Apache Tomcat Changelog

What's new in Apache Tomcat 9.0.6

Mar 19, 2018

TLS stability improvements.
Add the ability to specify static HTML responses for specific error codes and/or exception types with the ErrorReportValve.
Add an async HTTP/2 parser for NIO2.
Add documentation for the Host Manager web application. Patch provided by Marek Czernek.

New in Apache Tomcat 8.0.36 (Jun 14, 2016)

Catalina:
Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
Fix: Fix error message when failed to register MBean. (kfujino)
Coyote:
Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
Jasper:
Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
Fix: 59640: NPEs with not found TLDs. (remm)
Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
Web applications:
Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjäll. (markt)
jdbc-pool:
Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
Other:
Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

New in Apache Tomcat 8.0.33 (Mar 24, 2016)

Catalina:
Fix: Correct a regression in the fix for 58867. When configuring a Context to use an external directory for the docBase, and that directory happens to be located along side the original WAR, use the directory as the docBase rather than expanding the WAR into the appBase and using the newly created expanded directory as the docBase. (markt)
Add: 58351: Make the server build date and server version number accessible via JMX. Patch provided by Huxing Zhang. (markt)
Add: 58988: Special characters in the substitutions for the RewriteValve can now be quoted with a backslash. (fschumacher)
Fix: 58999: Fix class and resource name filtering in WebappClassLoader. It throws a StringIndexOutOfBoundsException if the name is exactly "org" or "javax". (rjung)
Code: Remove unnecessary code. There is no support for context level cluster. (kfujino)
Add: Make checking for var and map replacement in RewriteValve a bit stricter and correct detection of colon in var replacement. (fschumacher)
Fix: Fix the type of InstanceManager attribute of mbean definition of StandardContext. (kfujino)
Fix: Refactor the web application class loader to reduce the impact of JAR scanning on the memory footprint of the web application. (markt)
Fix: Fix some resource leaks in the error handling for accessing files from JARs and WARs. (markt)
Fix: Refactor the JAR and JAR-in-WAR resource handling to reduce the memory footprint of the web application. (markt)
Fix: 57809: Deprecate the custom context attribute org.apache.tomcat.util.scan.MergedWebXml which will be removed in Tomcat 9. (markt)
Fix: 59001: Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. (markt)
Fix: Expand the fix for 59001 to cover the special sequences used in Tomcat's custom jar:war: URLs. (markt)
Fix: 59043: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.logout() is used. (markt)
Fix: 59054: Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. (markt)
Fix: Storeconfig handling of alternate cookie processors. (markt/remm)
Fix: Storeconfig handling for socket properties. (remm)
Add: Log a warning message if a user tries to configure the default session timeout via the deprecated (and ignored) Manager.setMaxInactiveInterval() method. (markt)
Fix: Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
Fix: 59065: Correct the timing of the check for colons in paths on non-Windows systems implemented in catalina.sh so it works correctly with Cygwin. Patch provided by Ed Randall. (markt)
Fix: When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it. (markt)
Fix: 59115: When using the Servlet 3.0 file upload, the submitted file name may be provided as a token or a quoted-string. If a quoted-string, unquote the string before returning it to the user. (markt)
Fix: 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
Fix: 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
Fix: 59145: Don't log an invalid warning when a user logs out of a session associated with SSO. (markt)
Fix: 59151: Fix a regression in the fix for 56917 that added additional (and arguably unnecessary) validation to the provided redirect location. (markt)
Fix: 59154: Fix a NullPointerException in the JASSMemoryLoginModue resulting from the introduction of the CredentialHandler to Realms. (schultz/markt)
Coyote:
Fix: 58646: Correct a problem with sendfile that resulted in a Processor being added to the cache twice leading to broken responses. (markt)
Fix: 59015: Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. (markt)
Fix: Align cipher aliases for kECDHE and ECDHE with the current OpenSSL implementation. (markt)
Fix: 59081: Retain the user defined cipher order when defining ciphers using the OpenSSL format. (markt)
Fix: 59089: Correctly ignore HTTP headers that include non-token characters in the header name. (markt)
Add: Add support for additional OpenSSL cipher aliases from OpenSSL master when specifying ciphers using the OpenSSL syntax. (markt)
Jasper:
Fix: 57583: Improve the performance of javax.servlet.jsp.el.ScopedAttributeELResolver when resolving attributes that do not exist. This improvement only works when Jasper is used with with Tomcat's EL implementation. (markt)
Update: 58111: Update to the Eclipse JDT Compiler 4.5. (markt)
Add: Add Java 9 support for JSPs. (markt)
WebSocket:
Fix: 59014: Ensure that a WebSocket close message can be sent after a close message has been received. (markt)
Fix: Correctly handle compression of partial messages when the final message fragment has a zero length payload. (markt)
Fix: 59119: Correct read logic for WebSocket client when using secure connections. (markt)
Fix: 59134: Correct client connect logic for secure connections made through a proxy. (markt)
Fix: 59189: Explicitly release the native memory held by the Inflater and Deflater when using PerMessageDeflate and the WebSocket session ends. Based on a patch by Henrik Olsson. (markt)
Web applications:
Fix: Correct an error in the documentation of the expected behaviour for automatic deployment. If a WAR is updated and an expanded directory is present, the directory will always be deleted and recreated by expanding the WAR if unpackWARs is true. (markt)
Fix: 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
Fix: Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
Fix: Fix a potential indefinite wait in the Comet Chat servlet in the examples web application. (markt)
Tribes:
Fix: If promoting a proxy node to a primary node when getting a session, notify the change of the new primary node to the original backup node. (kfujino)
Other:
Fix: 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
Fix: 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.5 to pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR 1.5.1. (markt)
Update: Modify the default tomcat-users.xml file to make it harder for users to configure the entries intended for use with the examples web application for the Manager application. (markt)

New in Apache Tomcat 8.0.32 (Feb 10, 2016)

New in Apache Tomcat 8.0.30 (Dec 6, 2015)

Catalina:
Fix: 34319: Only load those keys in StoreBase.processExpire from JDBCStore, that are old enough, to be expired. Based on a patch by Tom Anderson. (fschumacher)
Add: 56917: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later redirects to use relative URIs. This is controlled by a new attribute useRelativeRedirects on the Context and defaults to true. (markt)
Fix: 58629: Allow an embedded Tomcat instance to start when the Service has no Engine configured. (markt)
Fix: 58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt)
Fix: 58660: Correct a regression in 8.0.29 caused by the change that moved the redirection for context roots from the Mapper to the Default Servlet. (markt)
Fix: Fixed potential NPE in HostConfig while deploying an application. Issue reported by coverity scan. (violetagg)
Fix: 58655: Fix an IllegalStateException when calling HttpServletResponse.sendRedirect() with the RemoteIpFilter. This was caused by trying to correctly generate the absolute URI for the redirect. With the fix for 56917, redirects may now be relative making the sendRedirect() implementation for the RemoteIpFilter much simpler. This also addresses issues where the redirect may not have behaved as expected when redirecting from http to https to from https to http. (markt)
Fix: 58657: Exceptions in a Servlet 3.1 ReadListener or WriteListener do not need to be immediately fatal to the connection. Allow an error response to be written. (markt)
Coyote:
Fix: Improve upgrade context classloader handling by using Context.bind and unbind. (remm)
Jasper:
Fix: 57136#c25: Change default value of quoteAttributeEL setting in Jasper to be true for better compatibility with other implementations and older versions of Tomcat (8.0.26/7.0.64 and earlier). Add command line option -no-quoteAttributeEL in JspC. (kkolinko)
Cluster:
Fix: Fix potential integer overflow in DeltaSession. Reported by coverity scan. (fschumacher)
WebSocket:
Add: 55006: The WebSocket client now honors the java.net.java.net.ProxySelector configuration (using the HTTP type) when establishing WebSocket connections to servers. Based on a patch by Niki Dokovski. (markt)
Fix: 58624: Correct a thread safety issue that meant that blocking message writes could block indefinitely if the WebSocket connection was closed while a message write was in progress. (markt)
Web Applications:
Fix: 58631: Correct the continuation character use in the Windows Service How-To page of the documentation web application. (markt)
Tribes:
Fix: Ensure that the static member is registered to the add suspect list even if the static member that is registered to the remove suspect list has disappeared. (kfujino)
Fix: Correct the warning log of when the member that is not registered in the membership is detected. (kfujino)
Fix: When using a static cluster, add the members that have been cached in the membership service to the map members list in order to ensure that the map member is a static member. (kfujino)
jdbc-pool:
Fix: Correct evaluation of system property org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader. It was basically ignored before. Reported by coverity scan. (fschumacher)
Fix: Fix potential integer overflow in ConnectionPool and PooledConnection. Reported by coverity scan. (fschumacher)
Other:
Update: Update optional Checkstyle library to 6.13. (kkolinko)

New in Apache Tomcat 8.0.29 (Nov 24, 2015)

