Apache Tomcat Changelog

New in version 8.0.24

July 7th, 2015
  • Provide path parameters to POJO based WebSocket endpoints to the per session javax.websocket.server.ServerEndpointConfig instance as the path parameters will vary between sessions.
  • Various fixes to the SlowQueryReport in jdbc-pool.
  • Various improvements to how Tomcat implements the requirements of SRV.10.7.2 (not loading Java SE and implemented specification classes from web applications).

New in version 8.0.23 (May 22nd, 2015)

  • Catalina:
  • Add: 54618: Add a new HttpHeaderSecurityFilter that adds the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options HTTP headers to the response. (markt)
  • Fix: 57875: Add javax.websocket.* to the classes for which the web application class loader always delegates first. (markt)
  • Fix: 57871: Ensure that setting the the allowHttpSepsInV0 property of a LegacyCookieProcessor to false only prevents HTTP separators from being used without quotes. (markt)
  • Fix: Add a workaround for issues with SPNEGO authentication when running on Java 8 update 40 and later. The workaround should be safe for earlier Java versions but it can be disabled with the applyJava8u40Fix attribute of the SPNEGO authenticator if necessary. (markt)
  • Fix: 57926: Restore the original X-Forwarded-By and X-Forwarded-For headers after processing by the RemoteIPValve . (markt)
  • Coyote:
  • Fix: Follow up to previous fix that removed the behavior difference between NIO and NIO2 for SSL, which caused corruption with NIO2. (remm)
  • Fix: 57931: Ensure that TLS connections with the NIO or NIO2 HTTP connectors that experience issues during the handhshake (e.g. missing or invalid client certificate) are closed cleanly and that the client receives the correct error code rather than simply closing the connection. (markt)
  • Jasper:
  • Fix: 56438: Add debug logging to TLD discovery that logs positive and negative results for JARs, resource paths and directories. Patch provided by VIN. (markt)
  • Fix: 57802: Correct the default implementation of convertToType() provided by javax.el.ELResolver. (markt)
  • Fix: 57887: Fix compilation of recursive tag files packaged in a JAR. (markt)
  • Cluster:
  • Fix: Make sure that stream is closed after using it in DeltaSession.applyDiff(). (kfujino)
  • Code: Use StringManager to provide i18n support in the org.apache.catalina.ha packages. (kfujino)
  • Code: Add the context name to log messages when replication context failed to start. (kfujino)
  • Web applications:
  • Fix: 57875: Update the web application class loader documentation to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards. (markt)
  • Fix: 57896: Document system property org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER that was introduced in Tomcat 8.0.0. (kkolinko)
  • Tribes:
  • Fix: Ensure that the state transfer flag is updated to true only when the map states have been transferred correctly from existing map members. (kfujino)
  • Other:
  • Update: Update optional Checkstyle library to 6.6. (kkolinko)

New in version 8.0.22 (May 6th, 2015)

  • Catalina:
  • Fix: 57736: Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted. (markt)
  • Fix: 57752: Exclude non-cached resources from the Cache statistics for resource lookups. Patch provided by Adam Mlodzinski. (markt)
  • Add: Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
  • Fix: 57556: Refine the previous fix fo rthis issue so that the real path returned only has a trialing separator if the requested path ended with /. (markt)
  • Fix: 57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
  • Fix: Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
  • Fix: Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
  • Fix: 57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
  • Fix: Fix wrong logger name of org.apache.catalina.webresources.StandardRoot. (kfujino)
  • Fix: 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
  • Fix: 57841: Improve error logging during web application start. (markt)
  • Fix: 57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect(). (markt)
  • Fix: 57863: Fix the RewriteMap support in RewriteValve that did not use the correct key value to look up entries. Based on a patch provided by Tatsuya Bessho. (markt)
  • Coyote:
  • Fix: 57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API. (markt)
  • Code: Remove the experimental support for SPDY. No current user agent supports the version of SPDY that the experiment targetted. Note: HTTP/2 support is under development for Tomcat 9 and may be back-ported to Tomcat 8 once complete. (markt)
  • Fix: Possible incomplete writes with SSL NIO2. (remm)
  • Fix: Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO differences between NIO and NIO2 that don't seem to be justified. (remm)
  • Fix: After some errors, the pending flags could remain set when using SSL NIO2. (remm)
  • Fix: 57833: When using JKS based keystores for NIO or NIO2, ensure that the key alias is always converted to lower caes since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt)
  • Fix: 57837: Add text/css to the default list of compressable MIME types. (markt)
  • Jasper:
  • Fix: 57845: Ensure that, if the same JSP is accessed directly and via a declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed. (markt)
  • Fix: 57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message. (markt)
  • Cluster:
  • Fix: Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes. (kfujino)
  • Add: Add new attribute that send all actions for session across Tomcat cluster nodes. (kfujino)
  • Fix: Remove unused pathname attribute in mbean definition of BackupManager. (kfujino)
  • WebSocket:
  • Fix: 57761: Ensure that the opening HTTP request is correctly formatted when the WebSocket client connects to a server root. (remm)
  • Fix: 57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped. (markt)
  • Fix: 57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message. (markt)
  • Fix: Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste. (markt/kkolinko)
  • Fix: 57788: Avoid NPE when looking up a class hierarchy without finding anything. (remm)
  • Web applications:
  • Add: 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
  • Fix: 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)
  • Tribes:
  • Fix: Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processing at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry. (kfujino)
  • Other:
  • Fix: Add missing pom for tomcat-storeconfig. (remm)
  • Update: Update optional Checkstyle library to 6.5. (kkolinko)
  • Fix: 57707: Improve error message when trying to run a release build on a non-Windows platform and Wine is not available. (markt)

New in version 8.0.21 (March 27th, 2015)

