Apache Tomcat Changelog

What's new in Apache Tomcat 11.0.0 M19 Alpha

Apr 17, 2024

Finalize update to the Jakarta EE 11 specifications.
Cookies header generation enhancements.
Fix regression when reloading TLS configuration and files.

New in Apache Tomcat 10.1.20 (Mar 26, 2024)

New in Apache Tomcat 11.0.0 M18 Alpha (Mar 15, 2024)

New in Apache Tomcat 10.1.19 (Feb 19, 2024)

New in Apache Tomcat 10.1.18 (Jan 9, 2024)

New in Apache Tomcat 11.0.0 M16 Alpha (Jan 9, 2024)

New in Apache Tomcat 10.1.17 (Dec 12, 2023)

New in Apache Tomcat 11.0.0 M15 Alpha (Dec 12, 2023)

New in Apache Tomcat 10.1.15 (Oct 16, 2023)

New in Apache Tomcat 11.0.0 M13 Alpha (Oct 16, 2023)

New in Apache Tomcat 10.1.14 (Oct 10, 2023)

New in Apache Tomcat 11.0.0 M12 Alpha (Oct 10, 2023)

New in Apache Tomcat 11.0.0 M11 Alpha (Aug 27, 2023)

New in Apache Tomcat 10.1.13 (Aug 27, 2023)

New in Apache Tomcat 10.1.12 (Aug 16, 2023)

New in Apache Tomcat 11.0.0 M10 Alpha (Aug 16, 2023)

New in Apache Tomcat 10.1.11 (Jul 11, 2023)

New in Apache Tomcat 11.0.0 M9 Alpha (Jul 11, 2023)

New in Apache Tomcat 10.1.10 (Jun 18, 2023)

New in Apache Tomcat 11.0.0 M7 Alpha (Jun 9, 2023)

New in Apache Tomcat 10.1.9 (May 21, 2023)

New in Apache Tomcat 11.0.0 M6 Alpha (May 10, 2023)

New in Apache Tomcat 11.0.0 M5 Alpha (Apr 20, 2023)

New in Apache Tomcat 10.1.8 (Apr 20, 2023)

New in Apache Tomcat 10.1.7 (Mar 5, 2023)

New in Apache Tomcat 10.1.6 (Feb 26, 2023)

New in Apache Tomcat 11.0.0 M3 Alpha (Feb 23, 2023)

New in Apache Tomcat 10.1.5 (Jan 13, 2023)

New in Apache Tomcat 10.1.4 (Dec 9, 2022)

New in Apache Tomcat 11.0.0 M1 Alpha (Dec 6, 2022)

New in Apache Tomcat 10.1.2 (Nov 14, 2022)

New in Apache Tomcat 10.1.1 (Oct 12, 2022)

New in Apache Tomcat 10.1.0 (Sep 27, 2022)

New in Apache Tomcat 10.0.23 (Jul 26, 2022)

New in Apache Tomcat 10.0.22 (Jul 21, 2022)

New in Apache Tomcat 10.0.21 (May 17, 2022)

New in Apache Tomcat 10.0.20 (Apr 5, 2022)

New in Apache Tomcat 10.0.18 (Mar 15, 2022)

New in Apache Tomcat 10.0.16 (Jan 21, 2022)

New in Apache Tomcat 10.0.7 (Jun 17, 2021)

New in Apache Tomcat 10.0.6 (May 13, 2021)

New in Apache Tomcat 10.0.5 (Apr 8, 2021)

New in Apache Tomcat 10.0.4 (Mar 12, 2021)

New in Apache Tomcat 10.0.3 (Mar 12, 2021)

Catalina:
Fix: Revert an incorrect fix for a potential resource leak that broke deployment via the Ant deploy task. (markt)
Fix: Improve error message for failed ConfigurationSource lookups in the Catalina implementation. (remm)
Fix: 65135: Rename Context method isParallelAnnotationScanning to getParallelAnnotationScanning for consistency and ease of use in JMX descriptors. (remm)
Update: Allow the loader to directly use the Tomcat Migration Tool for JakartaEE as a ClassFileTransformer using the jakartaConverter attribute. This only supports javax to jakarta conversion for classes, not for classloader resources or static files. (remm)
Add: Integrate the Tomcat Migration Tool for JakartaEE at deployment time. Java EE web applications placed in the webapps-javaee directory will be migrated to Jakarta EE 9 and placed in the webapps where it will be deployed (or not) based on the current settings for automatic deployment. (markt)
Fix: 64938: Align the behaviour when null is passed to the ServletResponse methods setCharacterEncoding(), setContentType() and setLocale() with the recent clarification from the Jakarta Servlet project of the expected behaviour in these cases. (markt)
Fix: Ensure that the AsyncListener.onError() event is triggered when a I/O error occurs during non-blocking I/O. There were some cases discovered where this was not happening. (markt)
Add: Make the non-blocking I/O error handling more robust by handling the case where the application code swallows an IOException in WriteListener.onWritePossible() and ReadListener.onDataAvailable(). (markt)
Fix: Correct syntax error in output of JsonErrorReportValve. Pull request provided by Viraj Kanwade. (markt)
Code: Make the StandardContext.postWorkDirectory() protected rather than private to help users wishing to customise the default work directory behaviour. (markt)
Coyote:
Add: 64943: Add support for Unix Domain Sockets to org.apache.coyote.http11.Http11AprProtocol. Depends on tomcat-native 1.2.26 and up. (minfrin)
Fix: 65118: Fix a potential NullPointerException when pruning closed HTTP/2 streams from the connection. (markt)
Fix: Avoid NullPointerException when a secure channel is closed before the SSL engine was initialized. (remm)
Fix: Ensure that the ReadListener's onError() event is triggered if the client closes the connection before sending the entire request body and the server is ready the request body using non-blocking I/O. (markt)
Fix: 65137: Ensure that a response is not corrupted as well as incomplete if the connection is closed before the response is fully written due to a write timeout. (markt)
Fix: Related to bug 65131, make sure all errors from OpenSSL are fully cleared, as there could be more than one error present after an operation (confirmed in the OpenSSL API documentation). (remm)
Fix: Make handling of OpenSSL read errors more robust when plain text data is reported to be available to read. (markt)
Fix: Correct handling of write errors during non-blocking I/O to ensure that the associated AsyncContext was closed down correctly. (markt)
Web applications:
Fix: Remove the restriction that prevented the Manager web application deploying different web applications in parallel. (markt)
Other:
Update: Update the OWB module to Apache OpenWebBeans 2.0.21. (remm)
Update: Update the CXF module to Apache CXF 3.4.2. (remm)
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
Add: Improvements to Brazilian Portuguese translations. Provided by Thiago. (mark)
Add: Improvements to Russian translations. Provided by Azat. (mark)
Add: Improvements to Chinese translations. Provided by shawn. (mark)
Update: Update to bnd 5.3.0. (markt)

New in Apache Tomcat 10.0.2 (Feb 4, 2021)

New in Apache Tomcat 9.0.39 (Oct 12, 2020)

Catalina:
Update: The health check valve will now check the state of its associated containers to report availability. (remm)
Fix: Fix race condition when saving and recycling session in PersistentValve. (kfujino)
Update: Deprecate the JDBCRealm. (markt)
Fix: Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)
Fix: 64715: Add PasswordValidationCallback to the JASPIC implementation. Patch provided by Robert Rodewald. (markt)
Update: Allow using the utility executor for annotation scanning. Patch provided by Jatin Kamnani. (remm)
Fix: 64751: Correct the JPMS module descriptor so the embedded JARs may be used with JPMS. (markt)
Fix: When performing an incremental build, ensure bdn does not create unwanted JPMS dependencies between embedded JARs. (markt)
Update: Add a bloom filter to speed up archive lookup and improve deployment speed of applications with a large number of JARs. Patch provided by Jatin Kamnani. (remm)
Fix: Throw SQLException instead of NullpointerException when failing to connect to the database. (kfujino)
Fix: 64735: Ensure that none of the methods on a ServletContext instance always fail when running under a SecurityManager. Pull request provided by Kyle Stiemann. (markt)
Fix: 64765: Ensure that the number of currently processing threads is tracked correctly when a web application is undeployed, long running requests are being processed and renewThreadsWhenStoppingContext is enabled for the web application. (markt)
Add: Improve the error messages when running under JPMS without the necessary options to enable reflection required by the memory leak prevention / detection code. (markt)
Update: Add connection pooling to JNDI realm. (remm)
Fix: When estimating the size of a resource in the static resource cache, include a specific allowance for the path to the resource. Based on a pull request by blueSky1825821. (markt)
Coyote:
Fix: Do not send an HTTP/2 PING frame to measure round-trip time when it is known that the HTTP/2 connection is not in a good state. (markt)
Fix: Ensure HTTP/2 timeouts are processed for idle connections. (markt)
Fix: 64743: Correct a regression introduced in 9.0.37 that caused a Connection: close header to be added to the response if the Connector was configured with maxSwallowSize=-1. (markt)
Fix: When logging HTTP/2 debug messages, use consistent formatting for stream identifiers. (markt)
Fix: Correct some double counting in the code that tracks the number of in-flight asynchronous requests. The tracking enables Tomcat to shutdown gracefully when asynchronous processing is in use. (markt)
Fix: Improve the error handling for the HTTP/2 connection preface when the Connector is configured with useAsyncIO="true". (markt)
Fix: Refactor the handling of closed HTTP/2 streams to reduce the heap usage associated with used streams and to retain information for more streams in the priority tree. (markt)
Fix: Don't send the Keep-Alive response header if the connection has been explicitly closed. (markt)
Fix: 64710: Avoid a BufferOverflowException if an HTTP/2 connection is closed while the parser still has a partial HTTP/2 frame in the input buffer. (markt)
Jasper:
Fix: Use lazy instantiation to improve the performance when working with listeners added to the ELContext. Pull request provided by Thomas Andraschko. (markt)
Web applications:
Add: Configure the Manager and Host Manager applications to set SameSite=strict for all cookies, including session cookies, created by the application. (markt)
Fix: Update the Manager How-To in the documentation web application to clarify when a user may wish to deploy additional instances of the Manager web application. (markt)
Other:
Update: Update to Commons Daemon 1.2.3. This adds support to jsvc for --enable-preview and native memory tracking (Procrun already supported these features), adds some addition debug logging and adds a new feature to Procrun that outputs the command to (re-)configure the service with the current settings. (markt)
Add: When building, only rebuild JAR files (including OSGi and JPMS metadata) if the contents has changed. (markt)
Add: Improvements to Chinese translations. Pull request provided by Yang Yang. (markt)
Add: Expand coverage of Russian translations. Pull request provided by Nikolay Gribanov. (markt)
Update: Update the OWB module to Apache OpenWebBeans 2.0.18. (remm)
Update: Update the CXF module to Apache CXF 3.4.0. (remm)
Fix: Fix running service.bat when called from $CATALINA_HOME. (markt)
Fix: Complete the fix for 63815. Users wishing to use system properties that require quoting with catalina.sh and the debug option must use a JRE that includes the fix for JDK-8234808. (markt)
Add: Improvements to Chinese translations. Provided by leeyazhou. (markt)
Add: Improvements to Czech translations. Provided by Dušan Hlaváč and Arnošt Havelka. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
Add: Improvements to Spanish translations. Provided by Andrewlanecarr. (markt)

New in Apache Tomcat 9.0.38 (Sep 17, 2020)

Catalina:
Fix: 64582: Pre-load the CoyoteOutputStream class to prevent a potential exception when running under a security manager. Patch provided by Johnathan Gilday. (markt)
Fix: 64593: If a request is not matched to a Context, delay issuing the 404 response to give the rewrite valve, if configured, an opportunity to rewrite the request. (remm/markt)
Fix: Change top package name for generated emebedded classes to avoid conflict with default host name on case insensitive filesystems. (remm)
Fix: Add missing code generation for remaining digester rules. (remm)
Update: Add a dedicated loader for generated code to avoid dynamic class loading. (remm)
Add: Refactor the Default servlet to provide a single method that can be overridden (generateETag()) should a custom entity tag format be required. (markt)
Fix: Improve the validation of entity tags provided with conditional requests. Requests with headers that contain invalid entity tags will be rejected with a 400 response code. Improve the matching algorithm used to compare entity tags in conditional requests with the entity tag for the requested resource. Based on a pull request by Sergey Ponomarev. (markt)
Fix: Correct the description of the storage format for salted hashes in the Javadoc for MessageDigestCredentialHandler and refactor the associated code for clarity. Based on a patch provided by Milo van der Zee. (markt)
Fix: Correct the path vaidation to allow the use of the file system root for the docBase attribute of a Context. Note that such a configuration should be used with caution. (markt)
Add: Added filtering expression for requests that are not supposed to use session in PersistentValve. (kfujino)
Fix: Use the correct method to calculate session idle time in PersistentValve. (kfujino)
Fix: Fix path used by the health check valve when it is not associated with a Context. (remm)
Fix: 64712: The JASPIC authenticator now checks the ServerAuthModule for jakarta.servlet.http.authType and, if present, uses the value provided. Based on a patch by Robert Rodewald. (markt)
Fix: 64713: The JASPIC authenticator now checks the value of jakarta.servlet.http.registerSession set by the ServerAuthModule when decideing whether or nor to register the session. Based on a patch by Robert Rodewald. (markt)
Coyote:
Add: 57661: For requests containing the Expect: 100-continue header, add optional support to delay sending an intermediate 100 status response until the servlet reads the request body, allowing the servlet the opportunity to respond without asking for the request body. Based on a pull request by malaysf. (markt)
Fix: Refactor the implementation of ServletInputStream.available() to provide a more accurate return value, particularly when end of stream has been reached. (markt)
Fix: Refactor the stopping of the acceptor to ensure that the acceptor thread stops when a connector is started immediately after it is stopped. (markt)
Fix: 64614: Improve compatibility with FIPS keystores. When a FIPS keystore is configured and the keystore contains multiple keys, the alias attribute will be ignored and the key used will be implementation dependent. (jfclere)
Fix: 64621: Improve handling HTTP/2 stream reset frames received from clients. (markt)
Fix: 64660: Avoid a potential NPE in the AprEndpoint if a socket is closed in one thread at the same time as the poller is processing an event for that socket in another. (markt)
Fix: 64671: Avoid several potential NPEs introduced in the changes in the previous release to reduce the memory footprint of closed HTTP/2 streams. (markt)
Fix: Refactor the HTTP/2 implementation to more consistently return a stream closed error if errors occur after a stream has been reset by the client. (markt)
Fix: Improve handling of HTTP/2 stream level flow control errors and notify the stream immediately if it is waiting for an allocation when the flow control error occurs. (markt)
Fix: Ensure that window update frames are sent for HTTP/2 connections to account for DATA frames containing padding including when the associated stream has been closed. (markt)
Fix: Ensure that window update frames are sent for HTTP/2 connections and streams to account for DATA frames containing zero-length padding. (markt)
Fix: 64710: Revert the changes to reduce the memory footprint of closed HTTP/2 streams as they triggered multiple regressions in the form of NullPointerExceptions. (markt)
Fix: Ensure that the HTTP/2 overhead protection check is performed after each HTTP/2 frame is processed. (markt)
WebSocket:
Fix: Requests received via proxies may be marked as using the ws or wss protocol rather than http or https. Ensure that such requests are not rejected. PR provided by Ronny Perinke. (markt)
Fix: Fix a potential issue where the write lock for a WebSocket connection may not be released if an exception occurs during the write. (markt)
Add: 64644: Add support for a read idle timeout and a write idle timeout to the WebSocket session via custom properties in the user properties instance associated with the session. Based on a pull request by sakshamverma. (markt)
Web applications:
Fix: Remove the localization of the text output of the Manager application list of contexts and the Host Manager application list of hosts so that the output is more consistent. PR provided by Holomark. (markt)
Fix: Clean-up / standardize the XSL files used to generate the documentation. PR provided by John Bampton. (markt)
Fix: 62723: Clarify the effects of some options for cluster channelSendOptions. Patch provided by Mitch Claborn. (schultz)
Fix: Remove the out of date functional specification secton from the documentation web application. (markt)
Fix: Extracted CSS styles from the Manager we application for better code maintenance and replaced the GIF logo with SVG. (isapir)
Add: Add document for PersistentValve. (kfujino)
Other:
Fix: Correct a regression in the fix for 64540 and include org.apache.tomcat.util.modeler.modules and org.apache.tomcat.util.net.jsse in the list of exported packages. (markt)
Fix: Remove the local copy of javax.transaction.xa package which is only used during compilation. The package is provided by the JRE from Java 1.4 onwards so the local copy should be unnecessary. (markt)
Add: Improve the quality of the Japanese translations provided with Apache Tomcat. Includes contributions from Yuki Shira. (markt)
Fix: 64645: Use a non-zero exit code if the service.bat does not complete normally. (markt)
Add: Update the internal fork of Apache Commons BCEL to 6.5.0. Code clean-up only. (markt)
Add: Update the internal fork of Apache Commons Codec to 53c93d0 (2020-08-18, 1.15-SNAPSHOT). Code clean-up. (markt)
Add: Update the internal fork of Apache Commons FileUpload to c25a4e3 (2020-08-26, 2.0-SNAPSHOT). Code clean-up and RFC 2231 support. (markt)
Add: Update the internal fork of Apache Commons Pool to 2.8.1. Code clean-up and improved abandoned pool handling. (markt)
Add: Update the internal fork of Apache Commons DBCP to 6d232e5 (2020-08-11, 2.8.0-SNAPSHOT). Code clean-up various bug fixes. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.25. (markt)

New in Apache Tomcat 9.0.37 (Sep 17, 2020)

Catalina:
Add: Remove the error message on start if java.io.tmpdir is missing and add an explicit error message on application deployment when the sole feature that depends on it (anti-resource locking) is configured and can't be used. (markt)
Update: Implement a significant portion of the TLS environment variables for the rewrite valve. (remm)
Fix: 64506: Correct a potential race condition in the resource cache implementation that could lead to NullPointerExceptions during class loading. (markt)
Add: Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
Fix: Fix a bug in HttpServlet so that a 405 response is returned for an HTTP/2 request if the mapped servlet does implement the requested method rather than the more general 400 response. (markt)
Add: Add generated classes using Tomcat embedded as an optional replacement for the Catalina configuration files. (remm)
Fix: 64541: Refactor the DTD used to validate mbeans-descriptors.xml files to avoid issues when XML entity expansion is limited or disabled. (markt)
Coyote:
Add: Include a Connection: close HTTP header when committing a response and it is known that the maxSwallowSize limit is going to be exceeded. (markt)
Fix: 64509: Correctly parse RFC 2109 version 1 cookies that use a comma as a separator between cookies when using the RFC 6265 cookie processor. Based on a patch by W J Carpenter. (markt)
Fix: Fix the utility code that converted IPv6 addresses to a canonical form to correctly handle input addresses that ended with a pair of colons. Based on a patch by syarramsetty-skyhook. (markt)
Fix: Correctly parse RFC 2109 version 1 cookies that have additional linear white space around cookie attribute names and values when using the RFC 6265 cookie processor. (markt)
Fix: Once an HTTP/2 stream has been closed, ensure that the code that cleans up references that are no longer required is called. (markt)
Fix: Reduce the memory footprint of closed HTTP/2 streams. (markt)
Fix: Ensure that the HTTP/1.1 processor is correctly recycled when a direct connection to h2c is made. (markt)
Cluster:
Fix: 64560: Refactor the replication of a changed session ID for a replicated session so that the list of changes associated with the session is not reset when the session ID changes. (markt)
WebSocket:
Fix: 64563: Add additional validation of payload length for WebSocket messages. (markt)
Fix: Correct the calculation of payload length when four or more bytes are required to represent the payload length. (markt)
Other:
Fix: 64498: Fix incorrect version format in OSGi manifests. Patch provided by Raymond Augé. (markt)
Fix: 64501: Refactor the handling of the deprecated LOGGING_CONFIG environment variable to avoid using a POSIX shell feature that is not available by default on Solaris 10. (markt)
Fix: 64513: Remove bndlib from dependencies as it is not required. Pull request provided by Raymond Augé. (markt)
Fix: 64515: Bnd files don't need to be filtered (save some work). Pull request provided by Raymond Augé. (markt)
Update: Update the OWB module to Apache OpenWebBeans 2.0.17. (remm)
Fix: 64514: Fixes some missing class dependency issues in bootstrap to address packaging/dependency concerns for JPMS and OSGi. Pull request provided by Raymond Augé. (markt)
Fix: 64521: Avoid moving i18n translations into classes dir since they are packaged into separate jars. Pull request provided by Raymond Augé. (markt)
Fix: 64522: Package jars in effective dependency order. Pull request provided by Raymond Augé. (markt)
Fix: Store common build details in a shared build-defaults.bnd. Pull request provided by Raymond Augé. (markt)
Fix: 64532: Update to bnd 5.1.1. Pull request provided by Raymond Augé. (markt)
Fix: 64540: Switch from bndwrap task to bnd task, begin generating a better manifest and make sure the resulting jar contents are correct. Pull request provided by Raymond Augé. (markt)
Fix: 64544: Add built libs to the bnd classpath for introspection. Pull request provided by Raymond Augé. (markt)
Add: Improve the quality and expand the coverage of the French translations provided with Apache Tomcat. (remm)
Fix: 64548: Generate JPMS metadata. (rotty3000)

New in Apache Tomcat 9.0.36 (Jun 18, 2020)

New in Apache Tomcat 9.0.12 (Sep 12, 2018)

New in Apache Tomcat 9.0.11 (Aug 20, 2018)

New in Apache Tomcat 9.0.10 (Jul 7, 2018)

New in Apache Tomcat 9.0.8 (May 5, 2018)

New in Apache Tomcat 9.0.7 (Apr 16, 2018)

Catalina:
Fix: 51195: Avoid a false positive report of a web application memory leak by clearing ObjectStreamClass$Caches of classes loaded by the web application when the web application is stopped. (markt)
Fix: 52688: Add support for the maxDays attribute to the AccessLogValve and ExtendedAccessLogValve. This allows the maximum number of days for which rotated access logs should be retained before deletion to be defined. (markt)
Fix: Ensure the MBean names for the SSLHostConfig and SSLHostConfigCertificate are correctly formed when the Connector is bound to a specific IP address. (markt)
Fix: 62168: When using the PersistentManager honor a value of -1 for minIdleSwap and do not swap out sessions to keep the number of active sessions under maxActive. Patch provided by Holger Sunke. (markt)
Fix: 62172: Improve Javadoc for org.apache.catalina.startup.Constants and ensure that the constants are correctly used. (markt)
Fix: 62175: Avoid infinite recursion, when trying to validate a session while loading it with PersistentManager. (fschumacher)
Fix: Ensure that NamingContextListener instances are only notified once of property changes on the associated naming resources. (markt)
Add: 62224: Disable the forkJoinCommonPoolProtection of the JreMemoryLeakPreventionListener when running on Java 9 and above since the underlying JRE bug has been fixed. (markt)
Coyote:
Fix: Avoid potential loop in APR/Native poller. (markt)
Fix: Ensure streams that are received but not processed are excluded from the tracking of maximum ID of processed streams. (markt)
Fix: Refactor the check for a paused connector to consistently prevent new streams from being created after the connector has been paused. (markt)
Fix: Improve debug logging for HTTP/2 pushed streams. (markt)
Fix: The OpenSSL engine SSL session will now ignore invalid accesses. (remm)
Fix: 62177: Correct two protocol errors with HTTP/2 PUSH_PROMISE frames. Firstly, the HTTP/2 protocol only permits pushes to be sent on peer initiated requests. Secondly, pushes must be sent in order of increasing stream ID. These restriction were not being enforced leading to protocol errors at the client. (markt)
Web applications:
Add: Add document for FragmentationInterceptor. (kfujino)
Add: Document how the roles for an authenticated user are determined when the CombinedRealm is used. (markt)
Fix: 62163: Correct the Tomcat Setup documentation that incorrectly referred to Java 7 as the minimum version rather than Java 8. (markt)
Tribes:
Fix: Add JMX support for FragmentationInterceptor in order to prevent warning of startup. (kfujino)
jdbc-pool:
Fix: Ensure that SQLWarning has been cleared when connection returns to the pool. (kfujino)
Add: Enable clearing of SQLWarning via JMX. (kfujino)
Fix: Ensure that parameters have been cleared when PreparedStatement and/or CallableStatement are cached. (kfujino)
Fix: Enable PoolCleaner to be started even if validationQuery is not set. (kfujino)
Other:
Update: Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy. (markt)
Fix: 62164: Switch the build script to use TLS for downloads from SourceForge and Maven Central to avoid failures due to HTTP to HTTPS redirects. (markt)
Add: Always report the OS's umask when launching the JVM. (schultz)
Add: Add managed connections package to the package renamed DBCP2 to provide a complete DBCP2 in Tomcat. (remm)

New in Apache Tomcat 9.0.6 (Mar 9, 2018)

Highlights:
TLS stability improvements.
Add the ability to specify static HTML responses for specific error codes and/or exception types with the ErrorReportValve.
Add async HTTP/2 parser for NIO2.
Add documentation for the Host Manager web application. Patch provided by Marek Czernek.
Catalina:
Fix: 43866: Add additional attributes to the Manager to provide control over which listeners are called when an attribute is added to the session when it has already been added under the same name. This is to aid clustering scenarios where setAttribute() is often called to signal that the attribute value has been mutated and needs to be replicated but it may not be required, or even desired, for the associated listeners to be triggered. The default behaviour has not been changed. (markt)
Fix: Minor optimization when calling class transformers. (rjung)
Add: Pass errors triggered by invalid requests or unavailable services to the application provided error handling and/or the container provided error handling (ErrorReportValve) as appropriate. (markt)
Add: 41007: Add the ability to specify static HTML responses for specific error codes and/or exception types with the ErrorReportValve. (markt)
Fix: Prevent Tomcat from applying gzip compression to content that is already compressed with brotli compression. Based on a patch provided by burka. (markt)
Fix: 62090: Null container names are not allowed. (remm)
Fix: 62104: Fix programmatic login regression as the NonLoginAuthenticator has to be set for it to work (if no login method is specified). (remm)
Fix: 62117: Improve error message in catalina.sh when calling kill -0 fails. Based on a suggestion from Mark Morschhaeuser. (markt)
Fix: 62118: Correctly create a JNDI ServiceRef using the specified interface rather than the concrete type. Based on a suggestion by Ángel Álvarez Páscua. (markt)
Fix: Fix for RequestDumperFilter log attribute. Patch provided by Kirill Romanov via Github. (violetagg)
Fix: 62123: Avoid ConcurrentModificationException when attempting to clean up application triggered RMI memory leaks on web application stop. (markt)
Add: When a deployment descriptor is deployed that includes a path attribute, log a warning that the path attribute will be ignored. (markt)
Add: When a deployment descriptor is deployed that references an external docBase and, as a result, a docBase under the appBase will be ignored, log a warning. (markt)
Fix: Correct a regression in the fix for 60276 that meant that compression was applied to all MIME types. Patch provided by Stefan Knoblich. (markt)
Coyote:
Add: Add async HTTP/2 parser for NIO2. (remm)
Fix: Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm)
Fix: 61751: Follow up fix so that OpenSSL engine returns underflow when unwrapping if no bytes were produced and the input is empty. (remm)
Fix: Minor OpenSSL engine cleanups. (remm)
Fix: NIO SSL handshake should throw an exception on overflow status, like NIO2 SSL. (remm)
Web applications:
Add: 47467: When deploying a web application via the manager application and a path is not explicitly specified, derive it from the provided deployment descriptor or, if that is not present, the WAR or DIR. (markt)
Add: 48672: Add documentation for the Host Manager web application. Patch provided by Marek Czernek. (markt)
Add: Add support for specifying the application version when deploying an application via the Manager application HTML interface. (markt)
Add: Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when the Manager application generates a plain text response. Based on a suggestion from Muthukumar Marikani. (markt)

New in Apache Tomcat 8.5.28 (Feb 13, 2018)

New in Apache Tomcat 8.5.27 (Jan 24, 2018)

New in Apache Tomcat 9.0.4 Beta (Jan 23, 2018)

New in Apache Tomcat 8.5.24 / 9.0.2 Beta (Dec 1, 2017)

New in Apache Tomcat 9.0.1 Beta (Oct 3, 2017)

New in Apache Tomcat 8.5.23 (Oct 3, 2017)

New in Apache Tomcat 9.0.0 M26 Alpha (Aug 10, 2017)

New in Apache Tomcat 8.5.20 (Aug 10, 2017)

New in Apache Tomcat 8.5.16 (Jun 28, 2017)

New in Apache Tomcat 9.0.0 M22 Alpha (Jun 28, 2017)

New in Apache Tomcat 9.0.0 M21 Alpha (May 12, 2017)

New in Apache Tomcat 8.5.15 (May 12, 2017)

New in Apache Tomcat 8.5.14 (Apr 20, 2017)

