque.
  • Add: Add support for specifying Java 20 (with the value 20) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

Web applications

  • Fix: Documentation. Document the nonceRequestParameterName attribute for the CsrfPreventionFilter. Based on #553 by Mert Ülkgün. (markt)

Other

  • Update: Update to the Eclipse JDT compiler 4.23. (markt)
  • Update: Update Objenesis to 3.2. (markt)
  • Update: Update UnboundID to 6.0.6. (markt)
  • Update: Update Checkstyle to 10.3.4. (markt)
  • Update: Update JaCoCo to 0.8.8. (markt)
  • Update: Update SpotBugs to 4.7.2. (markt)
  • Update: Update JSign to 4.2. (markt)
  • Update: Update Derby to 10.16.1.1. (markt)
  • Add: Improvements to Chinese translations. (markt)
  • Add: Improvements to Czech translations. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by tak7iji and Shirayuking. (markt)
  • Add: Improvements to Korean translations. (markt)
  • Add: Improvements to Spanish translations. (markt)

2022-09-26 Tomcat 10.1.0 (markt)

Coyote

  • Update: Update Panama OpenSSL code for the extensive Java 20 changes. (remm)
  • Fix: Fix a regression in refactoring for Hashtables which caused mbeans to lose many of their attributes. (remm)

Jasper

  • Add: 66203: Log an error message when the JSP compiler is unable to create the output directory for the generated code. (markt)

Other

  • Add: Further automation to the build process to reduce the number of manual steps that release managers must perform. (markt)

not released Tomcat 10.1.0-M20 (markt)

Coyote

  • Fix: Prepare OpenSSL Panama module for Java 20 API changes. (remm)

Other

  • Update: Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.4. (markt)

not released Tomcat 10.1.0-M19 (markt)

Coyote

  • Fix: Correct a regression in the previous fix for 66236. (markt)

not released Tomcat 10.1.0-M18 (markt)

Catalina

  • Fix: Correct handling of HTTP TRACE requests where there are multiple instances of an HTTP header with the same name. (markt)
  • Fix: Implement the requirements of RFC 7231 and do not include sensitive headers in responses to HTTP TRACE requests. (markt)
  • Fix: Implement the clarification in RFC 9110 that the units in HTTP range specifiers are case insensitive. (markt)
  • Fix: Properly-escape role and group information when writing MemoryUserDatabase to an XML file. (schultz)
  • Fix: Move control of XML-export logic from individual support classes into MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser, MemoryRole, and MemoryGroup classes. (schultz)
  • Fix: 66183: When logging cookie values in an access log valve and there are multiple cookies with the same name, log all cookie values rather than just the first. Based on pull request #541 by Han Li. (markt)
  • Fix: 66184: Ensure that JULI root loggers have a default level of INFO. Pull request #533 provided by Piotr P. Karwasz. (markt)
  • Fix: Improve handling of stack overflow errors when parsing SSI expressions. (markt)
  • Fix: 66120: Enable FORM authentication to work correctly if session persistence and restoration occurs during the authentication process. (markt)
  • Fix: 66233: Include an error message when sending a 400 response because a request has too many cookies. (markt)
  • Fix: When web application deployment fails due to JARs with duplicate fragment names, improve the error message by listing the JARs that contain the duplicates. Based on pull request #535 by Mads Rolsdorph. (markt)
  • Fix: Replace logging thread for JULI's AsyncFileHandler with an executor to protect against failure of the logging thread. Based on pull request #545 by Piotr P. Karwasz. (markt)

Coyote

  • Fix: Avoid potential NPE by skipping duplicate accept check when using a Unix Domain Socket. Based on #532 by Han Li. (markt)
  • Fix: Address an edge case in HTTP header parsing that allowed CRCRLF to be used as a valid line terminator. (markt)
  • Fix: Ensure HTTP/2 requests that include connection specific headers are rejected. (markt)
  • Fix: When processing HTTP/2 requests, allow a host header to be used in place of an :authority header. (markt)
  • Fix: When processing HTTP/2 requests, allow a host header and an :authority header to be present providing they are consistent. (markt)
  • Fix: When processing HTTP/2 requests, reject requests containing multiple host headers. (markt)
  • Fix: Make parsing of invalid filename directives in Content-Disposition headers more robust. Invalid filename directives will now be ignored rather than triggering a 500 response. (markt)
  • Fix: 66194: Log HTTP/2 stream closures (usually caused by client errors) via a UserDataHelper to broadly align it with the behaviour of HTTP/1.1 for parsing issues and exceeding limits. (markt)
  • Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when attempting to commit a response with an header value that includes one or more characters with a code point above 255. (markt)
  • Fix: 66236: Implement support for the special values zero and minus one when configuring maxSavePostSize for a Connector when used in conjunction with TLS renegotiation. (markt)
  • Fix: 66240: Avoid int overflow when parsing octets by limiting the maximum value to 255. Based on a PR #548 by Stefan Mayr. (lihan)
  • Fix: #550: Correctly handle case where a Servlet responds to a request with an expectation with a 2xx response without reading the request body. Pull request provided by Malay Shah. (markt)
  • Fix: #551: Avoid potential IndexOutOfBoundsException by fixing incorrect check when matching HTTP/2 preface. Submitted by 刘文章. (lihan)

Jasper

  • Fix: Improve handling of stack overflow errors when parsing EL expressions. (markt)
  • Fix: Correct parsing of integer and floating point literals in EL expressions so that larger values are correctly parsed to BigInteger and BigDecimal respectively. (markt)
  • Fix: 66235: Fix various issues with the bean resolver used for Graal. (remm)
  • Fix: Improve the performance of the ImportHandler in the Expression Language implementation. This removes a previous optimisation that is now detrimental rather than helpful. Pull request #547 provided by rmannibucau. (markt)
  • Fix: Improve handling of EL error messages so instances of Number are not formatted in unexpected ways. (markt/kkolinko)
  • Fix: Switch to using ELException rather than IllegalArgumentException when a type conversion fails during an EL arithmetic operation. This is an EL error so ELException seems more appropriate. (markt)
  • Fix: Fix a bug in MethodExpression handling that triggered an error when invoking a static method on an instance of the class rather than directly on the class. (markt)
  • Fix: Use BigInteger.remainder() rather than BigInteger.mod() when performing the modulus operation for instances of BigInteger as part of an EL expression. (markt)

Cluster

  • Fix: To aid future additions of new functionality, rather than throw an IllegalArgumentException if a DeltaRequest is passed an unrecognised action type, a warning message will now be logged. (markt)
  • Fix: 66120: Enable FORM authentication to work correctly if session failover occurs during the authentication process. (markt)

WebSocket

  • Add: 62312: Add support for authenticating WebSocket clients with an HTTP forward proxy when establishing a connection to a WebSocket endpoint via a forward proxy that requires authentication. Based on a patch provided by Joe Mokos. (markt)

