66388: Correct a regression in the refactoring that replaced
the use of the URL constructors. The regression broke
lookups for resources that contained one or more characters in their
name that required escaping when used in a URI path. (markt)
66392: Change the default value of AccessLogValue's
file encoding to UTF-8 and update documentation. (lihan)
66393: Align ExtendedAccessLogValve's x-P(XXX) with the
documentation. (lihan)
Coyote
When resetting an HTTP/2 stream because the final response has been
generated before the request has been fully read, use the HTTP/2 error
code NO_ERROR so that client does not discard the response.
Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
66385: Correct a bug in HTTP/2 where a non-blocking read for
a new frame with the NIO2 connector was incorrectly made using the read
timeout leading to unexpected stream closure. (markt)
Jasper
66370: Change the default of the
org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system
property to true unless the EL library is running on Tomcat
in which case the default remains false as the EL library
is already called from within a privileged block and skipping the
unnecessary privileged block improves performance. (markt)
Add support for specifying Java 21 (with the value 21) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
Other
Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
6.7.1-SNAPSHOT). (markt)
Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03,
1.16-SNAPSHOT). (markt)
Update the internal fork of Apache Commons FileUpload to 34eb241
(2023-01-03, 2.0-SNAPSHOT). (markt)
Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03,
2.10.0-SNAPSHOT). (markt)
Improvements to Japanese translations. Contributed by Shirayuking.
(markt)
Improvements to Portuguese translations. Contributed by Guilherme
Custódio. (markt)
Update to the Eclipse JDT compiler 4.26. (markt)
Update Checkstyle to 10.6.0. (markt)
Update Unboundid to 6.0.7. (markt)
Update SpotBugs to 4.7.3. (markt)
2022-12-09 Tomcat 10.1.4 (markt)
Other
Update the packaged version of the Apache Tomcat Migration Tool for
Jakarta EE to 1.0.6. (markt)
not released Tomcat 10.1.3 (markt)
Catalina
Correct the default implementation of
HttpServletRequest.isTrailerFieldsReady() to return
true so it is consistent with the default implementation of
HttpServletRequest.getTrailerFields() and with the Servlet
API provided by the Jakarta EE project. (markt)
Refactor WebappLoader so it only has a runtime dependency
on the migration tool for Jakarta EE if configured to use the converter
as classes are loaded. (markt)
Improve the behavior of the credential handler attribute that is set in
the Servlet context so that it actually reflects what is used during
authentication. (remm)
66359: Update javadoc for RemoteIpValve and RemoteIpFilter with
correct protocolHeader default value of "X-Forwarded-Proto".
(lihan)
Coyote
When an HTTP/2 stream was reset, the current active stream count was not
reduced. If enough resets occurred on a connection, the current active
stream count limit was reached and no new streams could be created on
that connection. (markt)
Web applications
66348: Update the JARs listed in the class loader
documentation and note which ones are optional. (markt)
Documentation. Replace references in the application developer's guide
to CVS with more general references to a source code control system.
(markt)
Other
Refactor code base to replace use of URL constructors. While they are
deprecated in Java 20 onwards, the reasons for deprecation are valid for
all versions so move away from them now. (markt)
Refine the Tomcat native image metadata to avoid including unintended
non-Tomcat resources. Pull request #569 provided by Sébastien
Deleuze. (markt)
Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28,
6.7.0-RC1). (markt)
Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29,
1.16-SNAPSHOT). (markt)
Update to Commons Daemon 1.3.3. (markt)
Update the internal fork of Apache Commons FileUpload to aa8eff6
(2022-11-29, 2.0-SNAPSHOT). (markt)
Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
2022-11-14 Tomcat 10.1.2 (markt)
Catalina
66209: Add a configuration option to allow bloom filters used
to index JAR files to be retained for the lifetime of the web
application. Prior to this addition, the indexes were always flushed by
the periodic calls to WebResourceRoot.gc(). As part of this
addition, configuration of archive indexing moves from
Context to WebResourceRoot. Based on a patch
provided by Rahul Jaisimha. (markt)
66330: Correct a regression introduced when fixing
62897 that meant any value configured for
skipMemoryLeakChecksOnJvmShutdown on the
Context was ignored and the default was always used.
(markt)
66331: Fix a regression in refactoring for Stack
on the SystemLogHandler which caught incorrect exception.
(lihan)
66338: Fix a regression that caused a nuance in refactoring
for ErrorReportValve. (lihan)
Escape values used to construct output for the
JsonErrorReportValve to ensure that it always outputs valid
JSON. (markt)
Coyote
Correct the date format used with the expires attribute of HTTP cookies.
A single space rather than a single dash should be used to separate the
day, month and year components to be compliant with RFC 6265. (markt)
Include the name of the current stream state in the error message when a
stream is cancelled due to an attempt to write to the stream when it is
in a state that does not permit writes. (markt)
NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL
not to do so and remove checks for this return value. Based on
#562 by tianshuang. (markt)
Remove unnecessary code that exposed the asyncTimeout to
components that never used it. (markt)
Jasper
66294: Make the use of a privileged block to obtain the
thread context class loader added to address 62080 optional
and disabled by default. This is now controlled by the
org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system
property. (markt)
66317: Fix for Lambda coercion security manager missing
privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
66325: Fix concurrency issue in evaluation of expression
language containing lambda expressions. (markt)
jdbc-pool
66346: Ensure all JDBC pool JARs are reproducible. Pull
request #566 provided by John Neffenger. (markt)
Other
Update to Commons Daemon 1.3.2. (markt)
66323: Move module start up parameters from
JDK_JAVA_OPTIONS to JAVA_OPTS now that the
minimum Java version is 11 and these options are always required. (markt)
Improvements to Chinese translations. Contributed by DigitalCat and
lihan. (markt)
Improvements to French translations. Contributed by Mathieu Bouchard.
(markt)
Improvements to Japanese translations. Contributed by Shirayuking.
(markt)
Correct a regression in the removal of the APR connector that broke
Graal native image support. Pull request #564 provided by
Sébastien Deleuze. (markt)
Update the packaged version of the Apache Tomcat Native Library to 2.0.2
to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
Update the packaged version of the Apache Tomcat Migration Tool for
Jakarta EE to 1.0.5. (markt)
2022-10-11 Tomcat 10.1.1 (markt)
Catalina
Update the RewriteValve to perform pattern matching using
dotall mode to avoid unexpected behaviour if the URL includes encoded
line terminators. (markt)
Coyote
66276: Fix incorrect class cast when adding
a descendant of HTTP/2 streams. (lihan)
66281: Fix unexpected timeouts that may appear as client
disconnections when using HTTP/2 and NIO2. (markt)
Enforce the requirement of RFC 7230 onwards that a request with a
malformed content-length header should always be rejected
with a 400 response. (markt)
Jasper
66277: Fix regressions in refactoring from StackArrayDeque.
Add support for specifying Java 20 (with the value 20) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
Web applications
Documentation. Document the nonceRequestParameterName
attribute for the CsrfPreventionFilter. Based on
#553 by Mert Ülkgün. (markt)
Other
Update to the Eclipse JDT compiler 4.23. (markt)
Update Objenesis to 3.2. (markt)
Update UnboundID to 6.0.6. (markt)
Update Checkstyle to 10.3.4. (markt)
Update JaCoCo to 0.8.8. (markt)
Update SpotBugs to 4.7.2. (markt)
Update JSign to 4.2. (markt)
Update Derby to 10.16.1.1. (markt)
Improvements to Chinese translations. (markt)
Improvements to Czech translations. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
Improvements to Korean translations. (markt)
Improvements to Spanish translations. (markt)
2022-09-26 Tomcat 10.1.0 (markt)
Coyote
Update Panama OpenSSL code for the extensive Java 20 changes. (remm)
Fix a regression in refactoring for Hashtables which caused mbeans to
lose many of their attributes. (remm)
Jasper
66203: Log an error message when the JSP compiler is unable
to create the output directory for the generated code. (markt)
Other
Further automation to the build process to reduce the number of manual
steps that release managers must perform. (markt)
not released Tomcat 10.1.0-M20 (markt)
Coyote
Prepare OpenSSL Panama module for Java 20 API changes. (remm)
Other
Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.4.
