Changelog

in development Tomcat 10.0.0-M6 (markt)

Catalina

  • Fix: 64432: Correct a refactoring regression that broke handling of multi-line configuration in the RewriteValve. Patch provided by Jj. (markt)
  • Fix: Fix use of multiple parameters when defining RewriteMaps. (remm/fschumacher)
  • Update: Add the special internal rewrite maps for case modification and escaping. (remm/fschumacher)
  • Fix: Correct a regression in an earlier fix that broke the loading of configuration files such as keystores via URIs on Windows. (markt)
  • Fix: Implement a few rewrite SSL env that correspond to Servlet request attributes. (remm)

Coyote

  • Update: Add support for ALPN on recent OpenJDK 8 releases. (remm)
  • Fix: 64467: Improve performance of closing idle HTTP/2 streams. (markt)
  • Update: Expose server certificate through the SSLSupport interface. (remm)

Jasper

  • Update: Update the Jakarta Server Pages API implementation to align with specification updates to use generics and add missing @Deprecated annotations. (markt)

WebSocket

  • Add: Add default implementations for init() and destroy() to the Encoder and Decoder interfaces. (markt)
  • Fix: Consistently throw a DeploymentException when an invalid endpoint path is specified and catch invalid endpoint paths earlier. (markt)

Other

  • Update: Update the list of known Charsets in the CharsetCache to include ISO-8859-16, added in OpenJDK 15. (markt)
  • Add: Improve the quality and expand the coverage of the French translations provided with Apache Tomcat. (remm)

2020-05-11 Tomcat 10.0.0-M5 (markt)

Catalina

  • Update: Remove useAprConnector flag from AprLifecycleListener so that the only way to use the APR connectors is to set the full class name. (remm)
  • Add: 59203: Before calling Thread.stop() (if configured to do so) on a web application created thread that is not stopped by the web application when the web application is stopped, try interrupting the thread first. Based on a pull request by Govinda Sakhare. (markt)
  • Fix: 62912: Don't mutate an application provided content header if it does not contain a charset. Also remove the outdated workaround for the buggy Adobe Reader 9 plug-in for IE. (markt)
  • Code: Remove the reloadable attribute from the Loader interface as it is duplicated on the Context interface. (markt)
  • Fix: Reduce reflection use and remove AJP specific code in the Connector. (remm/markt/fhanik)
  • Fix: Rework the fix for 64021 to better support web applications that use a custom class loader that loads resources from non-standard locations. (markt)
  • Update: Remove redundant sole path/URI from error page message on SC_NOT_FOUND. (michaelo)
  • Add: Log a warning if a CredentialHandler instance is added to an instance of the CombinedRealm (or a sub-class) as the CombinedRealm doesn't use a configured CredentialHandler and it is likely that a configuration error has occurred. (markt)
  • Add: Add more descriptive error message in DefaultServlet for SC_NOT_FOUND. (michaelo)
  • Fix: 64309: Improve the regular expression used to search for class loader repositories when bootstrapping Tomcat. Pull request provided by Paul Muriel Biya-Bi. (markt)
  • Fix: 64384: Fix multipart configuration ignoring some parameters in some cases. (schultz)
  • Add: 64386: WebdavServlet does not send "getlastmodified" property for resource collections. (michaelo)
  • Update: Remove reason phrase on WebDAV Multi-Status (207) response. (michaelo)
  • Fix: 64398: Change default value separator for property replacement to :- due to possible conflicts. The syntax is now ${name:-default}. (remm)
  • Add: Improve validation of storage location when using FileStore. (markt)

Coyote

  • Fix: Move SocketProperties mbean to its own type rather than use a subType to improve robustness with tools. (remm)
  • Fix: Include the problematic data in the error message when reporting that the provided request line contains an invalid component. (markt)
  • Fix: Improve the handling of requests that use an expectation. Do not disable keep-alive where the response has a non-2xx status code but the request body has been fully read. (rjung/markt)
  • Fix: 64403: Ensure that compressed HTTP/2 responses are not sent with a content length header appropriate for the original, uncompressed response. (markt)

Jasper

  • Update: Remove redundant sole path/URI from error page message on SC_NOT_FOUND. (michaelo)
  • Add: Add more descriptive error message in DefaultServlet for SC_NOT_FOUND. (michaelo)
  • Fix: 64373: When a tag file is packaged in a WAR and then that WAR is unpacked in /WEB-INF/classes ensure that the tag file can still be found. Patch provided by Karl von Randow. (markt)
  • Fix: Ensure that the Jasper code that interfaces with the Eclipse Compiler for Java (ECJ) enables Jasper to compile JSPs using ECJ 4.14 onwards when the JSPs have inner classes. (markt)

