Changelog
Tomcat 7.0.91 (violetagg) |
Catalina |
 |
61692: Add the ability to control which HTTP methods are
handled by the CGI Servlet via a new initialization parameter
cgiMethods. (markt)
|
 |
Ensure that the HTTP Vary header is set correctly when using the CORS
filter and improve the cacheability of requests that pass through the
CORS filter. (markt)
|
 |
62527: Revert restriction of JNDI to the java:
namespace. (remm)
|
 |
Introduce a new class - MultiThrowable - to report
exceptions when multiple actions are taken where each action may throw
an exception but all actions are taken before any errors are reported.
Use this new class when reporting multiple container (e.g. web
application) failures during start. (markt)
|
 |
Correctly decode URL paths (+ should not be decoded to a
space in the path) in the RequestDispatcher and the web
application class loader. (markt)
|
 |
62559: Add jaxb-*.jar to the list of JARs
ignored by StandardJarScanner. (markt)
|
 |
62560: Add oraclepki.jar to the list of JARs
ignored by StandardJarScanner. (markt)
|
 |
62607: Return a non-zero exit code from
catalina.[bat|sh] run if Tomcat fails to start. (markt)
|
 |
Remove ServletException from declaration of
Tomcat.addWebapp(String,String) since it is never thrown.
Patch provided by Tzafrir. (markt)
|
 |
Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
|
 |
Simplify construction of appName from container name in JAASRealm. (fschumacher)
|
 |
Improve the handling of path parameters when working with
RequestDispatcher objects. (markt)
|
 |
62664: Process requests with content type
multipart/form-data to servlets with a
@MultipartConfig annotation regardless of HTTP method.
(markt)
|
 |
62669: When using the SSIFilter and a resource does not
specify a content type, do not force the content type to
application/x-octet-stream. (markt)
|
 |
When generating a redirect to a directory in the Default Servlet, avoid
generating a protocol relative redirect. (markt)
|
|
Coyote |
 |
Refactor code that adds an additional header name to the
Vary HTTP response header to use a common utility method
that addresses several additional edge cases. (markt)
|
 |
62526: Correctly handle PKCS12 format key stores when the key
store password is configured to be the empty string. Note that Java 6
does not support PKCS12 key stores configured to use a store password of
the empty string. (markt)
|
 |
62670: Adjust the memory leak protection for the
DriverManager so that JDBC drivers located in
$CATALINA_HOME/lib and $CATALINA_BASE/lib are
loaded via the service loader mechanism when the protection is enabled.
(markt)
|
 |
62685: Correct an error in host name validation parsing that
did not allow a fully qualified domain name to terminate with a period.
Patch provided by AG. (markt)
|
|
Jasper |
 |
53011: When pre-compiling with JspC, report all compilation
errors rather than stopping after the first error. A new option
-failFast can be used to restore the previous behaviour of
stopping after the first error. Based on a patch provided by Marc Pompl.
(markt)
|
 |
53492: Make the Java file generation process multi-threaded.
By default, one thread will be used per core. Based on a patch by Dan
Fabulich. (markt)
|
 |
62603: Fix a potential race condition when development mode
is disabled and background compilation checks are enabled. It was
possible that some updates would not take effect and/or
ClassNotFoundExceptions would occur. (markt)
|
 |
Correct the JSP version in the X-PoweredBy HTTP header generated when
the xpoweredBy option is enabled. (markt)
|
 |
62662: Fix the corruption of web.xml output during JSP
compilation caused by the fix for 53492. Patch provided by
Bernhard Frauendienst. (markt)
|
 |
Correct parsing of XML whitespace in TLD function signatures that
incorrectly only looked for the space character. (markt)
|
|
WebSocket |
 |
62596: Remove the limit on the size of the initial HTTP
upgrade request used to establish the web socket connection. (markt)
|
|
Web applications |
 |
62558: Add Russian translations for the Manager and Host
Manager web applications. Based on a patch by Ivan Krasnov. (markt)
|
 |
62561: Add advanced class loader configuration information
regarding the use of the Server and Shared class loaders to the
documentation web application. (markt)
|
 |
Expand the information in the documentation web application regarding
the use of CATALINA_HOME and CATALINA_BASE.
Patch provided by Marek Czernek. (markt)
|
 |
62652: Make it clearer that the version of DBCP that is
packaged in Tomcat 7.0.x is DBCP 1. (markt)
|
 |
62666: Expand internationalisation support in the Manager
application to include the server status page and provide Russian
translations in addition to English. Patch provided by Artem Chebykin.