General:
Update: 58596: Clarify the description in RUNNING.txt of how environment variables are used. (markt)
Catalina:
Add: Extend the fix for 57136 to provide a JSP Servlet initialisation parameter per web application that controls whether o not EL in JSP attributes is processed as if it uses JSP attribute quoting. By default, EL does not use JSP attribute quoting. (markt)
Fix: 57799: InputStream.available() was causing an IO operation to occur even in blocking mode, which caused problems with NIO2. (remm)
Add: Extend the fix for 58228 to include ServletContext.getRealPath(). (markt)
Add: 58486: Protect against two further possible memory leaks associated with XML parsing. (markt)
Fix: 58490: Fixed NPE thrown when scanning for javax.servlet.ServletContainerInitializer in case the web application is not extracted. (violetagg)
Code: 58497: Make AbstractHttp11Processor easy to extend. (markt)
Fix: 58508: Escape role names when generating associated MBeans in case the role name contains characters not permitted in an MBean name. (markt)
Fix: 58518: Correct a regression in the fix for 56777 that added support for URIs in config file locations. File paths on Windows could previously be specified with \ or / as the separator. 56777 broke that. (markt)
Fix: 58519: Fix ISE thrown by web application classloader in some error conditions due to trying to call initCause() on a ClassNotFoundException which is not permitted. (markt)
Fix: 58534: Removed repeated conditional tests in o.a.tomcat.websocket.pojo.PojoMethodMapping and o.a.tomcat.util.net.AprEndpoint Patch provided by Anthony Whitford. (violetagg)
Fix: 58535: Use Collections.reverseOrder when a reverse ordering is needed. (violetagg)
Fix: 58537, 58546: Some of the inner classes in o.a.catalina.valves.ExtendedAccessLogValve and o.a.tomcat.util.net.SecureNio2Channel are made static. Patch provided by Anthony Whitford. (violetagg)
Fix: 58540: Removed unused code from o.a.catalina.connector.Request. Patch provided by Anthony Whitford. (violetagg)
Fix: 58541, 58544: It is more efficient to call Integer.toString(int) instead of Integer.valueOf(int).toString() when only a string representation of a primitive is needed. Based on a patch provided by Anthony Whitford. (violetagg)
Fix: 58541, 58547: It is more efficient to call valueOf(...) instead of Number constructor. Based on a patch provided by Anthony Whitford. (violetagg)
Fix: 58545: In some use cases it is more efficient to use Map.entrySet() instead of Map.keySet() Based on a patch provided by Anthony Whitford. (violetagg)
Fix: Ensure that ServletRequest.getContentLengthLong is used instead of ServletRequest.getContentLength for servlets and valves provided by Tomcat. The API is available since Servlet specification 3.1. (violetagg)
Add: Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs. (violetagg)
Fix: 58578: Avoid NPE accessing cookies during access logging for request that had no context mapping. (remm)
Fix: Avoid UnsupportedOperationException when releasing an user-provided URLStreamHandlerFactory. Patch provided by Cristian Talau. (violetagg)
Fix: 58581: If a custom error page fails, fall back to the standard error page rather than throwing an NPE. Based on a patch by Huxing Zhang. (markt)
Fix: 58582: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (schultz)
Fix: Handle the unlikely case where different versions of a web application are deployed with different session settings. (markt)
Add: Add a new Context option, enabled by default, that enables an additional check that a client provided session ID is in use in at least one other web application before allowing it to be used as the ID for a new session in the current web application. (markt)
Add: Add support for DIGEST authentication to the JNDIRealm. Based on a patch by Alexis Hassler. (markt)
Fix: 58603: Ensure that HttpServletRequest.getRequestURL() returns the correct value when using the RemoteIpFilter. (markt)
Fix: Ensure that in an embedded Tomcat the logging configuration is not lost during garbage collection. (violetagg)
Add: Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt)
Coyote:
Fix: Cancel pending blocking IO operation following a timeout in the NIO2 connector. (remm)
Fix: Add instance manager support for upgrade handlers, and set context class loader. (remm)
Update: Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL changes. In particular, TLSv1.0 is no an alias for those ciphers that require TLSv1 and will no work with SDSLv3. TLSv1 remains an alias for SSLv3. (markt)
Jasper
Add: Deprecate the STRICT_QUOTE_ESCAPING system property and replace it with an initialisation parameter for the JSP Servlet. This enables per web application control of this configuration setting. (markt)
Cluster:
Fix: Optimize the session lock range in DeltaManager.requestCompleted. (kfujino)
Fix: Enable an explicit configuration of local member in the static cluster membership. (kfujino)
Tribes:
Code: Distinguish the handling of the shutdown payload and member verification clearly. When handling shutdown payload, verification completion message is not required. (kfujino)
Fix: When starting the StaticMembershipInterceptor, StaticMembershipInterceptor checks the required Interceptors. If the required Interceptor does not exist, it issues warning logs. (kfujino)
WebSocket:
Fix: Use instance manager for server endpoint instances. (remm)
Web applications:
Add: Make it clear in the documentation for the CGI servlet that the debug page is not considered secure and should not be used in production. (markt)
Fix: The domain attribute of StaticMember is not required but optional. (kfujino)
jdbc-pool:
Fix: 58489: Correct QueryStatsComparator to hold up the general contract for Comparator. (fschumacher)
Fix: When creating a QueryStats object, ensure that maxQueries is checked. If maxQueries is a value less than or equal to 0, QueryStats are never created. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.12.1. (kkolinko)
Add: Add support for creating a FindBugs report when building Tomcat. It is disabled by default. (violetagg)

New in Apache Tomcat 8.0.28 (Oct 13, 2015)

New in Apache Tomcat 8.0.24 (Jul 7, 2015)

New in Apache Tomcat 8.0.23 (May 22, 2015)

Catalina:
Add: 54618: Add a new HttpHeaderSecurityFilter that adds the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options HTTP headers to the response. (markt)
Fix: 57875: Add javax.websocket.* to the classes for which the web application class loader always delegates first. (markt)
Fix: 57871: Ensure that setting the the allowHttpSepsInV0 property of a LegacyCookieProcessor to false only prevents HTTP separators from being used without quotes. (markt)
Fix: Add a workaround for issues with SPNEGO authentication when running on Java 8 update 40 and later. The workaround should be safe for earlier Java versions but it can be disabled with the applyJava8u40Fix attribute of the SPNEGO authenticator if necessary. (markt)
Fix: 57926: Restore the original X-Forwarded-By and X-Forwarded-For headers after processing by the RemoteIPValve . (markt)
Coyote:
Fix: Follow up to previous fix that removed the behavior difference between NIO and NIO2 for SSL, which caused corruption with NIO2. (remm)
Fix: 57931: Ensure that TLS connections with the NIO or NIO2 HTTP connectors that experience issues during the handhshake (e.g. missing or invalid client certificate) are closed cleanly and that the client receives the correct error code rather than simply closing the connection. (markt)
Jasper:
Fix: 56438: Add debug logging to TLD discovery that logs positive and negative results for JARs, resource paths and directories. Patch provided by VIN. (markt)
Fix: 57802: Correct the default implementation of convertToType() provided by javax.el.ELResolver. (markt)
Fix: 57887: Fix compilation of recursive tag files packaged in a JAR. (markt)
Cluster:
Fix: Make sure that stream is closed after using it in DeltaSession.applyDiff(). (kfujino)
Code: Use StringManager to provide i18n support in the org.apache.catalina.ha packages. (kfujino)
Code: Add the context name to log messages when replication context failed to start. (kfujino)
Web applications:
Fix: 57875: Update the web application class loader documentation to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards. (markt)
Fix: 57896: Document system property org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER that was introduced in Tomcat 8.0.0. (kkolinko)
Tribes:
Fix: Ensure that the state transfer flag is updated to true only when the map states have been transferred correctly from existing map members. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.6. (kkolinko)

New in Apache Tomcat 8.0.22 (May 6, 2015)

Catalina:
Fix: 57736: Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted. (markt)
Fix: 57752: Exclude non-cached resources from the Cache statistics for resource lookups. Patch provided by Adam Mlodzinski. (markt)
Add: Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
Fix: 57556: Refine the previous fix fo rthis issue so that the real path returned only has a trialing separator if the requested path ended with /. (markt)
Fix: 57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
Fix: Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
Fix: Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
Fix: 57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
Fix: Fix wrong logger name of org.apache.catalina.webresources.StandardRoot. (kfujino)
Fix: 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
Fix: 57841: Improve error logging during web application start. (markt)
Fix: 57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect(). (markt)
Fix: 57863: Fix the RewriteMap support in RewriteValve that did not use the correct key value to look up entries. Based on a patch provided by Tatsuya Bessho. (markt)
Coyote:
Fix: 57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API. (markt)
Code: Remove the experimental support for SPDY. No current user agent supports the version of SPDY that the experiment targetted. Note: HTTP/2 support is under development for Tomcat 9 and may be back-ported to Tomcat 8 once complete. (markt)
Fix: Possible incomplete writes with SSL NIO2. (remm)
Fix: Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO differences between NIO and NIO2 that don't seem to be justified. (remm)
Fix: After some errors, the pending flags could remain set when using SSL NIO2. (remm)
Fix: 57833: When using JKS based keystores for NIO or NIO2, ensure that the key alias is always converted to lower caes since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt)
Fix: 57837: Add text/css to the default list of compressable MIME types. (markt)
Jasper:
Fix: 57845: Ensure that, if the same JSP is accessed directly and via a declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed. (markt)
Fix: 57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message. (markt)
Cluster:
Fix: Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes. (kfujino)
Add: Add new attribute that send all actions for session across Tomcat cluster nodes. (kfujino)
Fix: Remove unused pathname attribute in mbean definition of BackupManager. (kfujino)
WebSocket:
Fix: 57761: Ensure that the opening HTTP request is correctly formatted when the WebSocket client connects to a server root. (remm)
Fix: 57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped. (markt)
Fix: 57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message. (markt)
Fix: Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste. (markt/kkolinko)
Fix: 57788: Avoid NPE when looking up a class hierarchy without finding anything. (remm)
Web applications:
Add: 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
Fix: 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)
Tribes:
Fix: Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processing at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry. (kfujino)
Other:
Fix: Add missing pom for tomcat-storeconfig. (remm)
Update: Update optional Checkstyle library to 6.5. (kkolinko)
Fix: 57707: Improve error message when trying to run a release build on a non-Windows platform and Wine is not available. (markt)