Cluster

  • Update: Refactor Tribes BufferPool and add the org.apache.catalina.tribes.io.BufferPool.DEFAULT_POOL_SIZE system property to configure its size. (remm)
  • Update: Remove java.io based Tribes receiver and sender, in favor of NIO which was the default. (remm)

Web applications

  • Fix: Fix the saving of a Context configuration file via the scripting interface of the Manager web application. (markt)
  • Add: Add a section to the TLS Connector documentation on different key store types and how to configure them. (markt)

Other

  • Update: Update JUnit to version 4.13. (markt)
  • Fix: Add missing entries to test class path in sample NetBeans configuration files. Patch provided by Brian Burch. (markt)
  • Code: Refactor to use parameterized Collection constructors where possible. Pull request provided by Lars Grefer. (markt)
  • Code: Refactor to use empty arrays with Collections.toArray(). Pull request provided by Lars Grefer. (markt)
  • Code: Refactor loops with a condition to exit as soon as the condition is met. Pull request provided by Lars Grefer. (markt)
  • Code: Refactor bulk addition to collections to use addAll() rather than a loop. Pull request provided by Lars Grefer. (markt)
  • Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by winsonzhao, ZhangJieWen and Lee Yazhou. (markt)
  • Add: Improve the quality and expand the coverage of the French translations provided with Apache Tomcat. (remm)
  • Add: Improve the quality of the Japanese translations provided with Apache Tomcat. Includes contributions from Yoshy. (markt)
  • Add: Improve the quality of the German translations provided with Apache Tomcat. (markt)
  • Update: Update the packaged version of the Tomcat Native Library to 1.2.24. (markt)
  • Code: Refactor to use enhanced for loops where possible. Pull request by Lars Grefer. (markt)
  • Add: Improve IDE support for IntelliJ IDEA. Patch provided by Lars Grefer. (markt)
  • Add: Improve the coverage and quality of the Korean translations provided with Apache Tomcat. (woonsan)
  • Update: Update dependency on bnd to 5.0.1. (markt)

2020-04-08 Tomcat 10.0.0-M4 (markt)

Catalina

  • Fix: Ensure all URL patterns provided via web.xml are %nn decoded consistently using the encoding of the web.xml file where specified and UTF-8 where no explicit encoding is specified. (markt)
  • Update: Allow a comma separated list of class names for the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property. (remm)
  • Fix: 64149: Avoid NPE when using the access log valve without a pattern. (remm)
  • Fix: 64226: Reset timezone after parsing a date since the date format is reused. Test case submitted by Gary Thomas. (remm)
  • Fix: 64247: Using a wildcard for jarsToSkip should not override a possibly present jarsToScan. Based on code submitted by Iridias. (remm)
  • Update: Refactor DefaultServlet to avoid using an internal Range structure that is duplicated from the parsing result. (remm)
  • Update: Remove org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH system property, replaced by the allowBackslash attribute on the Connector. (remm)
  • Update: Remove org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER system property, replaced by the enforceEncodingInGetWriter attribute on the Connector. (remm)
  • Update: Remove org.apache.catalina.session.StandardSession.ACTIVITY_CHECK system property, replaced by the sessionActivityCheck attribute on the Manager. (remm)
  • Update: Remove org.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START system property, replaced by the sessionLastAccessAtStart attribute on the Manager. (remm)
  • Update: Remove org.apache.catalina.core.StandardHostValve.ACCESS_SESSION system property, replaced by the alwaysAccessSession attribute on the Context. (remm)
  • Update: Remove org.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH system property, replaced by the contextGetResourceRequiresSlash attribute on the Context. (remm)
  • Update: Remove org.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT system property, replaced by the dispatcherWrapsSameObject attribute on the Context. (remm)
  • Fix: 64265: Fix ETag comparison performed by the default servlet. The default servlet always uses weak comparison. (markt)
  • Update: Remove org.apache.catalina.authenticator.Constants.SSO_SESSION_COOKIE_NAME system property, replaced by the cookieName attribute on the SSO valve. (remm)
  • Fix: Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann. (markt)

