The Apache Tomcat Servlet/JSP Container

Apache Tomcat 7

Version 7.0.96, Jul 24 2019
Apache Logo


User Guide


Apache Tomcat Development


Tomcat 7.0.96 (violetagg)
fix 63579: Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
fix Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)
fix Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)
add Enable the unit tests to execute in parallel. (markt)
Tomcat 7.0.95 (violetagg)not released
add 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter (michaelo)
fix Fix a potential resource leak when executing CGI scripts from a WAR file. Identified by Coverity scan. (markt)
fix Fix a potential concurrency issue in the StringCache identified by Coverity scan. (markt)
fix Fix a potential concurrency issue in the main Sendfile thread of the APR connector. Identified by Coverity scan. (markt)
fix Fix a potential resource leak on some exception paths in the DataSourceRealm. Identified by Coverity scan. (markt)
fix Fix a potential resource leak on an exception path when parsing JSP files. Identified by Coverity scan. (markt)
fix Fix a potential resource leak when a JNDI lookup returns an object of an in compatible class. Identified by Coverity scan. (markt)
code Refactor ManagerServlet to avoid loading classes when filtering JNDI resources for resources of a specified type. (markt)
fix Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
add 43548: Add an XML schema for the tomcat-users.xml file. (markt)
fix 63324: Refactor the CrawlerSessionManagerValve so that the object placed in the session is compatible with session serialization with mem-cached. Patch provided by Martin Lemanski. (markt)
fix Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. (markt)
fix Avoid potential NullPointerException when generating an HTTP Allow header. Identified by Coverity Scan. (markt)
add Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error. (markt)
fix 63531: Refactor authenticators so that the session last accessed time is not updated if the cache attribute is set to false and FORM authentication is not being used. (markt)
update Modify the Default and WebDAV Servlets so that a 405 status code is returned for PUT and DELETE requests when disabled via the readonly initialisation parameter.
fix Align the contents of the Allow header with the response code for the Default and WebDAV Servlets. For any given resource a method that returns a 405 status code will not be listed in the Allow header and a method listed in the Allow header will not return a 405 status code. (markt)
fix Correct two failing tests from the Litmus test suite for WebDAV when copying/moving a file over a collection. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
fix If an unhandled exception occurs on a asynchronous thread started via AsyncContext.start(Runnable), process it using the standard error page mechanism. (markt)
code Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
fix Fix to avoid the possibility of long poll times for individual pollers when using multiple pollers with APR. (markt)
fix Refactor the fix for 63205 so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. (markt)
add Include file names in error messages if SMAP processor is unable to delete or rename a class file during SMAP generation. (markt)
fix Improvements to varargs handling in the Java UEL implementation. (markt)
fix 62841: Refactor the DeltaRequest serialization to reduce the window during which the DeltaSession is locked and to remove a potential cause of deadlocks during serialization. (markt)
fix 63441: Further streamline the processing of session creation messages in the DeltaManager to reduce the possibility of a session update message being processed before the session has been created. (markt)
fix 63521: As required by the WebSocket specification, if a POJO that is deployed as a result of the SCI scan for annotated POJOs is subsequently deployed via the programmatic API ignore the programmatic deployment. (markt)
fix Treat NoRouteToHostException the same way as SocketTimeoutException when checking the health of group members. This avoids a SEVERE log message every time the check is performed when the host associated with a group member is not powered on. (markt)
fix 55969: Tighten up the security of the Apache Tomcat installation created by the Windows installer. Change the default shutdown port used by the Windows installer from 8005 to -1 (disabled). Limit access to the chosen installation directory to local administrators, Local System and Local Service. (markt)
add 59871: Add a property (timeFormat) to JULI's OneLineFormatter to enable the format of the time stamp used in log messages to be configured. (markt)
fix 63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
fix When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
fix Use the test command to check for terminal availability rather than the tty command since the tty based test fails on non-English locales. Patch provided by Radosław Józwik. (markt)
update Update JUnit to version 4.12. (markt)
update Update optional WSDL dependency to 1.6.3. (markt)
update Update Checkstyle to version 8.22. (markt)
update 63310: Update to Commons Daemon 1.2.0. This provides improved support for Java 11. This also changes the user configured by the Windows installer for the Windows service from Local System to the lower privileged Local Service. (markt)
Tomcat 7.0.94 (markt)released 2019-04-12
add 63206: Add a new attribute to Context - createUploadTargets which, if true enables Tomcat to create the temporary upload location used by a Servlet if the location specified by the Servlet does not already exist. The default value is false. (markt)
fix 63213: Ensure the correct escaping of group names when searching for nested groups when the JNDIRealm is configured with roleNested set to true. (markt)
fix 63235: Refactor Charset cache to reduce start time. (markt)
fix 63236: Use String.intern() as suggested by Phillip Webb to reduce memory wasted due to String duplication. This changes saves ~245k when starting a clean installation. With additional thanks to YourKit Java profiler for helping to track down the wasted memory and the root causes. (markt)
fix 63246: Fix a potential NullPointerException when calling AsyncContext.dispatch(). (markt)
fix 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
fix 63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
fix 63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
fix When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
fix 63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
fix Ensure that the JarScanner correctly tests whether JARs found on the class path should be skipped when running on Java 9 or later. (markt)
fix 63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
fix 63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
fix 63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
fix Encode the output of the SSI printenv command. This is the fix for CVE-2019-0221. (markt)
code Use constants for SSI encoding values. (markt)
add When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
add When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)
update Change the default for the enableCmdLineArguments parameter of the CGI servlet from true to false as additional hardening against CVE-2019-0232. (markt)
fix 63194: Fix failing unit test so TLS1.3 client authentication tests work correctly when using Java 11 onwards and the APR/Native connector. (markt)
add 63205: Add a work-around for a known JRE KeyStore loading bug. (markt)
add Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
add Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will used. Based on a patch by Thomas Collignon. (markt)
Web applications
fix 63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)
fix 63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)
code Copy Apache Commons DBCP 1.4 and Apache Commons Pool 1.5.7 source code into the Tomcat 7.0.x tree to enable additional fixes to be pulled in. (markt)
fix Update the copy of Apache Commons DBCP 1.4.x and Apache Commons pool 1.5.x to the latest source code as of 2019-03-15 to pick up multiple bug fixes including 58338. (markt)
code Update the copy of Apache Commons Pool to 1.6.x to pick up the generics changes. (markt)
add Add JDBC 4.1 support to the default database connection pool provided by Tomcat. (markt)
update Switch from Checkstyle to the JRE6 backport and update to version 8.17. This allows Tomcat 7 to use the newer configuration format (required by Gump that uses the latest Checkstyle snapshot) while still building with Java 6. (markt)
Tomcat 7.0.93 (violetagg)released 2019-02-21
fix 54741: Add a new method, Tomcat.addWebapp(String,URL), that allows a web application to be deployed from a URL when using Tomcat in embedded mode. (markt)
add 62897: Provide a property (clearReferencesThreadLocals) on the standard Context implementation that enables the check for memory leaks via ThreadLocals to be disabled because this check depends on the use of an API that has been deprecated in later versions of Java. (markt)
fix 62978: Update the RemoteIpValve to handle multiple values in the x-forwarded-proto header. Patch provided by Tom Groot. (markt)
fix Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
code 62986: Refactor the code that performs class scanning during web application start to make integration simpler for downstream users. Based on a patch provided by rmannibucau. (markt)
fix Implement the requirements of section 8.2.2 2c of the Servlet specification and prevent a web application from deploying if it has fragments with duplicate names and is configured to use relative ordering of fragments. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.19. (markt)
fix Ensure that the ServletOutputStream implementation is consistent with the requirements of asynchronous I/O and that all of the write methods use a single write rather than multiple writes. (markt)
fix Correct the Javadoc for Context.getDocBase() and Context.setDocBase() and remove text that indicates that a URL may be used for the docBase as this has not been the case for quite some time. (markt)
add Ensure that Tomcat is fully terminated when running as a service. (markt)
fix 63003: Extend the unloadDelay attribute on a Context to include in-flight asynchronous requests. (markt)
add 63026: Add a new attribute, forceDnHexEscape, to the JNDIRealm that forces escaping in the String representation of a distinguished name to use the \nn form. This may avoid issues with realms using Active Directory which appears to be more tolerant of optional escaping when the \nn form is used. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.21. (markt)
update Simplify the value of jarsToSkip property in file for tomcat-i18n jar files. Use prefix pattern instead of listing each language. (kkolinko)
fix 57974: Ensure implementation of Session.getOpenSessions() returns correct value for both client-side and server-side calls. (markt)
fix 63019: Use payload remaining bytes rather than limit when writing. Submitted by Benoit Courtilly. (remm)
fix When running under a SecurityManager, ensure that the ServiceLoader look-up for the default javax.websocket.server.ServerEndpointConfig.Configurator implementation completes correctly rather than silently using the hard-coded fall-back. (markt)
fix Ensure that the network connection is closed if the client receives an I/O error trying to communicate with the server. (markt)
fix Ignore synthetic methods when scanning POJO methods. (markt)
fix Implement the requirements of section 5.2.1 of the WebSocket 1.1 specification and ensure that if the deployment of one Endpoint fails, no Endpoints are deployed for that web application. (markt)
fix Implement the requirements of section 4.3 of the WebSocket 1.1 specification and ensure that the deployment of an Endpoint fails if @PathParam is used with an invalid parameter type. (markt)
fix Ensure a DeploymentException rather than an IllegalArgumentException is thrown if a method annotated with @OnMessage does not conform to the requirements set out in the Javadoc. (markt)
fix Improve algorithm that determines if two @OnMessage annotations have been added for the same message type. Prior to this change some matches were missed. (markt)
code Remove the STREAMS_DROP_EMPTY_MESSAGES system property that was introduced to work-around four failing TCK tests. An alternative solution has been implemented. Sending messages via getSendStream() and getSendWriter() will now only result in messages on the wire if data is written to the OutputStream or Writer. Writing zero length data will result in an empty message. Note that sending a message via an Encoder may result in the message being send via getSendStream() or getSendWriter(). (markt)
Web applications
fix 63103: Remove the unused source.jsp file and associated tag from the examples web application as it is no longer used. (markt)
fix 63143: Ensure that the Manager web application respects the language preferences of the user as configured in the browser when the language of the default system locale is not English. (markt)
fix Use client's preferred language for the Server Status page of the Manager web application. Review and fix several cases when the client's language preference was not respected in Manager and Host Manager web applications. (kkolinko)
fix Fix messages used by Manager and Host Manager web applications. Disambiguate message keys used when adding or removing a host. Improve display of summary values on the status page: separate terms and values with a whitespace. Improve wording of messages for expire sessions command. (kkolinko)
fix Do not add CSRF nonce parameter and suppress Referer header for external links in Manager and Host Manager web applications. (kkolinko)
fix Prevent an error when running in a Cygwin shell and the JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.19 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. (markt)
fix Correct AsyncFileHandler to FileHandler in (huxing)
update Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt)
fix Enable compilation and test execution with Java 11. Note that the deprecated class org.apache.catalina.util.Base64 will be excluded from the build in this case as it depends on JRE classes that have been removed in Java 11 onwards. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.04. (markt)
add Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
Tomcat 7.0.92 (violetagg)released 2018-11-15
fix Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
fix Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
fix 62788: Add explicit logging configuration to write log files using UTF-8 to align with Tomcat's use of UTF-8 by default elsewhere. (markt)
fix 62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
fix 62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
add Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
add 62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
fix Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
fix 62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)
add Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
fix 62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt)
add 62748: Add TLS 1.3 support for the APR/Native connector. (schultz/markt)
fix 62791: Remove an unnecessary check in the NIO TLS implementation that prevented from secure WebSocket connections from being established. (markt)
fix 62674: Correct a regression in the stand-alone JSP compiler utility, JspC, caused by the fix for 53492, that caused the JSP compiler to hang. (markt)
fix 62721: Correct generation of web.xml header when using JspC. (markt)
fix Fix a regression in the TLD whitespace parsing fix that broke parsing when whitespace was present between the method name and the parameters. (markt)
fix 62757: Correct a regression in the fix for 62603 that caused NullPointerExceptions when compiling tag files on first access when development mode was disabled and background compilation was enabled. Based on a patch by Jordi Llach. (markt)
fix 62808: Fix a regression in the TLD whitespace parsing fix that broke parsing when new lines were present in the method signature. (markt)
fix 62731: Make the URI returned by HandshakeRequest.getRequestURI() and Session.getRequestURI() absolute so that the scheme, host and port are accessible. (markt)
Web applications
fix 62761: Correct the advanced CORS example in the Filter documentation to use a valid configuration. (markt)
fix 62786: Add a note to the Context documentation to explain that, by default, settings for a Context element defined in server.xml will be overwritten by settings specified in a default context file such as conf/context.xml. (markt)
fix Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Patch provided by Łukasz Jąder. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.18 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. (markt)
Tomcat 7.0.91 (violetagg)released 2018-09-19
add 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
fix Ensure that the HTTP Vary header is set correctly when using the CORS filter and improve the cacheability of requests that pass through the COPRS filter. (markt)
fix 62527: Revert restriction of JNDI to the java: namespace. (remm)
add Introduce a new class - MultiThrowable - to report exceptions when multiple actions are taken where each action may throw an exception but all actions are taken before any errors are reported. Use this new class when reporting multiple container (e.g. web application) failures during start. (markt)
fix Correctly decode URL paths (+ should not be decoded to a space in the path) in the RequestDispatcher and the web application class loader. (markt)
add 62559: Add jaxb-*.jar to the list of JARs ignored by StandardJarScanner. (markt)
add 62560: Add oraclepki.jar to the list of JARs ignored by StandardJarScanner. (markt)
add 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat fails to start. (markt)
code Remove ServletException from declaration of Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by Tzafrir. (markt)
fix Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
code Simplify construction of appName from container name in JAASRealm. (fschumacher)
fix Improve the handling of path parameters when working with RequestDispatcher objects. (markt)
fix 62664: Process requests with content type multipart/form-data to servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
fix 62669: When using the SSIFilter and a resource does not specify a content type, do not force the content type to application/x-octet-stream. (markt)
fix When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. (markt)
fix Refactor code that adds an additional header name to the Vary HTTP response header to use a common utility method that addresses several additional edge cases. (markt)
fix 62526: Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string. Note that Java 6 does not support PKCS12 key stores configured to use a store password of the empty string. (markt)
fix 62670: Adjust the memory leak protection for the DriverManager so that JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via the service loader mechanism when the protection is enabled. (markt)
fix 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
fix 53011: When pre-compiling with JspC, report all compilation errors rather than stopping after the first error. A new option -failFast can be used to restore the previous behaviour of stopping after the first error. Based on a patch provided by Marc Pompl. (markt)
add 53492: Make the Java file generation process multi-threaded. By default, one thread will be used per core. Based on a patch by Dan Fabulich. (markt)
fix 62603: Fix a potential race condition when development mode is disabled and background compilation checks are enabled. It was possible that some updates would not take effect and/or ClassNotFoundExceptions would occur. (markt)
fix Correct the JSP version in the X-PoweredBy HTTP header generated when the xpoweredBy option is enabled. (markt)
fix 62662: Fix the corruption of web.xml output during JSP compilation caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)
fix Correct parsing of XML whitespace in TLD function signatures that incorrectly only looked for the space character. (markt)
fix 62596: Remove the limit on the size of the initial HTTP upgrade request used to establish the web socket connection. (markt)
Web applications
add 62558: Add Russian translations for the Manager and Host Manager web applications. Based on a patch by Ivan Krasnov. (markt)
add 62561: Add advanced class loader configuration information regarding the use of the Server and Shared class loaders to the documentation web application. (markt)
add Expand the information in the documentation web application regarding the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. (markt)
fix 62652: Make it clearer that the version of DBCP that is packaged in Tomcat 7.0.x is DBCP 1. (markt)
add 62666: Expand internationalisation support in the Manager application to include the server status page and provide Russian translations in addition to English. Patch provided by Artem Chebykin. (markt)
fix 62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
fix Ensures that the specified rxBufSize is correctly set to receiver buffer size. (kfujino)
fix Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
fix Correct various spelling errors throughout the source code and documentation. Patch provided by Kazuhiro Sera. (markt)
Tomcat 7.0.90 (violetagg)released 2018-07-06
fix 62498: Correct a regression in the fix for CVE-2017-12617 that caused request failures for some requests when using the VirtualDirContext. (markt)
fix Delete reference to removed class that prevented Tomcat from starting when running under a security manager. (markt)
Tomcat 7.0.89 (violetagg)not released
fix JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. (markt)
fix Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java: namespace. (markt)
add 51953: Add the RemoteCIDRFilter and RemoteCIDRValve that can be used to allow/deny requests based on IPv4 and/or IPv6 client address where the IP ranges are defined using CIDR notation. Based on a patch by Francis Galiegue. (markt)
fix 62343: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt)
fix Make all loggers associated with Tomcat provided Filters non-static to ensure that log messages are not lost when a web application is reloaded. (markt)
fix Correct the manifest for the annotations-api.jar. The JAR implements the Common Annotations API 1.1 and the manifest should reflect that. (markt)
