Ensure a very unlikely concurrency issue is avoided when writing WebSocket messages. Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions.
Pull request provided by Alexander Norz. Expand the coverage of the German translations provided with Apache Tomcat. Contribution provided by Jens. Expand the coverage of the Japanese translations provided with Apache Tomcat.
Update the internal fork of Apache Commons Codec to dd4 , 1. Update the internal fork of Apache Commons FileUpload to , 2. Make a best efforts attempt to clean-up if a request fails during processing due to an OutOfMemoryException. Ensure that ServletRequest. Ensure that only a full token is matched and that the match is case insensitive. Refactor the APR poller to always use a single pollset now that the Windows operating systems that required multiple smaller pollsets to be used are no longer supported.
Patch provided by Karl von Randow. Fix a race condition that could mean changes to a modified JSP were not visible to end users.
Correct the description of the default value for the server attribute in the security How-To. Correct the documentation for the maxConnections attribute of the Connector in the documentation web application.
Patch provided by Guoxiong Li. Expand the coverage and quality of the French translations provided with Apache Tomcat. Expand the coverage and quality of the Korean translations provided with Apache Tomcat. Expand the coverage and quality of the Simplified Chinese translations provided with Apache Tomcat. Patch provided by Jop Zinkweg. Patch provided by S. Ali Tokmen. Add a new PropertySource implementation, EnvironmentPropertySource , that can be used to do property replacement in configuration files with environment variables.
Based on a pull request provided by Thomas Meyer. Add error logging to detect similar bugs. Based on a pull request by liguoxiong. Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no longer supported versions of Windows that could not support larger pollsets. Web Socket. When running on Java 9 and above, don't attempt to instantiate WebSocket Endpoints found in modules that are not exported.
Fix various issues with the Javadoc generated for the documentation web application to enable release builds to be built with Java 10 onwards. Fix a large number of Javadoc and documentation typos. Patch provided by KangZhiDong. Spelling and formatting corrections for the cluster how-to. Pull request provided by Bill Mitchell. When connections are validated without an explicit validation query, ensure that any transactions opened by the validation process are committed.
Patch provided by Pascal Davoust. This makes the installation behaviour consistent with the Windows installer. The original executable names will be restored when the Windows service is removed. The renaming can be enabled by using the new --rename option after the service name.
This corrects several regressions in Commons Daemon 1. Limit the default JPDA remote debugging interface listen address to localhost Tighten up the default file permissions for the. Allow customization of service. Back-port various corrections and improvements to the English versions of the i18n messages.
Back-port various corrections and improvements to the Spanish i18n messages. Back-port various corrections and improvements to the French i18n messages. Back-port various corrections and improvements to the Japanese i18n messages. Back-port various corrections and improvements to the Russian i18n messages.
Include the available German translations in the standard Tomcat distribution. Back-port additions and updates to the German i18n messages. Add simplified Chinese translations to the standard Tomcat distribution.
Contributed by Peter Uhnak. Remove unused i18n messages and associated translations. Deprecate org. Its functionality was only used for unit tests in org. TesterSupport and has been moved there. When performing a silent install with the Windows Installer, ensure that the registry entries are added to the bit registry when using a bit JVM.
Use a build property to define the minimum supported Java version and use that build property to reduce the number of edits required to update the minimum supported Java version. This corrects a regression in Commons Daemon 1. Correct parsing of invalid host names that contain bytes in the range to and reject them with a response rather than triggering an internal error that results in a response.
Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. Patch provided by Martin Lemanski. Identified by Coverity scan. Fix a potential concurrency issue in the StringCache identified by Coverity scan. Fix a potential concurrency issue in the main Sendfile thread of the APR connector. Fix a potential resource leak on some exception paths in the DataSourceRealm.
Fix a potential resource leak on an exception path when parsing JSP files. Fix a potential resource leak when a JNDI lookup returns an object of an in compatible class. Avoid a NullPointerException when a Context is defined in server.
Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error.
For any given resource a method that returns a status code will not be listed in the Allow header and a method listed in the Allow header will not return a status code. If an unhandled exception occurs on a asynchronous thread started via AsyncContext.
Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. Fix to avoid the possibility of long poll times for individual pollers when using multiple pollers with APR. Refactor the fix for so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. This avoids a SEVERE log message every time the check is performed when the host associated with a group member is not powered on.
Change the default shutdown port used by the Windows installer from to -1 disabled. Limit access to the chosen installation directory to local administrators, Local System and Local Service. This provides improved support for Java This also changes the user configured by the Windows installer for the Windows service from Local System to the lower privileged Local Service. The entire stack trace is now indented by an additional TAB character.
When using the OneLineFormatter , don't print a blank line in the log after printing a stack trace. Use the test command to check for terminal availability rather than the tty command since the tty based test fails on non-English locales.
The default value is false. With additional thanks to YourKit Java profiler for helping to track down the wasted memory and the root causes. When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k.
Ensure that the JarScanner correctly tests whether JARs found on the class path should be skipped when running on Java 9 or later. Encode the output of the SSI printenv command.
This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows.
This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. Based on a patch by Thomas Collignon. Patch provided by nightwatchcyber. Update the copy of Apache Commons Pool to 1. Add JDBC 4. Switch from Checkstyle to the JRE6 backport and update to version 8. This allows Tomcat 7 to use the newer configuration format required by Gump that uses the latest Checkstyle snapshot while still building with Java 6.
Patch provided by Tom Groot. Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header. Based on a patch provided by Tom Groot. Based on a patch provided by rmannibucau. Implement the requirements of section 8.
Correct the Javadoc for Context. Simplify the value of jarsToSkip property in catalina. Use prefix pattern instead of listing each language. Submitted by Benoit Courtilly. When running under a SecurityManager , ensure that the ServiceLoader look-up for the default javax.
Configurator implementation completes correctly rather than silently using the hard-coded fall-back. Implement the requirements of section 5. Implement the requirements of section 4. Ensure a DeploymentException rather than an IllegalArgumentException is thrown if a method annotated with OnMessage does not conform to the requirements set out in the Javadoc.
Improve algorithm that determines if two OnMessage annotations have been added for the same message type. Prior to this change some matches were missed. An alternative solution has been implemented. Sending messages via getSendStream and getSendWriter will now only result in messages on the wire if data is written to the OutputStream or Writer.
Writing zero length data will result in an empty message. Note that sending a message via an Encoder may result in the message being send via getSendStream or getSendWriter. Use client's preferred language for the Server Status page of the Manager web application. Review and fix several cases when the client's language preference was not respected in Manager and Host Manager web applications. Fix messages used by Manager and Host Manager web applications.
Disambiguate message keys used when adding or removing a host. Improve display of summary values on the status page: separate terms and values with a whitespace. Improve wording of messages for expire sessions command. Patch provided by Zemian Deng. Update the packaged version of the Tomcat Native Library to 1.
Enable compilation and test execution with Java Note that the deprecated class org. Base64 will be excluded from the build in this case as it depends on JRE classes that have been removed in Java 11 onwards. Expand the coverage and quality of the Russian translations provided with Apache Tomcat.
Add documentation about the files context. Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. Patch submitted by zikfat.
Ignore an attribute named source on Context elements provided by StandardContext. Based on a patch by mdfst Correct a typo in the Spanish resource files. Add TLSv1. Such requests are unusual but not invalid. Patch provided by Michael Orr. Fix a regression in the TLD whitespace parsing fix that broke parsing when whitespace was present between the method name and the parameters.
Based on a patch by Jordi Llach. Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Introduce a new class - MultiThrowable - to report exceptions when multiple actions are taken where each action may throw an exception but all actions are taken before any errors are reported.
