Changelog

in development Tomcat 11.0.0-M3 (markt)

General

  • Update: Increase the minimum supported Java version to Java 17. Note that Jakarta EE 11 permits a minimum Java version of 21. The minimum Java version for Tomcat 11 may be increased to Java 21 before the first stable release. (markt)

Catalina

  • Fix: Allow a Valve to access cookies from a request that cannot be mapped to a Context. (markt)
  • Add: Implement the new Servlet API methods for setting character encodings that accept Charset objects. (markt)
  • Update: The default HEAD response no longer includes some HTTP header fields where the value is determined only while generating the content as per section 9.3.2 of RFC 9110. (markt)
  • Fix: 66438: Correct names of Jakarta modules in JPMS metadata. (markt)
  • Update: Switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. (markt)
  • Fix: Switch to using LongAdder rather than AtomicInteger to track request count and error count for servlets. (markt)
  • Fix: Implement the clarification from the Jakarta Servlet project that Servlets mapped to the context root should be mapped for requests to the context root with or without the trailing /. (markt)
  • Fix: Implement the clarification from the Jakarta Servlet project that calling ServletOutputStream.close() on a stream in non-blocking mode returns immediately with the stream effectively closed and any data remaining to be written is written in the background by the container. (markt)
  • Fix: Avoid possible ISE when scanning from bad JAR URLs, to restore the previous behavior following the removal of Java 9+ reflection code which caught the ISE. (remm)
  • Fix: Refactor uses of String.replaceAll() to use String.replace() where regular expressions where not being used. Pull request #581 provided by Andrei Briukhov. (markt)

Coyote

  • Add: Log basic information for each configured TLS certificate when Tomcat starts. (markt)
  • Fix: 66442: When an HTTP/2 response must not include a body, ensure that the end of stream flag is set on the headers frame and that no data frame is sent. (markt)

Jasper

  • Fix: 66419: Fix calls from expression language to a method that accepts varargs when only one argument was passed. (markt)
  • Fix: 66441: Make imports of static fields in JSPs visible to any EL expressions used on the page. (markt)

Other

  • Update: Update BND to 6.4.0. (markt)
  • Update: Remove support for starting Tomcat under a SecurityManager. (markt)
  • Add: Improvements to Chinese translations. (lihan)
  • Add: Improvements to French translations. (remm)
  • Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
  • Add: Improvements to Korean translations. (woonsan)

not released Tomcat 11.0.0-M2 (markt)

Catalina

  • Add: Update the ServletInputStream and ServletOuputStream classes in the Servlet API to align with the recent updates in the Jakarta Servlet specification to support reading and writing with ByteBuffers. The changes also clarified various aspects of the Servlet non-blocking API. (markt)
  • Fix: 66388: Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path. (markt)
  • Fix: 66392: Change the default value of AccessLogValve's file encoding to UTF-8 and update documentation. (lihan)
  • Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation. (lihan)
  • Fix: Remove JAX-RPC support which was removed from the Jakarta EE platform for Jakarta EE 9. (markt)

Coyote

  • Fix: Update Cookie parsing and handling to treat the quotes in a quoted cookie value as part of the value as required by RFC 6265 and explicitly clarified in RFC 6265bis. (markt)
  • Add: Add an RFC 8941 structured field parser. (markt)
  • Add: Add a parser for the priority HTTP header field defined in RFC 9218. (markt)
  • Fix: When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
  • Fix: 66385: Correct a bug in HTTP/2 where a non-blocking read for a new frame with the NIO2 connector was incorrectly made using the read timeout leading to unexpected stream closure. (markt)

Jasper

  • Fix: 66370: Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance. (markt)
  • Add: Add support for specifying Java 21 (with the value 21) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

Other

  • Update: Update the packaged version of the Apache Tomcat Migration Tool for Jakarta EE to 1.0.6. (markt)
  • Update: Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, 6.7.1-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, 1.16-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to 34eb241 (2023-01-03, 2.0-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03, 2.10.0-SNAPSHOT). (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking. (markt)
  • Add: Improvements to Portuguese translations. Contributed by Guilherme Custódio. (markt)
  • Update: Update to the Eclipse JDT compiler 4.26. (markt)
  • Update: Update Checkstyle to 10.6.0. (markt)
  • Update: Update Unboundid to 6.0.7. (markt)
  • Update: Update SpotBugs to 4.7.3. (markt)

2022-12-05 Tomcat 11.0.0-M1 (markt)

General

  • Code: This release contains all of the changes up to and including those in Apache Tomcat 10.1.1 plus the additional changes listed below. (markt)