fix Switch to non-static loggers where there is a possibility of a logger becoming associated with a web application class loader causing log messages to be lost if the web application is stopped. (markt)
add 62389: Add the IPv6 loopback address to the default internalProxies regular expression. Patch by Craig Andrews. (markt)
fix In the RemoteIpValve and RemoteIpFilter, correctly handle the case when the request passes through one or more trustedProxies but no internalProxies. Based on a patch by zhanhb. (markt)
fix Correct the logic in MBeanFactory.removeConnector() to ensure that the correct Connector is removed when there are multiple Connectors using different addresses but the same port. (markt)
fix Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames. (markt)
fix 62476: Use GMT timezone for the value of Expires header as required by HTTP specification (RFC 7231, 7234). (kkolinko)
fix Log an error message if the AJP connector detects that the reverse proxy is sending AJP messages that are too large for the configured packetSize. (markt)
fix 62371: Improve logging of Host validation failures. (markt)
fix Correctly handle a digest authorization header when the user name contains an escaped character. (markt)
fix Correctly handle a digest authorization header when one of the hex field values ends the header with in an invalid character. (markt)
fix Update web.xml, web-fragment.xml and web.xml extracts generated by JspC to use the Servlet 3.0 version of the relevant schemas. (markt)
fix Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do not contain leading zeros in the IPv4 part. Based on a patch by Katya Stoycheva. (markt)
fix 62080: Ensure that all reads of the current thread's context class loader made by the UEL API and implementation are performed via a PrivilegedAction to ensure that a SecurityException is not triggered when running under a SecurityManager. (mark)
fix When decoding of path parameter failed, make sure to throw DecodeException instead of throwing ArrayIndexOutOfBoundsException. (kfujino)
fix Enable host name verification when using TLS with the WebSocket client. (markt)
Web applications
62395: Clarify the meaning of the connector attribute minSpareThreads in the documentation web application. (markt)
fix When logValidationErrors is set to true, the connection validation error is logged as SEVERE instead of WARNING. (kfujino)
fix 62391: Remove references to javaw.exe as this file is not required by Tomcat and the references prevent the use of the Server JRE. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.17 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o. (markt)
add Implement checksum checks when downloading dependencies that are used to build Tomcat. (kkolinko)
Tomcat 7.0.88 (violetagg)released 2018-05-11
fix Treat the <mapped-name> element of a <env-entry> in web.xml in the same way as the mappedName element of the equivalent @Resource annotation. Both now attempt to set the mappedName property of the resource. (markt)
fix Correct the processing of resources with <injection-target>s defined in web.xml. First look for a match using JavaBean property names and then, only if a match is not found, look for a match using fields. (markt)
fix When restoring a saved request with a request body after FORM authentication, ensure that calls to the HttpServletRequest methods getRequestURI(), getQueryString() and getProtocol() are not corrupted by the processing of the saved request body. (markt)
fix Fix startup failure when running under SecurityManager, a regression from the fix for bug 62273. (kkolinko)
fix 62353: Correct a regression introduced in Tomcat 7.0.86. Restore the ability for Tomcat 7 to run on Java 6 where Common Annotations 1.0 is available. Document the requirement to use the Java endorsed mechanism to use Common Annotations 1.1. (markt)
code Refactor the org.apache.naming package to reduce duplicate code. Duplicate code identified by the Simian tool. (markt)
fix 50019: Add support for <lookup-name>. Based on a patch by Gurkan Erdogdu. (markt)
fix 60490: Various formatting and layout improvements for the ErrorReportValve. Patch provided by Michael Osipov. (markt)
fix Relax Host validation by removing the requirement that the final component of a FQDN must be alphabetic. (markt)
add 50234: Add the capability to generate a web-fragment.xml file to JspC. (markt)
fix 62350: Refactor org.apache.jasper.runtime.BodyContentImpl so a SecurityException is not thrown when running under a SecurityManger and additional permissions are not required in the catalina.policy file. This is a follow-up to the fix for 43925. (kkolinko/markt)
fix Remove duplicate calls when creating a replicated session to reduce the time taken to create the session and thereby reduce the chances of a subsequent session update message being ignored because the session does not yet exist. (markt)
fix Ensure that the correct default value is returned when retrieve unset properties in McastService. (kfujino)
fix Add a .gitattributes file to make sure that Git handles test data files for bug 52121 as binary. (kkolinko)
Tomcat 7.0.87 (violetagg)not released
fix 62316: Correct a regression in some refactoring that broke the default factory for JDBC datasources. (markt)
fix Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
fix Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
add Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
fix 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
add Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
fix Improve handing of overflow in the UTF-8 decoder with supplementary characters. (markt)
add Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response. (markt)
fix Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1 requests must include a Host header and any request that does not must be rejected with a 400 response. (markt)
fix Implement the requirements of RFC 7230 that any HTTP/1.1 request that specifies a host in the request line, must specify the same host in the Host header and that any such request that does not, must be rejected with a 400 response. This check is optional and disabled by default. It may be enabled with the allowHostHeaderMismatch attribute of the Connector. (markt)
fix Implement the requirements of RFC 7230 that any HTTP/1.1 request that contains multiple Host headers is rejected with a 400 response. (markt)
add 62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
fix Enable ECJ version 4.7 and later to be used as a drop in replacement for the ECJ version that ships with Apache Tomcat. (markt)
fix Enable Java 10 to be specified as a JSP source and/or target if a newer ECJ version is used. (markt)
fix 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
fix 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
fix Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)
Tomcat 7.0.86 (violetagg)released 2018-04-13
fix 51195: Avoid a false positive report of a web application memory leak by clearing ObjectStreamClass$Caches of classes loaded by the web application when the web application is stopped. (markt)
fix 52688: Add support for the maxDays attribute to the AccessLogValve and ExtendedAccessLogValve. This allows the maximum number of days for which rotated access logs should be retained before deletion to be defined. (markt)
fix Prevent Tomcat from applying gzip compression to content that is already compressed with brotli compression. Based on a patch provided by burka. (markt)
fix 62090: Null container names are not allowed. (remm)