(markt)
not released Tomcat 10.1.0-M19 (markt)
Coyote
Correct a regression in the previous fix for 66236. (markt)
not released Tomcat 10.1.0-M18 (markt)
Catalina
Correct handling of HTTP TRACE requests where there are multiple
instances of an HTTP header with the same name. (markt)
Implement the requirements of RFC 7231 and do not include sensitive
headers in responses to HTTP TRACE requests. (markt)
Implement the clarification in RFC 9110 that the units in HTTP range
specifiers are case insensitive. (markt)
Properly-escape role and group information when writing
MemoryUserDatabase to an XML file. (schultz)
Move control of XML-export logic from individual support classes into
MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
MemoryRole, and MemoryGroup classes. (schultz)
66183: When logging cookie values in an access log valve and
there are multiple cookies with the same name, log all cookie values
rather than just the first. Based on pull request #541 by Han
Li. (markt)
66184: Ensure that JULI root loggers have a default level of
INFO. Pull request #533 provided by Piotr P.
Karwasz. (markt)
Improve handling of stack overflow errors when parsing SSI expressions.
(markt)
66120: Enable FORM authentication to work correctly if
session persistence and restoration occurs during the authentication
process. (markt)
66233: Include an error message when sending a 400 response
because a request has too many cookies. (markt)
When web application deployment fails due to JARs with duplicate
fragment names, improve the error message by listing the JARs that
contain the duplicates. Based on pull request #535 by Mads
Rolsdorph. (markt)
Replace logging thread for JULI's AsyncFileHandler with an
executor to protect against failure of the logging thread. Based on pull
request #545 by Piotr P. Karwasz. (markt)
Coyote
Avoid potential NPE by skipping duplicate accept check when using a Unix
Domain Socket. Based on #532 by Han Li. (markt)
Address an edge case in HTTP header parsing that allowed CRCRLF to be
used as a valid line terminator. (markt)
Ensure HTTP/2 requests that include connection specific headers are
rejected. (markt)
When processing HTTP/2 requests, allow a host header to be
used in place of an :authority header. (markt)
When processing HTTP/2 requests, allow a host header and an
:authority header to be present providing they are
consistent. (markt)
Make parsing of invalid filename directives in
Content-Disposition headers more robust. Invalid filename
directives will now be ignored rather than triggering a 500 response.
(markt)
66194: Log HTTP/2 stream closures (usually caused by client
errors) via a UserDataHelper to broadly align it with the
behaviour of HTTP/1.1 for parsing issues and exceeding limits. (markt)
66196: Align HTTP/1.1 with HTTP/2 and throw an exception when
attempting to commit a response with an header value that includes one
or more characters with a code point above 255. (markt)
66236: Implement support for the special values zero and
minus one when configuring maxSavePostSize for a Connector
when used in conjunction with TLS renegotiation. (markt)
66240: Avoid int overflow when parsing octets by limiting
the maximum value to 255. Based on a PR #548 by Stefan Mayr.
(lihan)
#550: Correctly handle case where a Servlet responds to a
request with an expectation with a 2xx response without reading the
request body. Pull request provided by Malay Shah. (markt)
#551: Avoid potential IndexOutOfBoundsException by fixing
incorrect check when matching HTTP/2 preface. Submitted by 刘文章.
(lihan)
Jasper
Improve handling of stack overflow errors when parsing EL expressions.
(markt)
Correct parsing of integer and floating point literals in EL expressions
so that larger values are correctly parsed to BigInteger
and BigDecimal respectively. (markt)
66235: Fix various issues with the bean resolver used for
Graal. (remm)
Improve the performance of the ImportHandler in the
Expression Language implementation. This removes a previous optimisation
that is now detrimental rather than helpful. Pull request #547
provided by rmannibucau. (markt)
Improve handling of EL error messages so instances of Number are not
formatted in unexpected ways. (markt/kkolinko)
Switch to using ELException rather than IllegalArgumentException when a
type conversion fails during an EL arithmetic operation. This is an EL
error so ELException seems more appropriate. (markt)
Fix a bug in MethodExpression handling that triggered an
error when invoking a static method on an instance of the class rather
than directly on the class. (markt)
Use BigInteger.remainder() rather than
BigInteger.mod() when performing the modulus operation for
instances of BigInteger as part of an EL expression.
(markt)
Cluster
To aid future additions of new functionality, rather than throw an
IllegalArgumentException if a DeltaRequest is
passed an unrecognised action type, a warning message will now be
logged. (markt)
66120: Enable FORM authentication to work correctly if
session failover occurs during the authentication process. (markt)
WebSocket
62312: Add support for authenticating WebSocket clients with
an HTTP forward proxy when establishing a connection to a WebSocket
endpoint via a forward proxy that requires authentication. Based on a
patch provided by Joe Mokos. (markt)
Other
Ensure that zip archives use UTC for file modification times to ensure
repeatable builds across time zones. (markt)
Improvements to Chinese translations. (lihan)
Improvements to Czech translations. (markt)
Improvements to French translations. (remm)
Improvements to German translations. (markt)
Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
Improvements to Korean translations. Contributed by 수현. (markt)
Improvements to Brazilian Portuguese translations. (markt)
Improvements to Russian translations. (markt)
Improvements to Spanish translations. (markt)
Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.3.
(markt)
2022-07-20 Tomcat 10.1.0-M17 (markt)
Catalina
66104: Avoid error message by not trying to clean up old
files from the logging directory before the directory has been created.
Based on #521 by HanLi. (markt)
Update the Jakarta Common Annotations API to 2.1.1. This deprecates the
ManagedBean annotation which will be removed in a future
release. (markt)
Coyote
Provide dedicated loggers
(org.apache.tomcat.util.net.NioEndpoint.handshake /
org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS
handshake failures. (markt)
Enable the use of the FIPS provider for TLS enabled Connectors when
using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
(markt)
Remove the jvmRoute system property used to configure a
default value for the jvmRoute attribute of an Engine.
(markt)
Update experimental Panama modules with support for OpenSSL 3.0+.
OpenSSL 1.1 remains supported. (remm)
Correct a regression in the refactoring to support experimentation with
project Loom that broke HTTP/2 support if async IO was disabled. (markt)
Fix duplicate Poller registration with HTTP/2, NIO and async IO that
could cause HTTP/2 connections to unexpectedly fail. (markt)
Refactor Panama module to better take advantage of the Panama preview
API updates and fixes. Improves memory session usage and avoids some
allocations. Review from Maurizio Cimadamore. (remm)
Update the minimum recommended version of the Tomcat Native Library to
2.0.1. (markt)
Jasper
Add support for specifying Java 19 (with the value 19) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
WebSocket
Remove configuration settings related to the restriction on WebSocket
endpoint deployment that was removed in version 2.1 of the
specification. (markt)
Web applications
Documentation. 62245: Include contextXsltFile
when discussing options for configuring directory listings. (markt)
Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
Form authentication example. (markt)
Documentation. Expand the description of the useSendfile
attribute for HTTP/2 and reference the possibility of file locking when
using this feature on Windows operating systems. (markt)
Other
Update to bnd 6.3.1. (markt)
The minimum Ant version required to build Tomcat 10.1.x is now 1.10.2.