Notable changes:
Correct a regression that broke JMX operations (including the Manager web application) if the operation took parameters
Calls to isReady() no longer throw exceptions after timeouts for async servlets
Catalina:
Fix: 59825: Log a message that lists the components in the processing chain that do not support async processing when a call to ServletRequest.startAsync() fails. (markt)
Fix: 60926: Ensure o.a.c.core.ApplicationContextFacade#setSessionTimeout will invoke the correct method when running Tomcat with security manager. (markt)
Update: Update the early access Servlet 4.0 API implementation to reflect the change in method name from getPushBuilder() to newPushBuilder(). (markt)
Fix: Correct a regression in the X to comma refactoring that broke JMX operations that take parameters. (markt)
Fix: Avoid a NullPointerException when reading attributes for a running HTTP connector where TLS is not enabled. (markt)
Fix: 60940: Improve the handling of the META-INF/ and META-INF/MANIFEST.MF entries for Jar files located in /WEB-INF/lib when running a web application from a packed WAR file. (markt)
Fix: Pre-load the ExceptionUtils class. Since the class is used extensively in error handling, it is prudent to pre-load it to avoid any failure to load this class masking the true problem during error handling. (markt)
Fix: Avoid potential NullPointerExceptions related to access logging during shutdown, some of which have been observed when running the unit tests. (markt)
Fix: When there is no javax.servlet.WriteListener registered then a call to javax.servlet.ServletOutputStream#isReady will return false instead of throwing IllegalStateException. (violetagg)
Fix: When there is no javax.servlet.ReadListener registered then a call to javax.servlet.ServletInputStream#isReady will return false instead of throwing IllegalStateException. (violetagg)
Coyote:
Fix: Align cipher configuration parsing with current OpenSSL master. (markt)
Fix: 60970: Fix infinite loop if application tries to write a large header to the response when using HTTP/2. (markt)
Jasper:
Fix: 60925: Improve the handling of access to properties defined by interfaces when a BeanELResolver is used under a SecurityManager. (markt)
jdbc-pool:
Code: Refactor the creating a constructor for a proxy class to reduce duplicate code. (kfujino)
Fix: In StatementFacade, the method call on the statements that have been closed throw SQLException rather than NullPointerException. (kfujino)
Other:
Fix: Correct comments about Java 8 in Jre8Compat. Patch provided by fibbers via Github. (violetagg)
Fix: 60932: Correctly escape single quotes when used in i18n messages. Based on a patch by Michael Osipov. (markt)
Fix: Update the custom Ant task that integrates with the Symantec code signing service to use the now mandatory 2-factor authentication. (markt)

New in Apache Tomcat 8.5.13 (Mar 31, 2017)

Highlights:
Various HTTP/2 improvements
Fixes for sendfile related issues that could cause subsequent requests to experience IllegalStateExceptions
Servlet 4.0 early access updates
Catalina:
Add: 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
Fix: 60853: Expose the SSLHostConfig and SSLHostConfigCertificate objects via JMX. (markt)
Fix: 60876: Ensure that Set-Cookie headers generated by the Rfc6265CookieProcessor are aligned with the specification. Patch provided by Jim Griswold. (markt)
Fix: 60882: Fix a NullPointerException when obtaining a RequestDispatcher for a request that will not have any pathInfo associated with it. This was a regression in the changes in 8.5.12 for the Servlet 4.0 API early preview changes. (markt)
Update: Align PushBuilder API with changes from Servlet expert group. (markt)
Code: Refactor the various implementations of X to comma separated list to a single utility class and update the code to use the new utility class. (markt)
Fix: 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote:
Add: 60362: Add a new Connector configuration sendReasonPhrase. When this attribute is set to true, a reason phrase will be sent with the response. By default a reason phrase will not be sent. This option is deprecated and is not available in Tomcat 9. (violetagg)
Fix: Fix HTTP/2 incorrect input unblocking on EOF. (remm)
Fix: Close the connection sooner if an event occurs for a current connection that is not consistent with the current state of that connection. (markt)
Fix: Speed up shutdown when using multiple acceptor threads by ensuring that the code that unlocks the acceptor threads correctly handles the case where there are multiple threads. (markt)
Fix: 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
Fix: 60900: Avoid a NullPointerException in the APR Poller if a connection is closed at the same time as new data arrives on that connection. (markt)
Fix: Improve HPACK specification compliance by fixing some test failures reported by the h2spec tool written by Moto Ishizawa. (markt)
Fix: Improve HTTP/2 specification compliance by fixing some test failures reported by the h2spec tool written by Moto Ishizawa. (markt)
Fix: 60918: Fix sendfile processing error that could lead to subsequent requests experiencing an IllegalStateException. (markt)
Fix: Improve sendfile handling when requests are pipelined. (markt)
Jasper:
Fix: Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
Fix: 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool:
Fix: 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Other:
Fix: Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)

New in Apache Tomcat 9.0.0 M18 Alpha (Mar 15, 2017)

New in Apache Tomcat 8.5.12 (Mar 15, 2017)

New in Apache Tomcat 8.5.11 / 9.0.0 M17 Alpha (Jan 18, 2017)

New in Apache Tomcat 9.0.0 M15 Alpha (Dec 9, 2016)

New in Apache Tomcat 8.5.9 (Dec 9, 2016)

Highlights:
Improvements to SPNEGO authentication.
Correct regression in I/O buffer handling.
Improve handling of varargs in UEL expressions
Catalina:
Update: 60202: Add an available flag to realms, to indicate the state, or the realm backend. Update lockout realm to only register auth failures if the realm is available. (remm)
Fix: 60340: Readability improvements for CSS used in DefaultServlet and ErrorReportValve. Patch provided by Michael Osipov. (violetagg)
Fix: 60351: Delay creating META-INF/war-tracker file until after the WAR has been expanded to address the case where the Tomcat process terminates during the expansion. (markt)
Fix: Correctly generate URLs for resources located inside JARs that are themselves located inside a packed WAR file. (markt)
Fix: Correctly handle the configClass attribute of a Host when embedding Tomcat. (markt)
Fix: 60368: Restore egde case for embedded allowing the connector to be removed. (remm)
Fix: 60379: Dispose of the GSS credential once it is no longer required. Patch provided by Michael Osipov. (markt)
Fix: 60380: Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
Fix: 60387: Correct the javadoc for o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is different for the different implementations. (violetagg)
Code: 60393: Use consistent parameter naming in implementations of Realm#authenticate(GSSContext, boolean). (markt)
Fix: 60395: Log when an Authenticator passes an incomplete GSSContext to a Realm since it indicates a bug in the Authenticator. Patch provided by Michael Osipov. (markt)
Fix: 60400: When expanding the buffer used for reading the request body, ensure the read position will be restored to the original one. (violetagg)
Fix: 60410: Ensure that multiple calls to JarInputStreamWrapper#close() do not incorrectly trigger the closure of the underlying JAR or WAR file. (markt)
Fix: 60411: Implement support in the RewriteValve for symbolic names to specify the redirect code to use when returning a redirect response to the user agent. Patch provided by Michael Osipov. (markt)
Fix: 60413: In the RewriteValve write empty capture groups as the empty string rather than as "null" when generating the re-written URL. Based on a patch by Michael Osipov. (markt)
Coyote:
Fix: 60372: Ensure the response headers' buffer limit is reset to the capacity of this buffer when IOException occurs while writing the headers to the socket. (violetagg)
Fix: Ensure that the availability of configured upgrade protocols that require ALPN is correctly reported during Tomcat start. (markt)
Fix: 60386: Implement a more sophisticated pruning algorithm for removing closed streams from the priority tree to ensure that the tree does not grow too large. (markt)
Fix: 60409: When unable to complete sendfile request, ensure the Processor will be added to the cache only once. (markt/violetagg)
Fix: Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as 0.0.0.0 or ::. (markt)
Add: Add a new configuration option, ipv6v6only to the APR connectors that allows them to be configure to only accept IPv6 connections when configured with an IPv6 address rather than the default which is to accept IPv4 connections as well if the operating system uses a dual network stack. (markt)
Fix: Improve the logic that unlocks the acceptor thread so a better choice is made for the address to connect to when a connector is configured for any local port. This reduces the likelihood of the unlock failing. (markt)
Fix: 60436: Avoid a potential NPE when processing async timeouts. (markt)
Fix: Reduce the window in which an async request that has just started processing on a container thread remains eligible for an async timeout. (markt)
Jasper:
Fix: 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben. (markt)
Web applications:
Fix: Correct a typo in Host Configuration Reference. Issue reported via comments.apache.org. (violetagg)
Fix: 60412: Add information on the comment syntax for the RewriteValve configuration. (markt)
Tribes:
Fix: Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. (kfujino)
WebSocket:
Fix: 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool:
Add: 58816: Implement the statistics of jdbc-pool. The stats infos are borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, releasedIdleCount and removeAbandonedCount. (kfujino)
Fix: 60194: If validationQuery is not specified, connection validation is done by calling the isValid() method. (kfujino)
Fix: 60398: Fix testcase of TestSlowQueryReport. (kfujino)
Other:
Fix: Allow customization of service.bat, such as heap memory size, service startup mode and JVM args. Patch provided by isapir via Github. (violetagg)
Fix: 60366: Change catalina.bat to use directly LOGGING_MANAGER and LOGGING_CONFIG variables in order to configure logging, instead of modifying JAVA_OPTS. Patch provided by Petter Isberg. (violetagg)
Fix: 60383: JASPIC API is added as a dependency to the org.apache.tomcat:tomcat-catalina maven artifact. (violetagg)
Fix: Update the comments associated with the TLS Connector examples in server.xml. (markt)
Add: New property is added test.verbose in order to control whether the output of the tests is displayed on the console or not. Patch provided by Emmanuel Bourg. (violetagg)
Code: TestOpenSSLCipherConfigurationParser.testSpecification - if there are test failures, provide more detailed information. Patch provided by Emmanuel Bourg. (violetagg)

New in Apache Tomcat 9.0.0 M13 Alpha (Dec 4, 2016)

New in Apache Tomcat 9.0.0 M12 Alpha (Dec 4, 2016)

Catalina:
Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and AJP/1.3 connectors can be created. (markt)
Fix: Reduce multiple error messages when Connector fails to instantiate the associated ProtocolHandler. (markt)
Fix: 60152: Provide an option for Connector Lifecycle exceptions to be re-thrown rather than logged. This is controlled by the new throwOnFailure attribute of the Connector. (markt)
Fix: Include the Context name in the log message when an item cannot be added to the cache. (markt)
Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
Fix: When calling getResourceAsStream() on a directory, ensure that null is returned. (markt)
Fix: 60161: Allow creating subcategories of the container logger, and use it for the rewrite valve. (remm)
Fix: Correctly test for control characters when reading the provided shutdown password. (markt)
Fix: 60297: Simplify connector creation in embedded mode. (remm)
Fix: Refactor creation of containers in embedded mode for more consistency and flexibility. (remm)
Add: Log a warning if running on Java 9 with the ThreadLocal memory leak detection enabled (the default) but without the command line option it now requires. (markt)
Fix: When a Connector is configured to use an executor, ensure that the StoreConfig component includes the executor name when writing the Connector configuration. (markt)
Fix: When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote:
Fix: Correct the HPACK header table size configuration that transposed the client and server table sizes when creating the encoder and decoder. (markt)
Code: Review HTTP/2 implementation removing unused code, reducing visibility where possible and using final where appropriate. (markt)
Fix: Don't continue to process an HTTP/2 stream if it is reset during header parsing. (markt)
Fix: HTTP/2 uses separate headers for each Cookie. As required by RFC 7540, merge these into a single Cookie header before processing continues. (markt)
Fix: Align the HTTP/2 implementation with the HTTP/1.1 implementation and return a 500 response when an unhandled exception occurs during request processing. (markt)
Fix: Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
Add: Add checks around the handling of HTTP/2 pseudo headers. (markt)
Add: Add support for trailer headers to the HTTP/2 implementation. (markt)
Fix: 60232: When processing headers for an HTTP/2 stream, ensure that the read buffer is large enough for the header being processed. (markt)
Add: Add configuration options to the HTTP/2 implementation to control the maximum number of headers allowed, the maximum size of headers allowed, the maximum number of trailer headers allowed, the maximum size of trailer headers allowed and the maximum number of cookies allowed. (markt)
Fix: Correctly differentiate between sending and receiving a reset frame when tracking the state of an HTTP/2 stream. (markt)
Code: Remove the undocumented support for using the old Connector attribute names backlog, soLinger and soTimeout that were renamed several major versions ago. (markt)
Fix: 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported. These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
Fix: If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
Fix: Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
Add: Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Jasper:
Update: Update to the Eclipse JDT Compiler 4.6.1. (markt)
Web applications:
Add: Add HTTP/2 configuration information to the documentation web application. (markt)
Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
Fix: Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
Tribes:
Fix: When the proxy node sends a backup retrieve message, ensure that using the channelSendOptions that has been set rather than the default channelSendOptions. (kfujino)
Other:
Add: Add the JASPIC API jar to the Maven Central publication script. (markt)
Fix: Remove classes from tomcat-util-scan.jar that are duplicates of those in tomcat-util.jar. (markt)
Add: Update the NSIS Installer used to build the Windows installer to version 3.0. (markt)

New in Apache Tomcat 8.5.8 (Nov 10, 2016)

New in Apache Tomcat 9.0.0 M11 Alpha (Oct 12, 2016)

Catalina:
Add: 59961: Add an option to the StandardJarScanner to control whether or not JAR Manifests are scanned for additional class path entries. (markt)
Fix: 60013: Refactor the previous fix to align the behaviour of the Rewrite Valve with mod_rewrite. As part of this, provide an implementation for the B and NE flags and improve the handling for the QSA flag. Includes multiple test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt)
Fix: 60087: Refactor the web resources handling to use the Tomcat specific war:file:... URL protocol to refer to WAR files and their contents rather than the standard jar:file:... form since some components of the JRE, such as JAR verification, give unexpected results when the standard form is used. A side-effect of the refactoring is that when using packed WARs, it is now possible to reference a WAR and/or specific JARs within a WAR in the security policy file used when running under a SecurityManager. (markt)
Fix: 60116: Fix a problem with the rewrite valve that caused back references evaluated in conditions to be forced to lower case when using the NC flag. (markt)
Fix: Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Fix: 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
Fix: 60138: Fix the SSLHostConfig so that the protocols attribute is limited to the protocols supported by the current JSSE implementation rather than the default protocols used by the implementation. (markt)
Fix: 60146: Improve performance for resource retrieval by making calls to WebResource.getInputStream() trigger caching if the resource is small enough. Patch provided by mohitchugh. (markt)
Add: 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
Fix: 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
Fix: 60170: Exclude the compressed test file index.html.br from RAT analysis. Patch provided by Gavin McDonald. (markt)
Fix: When starting web resources, ensure that class resources are only started once. (markt)
Fix: Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
Fix: 60196: Ensure that the isMandatory flag is correctly set when using JASPIC authentication. (markt)
Fix: 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
Fix: 60208: When using RFC6265 compliant cookies, the / character should not be allowed in a cookie name since the RFC6265 will drop such cookies as invalid. (markt)
Coyote:
Add: Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync() completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
Fix: Fail earlier if the client closes the connection during SNI processing. (markt)
Fix: 60123: Avoid potential threading issues that could cause excessively large vales to be returned for the processing time of a current request. (markt)
Fix: 60174: Log instances of HeadersTooLargeException during request processing. (markt)
Fix: 60173: Allow up to 64kB HTTP/2 header table size limit. (remm)
Fix: Java 9 compatibility of direct ByteBuffer cleaner. (remm)
Jasper:
Fix: 60101: Remove preloading of the class that was deleted. (violetagg)
Web applications:
Add: Expand the documentation for the nested elements within a Resources element to clarify the behaviour of different configuration options with respect to the order in which resources are searched. (markt)
Add: Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
Fix: 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
jdbc-pool:
Fix: Notify jmx when returning the connection that has been marked suspect. (kfujino)
Fix: Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Fix: 60099: Ensure that use all method arguments as a cache key when using StatementCache. (kfujino)
Other:
Fix: Update the download location for Objenesis. (violetagg)
Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is log4j-web*.jar that contains the ServletContainerInitializer. (markt)
Add: Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation patch by James H.H. Lampert. (schultz)
Update: Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)

New in Apache Tomcat 8.5.6 (Oct 12, 2016)

Catalina:
Add: 59961: Add an option to the StandardJarScanner to control whether or not JAR Manifests are scanned for additional class path entries. (markt)
Fix: 60013: Refactor the previous fix to align the behaviour of the Rewrite Valve with mod_rewite. As part of this, provide an implementation for the B and NE flags and improve the handling for the QSA flag. Includes multiple test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt)
Fix: 60087: Refactor the web resources handling to use the Tomcat specific war:file:... URL protocol to refer to WAR files and their contents rather than the standard jar:file:... form since some components of the JRE, such as JAR verification, give unexpected results when the standard form is used. A side-effect of the refactoring is that when using packed WARs, it is now possible to reference a WAR and/or specific JARs within a WAR in the security policy file used when running under a SecurityManager. (markt)
Fix: 60116: Fix a problem with the rewrite valve that caused back references evaluated in conditions to be forced to lower case when using the NC flag. (markt)
Fix: Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Fix: 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
Fix: 60138: Fix the SSLHostConfig so that the protocols attribute is limited to the protocols supported by the current JSSE implementation rather than the default protocols used by the implementation. (markt)
Fix: 60146: Improve performance for resource retrieval by making calls to WebResource.getInputStream() trigger caching if the resource is small enough. Patch provided by mohitchugh. (markt)
Add: 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
Fix: 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
Fix: 60170: Exclude the compressed test file index.html.br from RAT analysis. Patch provided by Gavin McDonald. (markt)
Fix: When starting web resources, ensure that class resources are only started once. (markt)
Fix: Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
Fix: 60196: Ensure that the isMandatory flag is correctly set when using JASPIC authentication. (markt)
Fix: 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
Fix: 60208: When using RFC6265 compliant cookies, the / character should not be allowed in a cookie name since the RFC6265 will drop such cookies as invalid. (markt)
Coyote:
Add: Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync() completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
Fix: Fail earlier if the client closes the connection during SNI processing. (markt)
Fix: 60123: Avoid potential threading issues that could cause excessively large vales to be returned for the processing time of a current request. (markt)
Fix: 60174: Log instances of HeadersTooLargeException during request processing. (markt)
Fix: 60173: Allow up to 64kB HTTP/2 header table size limit. (remm)
Fix: Java 9 compatibility of direct ByteBuffer cleaner. (remm)
Jasper:
Fix: 60101: Remove preloading of the class that was deleted. (violetagg)
Web applications:
Add: Expand the documentation for the nested elements within a Resources element to clarify the behaviour of different configuration options with respect to the order in which resources are searched. (markt)
Add: Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
Fix: 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
jdbc-pool:
Fix: Notify jmx when returning the connection that has been marked suspect. (kfujino)
Fix: Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Fix: 60099: Ensure that use all method arguments as a cache key when using StatementCache. (kfujino)
Fix: 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other:
Fix: Update the download location for Objenesis. (violetagg)
Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is log4j-web*.jar that contains the ServletContainerInitializer. (markt)
Add: Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation patch by James H.H. Lampert. (schultz)
Update: Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)

New in Apache Tomcat 8.5.5 (Sep 6, 2016)

Highlights:
Treat paths used to obtain a request dispatcher as encoded (configurable)
Correct regressions in TLS handshake and server certificate handling.
Various improvements to the Rewrite Valve including better alignment with httpd behaviour and improved UTF-8 handling.
Catalina:
Fix: 18500: Add limited support for wildcard host names and host aliases. Names of the form *.domainname are now permitted. Note that an exact host name match takes precedence over a wild card host name match. (markt)
Fix: 59813: Ensure that circular relations of the Class-Path attribute from JAR manifests will be processed correctly. (violetagg)
Fix: Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an unexpected initialisation thread and if initilisation is not thread-safe the initialisation can then fail. (markt)
Fix: Compatibility with rewrite from httpd for non existing headers. (jfclere)
Fix: By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
Fix: 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. (fschumacher)
Fix: 59859: Fix resource leak in WebDAV servlet. Based on patch by Coty Sutherland. (fschumacher)
Add: Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
Add: When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
Fix: 59823: Ensure that JASPIC configuration is taken into account when calling HttpServletRequest.authenticate(). (markt)
Fix: 59824: Mark the RewriteValve as supporting async processing by default. (markt)
Fix: 59862: Allow nested jar files scanning to be filtered with the system property tomcat.util.scan.StandardJarScanFilter.jarsToSkip. Patch is provided by Terence Bandoian. (violetagg)
Fix: 59866: When scanning WEB-INF/classes for annotations, don't scan the contents of WEB-INF/classes/META-INF (if present) since classes will never be loaded from that location. (markt)
Fix: 59888: Correctly handle tabs and spaces in quoted version one cookies when using the Rfc6265CookieProcessor. (markt)
Fix: 59912: Fix an edge case in input stream handling where an IOException could be thrown when reading a POST body. (markt)
Fix: 59913: Correct a regression introduced with the support for the Servlet 4 HttpServletRequest.getMapping() API that caused the attributes for forwarded requests to be lost if requested from within a subsequent include. (markt)
Fix: 59966: Do not start the web application if the error page configuration in web.xml is invalid. (markt)
Fix: Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
Fix: 60012: Improvements in the log messages. Based on suggestions by Nemo Chen. (violetagg)
Fix: Changes to the allowLinking attribute of a StandardRoot instance now invalidate the cache if caching is enabled. (markt)
Add: Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. (markt)
Add: When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
Fix: 60008: When processing CORs requests, treat any origin with a URI scheme of file as a valid origin. (markt)
Fix: Improve handling of exceptions during a Lifecycle events triggered by a state transition. The exception is now caught and the component is now placed into the FAILED state. (markt)
Fix: 60013: Fix encoding issues when using the RewriteValve with UTF-8 query strings or UTF-8 redirect URLs. (markt)
Fix: 60022: Improve handling when a WAR file and/or the associated exploded directory are symlinked into the appBase. (markt)
Fix: Fix a file descriptor leak when reading the global web.xml. (markt)
Fix: Consistently decode URL patterns provided via web.xml using the encoding of the web.xml file where specified or UTF-8 where no explicit encoding is specified. (markt)
Fix: Make timing attacks against the Realm implementations harder. (schultz)
Fix: A number of the JRE memory leaks addressed by the JreMemoryLeakPreventionListener have been fixed in Java 9 so the associated protection is now disabled when running on Java 9 onwards. (markt)
Coyote:
Fix: Correct a regression in refactoring to enable injection of custom keystores that broke the automatic conversion of OpenSSL style PEM key and certificate files for use with JSSE TLS connectors. (markt)
Fix: 59910: Don't hardcode key alias value to "tomcat" for JSSE. When using a keystore, OpenSSL will still default to it. (remm)
Fix: 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
Fix: 59925: Correct regression in r1628368 and ensure that HTTP separators are handled as configured in the LegacyCookieProcessor. Patch provided by Kyohei Nakamura. (markt)
Fix: 59950: Correct log message when reporting that the current number of HTTP/2 streams for a connection could not be pruned to below the limit. (markt)
Fix: Ensure that Semaphore.release is called in all cases. Even when there is an exception. (violetagg)
Fix: 60030: Correct a potential infinite loop in the SNI parsing code triggered by failing to handle an end of stream condition. (markt)
Fix: Small logging optimization in the Rfc6265CookieProcessor. Patch provided by Svetlin Zarev. (markt)
Fix: OpenSSL now disables 3DES by default so reflect this when using OpenSSL syntax to select ciphers. (markt)
Fix: Use the proper ERROR socket status code for async errors with NIO2. (remm)
Fix: 60035: Fix a potential connection leak if the client drops a TLS connection before the handshake completes. (markt)
Fix: Refactor the JSSE client certificate validation so that the effectiveness of the certificateVerificationDepth configuration attribute does not depend on the presence of a certificate revokation list. (markt)
Add: Log a warning at start up if a JSSE TLS connector is configured with a trusted certificate that is either not yet valid or has expired. (markt)
Jasper:
Fix: When writing out a full web.xml file with JspC ensure that the encoding used in the XML prolog matches the encoding used to write the contents of the file. (markt)
Fix: Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
Fix: 60032: Fix handling of method calls that use varargs within EL value expressions. (markt)
Fix: Ignore engineOptionsClass and scratchdir when running under a security manager. (markt)
Fix: Fixed StringIndexOutOfBoundsException. Based on a patch provided by wuwen via Github. (violetagg)
WebSocket:
Fix: 59908: Ensure that a reason phrase is included in the close message if a session is closed due to a timeout. (markt)
Web applications:
Fix: 59867: Correct the documentation provided by Manager's 403.jsp. (violetagg)
Fix: 59868: Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. (markt)
Fix: 59940: Correct the name of the truststorePassword attribute of the SSLHostConfig element in the configuration documentation. (markt)
Fix: MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. Patch provided by Radoslav Husar. (violetagg)
Fix: Update NIO Connector configuration documentation with an information about socket.directSslBuffer. (violetagg)
Fix: 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
jdbc-pool:
Fix: In order to avoid the unintended skip of PoolCleaner, remove the check code of the execution interval in the task that has been scheduled. (kfujino)
Fix: 59850: Ensure that the ResultSet is closed when enabling the StatementCache interceptor. (kfujino)
Fix: 59923: Reduce the default value of validationInterval in order to avoid the potential issue that continues to return an invalid connection after database restart. (kfujino)
Fix: Ensure that the ResultSet is returned as Proxy object when enabling the StatementDecoratorInterceptor. (kfujino)
Fix: 60043: Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. (kfujino)
Fix: Add log message of when returning the connection that has been marked suspect. (kfujino)
Fix: Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya Cahyadi. (markt)
Other:
Add: 59871: Add a property (timeFormat) to JULI's OneLineFormatter to enable the format of the time stamp used in log messages to be configured. (markt)
Fix: 59899: Update Tomcat's copy of the Java Persistence annotations to include the changes made in 2.1 / JavaEE 7. (markt)
Fix: Fixed typos in mbeans-descriptors.xml files. (violetagg)
Update: Update the internal fork of Commons BCEL to r1757132 to align with the BCEL 6 release. (markt)
Update: Update the internal fork of Commons DBCP2 to r1757164 to pick up a couple of bug fixes. (markt)
Update: Update the internal fork of Commons Codec to r1757174. Code formatting changes only. (markt)
Update: Update the internal fork of Commons FileUpload to afdedc9. This pulls in a fix to improve the performance with large multipart boundaries. (markt)

New in Apache Tomcat 9.0.0 M10 Alpha (Sep 6, 2016)

New in Apache Tomcat 9.0.0 M9 Alpha (Jul 14, 2016)

Catalina:
Fix: 18500: Add limited support for wildcard host names and host aliases. Names of the form *.domainname are now permitted. Note that an exact host name match takes precedence over a wild card host name match. (markt)
Fix: 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
Fix: Correct a regression in the fix for 58588 that removed the entire org.apache.juli package from the embedded JARs rendering them unusable. (markt)
Add: 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
Update: Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than the security risk of not enabling this option by default. (markt)
Fix: Follow-up to 59655. Improve the documentation for configuring permitted cookie names. Patch provided by Kyohei Nakamura. (markt)
Fix: Do not attempt to start web resources during a web application's initialisation phase since the web application is not fully configured at that point and the web resources may not be correctly configured. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Coyote:
Fix: Fix a cause of multiple attempts to close the same socket. (markt)
Code: Refactor the certifcate keystore and trust store generation to make it easier for embedded users to inject their own key stores. (markt)
Update: Add a maxConcurrentStreamExecution on the HTTP/2 protocol handler to allow restricting the amount of concurrent stream that are being executed in a single connection. The default is to not limit it. (remm)
Add: 59233: Add the ability to add TLS virtual hosts dynamically. (markt)
Fix: Correct a problem with ServletRequest.getServerPort() for secure HTTP/2 connections that meant an incorrect value was retured when using the default port. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Jasper:
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
WebSocket:
Code: Now the WebSocket implementation is not built directly on top of the Servlet API and can use Tomcat internals, there is no need for the dedicated WebSocket Executor. It has been replaced by the use of the Connector/Endpoint provided Executor. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Web Applications:
Fix: Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
Fix: 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
Fix: 59672: Update the security considerations page of the documentation web application to take account of the fact that the Manager and HostManager applications now have a RemoteAddrValve configured by default. (markt)
Fix: Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created for an Engine. (markt)
Fix: Fix the description of maxAge attribute in jdbc-pool doc. This attribute works both when a connection is returned and when a connection is borrowed. (kfujino)
Fix: 59774: Correct the prefix values in the the documented examples for configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
Tribes:
Add: Add log message when the ping has timed-out. (kfujino)
Fix: If the ping message has been received at the AbstractReplicatedMap#leftOver method, ensure that notify the member is alive than ignore it. (kfujino)
jdbc-pool:
Fix: Fix the duplicated connection release when connection verification failed. (kfujino)
Fix: Ensure that do not remove the abandoned connection that has been already released. (kfujino)
Other:
Fix: Remove JULI plus log4j extras and embedded artifacts from Maven release script. (markt)
Add: Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)

New in Apache Tomcat 8.5.4 (Jul 14, 2016)

