Apache Tomcat Changelog

New in version 8.0.18 (January 28th, 2015)

  • A regression that caused response truncation when using forwarding (57475) has been fixed.
  • Various improvements to ReplicatedMap in Tribes.

New in version 8.0.17 Beta (January 21st, 2015)

  • Catalina:
  • Fix: Correct a regression in the previous fix for 57252 that broke request listeners for non-async requests that triggered an error that was handled by the ErrorReportingValve. (markt/violetagg)
  • Coyote:
  • Fix: Add flushing to send ack in the NIO2 connector. (remm)

New in version 8.0.15 Beta (November 13th, 2014)

  • Catalina:
  • Add: 43548: Add an XML schema for the tomcat-users.xml file. (markt)
  • Add: 43682: Add support for referring to the current context, host and service name in per Context logging.properties files by using the properties ${classloader.webappName}, ${classloader.hostName} and ${classloader.serviceName}. (markt)
  • Add: 47919: Extend the information logged when Tomcat starts to optionally log the values of command line arguments (enabled by default) and environment variables (disabled by default). Note that the values added to CATALINA_OPTS and JAVA_OPTS environment variables will be logged, as they are used to build up the command line. (markt)
  • Add: 49939: Expose the method that clears the static resource cache for a web application via JMX. (markt)
  • Fix: 55951: Allow cookies to use UTF-8 encoded values in HTTP headers. This requires the use of the RFC6265 CookieProcessor. (markt)
  • Fix: 55984: Using the allow separators in version 0 cookies option with the legacy cookie processor should only apply to version 0 cookies. Version 1 cookies with values that contain separators should not be affected and should continue to be quoted. (markt)
  • Add: 56393: Add support for RFC6265 cookie parsing and generation. This is currently disabled by default and may be enabled via the CookieProcessor element of a Context. (markt)
  • Add: 56394: Introduce new configuration element CookieProcessor in Context to allow context-specific configuration of cookie processing options. Attributes of Context element that were added in Tomcat 8.0.13 to allow configuration of a new experimental RFC6265 based cookie parser (useRfc6265 and cookieEncoding) are replaced by this new configuration element. (markt)
  • Fix: Improve the previous fix for 56401. Avoid logging version information in the constructor since it then gets logged at undesirable times such as when using StoreConfig. (markt)
  • Fix: 56403: Add pluggable password derivation support to the Realms via the new CredentialHandler interface. (markt/schultz)
  • Fix: 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
  • Add: Deprecate the use of system properties to control cookie parsing and replace them with attributes on the new CookieProcessor that may be configured on a per context basis. (markt)
  • Fix: Correct an edge case and allow a cookie if the value starts with an equals character and the CookieProcessor is not configured to allow equals characters in cookie values but is configured to allow name only cookies. (markt)
  • Fix: 57022: Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs. (markt)
  • Fix: 57027: Add additional validation for stored credentials used by Realms when the credential is stored using hex encoding. (markt)
  • Fix: 57038: Add a WebResource.getCodeBase() method, implement for all WebResource implementations and then use it in the web application class loader to set the correct code base for resources loaded from JARs and WARs. (markt)
  • Fix: Correct a couple of NPEs in the JNDI Realm that could be triggered when not specifying a roleBase and enabling roleSearchAsUser. (markt)
  • Fix: Correctly handle relative values for the docBase attribute of a Context. (markt)
  • Fix: Ensure that log messages generated by the web application class loader correctly identify the associated Context when multiple versions of a Context with the same path are present. (markt)
  • Fix: Remove the unnecessary registration of context.xml as a redeploy resource. The context.xml having an external docBase has already been registered as a redeploy resource at first. (kfujino)
  • Fix: 57089: Ensure that configuration of a session ID generator is not lost when a web application is reloaded. (markt)
  • Fix: 57105: When parsing web.xml do not limit the buffer element of the jsp-property-group element to integer values as the allowed values are kb or none. (markt)
  • Update: Update the minimum required version of the Tomcat Native library (if used) to 1.1.32. (markt)
  • Fix: Update storeconfig with newly introduced elements: SessionIdGenerator, CookieProcessor, JarScanner and JarScanFilter. (remm)
  • Fix: Throw a NullPointerException if a null string is passed to the write(String,int,int) method of the PrintWriter obtained from the ServletResponse. (markt)
  • Fix: Cookie rewrite flag abbreviation should be CO rather than C. (remm)
  • Fix: 57153: When the StandardJarScanner is configured to scan the full class path, ensure that class path entries added directly to the web application class loader are scanned. (markt)
  • Fix: AsyncContext should remain usable until fireOnComplete is called. (remm)
  • Fix: AsyncContext createListener should wrap any instantiation exception using a ServletException. (remm)
  • Fix: 57155: Allow a web application to be configured that does not have a docBase on the file system. This is primarily intended for use when embedding. (markt)
  • Fix: Propagate header ordering from fileupload to the part implementation. (remm)
  • Coyote:
  • Add: 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. This feature requires Tomcat Native library 1.1.32 or later. (schultz/jfclere)
  • Code: Cache the Encoder instances used to convert Strings to byte arrays in the Connectors (e.g. when writing HTTP headers) to improve throughput. (markt)
  • Add: Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and NIO2). The change also ensures that SSLv2 is disabled for these connectors although SSLv2 should already be disabled by default by the JRE. (markt)
  • Add: Disable SSLv3 by default for the APR/native HTTPS connector. (markt)
  • Fix: Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
  • Fix: Trigger an error if an invalid attempt is made to use non-blocking IO. (markt)
  • Fix: 57157: Allow calls to AsyncContext.start(Runnable) during non-blocking IO reads and writes. (markt)
  • Fix: Async state MUST_COMPLETE should still be started. (remm)
  • Jasper:
  • Fix: 57099: Ensure that semi-colons are not permitted in JSP import page directives. (markt)
  • Fix: 57113: Fix broken package imports in Expression Language when more than one package was imported and the desired class was not in the last package imported. (markt)
  • Fix: 57132: Fix import conflicts reporting in Expression Language. (kkolinko)
  • Fix: When coercing an object to a given type, only attempt coercion to an array if both the object type and the target type are an array type. (violetagg/markt)
  • Fix: Improve handling of invalid input to javax.el.ImportHandler.resolveClass(). (markt)
  • Fix: Allow the same class to be added to an instance of javax.el.ImportHandler more than once without triggering an error. The second and subsequent calls for the same class will be ignored. (markt)
  • Fix: 57136: Ensure only \${ and \#{ are treated as escapes for ${ and #{ rather than \$ and \# being treated as escapes for $ and # when processing literal expressions in expression language. (markt)
  • Fix: When coercing an object to an array type in Expression Language, handle the case where the source object is an array of primitives. (markt/kkolinko)
  • Fix: Do not throw an exception on missing JSP file servlet initialization. (remm)
  • Fix: 57148: When coercing an object to a given type and a PropertyEditor has been registered for the type correctly coerce the empty string to null if the PropertyEditor throws an exception. (kkolinko/markt)
  • Fix: 57153: Correctly scan for TLDs located in directories that represent expanded JAR files that have been added to the web application class loader's class path. (markt)
  • Fix: 57141: Enable EL in JSPs to refer to static fields of imported classes including the standard java.lang.* imports. (markt)
  • Cluster:
  • Fix: Add support for the SessionIdGenerator to cluster manager template. (kfujino)
  • Fix: Avoid possible integer overflows reported by Coverity Scan. (fschumacher)
  • WebSocket:
  • Fix: 57054: Correctly handle the case in the WebSocket client when the HTTP response to the upgrade request can not be read in a single pass; either because the buffer is too small or the server sent the response in multiple packets. (markt)
  • Add: Extend support for the permessage-deflate extension to the client implementation. (markt)
  • Fix: Fix client subprotocol handling. (remm)
  • Fix: Add null checks for arguments in remote endpoint. (remm/kkolinko)
  • Fix: 57091: Work around the behaviour of the Oracle JRE when creating new threads in an applet environment that breaks the WebSocket client implementation. Patch provided by Niklas Hallqvist. (markt)
  • Fix: 57118: Ensure that an EncodeException is thrown by RemoteEndpoint.Basic.sendObject(Object) rather than an IOException when no suitable Encoder is configured for the given Object. (markt)
  • Web applications:
  • Fix: Correct a couple of broken links in the Javadoc. (markt)
  • Fix: Correct documentation for ServerCookie.ALLOW_NAME_ONLY system property. (kkolinko)
  • Fix: 57049: Clarified that jvmRoute can be set in <Engine>'s jvmRoute or in a system property. (schultz)
  • Fix: Correct version of Java WebSocket mentioned in documentation (s/1.0/1.1/). (markt/kkolinko)
  • Update: Suppress timestamp comments in Javadoc. (kkolinko)
  • Fix: 57147: Various corrections to the JDBC Store section of the session manager configuration page of the documentation web application. (markt)
  • Tribes:
  • Fix: 45282: Improve shutdown of NIO receiver so that sockets are closed cleanly. (fhanik/markt)
  • jdbc-pool:
  • Fix: 57005: Fix javadoc errors when building with Java 8. Patch provided by Pierre Viret. (markt)
  • Fix: 57079: Use Tomcat version number for jdbc-pool module when building and shipping the module as part of Tomcat. (markt)
  • Fix: Fix broken overview page in javadoc generated via "javadoc" task in jdbc-pool build.xml file. (kkolinko)
  • Other:
  • Fix: 56079: The uninstaller packaged with the Apache Tomcat Windows installer is now digitally signed. (markt)
  • Fix: Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format instead of 12-hour one and use UTC timezone. (markt/kkolinko)
  • Fix: Update the package renamed copy of Apache Commons DBCP 2 to revision 1631450 to pick up additional fixes since the 2.0.1 release including Javadoc corrections to fix errors when compiling with Java 8. (markt)
  • Update: 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
  • Code: In Tomcat tests: log name of the current test method at start time. (kkolinko)

