The Apache Tomcat Servlet/JSP Container

Apache Tomcat 7

Version 7.0.91, Sep 13 2018
Apache Logo


User Guide


Apache Tomcat Development


Tomcat 7.0.91 (violetagg)
add 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
fix Ensure that the HTTP Vary header is set correctly when using the CORS filter and improve the cacheability of requests that pass through the COPRS filter. (markt)
fix 62527: Revert restriction of JNDI to the java: namespace. (remm)
add Introduce a new class - MultiThrowable - to report exceptions when multiple actions are taken where each action may throw an exception but all actions are taken before any errors are reported. Use this new class when reporting multiple container (e.g. web application) failures during start. (markt)
fix Correctly decode URL paths (+ should not be decoded to a space in the path) in the RequestDispatcher and the web application class loader. (markt)
add 62559: Add jaxb-*.jar to the list of JARs ignored by StandardJarScanner. (markt)
add 62560: Add oraclepki.jar to the list of JARs ignored by StandardJarScanner. (markt)
add 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat fails to start. (markt)
code Remove ServletException from declaration of Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by Tzafrir. (markt)
fix Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
code Simplify construction of appName from container name in JAASRealm. (fschumacher)
fix Improve the handling of path parameters when working with RequestDispatcher objects. (markt)
fix 62664: Process requests with content type multipart/form-data to servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
fix 62669: When using the SSIFilter and a resource does not specify a content type, do not force the content type to application/x-octet-stream. (markt)
fix When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. (markt)
fix Refactor code that adds an additional header name to the Vary HTTP response header to use a common utility method that addresses several additional edge cases. (markt)
fix 62526: Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string. Note that Java 6 does not support PKCS12 key stores configured to use a store password of the empty string. (markt)
fix 62670: Adjust the memory leak protection for the DriverManager so that JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via the service loader mechanism when the protection is enabled. (markt)
fix 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
fix 53011: When pre-compiling with JspC, report all compilation errors rather than stopping after the first error. A new option -failFast can be used to restore the previous behaviour of stopping after the first error. Based on a patch provided by Marc Pompl. (markt)
add 53492: Make the Java file generation process multi-threaded. By default, one thread will be used per core. Based on a patch by Dan Fabulich. (markt)
fix 62603: Fix a potential race condition when development mode is disabled and background compilation checks are enabled. It was possible that some updates would not take effect and/or ClassNotFoundExceptions would occur. (markt)
fix Correct the JSP version in the X-PoweredBy HTTP header generated when the xpoweredBy option is enabled. (markt)
fix 62662: Fix the corruption of web.xml output during JSP compilation caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)
fix Correct parsing of XML whitespace in TLD function signatures that incorrectly only looked for the space character. (markt)
fix 62596: Remove the limit on the size of the initial HTTP upgrade request used to establish the web socket connection. (markt)
Web applications
add 62558: Add Russian translations for the Manager and Host Manager web applications. Based on a patch by Ivan Krasnov. (markt)
add 62561: Add advanced class loader configuration information regarding the use of the Server and Shared class loaders to the documentation web application. (markt)
add Expand the information in the documentation web application regarding the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. (markt)
fix 62652: Make it clearer that the version of DBCP that is packaged in Tomcat 7.0.x is DBCP 1. (markt)
add 62666: Expand internationalisation support in the Manager application to include the server status page and provide Russian translations in addition to English. Patch provided by Artem Chebykin. (markt)
fix 62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
fix Ensures that the specified rxBufSize is correctly set to receiver buffer size. (kfujino)
fix Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
fix Correct various spelling errors throughout the source code and documentation. Patch provided by Kazuhiro Sera. (markt)
Tomcat 7.0.90 (violetagg)released 2018-07-06
fix 62498: Correct a regression in the fix for CVE-2017-12617 that caused request failures for some requests when using the VirtualDirContext. (markt)
fix Delete reference to removed class that prevented Tomcat from starting when running under a security manager. (markt)
Tomcat 7.0.89 (violetagg)not released
