Apache Tomcat^®

Announcements from previous years can be found here:

• year 2020
• year 2019
• year 2018
• year 2017
• year 2016
• year 2015
• year 2014
• year 2013
• year 2012
• year 2011
• year 2010

The Apache Tomcat Project is proud to announce the release of version 9.0.34 of Apache Tomcat. The notable changes compared to 9.0.33 include:

• Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann.
• When configuring an HTTP Connector, warn if the encoding specified for URIEncoding is not a superset of US-ASCII as required by RFC 7230.
• Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 10.0.0-M4 of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 9.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

The notable changes in this release are:

• Replace configuration via system property with configuration via an attribute on the appropriate element where practical. A large number of system properties have been replaced.
• Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann.
• Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences.

Full details of these changes, and all the other changes, are available in the Tomcat 10 (alpha) changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.54 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.53 include:

• Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann.
• When configuring an HTTP Connector, warn if the encoding specified for URIEncoding is not a superset of US-ASCII as required by RFC 7230.
• Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 7.0.103 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.100.

• Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein
• A zero length AJP secret will now behave as if it has not been specified.
• Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Note: End of life date for Apache Tomcat 7.0.x is announced. Read more...

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.33 of Apache Tomcat. The notable changes compared to 9.0.31 include:

• Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein
• A zero length AJP secret will now behave as if it has not been specified.
• Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.53 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.51 include:

• Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein
• A zero length AJP secret will now behave as if it has not been specified.
• Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 10.0.0-M3 of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 9.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

The notable changes in this release are:

• Disable session persistence by default on restart
• Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein
• A zero length AJP secret will now behave as if it has not been specified.

Full details of these changes, and all the other changes, are available in the Tomcat 10 (alpha) changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 10.0.0-M1 of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 9.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

The notable changes in this release are:

• Update to Jakarta Servlet 5.0, Jakarta Server Pages 3.0. Jakarta Expression Language 4.0, Jakarta WebSocket 2.0, Jakarta Authentication 2.0 and Jakarta Annotations 2.0 specifications.
• Use <request-character-encoding> and <response-character-encoding> in conf/web.xml to set the default request and response character encodings to UTF-8.
• Remove duplication of HTTP/1.1 configuration on the HTTP/2 UpgradeProtocol element. Configuration from the main Connector element will now be used.

Full details of these changes, and all the other changes, are available in the Tomcat 10 (alpha) changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 7.0.100 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.99.

• AJP defaults changed to listen the loopback address, require a secret and to be disabled in the sample server.xml file. If you are using the AJP protocol, please refer to the Migration Guide and update your configuration.
• The JmxRemoteLifecycleListener is now deprecated
• The HTTP Connector attribute rejectIllegalHeaderName is renamed to rejectIllegalHeader and expanded to include header values as well as names

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Note: End of life date for Apache Tomcat 7.0.x is announced. Read more...

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.31 of Apache Tomcat. The notable changes compared to 9.0.30 include:

• AJP defaults changed to listen the loopback address, require a secret and to be disabled in the sample server.xml file. If you are using the AJP protocol, please refer to the Migration Guide and update your configuration.
• The JmxRemoteLifecycleListener is now deprecated
• The HTTP Connector attribute rejectIllegalHeaderName is renamed to rejectIllegalHeader and expanded to include header values as well as names

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.51 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.50 include:

• AJP defaults changed to listen the loopback address, require a secret and to be disabled in the sample server.xml file. If you are using the AJP protocol, please refer to the Migration Guide and update your configuration.
• The JmxRemoteLifecycleListener is now deprecated
• The HTTP Connector attribute rejectIllegalHeaderName is renamed to rejectIllegalHeader and expanded to include header values as well as names

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download