New in version 7.0.56 (October 15th, 2014)

  • Catalina:
  • Fix: When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
  • Fix: Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
  • Fix: 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
  • Fix: 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
  • Fix: 56771: When looking up a resource in all the alternate or backup javax.naming.directory.DirContext instances, javax.naming.NameNotFoundException will be thrown at the end of the search if the resource is not available in these alternate or backup javax.naming.directory.DirContext instances. Based on a patch by Sheldon Shao. (violetagg)
  • Fix: 56796: Remove unnecessary sleep when stopping a web application. (markt)
  • Fix: 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is used to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (kkolinko)
  • Fix: 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
  • Fix: 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
  • Code: 56882: Add testcase for processing of forwards and includes when Context have been reloaded. (kkolinko)
  • Fix: 56900: Fix some potential resource leaks when reading property files reported by Coverity Scan. Based on patches provided by Felix Schumacher. (markt)
  • Fix: 56902: Fix a potential resource leak in the Default Servlet reported by Coverity Scan. Based on a patch provided by Felix Schumacher. (markt)
  • Fix: 56903: Correct the return value for StandardContext.getResourceOnlyServlets() so that multiple names are separated by commas. Identified by Coverity Scan and fixed based on a patch by Felix Schumacher. (markt)
  • Fix: Fixed the multipart elements merge operation performed during web application deployment. Identified by Coverity Scan. (violetagg)
  • Fix: Correct the information written by ExtendedAccessLogValve when a format token x-O(XXX) is used so that multiple values for a header XXX are separated by commas. Identified by Coverity Scan. (violetagg)
  • Fix: Fix a potential resource leak when reading MANIFEST.MF file for extension dependencies reported by Coverity Scan. (violetagg)
  • Fix: Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
  • Fix: Fix some potential resource leaks when reading properties, files and other resources. Reported by Coverity Scan. (violetagg)
  • Fix: When using parallel deployment and undeployOldVersions feature is enabled on a Host, correctly undeploy context of old version. Make sure that Tomcat does not undeploy older Context if current context is not running. (kfujino)
  • Fix: When deploying war, add XML file in the config base to the redeploy resources if war does not have META-INF/context.xml or deployXML is false. If XML file is created in the config base, redeploy will occur. (kfujino)
  • Code: Various changes to reduce unnecessary code in Tomcat's copy of Apache Commons BCEL to reduce the time taken for annotation scanning when web applications start. Includes contributions from kkolinko and hzhang9. (markt)
  • Fix: 56938: Ensure web applications that have mixed case context paths and are deployed as directories are correctly removed on undeploy when running on a case sensitive file system. (markt)
  • Add: 57004: Add stuckThreadCount property to StuckThreadDetectionValve's JMX bean. Patch provided by Jiří Pejchal. (schultz)
  • Fix: 57011: Ensure that the request and response are correctly recycled when processing errors during async processing. (markt)
  • Fix: 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
  • Coyote:
  • Fix: 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
  • Fix: 56910: Prevent the invalid value of -1 being used for maxConnections with APR connectors. (markt)
  • Fix: Ensure that AjpNioProtocol and AjpAprProtocol enable the KeepAliveTimeout. (kfujino)
  • Jasper:
  • Fix: 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko)
  • Fix: 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
  • Fix: Correct a logic error in the JasperElResolver. There was no functional impact but the code was less efficient as a result of the error. Based on a patch by martinschaef. (markt)
  • Fix: Ensure that the implementation of javax.servlet.jsp.PageContext.include(String) and javax.servlet.jsp.PageContext.include(String, boolean) will throw IOException when an I/O error occurs during the operation. (violetagg)
  • Fix: 56908: Fix some potential resource leaks when reading jar files. Reported by Coverity Scan. Based on patch provided by Felix Schumacher. (violetagg)
  • Fix: 56991: Deprecate the use of a request attribute to pass a declaration to Jasper and prevent an infinite loop if this technique is used in conjunction with an include. (markt)
  • Fix: Fix a potential resource leak in JDTCompiler when checking whether a resource is a package. Reported by Coverity Scan. (fschumacher)
  • WebSocket:
  • Code: 56446: Clearer handling of exceptions when calling a method on a POJO based WebSocket endpoint. Based on a suggestion by Eugene Chung. (markt)
  • Fix: 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
  • Fix: 56905: Make destruction on web application stop of thread group used for WebSocket connections more robust. (kkolinko/markt)
  • Fix: 56907: Ensure that client IO threads are stopped if a secure WebSocket client connection fails. (markt)
  • Fix: When a WebSocket client attempts to write to a closed connection, handle the resulting IllegalStateException in a manner consistent with the handling of an IOException. (markt)
  • Add: Add support for the permessage-deflate extension. This is currently limited to decompressing incoming messages on the server side. It is expected that support will be extended to outgoing messages and to the client side shortly. (markt)
  • Add: Extend support for the permessage-deflate extension to compression of outgoing messages on the server side. (markt)
  • Fix: 56982: Return the actual negotiated extensions rather than an empty list for Session.getNegotiatedExtensions(). (markt)
  • Update: Update the WebSocket implementation to support the Java WebSocket specification version 1.1. (markt)
  • Web applications:
  • Fix: Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
  • Update: Update the Windows authentication documentation after some additional testing to answer the remaining questions. (markt)
  • Fix: Correct a couple of broken links in the Javadoc. (markt)
  • Other:
  • Add: 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
  • Add: 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
  • Fix: 56895: Correctly compose JAVA_OPTS in catalina.bat so that escape sequences are preserved. Patch by Lucas Theisen. (markt)
  • Update: 56988: Allow the use of a relative path in the base.path setting when building Tomcat. (kkolinko)
  • Fix: 56990: Ensure that the ide-eclipse build target downloads all the libraries required by the default Eclipse configuration files and configures Eclipse to use Java 6 for the project. Add build target ide-eclipse-websocket that creates a separate linked project that compiles websocket classes of Tomcat 7 with Java 7 compiler. (kkolinko)