New in Apache Tomcat 8.0.21 (Mar 27, 2015)

Catalina:
Add: 49785: Enable StartTLS connections for JNDIRealm. (fschumacher)
Fix: When docBase refers internal war and unpackWARs is set to false, avoid registration of the invalid redeploy resource that has been added ".war" extension in duplicate. (kfujino)
Fix: If WAR exists, it is not necessary to trigger a reload when adding a Directory. (kfujino)
Fix: 55988: Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8. Based upon a patch provided by Ognjen Blagojevic. (schultz)
Fix: 56608: When deploying an external WAR, add watched resources in the expanded directory based on whether the expanded directory is expected to exist rather than if it does exist. (markt)
Fix: When triggering a reload due to a modified watched resource, ensure that multiple changed watched resources only trigger one reload rather than a series of reloads. (markt)
Fix: 57601: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by the Default servlet. (jboynes/markt)
Fix: 57602: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by a servlet that extends HttpServlet. (markt)
Fix: 57621: When an async request completes, ensure that any remaining request body data is swallowed. (markt)
Fix: 57637: Do not create unnecessary sessions when using PersistentValve. (jboynes/fschumacher)
Fix: 57645: Correct a regression in the fix for 57190 that incorrectly required the path passed to ServletContext.getContext(String) to be an exact match to a path to an existing context. (markt)
Fix: Make sure that unpackWAR attribute of Context is handled correctly in HostConfig. (kfujino)
Fix: When deploying a WAR file that contains a context.xml file and unpackWARs is false ignore any context.xml file that may exist in an expanded directory associated with the WAR. (markt)
Fix: 57675: Correctly quote strings when using the extended access log. (markt)
Add: Enable Tomcat to detect when a WAR file has been changed while Tomcat is not running. Tomcat does this by adding a META-INF/war-tracking file to the expanded directory and setting the last modified time of this file to the last modified time of the WAR. If Tomcat detects a modified WAR via this mechanism the web application will be redeployed (i.e. the expanded directory will be removed and the modified WAR expanded in its place). (markt)
Fix: 57704: Fix potential NPEs during web application start/stop when org.apache.tomcat.InstanceManager is not initialized. (violetagg)
Add: Use the simplified digest output for digest.bat|sh when generating digests with no salt and a single iteration to make it easier to use with DIGEST authentication. (markt)
Fix: Add support for LAST_ACCESS_AT_START system property to SingleSignOn. (kfujino)
Code: Refactor Authenticator implementations to reduce code duplication. (markt)
Fix: 57724: Handle the case in the CORS filter where a user agent includes an origin header for a non-CORS request. (markt)
Fix: When searching for SCIs o.a.catalina.Context.getParentClassLoader will be used instead of java.lang.ClassLoader.getParent. Thus one can provide the correct parent class loader when running embedded Tomcat in other environments such as OSGi. (violetagg)
Fix: 57743: Fix a locked file / resource leak issue when a JAR is accessed just before or during web application undeploy. Patch provided by Pavel Avgustinov. (markt)
Coyote:
Add: 57540: Make TLS/SSL protocol available in a new request attribute (org.apache.tomcat.util.net.secure_protocol_version). (Note that AJP connectors will require mod_jk 1.2.41 or later, or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see the bug comments for details.) Based upon a patch provided by Ralf Hauser. (schultz)
Fix: Fix a cipher ordering issue when using the OpenSSL syntax for JSSE cipher configuration to ensure that ephemeral ECDH with AES is preferred to ephemeral ECDH with anything else. (markt)
Fix: 57570: Make the processing of trailer headers with chunked input optional and disabled by default. (markt)
Fix: 57592: Correctly handle the case where an AsyncContext is used for non-blocking I/O and is completed during a write operation. (markt)
Fix: 57638: Avoid an IllegalArgumentException when an AJP request body chunk larger than the socket read buffer is being read. This typically requires a larger than default AJP packetSize. (markt)
Fix: 57674: Avoid a BufferOverflowException when an AJP response body chunk larger than the socket write buffer is being written. This typically requires a larger than default AJP packetSize. (markt)
Update: Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 branch. (markt)
Fix: Numerous fixes to the APR/native connector to improve robustness. (markt)
Fix: Stop caching and re-using SocketWrapper instances. With the introduction of upgrade and non-blocking I/O, I/O can occur on non-container threads. This makes it nearly impossible to track whether a SocketWrapper is still being references or not. making re-use a risky proposition. (markt)
Code: Refactor Connector authentication (only used by AJP) into a separate method. (markt)
Add: 57708: Implement a new feature for AJP connectors - Tomcat Authorization. If the new tomcatAuthorization attribute is set to true (it is disabled by default) Tomcat will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user. (markt)
Fix: Fix an issue that meant that any pipe-lined data read by Tomcat before an asynchronous request completed was lost during the completion of the asynchronous request. This mean that the pipe-lined request(s) would be lost and/or corrupted. (markt)
Update: Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33. (markt)
Jasper:
Fix: 57135: Package imports via javax.el.ImportHandler should only import public, concrete classes. (markt)
Fix: 57583: Cache 'Not Found' results in javax.el.ImportHandler.resolveClass() to save repeated attempts to load classes that are known not to exist to improve performance. (markt)
Fix: 57626: Correct a regression introduced in the 8.0.16 fix for ensuring Jars were closed after use, that broke recompilation of modified JSPs that depended on a tag file packaged in a Jar. (markt)
Fix: 57627: Correctly determine last modified times for dependencies when a tag file packaged in a JAR depends on a tag file packaged in a second JAR. (markt)
Fix: 57647: Ensure INFO message is logged when scanning jars for TLDs if the scan does not find a TLD in any jar. Previously a message would only be logged if a TLD was not found in all scanned jars. (jboynes)
Update: 57662: Update all references to the ECJ compiler to version 4.4.2. (violetagg)
Cluster:
Fix: Remove unnecessary method that always returns true. The domain filtering works on DomainFilterInterceptor. (kfujino)
WebSocket:
Fix: Correct a bug in the permessage-deflate implementation that meant that the incorrect op-codes were used if an uncompressed message was converted into more than one compressed message. (markt)
Add: 57676: List conflicting WebSocket endpoint classes when there is a path conflict. Based upon a patch proposed by yangkun. (schultz)
Web applications:
Fix: 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is used entered in the access log when Tomcat is running behind a reverse proxy. (markt)
Fix: 57587: Update the JNDI Datasource HOWTO for DBCP2. Patch provided by Phil Steitz. (markt)
Fix: Remove incorrect note from context configuration page in the documentation web application that stated WAR files located outside the appBase were never unpacked. (markt)
Fix: 57683: Ensure that if a client aborts their connection to the stock ticker example (the only way a client can disconnect), the example continues to work for existing and new clients. (markt)
Fix: Make it clear that when using digested passwords with DIGEST authentication that no salt and only a single iteration must be used when generating the digest. (markt)
Update: Update examples to use Apache Standard Taglib 1.2.5. (jboynes)
Extras:
Fix: 57377: Remove the restriction that prevented the use of SSL when specifying a bind address with the JMXRemoteLifecycleListener. Also enable SSL to be configured for the registry as well as the server. (markt)
Tribes:
Fix: When a map member has been added to ReplicatedMap, make sure to add it to backup nodes list of all other members. (kfujino)
Fix: Make sure that refuse the messages from a different domain in DomainFilterInterceptor. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.4.1. (kkolinko)
Fix: 57703: Update the http-method definition for web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. (markt)
Update: Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt)

New in Apache Tomcat 8.0.20 (Feb 20, 2015)

New in Apache Tomcat 7.0.59 (Feb 10, 2015)

New in Apache Tomcat 8.0.18 (Jan 28, 2015)

New in Apache Tomcat 8.0.17 Beta (Jan 21, 2015)

New in Apache Tomcat 8.0.15 Beta (Nov 13, 2014)

