Changelog

Tomcat 11.0.0-M18 (markt)

General

  • Update: Reduce the minimum supported Java version to Java 17. (markt)

Catalina

  • Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm)
  • Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt)
  • Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. The org.apache.catalina.Executor interface now extends ExecutorService. (remm)
  • Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt)
  • Fix: After forwarding a request, attempt to unwrap the response in order to suspend it, instead of simply closing it if it was wrapped. Add a new suspendWrappedResponseAfterForward boolean attribute on Context to control the bahavior, defaulting to true. (remm)
  • Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt)
  • Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm)
  • Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm)

Coyote

  • Fix: Fix bad symbol lookup use in the OpenSSL FFM code. (remm)
  • Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt)

Jasper

  • Add: Add method invocation support for java.util.Optional via the jakarta.el.OptionalELResolver to Tomcat's implementation of the Jakarta EL API to align with the latest proposals for the Jakarta EL 6.0 API. The property support has also been refined for greater consistency. (markt)
  • Update: The defaults for compilerSourceVM and compilerTargetVM have been updated to 17 to align with Java 17 being the minimum Java version required for Tomcat 11. (markt)

Cluster

  • Fix: Avoid updating request count stats on async. (remm)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2024-02-19 Tomcat 11.0.0-M17 (markt)

Catalina

  • Add: Implement HttpSession.getAccessor() which provides a mechanism for applications to interact with an HttpSession outside the standard Servlet processing of an HTTP request. This is expected to be especially useful with applications using the Jakarta WebSocket API. (markt)
  • Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt)
  • Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt)
  • Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz)
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
  • Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
  • Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt)

Coyote

  • Fix: Setting a null value for a cookie attribute should remove the attribute. (markt)
  • Fix: Optimize state handling for OpenSSL context callbacks with the FFM API. (remm)
  • Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt)
  • Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext.
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm)
  • Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altındağ. (markt)
  • Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt)
  • Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt)
  • Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt)

Jasper

  • Fix: Additional fixes to correctly support length as a read-only property of an array via the ArrayELResolver. (markt)
  • Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm)
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)

WebSocket

  • Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt)
  • Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
  • Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt)

Web applications

  • Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz)

Other

  • Fix: Correct the remaining OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. Based on pull request #685 provided by Paul A. Nicolucci. (markt)
  • Update: Update Checkstyle to 10.13.0. (markt)
  • Update: Update JSign to 6.0. (markt)
  • Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)
  • Update: Update Tomcat Native to 2.0.7. (markt)
  • Update: Add strings for debug level messages. (remm)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2024-01-09 Tomcat 11.0.0-M16 (markt)

Catalina

  • Add: Allow alternate redirect status code for directory redirects issued by the default servlet via the init param directoryRedirectStatusCode. (funkman/markt)
  • Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt)

Coyote

  • Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt)
  • Fix: Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt)
  • Fix: Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig method. (remm)
  • Fix: Relax the check that the HTTP Host header is consistent with the host used in the request line, if any, to make the check case insensitive since host names are case insensitive. (markt)
  • Add: 68348: Add support for the partitioned attribute for cookies including session cookies. (markt)

Jasper

  • Update: The defaults for compilerSourceVM and compilerTargetVM have been updated to 21 to align with Java 21 being the minimum Java version required for Tomcat 11. (markt)

Web Applications

  • Fix: 68035: Additional fix to the Manager application to enable the deployment of a web application located in a Host's appBase where the web application is specified by a bare (no path) WAR or directory name as shown in the documentation. (markt)

Other

  • Update: Update to the Eclipse JDT compiler 4.30. (markt)
  • Update: Update Checkstyle to 10.12.7. (markt)
  • Update: Update SpotBugs to 4.8.3. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2023-12-12 Tomcat 11.0.0-M15 (markt)

Catalina

  • Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm)
  • Add: Add support for the jakarta.servlet.request.secure_protocol request attribute that has been added in Jakarta Servlet 6.1. This replaces the now deprecated Tomcat specific request attribute org.apache.tomcat.util.net.secure_protocol_version. (markt)
  • Add: Align behaviour with the latest addition to the Servlet 6.1 specification that requires that all HTTP error dispatches use the GET method. (markt)
  • Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
  • Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
  • Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)