New in version 8.0.14 Beta (September 30th, 2014)

  • Other:
  • Fix: 56079: The Apache Tomcat Windows installer, the Apache Tomcat Windows service and the Apache Tomcat Windows service monitor application are now digitally signed. (markt)

New in version 8.0.12 Beta (September 3rd, 2014)

  • Jasper:
  • Fix: Correct a logic error in the JasperElResolver. There was no functional impact but the code was less efficient as a result of the error. Based on a patch by martinschaef. (markt)
  • Other:
  • Add: 56323: Include the *.bat files when installing Tomcat via the Windows installer. (markt)

New in version 8.0.11 Beta (August 27th, 2014)

  • Catalina:
  • Fix: 56658: Fix regression that a context was inaccessible after reload. (kkolinko)
  • Fix: 56710: Do not map requests to servlets when context is being reloaded. (kkolinko)
  • Fix: 56712: Fix session idle time calculations in PersistenceManager. (kkolinko)
  • Fix: 56717: Fix duplicate registration of MapperListener during repeated starts of embedded Tomcat. (kkolinko)
  • Add: 56724: Write an error message to Tomcat logs if container background thread is aborted unexpectedly. (kkolinko)
  • Fix: When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
  • Fix: Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
  • Fix: 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
  • Fix: 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
  • Fix: 56784: Fix a couple of rare but theoretically possible atomicity bugs. (markt)
  • Fix: 56785: Avoid NullPointerException if directory exists on the class path that is not readable by the Tomcat user. (markt)
  • Fix: 56796: Remove unnecessary sleep when stopping a web application. (markt)
  • Fix: 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is used to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (markt)
  • Fix: 56815: When the gzip option is enabled for the DefaultServlet ensure that a suitable Vary header is returned for resources that might be returned directly in compressed form. (markt)
  • Fix: Do not mark threads from the container thread pool as container threads when being used to process AsyncContext.start(Runnable) so processing is correctly transferred back to a genuine container thread when necessary. (markt)
  • Add: Add simple caching for calls to StandardRoot.getResources() in the new (for 8.0.x) resources implementation. (markt)
  • Fix: 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
  • Fix: 56840: Avoid NPE when the rewrite valve is mapped to a context. (remm)
  • Fix: Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
  • Fix: 56848: Improve handling of accept-language headers. (markt)
  • Fix: 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
  • Coyote:
  • Fix: Fix NIO2 sendfile state tracking and error handling to fix various corruption issues. (remm)
  • Fix: Missing timeout for NIO2 sendfile writes. (remm)
  • Fix: Allow inline processing for NIO2 sendfile and optimize keepalive behavior. (remm)
  • Fix: Fix excessive NIO2 sendfile direct memory use in some cases, sendfile will now instead use the regular socket write buffer as configured. (remm)
  • Fix: 56661: Fix getLocalAddr() for AJP connectors. The complete fix is only available with a recent AJP forwarder like the forthcoming mod_jk 1.2.41. (rjung)
  • Fix: Use default ciphers defined as HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 so that no weak ciphers are enabled by default. (remm)
  • Fix: 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
  • Fix: 56810: Remove use of Java 8 specific API calls in unit tests for OpenSSL to JSSE cipher conversion. (markt)
  • Jasper:
  • Fix: 56709: Fix system property name in a log message. Submitted by Robert Kish. (remm)
  • Fix: 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
  • WebSocket:
  • Fix: 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
  • Web applications:
  • Fix: Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
  • jdbc-pool:
  • Fix: 53088: More identifiable thread name. (fhanik)
  • Fix: 53200: Selective logging for slow versus failed queries. (fhanik)
  • Fix: 53853: More flexible classloading. (fhanik)
  • Fix: 54225: Disallow empty init SQL. (fhanik)
  • Fix: 54227: Evaluate max age upon borrow. (fhanik)
  • Fix: 54235: Disallow nested pools exploitation using data source. (fhanik)
  • Fix: 54395: Fix JDBC interceptor parsing bug. (fhanik)
  • Fix: 54537: Performance improvement in StatementFinalizer. (fhanik)
  • Fix: 54978: Make sure proper connection validation always happens, regardless of config. (fhanik)
  • Fix: 56318: Ability to trace statement creation in StatementFinalizer. (fhanik)
  • Fix: 56789: getPool() returns the actual pool, always. (fhanik)
  • Other:
  • Add: 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
  • Add: 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)

New in version 7.0.55 (August 22nd, 2014)

  • Update to the Eclipse JDT Compiler 4.4
  • Better error handling when the error occurs after the response has been committed
  • Various improvements to the Mapper including fixing some concurrency bugs
  • Update to Tomcat Native Library version 1.1.31 to pick up the Windows binaries that are based on OpenSSL 1.0.1h

New in version 7.0.54 (May 28th, 2014)

  • Extend and improve memory leak protection and fix a few leaks that crept in during the various refactorings
  • Add additional protection against a failure to correctly recycle the request and response objects
  • APR/native library version updated to 1.1.30.