Catalina

  • Fix: 66175: Change the default character set used by the BasicAuthenticator from ISO-8859-1 to UTF-8. (markt)
  • Add: 66209: Add a configuration option to allow bloom filters used to index JAR files to be retained for the lifetime of the web application. Prior to this addition, the indexes were always flushed by the periodic calls to WebResourceRoot.gc(). As part of this addition, configuration of archive indexing moves from Context to WebResourceRoot. Based on a patch provided by Rahul Jaisimha. (markt)
  • Fix: 66330: Correct a regression introduced when fixing 62897 that meant any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context was ignored and the default was always used. (markt)
  • Fix: 66331: Fix a regression in refactoring for Stack on the SystemLogHandler which caught incorrect exception. (lihan)
  • Fix: 66338: Fix a regression that caused a nuance in refactoring for ErrorReportValve. (lihan)
  • Fix: Escape values used to construct output for the JsonErrorReportValve to ensure that it always outputs valid JSON. (markt)
  • Fix: Correct the default implementation of HttpServletRequest.isTrailerFieldsReady() to return true so it is consistent with the default implementation of HttpServletRequest.getTrailerFields() and with the Servlet API provided by the Jakarta EE project. (markt)
  • Fix: Refactor WebappLoader so it only has a runtime dependency on the migration tool for Jakarta EE if configured to use the converter as classes are loaded. (markt)
  • Fix: Improve the behavior of the credential handler attribute that is set in the Servlet context so that it actually reflects what is used during authentication. (remm)
  • Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
  • Add: Add support for the new attribute for error dispatches jakarta.servlet.error.query_string. (markt)
  • Update: Update ignoreAnnotation attribute on Context to dissociate it from metadata-complete. (remm)

Coyote

  • Fix: Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265. (markt)
  • Add: Include the name of the current stream state in the error message when a stream is cancelled due to an attempt to write to the stream when it is in a state that does not permit writes. (markt)
  • Code: NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL not to do so and remove checks for this return value. Based on #562 by tianshuang. (markt)
  • Code: Remove unnecessary code that exposed the asyncTimeout to components that never used it. (markt)
  • Fix: Ensure that all MessageBytes conversions to byte arrays are valid for the configured character set and throw an exception if not. (markt)
  • Fix: When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection. (markt)

Jasper

  • Fix: 66294: Make the use of a privileged block to obtain the thread context class loader added to address 62080 optional and disabled by default. This is now controlled by the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property. (markt)
  • Fix: 66317: Fix for Lambda coercion security manager missing privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
  • Fix: 66325: Fix concurrency issue in evaluation of expression language containing lambda expressions. (markt)
  • Add: Update the ErrorData class in the JSP API to align with the recent changes in the Jakarta Pages specification to support the new error dispatch attribute jakarta.servlet.error.query_string.

Web applications

  • Fix: 66348: Update the JARs listed in the class loader documentation and note which ones are optional. (markt)
  • Fix: Documentation. Replace references in the application developer's guide to CVS with more general references to a source code control system. (markt)

jdbc-pool

  • Fix: 66346: Ensure all JDBC pool JARs are reproducible. Pull request #566 provided by John Neffenger. (markt)

Other

  • Update: Update to Commons Daemon 1.3.3. (markt)
  • Fix: 66323: Move module start up parameters from JDK_JAVA_OPTIONS to JAVA_OPTS now that the minimum Java version is 11 and these options are always required. (markt)
  • Add: Improvements to Chinese translations. Contributed by DigitalCat and lihan. (markt)
  • Add: Improvements to French translations. Contributed by Mathieu Bouchard. (markt)
  • Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji. (markt)
  • Add: Improvements to Korean translations. (markt)
  • Add: Improvements to Spanish translations. (markt)
  • Fix: Correct a regression in the removal of the APR connector that broke Graal native image support. Pull request #564 provided by Sébastien Deleuze. (markt)
  • Update: Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
  • Update: Update the packaged version of the Apache Tomcat Migration Tool for Jakarta EE to 1.0.5. (markt)
  • Code: Refactor code base to replace use of URL constructors. While they are deprecated in Java 20 onwards, the reasons for deprecation are valid for all versions so move away from them now. (markt)
  • Code: Refine the Tomcat native image metadata to avoid including unintended non-Tomcat resources. Pull request #569 provided by Sébastien Deleuze. (markt)
  • Update: Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28, 6.7.0-RC1). (markt)
  • Update: Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29, 1.16-SNAPSHOT). (markt)
  • Update: Update the internal fork of Apache Commons FileUpload to aa8eff6 (2022-11-29, 2.0-SNAPSHOT). (markt)