Coyote

  • Fix: Use Java code to load certificate chain when using OpenSSL through the FFM API. (remm)

Jasper

  • Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)

Web Applications

  • Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)

Other

  • Update: Update the OWB module to Apache OpenWebBeans 4.0.1. (remm)
  • Fix: 68124: Migrate sample.war from javax to jakarta. (lihan)
  • Update: Update UnboundID to 6.0.11. (markt)
  • Update: Update Checkstyle to 10.12.5. (markt)
  • Update: Update SpotBugs to 4.8.2. (markt)
  • Update: Update Derby to 10.17.1. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)
  • Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt)
  • Add: Improvements to Russian translations by usmazat and remm. (markt)

2023-11-15 Tomcat 11.0.0-M14 (markt)

Catalina

  • Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
  • Update: The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm)
  • Update: Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz)
  • Update: Use Files.move instead of File.renameTo in the FarmWebDeployer to support a broader range of environments, and to give better information in the event of a failure. (schultz)
  • Fix: 67793: Ensure the original session timeout is restored after FORM authentication if the user refreshes a page during the FORM authentication process. Based on a suggestion by Mircea Butmalai. (markt)
  • Update: 67926: PEMFile prints unidentifiable string representation of ASN.1 OIDs. (michaelo)
  • Fix: 66875: Ensure that setting the request attribute jakarta.servlet.error.exception is not sufficient to trigger error handling for the current request and response. (markt)
  • Fix: 68054: Avoid some file canonicalization calls introduced by the fix for 65433. (remm)
  • Fix: 68089: Improve performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
  • Fix: Use a 400 status code to report an error due to a bad request (e.g. an invalid trailer header) rather than a 500 status code. (markt)
  • Fix: Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception. (markt)

Coyote

  • Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
  • Add: When calling SSLHostConfigCertificate.setCertificateKeystore(ks), automatically call setCertificateKeystoreType(ks.getType()). (markt)
  • Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 (starting with preview build 20) or later. (remm)
  • Fix: 67628: Clarify how the ciphers attribute of the SSLHostConfig is used. (markt)
  • Fix: 67666: Ensure TLS connectors using PEM files either work with the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt)
  • Fix: 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
  • Fix: 67927: Reloading TLS configuration can cause the Connector to refuse new connections or the JVM to crash. (markt)
  • Fix: 67938: Correct handling of large TLS client hello messages that were causing the TLS handshake to fail. (markt)
  • Fix: 68026: Convert selected MessageByte values to String when first accessed to speed up subsequent accesses and reduce garbage collection. (markt)

Jasper

  • Add: Add support for Records to expression language. (markt)
  • Fix: 68068: Performance improvement for EL. Based on a suggestion by John Engebretson. (markt)

WebSocket

  • Fix: Correct missing metadata in the MANIFEST of the for WebSocket client API JAR file. (markt)

Web applications

  • Fix: 68035: Correct a regression in the fix for 56248 that prevented deployment via the Manager of a WAR or directory that was already present in the appBase or a context file that was already present in the xmlBase. (markt)

Other

  • Add: 67538: Make use of Ant's <javaversion /> task to enfore the mininum Java build version. (michaelo)
  • Update: Update Checkstyle to 10.12.4. (markt)
  • Update: Update JaCoCo to 0.8.11. (markt)
  • Update: Update SpotBugs to 4.8.0. (markt)
  • Update: Update BND to 7.0.0. (markt)

2023-10-14 Tomcat 11.0.0-M13 (markt)

Coyote

  • Fix: 67670: Fix regression with HTTP compression after code refactoring. (remm)

jdbc-pool

  • Fix: 67664: Correct a regression in the clean-up of unnecessary use of fully qualified class names in 11.0.0-M12 that broke the jdbc-pool. (markt)

2023-10-10 Tomcat 11.0.0-M12 (markt)