New in version 8.0.1 Beta (February 4th, 2014)

  • Catalina:
  • Fix: Change default value of xmlBlockExternal attribute of Context. It is true now. (kkolinko)
  • Coyote:
  • Fix: Correct regression in the fix for 55996 that meant that asynchronous requests might timeout too early. (markt)
  • Jasper:
  • Fix: Change default value of the blockExternal attribute of JspC task. The default value is true. Add support for -no-blockExternal switch when JspC is run as a standalone application. (kkolinko)
  • WebSocket:
  • Fix: Do not return an empty string for the Sec-WebSocket-Protocol HTTP header when no sub-protocol has been requested or no sub-protocol could be agreed as RFC6455 requires that no Sec-WebSocket-Protocol header is returned in this case. (markt)

New in version 8.0.0 RC10 (January 14th, 2014)

  • Catalina:
  • Add: Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes contributions from Nick Williams and Jeremy Boynes. (markt)
  • Add: Implement JSR 245 MR2 - JSP 2.3. (markt)
  • Add: Implement JSR 341 - Unified Expression Language 3.0. (markt)
  • Add: Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. (markt)
  • Update: 46727: Refactor default servlet to make it easier to sub-class to implement finer grained control of the file encoding. Based on a patch by Fred Toth. (markt)
  • Add: 45995: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
  • Code: Remove duplicate code that converted a Host's appBase attribute to a canonical file. (markt)
  • Code: 51408: Replace calls to Charset.defaultCharset() with an explicit reference to the ISO-8859-1 Charset. (markt)
  • Code: Refactor initialization code to use a single, consistent approach to determining the Catalina home (binary) and base (instance) directories. The search order for home is catalina.home system property, parent of current directory if bootstrap.jar is present and finally current working directory. The search order for Catalina base is catalina.base system property falling back to the value for Catalina home. (markt)
  • Update: 52092: JULI now uses the OneLineFormatter and AsyncFileHandler by default. (markt)
  • Fix: 52558: Refactor CometConnectionManagerValve so that it does not prevent the session from being serialized when running in a cluster. (markt)
  • Fix: 52767: Remove reference to MySQL specific autoReconnect property in JDBCAccessLogValve. (markt)
  • Code: Make the Mapper type-safe. Hosts, Contexts and Wrappers are no longer handled as plain objects, instead they keep their type. Code using the Mapper doesn't need to cast objects returned by the mapper. (rjung)
  • Code: Move Manager, Loader and Resources from Container to Context since Context is the only place they are used. The documentation already states (and has done for some time) that Context is the only valid location for these nested components. (markt)
  • Code: Move the Mapper from the Connector to the Service since the Mapper is identical for all Connectors of a given Service and it is common for there to be multiple Connectors for a Service (http, https and ajp). This means there is now only ever one Mapper per Service rather than possibly multiple identically configured Mapper objects. (markt)
  • Code: Remove the per Context Mapper objects and use the Mapper from the Service. This removes the need to maintain two copies of the mappings for Servlets and Filters. (markt)
  • Add: Implement a new Resources implementation that merges Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories into a single framework rather than a separate one for each feature. (markt)
  • Add: URL rewrite valve, similar in functionality to mod_rewrite. (remm)
  • Add: Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm)
  • Add: 54095: Add support to the Default Servlet for serving gzipped versions of static resources directly from disk as an alternative to Tomcat compressing them on each request. Patch by Philippe Marschall. (markt)
  • Fix: 54708: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt)
  • Add: Change default configuration so that a change to the global web.xml file will trigger a reload of all web applications. (markt)
  • Fix: 55101: Make BASIC authentication more tolerant of whitespace. Patch provided by Brian Burch. (markt)
  • Fix: 55166: Move JSP descriptor and tag library descriptor schemas to servlet-api.jar to enable relative references between the schemas to be correctly resolved. (markt)
  • Code: Refactor the descriptor parsing code into a separate module that can be used by both Catalina and Jasper. Includes patches provided by Jeremy Boynes. (violetagg/markt)
  • Code: 55246: Move TLD scanning to a ServletContainerInitializer provided by Jasper. Includes removal of TldConfig lifecycle listener and associated Context properties. (jboynes)
  • Add: 55317: Facilitate weaving by allowing ClassFileTransformer to be added to WebappClassLoader. Patch by Nick Williams. (markt)
  • Fix: 55620: Enable Tomcat to start when either $CATALINA_HOME and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt)
  • Code: Initialize the JSP runtime in Jasper's initializer to avoid need for a Jasper-specific lifecycle listener. JasperListener has been removed. (jboynes)
  • Fix: Change ordering of elements of JMX objects names so components are grouped more logically in JConsole. Generally, components are now grouped by Host and then by Context. (markt)
  • Coyote:
  • Add: Experimental support for SPDY. Includes contributions from Sheldon Shao. (costin)
  • Code: The default connector is now the Java NIO connector even when specifying HTTP/1.1 as protocol. (fhanik)
  • Code: Update default value of pollerThreadCount for the NIO connector. The new default value will never go above 2 regardless of available processors. (fhanik)
  • Fix: 54010: Remove some unnecessary code (duplicate calls to configure the scheme as https for AJP requests originally received over HTTPS). (markt)
  • Code: Refactor char encoding/decoding using NIO APIs. (remm)
  • Update: Change the default URIEncoding for all connectors from ISO-8859-1 to UTF-8. (markt)
  • Jasper:
  • Code: Simplify API of ErrorDispatcher class by using varargs. (kkolinko)
  • Code: Update Jasper to use the new common web.xml parsing code. Includes patches by Jeremy Boynes. (markt/violetagg)
  • Add: Create test cases for JspC. Patch by Jeremy Boynes. (markt)
  • Code: 55246: TLD scanning is now performed by JasperInitializer (a ServletContainerInitializer) removing the need for support within the Servlet container itself. The scan is now performed only once rather than in two passes reducing startup time. (jboynes)
  • Fix: 55251: Do not allow JspC task to fail silently if the web.xml or web.xml fragment can not be generated. (markt)
  • Cluster:
  • Code: Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. (kfujino)
  • Code: Modify method signature in ReplicationValve. The Cluster instance is not needed as a method argument. (kfujino)
  • Code: Remove unused expireSessionsOnShutdown attribute in org.apache.catalina.ha.session.BackupManager. (kfujino)
  • Web applications:
  • Add: Extend the diagnostic information provided by the Manager web application to include details of the configured SSL cipher suites for each connector. (markt)
  • Update: 48550: Update examples web application to use UTF-8. (markt)
  • Update: 55383: Improve the design and correct the HTML markup of the documentation web application. Patches provided by Konstantin Preißer. (markt)
  • Tribes:
  • Code: Refactor AbstractReplicatedMap to use generics. A key side-effect of this is that the class now implements Map rather than extends ConcurrentMap. (markt)
  • Other:
  • Code: Remove unused, deprecated code. (markt)
  • Code: Remove static info String and associated getInfo() method where present. (markt)
  • Update: (r1353242, r1353410): Remove Ant tasks jasper2 and jkstatus. The correct names are jasper and jkupdate. (kkolinko)
  • Fix: 53529: Clean-up the handling of InterruptedException throughout the code base. (markt)
  • Add: 54899: Provide an initial implementation of NetBeans support. Patch provided by Brian Burch. (markt)
  • Fix: 55166: Move the JSP descriptor and tag library descriptor schema definition files from jsp-api.jar to servlet-api.jar so relative includes between the J2EE, Servlet and JSP schemas are correctly resolved. (markt)
  • Fix: 55372: When starting Tomcat with the jpda option to enable remote debugging, by default only listen on localhost for connections from a debugger. Prior to this change, Tomcat listened on all known addresses. (markt)