Other

  • Fix: Ensure that zip archives use UTC for file modification times to ensure repeatable builds across time zones. (markt)
  • Add: Improvements to Chinese translations. (lihan)
  • Add: Improvements to Czech translations. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to German translations. (markt)
  • Add: Improvements to Japanese translations. Contributed by tak7iji and Shirayuking. (markt)
  • Add: Improvements to Korean translations. Contributed by 수현. (markt)
  • Add: Improvements to Brazilian Portuguese translations. (markt)
  • Add: Improvements to Russian translations. (markt)
  • Add: Improvements to Spanish translations. (markt)
  • Update: Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.3. (markt)

2022-07-20 Tomcat 10.1.0-M17 (markt)

Catalina

  • Fix: 66104: Avoid error message by not trying to clean up old files from the logging directory before the directory has been created. Based on #521 by HanLi. (markt)
  • Update: Update the Jakarta Common Annotations API to 2.1.1. This deprecates the ManagedBean annotation which will be removed in a future release. (markt)

Coyote

  • Add: Provide dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.handshake / org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake failures. (markt)
  • Add: Enable the use of the FIPS provider for TLS enabled Connectors when using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. (markt)
  • Code: Remove the jvmRoute system property used to configure a default value for the jvmRoute attribute of an Engine. (markt)
  • Update: Update experimental Panama modules with support for OpenSSL 3.0+. OpenSSL 1.1 remains supported. (remm)
  • Fix: Correct a regression in the refactoring to support experimentation with project Loom that broke HTTP/2 support if async IO was disabled. (markt)
  • Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that could cause HTTP/2 connections to unexpectedly fail. (markt)
  • Update: Refactor Panama module to better take advantage of the Panama preview API updates and fixes. Improves memory session usage and avoids some allocations. Review from Maurizio Cimadamore. (remm)
  • Update: Update the minimum recommended version of the Tomcat Native Library to 2.0.1. (markt)

Jasper

  • Add: Add support for specifying Java 19 (with the value 19) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

WebSocket

  • Update: Remove configuration settings related to the restriction on WebSocket endpoint deployment that was removed in version 2.1 of the specification. (markt)

Web applications

  • Fix: Documentation. 62245: Include contextXsltFile when discussing options for configuring directory listings. (markt)
  • Fix: Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the Form authentication example. (markt)
  • Fix: Documentation. Expand the description of the useSendfile attribute for HTTP/2 and reference the possibility of file locking when using this feature on Windows operating systems. (markt)

Other

  • Update: Update to bnd 6.3.1. (markt)
  • Update: The minimum Ant version required to build Tomcat 10.1.x is now 1.10.2. (markt)
  • Add: Add additional automation to the build process to reduce the number of manual steps that release managers must perform. (schultz)
  • Add: Implement support for reproducible builds. Reproducible builds are independent of operating system but require the same Ant version and same JDK (vendor and version) to be used as associated version information is embedded in a number of build outputs such as JAR file manifests. (markt)
  • Update: Update the minimum supported version of Tomcat Native to 1.2.34 to allow the removal of the deprecated Java API associated with features that will be removed in Tomcat Native 2.0.x. (markt)
  • Fix: Remove and/or update references to the removed org.apache.tomcat.util.threads.res package. The LocalStrings*.properties files in that package were moved to org.apache.tomcat.util.threads package for consistency with the rest of the Tomcat code base. (markt)
  • Fix: 66134: The NSIS based Tomcat installer for Windows now correctly handles the combination of TomcatAdminRoles defined in a configuration file and selecting the Manager and/or Host Manager web applications in the installer's GUI. (markt)
  • Update: Update the OWB module to Apache OpenWebBeans 2.0.27. (remm)
  • Update: Update the CXF module to Apache CXF 3.5.3. (remm)
  • Update: Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.1. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 2.0.1 to pick up the Windows binaries built with with OpenSSL 3.0.5. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed tak7iji. (markt)

2022-06-09 Tomcat 10.1.0-M16 (markt)

Catalina

  • Fix: Update the memory leak protection code to support stopping application created executor threads when running on Java 19 and later. (markt)
  • Fix: Improve the error message if a required --add-opens option is missing. (markt)
  • Fix: Disable the memory leak correction code enabled by the Context attribute clearReferencesObjectStreamClassCaches when running on a JRE that includes a fix for the underlying memory leak. (markt)
  • Fix: #515: Avoid deadlock on startup with some utility executor configurations. Submitted by Han Li. (remm)
  • Fix: 66068: Ensure that the changes made to a request by the RemoteIPValve persist after the request is put into asynchronous mode. (markt)
  • Add: Include the major version in the recommended version used for Tomcat Native with the AprLifecycleListener. (markt)
  • Code: Remove the reporting of the unused APR feature flags. (markt)

Coyote

  • Fix: Additional fix for 65118. Fix a potential NullPointerException when pruning closed HTTP/2 streams from the connection. (markt)
  • Code: Refactor synchronization blocks locking on SocketWrapper to use ReentrantLock to support users wishing to experiment with project Loom. (markt)
  • Fix: 66076: When using TLS with non-blocking writes and the NIO connector, ensure that flushing the buffers attempts to empty all of the output buffers. (markt)
  • Fix: 66084: Correctly calculate bytes written to a response. Pull request #516 provided by aooohan HanLi. (markt)
  • Add: Correct a regression in the support added for encrypted PKCS#1 formatted private keys in the previous release that broke support for unencrypted PKCS#1 formatted private keys. (jfclere/markt)
  • Update: Remove support for NPN when using the Tomcat Native Connector as NPN was never standardised and browser support for NPN was removed several years ago. (markt)

Jasper

  • Fix: Update XML schema used for generated web fragments to use the Servlet 6.0 web fragment schema. (markt)
  • Fix: Update the XML schema used by the web fragment defined for the Jasper EL JAR to use the Servlet 6.0 web fragment schema. (markt)
  • Fix: Update ImportHandler optimisation for new classes introduced in Java 19. (markt)

Web Socket

  • Fix: Update the XML schema used by the web fragment defined for the WebSocket JAR to use the Servlet 6.0 web fragment schema. (markt)

Web applications

  • Fix: 66064: Update the building page in the documentation web application to reflect changes in required Java version and source repository. (markt)
  • Fix: Documentation. Make the description of the HTTP/1.1 configuration attributes that control the maximum allowed HTTP header size more specific. (markt)

Tribes

  • Fix: Increase the default buffer size for replication messages from 43800 to 65536 bytes. This is expected to improve performance for large messages when running on Linux based systems. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by Shirayuking and tak7iji. (markt)
  • Add: Improvements to Chinese translations contributed by Dingzi2012. (markt)

2022-05-16 Tomcat 10.1.0-M15 (markt)

Catalina

  • Code: 65853: Refactor the CsrfPreventionFilter to make it easier for sub-classes to modify the nonce generation and storage. Based on suggestions by Marvin Fröhlich. (markt)
  • Fix: 65991: Avoid NPE with SSLAuthenticator when boundOnInit is used on a connector, during the check for client certificate authentication availability. (remm)
  • Fix: 66009: Use getSubjectX500Principal().toString() rather than getSubjectX500Principal().getName(...) to retrieve a certificate DN, to match the output of the deprecated getSubjectDN().getName() that was used previously. (remm)
  • Add: Revert the change in 10.1.0-M11 that added a mapping of Shift_JIS for the ja locale to the default mappings used by ServletResponse.setLocale() as it caused regressions for applications using UTF-8. (markt)
  • Add: Provide a property source that sources values from Kubernetes service bindings. Pull request #512 provided by Sumit Kulhadia and Gareth Evans. (markt)