(markt)
Add additional automation to the build process to reduce the number of
manual steps that release managers must perform. (schultz)
Implement support for reproducible builds. Reproducible builds are
independent of operating system but require the same Ant version and
same JDK (vendor and version) to be used as associated version
information is embedded in a number of build outputs such as JAR file
manifests. (markt)
Update the minimum supported version of Tomcat Native to 1.2.34 to allow
the removal of the deprecated Java API associated with features that
will be removed in Tomcat Native 2.0.x. (markt)
Remove and/or update references to the removed
org.apache.tomcat.util.threads.res package. The
LocalStrings*.properties files in that package were moved
to org.apache.tomcat.util.threads package for consistency
with the rest of the Tomcat code base. (markt)
66134: The NSIS based Tomcat installer for Windows now
correctly handles the combination of TomcatAdminRoles
defined in a configuration file and selecting the Manager and/or
Host Manager web applications in the installer's GUI. (markt)
Update the OWB module to Apache OpenWebBeans 2.0.27. (remm)
Update the CXF module to Apache CXF 3.5.3. (remm)
Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.1.
(markt)
Update the packaged version of the Tomcat Native Library to 2.0.1 to
pick up the Windows binaries built with with OpenSSL 3.0.5. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations contributed tak7iji. (markt)
2022-06-09 Tomcat 10.1.0-M16 (markt)
Catalina
Update the memory leak protection code to support stopping application
created executor threads when running on Java 19 and later. (markt)
Improve the error message if a required --add-opens option
is missing. (markt)
Disable the memory leak correction code enabled by the Context attribute
clearReferencesObjectStreamClassCaches when running on a
JRE that includes a fix for the underlying memory leak. (markt)
#515: Avoid deadlock on startup with some utility executor
configurations. Submitted by Han Li. (remm)
66068: Ensure that the changes made to a request by the
RemoteIPValve persist after the request is put into
asynchronous mode. (markt)
Include the major version in the recommended version used for Tomcat
Native with the AprLifecycleListener. (markt)
Remove the reporting of the unused APR feature flags. (markt)
Coyote
Additional fix for 65118. Fix a potential
NullPointerException when pruning closed HTTP/2 streams
from the connection. (markt)
Refactor synchronization blocks locking on SocketWrapper to
use ReentrantLock to support users wishing to experiment
with project Loom. (markt)
66076: When using TLS with non-blocking writes and the NIO
connector, ensure that flushing the buffers attempts to empty all of the
output buffers. (markt)
66084: Correctly calculate bytes written to a response. Pull
request #516 provided by aooohan HanLi. (markt)
Correct a regression in the support added for encrypted PKCS#1 formatted
private keys in the previous release that broke support for unencrypted
PKCS#1 formatted private keys. (jfclere/markt)
Remove support for NPN when using the Tomcat Native Connector as NPN was
never standardised and browser support for NPN was removed several years
ago. (markt)
Jasper
Update XML schema used for generated web fragments to use the Servlet
6.0 web fragment schema. (markt)
Update the XML schema used by the web fragment defined for the Jasper EL
JAR to use the Servlet 6.0 web fragment schema. (markt)
Update ImportHandler optimisation for new classes
introduced in Java 19. (markt)
Web Socket
Update the XML schema used by the web fragment defined for the WebSocket
JAR to use the Servlet 6.0 web fragment schema. (markt)
Web applications
66064: Update the building page in the documentation web
application to reflect changes in required Java version and source
repository. (markt)
Documentation. Make the description of the HTTP/1.1 configuration
attributes that control the maximum allowed HTTP header size more
specific. (markt)
Tribes
Increase the default buffer size for replication messages from 43800 to
65536 bytes. This is expected to improve performance for large messages
when running on Linux based systems. (markt)
Other
Improvements to French translations. (remm)
Improvements to Japanese translations contributed by Shirayuking and
tak7iji. (markt)
Improvements to Chinese translations contributed by Dingzi2012. (markt)
2022-05-16 Tomcat 10.1.0-M15 (markt)
Catalina
65853: Refactor the CsrfPreventionFilter to make
it easier for sub-classes to modify the nonce generation and storage.
Based on suggestions by Marvin Fröhlich. (markt)
65991: Avoid NPE with SSLAuthenticator when
boundOnInit is used on a connector, during the check
for client certificate authentication availability. (remm)
66009: Use getSubjectX500Principal().toString()
rather than getSubjectX500Principal().getName(...) to
retrieve a certificate DN, to match the output of the deprecated
getSubjectDN().getName() that was used previously. (remm)
Revert the change in 10.1.0-M11 that added a mapping of
Shift_JIS for the ja locale to the default
mappings used by ServletResponse.setLocale() as it
caused regressions for applications using UTF-8. (markt)
Provide a property source that sources values from Kubernetes service
bindings. Pull request #512 provided by Sumit Kulhadia and
Gareth Evans. (markt)
Coyote
#501: Add new maxHttpRequestHeaderSize and
maxHttpResponseHeaderSize attributes which allow setting
the maximum HTTP header sizes independently. If not specified, the
value of the maxHttpHeaderSize connector attribute will
be used. Submitted by Zhongming Hua. (remm)
The root cause of the Linux kernel duplicate accept bug has been
identified along with the version of the kernel that includes the fix.
The error message displayed when this bug occurs has been updated to
reflect this new information and to advise users to update to a version
of the OS that uses kernel 5.10 or later. Thanks to Christopher Gual for
the research into this issue. (markt)
Remove the custom UTF-8 decoder that was introduced to work around
various UTF-8 decoding bugs in Java. These issues were fixed in early
Java 8 releases. Now the minimum Java version is 11, we can be sure that
Tomcat will not be running on a JRE where these issues are present.
(markt)
66023: Improve the fix for 65726 and support HTTP
upgrade with a request body for a wider set of use cases. (markt)
66035: Add NULL check on the SSL session reference in the
Panama code before accessing the session id and creation time. (remm)
Add support for encrypted PKCS#1 formatted private keys when configuring
the internal, in memory key store. Based on #511.
(jfclere/markt)
Remove the prestartminSpareThreads attribute of the
StandardThreadExecutor since all core threads are always
started by default making this attribute meaningless. Pull request
#510 provided by Aooohan. (markt)
Jasper
To align with the JSP 3.1 specification, make the
jsp:plugin action a NO-OP. No HTML will be generated as a
result the jsp:plugin action being included in a JSP. This
is be because the associated HTML elements are no longer supported by
any major browser. (markt)
66031: Fix NPE when using a custom JspFactory. Patch by
Jean-Louis Monteiro. (remm)
Webapps
66008: In the documentation web application, clarify the
recommendation for the use the trimSpaces option for Jasper
in production environments. (markt)
Update the documentation web application to state that the
EncryptInterceptor does not provide sufficient protection
to run Tomcat clustering over an untrusted network. This is
CVE-2022-29885. (markt)
Other
Improvements to Chinese translations contributed by shawn. (markt)
Improvements to French translations. (remm)
Improvements to German translations contributed by Thomas Hoffmann.
(markt)
Improvements to Japanese translations contributed by Shirayuking.