(markt)
|
 |
62676: Expand the CORS filter documentation to make it clear
that explicit configuration is required to enable support for
cross-origin requests. (markt)
|
|
Tribes |
 |
Ensure that the specified rxBufSize is correctly set as the
receiver buffer size. (kfujino)
|
|
Other |
 |
Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
|
 |
Correct various spelling errors throughout the source code and
documentation. Patch provided by Kazuhiro Sera. (markt)
|
|
|
Tomcat 7.0.90 (violetagg) | released 2018-07-06 |
Catalina |
 |
62498: Correct a regression in the fix for CVE-2017-12617
that caused request failures for some requests when using the
VirtualDirContext. (markt)
|
 |
Delete reference to removed class that prevented Tomcat from starting
when running under a security manager. (markt)
|
|
|
Tomcat 7.0.89 (violetagg) | not released |
Catalina |
 |
JNDI resources that are defined with injection targets but no value are
now treated as if the resource is not defined. (markt)
|
 |
Ensure that JNDI names used for <lookup-name> entries
in web.xml and for lookup elements of
@Resource annotations specify a name with an explicit
java: namespace. (markt)
|
 |
51953: Add the RemoteCIDRFilter and
RemoteCIDRValve that can be used to allow/deny requests
based on IPv4 and/or IPv6 client address where the IP ranges are defined
using CIDR notation. Based on a patch by Francis Galiegue. (markt)
|
 |
62343: Make CORS filter defaults more secure. This is the fix
for CVE-2018-8014. (markt)
|
 |
Make all loggers associated with Tomcat provided Filters non-static to
ensure that log messages are not lost when a web application is
reloaded. (markt)
|
 |
Correct the manifest for the annotations-api.jar. The JAR implements the
Common Annotations API 1.1 and the manifest should reflect that. (markt)
|
 |
Switch to non-static loggers where there is a possibility of a logger
becoming associated with a web application class loader causing log
messages to be lost if the web application is stopped. (markt)
|
 |
62389: Add the IPv6 loopback address to the default
internalProxies regular expression. Patch by Craig Andrews.
(markt)
|
 |
In the RemoteIpValve and RemoteIpFilter,
correctly handle the case when the request passes through one or more
trustedProxies but no internalProxies. Based
on a patch by zhanhb. (markt)
|
 |
Correct the logic in MBeanFactory.removeConnector() to
ensure that the correct Connector is removed when there are multiple
Connectors using different addresses but the same port. (markt)
|
 |
Make JAASRealm mis-configuration more obvious by requiring
the authenticated Subject to include at least one Principal of a type
specified by userClassNames. (markt)
|
 |
62476: Use GMT timezone for the value of
Expires header as required by HTTP specification
(RFC 7231, 7234). (kkolinko)
|
|
Coyote |
 |
Log an error message if the AJP connector detects that the reverse proxy
is sending AJP messages that are too large for the configured
packetSize. (markt)
|
 |
62371: Improve logging of Host validation failures. (markt)
|
 |
Correctly handle a digest authorization header when the user name
contains an escaped character. (markt)
|
 |
Correctly handle a digest authorization header when one of the hex
field values ends the header with an invalid character. (markt)
|
|
Jasper |
 |
Update web.xml, web-fragment.xml and web.xml extracts generated by JspC
to use the Servlet 3.0 version of the relevant schemas. (markt)
|
 |
Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do
not contain leading zeros in the IPv4 part. Based on a patch by Katya
Stoycheva. (markt)
|
 |
62080: Ensure that all reads of the current thread's context
class loader made by the UEL API and implementation are performed via a
PrivilegedAction to ensure that a
SecurityException is not triggered when running under a
SecurityManager. (mark)
|
|
WebSocket |
 |
When decoding of path parameter failed, make sure to throw
DecodeException instead of throwing
ArrayIndexOutOfBoundsException. (kfujino)
|
 |
Enable host name verification when using TLS with the WebSocket client.
(markt)
|
|
Web applications |
62395: Clarify the meaning of the connector attribute
minSpareThreads in the documentation web application.