  • Catalina:
  • Add: 49785: Enable StartTLS connections for JNDIRealm. (fschumacher)
  • Fix: When docBase refers internal war and unpackWARs is set to false, avoid registration of the invalid redeploy resource that has been added ".war" extension in duplicate. (kfujino)
  • Fix: If WAR exists, it is not necessary to trigger a reload when adding a Directory. (kfujino)
  • Fix: 55988: Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8. Based upon a patch provided by Ognjen Blagojevic. (schultz)
  • Fix: 56608: When deploying an external WAR, add watched resources in the expanded directory based on whether the expanded directory is expected to exist rather than if it does exist. (markt)
  • Fix: When triggering a reload due to a modified watched resource, ensure that multiple changed watched resources only trigger one reload rather than a series of reloads. (markt)
  • Fix: 57601: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by the Default servlet. (jboynes/markt)
  • Fix: 57602: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by a servlet that extends HttpServlet. (markt)
  • Fix: 57621: When an async request completes, ensure that any remaining request body data is swallowed. (markt)
  • Fix: 57637: Do not create unnecessary sessions when using PersistentValve. (jboynes/fschumacher)
  • Fix: 57645: Correct a regression in the fix for 57190 that incorrectly required the path passed to ServletContext.getContext(String) to be an exact match to a path to an existing context. (markt)
  • Fix: Make sure that unpackWAR attribute of Context is handled correctly in HostConfig. (kfujino)
  • Fix: When deploying a WAR file that contains a context.xml file and unpackWARs is false ignore any context.xml file that may exist in an expanded directory associated with the WAR. (markt)
  • Fix: 57675: Correctly quote strings when using the extended access log. (markt)
  • Add: Enable Tomcat to detect when a WAR file has been changed while Tomcat is not running. Tomcat does this by adding a META-INF/war-tracking file to the expanded directory and setting the last modified time of this file to the last modified time of the WAR. If Tomcat detects a modified WAR via this mechanism the web application will be redeployed (i.e. the expanded directory will be removed and the modified WAR expanded in its place). (markt)
  • Fix: 57704: Fix potential NPEs during web application start/stop when org.apache.tomcat.InstanceManager is not initialized. (violetagg)
  • Add: Use the simplified digest output for digest.bat|sh when generating digests with no salt and a single iteration to make it easier to use with DIGEST authentication. (markt)
  • Fix: Add support for LAST_ACCESS_AT_START system property to SingleSignOn. (kfujino)
  • Code: Refactor Authenticator implementations to reduce code duplication. (markt)
  • Fix: 57724: Handle the case in the CORS filter where a user agent includes an origin header for a non-CORS request. (markt)
  • Fix: When searching for SCIs o.a.catalina.Context.getParentClassLoader will be used instead of java.lang.ClassLoader.getParent. Thus one can provide the correct parent class loader when running embedded Tomcat in other environments such as OSGi. (violetagg)
  • Fix: 57743: Fix a locked file / resource leak issue when a JAR is accessed just before or during web application undeploy. Patch provided by Pavel Avgustinov. (markt)
  • Coyote:
  • Add: 57540: Make TLS/SSL protocol available in a new request attribute (org.apache.tomcat.util.net.secure_protocol_version). (Note that AJP connectors will require mod_jk 1.2.41 or later, or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see the bug comments for details.) Based upon a patch provided by Ralf Hauser. (schultz)
  • Fix: Fix a cipher ordering issue when using the OpenSSL syntax for JSSE cipher configuration to ensure that ephemeral ECDH with AES is preferred to ephemeral ECDH with anything else. (markt)
  • Fix: 57570: Make the processing of trailer headers with chunked input optional and disabled by default. (markt)
  • Fix: 57592: Correctly handle the case where an AsyncContext is used for non-blocking I/O and is completed during a write operation. (markt)
  • Fix: 57638: Avoid an IllegalArgumentException when an AJP request body chunk larger than the socket read buffer is being read. This typically requires a larger than default AJP packetSize. (markt)
  • Fix: 57674: Avoid a BufferOverflowException when an AJP response body chunk larger than the socket write buffer is being written. This typically requires a larger than default AJP packetSize. (markt)
  • Update: Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 branch. (markt)
  • Fix: Numerous fixes to the APR/native connector to improve robustness. (markt)
  • Fix: Stop caching and re-using SocketWrapper instances. With the introduction of upgrade and non-blocking I/O, I/O can occur on non-container threads. This makes it nearly impossible to track whether a SocketWrapper is still being references or not. making re-use a risky proposition. (markt)
  • Code: Refactor Connector authentication (only used by AJP) into a separate method. (markt)
  • Add: 57708: Implement a new feature for AJP connectors - Tomcat Authorization. If the new tomcatAuthorization attribute is set to true (it is disabled by default) Tomcat will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user. (markt)
  • Fix: Fix an issue that meant that any pipe-lined data read by Tomcat before an asynchronous request completed was lost during the completion of the asynchronous request. This mean that the pipe-lined request(s) would be lost and/or corrupted. (markt)
  • Update: Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33. (markt)
  • Jasper:
  • Fix: 57135: Package imports via javax.el.ImportHandler should only import public, concrete classes. (markt)
  • Fix: 57583: Cache 'Not Found' results in javax.el.ImportHandler.resolveClass() to save repeated attempts to load classes that are known not to exist to improve performance. (markt)
  • Fix: 57626: Correct a regression introduced in the 8.0.16 fix for ensuring Jars were closed after use, that broke recompilation of modified JSPs that depended on a tag file packaged in a Jar. (markt)
  • Fix: 57627: Correctly determine last modified times for dependencies when a tag file packaged in a JAR depends on a tag file packaged in a second JAR. (markt)
  • Fix: 57647: Ensure INFO message is logged when scanning jars for TLDs if the scan does not find a TLD in any jar. Previously a message would only be logged if a TLD was not found in all scanned jars. (jboynes)
  • Update: 57662: Update all references to the ECJ compiler to version 4.4.2. (violetagg)
  • Cluster:
  • Fix: Remove unnecessary method that always returns true. The domain filtering works on DomainFilterInterceptor. (kfujino)
  • WebSocket:
  • Fix: Correct a bug in the permessage-deflate implementation that meant that the incorrect op-codes were used if an uncompressed message was converted into more than one compressed message. (markt)
  • Add: 57676: List conflicting WebSocket endpoint classes when there is a path conflict. Based upon a patch proposed by yangkun. (schultz)
  • Web applications:
  • Fix: 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is used entered in the access log when Tomcat is running behind a reverse proxy. (markt)
  • Fix: 57587: Update the JNDI Datasource HOWTO for DBCP2. Patch provided by Phil Steitz. (markt)
  • Fix: Remove incorrect note from context configuration page in the documentation web application that stated WAR files located outside the appBase were never unpacked. (markt)
  • Fix: 57683: Ensure that if a client aborts their connection to the stock ticker example (the only way a client can disconnect), the example continues to work for existing and new clients. (markt)
  • Fix: Make it clear that when using digested passwords with DIGEST authentication that no salt and only a single iteration must be used when generating the digest. (markt)
  • Update: Update examples to use Apache Standard Taglib 1.2.5. (jboynes)
  • Extras:
  • Fix: 57377: Remove the restriction that prevented the use of SSL when specifying a bind address with the JMXRemoteLifecycleListener. Also enable SSL to be configured for the registry as well as the server. (markt)
  • Tribes:
  • Fix: When a map member has been added to ReplicatedMap, make sure to add it to backup nodes list of all other members. (kfujino)
  • Fix: Make sure that refuse the messages from a different domain in DomainFilterInterceptor. (kfujino)
  • Other:
  • Update: Update optional Checkstyle library to 6.4.1. (kkolinko)
  • Fix: 57703: Update the http-method definition for web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. (markt)
  • Update: Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt)

New in version 8.0.20 (February 20th, 2015)

  • Fix: Fix a concurrency issue that meant that a change in socket timeout (e.g. when switching to asynchronous I/O) did not always take effect immediately. (markt)

New in version 7.0.59 (February 10th, 2015)

  • Session ID Generator is now extensible.

New in version 8.0.18 (January 28th, 2015)

  • A regression that caused response truncation when using forwarding (57475) has been fixed.
  • Various improvements to ReplicatedMap in Tribes.

New in version 8.0.17 Beta (January 21st, 2015)

  • Catalina:
  • Fix: Correct a regression in the previous fix for 57252 that broke request listeners for non-async requests that triggered an error that was handled by the ErrorReportingValve. (markt/violetagg)
  • Coyote:
  • Fix: Add flushing to send ack in the NIO2 connector. (remm)

New in version 8.0.15 Beta (November 13th, 2014)