Coyote

  • Add: #501: Add new maxHttpRequestHeaderSize and maxHttpResponseHeaderSize attributes which allow setting the maximum HTTP header sizes independently. If not specified, the value of the maxHttpHeaderSize connector attribute will be used. Submitted by Zhongming Hua. (remm)
  • Fix: The root cause of the Linux kernel duplicate accept bug has been identified along with the version of the kernel that includes the fix. The error message displayed when this bug occurs has been updated to reflect this new information and to advise users to update to a version of the OS that uses kernel 5.10 or later. Thanks to Christopher Gual for the research into this issue. (markt)
  • Code: Remove the custom UTF-8 decoder that was introduced to work around various UTF-8 decoding bugs in Java. These issues were fixed in early Java 8 releases. Now the minimum Java version is 11, we can be sure that Tomcat will not be running on a JRE where these issues are present. (markt)
  • Fix: 66023: Improve the fix for 65726 and support HTTP upgrade with a request body for a wider set of use cases. (markt)
  • Fix: 66035: Add NULL check on the SSL session reference in the Panama code before accessing the session id and creation time. (remm)
  • Add: Add support for encrypted PKCS#1 formatted private keys when configuring the internal, in memory key store. Based on #511. (jfclere/markt)
  • Fix: Remove the prestartminSpareThreads attribute of the StandardThreadExecutor since all core threads are always started by default making this attribute meaningless. Pull request #510 provided by Aooohan. (markt)

Jasper

  • Update: To align with the JSP 3.1 specification, make the jsp:plugin action a NO-OP. No HTML will be generated as a result the jsp:plugin action being included in a JSP. This is be because the associated HTML elements are no longer supported by any major browser. (markt)
  • Fix: 66031: Fix NPE when using a custom JspFactory. Patch by Jean-Louis Monteiro. (remm)

Webapps

  • Fix: 66008: In the documentation web application, clarify the recommendation for the use the trimSpaces option for Jasper in production environments. (markt)
  • Fix: Update the documentation web application to state that the EncryptInterceptor does not provide sufficient protection to run Tomcat clustering over an untrusted network. This is CVE-2022-29885. (markt)

Other

  • Add: Improvements to Chinese translations contributed by shawn. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to German translations contributed by Thomas Hoffmann. (markt)
  • Add: Improvements to Japanese translations contributed by Shirayuking. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Update: Update to Commons Daemon 1.3.1. This fixes a known regression in 1.3.0 when configuring the Windows service with custom scripts as described in 66055. (markt)
  • Update: Update to JSign 4.1. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.33 to pick up Windows binaries built with OpenSSL 1.1.1o.(markt)

2022-04-01 Tomcat 10.1.0-M14 (markt)

Catalina

  • Fix: 65736: Disable the forceString option for the JNDI BeanFactory and replace it with an automatic search for an alternative setter with the same name that accepts a String. This is a security hardening measure. (markt)
  • Add: Remove the WebappClassLoaderBase.getResources() method as it is not used and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals. (markt)

not released Tomcat 10.1.0-M13 (markt)

Catalina

  • Code: Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was renamed for Jakarta EE 10) including the implementation of the new methods on AuthConfigFactory. (markt)
  • Code: Harden the CredentialHandler implementations by switching to a constant-time implementation for credential comparisons. (schultz/markt)

Coyote

  • Fix: Use a constant for the default TLS cipher suite. This will allow skipping setting it in some cases (for example, it does not make sense for OpenSSL TLS 1.3). (remm)
  • Fix: #487: Improve logging of unknown settings frames. Pull request by Thomas Hoffmann. (remm)
  • Add: 65975: Add a warning if a TLS virtual host is configured with optional certificate authentication and the containing connector is also configured to support HTTP/2 as HTTP/2 does not permit optional certificate authentication. (markt)
  • Add: 65975: Add a warning if a TLS virtual host is configured for TLS 1.3 with a JSSE implementation and a web application is configured for CLIENT-CERT authentication. CLIENT-CERT authentication requires post-handshake authentication (PHA) when used with TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA. (markt)
  • Fix: Improve the recycling of Processor objects to make it more robust. (markt)

Jasper

  • Fix: 65959: Serialize Function as String[] rather Class[]. (remm)

Web applications

  • Fix: 65947: Correct the name of HTTP/1.1 configuration property (maxHttpHeaderSize) that is inherited by the HTTP/2 upgrade protocol. Thanks to Thomas Hoffmann. (markt)
  • Fix: 65952: Align --add-opens configuration for jsvc with the current Tomcat scripts. (markt)
  • Fix: Correct the AJP and HTTP/1.1 Connector configuration pages in the documentation web application to show which attributes are applicable to all Connectors and which are implementation specific. (markt)

Other

  • Fix: Correct a spelling mistake in the German translations. Thanks to Thomas Hoffmann. (markt)
  • Fix: 65951: Use the tomcat.output property for OSGi bundle manifest paths. (isapir)
  • Update: Update to Commons Daemon 1.3.0. (markt)
  • Update: Update to Checkstyle 10.0. (markt)
  • Update: Update to SpotBugs 4.6.0. (markt)
  • Add: Expand the spotbugs Ant task to also cover test code. (markt)
  • Update: Update to bnd 6.2.0. (markt)
  • Update: Remove OSGi annotations dependency as it is no longer required with bnd 6.2.0. (markt)
  • Update: Update to the Eclipse JDT compiler 4.23. (markt)
  • Code: Refactor the resource files for the Apache Tomcat installer for Windows so that all the resource files are located in a single directory in the source tree. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n.(markt)
  • Add: Improvements to Chinese translations contributed by 15625988003. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  • Add: Expand coverage of translations for jakarta.el package. Based on #488 from Volodymyr Siedlecki. (markt)

2022-03-14 Tomcat 10.1.0-M12 (markt)

Catalina

  • Fix: #477: Update the default list of JARs to skip to include the Apache Log4j JAR for Jakarta EE platforms. Pull request by Michael Seele. (markt)
  • Fix: 65921: The type substitution flag for the rewrite valve should set the content type for the response, not the request. (markt)
  • Fix: #479: Enable the rewrite valve to redirect requests when the original request cannot be mapped to a context. This typically happens when no ROOT context is defined. Pull request by elkman. (markt)
  • Fix: 65940: Fix NullPointerException if an exception occurs during the destruction of a Servlet. (markt)

Coyote

  • Fix: Fix regression introduced with 65757 bugfix which better identified non request threads but which introduced a similar problem when user code was doing sequential operations in a single thread. Test case code submitted by Istvan Szekely. (remm)
  • Fix: Fix potential thread-safety issue that could cause HTTP/1.1 request processing to wait, and potentially timeout, waiting for additional data when the full request has been received. (markt)
  • Fix: Throw IOException rather than IllegalStateException when the application attempts to write to an HTTP/2 stream after the client has closed the stream. (markt)