New in version 7.0.50 (January 9th, 2014)

  • Catalina:
  • fix Handle the case where a context.xml file is added to a web application deployed from a directory. Previously the file was ignored until Tomcat was restarted. Now (assuming automatic deployment is enabled) it will trigger a redeploy of the web application. (markt)
  • fix Fix string comparison in HostConfig.setContextClass(). (kkolinko)
  • code Streamline handling of WebSocket messages when no handler is configured for the message currently being received. (markt)
  • fix Handle the case where a WebSocket annotation configures a message size limit larger than the default permitted by Tomcat. (markt)
  • fix 55855: This is a partial fix that bypasses the relatively expensive check for a WebSocket upgrade request if no WebSocket endpoints have been registered. (markt)
  • fix 55905: Prevent a NPE when web.xml references a taglib file that does not exist. Provide better error message. (violetagg)
  • Coyote:
  • fix When using the BIO connector with an internal executor, do not display a warning that the executor has not shutdown as the default configuration for BIO connectors is not to wait. This is because threads in keep-alive connections cannot be interrupted and therefore the warning was nearly always displayed. (markt)
  • Jasper:
  • fix JspC uses servlet context initialization parameters to pass configuration so ensure that the servlet context used supports initialization parameters. (markt)
  • Cluster:
  • fix In AbstractReplicatedMap#finalize, remove rpcChannel from the channel listeners of the group channel before sending the MapMessage.MSG_STOP message. This prevents the node that sent the MapMessage.MSG_STOP during a normal shutdown from being added to the member map again by a ping from the heartbeat thread in the node that received the MapMessage.MSG_STOP. (kfujino)
  • fix Add time stamp to GET_ALL_SESSIONS message. (kfujino)
  • Web applications:
  • fix Fix the sample configuration of StaticMembershipInterceptor to prevent a warning being logged. uniqueId must be 16 bytes. (kfujino)
  • Extras:
  • update Update dependencies that are used to build tomcat-juli extras component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to version 1.2.17. (rjung)

New in version 8.0.0 RC5 (October 25th, 2013)

  • Improved stability of the APR/native connector when using WebSocket
  • Add a drawing board example to the WebSocket examples.
  • Add support for directly serving gzipped versions of a resource via the default servlet.

New in version 7.0.47 (October 25th, 2013)

  • Coyote:
  • Fix regression with legacy WebSocket implementation in NIO and APR connectors. (markt)
  • Web applications:
  • Avoid hang observed with Java 6 on Windows when stopping the Tomcat process via CTRL-C. (markt)
  • Other:
  • 55663: NOTICE files are corrected according to NOTICE files requirements. (violetagg)

New in version 8.0.0 RC3 (October 1st, 2013)

  • Support for Java Servlet 3.1, JavaServer Pages 2.3, Java Unified Expression Language 3.0 and Java WebSocket 1.0.
  • The default connector implementation is now the Java non-blocking implementation (NIO) for both HTTP and AJP.
  • A new resources implementation that replaces Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories with a single, consistent approach for configuring additional web application resources. The new resources implementation can also be used to implement overlays (using a master WAR as the basis for multiple web applications that each have their own customizations).

New in version 8.0.0 RC1 (August 12th, 2013)

  • Support for Java Servlet 3.1, JavaServer Pages 2.3, Java Unified Expression Language 3.0 and Java WebSocket 1.0.
  • The default connector implementation is now the Java non-blocking implementation (NIO) for both HTTP and AJP.
  • A new resources implementation that replaces Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories with a single, consistent approach for configuring additional web application resources. The new resources implementation can also be used to implement overlays (using a master WAR as the basis for multiple web applications that each have their own customizations).

New in version 7.0.42 (July 6th, 2013)

  • Catalina:
  • fix Enforce the restriction described in section 4.4 of the Servlet 3.0 specification that requires the new pluggability methods only to be available to ServletContextListeners defined in one of the specified ways. (markt)
  • fix Better handle FORM authentication when requesting a resource as an unauthenticated user that is only protected for a sub-set of HTTP methods that does not include GET. (markt)
  • fix 53777: Add support for a JAAS Realm instance to use a dedicated configuration rather than the JVM global JAAS configuration. This is most likely to be useful for per web application JAAS Realms. Based on a patch by eolivelli. (markt)
  • fix 54745: Fix JAR file scanning when Tomcat is deployed via Java Web Start. Patch provided by Nick Williams. (markt)
  • add 55017: Add the ability to configure the RMI bind address when using the JMX remote lifecycle listener. Patch provided by Alexey Noskov. (markt)
  • fix 55071: Ensure original exception is reported if JDBC Realm fails to read a user's credentials. (markt)
  • fix 55073, 55108, 55109, 55110, 55158 & 55159: Small performance improvements. Patches provided by Adrian Nistor. (markt/violetagg)
  • add 55102: Add support for time to first byte in the AccessLogValve. Patch provided by Jeremy Boynes. (markt)
  • fix 55125: If the Server container fails to start, don't allow the Catalina wrapper to start (used when running from the command line and when running as a service) since Tomcat will not be able to do any useful work. (markt)
  • fix Update the JreMemoryLeakPreventionListener to take account of changes in the behaviour of java.beans.Introspector.flushCaches() and sun.awt.AppContext.getAppContext() in Java 7. (markt)
  • fix Avoid WARNING log message of Users:type=UserDatabase,database=UserDatabase at Tomcat shutdown. (pero)
  • fix Avoid ClassCastException when an asynchronous dispatch is invoked in an asynchronous cycle which is started by a call to ServletRequest.startAsync(ServletRequest,ServletResponse) where ServletRequest/ServletResponse are custom implementations. (violetagg)
  • fix Correct a regression introduced in 7.0.39 (refactoring of base 64 encoding and decoding) that broke the JNDI Realm when userPassword was set and passwords were hashed with MD5 or SHA1. (markt/kkolinko)
  • fix Correct the mechanism for the path calculation in AsyncContext.dispatch(). (violetagg)
  • fix 55155: Avoid constant focus grabbing when running the Tomcat unit tests under Java 6 on OSX. Patch provided by Casey Lucas. (markt)
  • fix 55160: Don't ignore connectionUploadTimeout setting when using HTTP NIO connector. (markt)
  • fix 55176: Correctly handle regular expressions within SSI expressions that contain an equals character. (markt)
  • Coyote:
  • fix 55177: Correctly handle infinite soTimeout for BIO HTTP connector. Based on a patch by Nick Bunn. (markt)
  • fix 55180: Correctly handle infinite soTimeout when disableUploadTimeout is set to false. Patch provided by Nick Bunn. (violetagg)
  • Cluster:
  • fix Delete leftover of war file from tempDir when removing invalid FileMessageFactory. (kfujino)
  • fix Ensure that the keepAlive of NioSender works correctly when keepAliveCount/keepAliveTime is set to a value greater than 0. (kfujino)
  • add Add logging of when a member is unable to join the cluster. (kfujino)
  • fix Replace Tribes's TaskQueue as executor's workQueue in order to ensure that executor's maxThread works correctly. (kfujino)
  • fix 54086: Fix an additional code path that could lead to multiple threads attempting to modify the same selector key set. (markt)
  • Web applications:
  • add Complete the document for MessageDispatch15Interceptor. (kfujino)
  • add 53655: Document the circumstances under which Tomcat will add a javax.mail.Authenticator to mail sessions created via a JNDI resource. (markt)
  • fix 55179: Correct the Javadoc for the remote IP valve so the correct name is used to refer to the proxiesHeader property. (markt)
  • jdbc-pool:
  • fix 55031: Fixed Export-Package header and uses directives in MANIFEST.MF. Change the version for package org.apache.juli.logging to "0" in Import-Package header. Thus any version of that package can be used. Patch provided by Martin Lichtin. (violetagg)
  • Other:
  • update Update Maven Central location used to download dependencies at build time to be repo.maven.apache.org. (kkolinko)
  • update Update JUnit to version 4.11. Configure separate download for Hamcrest 1.3 core library as its classes are no longer included in junit.jar. (kkolinko)
  • fix 54013: When using a forced stop, allow a short period of time (5s) for the process to die before returning. Patch provided by mukarram.baig. (markt)
  • fix 55119: Ensure that the build process produces Javadoc that is not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler. (markt)