(markt)
Improvements to Korean translations. (woonsan)
Update to Commons Daemon 1.3.1. This fixes a known regression in 1.3.0
when configuring the Windows service with custom scripts as described in
66055. (markt)
Update to JSign 4.1. (markt)
Update the packaged version of the Tomcat Native Library to 1.2.33 to
pick up Windows binaries built with OpenSSL 1.1.1o.(markt)
2022-04-01 Tomcat 10.1.0-M14 (markt)
Catalina
65736: Disable the forceString option for the
JNDI BeanFactory and replace it with an automatic search
for an alternative setter with the same name that accepts a
String. This is a security hardening measure. (markt)
Remove the WebappClassLoaderBase.getResources() method as
it is not used and if something accidentally exposes the class loader
this method can be used to gain access to Tomcat internals. (markt)
not released Tomcat 10.1.0-M13 (markt)
Catalina
Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
renamed for Jakarta EE 10) including the implementation of the new
methods on AuthConfigFactory. (markt)
Harden the CredentialHandler implementations by switching to a
constant-time implementation for credential comparisons. (schultz/markt)
Coyote
Use a constant for the default TLS cipher suite. This will allow
skipping setting it in some cases (for example, it does not make
sense for OpenSSL TLS 1.3). (remm)
#487: Improve logging of unknown settings frames. Pull request
by Thomas Hoffmann. (remm)
65975: Add a warning if a TLS virtual host is configured with
optional certificate authentication and the containing connector is also
configured to support HTTP/2 as HTTP/2 does not permit optional
certificate authentication. (markt)
65975: Add a warning if a TLS virtual host is configured for
TLS 1.3 with a JSSE implementation and a web application is configured
for CLIENT-CERT authentication. CLIENT-CERT
authentication requires post-handshake authentication (PHA) when used
with TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA.
(markt)
Improve the recycling of Processor objects to make it more robust.
(markt)
Jasper
65959: Serialize Function as String[] rather Class[]. (remm)
Web applications
65947: Correct the name of HTTP/1.1 configuration property
(maxHttpHeaderSize) that is inherited by the HTTP/2 upgrade
protocol. Thanks to Thomas Hoffmann. (markt)
65952: Align --add-opens configuration for jsvc
with the current Tomcat scripts. (markt)
Correct the AJP and HTTP/1.1 Connector configuration pages in the
documentation web application to show which attributes are applicable to
all Connectors and which are implementation specific. (markt)
Other
Correct a spelling mistake in the German translations. Thanks to Thomas
Hoffmann. (markt)
65951: Use the tomcat.output property for OSGi
bundle manifest paths. (isapir)
Update to Commons Daemon 1.3.0. (markt)
Update to Checkstyle 10.0. (markt)
Update to SpotBugs 4.6.0. (markt)
Expand the spotbugs Ant task to also cover test code.
(markt)
Update to bnd 6.2.0. (markt)
Remove OSGi annotations dependency as it is no longer required with bnd
6.2.0. (markt)
Update to the Eclipse JDT compiler 4.23. (markt)
Refactor the resource files for the Apache Tomcat installer for Windows
so that all the resource files are located in a single directory in the
source tree. (markt)
Update the packaged version of the Tomcat Native Library to 1.2.32 to
pick up Windows binaries built with OpenSSL 1.1.1n.(markt)
Improvements to Chinese translations contributed by 15625988003. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations contributed by tak7iji. (markt)
Expand coverage of translations for jakarta.el package.
Based on #488 from Volodymyr Siedlecki. (markt)
2022-03-14 Tomcat 10.1.0-M12 (markt)
Catalina
#477: Update the default list of JARs to skip to include the
Apache Log4j JAR for Jakarta EE platforms. Pull request by Michael
Seele. (markt)
65921: The type substitution flag for the
rewrite valve should set the content type for the response, not the
request. (markt)
#479: Enable the rewrite valve to redirect requests when the
original request cannot be mapped to a context. This typically happens
when no ROOT context is defined. Pull request by elkman. (markt)
65940: Fix NullPointerException if an exception
occurs during the destruction of a Servlet. (markt)
Coyote
Fix regression introduced with 65757 bugfix which better
identified non request threads but which introduced a similar problem
when user code was doing sequential operations in a single thread.
Test case code submitted by Istvan Szekely. (remm)
Fix potential thread-safety issue that could cause HTTP/1.1 request
processing to wait, and potentially timeout, waiting for additional
data when the full request has been received. (markt)
Throw IOException rather than
IllegalStateException when the application attempts to
write to an HTTP/2 stream after the client has closed the stream.
(markt)
Jasper
When resolving methods in EL expressions that use beans and/or static
fields, ensure that any custom type conversion is considered when
identifying the method to call. (markt)
Web applications
Correct the name of the value attribute in the new
documentation of OpenSSLConfCmd elements. (rjung)
WebSocket
Fix typo in JPMS substitution configuration for WebSocket client module.
(markt)
2022-02-28 Tomcat 10.1.0-M11 (markt)
Catalina
Add ha-api-*.jar and jaxws-rt-*.jar to the
list of JARs to skip when scanning for TLDs, web fragments and
annotations. (michaelo)
Expand the default mappings used by
ServletResponse.setLocale() to include a mapping from the
ja locale to the Shift_JIS encoding. (markt)
65806: Improve the handling of session ID generation when the
default algorithm for SecureRandom (SHA1PRNG)
is not supported by the configured providers as will be the case for a
FIPS compliant configuration. (markt)
#463: Add support for additional user attributes to
TomcatPrincipal and GenericPrincipal.
Patch provided by Carsten Klein. (michaelo)
#464: Fall back to the class loader used to load JULI when the
thread context class loader is not set. In a normal Tomcat
configuration, this will be the system class loader. Based on a pull
request by jackshirazi. (markt)
#469: Include the Jakarata Annotations API in the classes that
Tomcat will not load from web applications. Pull request provided by
ppkarwasz. (markt)
Fix a potential StringIndexOutOfBoundsException exception
when generating a WebDAV multi-status response after an error during a
copy or delete. Report the paths relative to the server root for any
resources with an error. (markt)
Improve the format of WebDAV XML responses to make them easier for
humans to read. The change ensures that there is always a line break
before starting a new element. (markt)
Improve validation of the Destination header for WebDAV
MOVE and COPY requests. (markt)
Coyote
Correct a regression in the fix for 65454 that meant that
minSpareThreads and maxThreads settings were
ignored when the Connector used an internal executor. (markt)
65776: Improve the detection of the Linux duplicate accept
bug and reduce (hopefully avoid) instances of false positives. (markt)
65848: Revert the change that attempted to align the
behaviour of client certificate authentication with NIO or NIO2 with
OpenSSL for TLS between MacOS and Linux/Windows as the root cause was
traced to configuration differences. (markt)
#467: When system time moves backwards (e.g. after clock
correction), ensure that the cached formatted current date used for
HTTP headers tracks this change. Pull request provided by zhenguoli.
(markt)
Jasper
#474: Prevent a tag file from corrupting the ELContext of the
calling page. Pull request provided by Dmitri Blinov. (markt)
Minor optimisation of serialization for FunctionMapperImpl
in response to pull request #476. (markt)
Web applications
Remove the applet example from the example web application as applets
are no longer supported in any major browser. (markt)
Refactor a small number of pages in the examples web application to
avoid an issue with reproducible builds due to differences in file
ordering across different operating systems with Ant's zip task. (markt)
Better documentation for the protocol attribute of the
JNDIRealm. (markt)
Clarify the settings described in the documentation web application to
configure a cluster using static membership. (markt)
Add information on the OpenSSLConf and
OpenSSLConfCmd elements to the HTTP SSL configuration page
in the documentation web applications. (markt)
jdbc-pool
Use LF line endings for text files in JARs to support reproducible
builds across different operating systems. (markt)
Other
Use LF line endings for text files in JARs to support reproducible
builds across different operating systems. (markt)
Fix dependencies for individual test targets in Ant build file. Based on
#468 provided by Totoo chenyonghui. (markt)
Update the OWB module to Apache OpenWebBeans 2.0.26. (remm)
Revert the cherry-pick of JavaDoc fix from DBCP applied in 10.1.0.M9
that broke the DataSourceMXBean by using a type that isn't
supported by MXBeans. (markt)
Improvements to Chinese translations contributed by cloudgyb, totoo and
Chenyonghui1028. (markt)
Improvements to French translations. (remm)
Improvements to German translations contributed by Andreas Abraham.