Jasper

  • Fix: When resolving methods in EL expressions that use beans and/or static fields, ensure that any custom type conversion is considered when identifying the method to call. (markt)

Web applications

  • Fix: Correct the name of the value attribute in the new documentation of OpenSSLConfCmd elements. (rjung)

WebSocket

  • Fix: Fix typo in JPMS substitution configuration for WebSocket client module. (markt)

2022-02-28 Tomcat 10.1.0-M11 (markt)

Catalina

  • Add: Add ha-api-*.jar and jaxws-rt-*.jar to the list of JARs to skip when scanning for TLDs, web fragments and annotations. (michaelo)
  • Add: Expand the default mappings used by ServletResponse.setLocale() to include a mapping from the ja locale to the Shift_JIS encoding. (markt)
  • Fix: 65806: Improve the handling of session ID generation when the default algorithm for SecureRandom (SHA1PRNG) is not supported by the configured providers as will be the case for a FIPS compliant configuration. (markt)
  • Add: #463: Add support for additional user attributes to TomcatPrincipal and GenericPrincipal. Patch provided by Carsten Klein. (michaelo)
  • Fix: #464: Fall back to the class loader used to load JULI when the thread context class loader is not set. In a normal Tomcat configuration, this will be the system class loader. Based on a pull request by jackshirazi. (markt)
  • Fix: #469: Include the Jakarata Annotations API in the classes that Tomcat will not load from web applications. Pull request provided by ppkarwasz. (markt)
  • Fix: Fix a potential StringIndexOutOfBoundsException exception when generating a WebDAV multi-status response after an error during a copy or delete. Report the paths relative to the server root for any resources with an error. (markt)
  • Fix: Improve the format of WebDAV XML responses to make them easier for humans to read. The change ensures that there is always a line break before starting a new element. (markt)
  • Fix: Improve validation of the Destination header for WebDAV MOVE and COPY requests. (markt)

Coyote

  • Fix: Correct a regression in the fix for 65454 that meant that minSpareThreads and maxThreads settings were ignored when the Connector used an internal executor. (markt)
  • Fix: 65776: Improve the detection of the Linux duplicate accept bug and reduce (hopefully avoid) instances of false positives. (markt)
  • Fix: 65848: Revert the change that attempted to align the behaviour of client certificate authentication with NIO or NIO2 with OpenSSL for TLS between MacOS and Linux/Windows as the root cause was traced to configuration differences. (markt)
  • Fix: #467: When system time moves backwards (e.g. after clock correction), ensure that the cached formatted current date used for HTTP headers tracks this change. Pull request provided by zhenguoli. (markt)

Jasper

  • Fix: #474: Prevent a tag file from corrupting the ELContext of the calling page. Pull request provided by Dmitri Blinov. (markt)
  • Fix: Minor optimisation of serialization for FunctionMapperImpl in response to pull request #476. (markt)

Web applications

  • Fix: Remove the applet example from the example web application as applets are no longer supported in any major browser. (markt)
  • Code: Refactor a small number of pages in the examples web application to avoid an issue with reproducible builds due to differences in file ordering across different operating systems with Ant's zip task. (markt)
  • Fix: Better documentation for the protocol attribute of the JNDIRealm. (markt)
  • Fix: Clarify the settings described in the documentation web application to configure a cluster using static membership. (markt)
  • Add: Add information on the OpenSSLConf and OpenSSLConfCmd elements to the HTTP SSL configuration page in the documentation web applications. (markt)

jdbc-pool

  • Code: Use LF line endings for text files in JARs to support reproducible builds across different operating systems. (markt)

Other

  • Code: Use LF line endings for text files in JARs to support reproducible builds across different operating systems. (markt)
  • Fix: Fix dependencies for individual test targets in Ant build file. Based on #468 provided by Totoo chenyonghui. (markt)
  • Update: Update the OWB module to Apache OpenWebBeans 2.0.26. (remm)
  • Fix: Revert the cherry-pick of JavaDoc fix from DBCP applied in 10.1.0.M9 that broke the DataSourceMXBean by using a type that isn't supported by MXBeans. (markt)
  • Add: Improvements to Chinese translations contributed by cloudgyb, totoo and Chenyonghui1028. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to German translations contributed by Andreas Abraham. (markt)
  • Add: Improvements to Japanese translations contributed by tak7iji and Shirayuking. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Add: Improvements to Spanish translations contributed by ceciliabarudi. (markt)

2022-01-20 Tomcat 10.1.0-M10 (markt)

Coyote

  • Fix: Correct a regression in the fix for 65785 that broke HTTP/2 server push. (markt)

not released Tomcat 10.1.0-M9 (markt)

Catalina

  • Fix: Add missing check in SessionCookieConfig.setAttribute() to ensure that the method fails if called after the web application has started. (markt)
  • Fix: Add additional locking to DataSourceUserDatabase to provide improved protection for concurrent modifications. (markt)
  • Fix: Add recycling check in the input and output stream isReady to try to give a more informative ISE when the facade has been recycled. (remm)
  • Fix: Make the calculation of the session storage location more robust when using file based persistent storage. (markt)

Coyote

  • Fix: 65726: Implement support for HTTP/1.1 upgrade when the request includes a body. The maximum permitted size of the body is controlled by maxSavePostSize. (markt)
  • Fix: Restore pre-starting of minSpareThreads lost in the fix for 65454. (markt)
  • Fix: Revert the previous fix for 65714 and implement a more comprehensive fix. (markt)
  • Fix: Allow freeing up context on JVM shutdown in the OpenSSL Panama module by properly using a shared scope. (remm)
  • Fix: 65757: Missing initial IO listener notification on Servlet container dispatch to another container thread. (remm)
  • Fix: Expand the fix for 65757 so that rather than just checking if processing is happening on a container thread, the check is now if processing is happening on the container thread currently allocated to this request/response. (markt)
  • Fix: Improve the fix for RST frame ordering added in 10.1.0-M8 to avoid a potential deadlock on some systems in non-default configurations. (markt)
  • Add: 65767: Add support for certificates that use keys encrypted using PBES2. Based on a pull request provided by xiezhaokun. (markt)
  • Code: Refactor testing whether a String is a valid HTTP token. (markt)
  • Fix: 65785: Perform additional validation of HTTP headers when using HTTP/2. (markt)
  • Fix: When a Connector or Endpoint is paused, ensure that only new connections and new requests on existing connections are stopped while allowing in progress requests to run to completion. (markt)
  • Fix: Explicitly release ByteBuffer instances associated with pooled channels when stopping the NioEndpoint and Nio2Endpoint. (markt)
  • Fix: Narrow the scope of the logging of invalid cookie headers to just the invalid cookie rather than the whole cookie header. (markt)