(markt)
|
jdbc-pool |
 |
When logValidationErrors is set to true, the connection
validation error is logged as SEVERE instead of
WARNING. (kfujino)
|
|
Other |
 |
62391: Remove references to javaw.exe as this
file is not required by Tomcat and the references prevent the use of the
Server JRE. (markt)
|
 |
Update the packaged version of the Tomcat Native Library to 1.2.17 to
pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL
1.0.2o. (markt)
|
 |
Implement checksum checks when downloading dependencies that are used
to build Tomcat. (kkolinko)
|
|
|
Tomcat 7.0.88 (violetagg) | released 2018-05-11 |
Catalina |
 |
Treat the <mapped-name> element of a
<env-entry> in web.xml in the same way as the
mappedName element of the equivalent @Resource
annotation. Both now attempt to set the mappedName property
of the resource. (markt)
|
 |
Correct the processing of resources with
<injection-target>s defined in web.xml. First look
for a match using JavaBean property names and then, only if a match is
not found, look for a match using fields. (markt)
|
 |
When restoring a saved request with a request body after FORM
authentication, ensure that calls to the HttpServletRequest
methods getRequestURI(), getQueryString() and
getProtocol() are not corrupted by the processing of the
saved request body. (markt)
|
 |
Fix startup failure when running under SecurityManager, a regression
from the fix for bug 62273. (kkolinko)
|
 |
62353: Correct a regression introduced in Tomcat 7.0.86.
Restore the ability for Tomcat 7 to run on Java 6 where Common
Annotations 1.0 is available. Document the requirement to use the Java
endorsed mechanism to use Common Annotations 1.1. (markt)
|
 |
Refactor the org.apache.naming package to reduce duplicate
code. Duplicate code identified by the Simian tool. (markt)
|
 |
50019: Add support for <lookup-name>.
Based on a patch by Gurkan Erdogdu. (markt)
|
 |
60490: Various formatting and layout improvements for the
ErrorReportValve. Patch provided by Michael Osipov. (markt)
|
 |
Relax Host validation by removing the requirement that the final
component of a FQDN must be alphabetic. (markt)
|
|
Jasper |
 |
50234: Add the capability to generate a web-fragment.xml file
to JspC. (markt)
|
 |
62350: Refactor
org.apache.jasper.runtime.BodyContentImpl so a
SecurityException is not thrown when running under a
SecurityManager and additional permissions are not required in the
catalina.policy file. This is a follow-up to the fix for
43925. (kkolinko/markt)
|
|
Cluster |
 |
Remove duplicate calls when creating a replicated session to reduce the
time taken to create the session and thereby reduce the chances of a
subsequent session update message being ignored because the session does
not yet exist. (markt)
|
|
Tribes |
 |
Ensure that the correct default value is returned when retrieving unset
properties in McastService. (kfujino)
|
|
Other |
 |
Add a .gitattributes file to make sure that Git
handles test data files for bug 52121 as binary. (kkolinko)
|
|
|
Tomcat 7.0.87 (violetagg) | not released |
Catalina |
 |
62316: Correct a regression in some refactoring that
broke the default factory for JDBC datasources. (markt)
|
 |
Fix a rare edge case that is unlikely to occur in real usage. This edge
case meant that writing long streams of UTF-8 characters to the HTTP
response that consisted almost entirely of surrogate pairs could result
in one surrogate pair being dropped. (markt)
|
 |
Register MBean when DataSource Resource
type="javax.sql.XADataSource".
Patch provided by Masafumi Miura. (csutherl)
|
 |
Update the internal fork of Apache Commons BCEL to r1829827 to add early
access Java 11 support to the annotation scanning code. (markt)
|
 |
62297: Enable the CrawlerSessionManagerValve to
correctly handle bots that crawl multiple hosts and/or web applications
when the Valve is configured on a Host or an Engine. (fschumacher)
|
 |
Collapse multiple leading / characters to a single
/ in the return value of
HttpServletRequest#getContextPath() to avoid issues if the
value is used with HttpServletResponse#sendRedirect(). This
behaviour is enabled by default and configurable via the new Context
attribute allowMultipleLeadingForwardSlashInPath. (markt)
|
 |
Improve handling of overflow in the UTF-8 decoder with supplementary
characters. (markt)
|
|
Coyote |
 |
Enable strict validation of the provided host name and port for all
connectors. Requests with invalid host names and/or ports will be
rejected with a 400 response. (markt)
|
 |
Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1
requests must include a Host header and any request that
does not must be rejected with a 400 response. (markt)
|
 |
Implement the requirements of RFC 7230 that any HTTP/1.1 request that
specifies a host in the request line, must specify the same host in the
Host header and that any such request that does not, must
be rejected with a 400 response. This check is optional and disabled by
default. It may be enabled with the
allowHostHeaderMismatch attribute of the Connector. (markt)
|
 |
Implement the requirements of RFC 7230 that any HTTP/1.1 request that
contains multiple Host headers is rejected with a 400
response. (markt)
|
 |
62273: Implement configuration options to work-around
specification non-compliant user agents (including all the major
browsers) that do not correctly %nn encode URI paths and query strings
as required by RFC 7230 and RFC 3986. (markt)
|
|
Jasper |
 |
Enable ECJ version 4.7 and later to be used as a drop in replacement for
the ECJ version that ships with Apache Tomcat. (markt)
|
 |
Enable Java 10 to be specified as a JSP source and/or target if a newer
ECJ version is used. (markt)
|
 |
62287: Do not rely on hash codes to test instances of
ValueExpressionImpl for equality. Patch provided by Mark
Struberg. (markt)
|
|
WebSocket |
 |
62301: Correct a regression in the fix for 61491
that didn't correctly handle a final empty message part in all
circumstances when using PerMessageDeflate. (markt)
|
|
Other |
 |
Avoid warning when running under Cygwin when the
JAVA_ENDORSED_DIRS environment variable is not set. Patch
provided by Zemian Deng. (markt)
|
|
|
Tomcat 7.0.86 (violetagg) | released 2018-04-13 |
Catalina |
 |
51195: Avoid a false positive report of a web application
memory leak by clearing ObjectStreamClass$Caches of classes
loaded by the web application when the web application is stopped.