Highlights:
Correct a regression in the embedded packaging
Add the ability to control the degree of concurrency when processing HTTP/2 connections
Update to Tomcat Native 1.2.8
Catalina:
Fix: 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
Fix: Correct a regression in the fix for 58588 that removed the entire org.apache.juli package from the embedded JARs rendering them unusable. (markt)
Add: 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
Update: Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than the security risk of not enabling this option by default. (markt)
Fix: Follow-up to 59655. Improve the documentation for configuring permitted cookie names. Patch provided by Kyohei Nakamura. (markt)
Fix: Do not attempt to start web resources during a web application's initialisation phase since the web application is not fully configured at that point and the web resources may not be correctly configured. (markt)
Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Coyote:
Code: Refactor the certifcate keystore and trust store generation to make it easier for embedded users to inject their own key stores. (markt)
Add: 59233: Add the ability to add TLS virtual hosts dynamically. (markt)
Update: Add a maxConcurrentStreamExecution on the HTTP/2 protocol handler to allow restricting the amount of concurrent stream that are being executed in a single connection. The default is to not limit it. (remm)
Fix: Correct a problem with ServletRequest.getServerPort() for secure HTTP/2 connections that meant an incorrect value was retured when using the default port. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Jasper:
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
WebSocket:
Code: Now the WebSocket implementation is not built directly on top of the Servlet API and can use Tomcat internals, there is no need for the dedicated WebSocket Executor. It has been replaced by the use of the Connector/Endpoint provided Executor. (markt)
Fix: Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
Web Applications:
Fix: Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
Fix: 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
Fix: 59672: Update the security considerations page of the documentation web application to take account of the fact that the Manager and HostManager applications now have a RemoteAddrValve configured by default. (markt)
Fix: Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created for an Engine. (markt)
Fix: Fix the description of maxAge attribute in jdbc-pool doc. This attribute works both when a connection is returned and when a connection is borrowed. (kfujino)
Fix: 59774: Correct the prefix values in the the documented examples for configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
Extras:
Code: 58588: Remove the JULI extras package from the distribution. It was only useful for switching Tomcat's internal logging to log4j 1.2.x and that version of log4j is no longer supported. No additional Tomcat code is required if switching Tomcat's internal logging to log via log4j 2.x. (markt)
Tribes:
Add: Add log message when the ping has timed-out. (kfujino)
Fix: If the ping message has been received at the AbstractReplicatedMap#leftOver method, ensure that notify the member is alive than ignore it. (kfujino)
jdbc-pool:
Fix: Fix the duplicated connection release when connection verification failed. (kfujino)
Fix: Ensure that do not remove the abandoned connection that has been already released. (kfujino)
Other:
Update: 59276: Update optional Checkstyle library to 6.17. (kkolinko)
Add: Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
Code: Use UTF-8 with a standard prolog for all XML files. (markt)

New in Apache Tomcat 9.0.0 M8 Alpha (Jun 14, 2016)

New in Apache Tomcat 8.5.3 (Jun 14, 2016)

Catalina:
Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
Code: Remove the clearReferencesStatic option from StandardContext. It was known to cause problems with some libraries (such as log4j) and was only linked to suspected memory leaks rather than known memory leaks. It had been disabled by default with no increase in the reports of memory leaks for some time. (markt)
Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
Fix: Fix error message when failed to register MBean. (kfujino)
Fix: 59655: Configure the cookie name validation to use RFC6265 rules by default to align it with the default cookie parser. Document the impact system properties have on cookie name validation. (mark)
Coyote:
Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
Fix: Improve handling of HTTP/2 stream resets. (markt)
Add: 58750: The HTTP Server header is no longer set by default. A Server header may be configured by setting the server attribute on the Connector. A new Connector attribute, serverRemoveAppProvidedValues may be used to remove any Server header set by a web application. (markt)
Fix: 59564: Correct offset when reading into HTTP/2 input buffer that could cause problems reading request bodies. (violetagg/markt)
Fix: Modify the handling of read/write timeouts so that the appropriate error handling (ReadListener.onError(), WriteListener.onError() or AsycnListener.onError()) is called. (markt)
Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
Fix: Fix a cause of multiple attempts to close the same socket. (markt)
Jasper:
Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
WebSocket:
Fix: 59659: Fix possible memory leak in WebSocket handling of unexpected client disconnects. (markt)
Web applications:
Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjäll. (markt)
jdbc-pool:
Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
Other:
Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

New in Apache Tomcat 8.0.35 / 8.5.4 Beta / 9.0.0.M6 Alpha (May 18, 2016)

New in Apache Tomcat 8.5.0 Beta (May 9, 2016)

New in Apache Tomcat 8.0.33 (Mar 26, 2016)

Catalina:
Fix: Correct a regression in the fix for 58867. When configuring a Context to use an external directory for the docBase, and that directory happens to be located along side the original WAR, use the directory as the docBase rather than expanding the WAR into the appBase and using the newly created expanded directory as the docBase. (markt)
Add: 58351: Make the server build date and server version number accessible via JMX. Patch provided by Huxing Zhang. (markt)
Add: 58988: Special characters in the substitutions for the RewriteValve can now be quoted with a backslash. (fschumacher)
Fix: 58999: Fix class and resource name filtering in WebappClassLoader. It throws a StringIndexOutOfBoundsException if the name is exactly "org" or "javax". (rjung)
Code: Remove unnecessary code. There is no support for context level cluster. (kfujino)
Add: Make checking for var and map replacement in RewriteValve a bit stricter and correct detection of colon in var replacement. (fschumacher)
Fix: Fix the type of InstanceManager attribute of mbean definition of StandardContext. (kfujino)
Fix: Refactor the web application class loader to reduce the impact of JAR scanning on the memory footprint of the web application. (markt)
Fix: Fix some resource leaks in the error handling for accessing files from JARs and WARs. (markt)
Fix: Refactor the JAR and JAR-in-WAR resource handling to reduce the memory footprint of the web application. (markt)
Fix: 57809: Deprecate the custom context attribute org.apache.tomcat.util.scan.MergedWebXml which will be removed in Tomcat 9. (markt)
Fix: 59001: Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. (markt)
Fix: Expand the fix for 59001 to cover the special sequences used in Tomcat's custom jar:war: URLs. (markt)
Fix: 59043: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.logout() is used. (markt)
Fix: 59054: Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. (markt)
Fix: Storeconfig handling of alternate cookie processors. (markt/remm)
Fix: Storeconfig handling for socket properties. (remm)
Add: Log a warning message if a user tries to configure the default session timeout via the deprecated (and ignored) Manager.setMaxInactiveInterval() method. (markt)
Fix: Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
Fix: 59065: Correct the timing of the check for colons in paths on non-Windows systems implemented in catalina.sh so it works correctly with Cygwin. Patch provided by Ed Randall. (markt)
Fix: When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it. (markt)
Fix: 59115: When using the Servlet 3.0 file upload, the submitted file name may be provided as a token or a quoted-string. If a quoted-string, unquote the string before returning it to the user. (markt)
Fix: 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
Fix: 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
Fix: 59145: Don't log an invalid warning when a user logs out of a session associated with SSO. (markt)
Fix: 59151: Fix a regression in the fix for 56917 that added additional (and arguably unnecessary) validation to the provided redirect location. (markt)
Fix: 59154: Fix a NullPointerException in the JASSMemoryLoginModue resulting from the introduction of the CredentialHandler to Realms. (schultz/markt)
Coyote:
Fix: 58646: Correct a problem with sendfile that resulted in a Processor being added to the cache twice leading to broken responses. (markt)
Fix: 59015: Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. (markt)
Fix: Align cipher aliases for kECDHE and ECDHE with the current OpenSSL implementation. (markt)
Fix: 59081: Retain the user defined cipher order when defining ciphers using the OpenSSL format. (markt)
Fix: 59089: Correctly ignore HTTP headers that include non-token characters in the header name. (markt)
Add: Add support for additional OpenSSL cipher aliases from OpenSSL master when specifying ciphers using the OpenSSL syntax. (markt)
Jasper:
Fix: 57583: Improve the performance of javax.servlet.jsp.el.ScopedAttributeELResolver when resolving attributes that do not exist. This improvement only works when Jasper is used with with Tomcat's EL implementation. (markt)
Update: 58111: Update to the Eclipse JDT Compiler 4.5. (markt)
Add: Add Java 9 support for JSPs. (markt)
WebSocket:
Fix: 59014: Ensure that a WebSocket close message can be sent after a close message has been received. (markt)
Fix: Correctly handle compression of partial messages when the final message fragment has a zero length payload. (markt)
Fix: 59119: Correct read logic for WebSocket client when using secure connections. (markt)
Fix: 59134: Correct client connect logic for secure connections made through a proxy. (markt)
Fix: 59189: Explicitly release the native memory held by the Inflater and Deflater when using PerMessageDeflate and the WebSocket session ends. Based on a patch by Henrik Olsson. (markt)
Web applications:
Fix: Correct an error in the documentation of the expected behaviour for automatic deployment. If a WAR is updated and an expanded directory is present, the directory will always be deleted and recreated by expanding the WAR if unpackWARs is true. (markt)
Fix: 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
Fix: Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
Fix: Fix a potenital indefinite wait in the Comet Chat servlet in the examples web application. (markt)
Tribes:
Fix: If promoting a proxy node to a primary node when getting a session, notify the change of the new primary node to the original backup node. (kfujino)
Other:
Fix: 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
Fix: 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.5 to pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR 1.5.1. (markt)
Update: Modify the default tomcat-users.xml file to make it harder for users to configure the entries intended for use with the examples web application for the Manager application. (markt)

New in Apache Tomcat 9.0.0.M4 Alpha (Mar 17, 2016)

Catalina:
Fix: Ensure that /WEB-INF/classes is never processed as a web fragment. (markt)
Update: Switch default connector when native is installed. Unless configured otherwise, the NIO endpoint will be used by default. If SSL is configured, OpenSSL will be used rather than JSSE. (remm)
Fix: Correct a regression in the fix for 58867. When configuring a Context to use an external directory for the docBase, and that directory happens to be located along side the original WAR, use the directory as the docBase rather than expanding the WAR into the appBase and using the newly created expanded directory as the docBase. (markt)
Add: 58351: Make the server build date and server version number accessible via JMX. Patch provided by Huxing Zhang. (markt)
Add: 58988: Special characters in the substitutions for the RewriteValve can now be quoted with a backslash. (fschumacher)
Fix: 58999: Fix class and resource name filtering in WebappClassLoader. It throws a StringIndexOutOfBoundsException if the name is exactly "org" or "javax". (rjung)
Add: Add JASPIC (JSR-196) support. (markt)
Add: Make checking for var and map replacement in RewriteValve a bit stricter and correct detection of colon in var replacement. (fschumacher)
Fix: Refactor the web application class loader to reduce the impact of JAR scanning on the memory footprint of the web application. (markt)
Fix: Fix some resource leaks in the error handling for accessing files from JARs and WARs. (markt)
Fix: Refactor the JAR and JAR-in-WAR resource handling to reduce the memory footprint of the web application. (markt)
Fix: Refactor the web.xml parsing so a new parser is created every time the web application starts rather than creating and caching the parser when the Context is created. This enables the parser to take account of modified Context configuration parameters and reduces (slightly) the memory footprint of a running Tomcat instance. (markt)
Update: Switch to the web application class loader to the ParallelWebappClassLoader by default. (markt)
Fix: 57809: Remove the custom context attribute that held the effective web.xml. Components needing access to configuration information may access it via the Servlet API. (markt)
Fix: Refactor JAR scanning to reduce memory footprint. (markt)
Fix: 59001: Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. (markt)
Fix: Expand the fix for 59001 to cover the special sequences used in Tomcat's custom jar:war: URLs. (markt)
Fix: 59043: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.logout() is used. (markt)
Fix: 59054: Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. (markt)
Fix: Add socket properties support to storeconfig. (remm)
Fix: Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
Fix: 59065: Correct the timing of the check for colons in paths on non-Windows systems implemented in catalina.sh so it works correctly with Cygwin. Patch provided by Ed Randall. (markt)
Fix: When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it. (markt)
Fix: 59115: When using the Servlet 3.0 file upload, the submitted file name may be provided as a token or a quoted-string. If a quoted-string, unquote the string before returning it to the user. (markt)
Fix: 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
Add: Implement the proposed Servlet 4.0 API to provide mapping type information for the current request. (markt)
Fix: 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
Add: 59017: Make the pre-compressed file support in the Default Servlet generic so any compression may be used rather than just gzip. Patch provided by Mikko Tiihonen. (markt)
Fix: 59145: Don't log an invalid warning when a user logs out of a session associated with SSO. (markt)
Fix: 59150: Add an additional flag on APR listener to allow disabling automatic use of OpenSSL. (remm)
Fix: 59151: Fix a regression in the fix for 56917 that added additional (and arguably unnecessary) validation to the provided redirect location. (markt)
Fix: 59154: Fix a NullPointerException in the JASSMemoryLoginModue resulting from the introduction of the CredentialHandler to Realms. (schultz/markt)
Coyote:
Fix: Handle the case in the NIO2 connector where the required TLS buffer sizes increase after the connection has been initiated. (markt/remm)
Fix: Bad processing of handshake errors in NIO2. (remm)
Fix: Use JSSE session configuration options with OpenSSL. (remm)
Fix: 59015: Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. (markt)
Fix: Align cipher aliases for kECDHE and ECDHE with the current OpenSSL implementation. (markt)
Fix: 59081: Retain the user defined cipher order when defining ciphers. (markt)
Fix: 59089: Correctly ignore HTTP headers that include non-token characters in the header name. (markt)
Jasper:
Update: Update to the Eclipse JDT Compiler 4.5.1. (markt)
Fix: 57583: Improve the performance of javax.servlet.jsp.el.ScopedAttributeELResolver when resolving attributes that do not exist. This improvement only works when Jasper is used with with Tomcat's EL implementation. (markt)
WebSocket:
Fix: Fix a timing issue on session close that could result in an exception being thrown for an incomplete message even through the message was completed. (markt)
Fix: Correctly handle compression of partial messages when the final message fragment has a zero length payload. (markt)
Fix: 59119: Correct read logic for WebSocket client when using secure connections. (markt)
Fix: 59134: Correct client connect logic for secure connections made through a proxy. (markt)
Web applications:
Fix: Correct an error in the documentation of the expected behaviour for automatic deployment. If a WAR is updated and an expanded directory is present, the directory will always be deleted and recreated by expanding the WAR if unpackWARs is true. (markt)
Fix: 48674: Implement an option within the Host Manager web application to persist the current configuration. Based on a patch by Coty Sutherland. (markt)
Fix: 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
Fix: Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
Add: The Manager and Host Manager applications are now only accessible via localhost by default. (markt)
Tribes:
Fix: If promoting a proxy node to a primary node when getting a session, notify the change of the new primary node to the original backup node. (kfujino)
Other:
Fix: 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
Fix: 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.5 to pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR 1.5.1. (markt)
Update: Modify the default tomcat-users.xml file to make it harder for users to configure the entries intended for use with the examples web application for the Manager application. (markt)

New in Apache Tomcat 8.0.32 (Feb 10, 2016)

New in Apache Tomcat 9.0.0.M3 Alpha (Feb 8, 2016)

New in Apache Tomcat 8.0.30 (Dec 7, 2015)

Catalina:
Fix: 34319: Only load those keys in StoreBase.processExpire from JDBCStore, that are old enough, to be expired. Based on a patch by Tom Anderson. (fschumacher)
Add: 56917: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later redirects to use relative URIs. This is controlled by a new attribute useRelativeRedirects on the Context and defaults to true. (markt)
Fix: 58629: Allow an embedded Tomcat instance to start when the Service has no Engine configured. (markt)
Fix: 58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt)
Fix: 58660: Correct a regression in 8.0.29 caused by the change that moved the redirection for context roots from the Mapper to the Default Servlet. (markt)
Fix: Fixed potential NPE in HostConfig while deploying an application. Issue reported by coverity scan. (violetagg)
Fix: 58655: Fix an IllegalStateException when calling HttpServletResponse.sendRedirect() with the RemoteIpFilter. This was caused by trying to correctly generate the absolute URI for the redirect. With the fix for 56917, redirects may now be relative making the sendRedirect() implementation for the RemoteIpFilter much simpler. This also addresses issues where the redirect may not have behaved as expected when redirecting from http to https to from https to http. (markt)
Fix: 58657: Exceptions in a Servlet 3.1 ReadListener or WriteListener do not need to be immediately fatal to the connection. Allow an error response to be written. (markt)
Coyote:
Fix: Improve upgrade context classloader handling by using Context.bind and unbind. (remm)
Jasper:
Fix: 57136#c25: Change default value of quoteAttributeEL setting in Jasper to be true for better compatibility with other implementations and older versions of Tomcat (8.0.26/7.0.64 and earlier). Add command line option -no-quoteAttributeEL in JspC. (kkolinko)
Cluster:
Fix: Fix potential integer overflow in DeltaSession. Reported by coverity scan. (fschumacher)
WebSocket:
Add: 55006: The WebSocket client now honors the java.net.java.net.ProxySelector configuration (using the HTTP type) when establishing WebSocket connections to servers. Based on a patch by Niki Dokovski. (markt)
Fix: 58624: Correct a thread safety issue that meant that blocking message writes could block indefinitely if the WebSocket connection was closed while a message write was in progress. (markt)
Web Applications:
Fix: 58631: Correct the continuation character use in the Windows Service How-To page of the documentation web application. (markt)
Tribes:
Fix: Ensure that the static member is registered to the add suspect list even if the static member that is registered to the remove suspect list has disappeared. (kfujino)
Fix: Correct the warning log of when the member that is not registered in the membership is detected. (kfujino)
Fix: When using a static cluster, add the members that have been cached in the membership service to the map members list in order to ensure that the map member is a static member. (kfujino)
jdbc-pool:
Fix: Correct evaluation of system property org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader. It was basically ignored before. Reported by coverity scan. (fschumacher)
Fix: Fix potential integer overflow in ConnectionPool and PooledConnection. Reported by coverity scan. (fschumacher)
Other:
Update: Update optional Checkstyle library to 6.13. (kkolinko)

New in Apache Tomcat 8.0.29 (Nov 25, 2015)

New in Apache Tomcat 9.0.0.M1 Alpha (Nov 19, 2015)

New in Apache Tomcat 8.0.28 (Oct 15, 2015)

New in Apache Tomcat 8.0.27 (Oct 1, 2015)

Catalina:
Fix: 58187: Correct a regression in the fix for 57765 that meant that deployment of web applications deployed via the Manager application was delayed until the next execution of the automatic deployment background process. (markt)
Fix: 58284: Correctly implement session serialization so non-serializable attributes are skipped with a warning. Patch provided by Andrew Shore. (markt)
Fix: 58313: Fix concurrent access of encoders map when clearing encoders prior to switch to async. (markt)
Fix: 58320: Fix concurrent access of request attributes which is possible during asynchronous processing. (markt)
Fix: 58352: Always trigger a thread dump if Tomcat fails to stop gracefully from catalina.sh even if using -force. Patch provided by Alexandre Garnier. (markt)
Fix: 58368: Fix a rare data race in the code that obtains the ApplicationFilterFactory instance. (markt)
Fix: 58369: Fix a rare data race in the code that obtains the CookieProcessor for a StandardContext instance. (markt)
Fix: Ensure the JAASRealm uses the configured CredentialHandler. (markt)
Fix: 58372: Fix rare data races closed and suspended flags that could be triggered by async and/or comet processing. (markt)
Fix: 58373: Fix rare data race with the application event listeners for StandardContext. (markt)
Fix: 58374: Fix a rare data race in the AsyncContext implementation for access to the internal Tomcat request object to which it holds a reference. (markt)
Fix: 58380: Fix two rare data races in the standard session implementation on the flag that tracks if the session is new and on the field that tracks the maximum inactive period. (markt)
Fix: 58385: Fix a rare data race in the internal flag Tomcat uses to keep track of whether or not a request is being used for Comet processing. (markt)
Fix: 58394: Fix a rare data race in Mapper when adding or removing a host. (markt)
Fix: 58398: Fix a rare data race in LifecycleSupport. (markt)
Fix: 58412: Ensure that the AsyncFileHandler has the source class and method name available for logging. (fschumacher)
Fix: 58416: Correctly detect when a forced stop fails to stop Tomcat because the Tomcat process is waiting on some system call or is uninterruptible. (markt)
Fix: 58436: Fix some rare data races in JULI's ClassLoaderLogManager during shutdown. (markt)
Fix: 58845: Fix off-by one error in calculation of valid characters in a cookie domain. Patch provided by Thorsten Ehlers. (markt)
Coyote:
Fix: Correct some edge cases in RequestUtil.normalize(). (markt)
Fix: 58275: The IBM JREs accept cipher suite names starting with TLS_ or SSL_ but when listing the supported cipher suites only the SSL_ version is reported. This can break Tomcat's check that at least one requested cipher suite is supported. Tomcat now includes a work-around so either form of the cipher suite name can be used when running on an IBM JRE. (markt)
Fix: 58357: For reasons not currently understood when the APR/native connector is used with OpenSSL reads can return an error code when there is no apparent error. This was work-around for HTTP upgrade connections by treating this as EAGAIN. The same fix has now been applied to the standard HTTP connector. (markt)
Code: Minor clean-up in NIO2 SSL handshake code to address some theoretical concurrency issues. (markt)
Fix: 58367: Fix a rare data race in the code that obtains the reason phrase for a given HTTP response code. (markt)
Fix: 58370: Fix a rare data race in the connector shutdown code. (markt)
Fix: 58371: Fix a rare data race when accessing request URI in String form when switching from non-async to async due to early triggering of the gathering of request statistics. (markt)
Fix: 58375: Fix a rare data race on the internal flag Tomcat uses to mark a response as committed. (markt)
Fix: 58377: Fix a rare data race on the internal flag Tomcat uses to mark a request as using HTTP keep-alive when switching to asynchronous processing. (markt)
Fix: 58379: Fix a rare data race on the interal reference Tomcat retains to the socket when switching to asynchronous processing. (markt)
Fix: 58387: Fix a rare data race when closing Comet connections. (markt)
Fix: 58388: Fix a data race when determining if Comet processing is occurring on a container or non-container thread. (markt)
Fix: 58389: Fix a rare data race while shutting down the thread pools on Connector stop. (markt)
Code: Clean up use of error flag on socket wrapper prompted by 58390. (markt)
Code: Remove some unnecessary code from the NIO Poller and fix 58396 as a side-effect. (markt)
Fix: 57799: Remove useless sendfile check for NIO SSL. (remm)
Jasper:
Fix: 57136: Correct a regression in the previous fix for this issue. \${ should only an escape for ${ within an EL expression. Within a JSP page \$ should be an escape for $. The EL specification applies when parsing the expression delimited by ${ and }. Parsing of the delimiting ${ and } is the responsibility of the JSP specification. (markt)
Fix: 58296: Fix a memory leak in the JSP unloading feature that meant that using a value other than -1 for maxLoadedJsps triggered a memory leak once the limit was reached. (markt)
Fix: 58327: Cache the expression string for value expression literals since it is frequently used and may be expensive to evaluate. Patch provided by Andreas Kohn. (markt)
Fix: 58340: Improve error reporting for tag files packaged in JARs. (markt)
Fix: 58424: When parsing TLD files, allow whitespace around boolean configuration values. (schultz)
Fix: Fix a possible resource leak reported by coverity scan. (fschumacher)
Fix: 58427: Enforce the JSP specification defined limitations of which elements are allowed in an implicit.tld file. (markt)
Fix: 58444: Ensure that JSPs work with any custom base class that meets the requirements defined in the JSP specification without requiring that base class to implement Tomcat specific code. (markt)
Cluster:
Fix: Fix a default clusterListeners in SimpleTcpCluster. The optimal default value is different for each session manager. ClusterSessionListener is never used in BackupManager. (kfujino)
Fix: Correct log messages in case of using BackupManager. (kfujino)
WebSocket:
Fix: 58342: Fix a copy and paste error that meant MessageHandler removal could fail for binary and pong MessageHandlers. Patch provided by DJ. (markt)
Fix: Data races detected by RV-Predict, mostly caused by completion handlers running in separate threads. (markt)
Fix: 58414: Correctly handle sending zero length messages when using per message deflate. (markt)
Web applications:
Fix: Correct documentation for cluster-howto. (kfujino)
Fix: Add missing documentation for property alwaysAddExpires for the LegacyCookieProcessor. (markt)
Tribes:
Add: Add support for configurations of ChannelListener and MembershipListener in server.xml. (kfujino)
Fix: Correct log messages in case of using ReplicatedMap. (kfujino)
Fix: 58381: Fix a rare data race in the NioReceiver. (markt)
Fix: 58382: Fix multiple rare data races in the default membership implementation. (markt)
Fix: 58383: Fix a data race in SenderState. (markt)
Fix: 58386: Fix a data race in ObjectReader. (markt)
Fix: 58391: Fix multiple data races in NonBlockingCoordinator, most of which were associated with ensuring that log messages contained the correct information. (markt)
Fix: 58392: Fix a data race in DomainFilterInterceptor. (markt)
Fix: 58393: Fix a data race on the listener in McastService. (markt)
Fix: 58395: Fix multiple data races in MemberImpl that were likely to cause issues if certain properties were updated concurrently (such updates are unlikely in normal usage). (markt)
Code: Remove some unnecessary code from PooledParallelSender and fix 58397. (markt)
jdbc-pool:
Fix: Make sure the pool has been properly configured when attributes that related to the pool size are changed via JMX. (kfujino)
Other:
Fix: Ensure logging works for all tests in a class rather than just the first one executed. (markt)
Add: 58344: Add build properties to enable tests to be executed against alternative binaries. Based on a patch by Petr Sumbera. (markt)

New in Apache Tomcat 8.0.26 (Aug 25, 2015)

New in Apache Tomcat 8.0.25 (Aug 25, 2015)

Catalina:
Fix: Make the WAR manifest file available for WebResource instances from an unpacked WAR in the same way the manifest is available if the WAR is not unpacked. (markt)
Fix: Ensure that only /WEB-INF/classes/ and /WEB-INF/lib/ are excluded from the web resource caching. (Resources loaded from these locations are cached by the web application class loader.) (markt)
Add: 57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt)
Fix: 58031: Make the (first) reason parameter parsing failed available as a request attribute and then use it to provide a better status code via the FailedRequstFilter (if configured). (markt)
Fix: 58086: Correct a regression in the fix for 58086 that incorrectly handled WAR URLs. (violetagg)
Fix: 58096: Classes loaded from /WEB-INF/classes/ should use that directory as their code base. (markt)
Fix: Fix possible resource leaks by closing streams properly. Issues reported by Coverity Scan. (violetagg)
Fix: 58116: Fix regression in the fix for 57281 that broke Comet support when running under a security manager. Based on a patch provided by Johno Crawford. (markt)
Fix: 58125: Avoid a possible ClassCircularityError when running under a security manager. (markt)
Fix: 58179: Fix a thread safety issues that could mean concurrent threads setting the same attribute on a ServletContext could both see null as the old value. (markt)
Fix: Allow web archives bigger than 2G to be deployed using ANT tasks. (violetagg)
Fix: 58192: Correct a regression in the previous fix for 58023. Ensure that classes are associated with their manifest even if the class file is first read (and cached) without the manifest. (markt)
Fix: Fix thread safety issue in the AsyncContext implementation that meant a sequence of start();dispatch(); calls using non-container threads could result in a previous dispatch interfering with a subsequent start. (markt)
Fix: 58228: Make behaviour of ServletContext.getResource() and ServletContext.getResourceAsStream() consistent with each other and the expected behaviour of the GET_RESOURCE_REQUIRE_SLASH system property. (markt)
Fix: 58230: Fix input stream corruption if non-blocking I/O is used and the first read is made immediately after the switch to async mode rather than in response to onDataAvaiable() and that read does not read all the available data. (markt)
Fix: Ensure that log4javascript*.jar was not excluded from the standard JAR scanning by default. (markt)
Coyote:
Fix: 57943: Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. (markt)
Fix: Add text/javascript,application/javascript to the default list of compressable MIME types. (violetagg)
Fix: 58103: When pipelining requests, and the previous request was an async request, ensure that the socket is removed from the waiting requests so that the async timeout thread doesn't process it during the next request. (markt)
Fix: 58151: Correctly handle EOF in the AJP APR/native connector to prevent the connector entering a loop and generate excessive CPU load. (markt)
Fix: In the AJP and HTTP NIO connectors, ensure that the socket timeout is correctly set before adding the socket back to the poller for read. (markt)
Fix: 58157: Ensure that the handling of async timeouts does not result in an unnecessary dispatch to a container thread that could result in the current socket being added to the Poller multiple times with multiple attempts to process the same event for the same socket. (markt)
Fix: Correct a coupe of edge cases in RequestUtil.normalize(). (markt)
Jasper:
Fix: 58110: Like scriptlet sections, declaration sections of JSP pages have a one-to-one mapping of lines to the generated .java file. Use this information to provide more accurate error messages if a compilation error occurs in a declaration section. (markt)
Fix: 58119: When tags are compiled they must be placed in the org/apache/jsp/tag/web directory. Correct a regression in the fix for 52725. (violetagg)
Fix: Fix a resource leak in JspC identified by Eclipse. (markt)
Fix: 58178: Expressions in a tag file should use the tag file's PageContext rather than that of the containing page. (markt)
Fix: Following on from the fix for 58178, expressions in a tag file should use the tag file's imports rather than those of the containing page. (markt)
WebSocket:
Fix: 58166: Allow applications to send close codes in the range 3000-4999 inclusive. (markt)
Fix: 58232: Avoid possible NPE when adding endpoints programmatically to the javax.websocket.server.ServerContainer. Based on a patch provided by bastian.(violetagg)
Web applications:
Fix: Correct the incorrect document of QueryTimeoutInterceptor. The setting value is not in milliseconds but in seconds. (kfujino)
Fix: 58112: Update the documentation for using the Catalina tasks in an Apache Ant build file. (markt)
Fix: Improve the Javadoc for some of the APR socket read functions that have inconsistent behaviour for return values. (markt)
jdbc-pool:
Fix: 58042: The default value of logFailed attribute of SlowQueryReport is changed to false so that the failed queries are not logged by default. (kfujino)
Fix: Fix potential NPE in QueryTimeoutInterceptor. (kfujino)
Fix: Add support for stopping the pool cleaner via JMX. (kfujino)
Fix: The fairness attribute and ignoreExceptionOnPreLoad attribute do not allow a change via JMX. (kfujino)
Fix: If the timeBetweenEvictionRunsMillis attribute is changed via jmx, it should restart the pool cleaner because this attribute affects the execution interval of the pool cleaner. (kfujino)
Fix: Eliminate the dependence on maxActive of busy queues and idle queue in order to enable the expansion of the pool size via JMX. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.8.1. (kkolinko)
Fix: Update sample Eclipse IDE configuration to exclude test/webapp* and similar paths from compiler sourcepath. (kkolinko)
Update: Update package renamed Apache Commons Pool to Commons Pool 2.4.2. (markt)
Update: Update package renamed Apache Commons DBCP to Commons DBCP 2.1.1. (markt)
Add: Support the use of the threads attribute on Ant's junit task. Note that using this with a value of greater than one will disbale Cobertura code coverage. (markt)