  • Catalina:
  • Add: 43548: Add an XML schema for the tomcat-users.xml file. (markt)
  • Add: 43682: Add support for referring to the current context, host and service name in per Context logging.properties files by using the properties ${classloader.webappName}, ${classloader.hostName} and ${classloader.serviceName}. (markt)
  • Add: 47919: Extend the information logged when Tomcat starts to optionally log the values of command line arguments (enabled by default) and environment variables (disabled by default). Note that the values added to CATALINA_OPTS and JAVA_OPTS environment variables will be logged, as they are used to build up the command line. (markt)
  • Add: 49939: Expose the method that clears the static resource cache for a web application via JMX. (markt)
  • Fix: 55951: Allow cookies to use UTF-8 encoded values in HTTP headers. This requires the use of the RFC6265 CookieProcessor. (markt)
  • Fix: 55984: Using the allow separators in version 0 cookies option with the legacy cookie processor should only apply to version 0 cookies. Version 1 cookies with values that contain separators should not be affected and should continue to be quoted. (markt)
  • Add: 56393: Add support for RFC6265 cookie parsing and generation. This is currently disabled by default and may be enabled via the CookieProcessor element of a Context. (markt)
  • Add: 56394: Introduce new configuration element CookieProcessor in Context to allow context-specific configuration of cookie processing options. Attributes of Context element that were added in Tomcat 8.0.13 to allow configuration of a new experimental RFC6265 based cookie parser (useRfc6265 and cookieEncoding) are replaced by this new configuration element. (markt)
  • Fix: Improve the previous fix for 56401. Avoid logging version information in the constructor since it then gets logged at undesirable times such as when using StoreConfig. (markt)
  • Fix: 56403: Add pluggable password derivation support to the Realms via the new CredentialHandler interface. (markt/schultz)
  • Fix: 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
  • Add: Deprecate the use of system proprties to control cookie parsing and replace them with attributes on the new CookieProcessor that may be configured on a per context basis. (markt)
  • Fix: Correct an edge case and allow a cookie if the value starts with an equals character and the CookieProcessor is not configured to allow equals characters in cookie values but is configured to allow name only cookies. (markt)
  • Fix: 57022: Ensure SPNEGO authentication continues to work with the JNDI Realm using delegated credentials with recent Oracle JREs. (markt)
  • Fix: 57027: Add additional validation for stored credentials used by Realms when the credential is stored using hex encoding. (markt)
  • Fix: 57038: Add a WebResource.getCodeBase() method, implement for all WebResource implementations and then use it in the web application class loader to set the correct code base for resources loaded from JARs and WARs. (markt)
  • Fix: Correct a couple of NPEs in the JNDI Realm that could be triggered with when not specifying a roleBase and enabling roleSearchAsUser. (markt)
  • Fix: Correctly handle relative values for the docBase attribute of a Context. (markt)
  • Fix: Ensure that log messages generated by the web application class loader correctly identify the associated Context when multiple versions of a Context with the same path are present. (markt)
  • Fix: Remove the unnecessary registration of context.xml as a redeploy resource. The context.xml having an external docBase has already been registered as a redeploy resource at first. (kfujino)
  • Fix: 57089: Ensure that configuration of a session ID generator is not lost when a web application is reloaded. (markt)
  • Fix: 57105: When parsing web.xml do not limit the buffer element of the jsp-property-group element to integer values as the allowed values are kb or none. (markt)
  • Update: Update the minimum required version of the Tomcat Native library (if used) to 1.1.32. (markt)
  • Fix: Update storeconfig with newly introduced elements: SessionIdGenerator, CookieProcessor, JarScanner and JarScanFilter. (remm)
  • Fix: Throw a NullPointerException if a null string is passed to the write(String,int,int) method of the PrintWriter obtained from the ServletResponse. (markt)
  • Fix: Cookie rewrite flag abbreviation should be CO rather than C. (remm)
  • Fix: 57153: When the StandardJarScanner is configured to scan the full class path, ensure that class path entries added directly to the web application class loader are scanned. (markt)
  • Fix: AsyncContext should remain usable until fireOnComplete is called. (remm)
  • Fix: AsyncContext createListener should wrap any instantiation exception using a ServletException. (remm)
  • Fix: 57155: Allow a web application to be configured that does not have a docBase on the file system. This is primarily intended for use when embedding. (markt)
  • Fix: Propagate header ordering from fileupload to the part implementation. (remm)
  • Coyote:
  • Add: 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. This feature requires Tomcat Native library 1.1.32 or later. (schultz/jfclere)
  • Code: Cache the Encoder instances used to convert Strings to byte arrays in the Connectors (e.g. when writing HTTP headers) to improve throughput. (markt)
  • Add: Disable SSLv3 by default for JSSE based HTTPS connectors (BIO, NIO and NIO2). The change also ensures that SSLv2 is disabled for these connectors although SSLv2 should already be disabled by default by the JRE. (markt)
  • Add: Disable SSLv3 by default for the APR/native HTTPS connector. (markt)
  • Fix: Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
  • Fix: Trigger an error if an invalid attempt is made to use non-blocking IO. (markt)
  • Fix: 57157: Allow calls to AsyncContext.start(Runnable) during non-blocking IO reads and writes. (markt)
  • Fix: Async state MUST_COMPLETE should still be started. (remm)
  • Jasper:
  • Fix: 57099: Ensure that semi-colons are not permitted in JSP import page directives. (markt)
  • Fix: 57113: Fix broken package imports in Expression Language when more than one package was imported and the desired class was not in the last package imported. (markt)
  • Fix: 57132: Fix import conflicts reporting in Expression Language. (kkolinko)
  • Fix: When coercing an object to a given type, only attempt coercion to an array if both the object type and the target type are an array type. (violetagg/markt)
  • Fix: Improve handling of invalid input to javax.el.ImportHandler.resolveClass(). (markt)
  • Fix: Allow the same class to be added to an instance of javax.el.ImportHandler more than once without triggering an error. The second and subsequent calls for the same class will be ignored. (markt)
  • Fix: 57136: Ensure only \${ and \#{ are treated as escapes for ${ and #{ rather than \$ and \# being treated as escapes for $ and # when processing literal expressions in expression language. (markt)
  • Fix: When coercing an object to an array type in Expression Language, handle the case where the source object is an array of primitives. (markt/kkolinko)
  • Fix: Do not throw an exception on missing JSP file servlet initialization. (remm)
  • Fix: 57148: When coercing an object to a given type and a PropertyEditor has been registered for the type correctly coerce the empty string to null if the PropertyEditor throws an exception. (kkolinko/markt)
  • Fix: 57153: Correctly scan for TLDs located in directories that represent exanded JARs files that have been added to the web application class loader's class path. (markt)
  • Fix: 57141: Enable EL in JSPs to refer to static fields of imported classes including the standard java.lang.* imports. (markt)
  • Cluster:
  • Fix: Add support for the SessionIdGenerator to cluster manager template. (kfujino)
  • Fix: Avoid possible integer overflows reported by Coverity Scan. (fschumacher)
  • WebSocket:
  • Fix: 57054: Correctly handle the case in the WebSocket client when the HTTP response to the upgrade request can not be read in a single pass; either because the buffer is too small or the server sent the response in multiple packets. (markt)
  • Add: Extend support for the permessage-deflate extension to the client implementation. (markt)
  • Fix: Fix client subprotocol handling. (remm)
  • Fix: Add null checks for arguments in remote endpoint. (remm/kkolinko)
  • Fix: 57091: Work around the behaviour of the Oracle JRE when creating new threads in an applet environment that breaks the WebSocket client implementation. Patch provided by Niklas Hallqvist. (markt)
  • Fix: 57118: Ensure that that an EncodeException is thrown by RemoteEndpoint.Basic.sendObject(Object) rather than an IOException when no suitable Encoder is configured for the given Object. (markt)
  • Web applications:
  • Fix: Correct a couple of broken links in the Javadoc. (markt)
  • Fix: Correct documentation for ServerCookie.ALLOW_NAME_ONLY system property. (kkolinko)
  • Fix: 57049: Clarified that jvmRoute can be set in 's jvmRoute or in a system property. (schultz)
  • Fix: Correct version of Java WebSocket mentioned in documentation (s/1.0/1.1/). (markt/kkolinko)
  • Update: Suppress timestamp comments in Javadoc. (kkolinko)
  • Fix: 57147: Various corrections to the JDBC Store section of the session manager configuration page of the documentation web application. (markt)
  • Tribes:
  • Fix: 45282: Improve shutdown of NIO receiver so that sockets are closed cleanly. (fhanik/markt)
  • jdbc-pool:
  • Fix: 57005: Fix javadoc errors when building with Java 8. Patch provided by Pierre Viret. (markt)
  • Fix: 57079: Use Tomcat version number for jdbc-pool module when building and shipping the module as part of Tomcat. (markt)
  • Fix: Fix broken overview page in javadoc generated via "javadoc" task in jdbc-pool build.xml file. (kkolinko)
  • Other:
  • Fix: 56079: The uninstaller packaged with the Apache Tomcat Windows installer is now digitally signed. (markt)
  • Fix: Fix timestamps in Tomcat build and jdbc-pool to use 24-hour format instead of 12-hour one and use UTC timezone. (markt/kkolinko)
  • Fix: Update the package renamed copy of Apache Commons DBCP 2 to revision 1631450 to pick up additional fixes since the 2.0.1 release including Javadoc corrections to fix errors when compiling with Java 8. (markt)
  • Update: 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
  • Code: In Tomcat tests: log name of the current test method at start time. (kkolinko)

New in version 7.0.56 (October 15th, 2014)

  • Catalina:
  • fix When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
  • fix Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
  • fix 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
  • fix 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
  • fix 56771: When lookup for a resource in all the alternate or backup javax.naming.directory.DirContext, javax.naming.NameNotFoundException will be thrown at the end of the search if the resource is not available in these alternate or backup javax.naming.directory.DirContext. Based on a patch by Sheldon Shao. (violetagg)
  • fix 56796: Remove unnecessary sleep when stopping a web application. (markt)
  • fix 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (kkolinko)
  • fix 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
  • fix 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
  • code 56882: Add testcase for processing of forwards and includes when Context have been reloaded. (kkolinko)
  • fix 56900: Fix some potential resource leaks when reading property files reported by Coverity Scan. Based on patches provided by Felix Schumacher. (markt)
  • fix 56902: Fix a potential resource leak in the Default Servlet reported by Coverity Scan. Based on a patch provided by Felix Schumacher. (markt)
  • fix 56903: Correct the return value for StandardContext.getResourceOnlyServlets() so that multiple names are separated by commas. Identified by Coverity Scan and fixed based on a patch by Felix Schumacher. (markt)
  • fix Fixed the multipart elements merge operation performed during web application deployment. Identified by Coverity Scan. (violetagg)
  • fix Correct the information written by ExtendedAccessLogValve when a format token x-O(XXX) is used so that multiple values for a header XXX are separated by commas. Identified by Coverity Scan. (violetagg)
  • fix Fix a potential resource leak when reading MANIFEST.MF file for extension dependencies reported by Coverity Scan. (violetagg)
  • fix Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
  • fix Fix some potential resource leaks when reading properties, files and other resources. Reported by Coverity Scan. (violetagg)
  • fix When using parallel deployment and undeployOldVersions feature is enabled on a Host, correctly undeploy context of old version. Make sure that Tomcat does not undeploy older Context if current context is not running. (kfujino)
  • fix When deploying war, add XML file in the config base to the redeploy resources if war does not have META-INF/context.xml or deployXML is false. If XML file is created in the config base, redeploy will occur. (kfujino)
  • code Various changes to reduce unnecessary code in Tomcat's copy of Apache Commons BCEL to reduce the time taken for annotation scanning when web applications start. Includes contributions from kkolinko and hzhang9. (markt)
  • fix 56938: Ensure web applications that have mixed case context paths and are deployed as directories are correctly removed on undeploy when running on a case sensitive file system. (markt)
  • add 57004: Add stuckThreadCount property to StuckThreadDetectionValve's JMX bean. Patch provided by Jiří Pejchal. (schultz)
  • fix 57011: Ensure that the request and response are correctly recycled when processing errors during async processing. (markt)
  • fix 57016: When using the PersistentValve do not remove sessions from the store when persisting them. (markt)
  • Coyote:
  • fix 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
  • fix 56910: Prevent the invalid value of -1 being used for maxConnections with APR connectors. (markt)
  • fix Ensure that AjpNioProtocol and AjpAprProtocol enable the KeepAliveTimeout. (kfujino)
  • Jasper:
  • fix 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko)
  • fix 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
  • fix Correct a logic error in the JasperElResolver. There was no functional impact but the code was less efficient as a result of the error. Based on a patch by martinschaef. (markt)
  • fix Ensure that the implementation of javax.servlet.jsp.PageContext.include(String) and javax.servlet.jsp.PageContext.include(String, boolean) will throw IOException when an I/O error occur during the operation. (violetagg)
  • fix 56908: Fix some potential resource leaks when reading jar files. Reported by Coverity Scan. Based on patch provided by Felix Schumacher. (violetagg)
  • fix 56991: Deprecate the use of a request attribute to pass a declaration to Jasper and prevent an infinite loop if this technique is used in conjunction with an include. (markt)
  • fix Fix a potential resource leak in JDTCompiler when checking wether a resource is a package. Reported by Coverity Scan. (fschumacher)
  • WebSocket:
  • code 56446: Clearer handling of exceptions when calling a method on a POJO based WebSocket endpoint. Based on a suggestion by Eugene Chung. (markt)
  • fix 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
  • fix 56905: Make destruction on web application stop of thread group used for WebSocket connections more robust. (kkolinko/markt)
  • fix 56907: Ensure that client IO threads are stopped if a secure WebSocket client connection fails. (markt)
  • fix When a WebSocket client attempts to write to a closed connection, handle the resulting IllegalStateException in a manner consistent with the handling of an IOException. (markt)
  • add Add support for the permessage-deflate extension. This is currently limited to decompressing incoming messages on the server side. It is expected that support will be extended to outgoing messages and to the client side shortly. (markt)
  • add Extend support for the permessage-deflate extension to compression of outgoing messages on the server side. (markt)
  • fix 56982: Return the actual negotiated extensions rather than an empty list for Session.getNegotiatedExtensions(). (markt)
  • update Update the WebSocket implementation to support the Java WebSocket specification version 1.1. (markt)
  • Web applications:
  • fix Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
  • update Update the Windows authentication documentation after some additional testing to answer the remaining questions. (markt)
  • fix Correct a couple of broken links in the Javadoc. (markt)
  • Other:
  • add 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
  • add 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
  • fix 56895: Correctly compose JAVA_OPTS in catalina.bat so that escape sequences are preserved. Patch by Lucas Theisen. (markt)
  • update 56988: Allow to use relative path in base.path setting when building Tomcat. (kkolinko)
  • fix 56990: Ensure that the ide-eclipse build target downloads all the libraries required by the default Eclipse configuration files and configures Eclipse to use Java 6 for the project. Add build target ide-eclipse-websocket that creates a separate linked project that compiles websocket classes of Tomcat 7 with Java 7 compiler. (kkolinko)