Catalina:
Add: 43548: Add an XML schema for the tomcat-users.xml file. (markt)
Add: 43682: Add support for referring to the current context, host and service name in per Context logging.properties files by using the properties ${classloader.webappName}, ${classloader.hostName} and ${classloader.serviceName}. (markt)
Add: 47919: Extend the information logged when Tomcat starts to optionally log the values of command line arguments (enabled by default) and environment variables (disabled by default). Note that the values added to CATALINA_OPTS and JAVA_OPTS environment variables will be logged, as they are used to build up the command line. (markt)
Add: 49939: Expose the method that clears the static resource cache for a web application via JMX. (markt)
Fix: 55951: Allow cookies to use UTF-8 encoded values in HTTP headers. This requires the use of the RFC6265 CookieProcessor. (markt)
Fix: 55984: Using the allow separators in version 0 cookies option with the legacy cookie processor should only apply to version 0 cookies. Version 1 cookies with values that contain separators should not be affected and should continue to be quoted. (markt)
Add: 56393: Add support for RFC6265 cookie parsing and generation. This is currently disabled by default and may be enabled via the CookieProcessor element of a Context. (markt)
Add: 56394: Introduce new configuration element CookieProcessor in Context to allow context-specific configuration of cookie processing options. Attributes of Context element that were added in Tomcat 8.0.13 to allow configuration of a new experimental RFC6265 based cookie parser (useRfc6265 and cookieEncoding) are replaced by this new configuration element. (markt)
Fix: Improve the previous fix for 56401. Avoid logging version information in the constructor since it then gets logged at undesirable times such as when using StoreConfig. (markt)
Fix: 56403: Add pluggable password derivation support to the Realms via the new CredentialHandler interface. (markt/schultz)
Fix: 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
Add: Deprecate the use of system proprties to control cookie parsing and replace them with attributes on the new CookieProcessor that may be configured on a per context basis. (markt)
Fix: Correct an edge case and allow a cookie if the value starts with an equals character and the CookieProcessor is not configured to allow equals characters in cookie values but is configured to allow name only cookies. (markt)
Fix: 57022: Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs. (markt)
Fix: 57027: Add additional validation for stored credentials used by Realms when the credential is stored using hex encoding. (markt)
Fix: 57038: Add a WebResource.getCodeBase() method, implement for all WebResource implementations and then use it in the web application class loader to set the correct code base for resources loaded from JARs and WARs. (markt)
Fix: Correct a couple of NPEs in the JNDI Realm that could be triggered with when not specifying a roleBase and enabling roleSearchAsUser. (markt)
Fix: Correctly handle relative values for the docBase attribute of a Context. (markt)
Fix: Ensure that log messages generated by the web application class loader correctly identify the associated Context when multiple versions of a Context with the same path are present. (markt)
Fix: Remove the unnecessary registration of context.xml as a redeploy resource. The context.xml having an external docBase has already been registered as a redeploy resource at first. (kfujino)
Fix: 57089: Ensure that configuration of a session ID generator is not lost when a web application is reloaded. (markt)
Fix: 57105: When parsing web.xml do not limit the buffer element of the jsp-property-group element to integer values as the allowed values are kb or none. (markt)
Update: Update the minimum required version of the Tomcat Native library (if used) to 1.1.32. (markt)
Fix: Update storeconfig with newly introduced elements: SessionIdGenerator, CookieProcessor, JarScanner and JarScanFilter. (remm)
Fix: Throw a NullPointerException if a null string is passed to the write(String,int,int) method of the PrintWriter obtained from the ServletResponse. (markt)
Fix: Cookie rewrite flag abbreviation should be CO rather than C. (remm)
Fix: 57153: When the StandardJarScanner is configured to scan the full class path, ensure that class path entries added directly to the web application class loader are scanned. (markt)
Fix: AsyncContext should remain usable until fireOnComplete is called. (remm)
Fix: AsyncContext createListener should wrap any instantiation exception using a ServletException. (remm)
Fix: 57155: Allow a web application to be configured that does not have a docBase on the file system. This is primarily intended for use when embedding. (markt)
Fix: Propagate header ordering from fileupload to the part implementation. (remm)
Coyote:
Add: 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. This feature requires Tomcat Native library 1.1.32 or later. (schultz/jfclere)
Code: Cache the Encoder instances used to convert Strings to byte arrays in the Connectors (e.g. when writing HTTP headers) to improve throughput. (markt)
Add: Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and NIO2). The change also ensures that SSLv2 is disabled for these connectors although SSLv2 should already be disabled by default by the JRE. (markt)
Add: Disable SSLv3 by default for the APR/native HTTPS connector. (markt)
Fix: Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
Fix: Trigger an error if an invalid attempt is made to use non-blocking IO. (markt)
Fix: 57157: Allow calls to AsyncContext.start(Runnable) during non-blocking IO reads and writes. (markt)
Fix: Async state MUST_COMPLETE should still be started. (remm)
Jasper:
Fix: 57099: Ensure that semi-colons are not permitted in JSP import page directives. (markt)
Fix: 57113: Fix broken package imports in Expression Language when more than one package was imported and the desired class was not in the last package imported. (markt)
Fix: 57132: Fix import conflicts reporting in Expression Language. (kkolinko)
Fix: When coercing an object to a given type, only attempt coercion to an array if both the object type and the target type are an array type. (violetagg/markt)
Fix: Improve handling of invalid input to javax.el.ImportHandler.resolveClass(). (markt)
Fix: Allow the same class to be added to an instance of javax.el.ImportHandler more than once without triggering an error. The second and subsequent calls for the same class will be ignored. (markt)
Fix: 57136: Ensure only \${ and \#{ are treated as escapes for ${ and #{ rather than \$ and \# being treated as escapes for $ and # when processing literal expressions in expression language. (markt)
Fix: When coercing an object to an array type in Expression Language, handle the case where the source object is an array of primitives. (markt/kkolinko)
Fix: Do not throw an exception on missing JSP file servlet initialization. (remm)
Fix: 57148: When coercing an object to a given type and a PropertyEditor has been registered for the type correctly coerce the empty string to null if the PropertyEditor throws an exception. (kkolinko/markt)
Fix: 57153: Correctly scan for TLDs located in directories that represent exanded JARs files that have been added to the web application class loader's class path. (markt)
Fix: 57141: Enable EL in JSPs to refer to static fields of imported classes including the standard java.lang.* imports. (markt)
Cluster:
Fix: Add support for the SessionIdGenerator to cluster manager template. (kfujino)
Fix: Avoid possible integer overflows reported by Coverity Scan. (fschumacher)
WebSocket:
Fix: 57054: Correctly handle the case in the WebSocket client when the HTTP response to the upgrade request can not be read in a single pass; either because the buffer is too small or the server sent the response in multiple packets. (markt)
Add: Extend support for the permessage-deflate extension to the client implementation. (markt)
Fix: Fix client subprotocol handling. (remm)
Fix: Add null checks for arguments in remote endpoint. (remm/kkolinko)
Fix: 57091: Work around the behaviour of the Oracle JRE when creating new threads in an applet environment that breaks the WebSocket client implementation. Patch provided by Niklas Hallqvist. (markt)
Fix: 57118: Ensure that that an EncodeException is thrown by RemoteEndpoint.Basic.sendObject(Object) rather than an IOException when no suitable Encoder is configured for the given Object. (markt)
Web applications:
Fix: Correct a couple of broken links in the Javadoc. (markt)
Fix: Correct documentation for ServerCookie.ALLOW_NAME_ONLY system property. (kkolinko)
Fix: 57049: Clarified that jvmRoute can be set in 's jvmRoute or in a system property. (schultz)
Fix: Correct version of Java WebSocket mentioned in documentation (s/1.0/1.1/). (markt/kkolinko)
Update: Suppress timestamp comments in Javadoc. (kkolinko)
Fix: 57147: Various corrections to the JDBC Store section of the session manager configuration page of the documentation web application. (markt)
Tribes:
Fix: 45282: Improve shutdown of NIO receiver so that sockets are closed cleanly. (fhanik/markt)
jdbc-pool:
Fix: 57005: Fix javadoc errors when building with Java 8. Patch provided by Pierre Viret. (markt)
Fix: 57079: Use Tomcat version number for jdbc-pool module when building and shipping the module as part of Tomcat. (markt)
Fix: Fix broken overview page in javadoc generated via "javadoc" task in jdbc-pool build.xml file. (kkolinko)
Other:
Fix: 56079: The uninstaller packaged with the Apache Tomcat Windows installer is now digitally signed. (markt)
Fix: Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format instead of 12-hour one and use UTC timezone. (markt/kkolinko)
Fix: Update the package renamed copy of Apache Commons DBCP 2 to revision 1631450 to pick up additional fixes since the 2.0.1 release including Javadoc corrections to fix errors when compiling with Java 8. (markt)
Update: 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
Code: In Tomcat tests: log name of the current test method at start time. (kkolinko)

New in Apache Tomcat 7.0.56 (Oct 15, 2014)