Coyote

  • Fix: When closing a NIO channel, avoid canceling keys as a workaround for deadlocks when running on Java 11. Excessive internal NIO synchronization on channel close is resolved starting with this Java version. (remm)
  • Add: When configuring an HTTP Connector, ensure that the encoding specified for URIEncoding is a superset of US-ASCII as required by RFC7230. (markt)
  • Fix: Avoid always retrieving the NIO poller selection key when processing to reduce sync. (remm)
  • Fix: 64240: Ensure that HTTP/0.9 requests that contain additional data on the request line after the URI are treated consistently. Such requests will now always be treated as HTTP/1.1. (markt)
  • Add: Expose the HTTP/2 connection ID and stream ID to applications via the request attributes org.apache.coyote.connectionID and org.apache.coyote.streamID respectively. (markt)
  • Add: Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences. (markt)
  • Add: Expose the associated HttpServletRequest to the CookieProcessor when generating a cookie header so the header can be tailored based on the properties of the request, such as the user agent, if required. Based on a patch by Lazar Kirchev. (markt)

Jasper

  • Update: Update to the Eclipse JDT compiler 4.15. (markt)
  • Add: Add support for specifying Java 14 (with the value 14) and Java 15 (with the value 15) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will used. (markt)
  • Update: Remove Jasper configuration using system properties and replace them by a new set of JSP Servlet init parameters. (remm)

Web applications

  • Fix: Correct the documentation web application to remove references to the org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property changing the default for the URIEncoding attribute of the Connector. (markt)
  • Fix: Correct the documentation web application to remove references to the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system property changing how the sequence %5c is interpreted in a URI. (markt)

Tribes

  • Code: Remove support for the deprecated system property org.apache.catalina.tribes.dns_lookups. The default value of false will now always be used. (markt)

Other

  • Add: Improve the quality and expand the coverage of the French translations provided with Apache Tomcat. Contribution provided by Tom Bens. (remm)
  • Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contribution provided by Lee Yazhou. (markt)
  • Fix: 64270: Set the documented default umask of 0027 when using jsvc via daemon.sh and allow the umask used to be configured via the UMASK environment variable as it is when using catalina.sh. (markt)
  • Update: Update the OWB module to Apache OpenWebBeans 2.0.16. (remm)
  • Update: Update the CXF module to Apache CXF 3.3.6. (remm)
  • Fix: Remove the LOGGING_CONFIG environment variable and replace it with the CATALINA_LOGGING_CONFIG environment variable to avoid clashes with other components that use LOGGING_CONFIG. (markt)

2020-03-16 Tomcat 10.0.0-M3 (markt)

Coyote

  • Fix: 64202: Use a loop on NIO blocking reads, as it is possible zero bytes are produced by a network read. (markt/remm)
  • Fix: 64210: Correct a regression in the improvements to HTTP header validation that caused requests to be incorrectly treated as invalid if a CRLF sequence was split between TCP packets. Improve validation of request lines, including for HTTP/0.9 requests. (markt)

Other

  • Fix: 64206: Correct a regression introduced in 10.0.0-M1 that meant that the HTTP port specified when using the Windows Installer was ignored and 8080 was always used. (markt)

not released Tomcat 10.0.0-M2 (markt)

Catalina

  • Code: Refactor HttpServlet.doOptions() to improve performance. (markt)
  • Update: Disable StandardManager session persistence by default. It can be enabled back in context.xml. (remm)
  • Add: Add extension point to DeltaSession to improve subclassing. Patch provided by ThStock. (schultz)
  • Fix: 64153: Ensure that the parent for the web application class loader is set consistently. (markt)
  • Fix: 64166: Ensure that the names returned by HttpServletResponse.getHeaderNames() are unique. (markt)
  • Code: Rename org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource to org.apache.tomcat.util.digester.EnvironmentPropertySource. Patch provided by Bernd Bohmann. (markt)
  • Fix: 63286: Resolve inconsistencies with access log valve. This changes the element API to use a nanosecond resolution elapsed time argument. (remm)
  • Add: Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein. (markt)
  • Fix: 64184: Avoid repeated log messages if a MemoryUserDatabase is configured but the specified configuration file is missing. (markt)
  • Add: 64189: Expose the web application version String as a ServletContext attribute named org.apache.catalina.webappVersion. (markt)