(markt)
Improvements to Japanese translations contributed by tak7iji and
Shirayuking. (markt)
Improvements to Korean translations. (woonsan)
Improvements to Spanish translations contributed by ceciliabarudi.
(markt)
2022-01-20 Tomcat 10.1.0-M10 (markt)
Coyote
Correct a regression in the fix for 65785 that broke HTTP/2
server push. (markt)
not released Tomcat 10.1.0-M9 (markt)
Catalina
Add missing check in SessionCookieConfig.setAttribute() to
ensure that the method fails if called after the web application has
started. (markt)
Add additional locking to DataSourceUserDatabase to provide
improved protection for concurrent modifications. (markt)
Add recycling check in the input and output stream isReady to try to
give a more informative ISE when the facade has been recycled. (remm)
Make the calculation of the session storage location more robust when
using file based persistent storage. (markt)
Coyote
65726: Implement support for HTTP/1.1 upgrade when the
request includes a body. The maximum permitted size of the body is
controlled by maxSavePostSize. (markt)
Restore pre-starting of minSpareThreads lost in the fix for
65454. (markt)
Revert the previous fix for 65714 and implement a more
comprehensive fix. (markt)
Allow freeing up context on JVM shutdown in the OpenSSL Panama module
by properly using a shared scope. (remm)
65757: Missing initial IO listener notification on Servlet
container dispatch to another container thread. (remm)
Expand the fix for 65757 so that rather than just checking if
processing is happening on a container thread, the check is now if
processing is happening on the container thread currently allocated to
this request/response. (markt)
Improve the fix for RST frame ordering added in 10.1.0-M8 to avoid a
potential deadlock on some systems in non-default configurations.
(markt)
65767: Add support for certificates that use keys encrypted
using PBES2. Based on a pull request provided by xiezhaokun. (markt)
Refactor testing whether a String is a valid HTTP token. (markt)
65785: Perform additional validation of HTTP headers when
using HTTP/2. (markt)
When a Connector or Endpoint is paused, ensure that only new connections
and new requests on existing connections are stopped while allowing in
progress requests to run to completion. (markt)
Explicitly release ByteBuffer instances associated with pooled channels
when stopping the NioEndpoint and Nio2Endpoint. (markt)
Narrow the scope of the logging of invalid cookie headers to just the
invalid cookie rather than the whole cookie header. (markt)
Jasper
65724: Fix missing messages for some
PropertyNotWritableExceptions caused by a typo in the name
used for a resource string. (markt)
Add support for specifying Java 18 (with the value 18) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will used.
(markt)
To align with the JSP 3.1 specification that requires Java 11 as a
minimum, make the default JSP source version and target version Java 11.
(markt)
WebSocket
Remove the ALLOW_UNSUPPORTED_EXTENSIONS system property. As
per RFC 6455, all extensions are optional. If an endpoint declares an
extension that isn't supported there is no need to trigger an error. The
extension can just be excluded from the result of the negotiation.
(markt)
Remove the DISABLE_BUILTIN_EXTENSIONS. It was added to
enable Tomcat to pass the WebSocket TCK but after updates to the TCK, it
is no longer required. (markt)
Add support for POJO WebSocket endpoints to the programmatic upgrade
that allows applications to opt to upgrade an HTTP connection to
WebSocket. (markt)
Add support for the WebSocket 2.1 client-side API for configuring TLS
connection for wss client connections. (markt)
65763: Improve handling of WebSocket connection close if a
message write times out before the message is fully written. (markt)
Other
Update the OWB module to Apache OpenWebBeans 2.0.25. (remm)
Update the CXF module to Apache CXF 3.5.0. (remm)
Improvements to Chinese translations contributed by zhnnn. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations contributed by Shirayuking, yoshy
and tak7iji. (markt)
Improvements to Korean translations. (woonsan)
Improvements to Spanish translations contributed by Israel. (markt)
Update SpotBugs to 4.5.2. (markt)
Update to the Eclipse JDT compiler 4.22. (markt)
Update the NSIS installer to 3.08. (markt)
Update UnboundID to 6.0.3. (markt)
Update CheckStyle to 9.2.1. (markt)
Update BND to 6.1.0. (markt)
Update OSGI annotations to 1.1.1. (markt)
2021-12-08 Tomcat 10.1.0-M8 (markt)
Catalina
Log warning if a listener is not nested inside a Server element
although it must have been. (michaelo)
Where the getter can be called safely, remove the checks for
ServletContext getters called from a
contextInitialized() method of a
ServletContextListener that was not defined in a
web.xml file, a web-fragment.xml file nor
annotated with WebListener. (markt)
Make SPNEGO authentication more robust for the case where the provided
credential has expired. (markt)
Limit cookie support to RFC 6265 to align with recent updates to the
Servlet specification. (markt)
65684: Fix a potential NullPointerException when
using JULI. (markt)
Document conditions under which the AprLifecycleListener
can be used to avoid JVM crashes. (michaelo)
Refactor the AsyncFileHandler to reduce the possibility of
log messages being lost on shutdown. (markt)
Refactor the AsyncFileHandler to remove the need for the
org.apache.juli.AsyncLoggerPollInterval. If set, this
property now has no effect. (markt)
Add debug logging to the RestCsrfPreventionFilter. Based on
pull request #452 by Polina Georgieva. (markt)
Coyote
Use implicit scopes in the OpenSSL Panama module to tie the cleanup of
OpenSSL memory to the Java GC. (remm)
Provide protection against a known OS
bug that causes the acceptor to report an incoming connection more
than once. (markt)
Avoid unnecessary duplicate read registrations for blocking I/O with the
NIO connector. (markt)
65677: Improve exception handling for errors during HTTP/1.1
reads with NIO2. (markt)
When an error occurs that triggers a stream reset, ensure that the first
RST frame sent to the client is the one associated with the
error that triggered the reset. (markt)
65714: Fix exceptions when the security manager is enabled
and the first request received after starting is an HTTP request to a
TLS enabled NIO2 connector. (markt)
Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way
on MacOS as it does on Linux and Windows when no trusted certificate
authorities are configured and reject all client certificates. (markt)
Avoid a potential deadlock during the concurrent processing of incoming
HTTP/2 frames for a stream and that stream being reset. (markt)
WebSocket
Update the WebSocket API packaging to remove the copy of the client API
from the server API and replace it with a dependency on the client API.
This aligns Tomcat with changes in the WebSocket 2.1 specification.
(markt)
2021-11-15 Tomcat 10.1.0-M7 (markt)
Catalina
Refactor HttpServlet so the default doHead()
implementation now calls doGet() and relies on the
container to ensure that the response body is not sent. The previous
behaviour (wrapping the response) may be enabled per Servlet by setting
the jakarta.servlet.http.legacyDoHead Servlet
initialisation parameter to true. This aligns Tomcat with
recent changes updates for Servlet 6.0 in the Jakarta Servlet
specification project. (markt)
Add support for setting generic attributes for session cookies. This
aligns Apache Tomcat with recent changes in the Jakarta Servlet
specification project. (markt)
Do not add a trailing / to a request URI during
canonicalization. (markt)
Invalid byte sequences (typically in %nn form) in a request URi that are
not valid for the given URI encoding now trigger a 400 response. (markt)
Ensure that a request URI starts with a /. (markt)
Add a new Connector option, rejectSuspiciousURIs that will
causes 'suspicious' (see the Servlet 6.0 specification) URIs to be
rejected with a 400 response. (markt)
Improve robustness of JNDIRealm for exceptions occurring when getting
the connection. Also add missing close when running into issues
getting the passord of a user. (remm)
Add Javadoc comment which listeners must be nested within
Server elements only. (michaelo)
Add support for custom caching strategies for web application resources.