Jasper

  • Fix: 65724: Fix missing messages for some PropertyNotWritableExceptions caused by a typo in the name used for a resource string. (markt)
  • Add: Add support for specifying Java 18 (with the value 18) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)
  • Update: To align with the JSP 3.1 specification that requires Java 11 as a minimum, make the default JSP source version and target version Java 11. (markt)

WebSocket

  • Fix: Remove the ALLOW_UNSUPPORTED_EXTENSIONS system property. As per RFC 6455, all extensions are optional. If an endpoint declares an extension that isn't supported there is no need to trigger an error. The extension can just be excluded from the result of the negotiation. (markt)
  • Fix: Remove the DISABLE_BUILTIN_EXTENSIONS. It was added to enable Tomcat to pass the WebSocket TCK but after updates to the TCK, it is no longer required. (markt)
  • Add: Add support for POJO WebSocket endpoints to the programmatic upgrade that allows applications to opt to upgrade an HTTP connection to WebSocket. (markt)
  • Add: Add support for the WebSocket 2.1 client-side API for configuring TLS connection for wss client connections. (markt)
  • Fix: 65763: Improve handling of WebSocket connection close if a message write times out before the message is fully written. (markt)

Other

  • Update: Update the OWB module to Apache OpenWebBeans 2.0.25. (remm)
  • Update: Update the CXF module to Apache CXF 3.5.0. (remm)
  • Add: Improvements to Chinese translations contributed by zhnnn. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by Shirayuking, yoshy and tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Add: Improvements to Spanish translations contributed by Israel. (markt)
  • Update: Update SpotBugs to 4.5.2. (markt)
  • Update: Update to the Eclipse JDT compiler 4.22. (markt)
  • Update: Update the NSIS installer to 3.08. (markt)
  • Update: Update UnboundID to 6.0.3. (markt)
  • Update: Update CheckStyle to 9.2.1. (markt)
  • Update: Update BND to 6.1.0. (markt)
  • Update: Update OSGI annotations to 1.1.1. (markt)

2021-12-08 Tomcat 10.1.0-M8 (markt)

Catalina

  • Update: Log warning if a listener is not nested inside a Server element although it must have been. (michaelo)
  • Fix: Where the getter can be called safely, remove the checks for ServletContext getters called from a contextInitialized() method of a ServletContextListener that was not defined in a web.xml file, a web-fragment.xml file nor annotated with WebListener. (markt)
  • Fix: Make SPNEGO authentication more robust for the case where the provided credential has expired. (markt)
  • Fix: Limit cookie support to RFC 6265 to align with recent updates to the Servlet specification. (markt)
  • Fix: 65684: Fix a potential NullPointerException when using JULI. (markt)
  • Docs: Document conditions under which the AprLifecycleListener can be used to avoid JVM crashes. (michaelo)
  • Fix: Refactor the AsyncFileHandler to reduce the possibility of log messages being lost on shutdown. (markt)
  • Update: Refactor the AsyncFileHandler to remove the need for the org.apache.juli.AsyncLoggerPollInterval. If set, this property now has no effect. (markt)
  • Add: Add debug logging to the RestCsrfPreventionFilter. Based on pull request #452 by Polina Georgieva. (markt)

Coyote

  • Add: Use implicit scopes in the OpenSSL Panama module to tie the cleanup of OpenSSL memory to the Java GC. (remm)
  • Add: Provide protection against a known OS bug that causes the acceptor to report an incoming connection more than once. (markt)
  • Fix: Avoid unnecessary duplicate read registrations for blocking I/O with the NIO connector. (markt)
  • Fix: 65677: Improve exception handling for errors during HTTP/1.1 reads with NIO2. (markt)
  • Fix: When an error occurs that triggers a stream reset, ensure that the first RST frame sent to the client is the one associated with the error that triggered the reset. (markt)
  • Fix: 65714: Fix exceptions when the security manager is enabled and the first request received after starting is an HTTP request to a TLS enabled NIO2 connector. (markt)
  • Add: Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way on MacOS as it does on Linux and Windows when no trusted certificate authorities are configured and reject all client certificates. (markt)
  • Fix: Avoid a potential deadlock during the concurrent processing of incoming HTTP/2 frames for a stream and that stream being reset. (markt)

WebSocket

  • Add: Update the WebSocket API packaging to remove the copy of the client API from the server API and replace it with a dependency on the client API. This aligns Tomcat with changes in the WebSocket 2.1 specification. (markt)

2021-11-15 Tomcat 10.1.0-M7 (markt)

Catalina

  • Code: Refactor HttpServlet so the default doHead() implementation now calls doGet() and relies on the container to ensure that the response body is not sent. The previous behaviour (wrapping the response) may be enabled per Servlet by setting the jakarta.servlet.http.legacyDoHead Servlet initialisation parameter to true. This aligns Tomcat with recent changes updates for Servlet 6.0 in the Jakarta Servlet specification project. (markt)
  • Add: Add support for setting generic attributes for session cookies. This aligns Apache Tomcat with recent changes in the Jakarta Servlet specification project. (markt)
  • Fix: Do not add a trailing / to a request URI during canonicalization. (markt)
  • Fix: Invalid byte sequences (typically in %nn form) in a request URi that are not valid for the given URI encoding now trigger a 400 response. (markt)
  • Fix: Ensure that a request URI starts with a /. (markt)
  • Add: Add a new Connector option, rejectSuspiciousURIs that will causes 'suspicious' (see the Servlet 6.0 specification) URIs to be rejected with a 400 response. (markt)
  • Fix: Improve robustness of JNDIRealm for exceptions occurring when getting the connection. Also add missing close when running into issues getting the passord of a user. (remm)
  • Docs: Add Javadoc comment which listeners must be nested within Server elements only. (michaelo)
  • Add: Add support for custom caching strategies for web application resources. This initial implementation allows control over whether or not a resource is cached. (markt)

Coyote

  • Code: Improve performance of Connector shutdown - primarily to reduce the time it takes to run the test suite. (markt)
  • Add: #457: Add a toString() method to MimeHeader to aid debugging. (dblevins)
  • Add: Add experimental OpenSSL support through the Panama API incubating in Java 17, with support for OpenSSL 1.1+. This no longer requires tomcat-native or APR. Please refer to the openssl-java17 module for more details. (remm)

Jasper

  • Update: Regenerate the EL parser using JavaCC 7.0.10. (markt)
  • Fix: Fix a bug that prevented the EL parser correctly parsing a literal Map that used variables rather than literals for both keys and values. (markt)
  • Update: Ensure that the getType() method of any ELResolver implementation returns null if either the ELResolver or the resolved property is read-only to align Tomcat with recent updates in the Jakarta EL specification project. (markt)
  • Fix: Implement an alternative solution to support the JSP page directive attribute isThreadSafe now that the SingleThreadModel interface has been removed from the Servlet API. The new approach synchronizes the service() method.