fix 62104: Fix programmatic login regression as the NonLoginAuthenticator has to be set for it to work (if no login method is specified). (remm)
fix 62117: Improve error message in when calling kill -0 <pid> fails. Based on a suggestion from Mark Morschhaeuser. (markt)
fix 62118: Correctly create a JNDI ServiceRef using the specified interface rather than the concrete type. Based on a suggestion by Ángel Álvarez Páscua. (markt)
fix Fix for RequestDumperFilter log attribute. Patch provided by Kirill Romanov via Github. (violetagg)
fix 62123: Avoid ConcurrentModificationException when attempting to clean up application triggered RMI memory leaks on web application stop. (markt)
fix 62168: When using the PersistentManager honor a value of -1 for minIdleSwap and do not swap out sessions to keep the number of active sessions under maxActive. Patch provided by Holger Sunke. (markt)
fix 62172: Improve Javadoc for org.apache.catalina.startup.Constants and ensure that the constants are correctly used. (markt)
fix 62175: Avoid infinite recursion, when trying to validate a session while loading it with PersistentManager. (fschumacher)
fix Ensure that NamingContextListener instances are only notified once of property changes on the associated naming resources. (markt)
add 62224: Disable the forkJoinCommonPoolProtection of the JreMemoryLeakPreventionListener when running on Java 9 and above since the underlying JRE bug has been fixed. (markt)
fix 62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
fix Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
Web applications
add Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when the Manager application generates a plain text response. Based on a suggestion from Muthukumar Marikani. (markt)
add Add document for FragmentationInterceptor. (kfujino)
add Document how the roles for an authenticated user are determined when the CombinedRealm is used. (markt)
fix Ensure that SQLWarning has been cleared when connection returns to the pool. (kfujino)
fix Ensure that parameters have been cleared when PreparedStatement and/or CallableStatement are cached. (kfujino)
fix Enable PoolCleaner to be started even if validationQuery is not set. (kfujino)
update Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy. (markt)
fix 62164: Switch the build script to use TLS for downloads from SourceForge and Maven Central to avoid failures due to HTTP to HTTPS redirects. (markt)
Tomcat 7.0.85 (violetagg)released 2018-02-13
fix Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation. (markt)
fix Avoid duplicate load attempts if one has been made already. (remm)
fix Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. (remm)
fix 58143: Fix calling classloading transformers broken in 7.0.70 by the fix for 59619. This was observed when using Spring weaving. (rjung)
fix 62000: When a JNDI reference cannot be resolved, ensure that the root cause exception is reported rather than swallowed. (markt)
fix 62036: When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator, cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. (markt)
fix 62067: Correctly apply security constraints mapped to the context root using a URL pattern of "". (markt)
fix When using Tomcat embedded, only perform Authenticator configuration once during web application start. (markt)
fix Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently. (markt)
fix Minor optimization when calling class transformers. (rjung)
Web applications
add 48672: Add documentation for the Host Manager web application. Patch provided by Marek Czernek. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.03. (kkolinko)
Tomcat 7.0.84 (violetagg)released 2018-01-24
fix 47214: Use a loop to preload anonymous inner classes when running under a SecurityManager, to be safe for future changes in the code or using a different compiler. (kkolinko)
add 57619: Implement a small optimisation to how JAR URLs are processed to reduce the storage of duplicate String objects in memory. Patch provided by Dmitri Blinov. (markt)
add 61810: Support configure the interval to keep all jars open if no jar is accessed, a non-positive interval indicates keeping jars always open. (huxing)
fix 61886: Pre-load additional classes to prevent SecurityExceptions if the first request received when running under a SecurityManager is an asynchronous Servlet. (markt)
fix 61916: Extend the AddDefaultCharsetFilter to add a character set when the content type is set via setHeader() or addHeader() as well as when it is set via setContentType(). (markt)
fix 61999: maxSavePostSize set to 0 should disable saving POST data during authentication. (remm)
fix 61886: Log errors on non-container threads at DEBUG rather than INFO. The exception will be made available to the application via the asynchronous error handling mechanism. (markt)
fix 61993: Improve handling for ByteChunk and CharChunk instances that grow close to the maximum size allowed by the JRE. (markt)
add 43925: Add a new system property (org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE) to control the size of the buffer used by Jasper when buffering tag bodies. (markt)
Web applications
add 61223: Add the mbeans-descriptors.dtd file to the custom MBean documentation so users have a reference to use when constructing mbeans-descriptors.xml files for custom components. (markt)
fix Partial fix for 61886. Ensure that multiple threads do not attempt to complete the AsyncContext if an I/O error occurs in the stock ticker example Servlet. (markt)
fix 61886: Prevent ConcurrentModificationException when running the asynchronous stock ticker in the examples web application. (markt)
fix 61886: Prevent NullPointerException and other errors if the stock ticker example is running when the examples web application is stopped. (markt)
fix 61910: Clarify the meaning of the allowLinking option in the documentation web application. (markt)
add Add OCSP configuration information to the SSL How-To. Patch provided by Marek Czernek. (markt)
fix 62006: Document the new JvmOptions9 command line parameter for tomcat7.exe. (markt)
fix 61312: Prevent NullPointerException when using the statement cache of connection that has been closed. (kfujino)
update Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23) to pick up some code clean-up. (markt)
update Update the internal fork of Commons Codec to r1817136 to pick up some code clean-up. (markt)
fix The native source bundles (for Commons Daemon and Tomcat Native) are no longer copied to the bin directory for the deploy target. They are now only copied to the bin directory for the release target. (markt)
Tomcat 7.0.83 (violetagg)not released
add When running under Java 9 or later, and the urlCacheProtection option of the JreMemoryLeakPreventionListener is enabled, use the API added in Java 9 to only disable the caching for JAR URL connections. (markt)
fix 61581: Fix possible SecurityException when using the APR/native connector with a SecurityManager. (markt)
fix 61597: Extend the StandardJarScanner to scan JARs on the module path when running on Java 9 and class path scanning is enabled. (markt)
fix Fix the JMX descriptor for Wrapper.findInitParameter(). (rjung)
fix 61601: Add support for multi-release JARs in JAR scanning and web application class loading. (markt)
fix Revert the change from 7.0.80 that called ServletResponse.setLocale() if the Content-Language HTTP header was set directly. (markt)
add Provide the SessionInitializerFilter that can be used to ensure that an HTTP session exists when initiating a WebSocket connection. Patch provided by isapir. (markt)