This initial implementation allows control over whether or not a
resource is cached. (markt)
Coyote
Improve performance of Connector shutdown - primarily to reduce the time
it takes to run the test suite. (markt)
#457: Add a toString() method to
MimeHeader to aid debugging. (dblevins)
Add experimental OpenSSL support through the Panama API incubating in
Java 17, with support for OpenSSL 1.1+. This no longer requires
tomcat-native or APR. Please refer to the openssl-java17
module for more details. (remm)
Jasper
Regenerate the EL parser using JavaCC 7.0.10. (markt)
Fix a bug that prevented the EL parser correctly parsing a literal Map
that used variables rather than literals for both keys and values.
(markt)
Ensure that the getType() method of any
ELResolver implementation returns null if
either the ELResolver or the resolved property is read-only
to align Tomcat with recent updates in the Jakarta EL specification
project. (markt)
Implement an alternative solution to support the JSP page directive
attribute isThreadSafe now that the
SingleThreadModel interface has been removed from the
Servlet API. The new approach synchronizes the service()
method.
WebSocket
Add a new method
ServerEndpointConfig.Configurator.getContainerDefaultConfigurator()
to align with recent updates in the WebSocket specification
project. (markt)
Add a new method ServerContainer.upgradeHttpToWebSocket()
to align with recent updates in the WebSocket specification project.
(markt)
Tribes
#454: Differentiate warning messages in
KubernetesMembershipProvider so that the missing attribute
is clear to the user. PR provided by Hal Deadman. (markt)
Other
Switch from Cobertura to JaCoCo for code coverage as Cobertura does not
support code coverage for code compiled for Java 11 onwards. It also
removes the need to use a single thread to run the tests. (markt)
2021-10-01 Tomcat 10.1.0-M6 (markt)
Catalina
Provide the DataSource in the constructor of
DataSourceUserDatabase, since it is always global. (remm)
Fix delete then create object manipulations with
DataSourceUserDatabase. (remm)
Remove all deprecated code from the Servlet API to align Tomcat with
recent changes in the Jakarta Servlet specification project. (markt)
Add the currently available Jakarta EE 10 schemas from the Jakarta EE
schema project. (markt)
Implement the new connection ID and request ID API for Servlet 6.0.
(markt)
65553: Implement a work-around for a
JRE bug
that can trigger a memory leak when using the JNDI realm. (markt)
65586: Fix the bloom filter used to improve performance of
archive file look ups in the web resources implementation so it works
correctly for directory lookups whether or not the provided directory
name includes the trailing /. (markt)
#451: Improve the usefulness of the thread name cache used in
JULI. Pull request provided by t-gergely. (markt)
Coyote
65563: Correct parsing of HTTP Content-Range
headers. Tomcat was incorrectly requiring an = character
after bytes. Fix based on pull request #449 by
Thierry Guérin. (markt)
Correct a potential StackOverflowException with HTTP/2 and
sendfile. (markt)
Further improvements in the management of the connection flow control
window. This addresses various bugs that caused streams to incorrectly
report that they had timed out waiting for an allocation from the
connection flow control window. (markt)
65577: Fix a AccessControlException reporting
when running an NIO2 connector with TLS enabled. (markt)
Reclassify TLS ciphers that use AESCCM8 as medium security rather than
high security to align with recent changes in OpenSSL. (markt)
Fix an issue that caused some Servlet non-blocking API reads of the HTTP
request body to incorrectly use blocking IO. (markt)
Jasper
Deprecate ELResolver.getFeatureDescriptors to align Tomcat
with recent updates in the Jakarta EL specification project. (markt)
Add support for default methods to BeanRELResolver to align
Tomcat with recent updates in the Jakarta EL specification project.
(markt)
Add support for MethodReference and the associated getter
on MethodExpression to align Tomcat with recent updates in
the Jakarta EL specification project. (markt)
Refactor ScopedAttributeELResolver to separate out the
functionality that is unrelated to scoped attributes into two new
resolvers: ImportELResolver and
NotFoundELResolver. This aligns Tomcat with recent updates
to the Jakarta Server Pages specification. (markt)
Fix the implementation of MethodExpression.getMethodInfo()
so that it returns the expected value rather than failing when the
method expression is defined with the parameter values in the expression
rather than the types being passed explicitly to
ExpressionFactory.createMethodExpression(). (markt)
Add support for a new page/tag directive errorOnELNotFound
that can be used to trigger an identifier if an EL expression in a
page/tag contains an identifier that cannot be resolved. (markt)
WebSocket
The internal upgrade handler should close the associated
WebConnection on destroy. (remm)
Web applications
Update the web applications that are included with Apache Tomcat to use
the Jakarta EE 10 schema for web.xml. (markt)
Clarify the JASPIC configuration options in the documentation web
application. (markt)
Other
65585: Update obsolete comments at the start of the
build.properties.default file. (markt)
2021-09-10 Tomcat 10.1.0-M5 (markt)
Catalina
Enable Tomcat to start if an (old) XML parser is configured that does
not support allow-java-encodings. A warning will be logged
if such an XML parser is detected. (markt)
Change the behaviour of custom error pages. If an error occurs after the
response is committed, once the custom error page content has been added
to the response the connection is now closed immediately rather than
closed cleanly. i.e. the last chunk that marks the end of the response
body is no longer sent. This acts as an additional signal to the client
that the request experienced an error. (markt)
65479: When handling requests using JASPIC authentication,
ensure that PasswordValidationCallback.getResult() returns
the result of the password validation rather than always returning
false. Fixed via pull request #438 provided by
Robert Rodewald. (markt)
Improve the reusability of the UserDatabase by adding
intermediate concrete implementation classes and allowing to do
partial database updates on save. (remm)
Refactor the authenticators to delegate the check for preemptive
authentication to the individual authenticators where an authentication
scheme specific check can be performed. Based on pull request
#444 by Robert Rodewald. (markt)
Add a UserDatabase implementation as a superset of the
DataSourceRealm functionality. (remm)
Make sure the dynamic Principal returned by
UserDatabaseRealm stays up to date with the database
contents, and add an option to have it be static, similar to the other
realms. (remm)
Add derby-*.jar to the list of JARs to skip when scanning
for TLDs, web fragments and annotations. (markt)
#447. Correct JPMS metadata for catalina.jar. Pull request
provided by Hui Wang. (markt)
Coyote
Correct a logic error that meant setting
certificateKeystoreFile to NONE did not have
the expected effect. NONE was incorrectly treated as a file
path. Patch provided by Mikael Sterner. (markt)
Remove the deprecated APR/Native connector which includes the HTTP APR
and the AJP APR connector. Also remove the Java interfaces to the
APR/Native library that are not used by the OpenSSL integration for the
NIO and NIO2 connectors. (markt)
Refactor the JSSE/OpenSSL integration to avoid the use of
finalize(). (markt)
65505: When an HTTP header value is removed, ensure that the
order of the remaining header values is unchanged. (markt)
WebSocket
65506: Fix write timeout check that was using the read
timeout value. Patch submitted by Gustavo Mahlow. (remm)
Web applications
Remove unnecessary Context settings from the examples web application.
(markt)
Document default value for unpackWARs and related clean-up.