fix JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. (markt)
fix Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java: namespace. (markt)
add 51953: Add the RemoteCIDRFilter and RemoteCIDRValve that can be used to allow/deny requests based on IPv4 and/or IPv6 client address where the IP ranges are defined using CIDR notation. Based on a patch by Francis Galiegue. (markt)
fix 62343: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt)
fix Make all loggers associated with Tomcat provided Filters non-static to ensure that log messages are not lost when a web application is reloaded. (markt)
fix Correct the manifest for the annotations-api.jar. The JAR implements the Common Annotations API 1.1 and the manifest should reflect that. (markt)
fix Switch to non-static loggers where there is a possibility of a logger becoming associated with a web application class loader causing log messages to be lost if the web application is stopped. (markt)
add 62389: Add the IPv6 loopback address to the default internalProxies regular expression. Patch by Craig Andrews. (markt)
fix In the RemoteIpValve and RemoteIpFilter, correctly handle the case when the request passes through one or more trustedProxies but no internalProxies. Based on a patch by zhanhb. (markt)
fix Correct the logic in MBeanFactory.removeConnector() to ensure that the correct Connector is removed when there are multiple Connectors using different addresses but the same port. (markt)
fix Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames. (markt)
fix 62476: Use GMT timezone for the value of Expires header as required by HTTP specification (RFC 7231, 7234). (kkolinko)
fix Log an error message if the AJP connector detects the the reverse proxy is sending AJP messages that are too large for the configured packetSize. (markt)
fix 62371: Improve logging of Host validation failures. (markt)
fix Correctly handle a digest authorization header when the user name contains an escaped character. (markt)
fix Correctly handle a digest authorization header when one of the hex field values ends the header with in an invalid character. (markt)
fix Update web.xml, web-fragment.xml and web.xml extracts generated by JspC to use the Servlet 3.0 version of the relevant schemas. (markt)
fix Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do not contain leading zeros in the IPv4 part. Based on a patch by Katya Stoycheva. (markt)
fix 62080: Ensure that all reads of the current thread's context class loader made by the UEL API and implementation are performed via a PrivilegedAction to ensure that a SecurityException is not triggered when running under a SecurityManager. (mark)
fix When decoding of path parameter failed, make sure to throw DecodeException instead of throwing ArrayIndexOutOfBoundsException. (kfujino)
fix Enable host name verification when using TLS with the WebSocket client. (markt)
Web applications
62395: Clarify the meaning of the connector attribute minSpareThreads in the documentation web application. (markt)
fix When logValidationErrors is set to true, the connection validation error is logged as SEVERE instead of WARNING. (kfujino)
fix 62391: Remove references to javaw.exe as this file is not required by Tomcat and the references prevent the use of the Server JRE. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.17 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o. (markt)
add Implement checksum checks when downloading dependencies that are used to build Tomcat. (kkolinko)
Tomcat 7.0.88 (violetagg)released 2018-05-11
fix Treat the <mapped-name> element of a <env-entry> in web.xml in the same way as the mappedName element of the equivalent @Resource annotation. Both now attempt to set the mappedName property of the resource. (markt)
fix Correct the processing of resources with <injection-target>s defined in web.xml. First look for a match using JavaBean property names and then, only if a match is not found, look for a match using fields. (markt)
fix When restoring a saved request with a request body after FORM authentication, ensure that calls to the HttpServletRequest methods getRequestURI(), getQueryString() and getProtocol() are not corrupted by the processing of the saved request body. (markt)
fix Fix startup failure when running under SecurityManager, a regression from the fix for bug 62273. (kkolinko)
fix 62353: Correct a regression introduced in Tomcat 7.0.86. Restore the ability for Tomcat 7 to run on Java 6 where Common Annotations 1.0 is available. Document the requirement to use the Java endorsed mechanism to use Common Annotations 1.1. (markt)
code Refactor the org.apache.naming package to reduce duplicate code. Duplicate code identified by the Simian tool. (markt)
fix 50019: Add support for <lookup-name>. Based on a patch by Gurkan Erdogdu. (markt)
fix 60490: Various formatting and layout improvements for the ErrorReportValve. Patch provided by Michael Osipov. (markt)
fix Relax Host validation by removing the requirement that the final component of a FQDN must be alphabetic. (markt)
add 50234: Add the capability to generate a web-fragment.xml file to JspC. (markt)