Coyote

  • Fix: Fix support of native jakarta servlet attributes in AJP connector. (remm)
  • Update: 56966: Add use of System.nanoTime to track request execution time. (remm)
  • Fix: 64141: If using a CA certificate, remove a default value for the truststore file when not using a JSSE configuration. (remm)
  • Fix: Improve robustness of OpenSSLEngine shutdown. Based on code submitted by Manuel Dominguez Sarmiento. (remm)
  • Fix: Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept. (markt)
  • Fix: A zero length AJP secret will now behave as if it has not been specified. (remm)
  • Fix: 64188: If an error occurs while committing or flushing the response when using a multiplexing protocol like HTTP/2 that requires the channel to be closed but not the connection, just close the channel and allow the other channels using the connection to continue. Based on a suggestion from Alejandro Anadon. (markt)
  • Fix: Correct the semantics of getEnableSessionCreation and setEnableSessionCreation for OpenSSLEngine. Pull request provided by Alexander Scheel. (markt)
  • Fix: 64192: Correctly handle case where unread data is returned to the read buffer when the read buffer is non empty. Ensure a gathering TLS read stops once the provided ByteBuffers are full or no more data is available. (markt)
  • Fix: Allow async requests to complete cleanly when the Connector is paused before complete() is called on a container thread. (markt)

Cluster

  • Fix: Allow configuring the DNSMembershipProvider using the dns alias. Submitted by Bernd Bohmann. (remm)

Web applications

  • Add: Expand the documentation for the address attribute of the AJP Connector and document that the AJP Connector also supports the ipv6v6only attribute with the APR/Native implementation. (markt)

Other

  • Update: Update the OWB module to Apache OpenWebBeans 2.0.15. (remm)
  • Update: Update the CXF module to Apache CXF 3.3.5. (remm)
  • Add: Expand the coverage of the Korean translations provided with Apache Tomcat. Contributions provided by B. Cansmile Cha. (markt)
  • Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
  • Add: 64190: Add support for specifying milliseconds (using S, SS or SSS) in the timestamp used by JULI's OneLineFormatter. (markt)

2020-02-20 Tomcat 10.0.0-M1 (markt)

General

This release contains all of the changes upto and including those in Apache Tomcat 9.0.31 plus the additional changes listed below. (markt)

Catalina

  • Update: Refactor recycle facade system property into a new connector attribute named discardFacades and enable it by default. (remm)
  • Update: Update to Jakarta Servlet 5.0, Jakarta Server Pages 3.0. Jakarta Expression Language 4.0, Jakarta WebSocket 2.0, Jakarta Authentication 2.0 and Jakarta Annotations 2.0. (markt)
  • Update: Remove GenericPrincipal.getPassword. The credentials should remain managed by the realm. (remm)
  • Update: Add connection pooling to JNDI realm. (remm)
  • Update: Use <request-character-encoding> and <response-character-encoding> in conf/web.xml to set the default request and response character encodings to UTF-8. (markt)
  • Fix: Store config compatibility with HostWebXmlCacheCleaner listener. (remm)
  • Fix: Modify the RewriteValve to use ServletRequest.getServerName() to populate the HTTP_HOST variable rather than extracting it from the Host header as this allows HTTP/2 to be supported. (markt)
  • Fix: Switch Tomcat embedded to loading MIME type mappings from a property file generated from the default web.xml so the MIME type mappings are consistent regardless of how Tomcat is started. (markt)
  • Fix: Missing store config attributes for Resources elements. (remm)

Coyote

  • Update: Update endpoint cache sizes defaults. (remm)
  • Update: Remove unused NIO blocking selector. (remm)
  • Add: When using an AJP Connector, convert Java Servlet specific request attributes to the Jakarta Servlet equivalent. (markt)
  • Add: When reporting / logging invalid HTTP headers encode any non-printing characters using the 0xNN form. (markt)
  • Update: Remove duplication of HTTP/1.1 configuration on the HTTP/2 UpgradeProtocol element. Configuration from the main Connector element will now be used. (remm)
  • Fix: When the NIO or APR/native connectors were configured with useAsyncIO="true" and a zero length read or write was performed, the read/write would time out rather than return immediately. (markt)

Jasper

  • Code: Parameterize JSP version and API class names in localization messages to allow simpler re-use between major versions. (markt)
  • Fix: Ensure that TLD files listed in the jsp-config section of web.xml that are registered in the uriTldResourcePathMap with the URI specified in web.xml are also registered with the URI in the TLD file if it is different. Patch provided by Markus Lottmann. (markt)

Cluster

  • Fix: Fix cloud environment lookup order and add a dedicated DNS_MEMBERSHIP_SERVICE_NAME environment for use with the DNS membership provider. Submitted by Bernd Bohmann. (remm)

Other

  • Fix: 53620: JULI now only creates logging files when there is a log entry to write. Based on a patch by Karol Bucek. (markt)
  • Fix: Update implemented specification version information in a few places where it has not been updated for Jakarta EE 9. (markt)
  • Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
  • Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contribution provided by BoltzmannWxd. (markt)