Catalina

  • Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
  • Fix: Fix handling of an error reading a context descriptor on deployment. (remm)
  • Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also use, while it should instead take precedence. (remm)
  • Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
  • Add: Improve handling of failures within recycle() methods. (markt)

Coyote

  • Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
  • Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
  • Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
  • Fix: Fix logic issue trying to match no argument method in IntropectionUtil. (remm)
  • Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
  • Fix: Avoid rare thread safety issue accessing message digest map. (remm)
  • Fix: Improve statistics collection for upgraded connections under load. (remm)
  • Update: PushBuilder has been deprecated in line with the changes for the Servlet 6.1 specification. It will be replaced in a future Tomcat 11 milestone with support for 103 early hints. (markt)
  • Update: Remove support for HTTP/2 server push. Calls to newPushBuilder() will always return null. (markt)
  • Fix: Align validation of HTTP trailer fields with standard fields. (markt)
  • Fix: Improvements to HTTP/2 overhead protection. (markt)

Jasper

  • Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)

Other

  • Update: Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
  • Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
  • Update: Update to the Eclipse JDT compiler 4.29. (markt)
  • Update: Update UnboundID to 6.0.10. (markt)
  • Update: Update Checkstyle to 10.12.3. (markt)
  • Update: Update Tomcat Native to 2.0.6. (markt)
  • Update: Update Commons Pool to 2.12.0. (markt)
  • Fix: 67611: Correct the download link in BUILDING.txt. (lihan)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)
  • Add: Improvements to Russian translations by usmazat. (markt)

2023-08-25 Tomcat 11.0.0-M11 (markt)

Catalina

  • Fix: If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500. (markt)
  • Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)
  • Add: Update the HTTP parameter handling to align with the changes in the Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used to obtain request parameters. Invalid parameters and/or exceeding parameter size and/or quantity limits now trigger exceptions. As a consequence, the FailedRequestFilter has been removed. (markt)
  • Fix: Avoid protocol relative redirects in FORM authentication. (markt)

Web applications

  • Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)

Other

  • Add: Improvements to Chinese translations. (lihan)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations by tak7iji. (markt)

2023-08-14 Tomcat 11.0.0-M10 (markt)

Catalina

  • Fix: Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan. (markt)
  • Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)
  • Fix: Fix failure trying to persist configuration for an internal credential handler. (remm)
  • Fix: 66680: When serializing a session during the session presistence process, do not log a warning that null Principals are not serializable. Pull request #638 provided by tsryo. (markt)
  • Fix: 66822: Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance. (markt)
  • Fix: The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed first. (remm)

Coyote

  • Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write. (markt)
  • Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. (markt)
  • Update: Improve extensibility of endpoints for socket channel creation and TLS. Pull request #639 provided by Marco Fargetta. (remm)
  • Fix: Correct a regression introduced in 11.0.0-M9 and use the correct constant when constructing the default value for the certificateKeystoreFile attribute of an SSLHostConfigCertificate instance. (markt)
  • Code: Refactor HTTP/2 implementation to reduce pinning when using virtual threads. (markt)
  • Fix: Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it. (remm)
  • Fix: 66841: Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2. (markt)
  • Fix: 66842: When using asynchronous I/O (the default), include DATA frames when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated. (markt)
  • Fix: Correct a race condition that could cause spurious RST messages to be sent after the response had been written to an HTTP/2 stream. (markt)

WebSocket

  • Fix: 66681: Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate. (markt)

jdbc-pool

  • Fix: Fix the releaseIdleCounter does not increment when testAllIdle releases them. Pull request #241 provided by Arun Chaitanya Miriappalli (lihan)
  • Fix: Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing. Pull request #643 provided by Wenjun Xiao. (lihan)

Other

  • Update: Update NSIS to 3.0.9. (markt)
  • Update: Update Checkstyle to 10.12.2. (markt)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by tak7iji and Shirayuking. (markt)
  • Fix: 66829: Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces. (markt)
  • Fix: 66834: Correct the OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. (markt)
  • Update: Update Tomcat Native to 2.0.5. (markt)

2023-07-10 Tomcat 11.0.0-M9 (markt)