fix 62350: Refactor org.apache.jasper.runtime.BodyContentImpl so a SecurityException is not thrown when running under a SecurityManger and additional permissions are not required in the catalina.policy file. This is a follow-up to the fix for 43925. (kkolinko/markt)
fix Remove duplicate calls when creating a replicated session to reduce the time taken to create the session and thereby reduce the chances of a subsequent session update message being ignored because the session does not yet exist. (markt)
fix Ensure that the correct default value is returned when retrieve unset properties in McastService. (kfujino)
fix Add a .gitattributes file to make sure that Git handles test data files for bug 52121 as binary. (kkolinko)
Tomcat 7.0.87 (violetagg)not released
fix 62316: Correct a regression in some refactoring that broke the default factory for JDBC datasources. (markt)
fix Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
fix Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
add Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
fix 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
add Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
fix Improve handing of overflow in the UTF-8 decoder with supplementary characters. (markt)
add Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response. (markt)
fix Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 requests must include a Host header and any request that does not must be rejected with a 400 response. (markt)
fix Implement the requirements of RFC 7230 that any HTTP/1.1 request that specifies a host in the request line, must specify the same host in the Host header and that any such request that does not, must be rejected with a 400 response. This check is optional and disabled by default. It may be enabled with the allowHostHeaderMismatch attribute of the Connector. (markt)
fix Implement the requirements of RFC 7230 that any HTTP/1.1 request that contains multiple Host headers is rejected with a 400 response. (markt)
add 62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
fix Enable ECJ version 4.7 and later to be used as a drop in replacement for the ECJ version that ships with Apache Tomcat. (markt)
fix Enable Java 10 to be specified as a JSP source and/or target if a newer ECJ version is used. (markt)
fix 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
fix 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
fix Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)
Tomcat 7.0.86 (violetagg)released 2018-04-13
fix 51195: Avoid a false positive report of a web application memory leak by clearing ObjectStreamClass$Caches of classes loaded by the web application when the web application is stopped. (markt)
fix 52688: Add support for the maxDays attribute to the AccessLogValve and ExtendedAccessLogValve. This allows the maximum number of days for which rotated access logs should be retained before deletion to be defined. (markt)
fix Prevent Tomcat from applying gzip compression to content that is already compressed with brotli compression. Based on a patch provided by burka. (markt)
fix 62090: Null container names are not allowed. (remm)
fix 62104: Fix programmatic login regression as the NonLoginAuthenticator has to be set for it to work (if no login method is specified). (remm)
fix 62117: Improve error message in when calling kill -0 <pid> fails. Based on a suggestion from Mark Morschhaeuser. (markt)
fix 62118: Correctly create a JNDI ServiceRef using the specified interface rather than the concrete type. Based on a suggestion by Ángel Álvarez Páscua. (markt)
fix Fix for RequestDumperFilter log attribute. Patch provided by Kirill Romanov via Github. (violetagg)
fix 62123: Avoid ConcurrentModificationException when attempting to clean up application triggered RMI memory leaks on web application stop. (markt)
fix 62168: When using the PersistentManager honor a value of -1 for minIdleSwap and do not swap out sessions to keep the number of active sessions under maxActive. Patch provided by Holger Sunke. (markt)
fix 62172: Improve Javadoc for org.apache.catalina.startup.Constants and ensure that the constants are correctly used. (markt)
fix 62175: Avoid infinite recursion, when trying to validate a session while loading it with PersistentManager. (fschumacher)
fix Ensure that NamingContextListener instances are only notified once of property changes on the associated naming resources. (markt)
add 62224: Disable the forkJoinCommonPoolProtection of the JreMemoryLeakPreventionListener when running on Java 9 and above since the underlying JRE bug has been fixed. (markt)
fix 62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
fix Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
Web applications
add Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when the Manager application generates a plain text response. Based on a suggestion from Muthukumar Marikani. (markt)
add Add document for FragmentationInterceptor. (kfujino)
add Document how the roles for an authenticated user are determined when the CombinedRealm is used. (markt)