New in version 8.0.14 Beta (September 30th, 2014)

  • Other:
  • Fix: 56079: The Apache Tomcat Windows installer, the Apache Tomcat Windows service and the Apache Tomcat Windows service monitor application are now digitally signed. (markt)

New in version 8.0.12 Beta (September 3rd, 2014)

  • Jasper:
  • Fix: Correct a logic error in the JasperElResolver. There was no functional impact but the code was less efficient as a result of the error. Based on a patch by martinschaef. (markt)
  • Other:
  • Add: 56323: Include the *.bat files when installing Tomcat via the Windows installer. (markt)

New in version 8.0.11 Beta (August 27th, 2014)

  • Catalina:
  • Fix: 56658: Fix regression that a context was inaccessible after reload. (kkolinko)
  • Fix: 56710: Do not map requests to servlets when context is being reloaded. (kkolinko)
  • Fix: 56712: Fix session idle time calculations in PersistenceManager. (kkolinko)
  • Fix: 56717: Fix duplicate registration of MapperListener during repeated starts of embedded Tomcat. (kkolinko)
  • Add: 56724: Write an error message to Tomcat logs if container background thread is aborted unexpectedly. (kkolinko)
  • Fix: When scanning class files (e.g. for annotations) and reading the number of parameters in a MethodParameters structure only read a single byte (rather than two bytes) as per the JVM specification. Patch provided by Francesco Komauli. (markt)
  • Fix: Allow the JNDI Realm to start even if the directory is not available. The directory not being available is not fatal once the Realm is started and it need not be fatal when the Realm starts. Based on a patch by Cédric Couralet. (markt)
  • Fix: 56736: Avoid an incorrect IllegalStateException if the async timeout fires after a non-container thread has called AsyncContext.dispatch() but before a container thread starts processing the dispatch. (markt)
  • Fix: 56739: If an application handles an error on an application thread during asynchronous processing by calling HttpServletResponse.sendError(), then ensure that the application is given an opportunity to report that error via an appropriate application defined error page if one is configured. (markt)
  • Fix: 56784: Fix a couple of rare but theoretically possible atomicity bugs. (markt)
  • Fix: 56785: Avoid NullPointerException if directory exists on the class path that is not readable by the Tomcat user. (markt)
  • Fix: 56796: Remove unnecessary sleep when stopping a web application. (markt)
  • Fix: 56801: Improve performance of org.apache.tomcat.util.file.Matcher which is to filter JARs for scanning during web application start. Based on a patch by Sheldon Shao. (markt)
  • Fix: 56815: When the gzip option is enabled for the DefaultServlet ensure that a suitable Vary header is returned for resources that might be returned directly in compressed form. (markt)
  • Fix: Do not mark threads from the container thread pool as container threads when being used to process AsyncContext.start(Runnable) so processing is correctly transferred back to a genuine container thread when necessary. (markt)
  • Add: Add simple caching for calls to StandardRoot.getResources() in the new (for 8.0.x) resources implementation. (markt)
  • Fix: 56825: Enable pre-emptive authentication to work with the SSL authenticator. Based on a patch by jlmonteiro. (markt)
  • Fix: 56840: Avoid NPE when the rewrite valve is mapped to a context. (remm)
  • Fix: Correctly handle multiple accept-language headers rather than just using the first header to determine the user's preferred Locale. (markt)
  • Fix: 56848: Improve handling of accept-language headers. (markt)
  • Fix: 56857: Fix thread safety issue when calling ServletContext methods while running under a security manager. (markt)
  • Coyote:
  • Fix: Fix NIO2 sendfile state tracking and error handling to fix various corruption issues. (remm)
  • Fix: Missing timeout for NIO2 sendfile writes. (remm)
  • Fix: Allow inline processing for NIO2 sendfile and optimize keepalive behavior. (remm)
  • Fix: Fix excessive NIO2 sendfile direct memory use in some cases, sendfile will now instead use the regular socket write buffer as configured. (remm)
  • Fix: 56661: Fix getLocalAddr() for AJP connectors. The complete fix is only available with a recent AJP forwarder like the forthcoming mod_jk 1.2.41. (rjung)
  • Fix: Use default ciphers defined as HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 so that no weak ciphers are enabled by default. (remm)
  • Fix: 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt)
  • Fix: 56810: Remove use of Java 8 specific API calls in unit tests for OpenSSL to JSSE cipher conversion. (markt)
  • Jasper:
  • Fix: 56709: Fix system property name in a log message. Submitted by Robert Kish. (remm)
  • Fix: 56797: When matching a method in an EL expression, do not treat bridge methods as duplicates of the method they bridge to. In this case always call the target of the bridge method. (markt)
  • WebSocket:
  • Fix: 56746: Allow secure WebSocket client threads to use the current context class loader rather than explicitly setting it to the class loader that loaded the WebSocket implementation. This allows WebSocket client connections from within web applications to access, amongst other things, the JNDI resources associated with the web application. (markt)
  • Web applications:
  • Fix: Correct the label in the list of sessions by idle time for the bin that represents the idle time immediately below the maximum permitted idle time when using the expire command of the Manager application. (markt)
  • jdbc-pool:
  • Fix: 53088: More identifiable thread name. (fhanik)
  • Fix: 53200: Selective logging for slow versus failed queries. (fhanik)
  • Fix: 53853: More flexible classloading. (fhanik)
  • Fix: 54225: Disallow empty init SQL. (fhanik)
  • Fix: 54227: Evaluate max age upon borrow. (fhanik)
  • Fix: 54235: Disallow nested pools exploitating using data source. (fhanik)
  • Fix: 54395: Fix JDBC interceptor parsing bug. (fhanik)
  • Fix: 54537: Performance improvement in StatementFinalizer. (fhanik)
  • Fix: 54978: Make sure proper connection validation always happens, regardless of config. (fhanik)
  • Fix: 56318: Ability to trace statement creation in StatementFinalizer. (fhanik)
  • Fix: 56789: getPool() returns the actual pool, always. (fhanik)
  • Other:
  • Add: 56788: Display the full version in the list of installed applications when installed via the Windows installer package. Patch provided by Alexandre Garnier. (markt)
  • Add: 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)

New in version 7.0.55 (August 22nd, 2014)

  • Update to the Eclipse JDT Compiler 4.4
  • Better error handling when the error occurs after the response has been committed
  • Various improvements to the Mapper including fixing some concurrency bugs
  • Update to Tomcat Native Library version 1.1.31 to pick up the Windows binaries that are based on OpenSSL 1.0.1h

New in version 7.0.54 (May 28th, 2014)

  • Extend and improve memory leak protection and fix a few leaks that crept in during the various refactorings
  • Add additional protection against a failure to correctly recycle the request and response objects
  • APR/native library version updated to 1.1.30.