Other

  • Fix: Correct properties for JSign dependency. (rjung)

not released Tomcat 11.0.0-M8 (markt)

Catalina

  • Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. (michaelo)
  • Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file. (michaelo)
  • Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. (markt)
  • Update: Add utlity config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible. (remm)

Coyote

  • Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. (markt)
  • Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. (markt)

Jasper

  • Add: Add java.util.Optional support via the jakarta.el.OptionalELResolver to Tomcat's implementation of the Jakarta EL API to align with the latest proposals for the Jakarta EL 6.0 API. (markt)
  • Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

WebSocket

  • Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. (markt)
  • Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. (markt)
  • Add: Update the WebSocket API provided by Tomcat to align with the latest proposals from the Jakarta WebSocket project and make the WebSocket Session instance available via SendResult. (markt)

Web applications

  • Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. (markt)
  • Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Include the Windows specific binary distributions in the files uploaded to Maven Central. (markt)
  • Update: Remove support for running Tomcat on 32-bit Windows operating systems as Java 21 is not available for that platform. (markt)
  • Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
  • Update: Update to the Eclipse JDT compiler 4.28. (markt)
  • Update: Update UnboundID to 6.0.9. (markt)
  • Update: Update Checkstyle to 10.12.1. (markt)
  • Update: Update BND to 6.4.1. (markt)
  • Update: Update JSign to 5.0. (markt)

2023-06-08 Tomcat 11.0.0-M7 (markt)

General

  • Update: Increase the minimum supported Java version to Java 21. (markt)

Catalina

  • Code: Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods. (markt)
  • Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)
  • Code: Remove support for using the ^ character to separate the WAR file and WAR contents in Tomcat's custom WAR URL handler. The current default separator character of * remains unchanged. (markt)
  • Add: Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. (markt)
  • Fix: 66513: Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore. (markt)
  • Fix: 66609: Ensure that the default servlet correctly escapes file names in directory listings when using XML output. Based on pull request #621 by Alex Kachanov. (markt)
  • Add: 66618: Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting in the XSLT. Pull request #622 by Alex Kachanov. (markt)
  • Fix: 66621: Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock. (markt)
  • Fix: 66622: Remove the xssProtectionEnabled setting from the HttpHeaderSecurityFilter as support for the associated HTTP header has been removed from all major browsers. (markt)

Coyote

  • Fix: 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload. Pull request #619 by ledefe. (lihan)

Other

  • Update: Update to Commons Daemon 1.3.4. (markt)
  • Add: Improvements to French translations. (remm)
  • Update: Update Checkstyle to 10.12.0. (markt)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.4 to pick up the Windows binaries built with with OpenSSL 3.0.9. (markt)

2023-05-09 Tomcat 11.0.0-M6 (markt)

Catalina

  • Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was converted to using URI instead of URL. (remm)
  • Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is used which contains verbatim characters that need escaping. (rjung)
  • Update: Change output of vertical tab in AccessLogValve from \v to \u000b. (rjung)
  • Update: Improve performance of escaping in AccessLogValve roughly by a factor of two. (rjung)
  • Update: Improve JsonAccessLogValve: support more patterns like for headers and attributes. Those will be logged as sub objects. (rjung)
  • Fix: #613: Fix possible partial corrupted file copies when using file locking protection or the manager servlet. Submitted by Jack Shirazi. (remm)

Coyote

  • Add: Add support for a new character set, gb18030-2022 - introduced in Java 21, to the character set caching mechanism. (markt)
  • Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers without names are treated as invalid. (markt)
  • Update: Remove support for the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch. These are now hard-coded to the previous defaults. (markt)
  • Fix: 66591: Fix a regression introduced in the fix for 66512 that meant that an AJP Send Headers was not sent for responses where no HTTP headers were set. (markt)

Jasper

  • Fix: 66582: Account for EL having stricter requirements for static imports than JSPs when adding JSP static imports to the EL context. (markt)