fix Ensure that SQLWarning has been cleared when connection returns to the pool. (kfujino)
fix Ensure that parameters have been cleared when PreparedStatement and/or CallableStatement are cached. (kfujino)
fix Enable PoolCleaner to be started even if validationQuery is not set. (kfujino)
update Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy. (markt)
fix 62164: Switch the build script to use TLS for downloads from SourceForge and Maven Central to avoid failures due to HTTP to HTTPS redirects. (markt)
Tomcat 7.0.85 (violetagg)released 2018-02-13
fix Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation. (markt)
fix Avoid duplicate load attempts if one has been made already. (remm)
fix Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. (remm)
fix 58143: Fix calling classloading transformers broken in 7.0.70 by the fix for 59619. This was observed when using Spring weaving. (rjung)
fix 62000: When a JNDI reference cannot be resolved, ensure that the root cause exception is reported rather than swallowed. (markt)
fix 62036: When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator, cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. (markt)
fix 62067: Correctly apply security constraints mapped to the context root using a URL pattern of "". (markt)
fix When using Tomcat embedded, only perform Authenticator configuration once during web application start. (markt)
fix Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently. (markt)
fix Minor optimization when calling class transformers. (rjung)
Web applications
add 48672: Add documentation for the Host Manager web application. Patch provided by Marek Czernek. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.03. (kkolinko)
Tomcat 7.0.84 (violetagg)released 2018-01-24
fix 47214: Use a loop to preload anonymous inner classes when running under a SecurityManager, to be safe for future changes in the code or using a different compiler. (kkolinko)
add 57619: Implement a small optimisation to how JAR URLs are processed to reduce the storage of duplicate String objects in memory. Patch provided by Dmitri Blinov. (markt)
add 61810: Support configure the interval to keep all jars open if no jar is accessed, a non-positive interval indicates keeping jars always open. (huxing)
fix 61886: Pre-load additional classes to prevent SecurityExceptions if the first request received when running under a SecurityManager is an asynchronous Servlet. (markt)
fix 61916: Extend the AddDefaultCharsetFilter to add a character set when the content type is set via setHeader() or addHeader() as well as when it is set via setContentType(). (markt)
fix 61999: maxSavePostSize set to 0 should disable saving POST data during authentication. (remm)
fix 61886: Log errors on non-container threads at DEBUG rather than INFO. The exception will be made available to the application via the asynchronous error handling mechanism. (markt)
fix 61993: Improve handling for ByteChunk and CharChunk instances that grow close to the maximum size allowed by the JRE. (markt)
add 43925: Add a new system property (org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE) to control the size of the buffer used by Jasper when buffering tag bodies. (markt)
Web applications
add 61223: Add the mbeans-descriptors.dtd file to the custom MBean documentation so users have a reference to use when constructing mbeans-descriptors.xml files for custom components. (markt)
fix Partial fix for 61886. Ensure that multiple threads do not attempt to complete the AsyncContext if an I/O error occurs in the stock ticker example Servlet. (markt)
fix 61886: Prevent ConcurrentModificationException when running the asynchronous stock ticker in the examples web application. (markt)
fix 61886: Prevent NullPointerException and other errors if the stock ticker example is running when the examples web application is stopped. (markt)
fix 61910: Clarify the meaning of the allowLinking option in the documentation web application. (markt)
add Add OCSP configuration information to the SSL How-To. Patch provided by Marek Czernek. (markt)
fix 62006: Document the new JvmOptions9 command line parameter for tomcat7.exe. (markt)
fix 61312: Prevent NullPointerExceptionn when using the statement cache of connection that has been closed. (kfujino)
update Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) to pick up some code clean-up. (markt)
update Update the internal fork of Commons Codec to r1817136 to pick up some code clean-up. (markt)
fix The native source bundles (for Commons Daemon and Tomcat Native) are no longer copied to the bin directory for the deploy target. They are now only copied to the bin directory for the release target. (markt)
Tomcat 7.0.83 (violetagg)not released
add When running under Java 9 or later, and the urlCacheProtection option of the JreMemoryLeakPreventionListener is enabled, use the API added in Java 9 to only disable the caching for JAR URL connections. (markt)
fix 61581: Fix possible SecurityException when using the APR/native connector with a SecurityManager. (markt)