fix Avoid a possible NullPointerException when timing out AsyncContext instances during shut down. (markt)
fix 57870: When running on Java 7 or later, take advantage of the new syncFlush parameter when constructing a GZIPOutputStream rather than using the custom FlushableGZIPOutputStream implementation as a work-around. (markt)
fix 61736: Improve performance of NIO connector when clients leave large time gaps between network packets. Patch provided by Zilong Song. (markt)
add Enable Jasper to compile JSPs for Java 9. In addition to configuring the JSP servlet with for Java 9 via the compilerSourceVM and compilerTargetVM, it is necessary to replace ecj-4.4.2.jar with a more recent version that supports Java 9. (markt)
fix 61816: Invalid expressions in attribute values or template text should trigger a translation (compile time) error, not a run time error. (markt)
fix 61604: Add support for authentication in the websocket client. Patch submitted by J Fernandez. (remm)
Web applications
fix 61603: Add XML filtering for the status servlet output where needed. (remm)
fix Correct the description of how the CGI servlet maps a request to a script in the CGI How-To. (markt)
fix Fix incorrect behavior that attempts to resend channel messages more than the actual setting value of maxRetryAttempts. (kfujino)
fix Ensure that the remaining Sender can send channel messages by avoiding unintended ChannelException caused by comparing the number of failed members and the number of remaining Senders. (kfujino)
fix Ensure that remaining SelectionKeys that were not handled by throwing a ChannelException during SelectionKey processing are handled. (kfujino)
fix Improve the fix for 61439 and exclude the JPA, JAX-WS and EJB annotations completely from the Tomcat distributions. (markt)
fix Improve handling of endorsed directories. The endorsed directory mechanism will only be used if the JAVA_ENDORSED_DIRS system property is explicitly set or if $CATALINA_HOME/endorsed exists. When running on Java 9, any such attempted use of the endorsed directory mechanism will trigger an error and Tomcat will fail to start. (rjung)
code Refactoring in preparation for Java 9. Refactor to avoid using some methods that will be deprecated in Java 9 onwards. (markt)
add 51496: When using the Windows installer, check if the requested service name already exists and, if it does, prompt the user to select an alternative service name. Patch provided by Ralph Plawetzki. (markt)
fix Add necessary Java 9 configuration options to the startup scripts to prevent warnings being generated on web application stop. (markt)
fix 61590: Enable service.bat to recognise when JAVA_HOME is configured for a Java 9 JDK. (markt)
fix 61598: Update the Windows installer to search the new (as of Java 9) registry locations when looking for a JRE. (markt)
add Add generation of a SHA-512 hash for release artifacts to the build script. (markt)
fix 61658: Update MIME mappings for fonts to use font/* as per RFC8081. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.16 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2m. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.02.1. (kkolinko)
update Update the Windows installer to use "The Apache Software Foundation" as the Publisher when Tomcat is displayed in the list of installed applications in Microsoft Windows. (kkolinko)
fix 61803: Remove outdated SSL information from the Security documentation. (remm)
Tomcat 7.0.82 (violetagg)released 2017-10-03
fix 61210: When running under a SecurityManager, do not print a warning about not being able to read a logging configuration file when that file does not exist. (markt)
add 61280: Add RFC 7617 support to the BasicAuthenticator. Note that the default configuration does not change the existing behaviour. (markt)
fix 61452: Fix a copy paste error that caused an UnsupportedEncodingException when using WebDAV. (markt)
fix Correct regression in 7.0.80 that broke the use of relative paths with the extraResourcePaths attribute of a VirtualDirContext. (markt)
add 61489: When using the CGI servlet, make the generation of command line arguments from the query string (as per section 4.4 of RFC 3875) optional. The feature is enabled by default for consistency with previous releases. Based on a patch by jm009. (markt)
fix Correct a regression in 7.0.80 and 7.0.81 that wrapped the DirContext that represented the web application in a ProxyDirContext twice rather than just once. (markt)
fix 61542: Fix CVE-2017-12617 and prevent JSPs from being uploaded via a specially crafted request when HTTP PUT was enabled. (markt)
fix Use the correct path when loading the JVM file for Java 9. (rjung)
fix 61554: Exclude test files in unusual encodings and markdown files intended for display in GitHub from RAT analysis. Patch provided by Chris Thistlethwaite. (markt)
fix 48655: Enable Tomcat to shutdown cleanly when using sendfile, the APR/native connector and a multi-part download is in progress. (markt)
fix 58244: Handle the case when OpenSSL resumes a TLS session using a ticket and the full client certificate chain is not available. In this case the client certificate without the chain will be presented to the application. (markt)
fix Fix random SocketTimeoutExceptions when reading the request InputStream. Based on a patch by Peter Major. (markt)
fix 60900: Avoid a NullPointerException in the APR Poller if a connection is closed at the same time as new data arrives on that connection. (markt)
add Add an option to reject requests that contain HTTP headers with invalid (non-token) header names with a 400 response. (markt)
fix 61491: When using the permessage-deflate extension, correctly handle the sending of empty messages after non-empty messages to avoid the IllegalArgumentException. (markt)
fix To avoid unexpected session timeout notification from backup session, update the access time when receiving the map member notification message. (kfujino)
fix Add member info to the log message when the failure detection check fails in TcpFailureDetector. (kfujino)
fix Avoid Ping timeout until the added map member by receiving MSG_START message is completely started. (kfujino)
fix When sending a channel message, make sure that the Sender has connected. (kfujino)
fix Correct the backup node selection logic that node 0 is returned twice consecutively. (kfujino)
fix Fix race condition of responseMap in RpcChannel. (kfujino)
fix 61391: Ensure that failed queries are logged if the SlowQueryReport interceptor is configured to do so and the connection has been abandoned. Patch provided by Craig Webb. (markt)
fix 61425: Ensure that transaction of idle connection has terminated when the testWhileIdle is set to true and defaultAutoCommit is set to false. Patch provided by WangZheng. (kfujino)
fix 61545: Correctly handle invocations of methods defined in the PooledConnection interface when using pooled XA connections. Patch provided by Nils Winkler. (markt)
fix 61439: Remove the Java Annotation API classes from tomcat-embed-core.jar and package them in a separate JAR in the embedded distribution to provide end users with greater flexibility to handle potential conflicts with the JRE and/or other JARs. (markt)
fix 61441: Improve the detection of JAVA_HOME by the script when running on a platform where Java has been installed from an RPM. (rjung)
update Update the packaged version of the Tomcat Native Library to 1.2.14 to pick up the latest Windows binaries built with APR 1.6.2 and OpenSSL 1.0.2l. (markt)
fix Update fix for 59904 so that values less than zero are accepted instead of throwing a NegativeArraySizeException. (remm)