New in version 7.0.41 (June 11th, 2013)

  • Delete leftover of war file from tempDir when removing invalid FileMessageFactory. (kfujino)
  • Ensure that the keepAlive of NioSender works correctly when keepAliveCount/keepAliveTime is set to a value greater than 0. (kfujino)

New in version 6.0.37 (May 9th, 2013)

  • 52055: Ensure that filters are recycled. (markt/kkolinko)
  • 52184: Reduce log level for invalid cookies. (markt)
  • 53481: Added support for SSLHonorCipherOrder to allow the server to impose its cipher order on the client. Based on a patch provided by Marcel Šebek. (schultz)
  • 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
  • In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
  • 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
  • 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt/kkolinko)
  • 54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt)
  • Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one, and of filter instances if their destroy() method fails with an Error. (kkolinko)
  • 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
  • 54483: Correct one of the Spanish translations. Based on a suggestion from adinamita. (kkolinko)
  • update 54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)

New in version 7.0.40 (May 9th, 2013)

  • Update Tomcat's internal copy of Commons FileUpload to FileUpload 1.3. (markt)
  • 54178: Protect against AsyncListener implementations that throw RuntimeExceptions in response to an event. (markt)
  • 54791: Restore tools.jar entry in jarsToSkip property to prevent warnings when running Tomcat from Eclipse. (markt)
  • 54851: When scanning for web fragments, directories without any web-fragment.xml should not impact the status of distributable element. Patch provided by Trask Stalnaker. (violetagg)
  • When an error occurs during the sending of a WebSocket message, notify the Inbound side (where all the events occur that the application reacts to) that an error has occurred and that the connection is being closed. (markt)

New in version 7.0.39 (March 27th, 2013)

  • Catalina:
  • Ensure a log message is generated when a web application fails to start due to an error processing a ServletContainerInitializer. (markt)
  • Prevent NPE in JAR scanning when running in an environment where the bootstrap class loader is not an ancestor of the web application class loader such as OSGi environments. (violetagg)
  • Ensure that, if a call to UEncoder#encodeURL is made, all internal structures are properly cleaned. (violetagg)
  • add 54660: Enable the modification of an access log's fileDateFormat attribute while the access log is in use. The change will take effect when the next entry is made to the access log. (markt)
  • update Update Tomcat's internal copy of Commons FileUpload to FileUpload trunk, revision 1458500 and the associated extract from Commons IO to 2.4. (markt)
  • 54702: Prevent file descriptors leak and ensure that files are closed when parsing web application deployment descriptors. (violetagg)
  • 54707: Further relax the parsing of DIGEST authentication headers to allow for buggy clients that quote values that RFC2617 states should not be quoted. (markt/kkolinko)
  • Enable support for MBeans with multiple operations with the same name but different signatures. (markt)
  • code Deprecate Tomcat's internal Base 64 encoder/decoder and switch to using a package renamed copy of the Commons Codec implementation. (markt)
  • Ensure that StandardJarScanner#scan will use the provided class loader when scanning the class loader hierarchy. (violetagg)
  • Coyote:
  • 54690: Fix a regression caused by the previous fix for 54406. If no values are specified for sslEnabledProtocols or ciphers use the default values for server sockets rather than the default values for client sockets. (markt)
  • Web applications:
  • update Correct Deployer, Manager and Context pages of Tomcat documentation. (kkolinko)
  • jdbc-pool:
  • 52318: Version for imported package org.apache.juli.logging is extended to include also 7.0.x versions. The fix is applicable only when running in an OSGi environment. Patch provided by Martin Lichtin. (violetagg)
  • 54599: Do not print connection password in PoolProperties.toString(). Based on a patch by Daniel Mikusa. (kkolinko)
  • 54684: Add javax.naming.spi to Import-Package header in MANIFEST.MF in order to resolve ClassNotFoundException when running in OSGi environment. (violetagg)
  • Other:
  • Update to Apache Commons Daemon 1.0.14 to resolve 54609 which meant that installation of Windows service could fail producing incorrect service launch command. (mturk)
  • Ensure HEAD requests return the correct content length when the requested resource uses a Writer. Patch by Nick Williams. (markt)

New in version 7.0.37 (February 18th, 2013)

  • Catalina:
  • fix 54521: Ensure that concurrent requests that require a DIGEST authentication challenge receive different nonce values. (markt)
  • fix 54534: Ensure that, if a call to StandardWrapper#isSingleThreadModel() triggers the loading of a Servlet, the correct class loader is used. (markt)
  • fix 54536: Ensure the default error page is displayed if a custom HTTP status code is used when calling HttpServletResponse#sendError(int, String). (markt)
  • Coyote:
  • fix 54456: Ensure that if a client aborts a request when sending a chunked request body that this is communicated correctly to the client reading the request body. (markt)
  • update Update the native component of the APR/native connector to 1.1.27 and make that version the recommended minimum version. (markt)
  • Jasper:
  • add 54239: Enable web applications to provide their own Expression Language interpreter to enable them to optimise processing of expressions. Based on a patch by Sheldon Shao. (markt)
  • Web applications:
  • add 54505: Create clearer links from the JNDI How-To to the Tomcat specific options for configuring JNDI resources. (markt)
  • Other:
  • update Update to Apache Commons Daemon 1.0.13. (markt)