New in version 8.0.1 Beta (February 4th, 2014)

  • Catalina:
  • Fix: Change default value of xmlBlockExternal attribute of Context. It is true now. (kkolinko)
  • Coyote:
  • Fix: Correct regression in the fix for 55996 that meant that asynchronous requests might timeout too early. (markt)
  • Jasper:
  • Fix: Change default value of the blockExternal attribute of JspC task. The default value is true. Add support for -no-blockExternal switch when JspC is run as a standalone application. (kkolinko)
  • WebSocket:
  • Fix: Do not return an empty string for the Sec-WebSocket-Protocol HTTP header when no sub-protocol has been requested or no sub-protocol could be agreed as RFC6455 requires that no Sec-WebSocket-Protocol header is returned in this case. (markt)

New in version 8.0.0 RC10 (January 14th, 2014)

  • Catalina:
  • Add: Implement JSR 340 - Servlet 3.1. The JSR 340 implementation includes contributions from Nick Williams and Jeremy Boynes. (markt)
  • Add: Implement JSR 245 MR2 - JSP 2.3. (markt)
  • Add: Implement JSR 341 - Unified Expression Language 3.0. (markt)
  • Add: Implement JSR 356 - WebSockets. The JSR 356 implementation includes contributions from Nick Williams, Rossen Stoyanchev and Niki Dokovski. (markt)
  • Update: 46727: Refactor default servlet to make it easier to sub-class to implement finer grained control of the file encoding. Based on a patch by Fred Toth. (markt)
  • Add: 45995: Align Tomcat with Apache httpd and perform MIME type mapping based on file extension in a case insensitive manner. (markt)
  • Code: Remove duplicate code that converted a Host's appBase attribute to a canonical file. (markt)
  • Code: 51408: Replace calls to Charset.defaultCharset() with an explicit reference to the ISO-8859-1 Charset. (markt)
  • Code: Refactor initialization code to use a single, consistent approach to determining the Catalina home (binary) and base (instance) directories. The search order for home is catalina.home system property, parent of current directory if boootstrap.jar is present and finally current working directory. The search order for Catalina base is catalina.base system property falling back to the value for Catalina home. (markt)
  • Update: 52092: JULI now uses the OneLineFormatter and AsyncFileHandler by default. (markt)
  • Fix: 52558: Refactor CometConnectionManagerValve so that it does not prevent the session from being serialized in when running in a cluster. (markt)
  • Fix: 52767: Remove reference to MySQL specific autoReconnect property in JDBCAccessLogValve. (markt)
  • Code: Make the Mapper type-safe. Hosts, Contexts and Wrappers are no longer handled as plain objects, instead they keep their type. Code using the Mapper doesn't need to cast objects returned by the mapper. (rjung)
  • Code: Move Manager, Loader and Resources from Container to Context since Context is the only place they are used. The documentation already states (and has done for some time) that Context is the only valid location for these nested components. (markt)
  • Code: Move the Mapper from the Connector to the Service since the Mapper is identical for all Connectors of a given Service and it is common for there to be multiple Connectors for a Service (http, https and ajp). This means there is now only ever one Mapper per Service rather than possibly multiple identically configured Mapper objects. (markt)
  • Code: Remove the per Context Mapper objects and use the Mapper from the Service. This removes the need to maintain two copies of the mappings for Servlets and Filters. (markt)
  • Add: Implement a new Resources implementation that merges Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories into a single framework rather than a separate one for each feature. (markt)
  • Add: URL rewrite valve, similar in functionality to mod_rewrite. (remm)
  • Add: Port storeconfig functionality, which can persist to server.xml and context.xml runtime container configuration changes. (remm)
  • Add: 54095: Add support to the Default Servlet for serving gzipped versions of static resources directly from disk as an alternative to Tomcat compressing them on each request. Patch by Philippe Marschall. (markt)
  • Fix: 54708: Change the name of the working directory for the ROOT application (located under $CATALINA_BASE/work by default) from _ to ROOT. (markt)
  • Add: Change default configuration so that a change to the global web.xml file will trigger a reload of all web applications. (markt)
  • Fix: 55101: Make BASIC authentication more tolerant of whitespace. Patch provided by Brian Burch. (markt)
  • Fix: 55166: Move JSP descriptor and tag library descriptor schemas to servlet-api.jar to enable relative references between the schemas to be correctly resolved. (markt)
  • Code: Refactor the descriptor parsing code into a separate module that can be used by both Catalina and Jasper. Includes patches provided by Jeremy Boynes. (violetagg/markt)
  • Code: 55246: Move TLD scanning to a ServletContainerInitializer provided by Jasper. Includes removal of TldConfig lifecycle listener and associated Context properties. (jboynes)
  • Add: 55317: Facilitate weaving by allowing ClassFileTransformer to be added to WebppClassLoader. Patch by Nick Williams. (markt)
  • Fix: 55620: Enable Tomcat to start when either $CATALINA_HOME and/or $CATALINA_BASE contains a comma character. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon on Windows. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a colon on Linux/FreeBSD/etc. (markt)
  • Code: Initialize the JSP runtime in Jasper's initializer to avoid need for a Jasper-specific lifecycle listener. JasperListener has been removed. (jboynes)
  • Fix: Change ordering of elements of JMX objects names so components are grouped more logically in JConsole. Generally, components are now grouped by Host and then by Context. (markt)
  • Coyote:
  • Add: Experimental support for SPDY. Includes contributions from Sheldon Shao. (costin)
  • Code: The default connector is now the Java NIO connector even when specifying HTTP/1.1 as protocol (fhanik)
  • Code: Update default value of pollerThreadCount for the NIO connector. The new default value will never go above 2 regardless of available processors. (fhanik)
  • Fix: 54010: Remove some unnecessary code (duplicate calls to configure the scheme as https for AJP requests originally received over HTTPS). (markt)
  • Code: Refactor char encoding/decoding using NIO APIs. (remm)
  • Update: Change the default URIEncoding for all connectors from ISO-8859-1 to UTF-8. (markt)
  • Jasper:
  • Code: Simplify API of ErrorDispatcher class by using varargs. (kkolinko)
  • Code: Update Jasper to use the new common web.xml parsing code. Includes patches by Jeremy Boynes. (markt/violetagg)
  • Add: Create test cases for JspC. Patch by Jeremy Boynes. (markt)
  • Code: 55246: TLD scanning is now performed by JasperInitializer (a ServletContainerInitializer) removing the need for support within the Servlet container itself. The scan is now performed only once rather than in two passes reducing startup time. (jboynes)
  • Fix: 55251: Do not allow JspC task to fail silently if the web.xml or web.xml fragment can not be generated. (markt)
  • Cluster:
  • Code: Remove unused JvmRouteSessionIDBinderListener and SessionIDMessage. (kfujino)
  • Code: Modify method signature in ReplicationValve. Cluster instance is not necessary to argument of method. (kfujino)
  • Code: Remove unused expireSessionsOnShutdown attribute in org.apache.catalina.ha.session.BackupManager. (kfujino)
  • Web applications:
  • Add: Extend the diagnostic information provided by the Manager web application to include details of the configured SSL ciphers suites for each connector. (markt)
  • Update: 48550: Update examples web application to use UTF-8. (markt)
  • Update: 55383: Improve the design and correct the HTML markup of the documentation web application. Patches provided by Konstantin Preißer. (markt)
  • Tribes:
  • Code: Refactor AbstractReplicatedMap to use generics. A key side-effect of this is that the class now implements Map rather than extends ConcurrentMap. (markt)
  • Other:
  • Code: Remove unused, deprecated code. (markt)
  • Code: Remove static info String and associated getInfo() method where present. (markt)
  • Update: (r1353242, r1353410): Remove Ant tasks jasper2 and jkstatus. The correct names are jasper and jkupdate. (kkolinko)
  • Fix: 53529: Clean-up the handling of InterruptedException throughout the code base. (markt)
  • Add: 54899: Provide an initial implementation of NetBeans support. Patch provided by Brian Burch. (markt)
  • Fix: 55166: Move the JSP descriptor and tag library descriptor schema defintion files from jsp-api.jar to servlet-api.jar so relative includes between the J2EE, Servlet and JSP schemas are correctly resolved. (markt)
  • Fix: 55372: When starting Tomcat with the jpda option to enable remote debugging, by default only listen on localhost for connections from a debugger. Prior to this change, Tomcat listened on all known addresses. (markt)

New in version 7.0.50 (January 9th, 2014)