Use this new class when reporting multiple container e. Remove ServletException from declaration of Tomcat. Patch provided by Tzafrir. Improve the handling of path parameters when working with RequestDispatcher objects. When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. Refactor code that adds an additional header name to the Vary HTTP response header to use a common utility method that addresses several additional edge cases.
Note that Java 6 does not support PKCS12 key stores configured to use a store password of the empty string. Patch provided by AG. A new option -failFast can be used to restore the previous behaviour of stopping after the first error.
Based on a patch provided by Marc Pompl. By default, one thread will be used per core. Based on a patch by Dan Fabulich. Patch provided by Bernhard Frauendienst. Based on a patch by Ivan Krasnov. Patch provided by Marek Czernek. Patch provided by Artem Chebykin. Ensures that the specified rxBufSize is correctly set to receiver buffer size.
Correct various spelling errors throughout the source code and documentation. Patch provided by Kazuhiro Sera. Delete reference to removed class that prevented Tomcat from starting when running under a security manager. JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. Based on a patch by Francis Galiegue. Make all loggers associated with Tomcat provided Filters non-static to ensure that log messages are not lost when a web application is reloaded.
Correct the manifest for the annotations-api. Switch to non-static loggers where there is a possibility of a logger becoming associated with a web application class loader causing log messages to be lost if the web application is stopped. Patch by Craig Andrews. Based on a patch by zhanhb. Correct the logic in MBeanFactory.
Log an error message if the AJP connector detects that the reverse proxy is sending AJP messages that are too large for the configured packetSize.
Correctly handle a digest authorization header when the user name contains an escaped character. Correctly handle a digest authorization header when one of the hex field values ends the header with in an invalid character. Update web. Based on a patch by Katya Stoycheva. Implement checksum checks when downloading dependencies that are used to build Tomcat. Both now attempt to set the mappedName property of the resource. First look for a match using JavaBean property names and then, only if a match is not found, look for a match using fields.
Fix startup failure when running under SecurityManager, a regression from the fix for bug Restore the ability for Tomcat 7 to run on Java 6 where Common Annotations 1. Document the requirement to use the Java endorsed mechanism to use Common Annotations 1. Refactor the org. Duplicate code identified by the Simian tool. Based on a patch by Gurkan Erdogdu. Patch provided by Michael Osipov.
Relax Host validation by removing the requirement that the final component of a FQDN must be alphabetic. BodyContentImpl so a SecurityException is not thrown when running under a SecurityManger and additional permissions are not required in the catalina. This is a follow-up to the fix for Remove duplicate calls when creating a replicated session to reduce the time taken to create the session and thereby reduce the chances of a subsequent session update message being ignored because the session does not yet exist.
Ensure that the correct default value is returned when retrieve unset properties in McastService. Add a. Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped.
Patch provided by Masafumi Miura. Improve handing of overflow in the UTF-8 decoder with supplementary characters. Enable strict validation of the provided host name and port for all connectors. This check is optional and disabled by default. It may be enabled with the allowHostHeaderMismatch attribute of the Connector.
Enable ECJ version 4. Patch provided by Mark Struberg. This allows the maximum number of days for which rotated access logs should be retained before deletion to be defined. Prevent Tomcat from applying gzip compression to content that is already compressed with brotli compression. Based on a patch provided by burka. Based on a suggestion from Mark Morschhaeuser. Fix for RequestDumperFilter log attribute. Patch provided by Kirill Romanov via Github.
Patch provided by Holger Sunke. Constants and ensure that the constants are correctly used. Ensure that NamingContextListener instances are only notified once of property changes on the associated naming resources. Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc.
Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when the Manager application generates a plain text response. Based on a suggestion from Muthukumar Marikani. Document how the roles for an authenticated user are determined when the CombinedRealm is used. Ensure that SQLWarning has been cleared when connection returns to the pool. Enable PoolCleaner to be started even if validationQuery is not set. Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy.
Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation. This was observed when using Spring weaving. When using Tomcat embedded, only perform Authenticator configuration once during web application start.
Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently. Patch provided by Dmitri Blinov. The exception will be made available to the application via the asynchronous error handling mechanism.
Partial fix for Update the internal fork of Commons FileUpload to 6c00d57 to pick up some code clean-up. Update the internal fork of Commons Codec to r to pick up some code clean-up. The native source bundles for Commons Daemon and Tomcat Native are no longer copied to the bin directory for the deploy target.
They are now only copied to the bin directory for the release target. Revert the change from 7. Patch provided by isapir. Patch provided by Zilong Song. Patch submitted by J Fernandez.
Fix incorrect behavior that attempts to resend channel messages more than the actual setting value of maxRetryAttempts. Ensure that the remaining Sender can send channel messages by avoiding unintended ChannelException caused by comparing the number of failed members and the number of remaining Senders.
Ensure that remaining SelectionKeys that were not handled by throwing a ChannelException during SelectionKey processing are handled. Improve handling of endorsed directories.
When running on Java 9, any such attempted use of the endorsed directory mechanism will trigger an error and Tomcat will fail to start. Refactoring in preparation for Java 9. Refactor to avoid using some methods that will be deprecated in Java 9 onwards. Patch provided by Ralph Plawetzki. Add necessary Java 9 configuration options to the startup scripts to prevent warnings being generated on web application stop. Add generation of a SHA hash for release artifacts to the build script.
Update the Windows installer to use "The Apache Software Foundation" as the Publisher when Tomcat is displayed in the list of installed applications in Microsoft Windows.
Note that the default configuration does not change the existing behaviour. Correct regression in 7. Realms and Access Control - Description of how to configure Realms databases of users, passwords, and their associated roles for use in web applications that utilize Container Managed Security.
Security Manager - Configuring and using a Java Security Manager to support fine-grained control over the behavior of your web applications. Examples for many popular databases.
Classloading - Information about class loading in Apache Tomcat, including where to place your application classes so that they are visible. Proxy Support - Configuring Apache Tomcat to run behind a proxy server or a web server functioning as a proxy server. Default Servlet - Configuring the default servlet and customizing directory listings. Balancer - Configuring, using, and extending the load balancer application. Connectors - Connectors available in Apache Tomcat, and native web server integration.
Logging - Configuring logging in Apache Tomcat. Apache Portable Runtime - Using APR to provide superior performance, scalability and better integration with native server technologies. Stability is a subjective judgement and you should always read carefully the release notes for any version you intend to make use of.
If you are an early adopter of a release, we would love to hear your opinion about its stability as part of the vote: it takes place on the development mailing list. Beta releases are not expected to run stably.
Stable releases may contain a small number of relatively minor bugs. Stable releases are intended for production use and are expected to run stably for extended periods of time.
Apache Tomcat It builds on Tomcat Apache Tomcat 9. In addition to this, it includes the following significant improvements:. Apache Tomcat 8. In addition to that, it includes the following significant improvements:. It was created in March as a fork from Tomcat 9. M4 alpha milestone release. A stable release of Tomcat 9. Tomcat 8. Please refer to Migration guide for guidance on migrating to Tomcat 8.
There are significant changes in many areas under the hood, resulting in improved performance, stability, and total cost of ownership.
Please refer to the Apache Tomcat 8. Users of Tomcat 8. Related Content Hibernate Releases Version 1. GraalVM Java News Roundup: Hibernate Reactive 1.
Java News Roundup: Grails 5. What Does the Future Hold for Java? Why and How to Upgrade to Java 16 or What's New in Java Implementing Pipeline Microservicilities with Tekton.
Implementing Microservicilites with Istio. View an example Enter your e-mail address. Select your country Select a country I consent to InfoQ. Hello stranger! Get the most out of the InfoQ experience. Tell us what you think.
0コメント