Catalina:
fix When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
fix Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
fix 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
fix 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
fix 56771: When lookup for a resource in all the alternate or backup javax.naming.directory.DirContext, javax.naming.NameNotFoundException will be thrown at the end of the search if the resource is not available in these alternate or backup javax.naming.directory.DirContext. Based on a patch by Sheldon Shao. (violetagg)
fix 56796: Remove unnecessary sleep when stopping a web application. (markt)
fix 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (kkolinko)
fix 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
fix 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
code 56882: Add testcase for processing of forwards and includes when Context have been reloaded. (kkolinko)
fix 56900: Fix some potential resource leaks when reading property files reported by Coverity Scan. Based on patches provided by Felix Schumacher. (markt)
fix 56902: Fix a potential resource leak in the Default Servlet reported by Coverity Scan. Based on a patch provided by Felix Schumacher. (markt)
fix 56903: Correct the return value for StandardContext.getResourceOnlyServlets() so that multiple names are separated by commas. Identified by Coverity Scan and fixed based on a patch by Felix Schumacher. (markt)
fix Fixed the multipart elements merge operation performed during web application deployment. Identified by Coverity Scan. (violetagg)
fix Correct the information written by ExtendedAccessLogValve when a format token x-O(XXX) is used so that multiple values for a header XXX are separated by commas. Identified by Coverity Scan. (violetagg)
fix Fix a potential resource leak when reading MANIFEST.MF file for extension dependencies reported by Coverity Scan. (violetagg)
fix Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
fix Fix some potential resource leaks when reading properties, files and other resources. Reported by Coverity Scan. (violetagg)
fix When using parallel deployment and undeployOldVersions feature is enabled on a Host, correctly undeploy context of old version. Make sure that Tomcat does not undeploy older Context if current context is not running. (kfujino)
fix When deploying war, add XML file in the config base to the redeploy resources if war does not have META-INF/context.xml or deployXML is false. If XML file is created in the config base, redeploy will occur. (kfujino)
code Various changes to reduce unnecessary code in Tomcat's copy of Apache Commons BCEL to reduce the time taken for annotation scanning when web applications start. Includes contributions from kkolinko and hzhang9. (markt)
fix 56938: Ensure web applications that have mixed case context paths and are deployed as directories are correctly removed on undeploy when running on a case sensitive file system. (markt)
add 57004: Add stuckThreadCount property to StuckThreadDetectionValve's JMX bean. Patch provided by Jiří Pejchal. (schultz)
fix 57011: Ensure that the request and response are correctly recycled when processing errors during async processing. (markt)
fix 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
Coyote:
fix 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
fix 56910: Prevent the invalid value of -1 being used for maxConnections with APR connectors. (markt)
fix Ensure that AjpNioProtocol and AjpAprProtocol enable the KeepAliveTimeout. (kfujino)
Jasper:
fix 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko)
fix 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
fix Correct a logic error in the JasperElResolver. There was no functional impact but the code was less efficient as a result of the error. Based on a patch by martinschaef. (markt)
fix Ensure that the implementation of javax.servlet.jsp.PageContext.include(String) and javax.servlet.jsp.PageContext.include(String, boolean) will throw IOException when an I/O error occur during the operation. (violetagg)
fix 56908: Fix some potential resource leaks when reading jar files. Reported by Coverity Scan. Based on patch provided by Felix Schumacher. (violetagg)
fix 56991: Deprecate the use of a request attribute to pass a declaration to Jasper and prevent an infinite loop if this technique is used in conjunction with an include. (markt)
fix Fix a potential resource leak in JDTCompiler when checking wether a resource is a package. Reported by Coverity Scan. (fschumacher)
WebSocket:
code 56446: Clearer handling of exceptions when calling a method on a POJO based WebSocket endpoint. Based on a suggestion by Eugene Chung. (markt)
fix 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
fix 56905: Make destruction on web application stop of thread group used for WebSocket connections more robust. (kkolinko/markt)
fix 56907: Ensure that client IO threads are stopped if a secure WebSocket client connection fails. (markt)
fix When a WebSocket client attempts to write to a closed connection, handle the resulting IllegalStateException in a manner consistent with the handling of an IOException. (markt)
add Add support for the permessage-deflate extension. This is currently limited to decompressing incoming messages on the server side. It is expected that support will be extended to outgoing messages and to the client side shortly. (markt)
add Extend support for the permessage-deflate extension to compression of outgoing messages on the server side. (markt)
fix 56982: Return the actual negotiated extensions rather than an empty list for Session.getNegotiatedExtensions(). (markt)
update Update the WebSocket implementation to support the Java WebSocket specification version 1.1. (markt)
Web applications:
fix Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
update Update the Windows authentication documentation after some additional testing to answer the remaining questions. (markt)
fix Correct a couple of broken links in the Javadoc. (markt)
Other:
add 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
add 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
fix 56895: Correctly compose JAVA_OPTS in catalina.bat so that escape sequences are preserved. Patch by Lucas Theisen. (markt)
update 56988: Allow to use relative path in base.path setting when building Tomcat. (kkolinko)
fix 56990: Ensure that the ide-eclipse build target downloads all the libraries required by the default Eclipse configuration files and configures Eclipse to use Java 6 for the project. Add build target ide-eclipse-websocket that creates a separate linked project that compiles websocket classes of Tomcat 7 with Java 7 compiler. (kkolinko)

New in Apache Tomcat 8.0.14 Beta (Sep 30, 2014)

New in Apache Tomcat 8.0.12 Beta (Sep 3, 2014)

New in Apache Tomcat 8.0.11 Beta (Aug 27, 2014)

Catalina:
Fix: 56658: Fix regression that a context was inaccessible after reload. (kkolinko)
Fix: 56710: Do not map requests to servlets when context is being reloaded. (kkolinko)
Fix: 56712: Fix session idle time calculations in PersistenceManager. (kkolinko)
Fix: 56717: Fix duplicate registration of MapperListener during repeated starts of embedded Tomcat. (kkolinko)
Add: 56724: Write an error message to Tomcat logs if container background thread is aborted unexpectedly. (kkolinko)
Fix: When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
Fix: Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
Fix: 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
Fix: 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
Fix: 56784: Fix a couple of rare but theoretically possible atomicity bugs. (markt)
Fix: 56785: Avoid NullPointerException if directory exists on the class path that is not readable by the Tomcat user. (markt)
Fix: 56796: Remove unnecessary sleep when stopping a web application. (markt)
Fix: 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (markt)
Fix: 56815: When the gzip option is enabled for the DefaultServlet ensure that a suitable Vary header is returned for resources that might be returned directly in compressed form. (markt)
Fix: Do not mark threads from the container thread pool as container threads when being used to process AsyncContext.start(Runnable) so processing is correctly transferred back to a genuine container thread when necessary. (markt)
Add: Add simple caching for calls to StandardRoot.getResources() in the new (for 8.0.x) resources implementation. (markt)
Fix: 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
Fix: 56840: Avoid NPE when the rewrite valve is mapped to a context. (remm)
Fix: Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
Fix: 56848: Improve handling of accept-language headers. (markt)
Fix: 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
Coyote:
Fix: Fix NIO2 sendfile state tracking and error handling to fix various corruption issues. (remm)
Fix: Missing timeout for NIO2 sendfile writes. (remm)
Fix: Allow inline processing for NIO2 sendfile and optimize keepalive behavior. (remm)
Fix: Fix excessive NIO2 sendfile direct memory use in some cases, sendfile will now instead use the regular socket write buffer as configured. (remm)
Fix: 56661: Fix getLocalAddr() for AJP connectors. The complete fix is only available with a recent AJP forwarder like the forthcoming mod_jk 1.2.41. (rjung)
Fix: Use default ciphers defined as HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 so that no weak ciphers are enabled by default. (remm)
Fix: 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
Fix: 56810: Remove use of Java 8 specific API calls in unit tests for OpenSSL to JSSE cipher conversion. (markt)
Jasper:
Fix: 56709: Fix system property name in a log message. Submitted by Robert Kish. (remm)
Fix: 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
WebSocket:
Fix: 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
Web applications:
Fix: Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
jdbc-pool:
Fix: 53088: More identifiable thread name. (fhanik)
Fix: 53200: Selective logging for slow versus failed queries. (fhanik)
Fix: 53853: More flexible classloading. (fhanik)
Fix: 54225: Disallow empty init SQL. (fhanik)
Fix: 54227: Evaluate max age upon borrow. (fhanik)
Fix: 54235: Disallow nested pools exploitating using data source. (fhanik)
Fix: 54395: Fix JDBC interceptor parsing bug. (fhanik)
Fix: 54537: Performance improvement in StatementFinalizer. (fhanik)
Fix: 54978: Make sure proper connection validation always happens, regardless of config. (fhanik)
Fix: 56318: Ability to trace statement creation in StatementFinalizer. (fhanik)
Fix: 56789: getPool() returns the actual pool, always. (fhanik)
Other:
Add: 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
Add: 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)

New in Apache Tomcat 7.0.55 (Aug 22, 2014)

New in Apache Tomcat 7.0.54 (May 28, 2014)

New in Apache Tomcat 8.0.1 Beta (Feb 4, 2014)

New in Apache Tomcat 8.0.0 RC10 (Jan 14, 2014)