  • Catalina:
  • fix Handle the case where a context.xml file is added to a web application deployed from a directory. Previously the file was ignored until Tomcat was restarted. Now (assuming automatic deployment is enabled) it will trigger a redeploy of the web application. (markt)
  • fix Fix string comparison in HostConfig.setContextClass(). (kkolinko)
  • code Streamline handling of WebSocket messages whe no handler is configured for the message currently being received. (markt)
  • fix Handle the case where a WebSocket annotation configures a message size limit larger than the default permitted by Tomcat. (markt)
  • fix 55855: This is a partial fix that bypasses the relatively expensive check for a WebSocket upgrade request if no WebSocket endpoints have been registered. (markt)
  • fix 55905: Prevent a NPE when web.xml references a taglib file that does not exist. Provide better error message. (violetagg)
  • Coyote:
  • fix When using the BIO connector with an internal executor, do not display a warning that the executor has not shutdown as the default configuration for BIO connectors is not to wait. This is because threads in keep-alive connections cannot be interrupted and therefore the warning was nearly always displayed. (markt)
  • Jasper:
  • fix JspC uses servlet context initialization parameters to pass configuration so ensure that the servlet context used supports initialization parameters. (markt)
  • Cluster:
  • fix In AbstractReplicatedMap#finalize, remove rpcChannel from channel Listener of group channel before sending MapMessage.MSG_STOP message. This prevents that the node that sent the MapMessage.MSG_STOP by normal shutdown is added to member map again by ping at heartbeat thread in the node that received the MapMessage.MSG_STOP. (kfujino)
  • fix Add time stamp to GET_ALL_SESSIONS message. (kfujino)
  • Web applications:
  • fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent warning log. uniqueId must be 16 bytes. (kfujino)
  • Extras:
  • update Update dependencies that are used to build tomcat-juli extras component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to version 1.2.17. (rjung)

New in version 8.0.0 RC5 (October 25th, 2013)

  • Improved stability of the APR/native connector when using WebSocket
  • Add a drawing board example to the WebSocket examples.
  • Add support for directly serving gzipped versions of a resource via the default servlet.

New in version 7.0.47 (October 25th, 2013)

  • Coyote:
  • Fix regression with legacy WebSocket implementation in NIO and APR connectors. (markt)
  • Web applications:
  • Avoid hang observed with Java 6 on Windows when stopping the Tomcat process via CTRL-C. (markt)
  • Other:
  • 55663: NOTICE files are corrected according to NOTICE files requirements. (violetagg)

New in version 8.0.0 RC3 (October 1st, 2013)

  • Support for Java Servlet 3.1, JavaServer Pages 2.3, Java Unified Expression Language 3.0 and Java WebSocket 1.0.
  • The default connector implementation is now the Java non-blocking implementation (NIO) for both HTTP and AJP.
  • A new resources implementation that replaces Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories with a single, consistent approach for configuring additional web application resources. The new resources implementation can also be used to implement overlays (using a master WAR as the basis for multiple web applications that each have their own customizations).

New in version 8.0.0 RC1 (August 12th, 2013)

  • Support for Java Servlet 3.1, JavaServer Pages 2.3, Java Unified Expression Language 3.0 and Java WebSocket 1.0.
  • The default connector implementation is now the Java non-blocking implementation (NIO) for both HTTP and AJP.
  • A new resources implementation that replaces Aliases, VirtualLoader, VirtualDirContext, JAR resources and external repositories with a single, consistent approach for configuring additional web application resources. The new resources implementation can also be used to implement overlays (using a master WAR as the basis for multiple web applications that each have their own customizations).

New in version 7.0.42 (July 6th, 2013)

  • Catalina:
  • fix Enforce the restriction described in section 4.4 of the Servlet 3.0 specification that requires the new pluggability methods only to be available to ServletContextListeners defined in one of the specified ways. (markt)
  • fix Better handle FORM authentication when requesting a resource as an unauthenticated user that is only protected for a sub-set of HTTP methods that does not include GET. (markt)
  • fix 53777: Add support for a JAAS Realm instance to use a dedicated configuration rather than the JVM global JAAS configuration. This is most likely to be useful for per web application JAAS Realms. Based on a patch by eolivelli. (markt)
  • fix 54745: Fix JAR file scanning when Tomcat is deployed via Java Web Start. Patch provided by Nick Williams. (markt)
  • add 55017: Add the ability to configure the RMI bind address when using the JMX remote lifecycle listener. Patch provided by Alexey Noskov. (markt)
  • fix 55071: Ensure original exception is reported if JDBC Realm fails to read a user's credentials. (markt)
  • fix 55073, 55108, 55109, 55110, 55158 & 55159: Small performance improvements. Patches provided by Adrian Nistor. (markt/violetagg)
  • add 55102: Add support for time to first byte in the AccessLogValve. Patch provided by Jeremy Boynes. (markt)
  • fix 55125: If the Server container fails to start, don't allow the Catalina wrapper to start (used when running from the command line and when running as a service) since Tomcat will not be able to do any useful work. (markt)
  • fix Update the JreMemoryLeakPreventionListener to take account of changes in the behaviour of java.beans.Introspector.flushCaches() and sun.awt.AppContext.getAppContext() in Java 7. (markt)
  • fix Avoid WARNING log message of Users:type=UserDatabase,database=UserDatabase at Tomcat shutdown. (pero)
  • fix Avoid ClassCastException when an asynchronous dispatch is invoked in an asynchronous cycle which is started by a call to ServletRequest.startAsync(ServletRequest,ServletResponse) where ServletRequest/ServletResponse are custom implementations. (violetagg)
  • fix Correct a regression introduced in 7.0.39 (refactoring of base 64 encoding and decoding) that broke the JNDI Realm when userPassword was set and passwords were hashed with MD5 or SHA1. (markt/kkolinko)
  • fix Correct the mechanism for the path calculation in AsyncContext.dispatch(). (violetagg)
  • fix 55155: Avoid constant focus grabbing when running the Tomcat unit tests under Java 6 on OSX. Patch provided by Casey Lucas. (markt)
  • fix 55160: Don't ignore connectionUploadTimeout setting when using HTTP NIO connector. (markt)
  • fix 55176: Correctly handle regular expressions within SSI expressions that contain an equals character. (markt)
  • Coyote:
  • fix 55177: Correctly handle infinite soTimeout for BIO HTTP connector. Based on a patch by Nick Bunn. (markt)
  • fix 55180: Correctly handle infinite soTimeout when disableUploadTimeout is set to false. Patch provided by Nick Bunn. (violetagg)
  • Cluster:
  • fix Delete leftover of war file from tempDir when removing invalid FileMessageFactory. (kfujino)
  • fix Ensure that the keepAlive of NioSender works correctly when keepAliveCount/keepAliveTime is set to a value greater than 0. (kfujino)
  • add Add logging of when a member is unable to join the cluster. (kfujino)
  • fix Replace Tribes's TaskQueue as executor's workQueue in order to ensure that executor's maxThread works correctly. (kfujino)
  • fix 54086: Fix an additional code path that could lead to multiple threads attempting to modify the same selector key set. (markt)
  • Web applications:
  • add Complete the document for MessageDispatch15Interceptor. (kfujino)
  • add 53655: Document the circumstances under which Tomcat will add a javax.mail.Authenticator to mail sessions created via a JNDI resource. (markt)
  • fix 55179: Correct the Javadoc for the remote IP valve so the correct name is used to refer to the proxiesHeader property. (markt)
  • jdbc-pool:
  • fix 55031: Fixed Export-Package header and uses directives in MANIFEST.MF. Change the version for package org.apache.juli.logging to "0" in Import-Package header. Thus any version of that package can be used. Patch provided by Martin Lichtin. (violetagg)
  • Other:
  • update Update Maven Cental location used to download dependencies at build time to be repo.maven.apache.org. (kkolinko)
  • update Update JUnit to version 4.11. Configure separate download for Hamcrest 1.3 core library as its classes are no longer included in junit.jar. (kkolinko)
  • fix 54013: When using a forced stop, allow a short period of time (5s) for the process to die before returning. Patch provided by mukarram.baig. (markt)
  • fix 55119: Ensure that the build process produces Javadoc that is not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler. (markt)

New in version 7.0.41 (June 11th, 2013)

  • Delete leftover of war file from tempDir when removing invalid FileMessageFactory. (kfujino)
  • Ensure that the keepAlive of NioSender works correctly when keepAliveCount/keepAliveTime is set to a value greater than 0. (kfujino)

New in version 6.0.37 (May 9th, 2013)

  • 52055: Ensure that filters are recycled. (markt/kkolinko)
  • 52184: Reduce log level for invalid cookies. (markt)
  • 53481: Added support for SSLHonorCipherOrder to allow the server to impose its cipher order on the client. Based on a patch provided by Marcel Šebek. (schultz)
  • 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
  • In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
  • 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
  • 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt/kkolinko)
  • 54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt)
  • memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one, and of filter instances if their destroy() method fails with an Error. (kkolinko)
  • 54382: NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
  • 54483: Correct one of the Spanish translations. Based on a suggestion from adinamita. (kkolinko)
  • update 54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)

New in version 7.0.40 (May 9th, 2013)