New in Apache Tomcat 8.0.24 (Jul 7, 2015)

Catalina:
Fix: 57938: Correctly handle empty form fields when a form is submitted as multipart/form-data, the maxPostSize attribute of the Connector has been set to a negative value and the Context has been configured with a value of true for allowCasualMultipartParsing. The meaning of the value zero for the maxPostSize has also been changed to mean a limit of zero rather than no limit to align it with maxSavePostSize and to be more intuitive. (markt)
Add: 57939: Catch and log exceptions thrown by LifecycleListener implementations to prevent them from stopping the execution of subsequent LifecycleListeners. (markt)
Fix: 57977: Correctly bind and unbind the web application class loader during execution of the PersistentValve. (markt)
Fix: Remove some unnecessary code from the web application class loader and deprecate the now unused validate() method since the requirements of SRV.10.7.2 are met using cleaner code in loadClass(String, boolean) and filter(). (markt)
Fix: Correct a bug that prevented the web application class loader's filter() from working correctly. It only returned true for classes in sub-packages of the listed packages, but not classes located in the packages themselves. (markt)
Fix: Add the WebSocket API classes to the list of classes that the web application class loader will always delegate to its parent for loading first. (markt)
Fix: 58015: Ensure that whenever the web application class loader checks to see if it should delegate first, it also checks the result of the filter() method which may indicate that it should always delegate first for the current class/resource regardless of the value of the delegate configuration option. (markt)
Fix: 58023: Fix potentially excessive memory usage due to unnecessary caching of JAR manifests in the web application class loader. (markt)
Fix: 57700: Ensure that Container event ADD_CHILD_EVENT will be sent in all cases. (violetagg)
Fix: 58086: Ensure that WAR URLs are handled properly when using ANT for web application deployment. Based on a patch provided by Lukasz Jader. (violetagg)
Fix: Fix CredentialHandler element handling in storeconfig. (remm)
Coyote:
Fix: 57265: Further fix to address a potential threading issue when sendfile is used in conjunction with TLS. (markt)
Fix: 57936: Improve robustness of the acceptor thread count parameter for NIO2, since it must be set to 1. Submitted by Oliver Kant. (remm)
Add: 57943: Added a work-around to catch ConcurrentModificationExceptions during Poller timeout processing that were causing the Poller thread to stop. The root cause of these exceptions is currently unknown. (markt)
Fix: 57944: Ensure that if non-blocking I/O listeners are set on a non-container thread that the expected listener events are still triggered. (markt)
Fix: Fix possible very long (1000 seconds) timeout with APR/native connector. (markt)
Add: Support "-" separator in the SSLProtocol configuration of the APR/native connector for protocol exclusion. (rjung)
Fix: 58004: Fix AJP buffering output data even in blocking mode. (remm)
WebSocket:
Fix: 57969: Provide path parameters to POJO via per session javax.websocket.server.ServerEndpointConfig as they vary between different requests. (violetagg)
Fix: 57974: Session.getOpenSessions should return all sessions associated with a given endpoint instance, rather than all sessions from the endpoint class. (remm)
Web applications:
Fix: 57282: Update request processing sequence diagrams. Updated diagrams provided by Stephen Chen. (markt)
Fix: 57971: Correct the documentation for the cluster configuration setting recoverySleepTime. (markt)
Add: 57758: Add document of testOnConnect attribute in jdbc-pool doc. (kfujino)
Add: Add description of validatorClassName attribute to testXXXX attributes in jdbc-pool docs. (kfujino)
Tribes:
Code: Use StringManager to provide i18n support in the org.apache.catalina.tribes packages. (kfujino)
Fix: Do not set the nodes that failed to replication to the backup nodes. Ensure that the nodes that the data has been successfully replicated are set to the backup node. (kfujino)
Fix: When failed to replication, rather than all member is handled as a failed member, exclude the failure members from backup members. (kfujino)
jdbc-pool:
Fix: Refactoring of the removeOldest method in SlowQueryReport to behave as expected. (kfujino)
Fix: 57783: Fix NullPointerException in SlowQueryReport. To avoid this NPE, Refactor SlowQueryReport#removeOldest and handle the abandoned connection properly. (kfujino)
Fix: 58042: In SlowQueryReportJmx, the LogSlow and logFailed attributes that inherited from SlowQueryReport are used as a condition of whether JMX notifications are sent. (kfujino)
Fix: Ensure that specified Boolean attribute values of SlowQueryReport reflect correctly. The LogSlow and the logFailed are not system property, these are attributes of SlowQueryReport. (kfujino)
Other:
Update: Update package renamed Apache Commons BCEL to r1682271 to pick up some some code clean up. (markt)
Update: Update package renamed Apache Commons DBCP to r1682314 to pick up the DBCP 2.1 release and additional fixes since then. (markt)
Update: Update package renamed Apache Commons Pool to the 2.4 release. (markt)
Update: Update package renamed Apache Commons File upload to r1682322 to pick up the post 1.3.1 fixes. (markt)
Update: Update package renamed Apache Commons Codes to r1682326. No functional changes. Javadoc only. (markt)
Update: Update optional Checkstyle library to 6.7. (kkolinko)

New in Apache Tomcat 8.0.23 (Jul 7, 2015)

Catalina:
Add: 54618: Add a new HttpHeaderSecurityFilter that adds the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options HTTP headers to the response. (markt)
Fix: 57875: Add javax.websocket.* to the classes for which the web application class loader always delegates first. (markt)
Fix: 57871: Ensure that setting the the allowHttpSepsInV0 property of a LegacyCookieProcessor to false only prevents HTTP separators from being used without quotes. (markt)
Fix: Add a workaround for issues with SPNEGO authentication when running on Java 8 update 40 and later. The workaround should be safe for earlier Java versions but it can be disabled with the applyJava8u40Fix attribute of the SPNEGO authenticator if necessary. (markt)
Fix: 57926: Restore the original X-Forwarded-By and X-Forwarded-For headers after processing by the RemoteIPValve . (markt)
Coyote:
Fix: Follow up to previous fix that removed the behavior difference between NIO and NIO2 for SSL, which caused corruption with NIO2. (remm)
Fix: 57931: Ensure that TLS connections with the NIO or NIO2 HTTP connectors that experience issues during the handshake (e.g. missing or invalid client certificate) are closed cleanly and that the client receives the correct error code rather than simply closing the connection. (markt)
Jasper:
Fix: 56438: Add debug logging to TLD discovery that logs positive and negative results for JARs, resource paths and directories. Patch provided by VIN. (markt)
Fix: 57802: Correct the default implementation of convertToType() provided by javax.el.ELResolver. (markt)
Fix: 57887: Fix compilation of recursive tag files packaged in a JAR. (markt)
Cluster:
Fix: Make sure that stream is closed after using it in DeltaSession.applyDiff(). (kfujino)
Code: Use StringManager to provide i18n support in the org.apache.catalina.ha packages. (kfujino)
Code: Add the context name to log messages when replication context failed to start. (kfujino)
Web applications:
Fix: 57875: Update the web application class loader documentation to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards. (markt)
Fix: 57896: Document system property org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER that was introduced in Tomcat 8.0.0. (kkolinko)
Tribes:
Fix: Ensure that the state transfer flag is updated to true only when the map states have been transferred correctly from existing map members. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.6. (kkolinko)

New in Apache Tomcat 8.0.22 (May 8, 2015)

Catalina:
57736: Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted. (markt)
57752: Exclude non-cached resources from the Cache statistics for resource lookups. Patch provided by Adam Mlodzinski. (markt)
Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
57556: Refine the previous fix fo rthis issue so that the real path returned only has a trialing separator if the requested path ended with /. (markt)
57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
Fix wrong logger name of org.apache.catalina.webresources.StandardRoot. (kfujino)
57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
57841: Improve error logging during web application start. (markt)
57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect(). (markt)
57863: Fix the RewriteMap support in RewriteValve that did not use the correct key value to look up entries. Based on a patch provided by Tatsuya Bessho. (markt)
Coyote:
57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API. (markt)
Remove the experimental support for SPDY. No current user agent supports the version of SPDY that the experiment targetted. Note: HTTP/2 support is under development for Tomcat 9 and may be back-ported to Tomcat 8 once complete. (markt)
Possible incomplete writes with SSL NIO2. (remm)
Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO differences between NIO and NIO2 that don't seem to be justified. (remm)
After some errors, the pending flags could remain set when using SSL NIO2. (remm)
57833: When using JKS based keystores for NIO or NIO2, ensure that the key alias is always converted to lower caes since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt)
57837: Add text/css to the default list of compressable MIME types. (markt)
Jasper:
57845: Ensure that, if the same JSP is accessed directly and via a declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed. (markt)
57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message. (markt)
Cluster:
Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes. (kfujino)
Add new attribute that send all actions for session across Tomcat cluster nodes. (kfujino)
Remove unused pathname attribute in mbean definition of BackupManager. (kfujino)
WebSocket:
57761: Ensure that the opening HTTP request is correctly formatted when the WebSocket client connects to a server root. (remm)
57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped. (markt)
57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message. (markt)
Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste. (markt/kkolinko)
57788: Avoid NPE when looking up a class hierarchy without finding anything. (remm)
Web applications:
57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)
Tribes:
Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processing at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry. (kfujino)
Other:
Add missing pom for tomcat-storeconfig. (remm)
Update optional Checkstyle library to 6.5. (kkolinko)
57707: Improve error message when trying to run a release build on a non-Windows platform and Wine is not available. (markt)

New in Apache Tomcat 8.0.21 (Mar 28, 2015)

Catalina:
Add: 49785: Enable StartTLS connections for JNDIRealm. (fschumacher)
Fix: When docBase refers internal war and unpackWARs is set to false, avoid registration of the invalid redeploy resource that has been added ".war" extension in duplicate. (kfujino)
Fix: If WAR exists, it is not necessary to trigger a reload when adding a Directory. (kfujino)
Fix: 55988: Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8. Based upon a patch provided by Ognjen Blagojevic. (schultz)
Fix: 56608: When deploying an external WAR, add watched resources in the expanded directory based on whether the expanded directory is expected to exist rather than if it does exist. (markt)
Fix: When triggering a reload due to a modified watched resource, ensure that multiple changed watched resources only trigger one reload rather than a series of reloads. (markt)
Fix: 57601: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by the Default servlet. (jboynes/markt)
Fix: 57602: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by a servlet that extends HttpServlet. (markt)
Fix: 57621: When an async request completes, ensure that any remaining request body data is swallowed. (markt)
Fix: 57637: Do not create unnecessary sessions when using PersistentValve. (jboynes/fschumacher)
Fix: 57645: Correct a regression in the fix for 57190 that incorrectly required the path passed to ServletContext.getContext(String) to be an exact match to a path to an existing context. (markt)
Fix: Make sure that unpackWAR attribute of Context is handled correctly in HostConfig. (kfujino)
Fix: When deploying a WAR file that contains a context.xml file and unpackWARs is false ignore any context.xml file that may exist in an expanded directory associated with the WAR. (markt)
Fix: 57675: Correctly quote strings when using the extended access log. (markt)
Add: Enable Tomcat to detect when a WAR file has been changed while Tomcat is not running. Tomcat does this by adding a META-INF/war-tracking file to the expanded directory and setting the last modified time of this file to the last modified time of the WAR. If Tomcat detects a modified WAR via this mechanism the web application will be redeployed (i.e. the expanded directory will be removed and the modified WAR expanded in its place). (markt)
Fix: 57704: Fix potential NPEs during web application start/stop when org.apache.tomcat.InstanceManager is not initialized. (violetagg)
Add: Use the simplified digest output for digest.bat|sh when generating digests with no salt and a single iteration to make it easier to use with DIGEST authentication. (markt)
Fix: Add support for LAST_ACCESS_AT_START system property to SingleSignOn. (kfujino)
Code: Refactor Authenticator implementations to reduce code duplication. (markt)
Fix: 57724: Handle the case in the CORS filter where a user agent includes an origin header for a non-CORS request. (markt)
Fix: When searching for SCIs o.a.catalina.Context.getParentClassLoader will be used instead of java.lang.ClassLoader.getParent. Thus one can provide the correct parent class loader when running embedded Tomcat in other environments such as OSGi. (violetagg)
Fix: 57743: Fix a locked file / resource leak issue when a JAR is accessed just before or during web application undeploy. Patch provided by Pavel Avgustinov. (markt)
Coyote:
Add: 57540: Make TLS/SSL protocol available in a new request attribute (org.apache.tomcat.util.net.secure_protocol_version). (Note that AJP connectors will require mod_jk 1.2.41 or later, or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see the bug comments for details.) Based upon a patch provided by Ralf Hauser. (schultz)
Fix: Fix a cipher ordering issue when using the OpenSSL syntax for JSSE cipher configuration to ensure that ephemeral ECDH with AES is preferred to ephemeral ECDH with anything else. (markt)
Fix: 57570: Make the processing of trailer headers with chunked input optional and disabled by default. (markt)
Fix: 57592: Correctly handle the case where an AsyncContext is used for non-blocking I/O and is completed during a write operation. (markt)
Fix: 57638: Avoid an IllegalArgumentException when an AJP request body chunk larger than the socket read buffer is being read. This typically requires a larger than default AJP packetSize. (markt)
Fix: 57674: Avoid a BufferOverflowException when an AJP response body chunk larger than the socket write buffer is being written. This typically requires a larger than default AJP packetSize. (markt)
Update: Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 branch. (markt)
Fix: Numerous fixes to the APR/native connector to improve robustness. (markt)
Fix: Stop caching and re-using SocketWrapper instances. With the introduction of upgrade and non-blocking I/O, I/O can occur on non-container threads. This makes it nearly impossible to track whether a SocketWrapper is still being references or not. making re-use a risky proposition. (markt)
Code: Refactor Connector authentication (only used by AJP) into a separate method. (markt)
Add: 57708: Implement a new feature for AJP connectors - Tomcat Authorization. If the new tomcatAuthorization attribute is set to true (it is disabled by default) Tomcat will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user. (markt)
Fix: Fix an issue that meant that any pipe-lined data read by Tomcat before an asynchronous request completed was lost during the completion of the asynchronous request. This mean that the pipe-lined request(s) would be lost and/or corrupted. (markt)
Update: Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33. (markt)
Jasper:
Fix: 57135: Package imports via javax.el.ImportHandler should only import public, concrete classes. (markt)
Fix: 57583: Cache 'Not Found' results in javax.el.ImportHandler.resolveClass() to save repeated attempts to load classes that are known not to exist to improve performance. (markt)
Fix: 57626: Correct a regression introduced in the 8.0.16 fix for ensuring Jars were closed after use, that broke recompilation of modified JSPs that depended on a tag file packaged in a Jar. (markt)
Fix: 57627: Correctly determine last modified times for dependencies when a tag file packaged in a JAR depends on a tag file packaged in a second JAR. (markt)
Fix: 57647: Ensure INFO message is logged when scanning jars for TLDs if the scan does not find a TLD in any jar. Previously a message would only be logged if a TLD was not found in all scanned jars. (jboynes)
Update: 57662: Update all references to the ECJ compiler to version 4.4.2. (violetagg)
Cluster:
Fix: Remove unnecessary method that always returns true. The domain filtering works on DomainFilterInterceptor. (kfujino)
WebSocket:
Fix: Correct a bug in the permessage-deflate implementation that meant that the incorrect op-codes were used if an uncompressed message was converted into more than one compressed message. (markt)
Add: 57676: List conflicting WebSocket endpoint classes when there is a path conflict. Based upon a patch proposed by yangkun. (schultz)
Web applications:
Fix: 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is used entered in the access log when Tomcat is running behind a reverse proxy. (markt)
Fix: 57587: Update the JNDI Datasource HOWTO for DBCP2. Patch provided by Phil Steitz. (markt)
Fix: Remove incorrect note from context configuration page in the documentation web application that stated WAR files located outside the appBase were never unpacked. (markt)
Fix: 57683: Ensure that if a client aborts their connection to the stock ticker example (the only way a client can disconnect), the example continues to work for existing and new clients. (markt)
Fix: Make it clear that when using digested passwords with DIGEST authentication that no salt and only a single iteration must be used when generating the digest. (markt)
Update: Update examples to use Apache Standard Taglib 1.2.5. (jboynes)
Extras:
Fix: 57377: Remove the restriction that prevented the use of SSL when specifying a bind address with the JMXRemoteLifecycleListener. Also enable SSL to be configured for the registry as well as the server. (markt)
Tribes:
Fix: When a map member has been added to ReplicatedMap, make sure to add it to backup nodes list of all other members. (kfujino)
Fix: Make sure that refuse the messages from a different domain in DomainFilterInterceptor. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.4.1. (kkolinko)
Fix: 57703: Update the http-method definition for web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. (markt)
Update: Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt)

New in Apache Tomcat 8.0.18 (Feb 24, 2015)

Catalina:
Fix: 57178: The CORS filter now treats null as a valid origin that matches *. Patch provided by Gregor Zurowski. (markt)
Fix: 57425: Don't add attributes with null value or name to the replicated context. (fschumacher)
Add: 57431: Enable usage of custom class for context creation when using embedded tomcat. (fschumacher)
Fix: 57446: Ensure that ServletContextListeners that have limited access to ServletContext methods are called with the same ServletContext instance for both contextInitialized() and contextDestroyed(). (markt)
Fix: 57455: Explicitly block the use of the double-quote character when configuring the common, server and shared class loaders since double-quote is used to quote values that contain commas. (markt)
Fix: 57461: When an instance of org.apache.catalina.startup.VersionLoggerListener logs the result of System.getProperty("java.home") don't report it in a manner that makes it look like the JAVA_HOME environment variable. (markt)
Fix: 57476: Ensure the responses written as part of a forward are fully written. This fixes a regression in 8.0.15 caused by the fix for 57252. (markt)
Fix: While closing streams for given resources ensure that if an exception happens it will be handled properly. Issue is reported by Coverity Scan. (violetagg)
Fix: 57481: Fix IllegalStateException at the end of the request when using non-blocking reads with the HTTP BIO connector. (markt)
Fix: Change Response to use UEncoder instances with shared safeChars. (fschumacher)
Fix: Ensure that when static resources are served from JARs, only static resources are served. (markt)
Add: Allow VersionLoggerListener to log all system properties. This feature is off by default. (kkolinko)
Jasper:
Fix: Ensure that classes imported via the page directive are made available to the EL environment via the ImportHandler. Issue is reported by Coverity Scan. (violetagg)
Fix: 57441: Do not trigger an error when using functions defined by lambdas or imported via an ImportHandler in an EL expression in a JSP. (markt)
Cluster:
Fix: Fix mbean descriptor of ClusterSingleSignOn. (kfujino)
Fix: 57473: Add sanity check to FarmWebDeployer's WarWatcher to detect suspected incorrect permissions on the watch directory. (schultz)
Tribes:
Fix: Clarify the handling of Copy message and Copy nodes. (kfujino)
Fix: Copy node does not need to send the entry data. It is enough to send only the node information of the entry. (kfujino)
Fix: ReplicatedMap should send the Copy message when replicating. (kfujino)
Fix: Fix behavior of ReplicatedMap when member has disappeared. If map entry is primary, rebuild the backup members. If primary node of map entry has disappeared, backup node is promoted to primary. (kfujino)

New in Apache Tomcat 8.0.17 (Jan 17, 2015)

New in Apache Tomcat 8.0.15 (Nov 13, 2014)

Catalina:
Add: 43548: Add an XML schema for the tomcat-users.xml file. (markt)
Add: 43682: Add support for referring to the current context, host and service name in per Context logging.properties files by using the properties ${classloader.webappName}, ${classloader.hostName} and ${classloader.serviceName}. (markt)
Add: 47919: Extend the information logged when Tomcat starts to optionally log the values of command line arguments (enabled by default) and environment variables (disabled by default). Note that the values added to CATALINA_OPTS and JAVA_OPTS environment variables will be logged, as they are used to build up the command line. (markt)
Add: 49939: Expose the method that clears the static resource cache for a web application via JMX. (markt)
Fix: 55951: Allow cookies to use UTF-8 encoded values in HTTP headers. This requires the use of the RFC6265 CookieProcessor. (markt)
Fix: 55984: Using the allow separators in version 0 cookies option with the legacy cookie processor should only apply to version 0 cookies. Version 1 cookies with values that contain separators should not be affected and should continue to be quoted. (markt)
Add: 56393: Add support for RFC6265 cookie parsing and generation. This is currently disabled by default and may be enabled via the CookieProcessor element of a Context. (markt)
Add: 56394: Introduce new configuration element CookieProcessor in Context to allow context-specific configuration of cookie processing options. Attributes of Context element that were added in Tomcat 8.0.13 to allow configuration of a new experimental RFC6265 based cookie parser (useRfc6265 and cookieEncoding) are replaced by this new configuration element. (markt)
Fix: Improve the previous fix for 56401. Avoid logging version information in the constructor since it then gets logged at undesirable times such as when using StoreConfig. (markt)
Fix: 56403: Add pluggable password derivation support to the Realms via the new CredentialHandler interface. (markt/schultz)
Fix: 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
Add: Deprecate the use of system proprties to control cookie parsing and replace them with attributes on the new CookieProcessor that may be configured on a per context basis. (markt)
Fix: Correct an edge case and allow a cookie if the value starts with an equals character and the CookieProcessor is not configured to allow equals characters in cookie values but is configured to allow name only cookies. (markt)
Fix: 57022: Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs. (markt)
Fix: 57027: Add additional validation for stored credentials used by Realms when the credential is stored using hex encoding. (markt)
Fix: 57038: Add a WebResource.getCodeBase() method, implement for all WebResource implementations and then use it in the web application class loader to set the correct code base for resources loaded from JARs and WARs. (markt)
Fix: Correct a couple of NPEs in the JNDI Realm that could be triggered with when not specifying a roleBase and enabling roleSearchAsUser. (markt)
Fix: Correctly handle relative values for the docBase attribute of a Context. (markt)
Fix: Ensure that log messages generated by the web application class loader correctly identify the associated Context when multiple versions of a Context with the same path are present. (markt)
Fix: Remove the unnecessary registration of context.xml as a redeploy resource. The context.xml having an external docBase has already been registered as a redeploy resource at first. (kfujino)
Fix: 57089: Ensure that configuration of a session ID generator is not lost when a web application is reloaded. (markt)
Fix: 57105: When parsing web.xml do not limit the buffer element of the jsp-property-group element to integer values as the allowed values are kb or none. (markt)
Update: Update the minimum required version of the Tomcat Native library (if used) to 1.1.32. (markt)
Fix: Update storeconfig with newly introduced elements: SessionIdGenerator, CookieProcessor, JarScanner and JarScanFilter. (remm)
Fix: Throw a NullPointerException if a null string is passed to the write(String,int,int) method of the PrintWriter obtained from the ServletResponse. (markt)
Fix: Cookie rewrite flag abbreviation should be CO rather than C. (remm)
Fix: 57153: When the StandardJarScanner is configured to scan the full class path, ensure that class path entries added directly to the web application class loader are scanned. (markt)
Fix: AsyncContext should remain usable until fireOnComplete is called. (remm)
Fix: AsyncContext createListener should wrap any instantiation exception using a ServletException. (remm)
Fix: 57155: Allow a web application to be configured that does not have a docBase on the file system. This is primarily intended for use when embedding. (markt)
Fix: Propagate header ordering from fileupload to the part implementation. (remm)
Coyote:
Add: 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. This feature requires Tomcat Native library 1.1.32 or later. (schultz/jfclere)
Code: Cache the Encoder instances used to convert Strings to byte arrays in the Connectors (e.g. when writing HTTP headers) to improve throughput. (markt)
Add: Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and NIO2). The change also ensures that SSLv2 is disabled for these connectors although SSLv2 should already be disabled by default by the JRE. (markt)
Add: Disable SSLv3 by default for the APR/native HTTPS connector. (markt)
Fix: Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
Fix: Trigger an error if an invalid attempt is made to use non-blocking IO. (markt)
Fix: 57157: Allow calls to AsyncContext.start(Runnable) during non-blocking IO reads and writes. (markt)
Fix: Async state MUST_COMPLETE should still be started. (remm)
Jasper:
Fix: 57099: Ensure that semi-colons are not permitted in JSP import page directives. (markt)
Fix: 57113: Fix broken package imports in Expression Language when more than one package was imported and the desired class was not in the last package imported. (markt)
Fix: 57132: Fix import conflicts reporting in Expression Language. (kkolinko)
Fix: When coercing an object to a given type, only attempt coercion to an array if both the object type and the target type are an array type. (violetagg/markt)
Fix: Improve handling of invalid input to javax.el.ImportHandler.resolveClass(). (markt)
Fix: Allow the same class to be added to an instance of javax.el.ImportHandler more than once without triggering an error. The second and subsequent calls for the same class will be ignored. (markt)
Fix: 57136: Ensure only \${ and \#{ are treated as escapes for ${ and #{ rather than \$ and \# being treated as escapes for $ and # when processing literal expressions in expression language. (markt)
Fix: When coercing an object to an array type in Expression Langauage, handle the case where the source object is an array of primitives. (markt/kkolinko)
Fix: Do not throw an exception on missing JSP file servlet initialization. (remm)
Fix: 57148: When coercing an object to a given type and a PropertyEditor has been registered for the type correctly coerce the empty string to null if the PropertyEditor throws an exception. (kkolinko/markt)
Fix: 57153: Correctly scan for TLDs located in directories that represent exanded JARs files that have been added to the web application class loader's class path. (markt)
Fix: 57141: Enable EL in JSPs to refer to static fields of imported classes including the standard java.lang.* imports. (markt)
Cluster:
Fix: Add support for the SessionIdGenerator to cluster manager template. (kfujino)
Fix: Avoid possible integer overflows reported by Coverity Scan. (fschumacher)
WebSocket:
Fix: 57054: Correctly handle the case in the WebSocket client when the HTTP response to the upgrade request can not be read in a single pass; either because the buffer is too small or the server sent the response in multiple packets. (markt)
Add: Extend support for the permessage-deflate extension to the client implementation. (markt)
Fix: Fix client subprotocol handling. (remm)
Fix: Add null checks for arguments in remote endpoint. (remm/kkolinko)
Fix: 57091: Work around the behaviour of the Oracle JRE when creating new threads in an applet environment that breaks the WebSocket client implementation. Patch provided by Niklas Hallqvist. (markt)
Fix: 57118: Ensure that that an EncodeException is thrown by RemoteEndpoint.Basic.sendObject(Object) rather than an IOException when no suitable Encoder is configured for the given Object. (markt)
Web applications:
Fix: Correct a couple of broken links in the Javadoc. (markt)
Fix: Correct documentation for ServerCookie.ALLOW_NAME_ONLY system property. (kkolinko)
Fix: 57049: Clarified that jvmRoute can be set in 's jvmRoute or in a system property. (schultz)
Fix: Correct version of Java WebSocket mentioned in documentation (s/1.0/1.1/). (markt/kkolinko)
Update: Suppress timestamp comments in Javadoc. (kkolinko)
Fix: 57147: Various corrections to the JDBC Store section of the session manager configuration page of the documentation web application. (markt)
Tribes:
Fix: 45282: Improve shutdown of NIO receiver so that sockets are closed cleanly. (fhanik/markt)
jdbc-pool:
Fix: 57005: Fix javadoc errors when building with Java 8. Patch provided by Pierre Viret. (markt)
Fix: 57079: Use Tomcat version number for jdbc-pool module when building and shipping the module as part of Tomcat. (markt)
Fix: Fix broken overview page in javadoc generated via "javadoc" task in jdbc-pool build.xml file. (kkolinko)
Other:
Fix: 56079: The uninstaller packaged with the Apache Tomcat Windows installer is now digitally signed. (markt)
Fix: Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format instead of 12-hour one and use UTC timezone. (markt/kkolinko)
Fix: Update the package renamed copy of Apache Commons DBCP 2 to revision 1631450 to pick up additional fixes since the 2.0.1 release including Javadoc corrections to fix errors when compiling with Java 8. (markt)
Update: 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
Code: In Tomcat tests: log name of the current test method at start time. (kkolinko)