WebSocket

  • Fix: 66574: Refactor WebSocket session close to remove the lock on the SocketWrapper which was a potential cause of deadlocks if the application code used simulated blocking. (markt)
  • Fix: 66575: Avoid unchecked use of the backing array of a buffer provided by the user in the compression transformation. (remm)
  • Fix: Improve exception handling when flushing batched messages during WebSocket session close. (markt)
  • Fix: 66581: Update AsyncChannelGroupUtil to align it with the current defaults for AsynchronousChannelGroup. Pull request #612 by Matthew Painter. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Chinese translations. (lihan)
  • Update: Update Checkstyle to 10.10.0. (markt)
  • Update: Update Jacoco to 0.8.10. (markt)
  • Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)

2023-04-19 Tomcat 11.0.0-M5 (markt)

Catalina

  • Add: Add a doPatch method to HttpServlet to provide support for the HTTP PATCH method as defined in RFC 5789. This is one of the changes in the Servlet 6.1 API. (markt)
  • Fix: 65995: Implement RFC 9239 and use text/javascript as the media type for JavaScript rather than application/javascript. (markt)
  • Code: Tomcat no longer sets the java.protocol.handler.pkgs system property when starting. Users are now free to configure this property if they wish. (markt)
  • Add: Add an access log valve that uses a json format. Based on pull request #539 provided by Thomas Meyer. (remm)
  • Add: Harden the FORM authentication process against DoS attacks by using a reduced session timeout if the FORM authentication process creates a session. The duration of this timeout is configured by the authenticationSessionTimeout attribute of the FORM authenticator. (markt)
  • Add: Implement the new Servlet API methods that provide additional control when sending a redirect to the client. (markt)
  • Add: Update Digest authentication support to align with RFC 7616. This adds a new configuration attribute, algorithms, to the DigestAuthenticator with a default of SHA-256,MD5. (markt)
  • Update: Reduce the default value of maxParameterCount from 10,000 to 1,000. (markt)
  • Fix: 66527: Correct the Javadoc for the Tomcat.addWebapp() methods that incorrectly stated that the docBase parameter could be a relative path. (markt)
  • Fix: 66524 Correct eviction ordering in WebResource cache to be LRU as intended. (schultz)
  • Update: Add support code for custom user attributes in RealmBase. Based on code from #473 by Carsten Klein. (remm)
  • Fix: Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. This aligns with the current draft of the Servlet 6.1 specification. (markt)
  • Fix: 66541: Improve handling for cached resources for resources that use custom URL schemes. The scheme specific equals() and hashCode() algorithms, if present, will now be used for URLs for these resources. This addresses a potential performance issue with some OSGi custom URL schemes that can trigger potentially slow DNS lookups in some configurations. Based on a patch provided by Tom Whitmore. (markt)
  • Fix: When using a custom session manager deployed as part of the web application, avoid ClassNotFoundExceptions when validating session IDs extracted from requests. (markt)
  • Fix: 66543: Give StandardContext#fireRequestDestroyEvent its own log message. (fschumacher)
  • Fix: 66554: Initialize Random during server initialization to avoid possible JVM thread creation in the webapp context on some platforms. (remm)
  • Update: Make the server utility executor available to webapps using a Servlet context attribute named org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor. (remm)

Coyote

  • Fix: JSON filter should support specific escaping for common special characters as defined in RFC 8259. Based on code submitted by Thomas Meyer. (remm)
  • Fix: 66511: Fix GzipOutputFilter (used for compressed HTTP responses) when used with direct buffers. Patch suggested by Arjen Poutsma. (markt)
  • Fix: 66512: Align AJP handling of invalid HTTP response headers (they are now removed from the response) with HTTP. (markt)
  • Fix: 66530: Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections. (markt)
  • Fix: Remove use of deprecated classes in the javax.security.cert package. Pull request #608 provided by Eirik Bjorsnos. (markt)

Jasper

  • Fix: Fix bug that meant some instances of coercing a LambdaExpression to a functional interface invocation failed. (markt)
  • Fix: 66536: Fix parsing of tag files that meant that tag directives could be ignored for some tag files. (markt)
  • Add: Align the EL implementation with the latest changes to the Jakarta EL specification and add support for the length attribute to the ArrayELResolver. (markt)