WebSocket

  • Update: Add a new method ServerEndpointConfig.Configurator.getContainerDefaultConfigurator() to align with recent updates in the WebSocket specification project. (markt)
  • Update: Add a new method ServerContainer.upgradeHttpToWebSocket() to align with recent updates in the WebSocket specification project. (markt)

Tribes

  • Fix: #454: Differentiate warning messages in KubernetesMembershipProvider so that the missing attribute is clear to the user. PR provided by Hal Deadman. (markt)

Other

  • Fix: Switch from Cobertura to JaCoCo for code coverage as Cobertura does not support code coverage for code compiled for Java 11 onwards. It also removes the need to use a single thread to run the tests. (markt)

2021-10-01 Tomcat 10.1.0-M6 (markt)

Catalina

  • Fix: Provide the DataSource in the constructor of DataSourceUserDatabase, since it is always global. (remm)
  • Fix: Fix delete then create object manipulations with DataSourceUserDatabase. (remm)
  • Update: Remove all deprecated code from the Servlet API to align Tomcat with recent changes in the Jakarta Servlet specification project. (markt)
  • Add: Add the currently available Jakarta EE 10 schemas from the Jakarta EE schema project. (markt)
  • Add: Implement the new connection ID and request ID API for Servlet 6.0. (markt)
  • Fix: 65553: Implement a work-around for a JRE bug that can trigger a memory leak when using the JNDI realm. (markt)
  • Fix: 65586: Fix the bloom filter used to improve performance of archive file look ups in the web resources implementation so it works correctly for directory lookups whether or not the provided directory name includes the trailing /. (markt)
  • Fix: #451: Improve the usefulness of the thread name cache used in JULI. Pull request provided by t-gergely. (markt)

Coyote

  • Fix: 65563: Correct parsing of HTTP Content-Range headers. Tomcat was incorrectly requiring an = character after bytes. Fix based on pull request #449 by Thierry Guérin. (markt)
  • Fix: Correct a potential StackOverflowException with HTTP/2 and sendfile. (markt)
  • Fix: Further improvements in the management of the connection flow control window. This addresses various bugs that caused streams to incorrectly report that they had timed out waiting for an allocation from the connection flow control window. (markt)
  • Fix: 65577: Fix a AccessControlException reporting when running an NIO2 connector with TLS enabled. (markt)
  • Update: Reclassify TLS ciphers that use AESCCM8 as medium security rather than high security to align with recent changes in OpenSSL. (markt)
  • Fix: Fix an issue that caused some Servlet non-blocking API reads of the HTTP request body to incorrectly use blocking IO. (markt)

Jasper

  • Code: Deprecate ELResolver.getFeatureDescriptors to align Tomcat with recent updates in the Jakarta EL specification project. (markt)
  • Add: Add support for default methods to BeanRELResolver to align Tomcat with recent updates in the Jakarta EL specification project. (markt)
  • Add: Add support for MethodReference and the associated getter on MethodExpression to align Tomcat with recent updates in the Jakarta EL specification project. (markt)
  • Add: Refactor ScopedAttributeELResolver to separate out the functionality that is unrelated to scoped attributes into two new resolvers: ImportELResolver and NotFoundELResolver. This aligns Tomcat with recent updates to the Jakarta Server Pages specification. (markt)
  • Fix: Fix the implementation of MethodExpression.getMethodInfo() so that it returns the expected value rather than failing when the method expression is defined with the parameter values in the expression rather than the types being passed explicitly to ExpressionFactory.createMethodExpression(). (markt)
  • Add: Add support for a new page/tag directive errorOnELNotFound that can be used to trigger an identifier if an EL expression in a page/tag contains an identifier that cannot be resolved. (markt)

WebSocket

  • Fix: The internal upgrade handler should close the associated WebConnection on destroy. (remm)

Web applications

  • Update: Update the web applications that are included with Apache Tomcat to use the Jakarta EE 10 schema for web.xml. (markt)
  • Fix: Clarify the JASPIC configuration options in the documentation web application. (markt)

Other

  • Fix: 65585: Update obsolete comments at the start of the build.properties.default file. (markt)

2021-09-10 Tomcat 10.1.0-M5 (markt)

Catalina

  • Fix: Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt)
  • Fix: Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly. i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt)
  • Fix: 65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt)
  • Update: Improve the reusability of the UserDatabase by adding intermediate concrete implementation classes and allowing to do partial database updates on save. (remm)
  • Code: Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt)
  • Add: Add a UserDatabase implementation as a superset of the DataSourceRealm functionality. (remm)
  • Fix: Make sure the dynamic Principal returned by UserDatabaseRealm stays up to date with the database contents, and add an option to have it be static, similar to the other realms. (remm)
  • Add: Add derby-*.jar to the list of JARs to skip when scanning for TLDs, web fragments and annotations. (markt)
  • Fix: #447. Correct JPMS metadata for catalina.jar. Pull request provided by Hui Wang. (markt)

Coyote

  • Fix: Correct a logic error that meant setting certificateKeystoreFile to NONE did not have the expected effect. NONE was incorrectly treated as a file path. Patch provided by Mikael Sterner. (markt)
  • Code: Remove the deprecated APR/Native connector which includes the HTTP APR and the AJP APR connector. Also remove the Java interfaces to the APR/Native library that are not used by the OpenSSL integration for the NIO and NIO2 connectors. (markt)
  • Code: Refactor the JSSE/OpenSSL integration to avoid the use of finalize(). (markt)
  • Fix: 65505: When an HTTP header value is removed, ensure that the order of the remaining header values is unchanged. (markt)

WebSocket

  • Fix: 65506: Fix write timeout check that was using the read timeout value. Patch submitted by Gustavo Mahlow. (remm)

Web applications

  • Fix: Remove unnecessary Context settings from the examples web application. (markt)
  • Fix: Document default value for unpackWARs and related clean-up. Pull request #439 provided by Robert Rodewald. (markt)
  • Fix: Clarify the documentation of the compressionMinSize and compressibleMimeType HTTP Connector attributes. Pull request #442 provided by crisgeek. (markt)

Tribes

  • Code: Refactor the ParallelNioSender to avoid the use of finalize(). (markt)

Other

  • Fix: Fix failing build when building on non-English locales. Pull request #441 provided by Dachuan J. (markt)
  • Update: Update to JSign version 4.0 to enable code signing without the need for the installation of additional client tools. (markt)
  • Update: Add Apache Derby 10.15.2.0 to the testsuite dependencies, for JDBC and DataSource testing. (remm)
  • Add: Update the internal fork of Apache Commons BCEL to 40d5eb4 (2021-09-01, 6.6.0-SNAPSHOT). Code clean-up only. (markt)
  • Add: Update the internal fork of Apache Commons Codec to fd44e6b (2021-09-01, 1.16-SNAPSHOT). Minor refactoring. (markt)
  • Add: 65661: Update the internal fork of Apache Commons FileUpload to 33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As a result of Commons File Upload now using java.nio.file.Files, applications using multi-part uploads need to ensure that the JVM is configured with sufficient direct memory to store all in progress multi-part uploads. (markt)
  • Add: Update the internal fork of Apache Commons Pool to 2.11.1 (2021-08-17). Improvements, code clean-up and refactoring. (markt)
  • Add: Update the internal fork of Apache Commons DBCP to 2.9.0 (2021-08-03). Improvements, code clean-up and refactoring. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.31 to pick up Windows binaries built with OpenSSL 1.1.1l.(markt)
  • Update: Switch to the CDN as the primary download location for ASF dependencies. (markt)
  • Add: Improvements to Chinese translations contributed by syseal, wolibo, ZhangJieWen and DigitalFatCat. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)