New in Apache Tomcat 8.0.14 (Oct 1, 2014)

New in Apache Tomcat 8.0.12 (Sep 22, 2014)

New in Apache Tomcat 8.0.11 (Sep 22, 2014)

Catalina:
Fix: 56658: Fix regression that a context was inaccessible after reload. (kkolinko)
Fix: 56710: Do not map requests to servlets when context is being reloaded. (kkolinko)
Fix: 56712: Fix session idle time calculations in PersistenceManager. (kkolinko)
Fix: 56717: Fix duplicate registration of MapperListener during repeated starts of embedded Tomcat. (kkolinko)
Add: 56724: Write an error message to Tomcat logs if container background thread is aborted unexpectedly. (kkolinko)
Fix: When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
Fix: Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
Fix: 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
Fix: 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
Fix: 56784: Fix a couple of rare but theoretically possible atomicity bugs. (markt)
Fix: 56785: Avoid NullPointerException if directory exists on the class path that is not readable by the Tomcat user. (markt)
Fix: 56796: Remove unnecessary sleep when stopping a web application. (markt)
Fix: 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (markt)
Fix: 56815: When the gzip option is enabled for the DefaultServlet ensure that a suitable Vary header is returned for resources that might be returned directly in compressed form. (markt)
Fix: Do not mark threads from the container thread pool as container threads when being used to process AsyncContext.start(Runnable) so processing is correctly transferred back to a genuine container thread when necessary. (markt)
Add: Add simple caching for calls to StandardRoot.getResources() in the new (for 8.0.x) resources implementation. (markt)
Fix: 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
Fix: 56840: Avoid NPE when the rewrite valve is mapped to a context. (remm)
Fix: Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
Fix: 56848: Improve handling of accept-language headers. (markt)
Fix: 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
Coyote:
Fix: Fix NIO2 sendfile state tracking and error handling to fix various corruption issues. (remm)
Fix: Missing timeout for NIO2 sendfile writes. (remm)
Fix: Allow inline processing for NIO2 sendfile and optimize keepalive behavior. (remm)
Fix: Fix excessive NIO2 sendfile direct memory use in some cases, sendfile will now instead use the regular socket write buffer as configured. (remm)
Fix: 56661: Fix getLocalAddr() for AJP connectors. The complete fix is only available with a recent AJP forwarder like the forthcoming mod_jk 1.2.41. (rjung)
Fix: Use default ciphers defined as HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 so that no weak ciphers are enabled by default. (remm)
Fix: 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
Fix: 56810: Remove use of Java 8 specific API calls in unit tests for OpenSSL to JSSE cipher conversion. (markt)
Jasper:
Fix: 56709: Fix system property name in a log message. Submitted by Robert Kish. (remm)
Fix: 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
WebSocket:
Fix: 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
Web applications:
Fix: Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
jdbc-pool:
Fix: 53088: More identifiable thread name. (fhanik)
Fix: 53200: Selective logging for slow versus failed queries. (fhanik)
Fix: 53853: More flexible classloading. (fhanik)
Fix: 54225: Disallow empty init SQL. (fhanik)
Fix: 54227: Evaluate max age upon borrow. (fhanik)
Fix: 54235: Disallow nested pools exploitating using data source. (fhanik)
Fix: 54395: Fix JDBC interceptor parsing bug. (fhanik)
Fix: 54537: Performance improvement in StatementFinalizer. (fhanik)
Fix: 54978: Make sure proper connection validation always happens, regardless of config. (fhanik)
Fix: 56318: Ability to trace statement creation in StatementFinalizer. (fhanik)
Fix: 56789: getPool() returns the actual pool, always. (fhanik)
Other:
Add: 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
Add: 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)

New in Apache Tomcat 8.0.10 (Sep 22, 2014)

Catalina:
Fix: 44312: Log an error if there is a conflict between Host and Alias names. Improve host management methods in Mapper to avoid occasionally removing a wrong host. Check that host management operations are performed on the host and not on an alias. (kkolinko)
Code: 56611: Refactor code to remove inefficient calls to Method.isAnnotationPresent(). Based on a patch by Jian Mou. (markt/kkolinko)
Fix: Fix regression in StandardContext.removeApplicationListener(), introduced by the fix for bug 56588. (kkolinko)
Fix: 56653: Fix concurrency issue with lists of contexts in Mapper when stopping Contexts. (kkolinko)
Fix: 56657: When using parallel deployment, if the same session id matches different versions of a web application, prefer the latest version. Ensure that remapping selects the version that we expect. (kkolinko)
Fix: Assert that mapping result object is empty before performing mapping work in Mapper. (kkolinko)
Code: Remove context and wrapper fields in Request class and deprecate their setters. (kkolinko)
Fix: 56658: Avoid delay between registrations of mappings for context and for its servlets. (kkolinko)
Fix: 56665: Correct the generation of the effective web.xml when elements contain an empty string as value. (violetagg)
Fix: Fix storeconfig exception routing issues, so that a major problem should avoid configuration overwrite. (remm)
Fix: Add configuration fields for header names in SSLValve. (remm)
Fix: 56666: When clearing the SSO cookie use the same values for domain, path, httpOnly and secure as were used to set the SSO cookie. (markt)
Fix: 56677: Ensure that HttpServletRequest.getServletContext() returns the correct value during a cross-context dispatch. (markt)
Fix: 56684: Ensure that Tomcat does not shut down if the socket waiting for the shutdown command experiences a SocketTimeoutException. (markt)
Fix: 56693: Fix various issues in the static resource cache implementation where the cache retained a stale entry after the successful completion of an operation that always invalidates the cache entry such as a delete operation. (markt)
Fix: When the current PathInfo is modified as a result of dispatching a request, ensure that a call to HttpServletRequest.getPathTranslated() returns a value that is based on the modified PathInfo. (markt)
Fix: 56698: When persisting idle sessions, only persist newly idle sessions. Patch provided by Felix Schumacher. (markt)
Coyote:
Fix: 56663: Fix edge cases demonstrated by ByteCounter relating to data available, remaining and extra write events, mostly occurring with non blocking Servlet 3.1. (remm)
Fix: Avoid possible NPE stopping endpoints that are not started (stop shouldn't do anything in that case). (remm)
Add: 56704: Add support for OpenSSL syntax for ciphers when using JSSE SSL connectors. Submitted by Emmanuel Hugonnet. (remm)
Update: Allow to configure maxSwallowSize attribute of an HTTP connector via JMX. (kkolinko)
Jasper:
Fix: 56543: Update to the Eclipse JDT Compiler 4.4. (violetagg)
Fix: 56652: Add support for method parameters that use arrays and varargs to ELProcessor.defineFunction().(markt)
WebSocket:
Add: Add support for the permessage-deflate extension. This is currently limited to decompressing incoming messages on the server side. It is expected that support will be extended to outgoing messages and to the client side shortly. (markt)
Web applications:
Fix: Attempt to obfuscate session cookie values associated with other web applications when viewing HTTP request headers with the Cookies example from the examples web application. This reduces the opportunity to use this example for malicious purposes should the advice to remove the examples web application from security sensitive systems be ignored. (markt)
Fix: 56694: Remove references to Manager attribute checkInterval from documentation and Javadoc since it no longer exists. Based on a patch by Felix Schumacher. Also remove other references to checkInterval that are no longer valid. (markt)
Other:
Update: Update the API stability section of the release notes now that Tomcat 8 has had its first stable release. (markt)
Update: Improve build.xml so that when Eclipse JDT Compiler is updated, it will delete the old JAR from build/lib directory. (kkolinko)
Code: Simplify implementation of "setproxy" target in build.xml. (kkolinko)
Update: Update optional Checkstyle library to 5.7. (kkolinko)
Update: 56596: Update to Tomcat Native Library version 1.1.31 to pick up the Windows binaries that are based on OpenSSL 1.0.1h. (markt)
Fix: 56685: Add quotes necessary for daemon.sh to work correctly on Solaris. Based on a suggesiton by lfuka. (markt)
Update: Update package renamed Apache Commons Pool2 to r1609323 to pick various bug fixes. (markt)
Update: Update package renamed Apache Commons DBCP2 to r1609329 to pick up a minor bug fix. (markt)
Update: Update package renamed Apache Commons FileUpload to r1596086 to pick various bug fixes. (markt)

New in Apache Tomcat 8.0.9 (Jun 27, 2014)

Catalina:
Fix: 55282: Ensure that one and the same application listener is added only once when starting the web application. (violetagg)
Fix: 55975: Apply consistent escaping for double quote and backslash characters when escaping cookie values. (markt)
Code: 56387: Improve the code that handles an attempt to load a class after a web application has been stopped. Use common code to handle this case regardless of the access path and don't throw an exception purely to log a stack trace. (markt)
Code: 56399: Improve implementation of CoyoteAdapter.checkRecycled() to do not use an exception for flow control. (kkolinko)
Add: 56461: New failCtxIfServletStartFails attribute on Context and Host configuration to force the context startup to fail if a load-on-startup servlet fails its startup. (slaurent)
Add: 56526: Improved the StuckThreadDetectionValve to optionally interrupt stuck threads to attempt to unblock them. (slaurent)
Fix: 56545: Pre-load two additional classes, the loading of which may otherwise be triggered by a web application which in turn would trigger an exception when running under a security manager. (markt)
Update: 56546: Reduce logging level for stack traces of stuck web application threads printed by WebappClassLoader.clearReferencesThreads() from error to info. (kkolinko)
Code: Refactor and simplify common code in object factories in org.apache.catalina.naming package, found thanks to Simian (Similarity Analyser) tool. Improve handling of Throwable. (markt/kkolinko)
Fix: Relax cookie naming restrictions. Cookie attribute names used in the Set-Cookie header may be used unambiguously as cookie names. The restriction that prevented such usage has been removed. (jboynes/markt)
Fix: Further relax cookie naming restrictions. Version 0 (a.k.a Netscape format) cookies may now use names that start with the $ character. (jboynes/markt)
Fix: Restrict cookie naming so that the = character is no longer permitted in a version 0 (a.k.a. Netscape format) cookie name. While Tomcat allowed this, browsers always truncated the name at the = character leading to a mis-match between the cookie the server set and the cookie returned by the browser. (jboynes/markt)
Add: Add a simple ServiceLoader based discovery mechanism to the JULI LogFactory to make it easier to use JULI and Tomcat components that depend on JULI (such as Jasper) independently from Tomcat. Patch provided by Greg Wilkins. (markt)
Fix: 56578: Correct regression in the fix for 56339 that prevented sessions from expiring when using clustering. (markt)
Fix: 56588: Remove code previously added to enforce the requirements of section 4.4 of the Servlet 3.1 specification. The code is no longer required now that Jasper initialization has been refactored and TLD defined listeners are added via a different code path that already enforces the specification requirements. (markt)
Fix: 56600: In WebdavServlet: Do not waste time generating response for broken PROPFIND request. (kkolinko)
Fix: Provide a better error message when asynchronous operations are not supported by a filter or servlet. Patch provided by Romain Manni-Bucau. (violetagg)
Fix: 56606: User entries in tomcat-users.xml file are recommended to use "username" attribute rather than legacy "name" attribute. Fix inconsistencies in Windows installer, examples. Update digester rules and documentation for MemoryRealm. (markt/kkolinko)
Code: 56611: Refactor code to remove inefficient calls to Method.isAnnotationPresent(). Based on a patch by Jian Mou. (markt)
Coyote:
Fix: 56518: When using NIO, do not attempt to write to the socket if the thread is marked interrupted as this will lead to a connection limit leak. This fix was based on analysis of the issue by hanyong. (markt)
Fix: 56521: Re-use the asynchronous write buffer between writes to reduce allocation and GC overhead. Based on a patch by leonzhx. Also make the buffer size configurable and remove copying of data within buffer when the buffer is only partially written on a subsequent write. (markt)
Fix: Ensure that a request without a body is correctly handled during Comet processing. This fixes the Comet chat example. (markt)
Fix: Fix input concurrency issue in NIO2 upgrade. (remm)
Fix: Correct a copy/paste error and return a 500 response rather than a 400 response when an internal server error occurs on early stages of request processing. (markt)
Code: 56582: Use switch(actionCode) in processors instead of a chain of "elseif"s. (kkolinko)
Fix: 56582#c1: Implement DISPATCH_EXECUTE action for AJP connectors. (kkolinko)
Fix: If request contains an unrecognized Expect header, respond with error 417 (Expectation Failed), according to RFC2616 chapter 14.20. (markt)
Fix: When an error occurs after the response has been committed close the connection immediately rather than attempting to finish the response to make it easier for the client to differentiate between a complete response and one that failed part way though. (markt)
Code: Remove the beta tag from the NIO2 connectors. (remm)
Fix: 56620: Avoid bogus access log entries when pausing the NIO HTTP connector and ensure that access log entries generated by error conditions use the correct request start time. (markt)
Fix: Improve configuration of cache sizes in the endpoint. (markt)
Add: Add a new limit, defaulting to 2MB, for the amount of data Tomcat will swallow for an aborted upload. (markt)
Jasper:
Fix: 56334#c15: Fix a regression in EL parsing when quoted string follows a whitespace. (kkolinko/markt)
Update: 56543: Update to the Eclipse JDT Compiler 4.4RC4 to pick up some fixes for Java 8 support. (markt/kkolinko)
Fix: 56561: Avoid NoSuchElementException while handling attributes with empty string value. (violetagg)
Code: Do not configure a JspFactory in the JasperInitializer if one has already been set as might be the case in some embedding scenarios. (markt)
Add: Add a simple implementation of InstanceManager and have Jasper use it if no other InstanceManager is provided. This makes it easier to use Jasper independently from Tomcat. Patch provided by Greg Wilkins. (markt)
Fix: 56568: Allow any HTTP method when a JSP is being used as an error page. (markt)
Update: 56581: If an error on a JSP page occurs when response has already been committed, do not clear the buffer of JspWriter, but flush it. It will make more clear where the error occurred. (kkolinko)
Fix: 56612: Correctly parse two consecutive escaped single quotes when used in UEL expression in a JSP. (markt)
Update: Move code that parses EL expressions within JSP template text from Parser to JspReader class for better performance. (kkolinko)
Fix: 56636: Correctly identify the required method when specified via ELProcessor.defineFunction(String,String,String,String) when using Expression Language. (markt)
Fix: 56638: When using ELProcessor.defineFunction(String,String,String,String) and no function name is specified, use the method name as the function name as required by the specification. (markt)
WebSocket:
Code: 56446: Clearer handling of exceptions when calling a method on a POJO based WebSocket endpoint. Based on a suggestion by Eugene Chung. (markt)
Fix: When a WebSocket client attempts to write to a closed connection, handle the resulting IllegalStateException in a manner consistent with the handling of an IOException. (markt)
Fix: Add more varied endpoints for echo testing. (remm)
Fix: 56577: Improve the executor configuration used for the callbacks associated with asynchronous writes. (markt)
Web applications:
Fix: Set the path for cookies created by the examples web application so they only returned to the examples application. This reduces the opportunity for using such cookies for malicious purposes should the advice to remove the examples web application from security sensitive systems be ignored. (markt/kkolinko)
Fix: Attempt to obfuscate session cookie values associated with other web applications when viewing HTTP request headers with the Request Header example from the examples web application. This reduces the opportunity to use this example for malicious purposes should the advice to remove the examples web application from security sensitive systems be ignored. (markt)
Add: Add options for all of the WebSocket echo endpoints to the WebSocket echo example in the examples web application. (markt)
Fix: Ensure that the asynchronous WebSocket echo endpoint in the examples web application always waits for the previous message to complete before it sends the next. (markt)
Other:
Update: Update package renamed Apache Commons DBCP2 to r1596858. (markt)

New in Apache Tomcat 7.0.54 (May 24, 2014)

Catalina:
Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 decoder tests to account for UTF-8 decoding improvements in Java 8. The custom UTF-8 decoder is still required due to bugs in the UTF-8 decoder provided by Java. Java 8's decoder is better than Java 7's but it is still buggy. (markt)
56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko)
56321: When a WAR is modified, undeploy the web application before deleting any expanded directory as the undeploy process may refer to classes that need to be loaded from the expanded directory. If the expanded directory is deleted first, any attempt to load a new class during undeploy will fail. (markt)
56339: Avoid an infinite loop if an application calls session.invalidate() from the session destroyed event for that session. (markt)
56365: Simplify file name pattern matching code in StandardJarScanner. Ignore leading and trailing whitespace and empty strings when configuring patterns. Improve documentation. (kkolinko)
56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt)
56382: Information about finished deployment and its execution time is added to the log files. Patch is provided by Danila Galimov. (violetagg)
56383: Properties for disabling server information and error report are added to the org.apache.catalina.valves.ErrorReportValve. Based on the patch provided by Nick Bunn. (violetagg/kkolinko)
Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt)
Modify generic exception handling so that StackOverflowError is not treated as a fatal error and can handled and/or logged as required. (markt)
56409: Avoid StackOverflowError on non-Windows systems if a file named \ is encountered when scanning for TLDs. (markt)
56430: Extend checks for suspicious URL patterns to include patterns of the form *.a.b which are not valid patterns for extension mappings. (markt)
Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt)
Ensure that a TLD parser obtained from the cache has the correct value of blockExternal. (markt)
56441: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component attribute. The logging level is raised from debug to warning. (markt)
56451: Make resources accessed via a context alias accessible via JNDI in the same way standard resources are available. (markt)
56463: Property for disabling server information is added to the DefaultServlet. Server information is presented in the response sent to the client when directory listings is enabled. (violetagg)
Add the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt)
Add the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt)
Make the naming context tokens for containers more robust. Require RuntimePermission when introducing a new token. (markt/kkolinko)
56472: Allow NamingContextListener to clean up on stop if its start failed. (kkolinko)
56492: Avoid eclipse debugger pausing on uncaught exceptions when tomcat renews its threads. (slaurent)
Minor fixes to ThreadLocalLeakPreventionListener. Do not trigger threads renewal for failed contexts. Do not ignore threadRenewalDelay setting. Improve documentation. (kkolinko)
Correct regression introduced in r797162 that broke authentication of users when using the JAASMemoryLoginModule. (markt)
56501: HttpServletRequest.getContextPath() should return the undecoded context path used by the user agent. (markt)
56523: When using SPNEGO authentication, log the exceptions associated with failed user logins at debug level rather than error level. (markt)
56536: Ensure that HttpSessionBindingListener.valueUnbound() uses the correct class loader when the SingleSignOn valve is used. (markt)
Coyote:
56399: Assert that both Coyote and Catalina request objects have been properly recycled. (kkolinko)
56416: Correct documentation for default value of socket linger for the AJP and HTTP connectors. (markt)
Jasper:
56334: Fix a regression in the handling of back-slash escaping introduced by the fix for 55735. (markt/kkolinko)
56425: Improve method matching for EL expressions. When looking for matching methods, an exact match between parameter types is preferred followed by an assignable match followed by a coercible match. (markt)
Correct the handling of back-slash escaping in the EL parser and no longer require that \$ or \# must be followed by { in order for the back-slash escaping to take effect. (markt)
56529: Avoid NoSuchElementException while handling attributes with empty string value in custom tags. Patch provided by Hariprasad Manchi. (violetagg)
Cluster:
Remove cluster and replicationValve from cluster manager template. These instance are not necessary to template. (kfujino)
Add support for cross context session replication to org.apache.catalina.ha.session.BackupManager. (kfujino)
Remove the unnecessary cross context check. It does not matter whether the context that is referenced by other context is set to crossContext=true. The context that refers to the different context must be set to crossContext=true. (kfujino)
Move to org.apache.catalina.ha.session.ClusterManagerBase common logics of org.apache.catalina.ha.session.BackupManager and org.apache.catalina.ha.session.DeltaManager. (kfujino)
Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster. In order to add or remove cluster valve to Container, use pipeline instead of IntrospectionUtils. (kfujino)
There is no need to set cluster instance when SimpleTcpCluster.unregisterClusterValve is called. Set null than cluster instance for cleanup. (kfujino)
Backport refactoring of AbstractReplicatedMap to implement Map rather than extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8. (markt)
WebSocket:
56343: Avoid a NPE if Tomcat's Java WebSocket 1.0 implementation is used with the Java WebSocket 1.0 API JAR from the reference implementation. (markt)
Increase the default maximum size of the executor used by the WebSocket implementation for call backs associated with asynchronous writes from 10 to 200. (markt)
Add a warning if the thread group created for WebSocket asynchronous write call backs can not be destroyed when the web application is stopped. (markt)
Ensure that threads created to support WebSocket clients are stopped when no longer required. This will happen automatically for WebSocket client connections initiated by web applications but stand alone clients must call WsWebSocketContainer.destroy(). (markt)
56449: When creating a new session, add the message handlers to the session before calling Endpoint.onOpen() so the message handlers are in place should the onOpen() method trigger the sending of any messages. (markt)
56458: Report WebSocket sessions that are created over secure connections as secure rather than as not secure. (markt)
Stop threads used for secure WebSocket client connections when they are no longer required and give them better names for easier debugging while they are running. (markt)
Web applications:
Add Support for copyXML attribute of Host to Host Manager. (kfujino)
Ensure that "name" request parameter is used as a application base of host if "webapps" request parameter is not set when adding host in HostManager Application. (kfujino)
Correct documentation on Windows service options, aligning it with Apache Commons Daemon documentation. (kkolinko)
55215: Improve log4j configuration example. Clarify access logging documentation. Based on patches provided by Brian Burch. (kkolinko)
55383: Backport improved HTML markup for tables and code fragments from Tomcat 8 documentation. (kkolinko)
56418: Ensure that the Manager web application does not report success for a web application deployment that fails. (slaurent)
Fix target and rel attributes on links in documentation. They were lost during XSLT transformation. (kkolinko)
Improve valves documentation. Split valves into groups. (kkolinko)
Other:
Align DisplayName of Tomcat installed by service.bat with one installed by the *.exe installer. Print a warning in case if neither server nor client jvm is found by service.bat. (kkolinko)
56363: Update to version 1.1.30 of Tomcat Native library. (schultz)
Update package renamed Apache Commons BCEL to r1593495 to pick up some additional changes for Java 7 support and some code clean up. (markt)
In tests: allow to configure directory where JUnit reports and access log are written to. (kkolinko)

New in Apache Tomcat 8.0.8 Beta (May 22, 2014)

New in Apache Tomcat 7.0.53 (Apr 2, 2014)

Catalina:
Make it easier for applications embedding and/or extending Tomcat to modify the javaseClassLoader attribute of the WebappClassLoader. (markt)
Improve the robustness of web application undeployment based on some code analysis triggered by the report for 54315. (markt)
56219: Improve merging process for web.xml files to take account of the elements and attributes supported by the Servlet version of the merged file. (markt)
56190: The response should be closed (i.e. no further output is permitted) when a call to AsyncContext.complete() takes effect. (markt)
56236: Enable Tomcat to work with alternative Servlet and JSP API JARs that package the XML schemas in such as way as to require a dependency on the JSP API before enabling validation for web.xml. Tomcat has no such dependency. (markt)
56246: Fix NullPointerException in MemoryRealm when authenticating an unknown user. (markt)
56248: Allow the deployer to update an existing WAR file without undeploying the existing application if the update flag is set. This allows any existing custom context.xml for the application to be retained. To update an application and remove any existing context.xml simply undeploy the old version of the application before deploying the new version. (markt)
Redefine the globalXsltFile initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt)
Add a work around for validating XML documents (often TLDs) that use just the file name to refer to refer to the JavaEE schema on which they are based. (markt)
56293: Cache resources loaded by the class loader from /META-INF/services/ for better performance for repeated look ups. (markt)
Coyote:
53119: Make sure the NIO AJP output buffer is cleared on any error to prevent any possible overflow if it is written to again before the connection is closed. This extends the original fix for the APR/native output buffer to the NIO connector. (kkolinko)
56172: Avoid possible request corruption when using the AJP NIO connector and a request is sent using more than one AJP message. Patch provided by Amund Elstad. (markt)
56213: Reduce garbage collection when the NIO connector is under heavy load. (markt)
Improve processing of chuck size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko)
Fix possible overflow when parsing long values from a byte array. (markt)
Jasper:
54475: Add Java 8 support to SMAP generation for JSPs. Patch by Robbie Gibson. (markt)
55483: Improve handing of overloaded methods and constructors in expression language implementation. (markt)
56208: Restore the validateXml option to Jasper that was previously renamed validateTld. Both options are now supported. validateXml controls the validation of web.xml files when Jasper parses them and validateTld controls the validation of *.tld files when Jasper parses them. (markt)
56223: Throw an IllegalStateException if a call is made to ServletContext.setInitParameter() after the ServletContext has been initialized. (markt)
56265: Do not escape values of dynamic tag attributes containing EL expressions. (kkolinko)
Make the default compiler source and target versions for JSPs Java 6 since Tomcat 7 requires Java 6 as a minimum. (markt)
56283: Update to the Eclipse JDT Compiler P20140317-1600 which adds support for Java 8 syntax to JSPs. Add support for value "1.8" for the compilerSourceVM and compilerTargetVM options. (markt)
WebSocket:
Avoid a possible deadlock when one thread is shutting down a connection while another thread is trying to write to it. (markt)
Call onError if an exception is thrown calling onClose when closing a session. (remm)
Web applications:
In the documentation: add support for several documentation tags from Tomcat 8. Such as . (kkolinko)
56093: Add the SSL Valve to the documentation web application. (markt)
56217: Improve readability by using left alignment for the table cell containing the request information on the Manager application status page. (markt)
Fixed java.lang.NegativeArraySizeException when using "Expire sessions" command in the manager web application on a context where the session timeout is disabled. (kfujino)
Add support for LAST_ACCESS_AT_START system property to Manager web application. (kfujino)
Add definition of org.apache.catalina.ant.FindLeaksTask. (kfujino)
56273: If the Manager web application does not perform an operation because the web application is already being serviced, report an error rather than reporting success. (markt)
56304: Add a note to the documentation about not using WebSocket with BIO HTTP in production. (markt)
Other:
56143: Improve service.bat so that it can be launched from a non-UAC console. This includes using a single call to tomcat7.exe to install the Windows service rather than three calls, and using command line arguments instead of environment variables to pass the settings. (markt/kkolinko)
Fix regression in 7.0.52: when using service.bat install to install the service the values for --StdOutput, --StdError options were passed as blank instead of "auto". (kkolinko)
Align options between service.bat and exe Windows installer. For service.bat the changes are in --Classpath, --DisplayName, --StartPath, --StopPath. For exe installer the changes are in --JvmMs, --JvmMx options, which are now 128 Mb and 256 Mb respectively instead of being empty. Explicitly specify --LogPath path when uninstalling Windows service, avoiding default value for that option. (kkolinko)
Simplify Windows *.bat files: remove %OS% checks, as java 6 does not run on ancient non-NT operating systems. (kkolinko)
56137: Explicitly use the BIO connector in the SSL example in server.xml so it doesn't break if APR is enabled. (markt)
56139: Avoid a web application class loader leak in some unit tests when running on Windows. (markt)
Correct build script to avoid building JARs with empty packages. (markt)
Allow to limit JUnit test run to a number of selected test case methods. (kkolinko)
56189: Remove used file cpappend.bat from the distribution. (markt)

New in Apache Tomcat 8.0.5 Beta (Mar 28, 2014)

New in Apache Tomcat 7.0.52 (Feb 20, 2014)

New in Apache Tomcat 7.0.50 (Feb 13, 2014)