Cluster

  • Fix: 66535: Redefine the maxValidTime attribute of FarmWarDeployer to be the maximum time allowed between receiving parts of a transferred file before the transfer is cancelled and the associated resources cleaned-up. A new warning message will be logged if the file transfer is cancelled. (markt)

WebSocket

  • Fix: 66508: When using WebSocket with NIO2, avoid waiting for a timeout before sending the close frame if an I/O error occurs during a write. (markt)
  • Fix: 66548: Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used. (markt)

Web applications

  • Fix: 66542: Documentation. Update the JNDI documentation to replace references to JavaMail with references to Jakarta Mail. (markt)

Other

  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
  • Add: Improvements to Chinese translations. Contributed by totoo. (markt)
  • Code: Refactor code using MD5Encoder to use HexUtils.toHexString(). (markt)
  • Fix: 66507: Fix a bug that $JAVA_OPTS is not passed to the jvm in catalina.sh when calling version. Patch suggested by Eric Hamilton. (lihan)
  • Update: Update the internal fork of Commons DBCP to f131286 (2023-03-08, 2.10.0-SNAPSHOT). This corrects a regression introduced in 11.0.0-M2. (markt)
  • Fix: Improve the error messages if JRE_HOME or JAVA_HOME are not set correctly. On windows, align the handling of JRE_HOME and JAVA_HOME for the start-up scripts and the service install script. (markt)
  • Update: Update to the Eclipse JDT compiler 4.27. (markt)
  • Update: Update UnboundID to 6.0.8. (markt)
  • Update: Update Checkstyle to 10.9.3. (markt)
  • Update: Update Jacoco to 0.8.9. (markt)
  • Fix: Enhance PEMFile to load from an InputStream. Patch provided by Romain Manni-Bucau. (schultz)

2023-03-06 Tomcat 11.0.0-M4 (markt)

General

  • Fix: Fix a bug that memory allocation is larger than limit in SynchronizedStack to reduce memory footprint. (lihan)

Catalina

  • Add: Add support for txt: and rnd: rewrite map types from mod_rewrite. Based on a pull request #591 provided by Dimitrios Soumis. (remm)
  • Update: Provide a more appropriate response (501 rather than 400) when rejecting an HTTP request using the CONNECT method. (markt)
  • Fix: 66491: Revert the switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. The original system property based approach has been restored. (markt)

Coyote

  • Add: Add a check for the validity of the scheme pseudo-header in HTTP/2. (markt)
  • Fix: 66482: Restore inline state after async operation in NIO2, to account the fact that unexpected exceptions are sometimes thrown by the implementation. Patch submitted by zhougang. (remm)

Jasper

  • Add: Provide an implementation of the sub-set of JavaBeans support that does not depend on the java.beans package. This for use by Expression Language when the java.desktop module (which is where the java.beans package resides) is not available. (markt)

2023-02-23 Tomcat 11.0.0-M3 (markt)

General

  • Update: Increase the minimum supported Java version to Java 17. Note that Jakarta EE 11 permits a minimum Java version of 21. The minimum Java version for Tomcat 11 may be increased to Java 21 before the first stable release. (markt)