New in version 7.0.35 (January 16th, 2013)

  • 54247: Prevent ClassNotFoundExceptions on stop when running as a service. (markt)
  • fix 54249: Ensure resource properties are available when the context path contains encoded characters such as a space. This triggered compilation issues in Jasper. Patch provided by Polina Genova. (markt)
  • fix 54256: Improve error reporting when a JAR file fails extension validation by including the name of the JAR file in the exception. (markt)
  • fix Allow web applications to be stopped cleanly even if filters throw exceptions when their destroy() method is called. (markt/kkolinko)
  • fix Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one. (kkolinko)
  • code Cleanup method cache lookup code in SecurityUtil class. (kkolinko)
  • add Make the Tomcat 7 non-JSR356 WebSocket implementation non-blocking (where supported by the connector) between the HTTP upgrade and the first WebSocket message from the client to the server. (markt)
  • fix 54262: Ensure that an empty element in the main web.xml file disables scanning for web fragments. Based on a patch by Violeta Georgieva. (markt)
  • fix 54284: As per clarification from the Servlet EG, anonymous Filters and Servlets are not permitted. Patch by Violeta Georgieva. (markt)
  • fix 54371: Prevent exceptions when processing web fragments for unexpanded WAR files when the context path contains characters that need to be encoded in URLs such as spaces. Based on a patch by Polina Genova. (markt)
  • add 54372: Make HTTP Digest authentication header parsing tolerant of invalid headers sent by known buggy clients. (markt)
  • fix 54377: Correctly set request attributes for AccessLog in RemoteIpFilter. Patch by Violeta Georgieva. (markt)
  • fix 54379: Implement support for post-construct and pre-destroy elements in web.xml. Patch by Violeta Georgieva. (markt)
  • fix 54380: Do not try to register servlets or contexts into the mapper too early (which just caused a warning to be logged). (kkolinko)
  • fix Fix NPE in WebappLoader.stopInternal when stop is called after a failed start. (kkolinko)
  • add 54381: Add support for receiving WebSocket pong messages. (markt)
  • fix 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
  • fix Fix ArrayIndexOutOfBoundsException in HttpParser when parsing incorrect HTTP headers. (kkolinko)
  • fix 54387: Deployment must fail when multiple servlets are mapped to the same url-pattern. (markt)
  • fix 54391: Provide a value for the javax.servlet.context.orderedLibs attribute. (markt)

New in version 7.0.32 (October 8th, 2012)

  • Significantly reduced memory footprint during web application start while Servlet 3.0 annotation and SCI scanning is in progress.
  • Adds support for scanning of classes that use Java 7 specific byte code for Servlet 3.0 annotation and SCI scanning.
  • Improvements to DIGEST and FORM authentication.

New in version 7.0.6 (January 27th, 2011)

  • General:
  • Update to Commons Daemon 1.0.5. (mturk)
  • Catalina:
  • 8705: org.apache.catalina.SessionListener now extends java.util.EventListener. (markt)
  • 10526: Add an option to the Authenticators to force the creation of a session on authentication which may offer some performance benefits. (markt)
  • 10972: Improve error message if the className attribute is missing on an element in server.xml where it is required. (markt)
  • 48692: Provide option to parse application/x-www-form-urlencoded PUT requests. (schultz)
  • 48822: Include context name in case of error while stopping or starting a context during its reload. Patch provided by Marc Guillemot. (slaurent)
  • 48837: Extend thread local memory leak detection to include classes loaded by subordinate class loaders to the web application's class loader such as the Jasper class loader. Based on a patch by Sylvain Laurent. (markt)
  • 48973: Avoid creating a SESSIONS.ser file when stopping an application if there's no session. Patch provided by Marc Guillemot. (slaurent)
  • 49000: No longer accept specification invalid name only cookies by default. This behaviour can be restored using a system property. (markt)
  • 49159: Improve memory leak protection by renewing threads of the pool when a web application is stopped. (slaurent)
  • 49372: Re-fix after connector re-factoring. If connector initialisation fails (e.g. if a port is already in use) do not trigger a LifecycleException for an invalid state transition. (markt)
  • 49543: Allow Tomcat to use shared data sources with per application credentials. (fhanik)
  • 49650: Remove unnecessary entries from the package.access property defined in catalina.properties. Patch provided by Owen Farrell. (markt)
  • 50106: Correct several MBean descriptors. Patch provided by Eiji Takahashi. (markt)
  • Further performance improvements to session ID generation. Remove legacy configuration options that are no longer required. Provide additional options to control the SecureRandom instances used to generate session IDs. (markt)
  • 50201: Update the access log reference in StandardEngine when the ROOT web application is redeployed, started, stopped or defaultHost is changed. (markt/kkolinko)
  • 50282: Load javax.security.auth.login.Configuration with JreMemoryLeakPreventionListener to avoid memory leak when stopping a web application that would use JAAS. (slaurent)
  • 50351: Fix the regression that broke BeanFactory resources caused by the previous fix for 50159. (markt)
  • 50352: Ensure that AsyncListener.onComplete() is fired when AsyncContext.complete() is called. (markt)
  • 50358: Set the correct LifecycleState when stopping instances of the deprecated Embedded class. (markt)
  • Further Lifecycle refactoring for Connectors and associated components. (markt)
  • Correct handling of versioned web applications in deployer. (markt)
  • Correct removal of LifecycleListeners from Containers via JMX. (markt)
  • Don't use nulls to construct log messages. (markt)
  • Code clean-up. Replace use of inefficient constructors with more efficient alternatives. (markt)
  • 50411: Ensure sessions are removed from the Store associated with a PersistentManager. (markt)
  • 50413: Ensure 304 responses are not returned when using static files as error pages. (markt/kkolinko)
  • 50448: Fix possible IllegalStateException caused by recent session management refactoring. (markt)
  • Ensure aliases settings for a context are retained after a context is reloaded. (markt)
  • Log a warning if context.xml files define values for properties that do not exist (e.g. if there is a typo in a property name). (markt)
  • 50453: Correctly handle multiple X-Forwarded-For headers in the RemoteIpFilter and RemoteIpValve. Patch provided by Jim Riggs. (markt)
  • 50541: Add support for setting the size limit and time limit for LDAP searches when using the JNDI Realm with userSearch. (markt)
  • All configuration options that use regular expression now require a single regular expression (using java.util.regex) rather than a list of comma-separated or semi-colon-separated expressions. (markt)
  • 50496: Bytes sent in the access log are now counted after compression, chunking etc rather than before. (markt)
  • 50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt)
  • 50554: Code clean up. (markt)
  • 50556: Improve JreMemoryLeakPreventionListener to prevent a potential class loader leak caused by a thread spawned when the class com.sun.jndi.ldap.LdapPoolManager is initialized and the system property com.sun.jndi.ldap.connect.pool.timeout is set to a value greater than 0. (slaurent)
  • Coyote:
  • 47319: Return the client's IP address rather than null for calls to getRemoteHost() when the APR connector is used with enableLookups="true" but the IP address is not resolvable. (markt)
  • 50108: Add get/set methods for Connector property minSpareThreads. Patch provided by Eiji Takahashi. (markt)
  • 50360: Provide an option to control when the socket associated with a connector is bound. By default, the socket is bound on Connector.init() and released on Connector.destroy() as per the current behaviour but this can be changed so that the socket is bound on Connector.start() and released on Connector.stop(). This fix also includes further Lifecycle refactoring for Connectors and associated components. (markt)
  • Remove a huge memory leak in the NIO connector introduced by the fix for 49884. (markt)
  • 50467: Protected against NPE triggered by a race condition that causes the NIO poller to fail, preventing the processing of further requests. (markt)
  • Jasper:
  • 13731: Make variables in _jspService() method final where possible. (markt)
  • 50408: Fix NoSuchMethodException when using scoped variables with EL method invocation. (markt)
  • 50460: Avoid leak caused by using a cached exception instance in JspDocumentParser and ProxyDirContext. (kkolinko)
  • 50500: Use correct coercions (as per the EL spec) for arithmetic operations involving string values containing '.', 'e' or 'E'. Based on a patch by Brian Weisleder. (markt)
  • Cluster:
  • 50185: Add additional trace level logging to Tribes to assist with fault diagnosis. Based on a patch by Ariel. (markt)
  • Don't try and obtain session data from the cluster if the current node is the only node in the cluster. Log requesting session data as INFO rather than WARNING. (markt)
  • 50503: When web application has a version, Engine level Clustering works correctly. (kfujino)
  • 50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)
  • Web applications:
  • 21157: Ensure cookies are written before the response is committed in the Cookie example. Patch provided by Stefan Radzom. (markt)
  • 50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
  • Correctly validate provided context path so sessions for the ROOT web application can be viewed through the HTML Manager. (markt)
  • Improve documentation of database connection factory. (rjung)
  • 50488: Update classpath required when using jsvc and add a note regarding server VMs. (markt)
  • Further filtering of Manager display output. (kkolinko)
  • Other:
  • Don't configure Windows installer to use PID file since it is not removed when the service stops which prevents the service from starting. (markt)
  • 14416: Make TagLibraryInfo.getTag() more robust at handling nulls. (markt)
  • 50552: Avoid NPE that hides error message when using Ant tasks. (schultz)
  • Provide two alternative locations for the libraries downloaded from the ASF web site at build time. Use the main distribution site as default and the archive one as fallback. (kkolinko)