  • Update Tomcat's internal copy of Commons FileUpload to FileUpload 1.3. (markt)
  • 54178: Protect against AsyncListener implementations that throw RuntimeExceptions in response to an event. (markt)
  • 54791: Restore tools.jar entry in jarsToSkip property to prevent warnings when running Tomcat from Eclipse. (markt)
  • 54851: When scanning for web fragments, directories without any web-fragment.xml should not impact the status of distributable element. Patch provided by Trask Stalnaker. (violetagg)
  • When an error occurs during the sending of a WebSocket message, notify the Inbound side (where all the events occur that the application reacts to) that an error has occurred and that the connection is being closed. (markt)

New in version 7.0.39 (March 27th, 2013)

  • Catalina:
  • Ensure a log message is generated when a web application fails to start due to an error processing a ServletContainerInitializer. (markt)
  • Prevent NPE in JAR scanning when running in an environment where the bootstrap class loader is not an ancestor of the web application class loader such as OSGi environments. (violetagg)
  • Ensure that, if a call to UEncoder#encodeURL is made, all internal structures are properly cleaned. (violetagg)
  • add 54660: Enable the modification of an access log's fileDateFormat attribute while the access log is in use. The change will take effect when the next entry is made to the access log. (markt)
  • update Update Tomcat's internal copy of Commons FileUpload to FileUpload trunk, revision 1458500 and the associated extract from Commons IO to 2.4. (markt)
  • 54702: Prevent file descriptors leak and ensure that files are closed when parsing web application deployment descriptors. (violetagg)
  • 54707: Further relax the parsing of DIGEST authentication headers to allow for buggy clients that quote values that RFC2617 states should not be quoted. (markt/kkolinko)
  • Enable support for MBeans with multiple operations with the same name but different signatures. (markt)
  • code Deprecate Tomcat's internal Base 64 encoder/decoder and switch to using a package renamed copy of the Commons Codec implementation. (markt)
  • Ensure that StandardJarScanner#scan will use the provided class loader when scanning the class loader hierarchy. (violetagg)
  • Coyote:
  • 54690:a regression caused by the previousfor 54406. If no values are specified for sslEnabledProtocols or ciphers use the default values for server sockets rather than the default values for client sockets. (markt)
  • Web applications:
  • update Correct Deployer, Manager and Context pages of Tomcat documentation. (kkolinko)
  • jdbc-pool:
  • 52318: Version for imported package org.apache.juli.logging is extended to include also 7.0.x versions. Theis applicable only when running in OSGi environment. Patch provided by Martin Lichtin. (violetagg)
  • 54599: Do not print connection password in PoolProperties.toString(). Based on a patch by Daniel Mikusa. (kkolinko)
  • 54684: Add javax.naming.spi to Import-Package header in MANIFEST.MF in order to resolve ClassNotFoundException when running in OSGi environment. (violetagg)
  • Other:
  • Update to Apache Commons Daemon 1.0.14 to resolve 54609 which meant that installation of Windows service could fail producing incorrect service launch command. (mturk)
  • Ensure HEAD requests return the correct content length when the requested resource uses a Writer. Patch by Nick Williams. (markt)

New in version 7.0.37 (February 18th, 2013)

  • Catalina:
  • fix 54521: Ensure that concurrent requests that require a DIGEST authentication challenge receive different nonce values. (markt)
  • fix 54534: Ensure that, if a call to StandardWrapper#isSingleThreadModel() triggers the loading of a Servlet, the correct class loader is used. (markt)
  • fix 54536: Ensure the default error page is displayed if a custom HTTP status code is used when calling HttpServletResponse#sendError(int, String). (markt)
  • Coyote:
  • fix 54456: Ensure that if a client aborts a request when sending a chunked request body that this is communicated correctly to the client reading the request body. (markt)
  • update Update the native component of the APR/native connector to 1.1.27 and make that version the recommended minimum version. (markt)
  • Jasper:
  • add 54239: Enable web applications to provide their own Expression Language interpreter to enable them to optimise processing of expressions. Based on a patch by Sheldon Shao. (markt)
  • Web applications:
  • add 54505: Create clearer links from the JNDI How-To to the Tomcat specific options for configuring JNDI resources. (markt)
  • Other:
  • update Update to Apache Commons Daemon 1.0.13. (markt)

New in version 7.0.35 (January 16th, 2013)

  • 54247: Prevent ClassNotFoundExceptions on stop when running as a service. (markt)
  • fix 54249: Ensure resource properties are available when the context path contains encoded characters such as a space. This triggered compilation issues in Jasper. Patch provided by Polina Genova. (markt)
  • fix 54256: Improve error reporting when a JAR file fails extension validation by including the name of the JAR file in the exception. (markt)
  • fix Allow web applications to be stopped cleanly even if filters throw exceptions when their destroy() method is called. (markt/kkolinko)
  • fix Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one. (kkolinko)
  • code Cleanup method cache lookup code in SecurityUtil class. (kkolinko)
  • add Make the Tomcat 7 non-JSR356 WebSocket implementation non-blocking (where supported by the connector) between the HTTP upgrade and the first WebSocket message from the client to the server. (markt)
  • fix 54262: Ensure that an empty element in the main web.xml file disables scanning for web fragments. Based on a patch by Violeta Georgieva. (markt)
  • fix 54284: As per clarification from the Servlet EG, anonymous Filters and Servlets are not permitted. Patch by Violeta Georgieva. (markt)
  • fix 54371: Prevent exceptions when processing web fragments for unexpanded WAR files when the context path contains characters that need to be encoded in URLs such as spaces. Based on a patch by Polina Genova. (markt)
  • add 54372: Make HTTP Digest authentication header parsing tolerant of invalid headers sent by known buggy clients. (markt)
  • fix 54377: Correctly set request attributes for AccessLog in RemoteIpFilter. Patch by Violeta Georgieva. (markt)
  • fix 54379: Implement support for post-construct and pre-destroy elements in web.xml. Patch by Violeta Georgieva. (markt)
  • fix 54380: Do not try to register servlets or contexts into the mapper too early (which just caused a warning to be logged). (kkolinko)
  • fix Fix NPE in WebappLoader.stopInternal when stop is called after a failed start. (kkolinko)
  • add 54381: Add support for receiving WebSocket pong messages. (markt)
  • fix 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt)
  • fix Fix ArrayIndexOutOfBoundsException in HttpParser when parsing incorrect HTTP headers. (kkolinko)
  • fix 54387: Deployment must fail when multiple servlets are mapped to the same url-pattern. (markt)
  • fix 54391: Provide a value for the javax.servlet.context.orderedLibs attribute. (markt)

New in version 7.0.32 (October 8th, 2012)

  • Significantly reduced memory footprint during web application start while Servlet 3.0 annotation and SCI scanning is in progress.
  • Adds support for scanning of classes that use Java 7 specific byte code for Servlet 3.0 annotation and SCI scanning.
  • Improvements to DIGEST and FORM authentication.

New in version 7.0.6 (January 27th, 2011)