Catalina

  • Fix: Allow a Valve to access cookies from a request that cannot be mapped to a Context. (markt)
  • Add: Implement the new Servlet API methods for setting character encodings that accept Charset objects. (markt)
  • Update: The default HEAD response no longer includes some HTTP header fields where the value is determined only while generating the content as per section 9.3.2 of RFC 9110. (markt)
  • Fix: 66438: Correct names of Jakarta modules in JPMS metadata. (markt)
  • Update: Switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. (markt)
  • Fix: Switch to using LongAdder rather than AtomicInteger to track request count and error count for servlets. (markt)
  • Fix: Implement the clarification from the Jakarta Servlet project that Servlets mapped to the context root should be mapped for requests to the context root with or without the trailing /. (markt)
  • Fix: Implement the clarification from the Jakarta Servlet project that calling ServletOutputStream.close() on a stream in non-blocking mode returns immediately with the stream effectively closed and any data remaining to be written is written in the background by the container. (markt)
  • Fix: Avoid possible ISE when scanning from bad JAR URLs, to restore the previous behavior following the removal of Java 9+ reflection code which caught the ISE. (remm)
  • Fix: Refactor uses of String.replaceAll() to use String.replace() where regular expressions where not being used. Pull request #581 provided by Andrei Briukhov. (markt)
  • Add: Add error report valve that allows redirecting to of proxying from an external web server. Based on code and ideas from pull request #506 provided by Max Fortun. (remm)
  • Add: 66470: Add the Shared Address Space defined by RFC 6598 (100.64.0.0/10) to the regular expression used to identify internal proxies for the RemoteIpFilter and RemoteIpValve. (markt)
  • Fix: 66471: Fix JSessionId secure attribute missing When RemoteIpFilter determines that this request was submitted via a secure channel. (lihan)
  • Add: Add the additional HTTP status code constants to HttpServletResponse defined by the Jakarta Servlet project for the Servlet 6.1 API. (markt)
  • Fix: Implement the clarification from the Jakarta Servlet project that calling one of the HttpServletResponse methods for setting HTTP header values with null as the new header value removes any existing header of that name. (markt)

Coyote

  • Add: Log basic information for each configured TLS certificate when Tomcat starts. (markt)
  • Fix: 66442: When an HTTP/2 response must not include a body, ensure that the end of stream flag is set on the headers frame and that no data frame is sent. (markt)
  • Fix: Fix a bug that prevented HTTP/2 connections from timing out when using a Connector configured with useAsyncIO=true (the default). (markt)
  • Add: Provided dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.certificate / org.apache.tomcat.util.net.Nio2Endpoint.certificate) for logging of configured TLS certificates. (markt)

Jasper

  • Fix: 66419: Fix calls from expression language to a method that accepts varargs when only one argument was passed. (markt)
  • Fix: 66441: Make imports of static fields in JSPs visible to any EL expressions used on the page. (markt)

Web applications

  • Fix: 66429: Documentation. Limit access to the documentation web application to localhost by default. (markt)
  • Fix: 66429: Examples. Limit access to the examples web application to localhost by default. (markt)

Other

  • Update: Update BND to 6.4.0. (markt)
  • Update: Remove support for starting Tomcat under a SecurityManager. (markt)
  • Add: Improvements to Chinese translations. (lihan)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.3 to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt)

not released Tomcat 11.0.0-M2 (markt)

Catalina

  • Add: Update the ServletInputStream and ServletOuputStream classes in the Servlet API to align with the recent updates in the Jakarta Servlet specification to support reading and writing with ByteBuffers. The changes also clarified various aspects of the Servlet non-blocking API. (markt)
  • Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
  • Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
  • Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
  • Fix: Remove JAX-RPC support which was removed from the Jakarta EE platform for Jakarta EE 9. (markt)

Coyote

  • Fix: Update Cookie parsing and handling to treat the quotes in a quoted cookie value as part of the value as required by RFC 6265 and explicitly clarified in RFC 6265bis. (markt)
  • Add: Add an RFC 8941 structured field parser. (markt)
  • Add: Add a parser for the priority HTTP header field defined in RFC 9218. (markt)
  • Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
  • Fix: 66385: Correct a bug in HTTP/2 where a non-blocking read for a new frame with the NIO2 connector was incorrectly made using the read timeout leading to unexpected stream closure. (markt)

Jasper

  • Fix: 66370: Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. (markt)
  • Add: Add support for specifying Java 21 (with the value 21) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

Other

  • Update: Update the packaged version of the Apache Tomcat Migration Tool for Jakarta EE to 1.0.6. (markt)
  • Update: Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, 6.7.1-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, 1.16-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to 34eb241 (2023-01-03, 2.0-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03, 2.10.0-SNAPSHOT). (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
  • Add: Improvements to Portuguese translations. Contributed by Guilherme Custódio. (markt)
  • Update: Update to the Eclipse JDT compiler 4.26. (markt)
  • Update: Update Checkstyle to 10.6.0. (markt)
  • Update: Update Unboundid to 6.0.7. (markt)
  • Update: Update SpotBugs to 4.7.3. (markt)