Catalina:
fix Handle the case where a context.xml file is added to a web application deployed from a directory. Previously the file was ignored until Tomcat was restarted. Now (assuming automatic deployment is enabled) it will trigger a redeploy of the web application. (markt)
fix Fix string comparison in HostConfig.setContextClass(). (kkolinko)
code Streamline handling of WebSocket messages whe no handler is configured for the message currently being received. (markt)
fix Handle the case where a WebSocket annotation configures a message size limit larger than the default permitted by Tomcat. (markt)
fix 55855: This is a partial fix that bypasses the relatively expensive check for a WebSocket upgrade request if no WebSocket endpoints have been registered. (markt)
fix 55905: Prevent a NPE when web.xml references a taglib file that does not exist. Provide better error message. (violetagg)
Coyote:
fix When using the BIO connector with an internal executor, do not display a warning that the executor has not shutdown as the default configuration for BIO connectors is not to wait. This is because threads in keep-alive connections cannot be interrupted and therefore the warning was nearly always displayed. (markt)
Jasper:
fix JspC uses servlet context initialization parameters to pass configuration so ensure that the servlet context used supports initialization parameters. (markt)
Cluster:
fix In AbstractReplicatedMap#finalize, remove rpcChannel from channel Listener of group channel before sending MapMessage.MSG_STOP message. This prevents that the node that sent the MapMessage.MSG_STOP by normal shutdown is added to member map again by ping at heartbeat thread in the node that received the MapMessage.MSG_STOP. (kfujino)
fix Add time stamp to GET_ALL_SESSIONS message. (kfujino)
Web applications:
fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent warning log. uniqueId must be 16 bytes. (kfujino)
Extras:
update Update dependencies that are used to build tomcat-juli extras component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to version 1.2.17. (rjung)

New in Apache Tomcat 8.0.3 Beta (Feb 13, 2014)

New in Apache Tomcat 8.0.1 Beta (Feb 3, 2014)

New in Apache Tomcat 8.0.0 RC 10 (Dec 28, 2013)

Catalina:
Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes contributions from Nick Williams and Jeremy Boynes. (markt)
Implement JSR 245 MR2 - JSP 2.3. (markt)
Implement JSR 341 - Unified Expression Language 3.0. (markt)
Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. (markt)
46727: Refactor default servlet to make it easier to sub-class to implement finer grained control of the file encoding. Based on a patch by Fred Toth. (markt)
45995: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
Remove duplicate code that converted a Host's appBase attribute to a canonical file. (markt)
51408: Replace calls to Charset.defaultCharset() with an explicit reference to the ISO-8859-1 Charset. (markt)
Refactor initialization code to use a single, consistent approach to determining the Catalina home (binary) and base (instance) directories. The search order for home is catalina.home system property, parent of current directory if boootstrap.jar is present and finally current working directory. The search order for Catalina base is catalina.base system property falling back to the value for Catalina home. (markt)
52092: JULI now uses the OneLineFormatter and AsyncFileHandler by default. (markt)
52558: Refactor CometConnectionManagerValve so that it does not prevent the session from being serialized in when running in a cluster. (markt)
52767: Remove reference to MySQL specific autoReconnect property in JDBCAccessLogValve. (markt)
Make the Mapper type-safe. Hosts, Contexts and Wrappers are no longer handled as plain objects, instead they keep their type. Code using the Mapper doesn't need to cast objects returned by the mapper. (rjung)
Move Manager, Loader and Resources from Container to Context since Context is the only place they are used. The documentation already states (and has done for some time) that Context is the only valid location for these nested components. (markt)
Move the Mapper from the Connector to the Service since the Mapper is identical for all Connectors of a given Service and it is common for there to be multiple Connectors for a Service (http, https and ajp). This means there is now only ever one Mapper per Service rather than possibly multiple identically configured Mapper objects. (markt)
Remove the per Context Mapper objects and use the Mapper from the Service. This removes the need to maintain two copies of the mappings for Servlets and Filters. (markt)
Implement a new Resources implementation that merges Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories into a single framework rather than a separate one for each feature. (markt)
URL rewrite valve, similar in functionality to mod_rewrite. (remm)
Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm)
54095: Add support to the Default Servlet for serving gzipped versions of static resources directly from disk as an alternative to Tomcat compressing them on each request. Patch by Philippe Marschall. (markt)
54708: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt)
Change default configuration so that a change to the global web.xml file will trigger a reload of all web applications. (markt)
55101: Make BASIC authentication more tolerant of whitespace. Patch provided by Brian Burch. (markt)
55166: Move JSP descriptor and tag library descriptor schemas to servlet-api.jar to enable relative references between the schemas to be correctly resolved. (markt)
Refactor the descriptor parsing code into a separate module that can be used by both Catalina and Jasper. Includes patches provided by Jeremy Boynes. (violetagg/markt)
55246: Move TLD scanning to a ServletContainerInitializer provided by Jasper. Includes removal of TldConfig lifecycle listener and associated Context properties. (jboynes)
55317: Facilitate weaving by allowing ClassFileTransformer to be added to WebppClassLoader. Patch by Nick Williams. (markt)
55620: Enable Tomcat to start when either $CATALINA_HOME and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt)
Initialize the JSP runtime in Jasper's initializer to avoid need for a Jasper-specific lifecycle listener. JasperListener has been removed. (jboynes)
Chnage ordering of elements of JMX objects names so components are grouped more logically in JConsole. Generally, components are now grouped by Host and then by Context. (markt)
Coyote:
Experimental support for SPDY. Includes contributions from Sheldon Shao. (costin)
The default connector is now the Java NIO connector even when specifying HTTP/1.1 as protocol (fhanik)
Update default value of pollerThreadCount for the NIO connector. The new default value will never go above 2 regardless of available processors. (fhanik)
54010: Remove some unnecessary code (duplicate calls to configure the scheme as https for AJP requests originally received over HTTPS). (markt)
Refactor char encoding/decoding using NIO APIs. (remm)
Change the default URIEncoding for all connectors from ISO-8859-1 to UTF-8. (markt)
Jasper:
Simplify API of ErrorDispatcher class by using varargs. (kkolinko)
Update Jasper to use the new common web.xml parsing code. Includes patches by Jeremy Boynes. (markt/violetagg)
Create test cases for JspC. Patch by Jeremy Boynes. (markt)
55246: TLD scanning is now performed by JasperInitializer (a ServletContainerInitializer) removing the need for support within the Servlet container itself. The scan is now performed only once rather than in two passes reducing startup time. (jboynes)
55251: Do not allow JspC task to fail silently if the web.xml or web.xml fragment can not be generated. (markt)
Cluster:
Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. (kfujino)
Modify method signature in ReplicationValve. Cluster instance is not necessary to argument of method. (kfujino)
Remove unused expireSessionsOnShutdown attribute in org.apache.catalina.ha.session.BackupManager. (kfujino)
Web applications:
Extend the diagnostic information provided by the Manager web application to include details of the configured SSL ciphers suites for each connector. (markt)
48550: Update examples web application to use UTF-8. (markt)
55383: Improve the design and correct the HTML markup of the documentation web application. Patches provided by Konstantin Preißer. (markt)
Tribes:
Refactor AbstractReplicatedMap to use generics. A key side-effect of this is that the class now implements Map rather than extends ConcurrentMap. (markt)
Other:
Remove unused, deprecated code. (markt)
Remove static info String and associated getInfo() method where present. (markt)
(r1353242, r1353410): Remove Ant tasks jasper2 and jkstatus. The correct names are jasper and jkupdate. (kkolinko)
53529: Clean-up the handling of InterruptedException throughout the code base. (markt)
54899: Provide an initial implementation of NetBeans support. Patch provided by Brian Burch. (markt)
55166: Move the JSP descriptor and tag library descriptor schema defintion files from jsp-api.jar to servlet-api.jar so relative includes between the J2EE, Servlet and JSP schemas are correctly resolved. (markt)
55372: When starting Tomcat with the jpda option to enable remote debugging, by default only listen on localhost for connections from a debugger. Prior to this change, Tomcat listened on all known addresses. (markt)

New in Apache Tomcat 7.0.47 (Oct 28, 2013)

New in Apache Tomcat 8.0.0 RC 5 (Oct 21, 2013)

New in Apache Tomcat 8.0.0 RC 2 (Sep 30, 2013)

Catalina:
Add: Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes contributions from Nick Williams and Jeremy Boynes. (markt)
Add: Implement JSR 245 MR2 - JSP 2.3. (markt)
Add: Implement JSR 341 - Unified Expression Language 3.0. (markt)
Add: Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. (markt)
Update: 46727: Refactor default servlet to make it easier to sub-class to implement finer grained control of the file encoding. Based on a patch by Fred Toth. (markt)
Add: 45995: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
Code: Remove duplicate code that converted a Host's appBase attribute to a canonical file. (markt)
Code: 51408: Replace calls to Charset.defaultCharset() with an explicit reference to the ISO-8859-1 Charset. (markt)
Code: Refactor initialization code to use a single, consistent approach to determining the Catalina home (binary) and base (instance) directories. The search order for home is catalina.home system property, parent of current directory if boootstrap.jar is present and finally current working directory. The search order for Catalina base is catalina.base system property falling back to the value for Catalina home. (markt)
Update: 52092: JULI now uses the OneLineFormatter and AsyncFileHandler by default. (markt)
Fix: 52558: Refactor CometConnectionManagerValve so that it does not prevent the session from being serialized in when running in a cluster. (markt)
Fix: 52767: Remove reference to MySQL specific autoReconnect property in JDBCAccessLogValve. (markt)
Code: Make the Mapper type-safe. Hosts, Contexts and Wrappers are no longer handled as plain objects, instead they keep their type. Code using the Mapper doesn't need to cast objects returned by the mapper. (rjung)
Code: Move Manager, Loader and Resources from Container to Context since Context is the only place they are used. The documentation already states (and has done for some time) that Context is the only valid location for these nested components. (markt)
Code: Move the Mapper from the Connector to the Service since the Mapper is identical for all Connectors of a given Service and it is common for there to be multiple Connectors for a Service (http, https and ajp). This means there is now only ever one Mapper per Service rather than possibly multiple identically configured Mapper objects. (markt)
Code: Remove the per Context Mapper objects and use the Mapper from the Service. This removes the need to maintain two copies of the mappings for Servlets and Filters. (markt)
Add: Implement a new Resources implementation that merges Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories into a single framework rather than a separate one for each feature. (markt)
Add: URL rewrite valve, similar in functionality to mod_rewrite. (remm)
Add: Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm)
Fix: 54708: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt)
Add: Change default configuration so that a change to the global web.xml file will trigger a reload of all web applications. (markt)
Fix: 55101: Make BASIC authentication more tolerant of whitespace. Patch provided by Brian Burch. (markt)
Fix: 55166: Move JSP descriptor and tag library descriptor schemas to servlet-api.jar to enable relative references between the schemas to be correctly resolved. (markt)
Code: Refactor the descriptor parsing code into a separate module that can be used by both Catalina and Jasper. Includes patches provided by Jeremy Boynes. (violetagg/markt)
Code: 55246: Move TLD scanning to a ServletContainerInitializer provided by Jasper. Includes removal of TldConfig lifecycle listener and associated Context properties. (jboynes)
Coyote:
Add: Experimental support for SDPY. Includes contributions from Sheldon Shao. (costin)
Code: The default connector is now the Java NIO connector even when specifying HTTP/1.1 as protocol (fhanik)
Code: Update default value of pollerThreadCount for the NIO connector. The new default value will never go above 2 regardless of available processors. (fhanik)
Fix: 54010: Remove some unnecessary code (duplicate calls to configure the scheme as https for AJP requests originally received over HTTPS). (markt)
Code: Refactor char encoding/decoding using NIO APIs. (remm)
Update: Change the default URIEncoding for all connectors from ISO-8859-1 to UTF-8. (markt)
Jasper:
Code: Simplify API of ErrorDispatcher class by using varargs. (kkolinko)
Code: Update Jasper to use the new common web.xml parsing code. Includes patches by Jeremy Boynes. (markt/violetagg)
Add: Create test cases for JspC. Patch by Jeremy Boynes. (markt)
Code: 55246: TLD scanning is now performed by JasperInitializer (a ServletContainerInitializer) removing the need for support within the Servlet container itself. The scan is now performed only once rather than in two passes reducing startup time. (jboynes)
Cluster:
Code: Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. (kfujino)
Code: Modify method signature in ReplicationValve. Cluster instance is not necessary to argument of method. (kfujino)
Web applications:
Add: Extend the diagnostic information provided by the Manager web application to include details of the configured SSL ciphers suites for each connector. (markt)
Update: 48550: Update examples web application to use UTF-8. (markt)
Update: 55383: Improve the design and correct the HTML markup of the documentation web application. Patches provided by Konstantin Preißer. (markt)
Tribes:
Code: Refactor AbstractReplicatedMap to use generics. A key side-effect of this is that the class now implements Map rather than extends ConcurrentMap. (markt)
Other:
Code: Remove unused, deprecated code. (markt)
Code: Remove static info String and associated getInfo() method where present. (markt)
Update: (r1353242, r1353410): Remove Ant tasks jasper2 and jkstatus. The correct names are jasper and jkupdate. (kkolinko)
Fix: 53529: Clean-up the handling of InterruptedException throughout the code base. (markt)
Add: 54899: Provide an initial implementation of NetBeans support. Patch provided by Brian Burch. (markt)
Fix: 55166: Move the JSP descriptor and tag library descriptor schema defintion files from jsp-api.jar to servlet-api.jar so relative includes between the J2EE, Servlet and JSP schemas are correctly resolved. (markt)
Fix: 55372: When starting Tomcat with the jpda option to enable remote debugging, by default only listen on localhost for connections from a debugger. Prior to this change, Tomcat listened on all known addresses. (markt)

New in Apache Tomcat 8.0.0 RC 1 (Aug 12, 2013)

Catalina:
Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes contributions from Nick Williams and Jeremy Boynes. (markt)
Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. (markt)
45995: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
Remove duplicate code that converted a Host's appBase attribute to a canonical file. (markt)
51408: Replace calls to Charset.defaultCharset() with an explicit reference to the ISO-8859-1 Charset. (markt)
Refactor initialization code to use a single, consistent approach to determining the Catalina home (binary) and base (instance) directories. The search order for home is catalina.home system property, parent of current directory if boootstrap.jar is present and finally current working directory. The search order for Catalina base is catalina.base system property falling back to the value for Catalina home. (markt)
52767: Remove reference to MySQL specific autoReconnect property in JDBCAccessLogValve. (markt)
Make the Mapper type-safe. Hosts, Contexts and Wrappers are no longer handled as plain objects, instead they keep their type. Code using the Mapper doesn't need to cast objects returned by the mapper. (rjung)
Move Manager, Loader and Resources from Container to Context since Context is the only place they are used. The documentation already states (and has done for some time) that Context is the only valid location for these nested components. (markt)
Move the Mapper from the Connector to the Service since the Mapper is identical for all Connectors of a given Service and it is common for there to be multiple Connectors for a Service (http, https and ajp). This means there is now only ever one Mapper per Service rather than possibly multiple identically configured Mapper objects. (markt)
Remove the per Context Mapper objects and use the Mapper from the Service. This removes the need to maintain two copies of the mappings for Servlets and Filters. (markt)
Implement a new Resources implementation that merges Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories into a single framework rather than a separate one for each feature. (markt)
URL rewrite valve, similar in functionality to mod_rewrite. (remm)
Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm)
54708: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt)
Change default configuration so that a change to the global web.xml file will trigger a reload of all web applications. (markt)
55101: Make BASIC authentication more tolerant of whitespace. Patch provided by Brian Burch. (markt)
55166: Move JSP descriptor and tag library descriptor schemas to servlet-api.jar to enable relative references between the schemas to be correctly resolved. (markt)
Refactor the descriptor parsing code into a separate module that can be used by both Catalina and Jasper. Includes patches provided by Jeremy Boynes. (violetagg/markt)
Coyote:
Experimental support for SDPY. Includes contributions from Sheldon Shao. (costin)
The default connector is now the Java NIO connector even when specifying HTTP/1.1 as protocol (fhanik)
Update default value of pollerThreadCount for the NIO connector. The new default value will never go above 2 regardless of available processors. (fhanik)
54010: Remove some unnecessary code (duplicate calls to configure the scheme as https for AJP requests originally received over HTTPS). (markt)
Refactor char encoding/decoding using NIO APIs. (remm)
Jasper:
Simplify API of ErrorDispatcher class by using varargs. (kkolinko)
Update Jasper to use the new common web.xml parsing code. Includes patches by Jeremy Boynes. (markt/violetagg)
Create test cases for JspC. Patch by Jeremy Boynes. (markt)
Cluster:
Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. (kfujino)
Modify method signature in ReplicationValve. Cluster instance is not necessary to argument of method. (kfujino)
Web applications:
Extend the diagnostic information provided by the Manager web application to include details of the configured SSL ciphers suites for each connector. (markt)
Tribes:
Refactor AbstractReplicatedMap to use generics. A key side-effect of this is that the class now implements Map rather than extends ConcurrentMap. (markt)
Other:
Remove unused, deprecated code. (markt)
Remove static info String and associated getInfo() method where present. (markt)
(r1353242, r1353410): Remove Ant tasks jasper2 and jkstatus. The correct names are jasper and jkupdate. (kkolinko)
53529: Clean-up the handling of InterruptedException throughout the code base. (markt)
54899: Provide an initial implementation of NetBeans support. Patch provided by Brian Burch. (markt)
55166: Move the JSP descriptor and tag library descriptor schema defintion files from jsp-api.jar to servlet-api.jar so relative includes between the J2EE, Servlet and JSP schemas are correctly resolved. (markt)

New in Apache Tomcat 7.0.42 (Jul 6, 2013)

Catalina:
fix: Enforce the restriction described in section 4.4 of the Servlet 3.0 specification that requires the new pluggability methods only to be available to ServletContextListeners defined in one of the specified ways. (markt)
fix: Better handle FORM authentication when requesting a resource as an unauthenticated user that is only protected for a sub-set of HTTP methods that does not include GET. (markt)
fix: Add support for a JAAS Realm instance to use a dedicated configuration rather than the JVM global JAAS configuration. This is most likely to be useful for per web application JAAS Realms. Based on a patch by eolivelli. (markt)
fix: Fix JAR file scanning when Tomcat is deployed via Java Web Start. Patch provided by Nick Williams. (markt)
add: Add the ability to configure the RMI bind address when using the JMX remote lifecycle listener. Patch provided by Alexey Noskov. (markt)
fix: Ensure original exception is reported if JDBC Realm fails to read a user's credentials. (markt)
fix, 55108, 55109, 55110, 55158 & 55159: Small performance improvements. Patches provided by Adrian Nistor. (markt/violetagg)
add: Add support for time to first byte in the AccessLogValve. Patch provided by Jeremy Boynes. (markt)
fix: If the Server container fails to start, don't allow the Catalina wrapper to start (used when running from the command line and when running as a service) since Tomcat will not be able to do any useful work. (markt)
fix: Update the JreMemoryLeakPreventionListener to take account of changes in the behaviour of java.beans.Introspector.flushCaches() and sun.awt.AppContext.getAppContext() in Java 7. (markt)
fix: Avoid WARNING log message of Users:type=UserDatabase,database=UserDatabase at Tomcat shutdown. (pero)
fix: Avoid ClassCastException when an asynchronous dispatch is invoked in an asynchronous cycle which is started by a call to ServletRequest.startAsync(ServletRequest,ServletResponse) where ServletRequest/ServletResponse are custom implementations. (violetagg)
fix: Correct a regression introduced in 7.0.39 (refactoring of base 64 encoding and decoding) that broke the JNDI Realm when userPassword was set and passwords were hashed with MD5 or SHA1. (markt/kkolinko)
fix: Correct the mechanism for the path calculation in AsyncContext.dispatch(). (violetagg)
fix: Avoid constant focus grabbing when running the Tomcat unit tests under Java 6 on OSX. Patch provided by Casey Lucas. (markt)
fix: Don't ignore connectionUploadTimeout setting when using HTTP NIO connector. (markt)
fix: Correctly handle regular expressions within SSI expressions that contain an equals character. (markt)
Coyote:
fix: Correctly handle infinite soTimeout for BIO HTTP connector. Based on a patch by Nick Bunn. (markt)
fix: Correctly handle infinite soTimeout when disableUploadTimeout is set to false. Patch provided by Nick Bunn. (violetagg)
Cluster:
fix: Delete leftover of war file from tempDir when removing invalid FileMessageFactory. (kfujino)
fix: Ensure that the keepAlive of NioSender works correctly when keepAliveCount/keepAliveTime is set to a value greater than 0. (kfujino)
add: Add logging of when a member is unable to join the cluster. (kfujino)
fix: Replace Tribes's TaskQueue as executor's workQueue in order to ensure that executor's maxThread works correctly. (kfujino)
fix: Fix an additional code path that could lead to multiple threads attempting to modify the same selector key set. (markt)
Web applications:
add: Complete the document for MessageDispatch15Interceptor. (kfujino)
add: Document the circumstances under which Tomcat will add a javax.mail.Authenticator to mail sessions created via a JNDI resource. (markt)
fix: Correct the Javadoc for the remote IP valve so the correct name is used to refer to the proxiesHeader property. (markt)
jdbc-pool:
fix: Fixed Export-Package header and uses directives in MANIFEST.MF. Change the version for package org.apache.juli.logging to "0" in Import-Package header. Thus any version of that package can be used.
Other:
update: Update Maven Cental location used to download dependencies at build time to be repo.maven.apache.org. (kkolinko)
update: Update JUnit to version 4.11. Configure separate download for Hamcrest 1.3 core library as its classes are no longer included in junit.jar. (kkolinko)
fix: When using a forced stop, allow a short period of time (5s) for the process to die before returning. Patch provided by mukarram.baig. (markt)
fix: Ensure that the build process produces Javadoc that is not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler. (markt)

New in Apache Tomcat 7.0.41 (Jun 12, 2013)

Catalina:
fix 54703: Make parsing of HTTP Content-Type headers tolerant of any CR or LF characters that appear in the value passed by the application. Also fix some whitespace parsing issues identified by the additional test cases. (markt)
fix Prevent possible WAR file locking when reading a context.xml file from an unexpanded WAR file. Note that in normal usage, the JreMemoryLeakPreventionListener would protect against this. (markt)
fix Ensure that when auto deployment runs for a Host, it uses the latest values for copyXML, deployXML and unpackWARs. (markt)
fix 54939: Provide logging (using a UserDataHelper) when HTTP header parsing fails (e.g. when maxHeaderCount is exceeded). (markt)
add 54944: Enhancements to the unit tests for FORM authentication. Patch provided by Brian Burch. (markt)
fix 54955: When a reload of the application is performed ensure that a subsequent request to the context root does not result in a 404 response. (violetagg)
fix 54971: Ensure that the correct location is used when writing files via javax.servlet.http.Part.write(String). (markt)
fix 54974: Ensure that SessionCookieConfig#set will throw IllegalStateException if the ServletContext from which this SessionCookieConfig was acquired has already been initialized. (violetagg)
fix 54981: Ensure that ServletContext#getJspConfigDescriptor() will return null when there is no jsp configuration provided by web.xml/web-fragment.xml. (violetagg)
fix Ensure that when Tomcat's anti-resource locking features are used that the temporary copy of the web application and not the original is removed when the web application stops. (markt)
fix 54984: Use the correct encoding when processing a form data posted as multipart/form-data even when the request parameters are not parsed. (violetagg)
fix 54999: The old JSESSIONIDSSO needs to be removed when SSO is being used and logout() and login() occur within a single request. Patch provided by Keith Mashinter. (markt)
add 55035: Add support for the version attribute to the deploy command of the Ant tasks for interfacing with the text based Manager application. Patch provided by Sergey Tcherednichenko. (markt)
add 55046: Add a Servlet Filter that implements CORS. Patch provided by Mohit Soni. (markt)
add 55052: JULI's LogManager now additionally looks for logging properties without prefixes if the property cannot be found with a prefix. (markt)
fix Ensure that only the first asynchronous dispatch operation for a given asynchronous cycle will be performed. Any subsequent asynchronous dispatch operation for the same asynchronous cycle will be ignored and IllegalStateException will be thrown. (violetagg)
Coyote:
fix 54947: Fix the HTTP NIO connector that incorrectly rejected a request if the CRLF terminating the request line was split across multiple packets. Patch by Konstantin Preißer. (markt)
Jasper:
fix 54964: Allow tag plug-ins to be packaged with a web application. Patch provided by Sheldon Shao. (markt)
fix 54968: Return the correct version number (2.2) of the JSP specification that is supported by the JSP engine when javax.servlet.jsp.JspEngineInfo#getSpecificationVersion() is invoked. (violetagg)
Cluster:
add Add maxValidTime attribute to prevent the leak of FileMessageFactory in FarmWarDeployer. (kfujino)
code Simplify the code of ReplicationValve: Rather than get cluster instance from container on every request, use instance variable. (kfujino)
add Add maxWait attribute that the senderPool will wait when there are no available senders. (kfujino)
add Improve error message by including specified timeout if failed to retrieve a data sender. (kfujino)
add Add removeSuspectsTimeout attribute in order to remove a suspect node in TcpFailureDetector. (kfujino)
Web applications:
fix 54931: Add information to the Window Service how-to about installing and running multiple instances. Based on a patch by Chris Derham. (markt)
fix 54932: Correct the link to Tribes documentation. (violetagg)
add Add document for o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino)

New in Apache Tomcat 7.0.40 (May 11, 2013)

Catalina:
update: Update Tomcat's internal copy of Commons FileUpload to FileUpload 1.3.
54178: Protect against AsyncListener implementations that throw RuntimeExceptions in response to an event.
54791: Restore tools.jar entry in jarsToSkip property to prevent warnings when running Tomcat from Eclipse.
54851: When scanning for web fragments, directories without any web-fragment.xml should not impact the status of distributable element. Patch provided by Trask Stalnaker.
When an error occurs during the sending of a WebSocket message, notify the Inbound side (where all the events occur that the application reacts to) that an error has occurred and that the connection is being closed.
54906: Better error message if a ConcurrentModificationException occurs while checking for memory leaks when a web application stops. Also ensure that the exception does not cause remaining checks to be skipped.
fix - Allow 204 responses (no content) to include entity headers as required by RFC2616.
Coyote:
fix - Ensure write errors when using HTTP Upgrade with the APR/native connector result in IOExceptions rather than errors being silently swallowed.
Jasper:
54802: Provide location information for exceptions thrown by JspDocumentParser.
54801: Do not attempt to parse text that looks like an EL expressions inside a scriptlet in a JSP document because EL expressions are not permitted in scriptlets.
54821: Do not attept to parse text that looks like an EL expressions in a JSP document if EL expressions have been disabled.
54888: Add support for CSV lists with the ForEach tag plugin. Patch provided by Sheldon Shao.
Cluster:
fix - Add several improvements for FarmWarDeployer.
Web applications:
54872: Correct Cluster Receiver page of Tomcat documentation.
jdbc-pool:
update - Document StatementCache interceptor.
fix - Fix minor threading issue in ConnectionPool.
fix - 54732: Fix leak of statements in StatementCache interceptor.
fix - Fix NPE in SlowQueryReportJmx when running TestSlowQueryReport test.
Other:
update - Update to Eclipse JDT Compiler 4.2.2.
update - 54890: Update to Apache Commons Daemon 1.0.15.
update - Convert remaining unit tests to JUnit 4 and enable Checkstyle rule that forbids use of methods from JUnit 3.
fix - Remove unneeded permissions for reading UserDataHelper properties from catalina.policy file. The class that needed those was moved in 7.0.26.