fix 61563: Correct typos in Spanish translation. Patch provided by Gonzalo Vásquez. (csutherl)
Tomcat 7.0.81 (violetagg)released 2017-08-16
fix Correct regression in 7.0.80 that broke WebDAV. (markt)
Tomcat 7.0.80 (violetagg)not released
fix 56785: Avoid NullPointerException if directory exists on the class path that is not readable by the Tomcat user. (markt)
fix Additional permission for deleting files is granted to JULI as it is required by FileHandler when running under a Security Manager. The thread that cleans the log files is marked as daemon thread. (violetagg)
fix 61229: Correct a regression in 7.0.78 that broke WebDAV handling for resources with names that included a & character. (markt)
add If the Content-Language HTTP header is set directly, attempt to determine the Locale from the header value and call ServletResponse.setLocale() with the derived Locale. (markt)
fix 61232: When log rotation is disabled only one separator will be used when generating the log file name. For example if the prefix is catalina. and the suffix is .log then the log file name will be catalina.log instead of catalina..log. Patch provided by Katya Stoycheva. (violetagg)
fix 61253: Add warn message when Digester.updateAttributes throws an exception instead of ignoring it. (csutherl)
fix 61313: Make the read timeout configurable in the JNDIRealm and ensure that a read timeout will result in an attempt to fail over to the alternateURL. Based on patches by Peter Maloney and Felix Schumacher. (markt)
fix 61086: Ensure to explicitly signal an empty request body for HTTP 205 responses. Additional fix to r1795278. Based on a patch provided by Alexandr Saperov. (violetagg)
fix 61322: Correct two regressions caused by the fix for 60319 when using BIO with an external Executor. Firstly, use the maxThreads setting from the Executor as the default for maxConnections if none is specified. Secondly, use maxThreads from the Executor when calculating the point at which to disable keep-alive. (markt)
add Add additional logging to record problems that occur while waiting for the NIO pollers to stop during the Connector stop process. (markt)
fix Prevent exceptions being thrown during normal shutdown of NIO connections. This enables TLS connections to close cleanly. (markt)
add 53031: Add support for the fork option when compiling JSPs with the Jasper Ant task and javac. (markt)
add 57767: Add support to the WebSocket client for following redirects when attempting to establish a WebSocket connection. Patch provided by J Fernandez. (markt)
add 52791: Add the ability to set the defaults used by the Windows installer from a configuration file. Patch provided by Sandra Madden. (markt)
Tomcat 7.0.79 (violetagg)released 2017-07-01
fix 61101: CORS filter should set Vary header in response. Submitted by Rick Riemer. (remm)
add 61105: Add a new JULI FileHandler configuration for specifying the maximum number of days to keep the log files. (violetagg)
fix Improve the SSLValve so it is able to handle client certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. (markt)
fix 61154: Allow the Manager and Host Manager web applications to start by default when running under a security manager. This was accomplished by adding a custom permission,, that permits an application to use a META-INF/context.xml file and then granting that permission to the Manager and Host Manager. (markt)
fix 61173: Polish the javadoc for o.a.catalina.startup.Tomcat. Patch provided by peterhansson_se. (violetagg)
add A new configuration property crawlerIps is added to the o.a.catalina.valves.CrawlerSessionManagerValve. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address. Based on a patch provided by Tetradeus. (violetagg)
fix 61180: Log a warning message rather than an information message if it takes more than 100ms to initialised a SecureRandom instance for a web application to use to generate session identifiers. Patch provided by Piotr Chlebda. (markt)
fix 61185: When an asynchronous request is dispatched via AsyncContext.dispatch() ensure that getRequestURI() for the dispatched request matches that of the original request. (markt)
fix 61201: Ensure that the SCRIPT_NAME environment variable for CGI executables is populated in a consistent way regardless of how the CGI servlet is mapped to a request. (markt)
fix 61215: Correctly define addConnectorPort and invalidAuthenticationWhenDeny in the mbean-descriptors.xml file for the org.apache.catalina.valves package so that the attributes are accessible via JMX. (markt)
fix 61086: Explicitly signal an empty request body for HTTP 205 responses. (markt)
fix Revert a change introduced in the fix for bug 60718 that changed the status code recorded in the access log when the client dropped the connection from 200 to 500. (markt)
fix Make asynchronous error handling more robust. In particular ensure that onError() is called for any registered AsyncListeners after an I/O error on a non-container thread. (markt)
fix 44787: Improve error message when JSP compiler configuration options are not valid. (markt)
fix Correct the log message when a MessageHandler for PongMessage does not implement MessageHandler.Whole. (rjung)
fix Improve thread-safety of Futures used to report the result of sending WebSocket messages. (markt)
fix 61183: Correct a regression in the previous fix for 58624 that could trigger a deadlock depending on the locking strategy employed by the client code. (markt)
Web applications
fix Better document the meaning of the trimSpaces option for Jasper. (markt)
fix 61150: Configure the Manager and Host-Manager web applications to permit serialization and deserialization of CRSFPreventionFilter related session objects to avoid warning messages and/or stack traces on web application stop and/or start when running under a security manager. (markt)
add Add JMX support for Tribes components. (kfujino)
add 45832: Add HTTP DIGEST authentication support to the Catalina Ant tasks used to communicate with the Manager application. (markt)
fix 45879: Add the RELEASE-NOTES file to the root of the installation created by the Tomcat installer for Windows to make it easier for users to identify the installed Tomcat version. (markt)
fix 61076: Document the altDDName attribute for the Context element. (markt)
fix 61145: Add missing @Documented annotation to annotations in the annotations API. Patch provided by Katya Todorova. (markt)
fix 61146: Add missing lookup() method to @EJB annotation in the annotations API. Patch provided by Katya Todorova. (markt)
fix Correct typo in Context Container Configuration Reference. Patch provided by Katya Todorova. (violetagg)
Tomcat 7.0.78 (violetagg)released 2017-05-16
add Allow to exclude JUnit test classes using the build property test.exclude and document the property in BUILDING.txt. (rjung)
fix Review those places where Tomcat re-encodes a URI or URI component and ensure that the correct encoding (path differs from query string) is applied and that the encoding is applied consistently. (markt)
fix Use a more reliable mechanism for the DefaultServlet when determining if the current request is for custom error page or not. (markt)
fix Ensure that when the Default or WebDAV servlets process an error dispatch that the error resource is processed via the doGet() method irrespective of the method used for the original request that triggered the error. (markt)
fix If a static custom error page is specified that does not exist or cannot be read, ensure that the intended error status is returned rather than a 404. (markt)