Catalina:
Add: Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes contributions from Nick Williams and Jeremy Boynes. (markt)
Add: Implement JSR 245 MR2 - JSP 2.3. (markt)
Add: Implement JSR 341 - Unified Expression Language 3.0. (markt)
Add: Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. (markt)
Update: 46727: Refactor default servlet to make it easier to sub-class to implement finer grained control of the file encoding. Based on a patch by Fred Toth. (markt)
Add: 45995: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
Code: Remove duplicate code that converted a Host's appBase attribute to a canonical file. (markt)
Code: 51408: Replace calls to Charset.defaultCharset() with an explicit reference to the ISO-8859-1 Charset. (markt)
Code: Refactor initialization code to use a single, consistent approach to determining the Catalina home (binary) and base (instance) directories. The search order for home is catalina.home system property, parent of current directory if boootstrap.jar is present and finally current working directory. The search order for Catalina base is catalina.base system property falling back to the value for Catalina home. (markt)
Update: 52092: JULI now uses the OneLineFormatter and AsyncFileHandler by default. (markt)
Fix: 52558: Refactor CometConnectionManagerValve so that it does not prevent the session from being serialized in when running in a cluster. (markt)
Fix: 52767: Remove reference to MySQL specific autoReconnect property in JDBCAccessLogValve. (markt)
Code: Make the Mapper type-safe. Hosts, Contexts and Wrappers are no longer handled as plain objects, instead they keep their type. Code using the Mapper doesn't need to cast objects returned by the mapper. (rjung)
Code: Move Manager, Loader and Resources from Container to Context since Context is the only place they are used. The documentation already states (and has done for some time) that Context is the only valid location for these nested components. (markt)
Code: Move the Mapper from the Connector to the Service since the Mapper is identical for all Connectors of a given Service and it is common for there to be multiple Connectors for a Service (http, https and ajp). This means there is now only ever one Mapper per Service rather than possibly multiple identically configured Mapper objects. (markt)
Code: Remove the per Context Mapper objects and use the Mapper from the Service. This removes the need to maintain two copies of the mappings for Servlets and Filters. (markt)
Add: Implement a new Resources implementation that merges Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories into a single framework rather than a separate one for each feature. (markt)
Add: URL rewrite valve, similar in functionality to mod_rewrite. (remm)
Add: Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm)
Add: 54095: Add support to the Default Servlet for serving gzipped versions of static resources directly from disk as an alternative to Tomcat compressing them on each request. Patch by Philippe Marschall. (markt)
Fix: 54708: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt)
Add: Change default configuration so that a change to the global web.xml file will trigger a reload of all web applications. (markt)
Fix: 55101: Make BASIC authentication more tolerant of whitespace. Patch provided by Brian Burch. (markt)
Fix: 55166: Move JSP descriptor and tag library descriptor schemas to servlet-api.jar to enable relative references between the schemas to be correctly resolved. (markt)
Code: Refactor the descriptor parsing code into a separate module that can be used by both Catalina and Jasper. Includes patches provided by Jeremy Boynes. (violetagg/markt)
Code: 55246: Move TLD scanning to a ServletContainerInitializer provided by Jasper. Includes removal of TldConfig lifecycle listener and associated Context properties. (jboynes)
Add: 55317: Facilitate weaving by allowing ClassFileTransformer to be added to WebppClassLoader. Patch by Nick Williams. (markt)
Fix: 55620: Enable Tomcat to start when either $CATALINA_HOME and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt)
Code: Initialize the JSP runtime in Jasper's initializer to avoid need for a Jasper-specific lifecycle listener. JasperListener has been removed. (jboynes)
Fix: Change ordering of elements of JMX objects names so components are grouped more logically in JConsole. Generally, components are now grouped by Host and then by Context. (markt)
Coyote:
Add: Experimental support for SPDY. Includes contributions from Sheldon Shao. (costin)
Code: The default connector is now the Java NIO connector even when specifying HTTP/1.1 as protocol (fhanik)
Code: Update default value of pollerThreadCount for the NIO connector. The new default value will never go above 2 regardless of available processors. (fhanik)
Fix: 54010: Remove some unnecessary code (duplicate calls to configure the scheme as https for AJP requests originally received over HTTPS). (markt)
Code: Refactor char encoding/decoding using NIO APIs. (remm)
Update: Change the default URIEncoding for all connectors from ISO-8859-1 to UTF-8. (markt)
Jasper:
Code: Simplify API of ErrorDispatcher class by using varargs. (kkolinko)
Code: Update Jasper to use the new common web.xml parsing code. Includes patches by Jeremy Boynes. (markt/violetagg)
Add: Create test cases for JspC. Patch by Jeremy Boynes. (markt)
Code: 55246: TLD scanning is now performed by JasperInitializer (a ServletContainerInitializer) removing the need for support within the Servlet container itself. The scan is now performed only once rather than in two passes reducing startup time. (jboynes)
Fix: 55251: Do not allow JspC task to fail silently if the web.xml or web.xml fragment can not be generated. (markt)
Cluster:
Code: Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. (kfujino)
Code: Modify method signature in ReplicationValve. Cluster instance is not necessary to argument of method. (kfujino)
Code: Remove unused expireSessionsOnShutdown attribute in org.apache.catalina.ha.session.BackupManager. (kfujino)
Web applications:
Add: Extend the diagnostic information provided by the Manager web application to include details of the configured SSL ciphers suites for each connector. (markt)
Update: 48550: Update examples web application to use UTF-8. (markt)
Update: 55383: Improve the design and correct the HTML markup of the documentation web application. Patches provided by Konstantin Preißer. (markt)
Tribes:
Code: Refactor AbstractReplicatedMap to use generics. A key side-effect of this is that the class now implements Map rather than extends ConcurrentMap. (markt)
Other:
Code: Remove unused, deprecated code. (markt)
Code: Remove static info String and associated getInfo() method where present. (markt)
Update: (r1353242, r1353410): Remove Ant tasks jasper2 and jkstatus. The correct names are jasper and jkupdate. (kkolinko)
Fix: 53529: Clean-up the handling of InterruptedException throughout the code base. (markt)
Add: 54899: Provide an initial implementation of NetBeans support. Patch provided by Brian Burch. (markt)
Fix: 55166: Move the JSP descriptor and tag library descriptor schema defintion files from jsp-api.jar to servlet-api.jar so relative includes between the J2EE, Servlet and JSP schemas are correctly resolved. (markt)
Fix: 55372: When starting Tomcat with the jpda option to enable remote debugging, by default only listen on localhost for connections from a debugger. Prior to this change, Tomcat listened on all known addresses. (markt)

New in Apache Tomcat 7.0.50 (Jan 9, 2014)

Catalina:
fix Handle the case where a context.xml file is added to a web application deployed from a directory. Previously the file was ignored until Tomcat was restarted. Now (assuming automatic deployment is enabled) it will trigger a redeploy of the web application. (markt)
fix Fix string comparison in HostConfig.setContextClass(). (kkolinko)
code Streamline handling of WebSocket messages whe no handler is configured for the message currently being received. (markt)
fix Handle the case where a WebSocket annotation configures a message size limit larger than the default permitted by Tomcat. (markt)
fix 55855: This is a partial fix that bypasses the relatively expensive check for a WebSocket upgrade request if no WebSocket endpoints have been registered. (markt)
fix 55905: Prevent a NPE when web.xml references a taglib file that does not exist. Provide better error message. (violetagg)
Coyote:
fix When using the BIO connector with an internal executor, do not display a warning that the executor has not shutdown as the default configuration for BIO connectors is not to wait. This is because threads in keep-alive connections cannot be interrupted and therefore the warning was nearly always displayed. (markt)
Jasper:
fix JspC uses servlet context initialization parameters to pass configuration so ensure that the servlet context used supports initialization parameters. (markt)
Cluster:
fix In AbstractReplicatedMap#finalize, remove rpcChannel from channel Listener of group channel before sending MapMessage.MSG_STOP message. This prevents that the node that sent the MapMessage.MSG_STOP by normal shutdown is added to member map again by ping at heartbeat thread in the node that received the MapMessage.MSG_STOP. (kfujino)
fix Add time stamp to GET_ALL_SESSIONS message. (kfujino)
Web applications:
fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent warning log. uniqueId must be 16 bytes. (kfujino)
Extras:
update Update dependencies that are used to build tomcat-juli extras component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to version 1.2.17. (rjung)

New in Apache Tomcat 8.0.0 RC5 (Oct 25, 2013)

New in Apache Tomcat 7.0.47 (Oct 25, 2013)

New in Apache Tomcat 8.0.0 RC3 (Oct 1, 2013)

New in Apache Tomcat 8.0.0 RC1 (Aug 12, 2013)

New in Apache Tomcat 7.0.42 (Jul 6, 2013)