Pull request #439 provided by Robert Rodewald. (markt)
Clarify the documentation of the compressionMinSize and
compressibleMimeType HTTP Connector
attributes. Pull request #442 provided by crisgeek. (markt)
Tribes
Refactor the ParallelNioSender to avoid the use of
finalize(). (markt)
Other
Fix failing build when building on non-English locales. Pull request
#441 provided by Dachuan J. (markt)
Update to JSign version 4.0 to enable code signing without the need for
the installation of additional client tools. (markt)
Add Apache Derby 10.15.2.0 to the testsuite dependencies, for JDBC
and DataSource testing. (remm)
Update the internal fork of Apache Commons BCEL to 40d5eb4 (2021-09-01,
6.6.0-SNAPSHOT). Code clean-up only. (markt)
Update the internal fork of Apache Commons Codec to fd44e6b (2021-09-01,
1.16-SNAPSHOT). Minor refactoring. (markt)
65661: Update the internal fork of Apache Commons FileUpload
to 33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As
a result of Commons File Upload now using
java.nio.file.Files, applications using multi-part uploads
need to ensure that the JVM is configured with sufficient direct memory
to store all in progress multi-part uploads. (markt)
Update the internal fork of Apache Commons Pool to 2.11.1 (2021-08-17).
Improvements, code clean-up and refactoring. (markt)
Update the internal fork of Apache Commons DBCP to 2.9.0 (2021-08-03).
Improvements, code clean-up and refactoring. (markt)
Update the packaged version of the Tomcat Native Library to 1.2.31 to
pick up Windows binaries built with OpenSSL 1.1.1l.(markt)
Switch to the CDN as the primary download location for ASF dependencies.
(markt)
Improvements to Chinese translations contributed by syseal, wolibo,
ZhangJieWen and DigitalFatCat. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations contributed by tak7iji. (markt)
Improvements to Korean translations. (woonsan)
2021-08-06 Tomcat 10.1.0-M4 (markt)
WebSocket
Correct a regression in the Java 8 to Java 11 changes made in 10.1.0-M3
that caused all WebSocket end points to fail to register. (markt)
not released Tomcat 10.1.0-M3 (markt)
General
Update the minimum required Java version to Java 11. (markt)
Catalina
Incremented the supported Jakarta Servlet version to 6.0 to align with
the current development branch of the Jakarta Servlet specification.
Plans have changed and the next iteration of the Servlet specification
will be 6.0 rather than 5.1. (markt)
65411: Always close the connection when an uncaught
NamingException occurs to avoid connection locking.
Submitted by Ole Ostergaard. (remm)
65433: Correct a regression in the fix for 65397
where a StringIndexOutOfBoundsException could be triggered
if the canonical path of the target of a symlink was shorter than the
canonical path of the directory in which the symlink had been created.
Patch provided by Cedomir Igaly. (markt)
65443: Refactor the CorsFilter to make it easier
to extend. (markt)
To avoid unnecessary cache revalidation, do not add an HTTP
Expires header when setting adding an HTTP header of
CacheControl: private. (markt)
Refactor JULI's custom LogManager, the
web application class loader implementation, the web resources
implementation, the JreLeakPreventionListener
implementation and the StandardJarScanner implementation to
remove Java 8 specific code now that the minimum Java version has been
increased to 11. (markt)
Remove all references to the endorsed standards override feature and the
specifying of optional packages (extensions) in the manifest as these
are not supported in Java 11. (markt)
Coyote
When writing an HTTP/2 response via sendfile (only enabled when
useAsyncIO is true) the connection flow control window was
sometimes ignored leading to various error conditions. sendfile now
checks both the stream and connection flow control windows before
writing. (markt)
Add debug logging for writing an HTTP/2 response via sendfile. (markt)
Correct bugs in the HTTP/2 connection flow control management that meant
it was possible for a connection to stall waiting for a connection flow
control window update that had already arrived. Any streams on that
connection that were trying to write when this happened would time out.
(markt)
65448: When using TLS with NIO, it was possible for a
blocking response write to hang just before the final TLS packet
associated with the response until the connection timed out at which
point the final packet would be sent and the connection closed. (markt)
65454: Fix a race condition that could result in a delay to
a new request. The new request could be queued to wait for an existing
request to finish processing rather than the thread pool creating a new
thread to process the new request. (markt)
65460: Correct a regression introduced in the previous
release in the change to reduce the number of small HTTP/2 window
updates sent for streams. A logic error meant that small window updates
for the connection were dropped. This meant that the connection flow
window slowly reduced over time until nothing could be sent. (markt)
Remove NIO workarounds and code that is no longer needed with Java 11.
(remm)
Refactor the endpoints to remove Java 8 specific code now that the
minimum Java version has been increased to 11. (markt)
Jasper
Add additional generics to the EL API to align with the latest changes
in the EL specification project. (markt)
Enable EL lambda expressions to be coerced to functional interfaces.
This is an implementation of a proposed extension to the Jakarta
Expression Language specification. (markt)
Refactor the EL API and implementation to remove Java 8 specific code
now that the minimum Java version has been increased to 11. (markt)
WebSocket
Refactor the WebSocket implementation to remove Java 8 specific code now
that the minimum Java version has been increased to 11. (markt)
Web applications
65404: Correct a regression in the fix for 63362
that caused the server status page in the Manager web application to be
truncated if HTTP upgrade was used such as when starting a WebSocket
connection. (markt)
Other
Improvements to Chinese translations contributed by ZhangJieWen and
chengzheyan. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations contributed by tak7iji. (markt)
Improvements to Korean translations. (woonsan)
Use of GraalVM native images no longer automatically disables JMX
support. JMX support may still be disabled by calling
org.apache.tomcat.util.modeler.Registry.disableRegistry().
(markt)
2021-07-02 Tomcat 10.1.0-M2 (markt)
Catalina
Refactor the RemoteIpValve to use the common utility method
for list to comma separated string conversion. (markt)
Refactor JNDIRealm$JNDIConnection so its fields are
accessible to sub-classes of JNDIRealm. (markt)
Fix serialization warnings in UserDatabasePrincipal
reported by SpotBugs. (markt)
65397: Calls to
ServletContext.getResourcePaths() no longer include
symbolic links in the results unless allowLinking has been
set to true. If a resource is skipped because of this
change, a warning will be logged as this typically indicates a
configuration issue. (markt)
Coyote
65368: Improve handling of clean closes of inbound TLS
connections. Treat them the same way as clean closes of non-TLS
connections rather than as unknown errors. (markt)
Modify the HTTP/2 connector not to sent small updates for stream flow
control windows to the user agent as, depending on how the user agent is
written, this may trigger small writes from the user agent that in turn
trigger the overhead protection. Small updates for stream flow control
windows are now combined with subsequent flow control window updates for
that stream to ensure that all stream flow control window updates sent
from Tomcat are larger than overheadWindowUpdateThreshold.
(markt)
Add additional debug logging to track the current state of the HTTP/2
overhead count that Tomcat uses to detect and close potentially
malicious connections. (markt)
Many HTTP/2 requests from browsers will trigger one overhead frame and
one non-overhead frame. Change the overhead calculation so that a
non-overhead frame reduces the current overhead count by 2 rather than
1. This means that, over time, the overhead count for a well-behaved
connection will trend downwards. (markt)
Change the initial HTTP/2 overhead count from -10 to
-10 * overheadCountFactor. This means that, regardless of
the value chosen for overheadCountFactor, when a connection
opens 10 overhead frames in a row will be required to trigger the
overhead protection. (markt)
Increase the default overheadCountFactor from
1 to 10 and change the reduction in overhead
count for a non-overhead frame from -2 to -20.
This allows for a larger range (0-20) to be used for
overheadCountFactor providing for finer-grained control.