fix When the WebDAV servlet is configured and an error dispatch is made to a custom error page located below WEB-INF, ensure that the target error page is displayed rather than a 404 response. (markt)
add 61047: Add MIME mapping for woff2 fonts in the default web.xml. Patch provided by Justin Williamson. (violetagg)
fix Correct the logic that selects the encoding to use to decode the query string in the SSIServletExternalResolver so that the useBodyEncodingForURI attribute of the Connector is correctly taken into account. (markt)
fix 61072: Respect the documentation statements that allow using the platform default secure random for session id generation. (remm)
fix Correct the javadoc for o.a.c.connector.CoyoteAdapter#parseSessionCookiesId. Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
fix 60925: Improve the handling of access to properties defined by interfaces when a BeanELResolver is used under a SecurityManager. (markt)
fix 61003: Ensure the flags for reading/writing in o.a.t.websocket.AsyncChannelWrapperSecure are correctly reset even if some exceptions occurred during processing. (markt/violetagg)
Web applications
add Document the property test.excludePerformance in BUILDING.txt. (rjung)
add Add documents for maxIdleTime attribute to Channel Receiver docs. (kfujino)
code Refactor the creating a constructor for a proxy class to reduce duplicate code. (kfujino)
fix In StatementFacade, the method call on the statements that have been closed throw SQLException rather than NullPointerException. (kfujino)
fix Correct comments about Java 8 in Jre8Compat. Patch provided by fibbers via Github. (violetagg)
fix 60932: Correctly escape single quotes when used in i18n messages. Based on a patch by Michael Osipov. (markt)
Tomcat 7.0.77 (violetagg)released 2017-04-02
add 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
fix 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
fix When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
fix 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
fix Improve sendfile handling when requests are pipelined. (markt)
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
fix 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
fix 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Tomcat 7.0.76 (markt)released 2017-03-16
code Make it easier for sub-classes of Tomcat to modify the default web.xml settings by over-riding getDefaultWebXmlListener(). Patch provided by Aaron Anderson. (markt)
fix Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
code 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
fix 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
fix 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
fix 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
fix 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
fix 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
fix Ensure request and response facades are used when firing application listeners. (markt/remm)
fix When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
fix Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
add 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
fix Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
add Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
fix 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
fix 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
fix Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
fix 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
fix 60620: Fix configuration of Eclipse projects, broken by introduction of SafeForkJoinWorkerThreadFactory helper class. This class cannot be built with Java 6. (kkolinko)
update Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
add 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
Tomcat 7.0.75 (violetagg)released 2017-01-24
add Make the accessTimeout configurable in BackupManager. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
fix Ensure the ASF logo image is correctly displayed in docs and host-manager applications. (violetagg)
Tomcat 7.0.74 (violetagg)not released
add 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP status codes recognised by Tomcat. (markt)
fix Correctly handle the configClass attribute of a Host when embedding Tomcat. (markt)
fix 60379: Dispose of the GSS credential once it is no longer required. Patch provided by Michael Osipov. (markt)
fix 60380: Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
fix 60387: Correct the javadoc for o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is different for the different implementations. (violetagg)
code 60393: Use consistent parameter naming in implementations of Realm#authenticate(GSSContext, boolean). (markt)
fix 60395: Log when an Authenticator passes an incomplete GSSContext to a Realm since it indicates a bug in the Authenticator. Patch provided by Michael Osipov. (markt)
update Update the warnings that reference required options for running on Java 9 to use the latest syntax for those options. (markt)
fix 60513: Fix thread safety issue with RMI cleanup code. (remm)
add 60620: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
fix Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as or ::. (markt)
fix Ensure sendfile is enabled by default for APR. (markt)
fix Prevent read time out when the file is deleted while serving the response. The issue was observed only with APR Connector and sendfile enabled. (violetagg)
fix Improve the logic that selects an address to use to unlock the Acceptor to take account of platforms what do not listen on all local addresses when configured with an address of or ::. (markt)
fix 60409: When unable to complete sendfile request, ensure the Processor will be added to the cache only once. (markt/violetagg)
add 44294: Add support for varargs in UEL expressions. (markt)
fix 60356: Fix pre-compilation of JSPs that depend on nested tag files packaged in a JAR. (markt)
fix 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue reported via (violetagg)
add In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic. (markt)
update Update the ASF logos to the new versions.
fix Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. (kfujino)
add Add log message that PING message has received beyond the timeout period. (kfujino)
fix When a PING message that beyond the time-out period has been received, make sure that valid member is added to the map membership. (kfujino)
fix 60437: Avoid possible handshake overflows in the websocket client. (remm)
add 58816: Implement the statistics of jdbc-pool. The stats infos are borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, releasedIdleCount and removeAbandonedCount. (kfujino)
fix 60194: If validationQuery is not specified, connection validation is done by calling the isValid() method. (kfujino)
fix 60398: Fix testcase of TestSlowQueryReport. (kfujino)
add Enable reset the statistics without restarting the pool. (kfujino)
fix 60366: Change catalina.bat to use directly LOGGING_MANAGER and LOGGING_CONFIG variables in order to configure logging, instead of modifying JAVA_OPTS. Patch provided by Petter Isberg. (violetagg)
add New property is added test.verbose in order to control whether the output of the tests is displayed on the console or not. Patch provided by Emmanuel Bourg. (violetagg)
update Update the ASF logos used in the Apache Tomcat installer for Windows to use the new versions.
fix Spelling corrections provided by Josh Soref. (violetagg)
Tomcat 7.0.73 (violetagg)released 2016-11-14
fix 60117: Ensure that the name of LogLevel is localized when usin