2022-12-05 Tomcat 11.0.0-M1 (markt)

General

  • Code: This release contains all of the changes up to and including those in Apache Tomcat 10.1.1 plus the additional changes listed below. (markt)

Catalina

  • Fix: 66175: Change the default character set used by the BasicAuthenticator from ISO-8859-1 to UTF-8. (markt)
  • Add: 66209: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
  • Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
  • Fix: 66331: Fix a regression in refactoring for Stack on the SystemLogHandler which caught incorrect exception. (lihan)
  • Fix: 66338: Fix a regression that caused a nuance in refactoring for ErrorReportValve. (lihan)
  • Fix: Escape values used to construct output for the JsonErrorReportValve to ensure that it always outputs valid JSON. (markt)
  • Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
  • Fix: Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. (markt)
  • Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
  • Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
  • Add: Add support for the new attribute for error dispatches jakarta.servlet.error.query_string. (markt)
  • Update: Update ignoreAnnotation attribute on Context to dissociate it from metadata-complete. (remm)

Coyote

  • Fix: Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265. (markt)
  • Add: Include the name of the current stream state in the error message when a stream is cancelled due to an attempt to write to the stream when it is in a state that does not permit writes. (markt)
  • Code: NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL not to do so and remove checks for this return value. Based on #562 by tianshuang. (markt)
  • Code: Remove unnecessary code that exposed the asyncTimeout to components that never used it. (markt)
  • Fix: Ensure that all MessageBytes conversions to byte arrays are valid for the configured character set and throw an exception if not. (markt)
  • Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)

Jasper

  • Fix: 66294: Make the use of a privileged block to obtain the thread context class loader added to address 62080 optional and disabled by default. This is now controlled by the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property. (markt)
  • Fix: 66317: Fix for Lambda coercion security manager missing privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
  • Fix: 66325: Fix concurrency issue in evaluation of expression language containing lambda expressions. (markt)
  • Add: Update the ErrorData class in the JSP API to align with the recent changes in the Jakarta Pages specification to support the new error dispatch attribute jakarta.servlet.error.query_string.

Web applications

  • Fix: 66348: Update the JARs listed in the class loader documentation and note which ones are optional. (markt)
  • Fix: Documentation. Replace references in the application developer's guide to CVS with more general references to a source code control system. (markt)

jdbc-pool

  • Fix: 66346: Ensure all JDBC pool JARs are reproducible. Pull request #566 provided by John Neffenger. (markt)

Other

  • Update: Update to Commons Daemon 1.3.3. (markt)
  • Fix: 66323: Move module start up parameters from JDK_JAVA_OPTIONS to JAVA_OPTS now that the minimum Java version is 11 and these options are always required. (markt)
  • Add: Improvements to Chinese translations. Contributed by DigitalCat and lihan. (markt)
  • Add: Improvements to French translations. Contributed by Mathieu Bouchard. (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
  • Add: Improvements to Korean translations. (markt)
  • Add: Improvements to Spanish translations. (markt)
  • Fix: Correct a regression in the removal of the APR connector that broke Graal native image support. Pull request #564 provided by Sébastien Deleuze. (markt)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
  • Update: Update the packaged version of the Apache Tomcat Migration Tool for Jakarta EE to 1.0.5. (markt)
  • Code: Refactor code base to replace use of URL constructors. While they are deprecated in Java 20 onwards, the reasons for deprecation are valid for all versions so move away from them now. (markt)
  • Code: Refine the Tomcat native image metadata to avoid including unintended non-Tomcat resources. Pull request #569 provided by Sébastien Deleuze. (markt)
  • Update: Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28, 6.7.0-RC1). (markt)
  • Update: Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29, 1.16-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to aa8eff6 (2022-11-29, 2.0-SNAPSHOT). (markt)