(markt)
Modify the parsing of HTTP header values that use the
1#token to ignore empty elements as per RFC 7230 section 7
instead of treating the presence of empty elements as an error. (markt)
Expand the unit tests for HttpServlet.doHead() and correct
the flushing of the response buffer. The buffer used to behave as if it
was one byte smaller than the configured size. The buffer was flushed
(and the response committed if required) when the buffer was full. The
buffer is now flushed (and the response committed if required) if the
buffer is full and there is more data to write. (markt)
Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the
same connection could hang and eventually timeout when async IO was
enabled (it is enabled by default). (markt)
Jasper
65387: Correct a regression in the fix for 65124
and restore the local definition of out for tags that
implement TryCatchFinally. (markt)
65390: Correct a regression in the fix for 65124
and restore code that was removed in error leading to JSP compilation
failures in some circumstances. (markt)
Update to the Eclipse JDT compiler 4.20. (markt)
Add support for specifying Java 17 (with the value 17) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the latest supported version will used.
(markt)
65377: Update the Java code generation for JSPs not to use
the boxed primitive constructors as they have been deprecated in Java 9
and marked for future removal in Java 16. valueOf() is now
used instead. (markt)
WebSocket
Refactor the DigestAuthenticator to reuse a shared
SecureRandom instance rather than create a new one to
generate the cnonce if required. (markt)
Web applications
65385: Correct the link in the documentation web application
the Maven Central repository. (markt)
Other
Use JSign to integrate the build script with the code signing service to
enable release builds to be created on Linux as well as Windows. (markt)
Update the OWB module to Apache OpenWebBeans 2.0.23. (remm)
Update the CXF module to Apache CXF 3.4.4. (remm)
65369 / #422: Add the additional
--add-opens=... options required for running Tomcat on Java
16 onwards to the service.bat script to align it with the
other start-up scripts. PR provided by MCMicS. (markt)
Improvements to French translations. (remm)
Improvements to Korean translations. (woonsan)
Update JUnit to version 4.13.2. (markt)
Update EasyMock to 4.3. (markt)
Update Objenesis to 3.2. (markt)
Update UnboundID to 6.0.0. (markt)
Update CheckStyle to 8.43. (markt)
Update SpotBugs to 4.2.3. (markt)
Update OSGi annotations to 1.1.0. (markt)
2021-06-15 Tomcat 10.1.0-M1 (markt)
General
This release contains all of the changes up to and including those in
Apache Tomcat 10.0.6 plus the additional changes listed below. (markt)
Remove code previously marked for removal in Tomcat 10.1.x. (markt)
Catalina
Incremented the supported Jakarta Servlet version to 5.1 to align with
the current development branch of the Jakarta Servlet specification.
(markt)
65301: RemoteIpValve will now avoid getting
the local host name when it is not needed. (remm)
65308: NPE in JNDIRealm when no userRoleAttribute
is given. (fschumacher)
#412: Add commented out, sample users for the Tomcat Manager app
to the default tomcat-users.xml file. Based on a PR by
Arnaud Dagnelies. (markt)
#418: Add a new option, pass-through, to the
default servlet's useBomIfPresent initialization parameter
that causes the default servlet to leave any BOM in place when
processing a static file and not to use the BOM to determine the
encoding of the file. Based on a pull request by Jean-Louis Monteiro.
(markt)
#419: When processing POST requests of type
multipart/form-data for parts without a filename that are
added to the parameter map in String form, check the size of the part
before attempting conversion to String. Pull request provided by
tianshuang. (markt)
Implement the new Cookie methods
setAttribute(), getAttribute() and
getAttributes() introduced in Servlet 6.0. (markt)
AprLifecycleListener does not show dev version suffix for libtcnative
and libapr. (michaelo)
Refactor principal handling in UserDatabaseRealm using
an inner class that extends GenericPrincipal. (remm)
Enable the default doHead() implementation in
HttpServlet to correctly handle responses where the content
length needs to be represented as a long since it is larger than the
maximum value that can be represented by an int. (markt)
Avoid synchronization on roles verification for the memory
UserDatabase. (remm)
Fix the default doHead() implementation in
HttpServlet to correctly handle responses where the Servlet
calls ServletResponse.reset() and/or
ServletResponse.resetBuffer(). (markt)
Fix the default doHead() implementation in
HttpServlet to correctly handle responses generated using
the Servlet non-blocking API. (markt)
Coyote
65303: Fix a possible NullPointerException if
an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on
a pushed HTTP/2 stream. (markt)
Simplify AprEndpoint socket bind for all platforms. (michaelo)
65340: Add missing check for a negative return value for
Hpack.decodeInteger in the HpackDecoder,
which could cause a NegativeArraySizeException exception.
Submitted by Thomas, and verified the fix is present in the donated
hpack code in a further update. (remm)
Add debug logging for HTTP/2 HPACK header decoding. (markt)
Correct parsing of HTTP headers consisting of a list of tokens so that a
header with an empty token is treated consistently regardless of whether
the empty token is at the start, middle or end of the list of tokens.
(markt)
Remove support for the identity transfer encoding. The
inclusion of this encoding in RFC 2616 was an error that was corrected
in 2001. Requests using this transfer encoding will now receive a 501
response. (markt)
Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
clients. (markt)
Ensure that if the transfer encoding header contains the
chunked, that the chunked encoding is the
final encoding listed. (markt)
Jasper
Incremented the supported Jakarta Expression Language version to 5.0 to
align with the current development branch of the Jakarta Expression
Language specification. (markt)
Review code used to generate Java source from JSPs and tags and remove
code found to be unnecessary. (markt)
Refactor use of internal ChildInfo class to use compile
time type checking rather than run time type checking. (markt)
65124: Partial fix. When generating Java source code to call
a tag handler, only define the local variable JspWriter out
when it is going to be used. (markt)
Add generics to the EL 5.0 API to align with the current EL 5.0
development branch. (markt)
Update the web-fragment.xml included in
jasper.jar and jasper-el.jar to use the
Servlet 5.0 schema. (markt)
Update JspC to generate web.xml and
web-fragment.xml files using Servlet 5.0 schemas. (markt)
Remove the deprecated method
MethodExpression.isParmetersProvided() from the EL API to
align with the current EL 5.0 development branch. (markt)
65358: Improve expression language method matching for
methods with varargs. Where multiple methods may match the provided
parameters, the method that requires the fewest varargs is preferred.
(markt)
65332: Add a commented out section in
catalina.policy that provides the necessary permissions to
compile JSPs with javac when running on Java 9 onwards with a security
manager. It is commented out as it will cause errors if used with
earlier Java versions. (markt)
WebSocket
65317: When using permessage-deflate, the
WebSocket connection was incorrectly closed if the uncompressed payload
size was an exact multiple of 8192. Based on a patch provided by Saksham
Verma. (markt)
Update the web-fragment.xml included in
tomcat-websocket.jar to use the Servlet 5.0 schema. (markt)
65342: Correct a regression introduced with the fix for
65262 that meant Tomcat's WebSocket implementation would only
work with Tomcat's implementation of the Jakarta WebSocket API. (markt)
Web applications
Improve the description of the maxConnections and
acceptCount attributes in the Connector section of the
documentation web application. (markt)
Other
Improvements to French translations. (remm)
Improvements to Korean translations. (woonsan)
65362: Correct a regression in the previous release. The
change to create OSGi Require-Capability sections in
manifests for Jakarta API JARs manually rather than with bnd annotations
did not add the necessary manual entries to the embedded JARs. (markt)
Update the packaged version of the Tomcat Native Library to 1.2.30. Also
update the minimum recommended version to 1.2.30. (markt)
66388: Correct a regression in the refactoring that replaced
the use of the 
Add support for specifying Java 21 (with the value 
Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
6.7.1-SNAPSHOT). (markt)
Refactor code base to replace use of URL constructors. While they are
deprecated in Java 20 onwards, the reasons for deprecation are valid for
all versions so move away from them now. (markt)
Document conditions under which the