New in version 7.0.0 (June 30th, 2010)

  • Catalina:
  • Update Servlet support to the Servlet 3.0 specification. (all)
  • Improve and document VirtualWebappLoader. (rjung)
  • 43642: Add prestartminSpareThreads attribute for Executor. (jfclere)
  • Switch from AnnotationProcessor to InstanceManager. Patch provided by David Jecks with modifications by Remy. (remm/fhanik)
  • r620845 and r669119. Make shutdown address configurable. (jfclere)
  • r651977 Add some missing control checks to ThreadWithAttributes. (markt)
  • r677640 Add a startup class that does not require any configuration files. (costin)
  • r700532 Log if temporary file operations within the CGI servlet fail. Make sure header Reader is closed on failure. (markt)
  • r708541 Delete references to DefaultContext which was removed in 6.0.x. (markt)
  • r709018 Initial implementation of an asynchronous file handler for JULI. (fhanik)
  • Give session thisAccessedTime and lastAccessedTime clear semantics. (rjung)
  • Expose thisAccessedTime via Session interface. (rjung)
  • Provide a log format for JULI that provides the same information as the default but on a single line. (markt)
  • r723889 Provide the ability to configure the Executor job queue size and a timeout for adding jobs to the queue. (fhanik)
  • Add support for aliases to StandardContext. This allows content from other directories and/or WAR files to be mapped to paths within the context. (markt)
  • Provide clearer definition of Lifecycle interface, particularly start and stop, and align components that implement Lifecycle with this definition. (markt)
  • 48662: Provide a new option to control the copying of context XML descriptors from web applications to the host's xmlBase. Copying of XML descriptors is now disabled by default. (markt)
  • Move comet classes from the org.apache.catalina package to the org.apache.catalina.comet package to allow comet to work under a security manager. (markt)
  • Coyote:
  • Port SSLInsecureRenegotiation from mod_ssl. This requires tomcat-native 1.2.21, which has an option to detect this support from the OpenSSL library. (mturk)
  • Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung)
  • r703017 Make Java socket options consistent between NIO and JIO connector. Expose all the socket options available on java.net.Socket. (fhanik)
  • 46051: The writer returned by getWriter() now conforms to the PrintWriter specification and uses platform dependent line endings rather than always using \r\n. (markt)
  • Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk)
  • r724239 NIO connector now always uses an Executor. (fhanik)
  • r724393 Implement keepAliveCount for NIO connector in a thread safe manner. (fhanik)
  • r724849 Implement keep alive timeout for NIO connector. (fhanik)
  • Jasper:
  • Update JSP support to the JSP 2.2 specification. (markt)
  • Update EL support to the EL 2.2 specification. (markt)
  • r787978 Use "1.6" as the default value for compilerSourceVM and compilerTargetVM options of Jasper. (kkolinko)
  • 48358: Add support for limiting the number of JSPs that are loaded at any one time. Based on a patch by Isabel Drost. (markt)
  • 48689: Access TLD files through a new JarResource interface to make extending Jasper simpler, particularly in OSGi environments. Patch provided by Jarek Gawor. (markt)
  • High Availability:
  • Add support for UDP and secure communication to tribes. (fhanik)
  • Add versioning to the tribes communication protocol to support future developments. (fhanik)
  • Add a demo on how to use the payload. (fhanik)
  • Started to add JMX support to the cluster implementation. (markt)
  • r609778 Minor fixes to the throughput interceptor and the NIO receiver. (fhanik)
  • r630234 Additional checks for the NIO receiver. (fhanik)
  • r671650 Improve error message when multicast is not enabled. (fhanik)
  • Web applications:
  • r631321 Update changelog to support the element in the documentation. (fhanik)
  • A number of additional roles were added to the Manager and Host Manager applications to separate out permissions for the HTML interface, the text interface and the JMX proxy. (markt)
  • CSRF protection was added to the Manager and Host Manager applications. (markt)
  • List array elements in the JMX proxy output of the Manager application. (rjung)
  • Extras:
  • A new JmxRemoteLifecycleListener that can be used to fix the ports used for remote JMX connections, e.g. when using JConsole. (markt)
  • Modules:
  • r691359 Added in a Bayeux protocol implementation built on top of the Tomcat CometProcessor interface. (fhanik)
  • Other:
  • Numerous code clean-up changes including the use of generics and removing unused imports, fields, parameters and methods. (markt)
  • All deprecated internal code has been removed. Warning: If you have custom components for a previous Tomcat version that extend internal Tomcat classes and override deprecated methods it is highly likely that they will no longer work. (markt)
  • Parameterize version number throughout build scripts and source. (rjung)