(markt)
|
 |
52688: Add support for the maxDays attribute to
the AccessLogValve and ExtendedAccessLogValve.
This allows the maximum number of days for which rotated access logs
should be retained before deletion to be defined. (markt)
|
 |
Prevent Tomcat from applying gzip compression to content that is already
compressed with brotli compression. Based on a patch provided by burka.
(markt)
|
 |
62090: Null container names are not allowed. (remm)
|
 |
62104: Fix programmatic login regression as the
NonLoginAuthenticator has to be set for it to work (if no login method
is specified). (remm)
|
 |
62117: Improve error message in catalina.sh when
calling kill -0 <pid> fails. Based on a suggestion
from Mark Morschhaeuser. (markt)
|
 |
62118: Correctly create a JNDI ServiceRef using
the specified interface rather than the concrete type. Based on a
suggestion by Ángel Álvarez Páscua. (markt)
|
 |
Fix for RequestDumperFilter log attribute. Patch provided
by Kirill Romanov via GitHub. (violetagg)
|
 |
62123: Avoid ConcurrentModificationException
when attempting to clean up application triggered RMI memory leaks on
web application stop. (markt)
|
 |
62168: When using the PersistentManager honor a
value of -1 for minIdleSwap and do not swap
out sessions to keep the number of active sessions under
maxActive. Patch provided by Holger Sunke. (markt)
|
 |
62172: Improve Javadoc for
org.apache.catalina.startup.Constants and ensure that the
constants are correctly used. (markt)
|
 |
62175: Avoid infinite recursion when trying to validate
a session while loading it with PersistentManager.
(fschumacher)
|
 |
Ensure that NamingContextListener instances are only
notified once of property changes on the associated naming resources.
(markt)
|
 |
62224: Disable the forkJoinCommonPoolProtection
of the JreMemoryLeakPreventionListener when running on Java
9 and above since the underlying JRE bug has been fixed. (markt)
|
 |
62263: Avoid a NullPointerException when the
RemoteIpValve processes a request for which no Context can
be found. (markt)
|
|
Coyote |
 |
Correct off-by-one error in thread pool that allowed thread pools to
increase in size to one more than the configured limit. Patch provided
by usc. (markt)
|
|
Web applications |
 |
Work-around a known, non-specification compliant behaviour in some
versions of IE that can allow XSS when the Manager application generates
a plain text response. Based on a suggestion from Muthukumar Marikani.
(markt)
|
 |
Add documentation for FragmentationInterceptor. (kfujino)
|
 |
Document how the roles for an authenticated user are determined when the
CombinedRealm is used. (markt)
|
|
jdbc-pool |
 |
Ensure that SQLWarning has been cleared when a connection
returns to the pool. (kfujino)
|
 |
Ensure that parameters have been cleared when
PreparedStatement and/or CallableStatement are
cached. (kfujino)
|
 |
Enable PoolCleaner to be started even if validationQuery
is not set. (kfujino)
|
|
Other |
 |
Update the build script so MD5 hashes are no longer generated for
releases as per the change in the ASF distribution policy. (markt)
|
 |
62164: Switch the build script to use TLS for downloads from
SourceForge and Maven Central to avoid failures due to HTTP to HTTPS
redirects. (markt)
|
|
|
Tomcat 7.0.85 (violetagg) | released 2018-02-13 |
Catalina |
 |
Prevent a stack trace being written to standard out when running on Java
10 due to changes in the LogManager implementation. (markt)
|
 |
Avoid duplicate load attempts if one has been made already. (remm)
|
 |
Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine.