New in Apache Tomcat 7.0.39 (Mar 27, 2013)

New in Apache Tomcat 7.0.37 (Feb 22, 2013)

New in Apache Tomcat 7.0.36 (Feb 22, 2013)

Catalina:
fix Make additional allowances for buggy client implementations of HTTP DIGEST authentication. This is a follow-on to 54060. (markt)
fix 54438: Fix a regression in the fix for 52953 that triggered a NPE when digested passwords were used and an authentication attempt was made for a user that did not exist in the realm. (markt)
fix 54448: Correctly handle @Resource annotations on primitives. Patch provided by Violeta Georgieva. (markt)
fix 54450: Correctly handle resource injection when part of the servlet properties uses @Resource and the other uses injection-target. Patch provided by Violeta Georgieva. (markt)
fix 54458: Include exception when logging errors in the DataSourceRealm. Patch provided by Violeta Georgieva. (markt)
fix 54483: Correct one of the Spanish translations. Based on a suggestion from adinamita. (markt)
fix Prevent the SSO deregister when web application is stopped or reloaded. When StandardManager(pathname="") or DeltaManager stops normally, all sessions in the context are expired. In this case, because most sessions is not time-out, SSO deregister was triggered. (kfujino)
fix Include the exception in the log message if the parsing of the context.xml file fails. (markt/kkolinko)
fix 54497: Make memory leak detection code more robust so a failure in the leak detection code does not prevent the Context from stopping unless the error is fatal to the JVM. (markt)
fix 54507: Do not start the background thread that is used to expiring sessions (amongst other things) until the web application is fully started. Stop the background thread as soon as the web application is stopped. (markt)
Coyote:
fix 54324: Allow APR connector to disable TLS compression if OpenSSL supports it. (schultz)
fix 54406: Fix NIO HTTPS connector to prune specified ciphers and sslEnableProtocols options to those supported by the SSL implementation, sharing logic with the BIO connector. Modified ciphers and sslEnabledProtocols option pruning to not silently revert to JVM defaults when none of the options specified are supported - new behaviour is to warn and explicitly enable no options. (timw)
fix Align NIO HTTP connector with other HTTP connectors and include leading blank lines when determining the size of the HTTP headers. (markt)
Jasper:
fix 53869: Performance improvement for pages with lots of heavily nested tags. Retain a reference to the root JSP context rather than traversing the hierarchy on every call. Based on a patch suggested by Sheldon Shao. (markt)
fix 54440: Correct a regression caused by the changes for 54240 that broke compilation of JSPs with JspC. Patch provided by Sheldon Shao. (markt)
fix 54466: Improve error message by including the name of the file when the java file generated from a tag file cannot be compiled. Based on a patch by Sheldon Shao. (markt)
Cluster:
fix Fix incorrect increment of counterSend_EVT_SESSION_EXPIRED and counterSend_EVT_CHANGE_SESSION_ID. These values are not incremented if no members active in cluster group. (kfujino)
fix 54476: Correct error in Javadoc of GroupChannel send methods to maker clear that the minimum length of the destination member array is one, not two. (markt)
fix Prevent SSO deregister when node shutdown normally in cluster environment. (kfujino)
fix Check cluster member before sending replicate message in ClusterSingleSignOn. (kfujino)
Web applications:
fix 54461: Improve the documentation for the compiler attribute in the Jasper how-to. (markt)
add Add Jespa to the list of third-party Windows authentication providers and make external links in the documentation for those providers no-follow. (markt)
Tribes:
fix 54496: Don't use a hard-coded class name in MemberImpl.toString(). (markt)
Other:
update Update to Commons Daemon 1.0.12. (markt)

New in Apache Tomcat 7.0.35 (Jan 17, 2013)

Catalina:
54247: Prevent ClassNotFoundExceptions on stop when running as a service. (markt)
54249: Ensure resource properties are available when the context path contains encoded characters such as a space. This triggered compilation issues in Jasper. Patch provided by Polina Genova. (markt)
54256: Improve error reporting when a JAR file fails extension validation by including the name of the JAR file in the exception. (markt)
Allow web applications to be stopped cleanly even if filters throw exceptions when their destroy() method is called. (markt/kkolinko)
Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one. (kkolinko)
Cleanup method cache lookup code in SecurityUtil class. (kkolinko)
Make the Tomcat 7 non-JSR356 WebSocket implementation non-blocking (where supported by the connector) between the HTTP upgrade and the first WebSocket message from the client to the server. (markt)
54262: Ensure that an empty element in the main web.xml file disables scanning for web fragments. Based on a patch by Violeta Georgieva. (markt)
54284: As per clarification from the Servlet EG, anonymous Filters and Servlets are not permitted. Patch by Violeta Georgieva. (markt)
54371: Prevent exceptions when processing web fragments for unexpanded WAR files when the context path contains characters that need to be encoded in URLs such as spaces. Based on a patch by Polina Genova. (markt)
54372: Make HTTP Digest authentication header parsing tolerant of invalid headers sent by known buggy clients. (markt)
54377: Correctly set request attributes for AccessLog in RemoteIpFilter. Patch by Violeta Georgieva. (markt)
54379: Implement support for post-construct and pre-destroy elements in web.xml. Patch by Violeta Georgieva. (markt)
54380: Do not try to register servlets or contexts into the mapper too early (which just caused a warning to be logged). (kkolinko)
Fix NPE in WebappLoader.stopInternal when stop is called after a failed start. (kkolinko)
54381: Add support for receiving WebSocket pong messages. (markt)
54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
Fix ArrayIndexOutOfBoundsException in HttpParser when parsing incorrect HTTP headers. (kkolinko)
54387: Deployment must fail when multiple servlets are mapped to the same url-pattern. (markt)
54391: Provide a value for the javax.servlet.context.orderedLibs attribute. (markt)
Coyote:
54248: Ensure that byte order marks are swallowed when using a Reader to read a request body with a BOM for those encodings that require byte order marks. (markt)
Fix release of processors in AjpNioProtocol. Wrong object was used as a key in the connections map. (kkolinko)
Jasper:
54240: Add support for auto-detection and configuration of JARs on the classpath that provide tag plug-in implementations. Based on a patch by Sheldon Shao. (markt)
54241: Revert the fix for 35410 as it was not compliant with the JSP specification, specifically that must be translated to out.print(obj) which in turn becomes out.write(String.valueOf(obj)). This will trigger a NullPointerException if obj.toString() returns null. The fix for 35410 incorrectly suppressed the NullPointerException in this case. (markt)
54242: Correct handle null iterations with in the JSTL ForEach tag plug-in implementation. Patch provided by Sheldon Shao. (markt)
54260: Avoid NullPointerException when using JSP unloading and tag files. (markt)
54370: Improve handling of nulls when trying to match sets of parameters to a method in EL. (markt)
54338: Correctly coerce the value to the expected type when using the tag plug-in for the JSTL set tag. Patch provided by Sheldon Shao. (markt)
Web applications:
54244: Clarify the documentation for the BIO and NIO SSL configuration attributes sslEnabledProtocols and sslProtocol within the documentation web application. (markt)
Integrate documentation of Tomcat 7 with Apache Comments System. People can leave their comments when reading documentation online at the tomcat.apache.org site. (rjung)
Other:
54390: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME. (schultz)

New in Apache Tomcat 7.0.34 (Dec 12, 2012)

New in Apache Tomcat 7.0.33 (Dec 12, 2012)

Catalina:
add 53960, 54115: Extensions to HttpClient test helper class. Patches by Brian Burch. (markt/kkolinko)
fix 53993: Avoid a possible NPE in the AccessLogValve when the session ID is logged and a session is invalidated. (markt)
fix Add support for LAST_ACCESS_AT_START system property to PersistentManager. (kfujino)
add Update MIME type mapping with additional / updated mime.types from the Apache web server. (markt)
fix 54007: Fix a memory leak that prevented deletion of a context.xml file associated with a Context that had failed to deploy. Also fix the problems uncovered with undeploying such a Context once the leak had been fixed and the file could be deleted. (markt)
fix 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
fix 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
fix 54060: Use a simple parser rather than a regular expression to parse HTTP Digest authentication headers so the header is correctly parsed. The new approach is also faster and generates less garbage. (markt)
fix 54068: Rewrite the web fragment ordering algorithm to resolve multiple issues that resulted in incorrect ordering or failure to find a correct, valid order. (markt)
update The HTTP header parser added to address 52811 has been removed and replaced with the light-weight HTTP header parser created to address 54060. The new parser includes a work-around for a bug in the Adobe Acrobat Reader 9.x plug-in for Microsoft Internet Explorer that was identified when the old parser was introduced (53814).
fix 54076: Add an alternative work-around for clients that use SPNEGO authentication and expect the authenticated user to be cached per connection (Tomcat only does this if an HTTP session is available). (markt)
fix 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt)
fix 54096: In web.xml, should accept any type that has a constructor that takes a single String or char. (markt)
add 54127: Add support for sending a WebSocket Ping. Patch provided by Sean Winterberger. (markt)
fix In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
fix Ensure AsyncListener.timeout() and AsyncListener.complete() are called with the correct thread context class loader. (fhanik)
fix 54123: If an asynchronous request times out without any AsyncListeners defined, a 500 error will be triggered. (markt)
fix 54124: Correct provided value of request attribute javax.servlet.async.request_uri and add missing request attribute javax.servlet.async.path_info. (markt)
add Add denyStatus initialization parameter to CsrfPreventionFilter, allowing to customize the HTTP status code used for denied requests. (kkolinko)
fix 54141: Increase the permitted number of nested Realm levels from 2 to 3 by default and make the limit configurable via a system property. (markt)
fix Revert occasional API change in BaseDirContext class that was done in 7.0.32. Methods should not be final. (kkolinko)
fix Prevent failures in the AccessLogValve when running under a SecurityManager and the first request received is an asynchronous one. (markt)
Coyote:
fix Correct an issue that prevented WebSockets from being used over SSL when using the HTTP NIO connector. (markt)
fix 54022: Ensure the Comet END event is triggered on client disconnect with APR/native on Windows Vista/2k8 or later. Patch provided by Douglas Beachy. (markt)
fix 54067: Ensure responses with 1xx response codes are correctly marked as not containing an entity body. This caused an issue for some WebSocket clients when an Transfer-Encoding header was sent with the 101 (HTTP upgrade) response. (markt)
Jasper:
code 53867: Optimise the XML escaping provided by the PageContext implementation. Based on a patch by Sheldon Shao. (markt)
code 53896: Use an optimised CompositeELResolver for Jasper that skips resolvers that are known to be unable to resolve the value. Patch by Jarek Gawor. (markt)
fix 53986: Correct a regression introduced by the fix for 53713. JSP comments that ended with the sequence ---%> (or any similar sequence with a odd number of - characters) was not correctly parsed. (markt)
fix 54011: Fix a bug in the tag plug-in for that triggered a JSP compilation error if the escapeXml attribute was used. Patch provided by Sheldon Shao. (markt)
code Follow up to 54011. Simplify generated code for . Based on a patch by Sheldon Shao. (markt)
fix 54012: Fix a bug in the tag plug-in infrastructure that meant the triggered a JSP compilation error when used in a tag file. Based on a patch provided by Sheldon Shao. (markt)
code 54017: Simplify coercion of String instances to Object. (markt)
fix 54144: Fix a bug in the tag plug-in for that meant that if the value of the tag evaluated to a java.io.Reader object then it was not correctly handled. (markt)
Cluster:
fix Add getSessionIdsFull operation to mbeans-descriptor. listSessionIdsFull no longer exist. (kfujino)
fix 54086: Fix threading issue when stopping an NioReceiver. (markt)
Web applications:
add 54143: Add display of the memory pools usage (including PermGen) to the Status page of the Manager web application. (kkolinko)
Tribes:
fix 54045: Make sure getMembers() returns available member when TcpFailureDetector works in static cluster. (kfujino)

New in Apache Tomcat 7.0.32 (Oct 8, 2012)

Dependency Changes:
Tomcat 7.0 is designed to run on Java SE 6 and later.
In addition, Tomcat 7.0 uses the Eclipse JDT Java compiler for compiling JSP pages. This means you no longer need to have the complete Java Development Kit (JDK) to run Tomcat, but a Java Runtime Environment
(JRE) is sufficient. The Eclipse JDT Java compiler is bundled with the binary Tomcat distributions. Tomcat can also be configured to use the compiler from the JDK to compile JSPs, or any other Java compiler supported by Apache Ant.
API Stability:
The public interfaces for the following classes are fixed and will not be changed at all during the remaining lifetime of the 7.x series: - javax/**/*
The public interfaces for the following classes may be added to in order to resolve bugs and/or add new features. No existing interface will be removed or changed although it may be deprecated.
The remaining classes are considered part of the Tomcat internals and may change without notice between point releases.
JNI Based Applications:
Applications that require native libraries must ensure that the libraries have been loaded prior to use.
To avoid this problem, place classes that load native libraries outside of the web application, and ensure that the loadLibrary() call is executed only once during the lifetime of a particular JVM.
Bundled APIs:
A standard installation of Tomcat 7.0 makes all of the following APIs available for use by web applications (by placing them in "lib"):
annotations-api.jar (Annotations package)
catalina.jar (Tomcat Catalina implementation)
catalina-ant.jar (Tomcat Catalina Ant tasks)
catalina-ha.jar (High availability package)
catalina-tribes.jar (Group communication)
ecj-3.7.2.jar (Eclipse JDT Java compiler)
el-api.jar (EL 2.2 API)
jasper.jar (Jasper 2 Compiler and Runtime)
jasper-el.jar (Jasper 2 EL implementation)
jsp-api.jar (JSP 2.2 API)
servlet-api.jar (Servlet 3.0 API)
tomcat-api.jar (Interfaces shared by Catalina and Jasper)
tomcat-coyote.jar (Tomcat connectors and utility classes)
tomcat-dbcp.jar (package renamed database connection pool based on Commons DBCP)
You can make additional APIs available to all of your web applications by putting unpacked classes into a "classes" directory (not created by default), or by placing them in JAR files in the "lib" directory.
To override the XML parser implementation or interfaces, use the endorsed mechanism of the JVM. The default configuration defines JARs located in "endorsed" as endorsed.
Web application reloading and static fields in shared libraries:
Some shared libraries (many are part of the JDK) keep references to objects instantiated by the web application. To avoid class loading related problems (ClassCastExceptions, messages indicating that the classloader is stopped, etc.), the shared libraries state should be reinitialized.
Something which might help is to avoid putting classes which would be referenced by a shared static field in the web application classloader, and putting them in the shared classloader instead (JARs should be put in the "lib" folder, and classes should be put in the "classes" folder).
Enabling SSI and CGI Support:
Because of the security risks associated with CGI and SSI available to web applications, these features are disabled by default.
Security manager URLs:
In order to grant security permissions to JARs located inside the web application repository, use URLs of of the following format in your policy file: file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar
Symlinking static resources:
By default, Unix symlinks will not work when used in a web application to link resources located outside the web application root directory.
This behavior is optional, and the "allowLinking" flag may be used to disable the check.

New in Apache Tomcat 7.0.30 (Sep 6, 2012)

New in Apache Tomcat 7.0.29 (Jul 19, 2012)

Catalina:
Add support for searching for roles in JNDI/LDAP using another value than the actual DN or username specified. Rather it will use a value from the users directory entry. The new attribute introduced to the JNDIRealm is userRoleAttribute (fhanik)
Fix checking of recommended tcnative library version when using the APR connector. (rjung)
0306: Improve StuckThreadDetectionValve: add stuckThreadNames property as a pair for the stuckThreadIds one, add thread ids to the log messages. (kkolinko)
52135: Add support for a default error page to be defined in web.xml by defining an error page with just a nested location element. It appears this feature was intended to be included in the Servlet 3.0 specification but was accidently left out. (markt)
53450: Correct regression in fix for 52999 that could easily trigger a deadlock when deploying a ROOT web application. (markt)
As per section 1.6.2 of the Servlet 3.0 specification and clarification from the Servlet Expert Group, the servlet specification version declared in web.xml no longer controls if Tomcat scans for annotations. Annotation scanning is now always performed - regardless of the version declared in web.xml - unless metadata complete is set to true. (markt)
As per clarification from the Servlet Expert Group, JARs are always checked for ServletContainerInitializers regardless of the setting of metadata complete. (markt)
53465: Populate mapped-name property for resources defined in web.xml. Based on a patch by Violeta Georgieva. (markt)
Make the request available when establishing a WebSocket connection. (markt)
53467: Correct a regression in the fix for 53257 that introduced problems for JSPs that used characters that must be encoded if used in a URI. (markt)
Coyote:
53430: Avoid a JVM crash when a connector that requires the APR/native library is explicitly specified and the library, or a recent enough version of it, is not available. (markt)
Jasper:
53421: Provide a more helpful error message if a getter or setter cannot be found for a bean property when using expression language. (markt)
53460: Allow container to handle errors if the creation of the PageContext fails rather than swallowing the error. (markt)
Web applications:
Update the WebSocket examples in the examples web application so that they work with secure connections (wss) as well as non-secure (ws) connections. (markt)
53456: Minor corrections and improvements to the HTTP connector configuration reference. Patch provided by sebb. (markt)
53459: Correction and clarifications to the SSL Connector configuration examples in the SSL how-to. (markt)
53464: Correct reference to sample init.d script for use with jsvc in the documentation web application. (markt)
53473: Correct the allowed values for the SSI option isVirtualWebappRelative which are true or false. (markt)
Document roleNested property of JNDIRealm in Configuration Reference. (kkolinko)
jdbc-pool:
53445 (r1354173): Allow configurable name for SlowQueryReportJmx (fhanik)
53416 (r1354641): Multiple pools with the same name should register under JMX (fhanik)
Other:
Fix cleanup of temporary files in TestNamingContext test. (kkolinko)
Remove a few files from the source distribution that are not required since they are copied / generated during the build. (markt)
Add manifest files to the set of files for which the line-ending is changed to match the OS defaults in the source distributions. (markt)
Align Jk Ant tasks definitions between antlib.xml and catalina.tasks files, introducing jkupdate as synonym for jkstatus. The latter one is deprecated. Simplify bin/catalina-tasks.xml, replacing taskdef with typedef and adding Ant condition implementations used with JMX to jmxaccessor.tasks file. (kkolinko)
53454: Return correct content-length header for HEAD requests when content length is greater than 2GB. (markt)

New in Apache Tomcat 7.0.26 (Feb 23, 2012)

Catalina:
Provide constants for commonly used Charset objects and use these constants where appropriate. (markt)
Refactor the fix for 52184 to correct two issues (a missing class and incorrect class/method names) when using the extras logging packages. (markt)
52444: Only load classes during HandlesTypes processing if the class is a match. Previously, every class in the web application was loaded regardless of whether it was a match or not. (markt)
52488: Correct typo: exipre -> expire. (markt)
Add a unit test for SSO authentication. Patch provided by Brian Burch. (markt)
52511: Correct regression in the fix for 51741 that caused a harmless exception to be logged when scanning for annotations and WEB-INF/classes did not exist. (markt)
Refactor to remove a circular dependency between org.apache.catalina and org.apache.naming. (markt)
Remove some initialisation code from the standard start process (i.e. via the scripts) that was intended for embedding but is not required when performing a standard start.(markt)
Add new method to MBeanFactory that allows any Valve to be created and deprecate the methods to create specific Valves. (markt)
Partial sync of MIME type mapping with mime.types from the Apache web server. (rjung)
52577: Fix a regression in the fix for 52328. Prevent output truncation when reset() is called on a response. (mark)
52586: Remove an old and now unnecessary hack that modified the path info reported via the javax.servlet.forward.path_info request attribute when forwarding to an error page. (markt)
52587: Ensure that if it is necessary to fall back to the default NullRealm, the NullRealm instance is created early enough for it to be correctly initialised. (markt)
Fix millisecond output in AccessLogValve when using a SimpleDateFormat based time pattern. (rjung)
52591: When dumping MBean data, skip attributes where getters throw UnsupportedOperationException. (markt)
52607: Ensure that the extension validator checks the JARs in the shared and common class loaders for extensions. (markt)
Correct a threading issue in the generation of the list of standard authenticators during Context initialization that could lead to a web application failing to start if Contexts were started in parallel. (markt)
52669: Correct regression that broke annotation processing in /WEB-INF/classes for web applications deployed as WARs, packageless classes and some embedding scenarios. The regression was introduced by the invalid assumptions made in the fix for 51741. (markt)
52671: When dumping MBean data, skip attributes where getters throw NullPointerException. (markt)
Coyote:
51543: Provide a meaningful error message when writing more response headers than permitted. (markt)
52547: Ensure that bytes written (which is used by the access log) is correctly reset after an HTTP 1.0 request has been processed. (markt)
Minor refactoring to reduce code duplication in the HTTP connectors. (markt)
52606: Ensure that POST bodies are available for reply after FORM authentication when using the AJP connectors. (markt)
Jasper:
52474: Ensure that leading and trailing white space is removed from listener class names when parsing TLD files. (markt)
52480: When converting class path entries from URLs to files/directories, ensure that any URL encoded characters are converted. Fixes JSP compilation with javac when Tomcat is installed at a path that includes spaces. (markt)
52666: Correct coercion order in EL when processing the equality and inequality operators. (markt)
Web applications:
Improve BUILDING.txt. Update instructions for building. Add instructions for using Checkstyle and running the tests. (kkolinko)
38216: Improve handling of null return values in the JMX proxy servlet which is part of the Manager application. (kkolinko)
52515: Make it clear in the Realm how-to in the documentation web application that digested password storage when using DIGEST authentication requires that MD5 digests are used. (markt)
52634: Fix typos in JSP examples. Patch provided by Felix Schumacher. (rjung)
52641: Remove mentioning of ldap.jar from docs. Patch provided by Felix Schumacher. (rjung)
jdbc-pool:
Fix code style issues and enable Checkstyle checks for jdbc-pool when it is built within Tomcat. (kkolinko)
51582 Correct set and reset the query cache to avoid NPE (fhanik)
Other:
Update Commons Daemon to 1.0.9 to resolve 52548 which meant that services created with service.bat did not set the catalina.home and catalina.base system properties. (markt)
Implement check for correct end-of-line characters in the source files. It is run as separate target in build.xml. (kkolinko)

New in Apache Tomcat 7.0.25 (Jan 23, 2012)

New in Apache Tomcat 7.0.23 (Nov 28, 2011)

New in Apache Tomcat 7.0.21 (Sep 2, 2011)

New in Apache Tomcat 7.0.20 (Aug 12, 2011)

Catalina:
Corrected missing comma in the value of jarsToSkip property in conf/catalina.properties file, which caused tomcat-jdbc.jar and commons-beanutils*.jar to be not ignored when scanning jars for tag libraries. (kkolinko)
41709: Provide exception messages where no message is provided currently for IllegalStateExcpetions triggered by calling HttpServletResponse methods when the reponse is committed. (markt)
51509: Fix potential concurrency issue in CSRF prevention filter that may lead to some requests failing that should not. (markt)
51518: Correct error in web.xml parsing rules for the tag when using absolute ordering. (markt)
Move the SetCharacterEncoding filter from the examples web application to the org.apache.catalina.filters package so it is available for all web applications. (markt)
51550: Internal errors in Tomcat components that process requests before they are passed to a web application, such as Authenticators, now return a 500 response rather than a 200 response. (markt)
51555: Allow destroy() to be called on Lifecycle components that are in the initialized state. (markt)
Add x-threadname pattern format token to ExtendedAccessLogValve to log the current request thread name. Based on a patch from Felix Schumacher. (timw)
51584: Ensure file paths are encoded/decoded when translated to/from URLs when working with resources from a Context so special characters don't cause issues. (markt)
51586: Expand error handling to cover anything that is recoverable (or might be recoverable) when loading classes during HandlesTypes processing. (markt)
51588: Make it easier to extend the AccessLogValve to add support for custom elements. (markt)
Ensure that calls to StandardWrapper methods() that may trigger creation of a Servlet instance always do so in way that correctly instantiates a Servlet instance. (markt)
In JDBCStore: Committing connection if autoCommit is false. Make sure committed connection is returned to the pool if datasource is enabled. (kfujino)
Split condition attribute of AccessLogValve into two, conditionIf and conditionUnless. Implement conditional logging that logs only if a request attribute is present. (kkolinko)
Allow to have several AccessLogValve instances in the same scope (e.g. in the same Context). (kkolinko)
51610: If an unchecked exception occurs during a lifecycle transition (e.g. web application start) ensure that the component is put into the failed state. (markt)
51614: Avoid calling store.load() and session.expire() twice in PersistentManager when expiring sessions. (kfujino)
Prevent spurious log warnings on container stop if a child component has previously failed. (markt)
Add missing getter and setter for the alwaysUseSession attribute of the authenticators. (markt)
Coyote:
49595: Prevent JVM crash with the AJP APR connector when flushing a closed socket. (jfclere)
50394: Return -1 instead throwing an exception when encountering an EOF while processing an input stream with the HTTP APR connector. (jfclere)
Correctly handle a connectionTimeout value of -1 (no timeout) for the HTTP NIO and AJP NIO connectors. (markt)
51503: Add additional validation that prevents a connector from starting if it does not have a port > 0. (markt)
51557: Ignore HTTP headers that do not comply with RFC 2616 and use header names that are not tokens. (markt)
Improve error handling for HTTP APR if an error occurs while using sendfile. (markt)
Ensure that when using sendfile, HTTP APR sockets are not added to multiple pollers. This may cause errors during shutdown. (markt)
Set reuse flag of final AJP END_RESPONSE packet to 0 if we plan to close the connection. (rjung)
Correctly indicate if socket is closing when calling recycle for the AJP NIO processor. Note since the flag is unused in this case there were no bugs triggered by the re-factoring error. (rjung)
Jasper:
51532: JSP files with dependencies in JARs were recompiled on every access leading to poor performance. (markt)
51544: Correctly resolve bean methods in EL so accessible methods that are overridden by inaccessible methods do not cause an IllegalAccessException. (markt)
Web applications:
41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt)
48997: Fixed some typos and correct cross-referencing to the HTTP Connector documentation with the SSL How-To page of the documentation web application. (markt)
49122: Improvements and fixes for index page for ROOT web application. Based on a patch provided by pidster. (markt)
51516: Correct documentation web application to show correct system property name for changing the name of the SSO session cookie. (markt)
Configure the Manager and Host Manager web applications with the Set Character Encoding Filter to make the default request character encoding UTF-8 to improve i18n support. Note that best results will be obtained if the connector is also configured with URIEncoding="UTF-8".(markt)
Update the documentation web application to be even more explicit about the implications of setting the path attribute on a Context element in server.xml. (markt)
51561: Update the Realm page within the documentation web application to recommend the use of digest.[bat|sh] to generate digests rather than calling RealmBase directly. (markt)
51567: Update the class loading page of the documentation web application to include information on the search order for the common class loader when separate values are used for $CATALINA_HOME and $CATALINA_BASE. (markt)
Improve class loading documentation and logging documentation. (kkolinko)
Add information to the security page of the the documentation web application for the ciphers attribute of the Connector element. (markt)
Other:
51503: Add additional validation to Windows installer that ensure that the shutdown port, HTTP port and AJP port are all specified during the install process. (markt)
51531: Update sample Eclipse classpath file to reflect updated ECJ jar. Patch provided by Ian Brandt. (markt)
Convert Tomcat unit tests to JUnit 4. (kkolinko)
Update optional CheckStyle library to 5.4. (kkolinko)
Remove resolveHosts attribute from AccessLogValve configuration in the default server.xml. It was documented in 7.0.19 that it has no effect. (kkolinko)
Simplify mapping for jsp servlet in the default web.xml. (kkolinko)
Correctly handle uninstall with the Windows installer of the service is installed with a name that contains a '-' character. (markt)
51598: Prevent direct invocation of the Windows uninstaller without a service name from executing since the uninstall will not be complete. (markt)
Use Tomcat icon (cat) instead of Apache Commons Daemon (feather) one in the list of uninstallable programs on Windows. (kkolinko)
Update to Apache Commons Daemon 1.0.7. (markt)
51621: Add additional required JARs to the deployer distribution. (markt)
Fix a small number of warnings reported by FindBugs. (markt)
Update to version 1.1.22 of the native component for the AJP APR/native and HTTP APR/native connectors. (markt)

New in Apache Tomcat 7.0.19 (Jul 20, 2011)

Catalina:
Add option to activate access log for unit tests. (rjung)
Fix regression in year number formatting for AccessLogValve. (rjung)
46252: Allow to specify character set to be used to write the access log in AccessLogValve. (kkolinko)
51494: Prevent an NPE when a long running request completes if the associated web application was destroyed while the request was processing. (markt)
Allow choosing a locale for timestamp formatting in AccessLogValve. (rjung)
When generating access logs for errors, log at the Context/Host level if a Context or Host can be identified for the failed request. (markt)
In JULI FileHandler and in AccessLogValve create a directory automatically when it is specified as a part of the file name, e.g. in the prefix attribute. Earlier this happened only if it was specified with the directory attribute. (kkolinko)
Log a failure if access log file cannot be opened. (kkolinko)
Use en_US as locale for timestamps in ExtendedAccessLogValve. (rjung)
Use en_US as locale for creationdate in WebdavServlet. (rjung)
Coyote:
51477: Support all SSL protocol combinations in the APR/native connector. This only works when using the native library version 1.1.21 or later, which is not yet released. (rjung)
Various refactorings to reduce code duplication and unnecessary code in the connectors. (markt)
Correct regression introduced in 7.0.17 that triggered 400 entries in the AccessLog when using the AJP/BIO connector. (markt)
Fix regression producing invalid MBean names when using IPV6 addresses for connectors. (rjung)
Add missing thread name in RequestProcessor when Servlet 3 Async is used. Fixes null thread name in access log and JMX MBean. (rjung)
Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and crashes (HTTP APR) if sendfile is configured to send more data than is available in the file. (markt)
Prevent NPEs when a socket is closed in non-error conditions after sendfile processing when using the HTTP NIO connector. (markt)
Cluster:
Remove unnecessary server.xml parsing code for old cluster implementation that does not ship as part of Tomcat 7. (markt)
Web applications:
Add additional information to the documentation web application on the benefits and remaining risks when running under a security manager. (markt)
51490: Correct broken HTML in JSP tag plugin examples and improve the example to make failures more obvious. Based on suggestions by Charles. (markt)
Document ExtendedAccessLogValve. (rjung)
Correct default value of enableLookups for connectors and mention, that resolveHosts for the AccessLogValve is replaced by enableLookups. (rjung)
Other:
Update to Commons Daemon 1.0.6. (markt)
Update to Eclipse JDT Compiler 3.7. (markt)
Include jdbc-pool into tomcat release. (fhanik)

New in Apache Tomcat 7.0.16 (Jun 17, 2011)