2021-08-06 Tomcat 10.1.0-M4 (markt)

WebSocket

  • Fix: Correct a regression in the Java 8 to Java 11 changes made in 10.1.0-M3 that caused all WebSocket end points to fail to register. (markt)

not released Tomcat 10.1.0-M3 (markt)

General

  • Update: Update the minimum required Java version to Java 11. (markt)

Catalina

  • Code: Incremented the supported Jakarta Servlet version to 6.0 to align with the current development branch of the Jakarta Servlet specification. Plans have changed and the next iteration of the Servlet specification will be 6.0 rather than 5.1. (markt)
  • Fix: 65411: Always close the connection when an uncaught NamingException occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm)
  • Fix: 65433: Correct a regression in the fix for 65397 where a StringIndexOutOfBoundsException could be triggered if the canonical path of the target of a symlink was shorter than the canonical path of the directory in which the symlink had been created. Patch provided by Cedomir Igaly. (markt)
  • Add: 65443: Refactor the CorsFilter to make it easier to extend. (markt)
  • Fix: To avoid unnecessary cache revalidation, do not add an HTTP Expires header when setting adding an HTTP header of CacheControl: private. (markt)
  • Code: Refactor JULI's custom LogManager, the web application class loader implementation, the web resources implementation, the JreLeakPreventionListener implementation and the StandardJarScanner implementation to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)
  • Code: Remove all references to the endorsed standards override feature and the specifying of optional packages (extensions) in the manifest as these are not supported in Java 11. (markt)

Coyote

  • Fix: When writing an HTTP/2 response via sendfile (only enabled when useAsyncIO is true) the connection flow control window was sometimes ignored leading to various error conditions. sendfile now checks both the stream and connection flow control windows before writing. (markt)
  • Add: Add debug logging for writing an HTTP/2 response via sendfile. (markt)
  • Fix: Correct bugs in the HTTP/2 connection flow control management that meant it was possible for a connection to stall waiting for a connection flow control window update that had already arrived. Any streams on that connection that were trying to write when this happened would time out. (markt)
  • Fix: 65448: When using TLS with NIO, it was possible for a blocking response write to hang just before the final TLS packet associated with the response until the connection timed out at which point the final packet would be sent and the connection closed. (markt)
  • Fix: 65454: Fix a race condition that could result in a delay to a new request. The new request could be queued to wait for an existing request to finish processing rather than the thread pool creating a new thread to process the new request. (markt)
  • Fix: 65460: Correct a regression introduced in the previous release in the change to reduce the number of small HTTP/2 window updates sent for streams. A logic error meant that small window updates for the connection were dropped. This meant that the connection flow window slowly reduced over time until nothing could be sent. (markt)
  • Fix: Remove NIO workarounds and code that is no longer needed with Java 11. (remm)
  • Code: Refactor the endpoints to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)

Jasper

  • Code: Add additional generics to the EL API to align with the latest changes in the EL specification project. (markt)
  • Add: Enable EL lambda expressions to be coerced to functional interfaces. This is an implementation of a proposed extension to the Jakarta Expression Language specification. (markt)
  • Code: Refactor the EL API and implementation to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)

WebSocket

  • Code: Refactor the WebSocket implementation to remove Java 8 specific code now that the minimum Java version has been increased to 11. (markt)

Web applications

  • Fix: 65404: Correct a regression in the fix for 63362 that caused the server status page in the Manager web application to be truncated if HTTP upgrade was used such as when starting a WebSocket connection. (markt)

Other

  • Add: Improvements to Chinese translations contributed by ZhangJieWen and chengzheyan. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Fix: Use of GraalVM native images no longer automatically disables JMX support. JMX support may still be disabled by calling org.apache.tomcat.util.modeler.Registry.disableRegistry(). (markt)

2021-07-02 Tomcat 10.1.0-M2 (markt)

Catalina

  • Code: Refactor the RemoteIpValve to use the common utility method for list to comma separated string conversion. (markt)
  • Code: Refactor JNDIRealm$JNDIConnection so its fields are accessible to sub-classes of JNDIRealm. (markt)
  • Fix: Fix serialization warnings in UserDatabasePrincipal reported by SpotBugs. (markt)
  • Fix: 65397: Calls to ServletContext.getResourcePaths() no longer include symbolic links in the results unless allowLinking has been set to true. If a resource is skipped because of this change, a warning will be logged as this typically indicates a configuration issue. (markt)

Coyote

  • Fix: 65368: Improve handling of clean closes of inbound TLS connections. Treat them the same way as clean closes of non-TLS connections rather than as unknown errors. (markt)
  • Fix: Modify the HTTP/2 connector not to sent small updates for stream flow control windows to the user agent as, depending on how the user agent is written, this may trigger small writes from the user agent that in turn trigger the overhead protection. Small updates for stream flow control windows are now combined with subsequent flow control window updates for that stream to ensure that all stream flow control window updates sent from Tomcat are larger than overheadWindowUpdateThreshold. (markt)
  • Add: Add additional debug logging to track the current state of the HTTP/2 overhead count that Tomcat uses to detect and close potentially malicious connections. (markt)
  • Update: Many HTTP/2 requests from browsers will trigger one overhead frame and one non-overhead frame. Change the overhead calculation so that a non-overhead frame reduces the current overhead count by 2 rather than 1. This means that, over time, the overhead count for a well-behaved connection will trend downwards. (markt)
  • Update: Change the initial HTTP/2 overhead count from -10 to -10 * overheadCountFactor. This means that, regardless of the value chosen for overheadCountFactor, when a connection opens 10 overhead frames in a row will be required to trigger the overhead protection. (markt)
  • Update: Increase the default overheadCountFactor from 1 to 10 and change the reduction in overhead count for a non-overhead frame from -2 to -20. This allows for a larger range (0-20) to be used for overheadCountFactor providing for finer-grained control. (markt)
  • Fix: Modify the parsing of HTTP header values that use the 1#token to ignore empty elements as per RFC 7230 section 7 instead of treating the presence of empty elements as an error. (markt)
  • Fix: Expand the unit tests for HttpServlet.doHead() and correct the flushing of the response buffer. The buffer used to behave as if it was one byte smaller than the configured size. The buffer was flushed (and the response committed if required) when the buffer was full. The buffer is now flushed (and the response committed if required) if the buffer is full and there is more data to write. (markt)
  • Fix: Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the same connection could hang and eventually timeout when async IO was enabled (it is enabled by default). (markt)

Jasper

  • Fix: 65387: Correct a regression in the fix for 65124 and restore the local definition of out for tags that implement TryCatchFinally. (markt)
  • Fix: 65390: Correct a regression in the fix for 65124 and restore code that was removed in error leading to JSP compilation failures in some circumstances. (markt)
  • Update: Update to the Eclipse JDT compiler 4.20. (markt)
  • Add: Add support for specifying Java 17 (with the value 17) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the latest supported version will used. (markt)
  • Fix: 65377: Update the Java code generation for JSPs not to use the boxed primitive constructors as they have been deprecated in Java 9 and marked for future removal in Java 16. valueOf() is now used instead. (markt)