(remm)
|
 |
58143: Fix calling classloading transformers broken in 7.0.70
by the fix for 59619. This was observed when using Spring
weaving. (rjung)
|
 |
62000: When a JNDI reference cannot be resolved, ensure that
the root cause exception is reported rather than swallowed. (markt)
|
 |
62036: When caching an authenticated user Principal in the
session when the web application is configured with the
NonLoginAuthenticator, cache the internal Principal object
rather than the user facing Principal object as Tomcat requires the
internal object to correctly process later authorization checks. (markt)
|
 |
62067: Correctly apply security constraints mapped to the
context root using a URL pattern of "". (markt)
|
 |
When using Tomcat embedded, only perform Authenticator configuration
once during web application start. (markt)
|
 |
Process all ServletSecurity annotations at web application
start rather than at servlet load time to ensure constraints are applied
consistently. (markt)
|
 |
Minor optimization when calling class transformers. (rjung)
|
|
Web applications |
 |
48672: Add documentation for the Host Manager web
application. Patch provided by Marek Czernek. (markt)
|
|
Other |
 |
Update the NSIS Installer used to build the Windows installer to version
3.03. (kkolinko)
|
|
|
Tomcat 7.0.84 (violetagg) | released 2018-01-24 |
Catalina |
 |
47214: Use a loop to preload anonymous inner classes
when running under a SecurityManager, to be safe for
future changes in the code or using a different compiler. (kkolinko)
|
 |
57619: Implement a small optimisation to how JAR URLs are
processed to reduce the storage of duplicate String objects in memory.
Patch provided by Dmitri Blinov. (markt)
|
 |
61810: Support configuring the interval for which all JARs are kept
open when no JAR is accessed. A non-positive interval indicates that
JARs are always kept open. (huxing)
|
 |
61886: Pre-load additional classes to prevent
SecurityExceptions if the first request received when
running under a SecurityManager is an asynchronous Servlet.
(markt)
|
 |
61916: Extend the AddDefaultCharsetFilter to add
a character set when the content type is set via
setHeader() or addHeader() as well as when it
is set via setContentType(). (markt)
|
 |
61999: maxSavePostSize set to 0 should disable saving POST
data during authentication. (remm)
|
|
Coyote |
 |
61886: Log errors on non-container threads at
DEBUG rather than INFO. The exception will be
made available to the application via the asynchronous error handling
mechanism. (markt)
|
 |
61993: Improve handling for ByteChunk and
CharChunk instances that grow close to the maximum size
allowed by the JRE. (markt)
|
|
Jasper |
 |
43925: Add a new system property
(org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE) to
control the size of the buffer used by Jasper when buffering tag bodies.
(markt)
|
|
Web applications |
 |
61223: Add the mbeans-descriptors.dtd file to the custom
MBean documentation so users have a reference to use when constructing
mbeans-descriptors.xml files for custom components. (markt)
|
 |
Partial fix for 61886. Ensure that multiple threads do not
attempt to complete the AsyncContext if an I/O error occurs
in the stock ticker example Servlet. (markt)
|
 |
61886: Prevent ConcurrentModificationException
when running the asynchronous stock ticker in the examples web
application. (markt)
|
 |
61886: Prevent NullPointerException and other
errors if the stock ticker example is running when the examples web
application is stopped. (markt)
|
 |
61910: Clarify the meaning of the allowLinking
option in the documentation web application. (markt)
|
 |
Add OCSP configuration information to the SSL How-To. Patch provided by
Marek Czernek. (markt)
|
 |
62006: Document the new JvmOptions9 command line
parameter for tomcat7.exe. (markt)
|
|
jdbc-pool |
 |
61312: Prevent NullPointerException when using
the statement cache of a connection that has been closed. (kfujino)
|
|
Other |
 |
Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23)
to pick up some code clean-up. (markt)
|
 |
Update the internal fork of Commons Codec to r1817136 to pick up some
code clean-up. (markt)
|
 |
The native source bundles (for Commons Daemon and Tomcat Native) are no
longer copied to the bin directory for the deploy target. They are now
only copied to the bin directory for the release target. (markt)
|
|
|
Tomcat 7.0.83 (violetagg) | not released |
Catalina |
 |
When running under Java 9 or later, and the
urlCacheProtection option of the
JreMemoryLeakPreventionListener is enabled, use the API
added in Java 9 to only disable the caching for JAR URL connections.
(markt)
|
 |
61581: Fix possible SecurityException when using
the APR/native connector with a SecurityManager. (markt)
|
|
|