Catalina:
fix Enforce the restriction described in section 4.4 of the Servlet 3.0 specification that requires the new pluggability methods only to be available to ServletContextListeners defined in one of the specified ways. (markt)
fix Better handle FORM authentication when requesting a resource as an unauthenticated user that is only protected for a sub-set of HTTP methods that does not include GET. (markt)
fix 53777: Add support for a JAAS Realm instance to use a dedicated configuration rather than the JVM global JAAS configuration. This is most likely to be useful for per web application JAAS Realms. Based on a patch by eolivelli. (markt)
fix 54745: Fix JAR file scanning when Tomcat is deployed via Java Web Start. Patch provided by Nick Williams. (markt)
add 55017: Add the ability to configure the RMI bind address when using the JMX remote lifecycle listener. Patch provided by Alexey Noskov. (markt)
fix 55071: Ensure original exception is reported if JDBC Realm fails to read a user's credentials. (markt)
fix 55073, 55108, 55109, 55110, 55158 & 55159: Small performance improvements. Patches provided by Adrian Nistor. (markt/violetagg)
add 55102: Add support for time to first byte in the AccessLogValve. Patch provided by Jeremy Boynes. (markt)
fix 55125: If the Server container fails to start, don't allow the Catalina wrapper to start (used when running from the command line and when running as a service) since Tomcat will not be able to do any useful work. (markt)
fix Update the JreMemoryLeakPreventionListener to take account of changes in the behaviour of java.beans.Introspector.flushCaches() and sun.awt.AppContext.getAppContext() in Java 7. (markt)
fix Avoid WARNING log message of Users:type=UserDatabase,database=UserDatabase at Tomcat shutdown. (pero)
fix Avoid ClassCastException when an asynchronous dispatch is invoked in an asynchronous cycle which is started by a call to ServletRequest.startAsync(ServletRequest,ServletResponse) where ServletRequest/ServletResponse are custom implementations. (violetagg)
fix Correct a regression introduced in 7.0.39 (refactoring of base 64 encoding and decoding) that broke the JNDI Realm when userPassword was set and passwords were hashed with MD5 or SHA1. (markt/kkolinko)
fix Correct the mechanism for the path calculation in AsyncContext.dispatch(). (violetagg)
fix 55155: Avoid constant focus grabbing when running the Tomcat unit tests under Java 6 on OSX. Patch provided by Casey Lucas. (markt)
fix 55160: Don't ignore connectionUploadTimeout setting when using HTTP NIO connector. (markt)
fix 55176: Correctly handle regular expressions within SSI expressions that contain an equals character. (markt)
Coyote:
fix 55177: Correctly handle infinite soTimeout for BIO HTTP connector. Based on a patch by Nick Bunn. (markt)
fix 55180: Correctly handle infinite soTimeout when disableUploadTimeout is set to false. Patch provided by Nick Bunn. (violetagg)
Cluster:
fix Delete leftover of war file from tempDir when removing invalid FileMessageFactory. (kfujino)
fix Ensure that the keepAlive of NioSender works correctly when keepAliveCount/keepAliveTime is set to a value greater than 0. (kfujino)
add Add logging of when a member is unable to join the cluster. (kfujino)
fix Replace Tribes's TaskQueue as executor's workQueue in order to ensure that executor's maxThread works correctly. (kfujino)
fix 54086: Fix an additional code path that could lead to multiple threads attempting to modify the same selector key set. (markt)
Web applications:
add Complete the document for MessageDispatch15Interceptor. (kfujino)
add 53655: Document the circumstances under which Tomcat will add a javax.mail.Authenticator to mail sessions created via a JNDI resource. (markt)
fix 55179: Correct the Javadoc for the remote IP valve so the correct name is used to refer to the proxiesHeader property. (markt)
jdbc-pool:
fix 55031: Fixed Export-Package header and uses directives in MANIFEST.MF. Change the version for package org.apache.juli.logging to "0" in Import-Package header. Thus any version of that package can be used. Patch provided by Martin Lichtin. (violetagg)
Other:
update Update Maven Cental location used to download dependencies at build time to be repo.maven.apache.org. (kkolinko)
update Update JUnit to version 4.11. Configure separate download for Hamcrest 1.3 core library as its classes are no longer included in junit.jar. (kkolinko)
fix 54013: When using a forced stop, allow a short period of time (5s) for the process to die before returning. Patch provided by mukarram.baig. (markt)
fix 55119: Ensure that the build process produces Javadoc that is not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler. (markt)

New in Apache Tomcat 7.0.41 (Jun 11, 2013)

New in Apache Tomcat 6.0.37 (May 9, 2013)

New in Apache Tomcat 7.0.40 (May 9, 2013)

New in Apache Tomcat 7.0.39 (Mar 27, 2013)

Catalina:
Ensure a log message is generated when a web application fails to start due to an error processing a ServletContainerInitializer. (markt)
Prevent NPE in JAR scanning when running in an environment where the bootstrap class loader is not an ancestor of the web application class loader such as OSGi environments. (violetagg)
Ensure that, if a call to UEncoder#encodeURL is made, all internal structures are properly cleaned. (violetagg)
add 54660: Enable the modification of an access log's fileDateFormat attribute while the access log is in use. The change will take effect when the next entry is made to the access log. (markt)
update Update Tomcat's internal copy of Commons FileUpload to FileUpload trunk, revision 1458500 and the associated extract from Commons IO to 2.4. (markt)
54702: Prevent file descriptors leak and ensure that files are closed when parsing web application deployment descriptors. (violetagg)
54707: Further relax the parsing of DIGEST authentication headers to allow for buggy clients that quote values that RFC2617 states should not be quoted. (markt/kkolinko)
Enable support for MBeans with multiple operations with the same name but different signatures. (markt)
code Deprecate Tomcat's internal Base 64 encoder/decoder and switch to using a package renamed copy of the Commons Codec implementation. (markt)
Ensure that StandardJarScanner#scan will use the provided class loader when scanning the class loader hierarchy. (violetagg)
Coyote:
54690:a regression caused by the previousfor 54406. If no values are specified for sslEnabledProtocols or ciphers use the default values for server sockets rather than the default values for client sockets. (markt)
Web applications:
update Correct Deployer, Manager and Context pages of Tomcat documentation. (kkolinko)
jdbc-pool:
52318: Version for imported package org.apache.juli.logging is extended to include also 7.0.x versions. Theis applicable only when running in OSGi environment. Patch provided by Martin Lichtin. (violetagg)
54599: Do not print connection password in PoolProperties.toString(). Based on a patch by Daniel Mikusa. (kkolinko)
54684: Add javax.naming.spi to Import-Package header in MANIFEST.MF in order to resolve ClassNotFoundException when running in OSGi environment. (violetagg)
Other:
Update to Apache Commons Daemon 1.0.14 to resolve 54609 which meant that installation of Windows service could fail producing incorrect service launch command. (mturk)
Ensure HEAD requests return the correct content length when the requested resource uses a Writer. Patch by Nick Williams. (markt)

New in Apache Tomcat 7.0.37 (Feb 18, 2013)

New in Apache Tomcat 7.0.35 (Jan 16, 2013)

54247: Prevent ClassNotFoundExceptions on stop when running as a service. (markt)
fix 54249: Ensure resource properties are available when the context path contains encoded characters such as a space. This triggered compilation issues in Jasper. Patch provided by Polina Genova. (markt)
fix 54256: Improve error reporting when a JAR file fails extension validation by including the name of the JAR file in the exception. (markt)
fix Allow web applications to be stopped cleanly even if filters throw exceptions when their destroy() method is called. (markt/kkolinko)
fix Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one. (kkolinko)
code Cleanup method cache lookup code in SecurityUtil class. (kkolinko)
add Make the Tomcat 7 non-JSR356 WebSocket implementation non-blocking (where supported by the connector) between the HTTP upgrade and the first WebSocket message from the client to the server. (markt)
fix 54262: Ensure that an empty element in the main web.xml file disables scanning for web fragments. Based on a patch by Violeta Georgieva. (markt)
fix 54284: As per clarification from the Servlet EG, anonymous Filters and Servlets are not permitted. Patch by Violeta Georgieva. (markt)
fix 54371: Prevent exceptions when processing web fragments for unexpanded WAR files when the context path contains characters that need to be encoded in URLs such as spaces. Based on a patch by Polina Genova. (markt)
add 54372: Make HTTP Digest authentication header parsing tolerant of invalid headers sent by known buggy clients. (markt)
fix 54377: Correctly set request attributes for AccessLog in RemoteIpFilter. Patch by Violeta Georgieva. (markt)
fix 54379: Implement support for post-construct and pre-destroy elements in web.xml. Patch by Violeta Georgieva. (markt)
fix 54380: Do not try to register servlets or contexts into the mapper too early (which just caused a warning to be logged). (kkolinko)
fix Fix NPE in WebappLoader.stopInternal when stop is called after a failed start. (kkolinko)
add 54381: Add support for receiving WebSocket pong messages. (markt)
fix 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
fix Fix ArrayIndexOutOfBoundsException in HttpParser when parsing incorrect HTTP headers. (kkolinko)
fix 54387: Deployment must fail when multiple servlets are mapped to the same url-pattern. (markt)
fix 54391: Provide a value for the javax.servlet.context.orderedLibs attribute. (markt)

New in Apache Tomcat 7.0.32 (Oct 8, 2012)

New in Apache Tomcat 7.0.6 (Jan 27, 2011)