Catalina:
fix 51249: Further improve system property replacement code in ClassLoaderLogManager of Tomcat JULI to cover some corner cases. (kkolinko)
fix 51264: Improve the previous fix for this issue by returning the connection to the pool when not in use so it does not appear to be an abandoned connection. Patch provided by Felix Schumacher. (markt)
fix 51324: Improve handling of exceptions when flushing the response buffer to ensure that the doFlush flag does not get stuck in the enabled state. Patch provided by Jeremy Norris. (markt)
fix Correct a regression in the fix for 51278 that prevented any web application from being marked as distributable. (kfujino/markt)
fix Correct a regression in the fix for 51278 that prevented a web application from overriding the default welcome files. (markt)
fix Enable remaining valves for Servlet 3 asynchronous processing support. (markt)
fix Avoid possible NPE when logging requests received during embedded Tomcat shutdown. (markt)
fix 51340: Fix thread-safety issue when parsing multiple web.xml files in parallel. Apache Tomcat does not do this but products that embed it may. (markt)
fix 51344: Fix problem with Lifecycle re-factoring for deprecated embedded class that prevented events being triggered. (markt)
fix 51348: Prevent possible NPE when processing WebDAV locks. (markt)
Coyote:
fix When parsing the port in the HTTP host header, treat the port as a base 10 integer rather than a hexadecimal one. (rjung/markt/kkolinko)
update Various refactorings to reduce code duplication and unnecessary code in the connectors. (markt)
Jasper:
update: Change JAR scanning log messages where no TLDs are found to DEBUG level and replace the multiple messages with a single INFO level message that indicates that at least one JAR was scanned needlessly and how to obtain more info. (markt)
Cluster:
fix Enable Servlet 3 asynchronous processing support when using clustering. (markt)
Web applications:
fix Correct the log4j configuration settings when defining conversion patterns in the documentation web application. (markt)

New in Apache Tomcat 7.0.14 (May 13, 2011)

New in Apache Tomcat 7.0.5 Beta (Dec 22, 2010)

General:
Update to Commons Daemon 1.0.4. (mturk)
Catalina:
3839: Provide a mechanism to gracefully handle the case where users book-mark the form login page or otherwise misuse the FORM authentication process. Based on a suggestion by Mark Morris. (markt)
49180: Add option to disable log rotation in juli FileHandler. Patch provided by Pid (pidster at apache). (funkman)
49991: Ensure servlet request listeners are fired for the login and error pages during FORM authentication. (markt)
50107: When removing a Host via JMX, do not attempt to destroy the host's pipeline twice. Patch provided by Eiji Takahashi. (markt)
50138: Fix threading issues in org.apache.catalina.security.SecurityUtil. (markt)
50157: Ensure MapperListener is only added to a container object once. (markt)
50159: Add a new attribute for elements, singleton, that controls whether or not a new object is created every time a JNDI lookup is performed to obtain the resource. The default value is true, which will return the same instance of the resource in every JNDI lookup. (markt)
50168: Separate the Lifecycle.DESTROY_EVENT into Lifecycle.BEFORE_DESTROY_EVENT and Lifecycle.AFTER_DESTROY_EVENT. Use the additional state to ensure that Context objects are only destroyed once. (markt)
50169: Ensure that when a Container is started that it doesn't try and register with the mapper unless its parent has already started. Patch provided by Eiji Takahashi. (markt)
50222: Modify memory leak prevention code so it pins the system class loader in memory rather than than the common class loader, which is better for embedded systems. Patch provided by Christopher Schultz. (markt)
50228: Improve recycling of BodyContentImpl. (kkolinko)
Improve debug logging for MapperListener registration. (markt)
Expose names of LifecycleListeners and ContainerListeners for StandardContext via JMX. (markt)
Add a new option, resourceOnlyServlets, to Context elements that provides a mechanism for working around the issues caused by new requirements for welcome file mapping introduced in Servlet 3.0. By default, the existing Tomcat 6.0.x welcome file handling is used. (markt)
Make Tomcat more tolerant of null when generating JMX names for Valves. (markt)
Make AccessLogValve attribute enabled changeable via JMX. (pero)
Correct infinite loop if ServletRequest.startAsync(ServletRequest, ServletResponse) was called. (markt)
50232: Remove dependency between StoreBase and PersistentManager and associated code clean-up. Patch provided by Tiago Batista. (markt)
50252: Prevent ClassCastException when using a . Patch provided by Eiji Takahashi. (markt)
Reduce synchronization in session managers to improve performance of session creation. (markt)
If starting children automatically when adding them to a container (e.g. when adding a Context to a Host) don't lock the parent's set of children whilst the new child is being started since this can block other threads and cause issues such as lost cluster messages. (markt)
Implement support for parallel deployment. This allows multiple versions of the same web application to be deployed to the same context path at the same time. Users without a current session will be mapped to the latest version of the web application. Users with a current session will continue to use the version of the web application with which the session is associated until the session expires. (markt)
50308: Allow asynchronous request processing to call AsyncContext.dispatch() once the asynchronous request has timed out. (markt)
Make memory leak prevention code that clears ThreadLocal instances more robust against objects with toString() methods that throw exceptions. (markt)
Coyote:
49860: Complete support for handling trailing headers in chunked HTTP requests. (markt)
Impose a limit on the length of the trailing headers. The limit is configurable with a system property and is 8192 by default. (kkolinko)
50207: Ensure Comet timeout events are triggered. This bug was a regression triggered by the fix for 49884. (markt)
Jasper:
49297: Enforce the rules in the JSP specification for parsing the attributes of custom and standard actions that require that the attribute names are unique within an element and that there is whitespace before the attribute name. The whitespace test can be disabled by setting the system property org.apache.jasper.compiler.Parser.STRICT_WHITESPACE to false. Attributes of the page directive have slightly different rules. The implementation of that part of the fix is based on a patch by genspring. (markt)
50105: When processing composite EL expressions use Enum.name() rather than Enum.toString() as required by the EL specification. (markt)
Fix minor thread-safety and performance issues in the implementation of maxLoadedJsps. (rjung)
Add support for unloading JSPs that have not been requested for a long time using the new parameter jspIdleTimeout. (rjung)
Add logging and JMX support to JSP unloading. (rjung)
50192: Improve performance for EL when running under a security manager. Based on a patch by Robert Goff. (markt)
50273: Provide a workaround for an HP-UX issue that can result in large numbers of SEVERE log messages appearing in the logs as a result of normal operation. (markt)
50293: Increase the size of internal ELResolver array from 2 to 8 since in typical usage there are at least 5 resolvers. Based on a patch by Robert Goff. (markt)
Cluster:
Add support for maxActiveSessions attribute to BackupManager. (kfujino)
Improve sending an access message in DeltaManager. maxInactiveInterval of not Manager but the session is used. If maxInactiveInterval is negative, an access message is not sending. (kfujino)
50183: BIO sender was not scheduling tasks to the executor during normal operation. Patch provided by Ariel. (markt)
50184: Add an option to the RpcChannel to enable the Channel send options to be set for the reply message. Based on a patch by Ariel. (markt)
Ensure that a new Context waiting for session data from other nodes in the cluster does not block the processing of clustering messages for other Contexts. (markt)
Web applications
49426: Localize messages in the Manager application based on the Locale of the user rather than the default Locale of the server. (markt)
Localize messages in the Host Manager application based on the Locale of the user rather than the default Locale of the server. (markt)
50242: Provide a sample log4j configuration that more closely matches the default JULI configuration. Patch provided by Christopher Schultz. (markt)
Restore the ability to edit the contents of /WEB-INF and /META-INF via WebDAV via the provision of a new configuration option, allowSpecialPaths. (markt)
Correct broken links for on-line JavaDocs. (markt)
50230: Add new DistributedManager interface that is implemented by the Backup Manager to remove circular dependency between tomcat-catalina-ha and tomcat-catalina modules. Also allows third-party distributed Manager implementations to report full session information through the HTML Manager. (markt)
Improve Tomcat Logging documentation. (kkolinko)
50303: Update JNDI how-to to reflect the new JavaMail download location and that JAF is now included in Java SE 6. (markt)
Fix ordering functionality on sessions page for the HTML Manager application. (markt)
Fix primary sessions not always being treated as such in the HTML Manager application. (markt)
Fix message not being displayed after session attribute removal in the HTML Manager application. (markt)
50310: Fix display of Servlet information in the Manager application. (markt)
CVE-2010-4172: Multiple XSS in the Manager application. (markt/kkolinko)
50316: Fix display of negative values in the Manager application. (kkolinko)
50318: Avoid NPE when trying to view session detail for an expired session in the Manager application. (markt)
Other:
Correct a handful of Javadoc warnings. (markt)
22965: Fix some typos and formatting issues in the global web.xml file. Based on a patch by Yann Cébron. (markt)
Extend Checkstyle validation checks to check for unused imports. (markt)
General code clean-up to reduce (not eliminate) the number of warnings reported by IDEs. (markt)
50140: Don't ignore a user specified installation directory when performing a silent install with the Windows installer on 64-bit platforms. (markt)
Reimplemented Windows installer dialogs, using modern libraries (nsDialogs, MUI2). (kkolinko)
When installing with the Windows installer on 64-bit platforms, allow the user to select either a 32-bit JDK or a 64-bit JDK. If a 32-bit JDK is selected, the 32-bit service wrapper and the 32-bit native DLL will be installed. If a 64-bit JDK is selected, the 64-bit service wrapper and the 64-bit native DLL will be installed. (markt/kkolinko)
Create Windows shortcuts for the Manager and Host Manager webapps. (kkolinko)
Support /? command line option in the Windows Installer. (kkolinko)
Display and allow to change roles for the Tomcat admin user in the Windows installer. (kkolinko)
In the Windows installer: do not leave stale server.xml and tomcat-users.xml fragments in the $TEMP folder. (kkolinko)
49819: Redesign of home page by Pid (pidster at apache). (timw)

New in Apache Tomcat 6.0.28 (Jul 10, 2010)

New in Apache Tomcat 7.0.0 Beta (Jun 30, 2010)

Catalina:
update: Update Servlet support to the Servlet 3.0 specification. (all)
update: Improve and document VirtualWebappLoader. (rjung)
add: 43642: Add prestartminSpareThreads attribute for Executor. (jfclere)
update: Switch from AnnotationProcessor to InstanceManager. Patch provided by David Jecks with modifications by Remy. (remm/fhanik)
update: r620845 and r669119. Make shutdown address configurable. (jfclere)
fix: r651977 Add some missing control checks to ThreadWithAttributes. (markt)
add: r677640 Add a startup class that does not require any configuration files. (costin)
fix: r700532 Log if temporary file operations within the CGI servlet fail. Make sure header Reader is closed on failure. (markt)
fix: r708541 Delete references to DefaultContext which was removed in 6.0.x. (markt)
add: r709018 Initial implementation of an asynchronous file handler for JULI. (fhanik)
fix: Give session thisAccessedTime and lastAccessedTime clear semantics. (rjung)
add: Expose thisAccessedTime via Session interface. (rjung)
add: Provide a log format for JULI that provides the same information as the default but on a single line. (markt)
add: r723889 Provide the ability to configure the Executor job queue size and a timeout for adding jobs to the queue. (fhanik)
add: Add support for aliases to StandardContext. This allows content from other directories and/or WAR files to be mapped to paths within the context. (markt)
update: Provide clearer definition of Lifecycle interface, particularly start and stop, and align components that implement Lifecycle with this definition. (markt)
add: 48662: Provide a new option to control the copying of context XML descriptors from web applications to the host's xmlBase. Copying of XMl descriptors is now disabled by default. (markt)
fix: Move comet classes from the org.apache.catalina package to the org.apache.catalina.comet package to allow comet to work under a security manager. (markt)
Coyote:
update: Port SSLInsecureRenegotiation from mod_ssl. This requires to use tomcat-native 1.2.21 that have option to detect this support from OpenSSL library. (mturk)
update: Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung)
update: r703017 Make Java socket options consistent between NIO and JIO connector. Expose all the socket options available on java.net.Socket (fhanik)
fix: 46051: The writer returned by getWriter() now conforms to the PrintWriter specification and uses platform dependent line endings rather than always using \r\n. (markt)
update: Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk)
update: r724239 NIO connector now always uses an Executor. (fhanik)
update: r724393 Implement keepAliveCount for NIO connector in a thread safe manner. (fhanik)
update: r724849 Implement keep alive timeout for NIO connector. (fhanik)
Jasper:
update: Update JSP support to the JSP 2.2 specification. (markt)
update: Update EL support to the EL 2.2 specification. (markt)
update: r787978 Use "1.6" as the default value for compilerSourceVM and compilerTargetVM options of Jasper. (kkolinko)
add: 48358: Add support for limiting the number of JSPs that are loaded at any one time. Based on a patch by Isabel Drost. (markt)
add: 48689: Access TLD files through a new JarResource interface to make extending Jasper simpler, particularly in OSGi environments. Patch provided by Jarek Gawor. (markt)
High Availability:
add: Add support for UDP and secure communication to tribes. (fhanik)
add: Add versioning to the tribes communication protocol to support future developments. (fhanik)
add: Add a demo on how to use the payload. (fhanik)
add: Started to add JMX support to the cluster implementation. (markt)
fix: r609778 Minor fixes to the throughput interceptor and the NIO receiver. (fhanik)
fix: r630234 Additional checks for the NIO receiver. (fhanik)
update: r671650 Improve error message when multicast is not enabled. (fhanik)
Web applications:
update: r631321 Update changelog to support the element in the documentation. (fhanik)
add: A number of additional roles were added to the Manager and Host Manager applications to separate out permissions for the HTML interface, the text interface and the JMX proxy. (markt)
add: CSRF protection was added to the Manager and Host Manager applications. (markt)
add: List array elements in the JMX proxy output of the Manager application. (rjung)
Extras:
add: A new JmxRemoteLifecycleListener that can be used to fix the ports used for remote JMX connections, eg when using JConsole. (markt)
Modules:
add: r691359 Added in a Bayeux protocol implementation built on top of the Tomcat CometProcessor interface. (fhanik)
Other:
fix: Numerous code clean-up changes including the use of generics and removing unused imports, fields, parameters and methods. (markt)
fix: All deprecated internal code has been removed. Warning: If you have custom components for a previous Tomcat version that extend internal Tomcat classes and override deprecated methods it is highly likely that they will no longer work. (markt)
update: Parameterize version number throughout build scripts and source. (rjung)

New in Apache Tomcat 6.0.20 (Jun 3, 2009)

Catalina:
42579: Handle both relative and absolute search results in the JNDIRealm. Patch provided by Brandon DuRette. (markt)
46562: Close shtml files after processing to allow other processes to modify the files. (markt)
46815: Make the MemoryUserDatabase read-only by default. (markt)
46816: Align session manager mbean descriptor with implementation. (markt)
Fix a typo in the OPTIONS response from the default servlet. (markt)
46822: Remove unnecessary object creation from StandardContext. Patch provided by Anthony Whitford. (markt)
46866: Better initialisation of Random objects. (markt)
46875: Catch and handle possible IllegalStateExceptions in CometConnectionManagerValve related to session expiration. (markt)
Correct some errors reported when testing the WebDAV servlet with the Litmus test suite. (markt)
46933: Update StringManager to use Java 5 features. Patch provided by Jens Kapitza. (markt)
46990: Fix synchronization issues reported by FindBugs. Patch provided by Sebb. (markt)
Coyote:
Allow huge request body packets for AJP13. (rjung)
45026: Never return an empty HTTP status reason phrase. mod_jk and httpd 2.x do not like that. (rjung)
Set remote port for AJP connectors from the optional request attribute AJP_REMOTE_PORT. (rjung)
Update tc-native to 1.1.16 (markt)
46982: Correct reporting of DST offset in access logs. (markt)
46984: Invalid characters in HTTP request method now result in a 400 response. (markt)
46991: Fix AJP connector always reporting bytes received as zero. (markt)
Jasper:
37929: Fix invalidated session causing pageContext methods to fail. (markt)
41606: Prevent double initialisation of JSPs. Patch provided by Chris Halstead. (markt)
46354: ArrayIndexOutOfBoundsException when using org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true Patch provided by Konstantin Kolinko. (markt)
46909: Only include semi-colon in type attribute for when it is required. (markt)
47013: Use system property rather than hard-coded string for pre-compilation flag. (markt)
Cluster:
A node should ignore its own heartbeat messages. (rjung)
Webapps:
46509: Use correct link on error page in JSP security example. Patch provided by Michael Moody. (markt)
46599: Document known DAEMON issue. (markt)
46807: Correct docs for configuration of tag pooling. (markt)
46924: Clarify behaviour when auto deployment is enabled and a WAR, directory or context file is deleted or updated. (markt)
46958: All xml manager status output to work regardless of context path. (markt)
Other:
46351: Refactor the build script. Patch provided by Marc Guillemot. (markt)
46910: Properties files corrupted by build process. (remm)
46915: When resolving ResourceBundle properties, don't claim to have resolved the property unless we really have resolved it. (markt)
Fix .pdf and .exe corruption in -src.tar.gz distribution. (markt)
Enable running Tomcat directly from the build directory on linux systems. (markt)

New in Apache Tomcat 6.0.19 (Jun 3, 2009)

Catalina:
Manager application prints FAIL if application was deployed but failed to start (fhanik)
When shutdown port is disabled, print user friendly message and not a stack trace. (fhanik)
37458: Correct sync issue that leads to NPE in rare circumstances. Patch provided by Konstantin Kolinko. (markt)
38553: Return 401 rather than 400 if client does not present a certificate CLIENT-CERT authentication. (markt)
38570: When checking docBase against appBase, make sure we check for an exact match against the appBase. (markt)
39013: When testing for invalid docBase, test for an exact match with the appBase dir. (markt)
39396: Don't include TRACEE in OPTIONS response unless we know it hasn't been disabled in the connector. (markt)
42747: Ensure context.xml takes effect on first deployment for WAR and DIR deployments. context.xml is now copied to CATALINA_BASE// for DIR as well as WAR deployments. (markt)
43071Start poller before acceptor (r719267)
Fix read/write timeout of async comet operations (r719264)
Implement async close behaviour for Comet/NIO. No-op for APR (same behavior as before) (r719262)
Default thread count for HTTP connectors is 200. (r713186)
Comet should always invoke END and properly invoke READ (r713174)
Fix class cast exception when shutting down a replicated context but no cluster has been configured in server.xml (r713177)
Dererence socket when its no longer used. Frees up socket buffers and memory. No functional change. (r713175)
Correct wrong "No role found" debug message, logged in RealmBase even if a role was found. (rjung)
44809Improve AprLifecycleListener Error Messages. (jfclere)
Log AccessControlException for context specific logging.properties during startup with security manager. (rjung)
41407: Add CLIENT-CERT support to the JAAS Realm. (markt)
42409: Make custom and standard error page handling consistent by using resetBuffer() which will not alter previously set headers. (markt)
42673: Fix SSI virtual includes for multi-level contexts. Patch provided by Peter Jodeleit. (markt)
42707: Make adding a host alias via JMX take effect immediately. (markt)
43656: Correct regression in previous fix for this bug. Patch provided by Nils Eckert. (markt)
45419: Set Accept-Ranges for static resources served by DefaultServlet. (markt)
45441: Correctly map filters for FORWARD and INCLUDE. (markt)
45447: Convert Spanish resource files to use UTF-8 and provide translations where previously missing. Patch provided by Jesus Marin. (markt)
45453: Remove potential race condition in JDBC Realm. Based on a patch by Santtu Hyrkk. (markt)
45576: Add DIGEST support to the JAAS Realm. (markt)
45585: Allow Tomcat to start if using $CATALINA_BASE but not JULI. Patch based on a suggestion by Ian Ward Comfort. (markt)
The JAAS Realm did not assign roles to authenticated users. (markt)
Provide full stacktrace and message when the ErrorReportValveClass can't be instantiated. (funkman)
45608: Make allocated servlet count synchronized to ensure the correct allocated servlet count is available during shutdown. (markt)
45628: When checking MANIFEST dependancies, JARs without dependencies should allows be considered to be full-filled. (markt)
45735: Improve ETag handling. (remm)
45785: Ignore directories named xxx.jar in WEB-INF/lib. (markt)
45823: Log missing request headers as '-' not 'null'. Based on a patch by Per Landberg. (markt)
45825: Correctly handle annotations in parent classes. Based on a patch by Florent Benoit. (markt)
45906: Further ETag handling improvements. Patch provided by Chris Hubick. (markt)
Add the CombinedRealm that enables authentication to be attempted against multiple realms. (markt)
Add the LockOutRealm that enables a standard Realm to be wrapped with the functionality to lock out a user after too many failed logins. (markt)
Make the upper size limit of the static resource cache configurable since the default of cacheMaxSize/20 gave too high a value for large caches. (markt)
Fix HTML decoding error in SSI processing. (markt)
Fix cast error in JULI log factory. (markt)
Fix some thread safety issues in date formatting. (markt)
Fix a String comparison bug in the digester property replacement that resulted in non-optimal operation. (markt)
Correct handle multi-level contexts defined using context.xml files. (markt)
45933: Don't use xml parser from web-app to process tld files. (markt)
45951: Support changing of JSESSIONID cookie name and jsessionid path parameter name. Based on a patch by Jean-frederic Clere. (markt)
46011: Make Principal accessible (if set) via Subject.getSubject(AccessController.getContext()) when processing filters. Based on a patch by tsveg1. (markt)
46075: When uploading files, don't create buffers at the maximum configured size. Use the default size and let the buffers grow to the maximum size if necessary. (markt)
46085: Fix a rare thread safety issue with session expiration. (markt)
46096: Support annotation processing whilst running under a security manager. (markt)
The invoker servlet has been deprecated and will be removed in Tomcat 7 onwards. (markt)
46105: Correctly set URI encoding when replaying a request after FORM authentication. (markt)
Remove unnecessary reference to commons-logging from the bootstrap JAR manifest. (markt)
46232: Enabled the XMl parser to be over-ridden using the standard endorsed mechanism. (markt)
46261: Treat / in a context name literally rather than converting it (inconsistently) to '/' - that is what '#' is for. (markt)
46298: Throw an SQLException with a useful message rather than a NPE if the URL for the JDBCRealm is invalid. Based on a patch by Owen Jacobson. (markt)
46304: Further fixes to make Principal accessible (if set) via Subject.getSubject(AccessController.getContext()) when processing filters. (markt)
46403: Provide a workaround for an IE and Safari bug that means the Max-Age attribute of a cookie is ignored. (markt)
46408: Fix invalid cast in security utility package. (markt)
Remove duplicate normalisation implementations and make normalise behaviour consistent throughout code base. (markt)
46683: Fix typo in French localisation file name for the org.apache.catalina.loader package. (markt)
46606: Make the max DEPTH for a WebDAV request configurable. The default is still 3. (markt)
44382: Add support for using httpOnly for session cookies. This is disabled by default. (markt/fhanik)
Fix possible NCDFE when using FORM authentication. (jfclere)
Fix possible synchronisation bottleneck in cookie creation. (markt)
Fix various spelling errors reported on the mailing lists. (markt)
Make the logging manager and properties file configurable via environment variables. (fhanik)
Coyote:
45154 Implement SEND_FILE behavior for SSL connections using NIO (fhanik)
Fix file descriptor leak during NIO send file behavior. (fhanik)
Implement usage of keyAlias attribute for NIO, previously attribute was ignored. (fhanik)
Prevent server from calling close on an already closed NIO socket. One that had timed out. (fhanik)
Fix bug with SEND_FILE behavior in NIO. Send file would delay until selector timed out, even though socket was ready to be written. (fhanik)
Fix possible NPE in NioEndpoint.java (fhanik)
Update tc-native to 1.1.15 in build.properties.default (jfclere)
43327: Socket bind fails when using APR on a system with IPv6 enabled but no explicit IPv6 address configured. (markt/jfclere)
44285: Make the SSL session cache size and timeout configurable. (markt)
45074: Add configuration parameters to enable the tuning of sendfile and poller thread count in the APR HTTP connector. Patch provided by Alex Barclay. (jfclere/markt)
45528: Add detection for invalid SSL configuration to prevent infinite logging loop on start-up. (markt)
45591: NPE on start-up failure in some cases. Based on a patch by Matt Passell. (markt)
46077: Expose deferAccept for configuration. Patch provided by Michael Leinartas. (markt)
Don't swallow input if we know the connection is going to be closed. (billbarker)
46125: Return a status code of 400 if the request headers are too large. (markt)
Make certain that classes are first loaded by trusted code when working in a sandbox. (billbarker)
Log a message if we reach maxThreads in a connector thread pool. (markt)
Enable the thread pool limits to be modified via JMX. (markt)
Fix HTTP/1.0 redirects handling with APR AJP connector. (remm)
46666: keepAliveTimeout should be used regardless of setting of disableUploadTimeout. (markt)
Jasper:
36923: Treat EL expressions as template text is EL expressions are disabled. (markt)
37515: Support 1.6 and 1.7 as source and target for compilation. (markt)
ClassCastException in EL ExpressionBuilder. (rjung)
Use more generics in EL to improve type safety. (rjung)
Use a lookahead to remove potential ambiguity in EL parsing. (markt)
Correct typo in JSP EL examples. (markt)
38197: Take account of jsp:attribute elements when pooling tags. (markt)
42077: Ensure the iterator returned by javax.el.CompositeELResolver#getFeatureDescriptor() skips any null FeatureDescriptors. Patch provided by Mathias Broekelmann. (markt)
42693: Fix JSP generation error with recursive tag file structure. (markt)
45427: Correctly handle unmatched quotes in EL expressions. (markt)
45511: The failure of the empty keyword was a regression caused by the previous fix for 42565. The original fix for 42565 has been reverted and a new fix applied. (markt)
45648: Don't trim the last character when parsing the EL namespace. (markt)
45666: Prevent infinite loop on include. (markt)
45691: Prevent generation of duplicate variable names when generating code for JSPs. (markt)
Correct signed/unsigned conversion error in ASCII parsing. (markt)
Fix various edge-cases when parsing EL, particularly inside attribute values. Note the the Expert Group has confirmed that JSP.1.6 takes precedence over JSP.1.3.10. Therefore EL in attributes must be escaped twice. (markt)
46047: Include the path to the JAR when recording dependencies that are located inside a JAR file. Patch provided by Cédric Mailleux. (markt)
46381: Composite expressions used for attribute values must be coerced to Strings. (markt)
46397: Don't pool tag instances that implement JspIdConsumer. (markt)
46462: Limit package test to just the o.a.jsp package to allow use of packages such as o.a.jspwiki. (markt)
46471: Fix naming clash when tags in different libraries have the same name. (markt)
46564: Make page encoding check for tagx compilation case-insensitive. (markt)
Cluster:
Prevent NPE for ReplicationValve (pero)
Provide TCP only start-up option when using static membership. (fhanik)
Document the multicast recovery options. (fhanik)
45261: Add a new SimpleCoordinator for tribes provided by Robert Newson. (markt)
45618: Make sure NIO selector is closed when no longer used. Unlikely to be an issue in normal usage. (markt)
45851: Fix out of order message processing issues with the FarmWarDeployer. (markt)
Fix small memory leak in FarmWarDeployer. (markt)
46357: Corrected test for host's parent must be an engine. (markt)
Fix so that JvmrouteBinderValve can rewrite session suffix with parallel requests from same client. (pero)
Webapps:
45940: Correct name of username attribute for JDBC resources in JNDI how to. (markt)
46035: Fix multiple typos in monitoring how to. (markt)
46067: Fix typos in Advanced IO how to. (markt)
46115: Correct Manager UI to show that path is required when using the deploy command. (markt)
46121: Add note to manager documentation regarding possible naming clash with new Ant 1.7 resources datatype and how to avoid it. (markt)
Remove unsed parameters from Native/APR example connector configuration in docs. (markt)
Use CSS based solution for printer-friendly docs. Patch provided by vitezslav.smid as part of GSoc with additional work by Tim Funk. (markt)
Update the FAQ linsk in the docs to refer to the wiki. Use xlst task rather than style task to generate docs. (funkman/markt)
Document the LifecycleListeners. (markt)
Fix broken URL mapping in the examples. (markt)
46563: Update doc for correct default for pollerThreadCount. (markt)
46600: Document maxKeepAliveRequests for the NIO connector. (markt)
Fix CVE-2009-0781. XSS in calendar example. (markt)
Other:
41861: Update service name to Apache Tomcat 6 to prevent conflicts with previous major Tomcat versions. (markt/rjung)
45852: Add special handling for cp932 (aka ms932) when creating tomcat-users.xml with Windows installer. (markt)
45878: Restore manifest, licence and notice files to the jsp and servlet jars. (markt)
45879: Move NOTICE file from documentation webapp to the installation directory. (markt)
Add a workaround for DBCP-191. Tomcat will now build without error on a 1.6 JDK but because it does this by skipping DBCP, release builds must be generated with a 1.5 JDK. (costin/markt)
46366: Correct information in RUNNING.txt regarding use of CATALINA_HOME and CATALINA_BASE. (markt)
Use more useful JPDA defaults in catalina.bat. (markt)
Correct error in 2.5 web-app XSD.