  • General:
  • Update to Commons Daemon 1.0.5. (mturk)
  • Catalina:
  • 8705: org.apache.catalina.SessionListener now extends java.util.EventListener. (markt)
  • 10526: Add an option to the Authenticators to force the creation of a session on authentication which may offer some performance benefits. (markt)
  • 10972: Improve error message if the className attribute is missing on an element in server.xml where it is required. (markt)
  • 48692: Provide option to parse application/x-www-form-urlencoded PUT requests. (schultz)
  • 48822: Include context name in case of error while stopping or starting a context during its reload. Patch provided by Marc Guillemot. (slaurent)
  • 48837: Extend thread local memory leak detection to include classes loaded by subordinate class loaders to the web application's class loader such as the Jasper class loader. Based on a patch by Sylvain Laurent. (markt)
  • 48973: Avoid creating a SESSIONS.ser file when stopping an application if there's no session. Patch provided by Marc Guillemot. (slaurent)
  • 49000: No longer accept specification invalid name only cookies by default. This behaviour can be restored using a system property. (markt)
  • 49159: Improve memory leak protection by renewing threads of the pool when a web application is stopped. (slaurent)
  • 49372: Re-fix after connector re-factoring. If connector initialisation fails (e.g. if a port is alreasy in use) do not trigger an LifecycleException for an invalid state transition. (markt)
  • 49543 Allow Tomcat to use shared data sources with per application credentials. (fhanik)
  • 49650: Remove unnecessary entries package.access property defined in catalina.properties. Patch provided by Owen Farrell. (markt)
  • 50106: Correct several MBean descriptors. Patch provided by Eiji Takahashi. (markt)
  • Further performance improvements to session ID generation. Remove legacy configuration options that are no longer required. Provide additional options to control the SecureRandom instances used to generate session IDs. (markt)
  • 50201: Update the access log reference in StandardEngine when the ROOT web application is redeployed, started, stopped or defaultHost is changed. (markt/kkolinko)
  • 50282: Load javax.security.auth.login.Configuration with JreMemoryLeakPreventionListener to avoid memory leak when stopping a web application that would use JAAS. (slaurent)
  • 50351: Fix the regression that broke BeanFactory resources caused by the previous fix for 50159. (markt)
  • 50352: Ensure that AsyncListener.onComplete() is fired when AsyncContext.complete() is called. (markt)
  • 50358: Set the correct LifecycleState when stopping instances of the deprecated Embedded class. (markt)
  • Further Lifecycle refactoring for Connectors and associated components. (markt)
  • Correct handling of versioned web applications in deployer. (markt)
  • Correct removal of LifeCycleListenters from Containers via JMX. (markt)
  • Don't use nulls to construct log messages. (markt)
  • Code clean-up. Replace use of inefficient constructors with more efficient alternatives. (markt)
  • 50411: Ensure sessions are removed from the Store associated with a PersistentManager. (markt)
  • 50413: Ensure 304 responses are not returned when using static files as error pages. (markt/kkolinko)
  • 50448: Fix possible IllegalStateException caused by recent session management refactoring. (markt)
  • Ensure aliases settings for a context are retained after a context is reloaded. (markt)
  • Log a warning if context.xml files define values for properties that do not exist (e.g. if there is a typo in a property name). (markt)
  • 50453: Correctly handle multiple X-Forwarded-For headers in the RemoteIpFilter and RemoteIpValve. Patch provided by Jim Riggs. (markt)
  • 50541: Add support for setting the size limit and time limit for LDAP seaches when using the JNDI Realm with userSearch. (markt)
  • All configuration options that use regular expression now require a single regular expression (using java.util.regex) rather than a list of comma-separated or semi-colon-separated expressions. (markt)
  • 50496: Bytes sent in the access log are now counted after compression, chunking etc rather than before. (markt)
  • 50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt)
  • 50554: Code clean up. (markt)
  • 50556: Improve JreMemoryLeakPreventionListener to prevent a potential class loader leak caused by a thread spawned when the class com.sun.jndi.ldap.LdapPoolManager is initialized and the system property com.sun.jndi.ldap.connect.pool.timeout is set to a value greater than 0. (slaurent)
  • Coyote:
  • 47319: Return the client's IP address rather than null for calls to getRemoteHost() when the APR connector is used with enableLookups="true" but the IP address is not resolveable. (markt)
  • 50108: Add get/set methods for Connector property minSpareThreads. Patch provided by Eiji Takahashi. (markt)
  • 50360: Provide an option to control when the socket associated with a connector is bound. By default, the socket is bound on Connector.init() and released on Connector.destroy() as per the current behaviour but this can be changed so that the socket is bound on Connector.start() and released on Connector.stop(). This fix also includes further Lifecycle refactoring for Connectors and associated components. (markt)
  • Remove a huge memory leak in the NIO connector introduced by the fix for 49884. (markt)
  • 50467: Protected against NPE triggered by a race condition that causes the NIO poller to fail, preventing the processing of further requests. (markt)
  • Jasper:
  • 13731: Make variables in _jspService() method final where possible. (markt)
  • 50408: Fix NoSuchMethodException when using scoped variables with EL method invocation. (markt)
  • 50460: Avoid leak caused by using a cached exception instance in JspDocumentParser and ProxyDirContext. (kkolinko)
  • 50500: Use correct coercions (as per the EL spec) for arithmetic operations involving string values containing '.', 'e' or 'E'. Based on a patch by Brian Weisleder. (markt)
  • Cluster:
  • 50185: Add additional trace level logging to Tribes to assist with fault diagnosis. Based on a patch by Ariel. (markt)
  • Don't try and obtain session data from the cluster if the current node is the only node in the cluster. Log requesting session data as INFO rather than WARNING. (markt)
  • 50503: When web application has a version, Engine level Clustering works correctly. (kfujino)
  • 50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)
  • Web applications:
  • 21157: Ensure cookies are written before the response is commited in the Cookie example. Patch provided by Stefan Radzom. (markt)
  • 50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
  • Correctly validate provided context path so sessions for the ROOT web application can be viewed through the HTML Manager. (markt)
  • Improve documentation of database connection factory. (rjung)
  • 50488: Update classpath required when using jsvc and add a note regarding server VMs. (markt)
  • Further filtering of Manager display output. (kkolinko)
  • Other:
  • Don't configure Windows installer to use PID file since it is not removed when the service stops which prevents the service from starting. (markt)
  • 14416: Make TagLibraryInfo.getTag() more robust at handling nulls. (markt)
  • 50552: Avoid NPE that hides error message when using Ant tasks. (schultz)
  • Provide two alternative locations for the libraries downloaded from the ASF web site at build time. Use the main distribution site as default and the archive one as fallback. (kkolinko)

New in version 7.0.0 (June 30th, 2010)

  • Catalina:
  • Update Servlet support to the Servlet 3.0 specification. (all)
  • Improve and document VirtualWebappLoader. (rjung)
  • 43642:prestartminSpareThreads attribute for Executor. (jfclere)
  • Switch from AnnotationProcessor to InstanceManager. Patch provided by David Jecks with modifications by Remy. (remm/fhanik)
  • r620845 and r669119. Make shutdown address configurable. (jfclere)
  • r651977some missing control checks to ThreadWithAttributes. (markt)
  • r677640a startup class that does not require any configuration files. (costin)
  • r700532 Log if temporary file operations within the CGI servlet fail. Make sure header Reader is closed on failure. (markt)
  • r708541 Delete references to DefaultContext which was removed in 6.0.x. (markt)
  • r709018 Initial implementation of an asynchronous file handler for JULI. (fhanik)
  • Give session thisAccessedTime and lastAccessedTime clear semantics. (rjung)
  • Expose thisAccessedTime via Session interface. (rjung)
  • Provide a log format for JULI that provides the same information as the default but on a single line. (markt)
  • r723889 Provide the ability to configure the Executor job queue size and a timeout for adding jobs to the queue. (fhanik)
  • Add support for aliases to StandardContext. This allows content from other directories and/or WAR files to be mapped to paths within the context. (markt)
  • Provide clearer definition of Lifecycle interface, particularly start and stop, and align components that implement Lifecycle with this definition. (markt)
  • 48662: Provide a new option to control the copying of context XML descriptors from web applications to the host's xmlBase. Copying of XMl descriptors is now disabled by default. (markt)
  • Move comet classes from the org.apache.catalina package to the org.apache.catalina.comet package to allow comet to work under a security manager. (markt)
  • Coyote:
  • Port SSLInsecureRenegotiation from mod_ssl. This requires to use tomcat-native 1.2.21 that have option to detect this support from OpenSSL library. (mturk)
  • Allow bigger AJP packets also for request bodies and responses using the packetSize attribute of the Connector. (rjung)
  • r703017 Make Java socket options consistent between NIO and JIO connector. Expose all the socket options available on java.net.Socket (fhanik)
  • 46051: The writer returned by getWriter() now conforms to the PrintWriter specification and uses platform dependent line endings rather than always using \r\n. (markt)
  • Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk)
  • r724239 NIO connector now always uses an Executor. (fhanik)
  • r724393 Implement keepAliveCount for NIO connector in a thread safe manner. (fhanik)
  • r724849 Implement keep alive timeout for NIO connector. (fhanik)
  • Jasper:
  • Update JSP support to the JSP 2.2 specification. (markt)
  • Update EL support to the EL 2.2 specification. (markt)
  • r787978 Use "1.6" as the default value for compilerSourceVM and compilerTargetVM options of Jasper. (kkolinko)
  • 48358:support for limiting the number of JSPs that are loaded at any one time. Based on a patch by Isabel Drost. (markt)
  • 48689: Access TLD files through a new JarResource interface to make extending Jasper simpler, particularly in OSGi environments. Patch provided by Jarek Gawor. (markt)
  • High Availability:
  • Add support for UDP and secure communication to tribes. (fhanik)
  • Add versioning to the tribes communication protocol to support future developments. (fhanik)
  • Add a demo on how to use the payload. (fhanik)
  • Started toJMX support to the cluster implementation. (markt)
  • r609778 Minor fixes to the throughput interceptor and the NIO receiver. (fhanik)
  • r630234 Additional checks for the NIO receiver. (fhanik)
  • r671650 Improve error message when multicast is not enabled. (fhanik)
  • Web applications:
  • r631321changelog to support the element in the documentation. (fhanik)
  • A number of additional roles were added to the Manager and Host Manager applications to separate out permissions for the HTML interface, the text interface and the JMX proxy. (markt)
  • CSRF protection was added to the Manager and Host Manager applications. (markt)
  • List array elements in the JMX proxy output of the Manager application. (rjung)
  • Extras:
  • A new JmxRemoteLifecycleListener that can be used tothe ports used for remote JMX connections, eg when using JConsole. (markt)
  • Modules:
  • r691359 Added in a Bayeux protocol implementation built on top of the Tomcat CometProcessor interface. (fhanik)
  • Other:
  • Numerous code clean-up changes including the use of generics and removing unused imports, fields, parameters and methods. (markt)
  • All deprecated internal code has been removed. Warning: If you have custom components for a previous Tomcat version that extend internal Tomcat classes and override deprecated methods it is highly likely that they will no longer work. (markt)
  • Parameterize version number throughout build scripts and source. (rjung)