General:
Update to Commons Daemon 1.0.5. (mturk)
Catalina:
8705: org.apache.catalina.SessionListener now extends java.util.EventListener. (markt)
10526: Add an option to the Authenticators to force the creation of a session on authentication which may offer some performance benefits. (markt)
10972: Improve error message if the className attribute is missing on an element in server.xml where it is required. (markt)
48692: Provide option to parse application/x-www-form-urlencoded PUT requests. (schultz)
48822: Include context name in case of error while stopping or starting a context during its reload. Patch provided by Marc Guillemot. (slaurent)
48837: Extend thread local memory leak detection to include classes loaded by subordinate class loaders to the web application's class loader such as the Jasper class loader. Based on a patch by Sylvain Laurent. (markt)
48973: Avoid creating a SESSIONS.ser file when stopping an application if there's no session. Patch provided by Marc Guillemot. (slaurent)
49000: No longer accept specification invalid name only cookies by default. This behaviour can be restored using a system property. (markt)
49159: Improve memory leak protection by renewing threads of the pool when a web application is stopped. (slaurent)
49372: Re-fix after connector re-factoring. If connector initialisation fails (e.g. if a port is alreasy in use) do not trigger an LifecycleException for an invalid state transition. (markt)
49543 Allow Tomcat to use shared data sources with per application credentials. (fhanik)
49650: Remove unnecessary entries package.access property defined in catalina.properties. Patch provided by Owen Farrell. (markt)
50106: Correct several MBean descriptors. Patch provided by Eiji Takahashi. (markt)
Further performance improvements to session ID generation. Remove legacy configuration options that are no longer required. Provide additional options to control the SecureRandom instances used to generate session IDs. (markt)
50201: Update the access log reference in StandardEngine when the ROOT web application is redeployed, started, stopped or defaultHost is changed. (markt/kkolinko)
50282: Load javax.security.auth.login.Configuration with JreMemoryLeakPreventionListener to avoid memory leak when stopping a web application that would use JAAS. (slaurent)
50351: Fix the regression that broke BeanFactory resources caused by the previous fix for 50159. (markt)
50352: Ensure that AsyncListener.onComplete() is fired when AsyncContext.complete() is called. (markt)
50358: Set the correct LifecycleState when stopping instances of the deprecated Embedded class. (markt)
Further Lifecycle refactoring for Connectors and associated components. (markt)
Correct handling of versioned web applications in deployer. (markt)
Correct removal of LifeCycleListenters from Containers via JMX. (markt)
Don't use nulls to construct log messages. (markt)
Code clean-up. Replace use of inefficient constructors with more efficient alternatives. (markt)
50411: Ensure sessions are removed from the Store associated with a PersistentManager. (markt)
50413: Ensure 304 responses are not returned when using static files as error pages. (markt/kkolinko)
50448: Fix possible IllegalStateException caused by recent session management refactoring. (markt)
Ensure aliases settings for a context are retained after a context is reloaded. (markt)
Log a warning if context.xml files define values for properties that do not exist (e.g. if there is a typo in a property name). (markt)
50453: Correctly handle multiple X-Forwarded-For headers in the RemoteIpFilter and RemoteIpValve. Patch provided by Jim Riggs. (markt)
50541: Add support for setting the size limit and time limit for LDAP seaches when using the JNDI Realm with userSearch. (markt)
All configuration options that use regular expression now require a single regular expression (using java.util.regex) rather than a list of comma-separated or semi-colon-separated expressions. (markt)
50496: Bytes sent in the access log are now counted after compression, chunking etc rather than before. (markt)
50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt)
50554: Code clean up. (markt)
50556: Improve JreMemoryLeakPreventionListener to prevent a potential class loader leak caused by a thread spawned when the class com.sun.jndi.ldap.LdapPoolManager is initialized and the system property com.sun.jndi.ldap.connect.pool.timeout is set to a value greater than 0. (slaurent)
Coyote:
47319: Return the client's IP address rather than null for calls to getRemoteHost() when the APR connector is used with enableLookups="true" but the IP address is not resolveable. (markt)
50108: Add get/set methods for Connector property minSpareThreads. Patch provided by Eiji Takahashi. (markt)
50360: Provide an option to control when the socket associated with a connector is bound. By default, the socket is bound on Connector.init() and released on Connector.destroy() as per the current behaviour but this can be changed so that the socket is bound on Connector.start() and released on Connector.stop(). This fix also includes further Lifecycle refactoring for Connectors and associated components. (markt)
Remove a huge memory leak in the NIO connector introduced by the fix for 49884. (markt)
50467: Protected against NPE triggered by a race condition that causes the NIO poller to fail, preventing the processing of further requests. (markt)
Jasper:
13731: Make variables in _jspService() method final where possible. (markt)
50408: Fix NoSuchMethodException when using scoped variables with EL method invocation. (markt)
50460: Avoid leak caused by using a cached exception instance in JspDocumentParser and ProxyDirContext. (kkolinko)
50500: Use correct coercions (as per the EL spec) for arithmetic operations involving string values containing '.', 'e' or 'E'. Based on a patch by Brian Weisleder. (markt)
Cluster:
50185: Add additional trace level logging to Tribes to assist with fault diagnosis. Based on a patch by Ariel. (markt)
Don't try and obtain session data from the cluster if the current node is the only node in the cluster. Log requesting session data as INFO rather than WARNING. (markt)
50503: When web application has a version, Engine level Clustering works correctly. (kfujino)
50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)
Web applications:
21157: Ensure cookies are written before the response is commited in the Cookie example. Patch provided by Stefan Radzom. (markt)
50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
Correctly validate provided context path so sessions for the ROOT web application can be viewed through the HTML Manager. (markt)
Improve documentation of database connection factory. (rjung)
50488: Update classpath required when using jsvc and add a note regarding server VMs. (markt)
Further filtering of Manager display output. (kkolinko)
Other:
Don't configure Windows installer to use PID file since it is not removed when the service stops which prevents the service from starting. (markt)
14416: Make TagLibraryInfo.getTag() more robust at handling nulls. (markt)
50552: Avoid NPE that hides error message when using Ant tasks. (schultz)
Provide two alternative locations for the libraries downloaded from the ASF web site at build time. Use the main distribution site as default and the archive one as fallback. (kkolinko)

New in Apache Tomcat 7.0.0 (Jun 30, 2010)

Catalina:
Update Servlet support to the Servlet 3.0 specification. (all)
Improve and document VirtualWebappLoader. (rjung)
43642:prestartminSpareThreads attribute for Executor. (jfclere)
Switch from AnnotationProcessor to InstanceManager. Patch provided by David Jecks with modifications by Remy. (remm/fhanik)
r620845 and r669119. Make shutdown address configurable. (jfclere)
r651977some missing control checks to ThreadWithAttributes. (markt)
r677640a startup class that does not require any configuration files. (costin)
r700532 Log if temporary file operations within the CGI servlet fail. Make sure header Reader is closed on failure. (markt)
r708541 Delete references to DefaultContext which was removed in 6.0.x. (markt)
r709018 Initial implementation of an asynchronous file handler for JULI. (fhanik)
Give session thisAccessedTime and lastAccessedTime clear semantics. (rjung)
Expose thisAccessedTime via Session interface. (rjung)
Provide a log format for JULI that provides the same information as the default but on a single line. (markt)
r723889 Provide the ability to configure the Executor job queue size and a timeout for adding jobs to the queue. (fhanik)
Add support for aliases to StandardContext. This allows content from other directories and/or WAR files to be mapped to paths within the context. (markt)
Provide clearer definition of Lifecycle interface, particularly start and stop, and align components that implement Lifecycle with this definition. (markt)
48662: Provide a new option to control the copying of context XML descriptors from web applications to the host's xmlBase. Copying of XMl descriptors is now disabled by default. (markt)
Move comet classes from the org.apache.catalina package to the org.apache.catalina.comet package to allow comet to work under a security manager. (markt)
Coyote:
Port SSLInsecureRenegotiation from mod_ssl. This requires to use tomcat-native 1.2.21 that have option to detect this support from OpenSSL library. (mturk)
Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung)
r703017 Make Java socket options consistent between NIO and JIO connector. Expose all the socket options available on java.net.Socket (fhanik)
46051: The writer returned by getWriter() now conforms to the PrintWriter specification and uses platform dependent line endings rather than always using \r\n. (markt)
Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk)
r724239 NIO connector now always uses an Executor. (fhanik)
r724393 Implement keepAliveCount for NIO connector in a thread safe manner. (fhanik)
r724849 Implement keep alive timeout for NIO connector. (fhanik)
Jasper:
Update JSP support to the JSP 2.2 specification. (markt)
Update EL support to the EL 2.2 specification. (markt)
r787978 Use "1.6" as the default value for compilerSourceVM and compilerTargetVM options of Jasper. (kkolinko)
48358:support for limiting the number of JSPs that are loaded at any one time. Based on a patch by Isabel Drost. (markt)
48689: Access TLD files through a new JarResource interface to make extending Jasper simpler, particularly in OSGi environments. Patch provided by Jarek Gawor. (markt)
High Availability:
Add support for UDP and secure communication to tribes. (fhanik)
Add versioning to the tribes communication protocol to support future developments. (fhanik)
Add a demo on how to use the payload. (fhanik)
Started toJMX support to the cluster implementation. (markt)
r609778 Minor fixes to the throughput interceptor and the NIO receiver. (fhanik)
r630234 Additional checks for the NIO receiver. (fhanik)
r671650 Improve error message when multicast is not enabled. (fhanik)
Web applications:
r631321changelog to support the element in the documentation. (fhanik)
A number of additional roles were added to the Manager and Host Manager applications to separate out permissions for the HTML interface, the text interface and the JMX proxy. (markt)
CSRF protection was added to the Manager and Host Manager applications. (markt)
List array elements in the JMX proxy output of the Manager application. (rjung)
Extras:
A new JmxRemoteLifecycleListener that can be used tothe ports used for remote JMX connections, eg when using JConsole. (markt)
Modules:
r691359 Added in a Bayeux protocol implementation built on top of the Tomcat CometProcessor interface. (fhanik)
Other:
Numerous code clean-up changes including the use of generics and removing unused imports, fields, parameters and methods. (markt)
All deprecated internal code has been removed. Warning: If you have custom components for a previous Tomcat version that extend internal Tomcat classes and override deprecated methods it is highly likely that they will no longer work. (markt)
Parameterize version number throughout build scripts and source. (rjung)