WebSocket

  • Code: Refactor the DigestAuthenticator to reuse a shared SecureRandom instance rather than create a new one to generate the cnonce if required. (markt)

Web applications

  • Fix: 65385: Correct the link in the documentation web application the Maven Central repository. (markt)

Other

  • Add: Use JSign to integrate the build script with the code signing service to enable release builds to be created on Linux as well as Windows. (markt)
  • Update: Update the OWB module to Apache OpenWebBeans 2.0.23. (remm)
  • Update: Update the CXF module to Apache CXF 3.4.4. (remm)
  • Fix: 65369 / #422: Add the additional --add-opens=... options required for running Tomcat on Java 16 onwards to the service.bat script to align it with the other start-up scripts. PR provided by MCMicS. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Korean translations. (woonsan)
  • Update: Update JUnit to version 4.13.2. (markt)
  • Update: Update EasyMock to 4.3. (markt)
  • Update: Update Objenesis to 3.2. (markt)
  • Update: Update UnboundID to 6.0.0. (markt)
  • Update: Update CheckStyle to 8.43. (markt)
  • Update: Update SpotBugs to 4.2.3. (markt)
  • Update: Update OSGi annotations to 1.1.0. (markt)

2021-06-15 Tomcat 10.1.0-M1 (markt)

General

  • Code: This release contains all of the changes up to and including those in Apache Tomcat 10.0.6 plus the additional changes listed below. (markt)
  • Code: Remove code previously marked for removal in Tomcat 10.1.x. (markt)

Catalina

  • Code: Incremented the supported Jakarta Servlet version to 5.1 to align with the current development branch of the Jakarta Servlet specification. (markt)
  • Fix: 65301: RemoteIpValve will now avoid getting the local host name when it is not needed. (remm)
  • Fix: 65308: NPE in JNDIRealm when no userRoleAttribute is given. (fschumacher)
  • Add: #412: Add commented out, sample users for the Tomcat Manager app to the default tomcat-users.xml file. Based on a PR by Arnaud Dagnelies. (markt)
  • Add: #418: Add a new option, pass-through, to the default servlet's useBomIfPresent initialization parameter that causes the default servlet to leave any BOM in place when processing a static file and not to use the BOM to determine the encoding of the file. Based on a pull request by Jean-Louis Monteiro. (markt)
  • Fix: #419: When processing POST requests of type multipart/form-data for parts without a filename that are added to the parameter map in String form, check the size of the part before attempting conversion to String. Pull request provided by tianshuang. (markt)
  • Add: Implement the new Cookie methods setAttribute(), getAttribute() and getAttributes() introduced in Servlet 6.0. (markt)
  • Fix: AprLifecycleListener does not show dev version suffix for libtcnative and libapr. (michaelo)
  • Update: Refactor principal handling in UserDatabaseRealm using an inner class that extends GenericPrincipal. (remm)
  • Fix: Enable the default doHead() implementation in HttpServlet to correctly handle responses where the content length needs to be represented as a long since it is larger than the maximum value that can be represented by an int. (markt)
  • Fix: Avoid synchronization on roles verification for the memory UserDatabase. (remm)
  • Fix: Fix the default doHead() implementation in HttpServlet to correctly handle responses where the Servlet calls ServletResponse.reset() and/or ServletResponse.resetBuffer(). (markt)
  • Fix: Fix the default doHead() implementation in HttpServlet to correctly handle responses generated using the Servlet non-blocking API. (markt)

Coyote

  • Fix: 65303: Fix a possible NullPointerException if an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on a pushed HTTP/2 stream. (markt)
  • Update: Simplify AprEndpoint socket bind for all platforms. (michaelo)
  • Fix: 65340: Add missing check for a negative return value for Hpack.decodeInteger in the HpackDecoder, which could cause a NegativeArraySizeException exception. Submitted by Thomas, and verified the fix is present in the donated hpack code in a further update. (remm)
  • Add: Add debug logging for HTTP/2 HPACK header decoding. (markt)
  • Fix: Correct parsing of HTTP headers consisting of a list of tokens so that a header with an empty token is treated consistently regardless of whether the empty token is at the start, middle or end of the list of tokens. (markt)
  • Fix: Remove support for the identity transfer encoding. The inclusion of this encoding in RFC 2616 was an error that was corrected in 2001. Requests using this transfer encoding will now receive a 501 response. (markt)
  • Fix: Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1 clients. (markt)
  • Fix: Ensure that if the transfer encoding header contains the chunked, that the chunked encoding is the final encoding listed. (markt)

Jasper

  • Code: Incremented the supported Jakarta Expression Language version to 5.0 to align with the current development branch of the Jakarta Expression Language specification. (markt)
  • Code: Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt)
  • Code: Refactor use of internal ChildInfo class to use compile time type checking rather than run time type checking. (markt)
  • Fix: 65124: Partial fix. When generating Java source code to call a tag handler, only define the local variable JspWriter out when it is going to be used. (markt)
  • Code: Add generics to the EL 5.0 API to align with the current EL 5.0 development branch. (markt)
  • Update: Update the web-fragment.xml included in jasper.jar and jasper-el.jar to use the Servlet 5.0 schema. (markt)
  • Fix: Update JspC to generate web.xml and web-fragment.xml files using Servlet 5.0 schemas. (markt)
  • Code: Remove the deprecated method MethodExpression.isParmetersProvided() from the EL API to align with the current EL 5.0 development branch. (markt)
  • Fix: 65358: Improve expression language method matching for methods with varargs. Where multiple methods may match the provided parameters, the method that requires the fewest varargs is preferred. (markt)
  • Add: 65332: Add a commented out section in catalina.policy that provides the necessary permissions to compile JSPs with javac when running on Java 9 onwards with a security manager. It is commented out as it will cause errors if used with earlier Java versions. (markt)

WebSocket

  • Fix: 65317: When using permessage-deflate, the WebSocket connection was incorrectly closed if the uncompressed payload size was an exact multiple of 8192. Based on a patch provided by Saksham Verma. (markt)
  • Update: Update the web-fragment.xml included in tomcat-websocket.jar to use the Servlet 5.0 schema. (markt)
  • Fix: 65342: Correct a regression introduced with the fix for 65262 that meant Tomcat's WebSocket implementation would only work with Tomcat's implementation of the Jakarta WebSocket API. (markt)

Web applications

  • Fix: Improve the description of the maxConnections and acceptCount attributes in the Connector section of the documentation web application. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Korean translations. (woonsan)
  • Fix: 65362: Correct a regression in the previous release. The change to create OSGi Require-Capability sections in manifests for Jakarta API JARs manually rather than with bnd annotations did not add the necessary manual entries to the embedded JARs. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.30. Also update the minimum recommended version to 1.2.30. (markt)