The free web server Cherokee, now released in version 1.0, is said to be more flexible and faster than competitors such as Lighttpd, Nginx and Apache.
With the release of Cherokee 1.0 the Cherokee project wants to offer a real alternative to Apache, Lighttpd and Nginx. Among other things, the free web server supports FastCGI, SCGI, CGI, SSI, TLS and SSL, virtual hosts, authentication, on-the-fly encoding and Apache-compatible log files.
Benchmarks published by the developers are meant to show that Cherokee is faster than Apache, Lighttpd and Nginx and that it can handle more concurrent requests on the same hardware than its three competitors.
Cherokee is already part of most Linux distributions and also runs on Mac OS X, FreeBSD and Solaris. Wizards are meant to help configure the web server and set up, for example, Python, PHP, anti-hotlinking, phpMyAdmin, Joomla or audio and video streaming. Version 1.0 comes with a completely reworked administration interface that is intended to simplify common tasks. The entire configuration and management of the web server can be handled through this admin interface.
Cherokee 1.0 is licensed under the GPL v2 and can be downloaded now from cherokee-project.com.
Source: www.golem.de
The developers of the web server software Monkey http Daemon have fixed two critical vulnerabilities.
Version 0.10.3 fixes two security vulnerabilities rated as critical. They allow attackers to crash the daemon (DoS). Credit for discovering the vulnerabilities goes to Rodrigo Escobar of DcLabs Security Group.
Monkey http Daemon is a fast and lightweight web server for Linux. The software was created with the goal of being highly scalable while needing little memory and CPU power. Monkey http Daemon can be downloaded as source code from the download area of the project site (http://www.monkey-project.com/downloads).
Source: www.tecchannel.de
The Apache Tomcat team has announced the immediate availability of version 6.0.32.
According to the developers' announcement, Apache Tomcat 6.0.32 is mainly a maintenance release that fixes security vulnerabilities and bugs. The publishers advise all users of older versions to upgrade.
Further details can be found in the official changelog (http://tomcat.apache.org/tomcat-6.0-doc/changelog.html). The latest version can be downloaded from the download area (http://tomcat.apache.org/download-60.cgi) of the project site. Those considering an upgrade from Tomcat 5.5 will find a migration guide here (http://tomcat.apache.org/migration.html).
Source: www.tecchannel.de
Exactly on the 17th birthday of the web server that laid the foundation of the organization, the Apache Software Foundation has released version 2.4 with numerous new features.
Apache dates back to the early days of the web, when there were few clients and even fewer servers. It was created in 1995 as a fork of the NCSA httpd web server, which was developed at the National Center for Supercomputing Applications (NCSA) in the USA. When development stalled after the original developer Rob McCool left the NCSA, a community of developers formed who collaborated online to improve the software. The first members of this community, which called itself the "Apache Group", were Brian Behlendorf, Roy Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert Thau and Andrew Wilson. Out of it the Apache Software Foundation (ASF) was formed in March 1999; it looks after the development of Apache and a number of other projects. The non-profit organization's further tasks include the legal protection of all projects and contributors, protection of the "Apache" trademark and maintenance of the now widely used Apache License.
Just two years ago the number of websites served by Apache was estimated at 112 million. According to the ASF it is now almost 400 million. Most of them are probably served by Apache 2.2, which was released more than six years ago. The maturity of the server makes for relatively long development cycles; Apache 2.4 was essentially finished almost a year ago.
Apache 2.4 (https://blogs.apache.org/foundation/entry/the_apache_software_foundation_celebrates) offers higher performance than Apache 2.2, as the developers have reduced memory and resource consumption while increasing concurrency. Input and output can also be performed asynchronously. Further new features include dynamic configuration of reverse proxies, finer granularity when setting timeouts and resource limits, and better adaptability of the caches to high loads or proxy duties. The extensible server has also been supplemented with a large number of modules, among them enhanced proxy modules, a session module, a Lua module, a bandwidth limiting module and various filter modules. A list of all new features is available in an overview (https://httpd.apache.org/docs/2.4/new_features_2_4.html). The website httpd.apache.org offers downloads as well as comprehensive documentation.
Source: www.pro-linux.de/
Apache Deltacloud, a top-level project of the Apache Software Foundation, has been released in version 1.0. Apache Deltacloud makes it possible to address Infrastructure-as-a-Service (IaaS) clouds from different vendors through a uniform API.
The Deltacloud project was started by Red Hat in September 2009 and handed over to the Apache Software Foundation in 2011. The software, written in Ruby, has since been freely available under the Apache 2 license. The accompanying installation guide explains how to get the new version 1.0 up and running.
Deltacloud supports a large number of cloud providers and cloud infrastructure solutions (stacks): besides Amazon EC2, IBM SBC, VMware vSphere, Rackspace and Red Hat's RHEV-M, also well-known open source solutions such as Eucalyptus, OpenNebula and OpenStack. Chief among the new features is the EC2 frontend, which exposes the API of Amazon's Elastic Compute Cloud. This makes it possible to port applications written for EC2 to another cloud infrastructure with little effort.
Apache Deltacloud itself provides three different APIs through which all relevant cloud backends can be addressed. Besides Deltacloud's own REST API there is a frontend for the Cloud Infrastructure Management Interface developed by the Distributed Management Task Force, as well as the EC2-compatible API mentioned above.
Source: www.pro-linux.de
The Do Not Track header of Internet Explorer 10 is completely ignored by a patch to the Apache web server. Programmer Roy T. Fielding decided to change the source code because Microsoft's preconfiguration of the DNT value violates the new open standard. On the net, however, the patch is causing serious debate.
The "Do Not Track" header (DNT) is intended to give Internet users the option of going about their activities on the net without being tracked by site owners. Marketing departments in particular like to store individual behavioral patterns of their visitors in order to display individually targeted advertising. Since not every Internet user is happy with this practice, current browsers can optionally send a DNT header with the value 1. This expresses to every website the wish not to be "tracked".
A prerequisite for this principle to succeed is, of course, that the respective site operators also adhere to the open standard. Critics, however, believe that Microsoft is hindering this process with its new Internet Explorer 10, because the program already sets the DNT value to 1 in its default configuration. This contradicts the rule that the Do Not Track header may only be sent at the explicit request of the user. Experts suspect that marketing managers will simply ignore DNT if the majority of Internet users send it anyway.
For this reason Adobe employee Roy T. Fielding took the initiative and published a patch for the free Apache web server. It is meant to completely ignore the DNT value of any Internet Explorer. This also leaves out users of the browser who explicitly want more privacy.
In the comments on the GitHub platform alone, numerous users are now voicing harsh criticism of the published patch. Among other things, Fielding, who also works at the W3C, is accused of abusing his power to enforce his own preferences. Legal problems are also conceivable: after all, users who have actually set DNT to 1 deliberately in Internet Explorer could complain. Furthermore, the third rule of the DNT standard, which the programmer invokes, has only been fixed since September 7. So far it is moreover only an unofficial "Editor's Draft", which also calls Fielding's actions into question.
Microsoft has not yet commented on the latest developments in the dispute. Since the American corporation was originally even praised by the EU Commission for its behavior, the dispute could well escalate further.
Source: www.gulli.com
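To make the article's point concrete, here is an added example (not code from the article or from the Apache project) that models the two server-side readings of the DNT header: the standard one, and one that discards DNT whenever the User-Agent looks like IE10, as the patch is described to do. The requests are constructed sample data, and recognising IE10 by the substring "MSIE 10.0" is an assumption of this example, not the patch's actual matching rule.

```python
from typing import Dict, List, Optional

# Constructed sample requests (not real traffic); header names as sent by clients.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    # IE10 in its default configuration: DNT:1 without any user decision
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "1"},
    # IE10 user who deliberately wants DNT on: indistinguishable on the wire
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "1"},
    # Firefox user who enabled DNT
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1", "DNT": "1"},
    # Browser expressing consent to tracking
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 Chrome/21.0", "DNT": "0"},
    # No DNT header at all
    {"User-Agent": "curl/7.26.0"},
    # Malformed value: neither 1 nor 0, so no preference is expressed
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "yes"},
]

# Assumption of this example: IE10 is recognised by this User-Agent fragment.
IE10_MARKER = "MSIE 10.0"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def dnt_preference(headers: Dict[str, str]) -> str:
    """Standard reading: '1' = opt out of tracking, '0' = consent, anything else = no preference."""
    value = _header(headers, "DNT")
    if value == "1":
        return "opt-out"
    if value == "0":
        return "consent"
    return "none"


def dnt_preference_ie10_ignored(headers: Dict[str, str]) -> str:
    """Model of the patch's approach: a DNT header from IE10 is treated as if it were absent."""
    user_agent = _header(headers, "User-Agent") or ""
    if IE10_MARKER in user_agent:
        return "none"
    return dnt_preference(headers)


def collateral_summary(requests: List[Dict[str, str]]) -> Dict[str, int]:
    """Count how many explicit opt-outs the User-Agent based rule discards.

    This is the article's objection in numbers: the rule cannot tell a default
    IE10 header from one a user set deliberately, so both are dropped.
    """
    received = sum(1 for r in requests if dnt_preference(r) == "opt-out")
    honored = sum(1 for r in requests if dnt_preference_ie10_ignored(r) == "opt-out")
    return {
        "opt_outs_received": received,
        "opt_outs_honored_with_patch": honored,
        "opt_outs_discarded": received - honored,
    }


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(dnt_preference(request), "->", dnt_preference_ie10_ignored(request))
    print(collateral_summary(SAMPLE_REQUESTS))
```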
Changelog
Catalina:
Add: 49785: Enable StartTLS connections for JNDIRealm.
Fix: When docBase refers to an internal WAR and unpackWARs is set to false, avoid registering an invalid redeploy resource whose name has the ".war" extension added twice.
Fix: If WAR exists, it is not necessary to trigger a reload when adding a Directory.
Fix: 55988: Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8.
Fix: 56608: When deploying an external WAR, add watched resources in the expanded directory based on whether the expanded directory is expected to exist rather than if it does exist.
Fix: When triggering a reload due to a modified watched resource, ensure that multiple changed watched resources only trigger one reload rather than a series of reloads.
Fix: 57601: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by the Default servlet.
Fix: 57602: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by a servlet that extends HttpServlet.
Fix: 57621: When an async request completes, ensure that any remaining request body data is swallowed.
Fix: 57637: Do not create unnecessary sessions when using PersistentValve.
Fix: 57645: Correct a regression in the fix for 57190 that incorrectly required the path passed to ServletContext.getContext(String) to be an exact match to a path to an existing context.
Fix: Make sure that unpackWAR attribute of Context is handled correctly in HostConfig.
Fix: When deploying a WAR file that contains a context.xml file and unpackWARs is false ignore any context.xml file that may exist in an expanded directory associated with the WAR.
Fix: 57675: Correctly quote strings when using the extended access log.
Add: Enable Tomcat to detect when a WAR file has been changed while Tomcat is not running. Tomcat does this by adding a META-INF/war-tracking file to the expanded directory and setting the last modified time of this file to the last modified time of the WAR. If Tomcat detects a modified WAR via this mechanism the web application will be redeployed (i.e. the expanded directory will be removed and the modified WAR expanded in its place).
Fix: 57704: Fix potential NPEs during web application start/stop when org.apache.tomcat.InstanceManager is not initialized.
Add: Use the simplified digest output for digest.bat|sh when generating digests with no salt and a single iteration to make it easier to use with DIGEST authentication.
Fix: Add support for LAST_ACCESS_AT_START system property to SingleSignOn.
Code: Refactor Authenticator implementations to reduce code duplication.
Fix: 57724: Handle the case in the CORS filter where a user agent includes an origin header for a non-CORS request.
Fix: When searching for SCIs o.a.catalina.Context.getParentClassLoader will be used instead of java.lang.ClassLoader.getParent. Thus one can provide the correct parent class loader when running embedded Tomcat in other environments such as OSGi.
Fix: 57743: Fix a locked file / resource leak issue when a JAR is accessed just before or during web application undeploy.
Coyote:
Add: 57540: Make TLS/SSL protocol available in a new request attribute (org.apache.tomcat.util.net.secure_protocol_version). (Note that AJP connectors will require mod_jk 1.2.41 or later, or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy to send the AJP_SSL_PROTOCOL request attribute to Tomcat.)
Fix: Fix a cipher ordering issue when using the OpenSSL syntax for JSSE cipher configuration to ensure that ephemeral ECDH with AES is preferred to ephemeral ECDH with anything else.
Fix: 57570: Make the processing of trailer headers with chunked input optional and disabled by default.
Fix: 57592: Correctly handle the case where an AsyncContext is used for non-blocking I/O and is completed during a write operation.
Fix: 57638: Avoid an IllegalArgumentException when an AJP request body chunk larger than the socket read buffer is being read. This typically requires a larger than default AJP packetSize.
Fix: 57674: Avoid a BufferOverflowException when an AJP response body chunk larger than the socket write buffer is being written. This typically requires a larger than default AJP packetSize.
Update: Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 branch.
Fix: Numerous fixes to the APR/native connector to improve robustness.
Fix: Stop caching and re-using SocketWrapper instances. With the introduction of upgrade and non-blocking I/O, I/O can occur on non-container threads. This makes it nearly impossible to track whether a SocketWrapper is still being referenced or not, making re-use a risky proposition.
Code: Refactor Connector authentication (only used by AJP) into a separate method.
Add: 57708: Implement a new feature for AJP connectors - Tomcat Authorization. If the new tomcatAuthorization attribute is set to true (it is disabled by default) Tomcat will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user.
Fix: Fix an issue that meant that any pipelined data read by Tomcat before an asynchronous request completed was lost during the completion of the asynchronous request. This meant that the pipelined request(s) would be lost and/or corrupted.
Update: Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33.
Jasper:
Fix: 57135: Package imports via javax.el.ImportHandler should only import public, concrete classes.
Fix: 57583: Cache 'Not Found' results in javax.el.ImportHandler.resolveClass() to save repeated attempts to load classes that are known not to exist to improve performance.
Fix: 57626: Correct a regression introduced in the 8.0.16 fix for ensuring Jars were closed after use, that broke recompilation of modified JSPs that depended on a tag file packaged in a Jar.
Fix: 57627: Correctly determine last modified times for dependencies when a tag file packaged in a JAR depends on a tag file packaged in a second JAR.
Fix: 57647: Ensure INFO message is logged when scanning jars for TLDs if the scan does not find a TLD in any jar. Previously a message would only be logged if a TLD was not found in all scanned jars.
Update: 57662: Update all references to the ECJ compiler to version 4.4.2.
Cluster:
Fix: Remove unnecessary method that always returns true. The domain filtering works on DomainFilterInterceptor.
WebSocket:
Fix: Correct a bug in the permessage-deflate implementation that meant that the incorrect op-codes were used if an uncompressed message was converted into more than one compressed message.
Add: 57676: List conflicting WebSocket endpoint classes when there is a path conflict.
Web applications:
Fix: 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is entered in the access log when Tomcat is running behind a reverse proxy.
Fix: 57587: Update the JNDI Datasource HOWTO for DBCP2. Patch provided by Phil Steitz.
Fix: Remove incorrect note from context configuration page in the documentation web application that stated WAR files located outside the appBase were never unpacked.
Fix: 57683: Ensure that if a client aborts their connection to the stock ticker example (the only way a client can disconnect), the example continues to work for existing and new clients.
Fix: Make it clear that when using digested passwords with DIGEST authentication that no salt and only a single iteration must be used when generating the digest.
Update: Update examples to use Apache Standard Taglib 1.2.5.
Extras:
Fix: 57377: Remove the restriction that prevented the use of SSL when specifying a bind address with the JMXRemoteLifecycleListener. Also enable SSL to be configured for the registry as well as the server.
Tribes:
Fix: When a map member has been added to ReplicatedMap, make sure to add it to the backup nodes list of all other members.
Fix: Make sure that messages from a different domain are refused in DomainFilterInterceptor.
Other:
Update: Update optional Checkstyle library to 6.4.1.
Fix: 57703: Update the http-method definition for web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6.
Update: Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
http://httpd.apache.org/
Changelog
Catalina:
Fix: 57736: Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted. (markt)
Fix: 57752: Exclude non-cached resources from the Cache statistics for resource lookups. Patch provided by Adam Mlodzinski. (markt)
Add: Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
Fix: 57556: Refine the previous fix for this issue so that the real path returned only has a trailing separator if the requested path ended with /. (markt)
Fix: 57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
Fix: Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
Fix: Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
Fix: 57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
Fix: Fix wrong logger name of org.apache.catalina.webresources.StandardRoot. (kfujino)
Fix: 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
Fix: 57841: Improve error logging during web application start.
Fix: 57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect().
Fix: 57863: Fix the RewriteMap support in RewriteValve that did not use the correct key value to look up entries.
Coyote:
Fix: 57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API.
Code: Remove the experimental support for SPDY. No current user agent supports the version of SPDY that the experiment targeted. Note: HTTP/2 support is under development for Tomcat 9 and may be back-ported to Tomcat 8 once complete.
Fix: Possible incomplete writes with SSL NIO2.
Fix: Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO differences between NIO and NIO2 that don't seem to be justified.
Fix: After some errors, the pending flags could remain set when using SSL NIO2.
Fix: 57833: When using JKS based keystores for NIO or NIO2, ensure that the key alias is always converted to lower case since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M.
Fix: 57837: Add text/css to the default list of compressible MIME types.
Jasper:
Fix: 57845: Ensure that, if the same JSP is accessed directly and via a declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed.
Fix: 57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message.
Cluster:
Fix: Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes.
Add: Add a new attribute that sends all actions for a session across Tomcat cluster nodes.
Fix: Remove unused pathname attribute in mbean definition of BackupManager.
WebSocket:
Fix: 57761: Ensure that the opening HTTP request is correctly formatted when the WebSocket client connects to a server root.
Fix: 57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped.
Fix: 57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message.
Fix: Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste.
Fix: 57788: Avoid NPE when looking up a class hierarchy without finding anything.
Web applications:
Add: 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent.
Fix: 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura.
Tribes:
Fix: Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processed at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry.
Other:
Fix: Add missing pom for tomcat-storeconfig.
Update: Update optional Checkstyle library to 6.5.
Fix: 57707: Improve error message when trying to run a release build on a non-Windows platform and Wine is not available.
http://httpd.apache.org/
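The META-INF/war-tracking mechanism in the first changelog and the modification-time rules in this one (a change rather than an increase counts, a file touched within the last second is re-read, a timestamp in the future is treated as unmodified) describe one deployment check; the following added example, which is not Tomcat's code, models that check in Python. The file name comes from the changelog; the exact comparison Tomcat performs is not shown there, so resource_changed is this example's reading of the described behaviour, and the WAR used is a constructed placeholder file, not a real archive.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Dict

# File name taken from the changelog entry; it lives inside the expanded directory.
TRACKING_FILE = Path("META-INF") / "war-tracking"


def _mtime_seconds(path: Path) -> int:
    """Whole seconds, mirroring the one-second resolution of File.lastModified()."""
    return int(path.stat().st_mtime)


def write_war_tracking(expanded_dir: Path, war_path: Path) -> Path:
    """Record the WAR's modification time on META-INF/war-tracking when expanding it."""
    tracking = expanded_dir / TRACKING_FILE
    tracking.parent.mkdir(parents=True, exist_ok=True)
    tracking.touch()
    war_mtime = _mtime_seconds(war_path)
    os.utime(tracking, (war_mtime, war_mtime))
    return tracking


def war_changed_while_stopped(expanded_dir: Path, war_path: Path) -> bool:
    """True when the WAR no longer matches the tracking file, so the expanded
    directory is stale and must be removed and the WAR expanded again."""
    tracking = expanded_dir / TRACKING_FILE
    if not tracking.exists():
        return True  # no record at all: the expansion cannot be proven current
    # Any difference counts, not only a newer WAR: a rollback to an older
    # build also changes the timestamp and must trigger a redeploy.
    return _mtime_seconds(tracking) != _mtime_seconds(war_path)


def resource_changed(recorded_mtime: int, current_mtime: int, now: float) -> bool:
    """Modification check modelled on the changelog's description (this example's reading).

    - a timestamp in the future is treated as unmodified (the described side effect);
    - any change in the timestamp counts, an increase is not required;
    - a file modified within the last second is treated as changed, because the
      one-second resolution cannot rule out a later write in the same second.
    """
    if current_mtime > now:
        return False
    if current_mtime != recorded_mtime:
        return True
    return now - current_mtime < 1.0


def demo() -> Dict[str, bool]:
    """Expand a placeholder WAR, then replace it with an *older* build while 'stopped'."""
    with tempfile.TemporaryDirectory() as tmp:
        tmpdir = Path(tmp)
        war = tmpdir / "app.war"
        expanded = tmpdir / "app"
        war.write_bytes(b"constructed placeholder, not a real archive")
        # Deterministic old timestamp so the within-one-second rule does not apply.
        old = int(time.time()) - 3600
        os.utime(war, (old, old))
        write_war_tracking(expanded, war)
        fresh = war_changed_while_stopped(expanded, war)
        # Simulated rollback while the server is down: mtime goes back one hour.
        older = old - 3600
        os.utime(war, (older, older))
        after_rollback = war_changed_while_stopped(expanded, war)
        return {"fresh": fresh, "after_rollback": after_rollback}


if __name__ == "__main__":
    print(demo())
```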
Changelog
http: Fix LimitRequestBody checks when there are no more bytes to read. [Michael Kaufmann]
mod_alias: Revert expression parser support for Alias, ScriptAlias and Redirect due to a regression (introduced in 2.4.13, not released).
mod_reqtimeout: Don't let pipelining checks and keep-alive times interfere with the timeouts computed for subsequent requests. PR 56729. [Eric Covener, Yann Ylavic]
core: Avoid a possible truncation of the faulty header included in the HTML response when LimitRequestFieldSize is reached. [Yann Ylavic]
mod_ldap: In some cases, LDAP_NO_SUCH_ATTRIBUTE could be returned instead of an error during a compare operation. [Eric Covener]
https://httpd.apache.org/
Changelog
Add: 58255: Document the Semaphore valve.
8.0.25:
Catalina:
Fix: Make the WAR manifest file available for WebResource instances from an unpacked WAR in the same way the manifest is available if the WAR is not unpacked. (markt)
Fix: Ensure that only /WEB-INF/classes/ and /WEB-INF/lib/ are excluded from the web resource caching. (Resources loaded from these locations are cached by the web application class loader.) (markt)
Add: 57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt)
Fix: 58031: Make the (first) reason why parameter parsing failed available as a request attribute and then use it to provide a better status code via the FailedRequestFilter (if configured). (markt)
Fix: 58086: Correct a regression in the fix for 58086 that incorrectly handled WAR URLs. (violetagg)
Fix: 58096: Classes loaded from /WEB-INF/classes/ should use that directory as their code base. (markt)
Fix: Fix possible resource leaks by closing streams properly. Issues reported by Coverity Scan. (violetagg)
Fix: 58116: Fix regression in the fix for 57281 that broke Comet support when running under a security manager. Based on a patch provided by Johno Crawford. (markt)
Fix: 58125: Avoid a possible ClassCircularityError when running under a security manager. (markt)
Fix: 58179: Fix a thread safety issue that could mean concurrent threads setting the same attribute on a ServletContext could both see null as the old value. (markt)
Fix: Allow web archives bigger than 2G to be deployed using ANT tasks. (violetagg)
Fix: 58192: Correct a regression in the previous fix for 58023. Ensure that classes are associated with their manifest even if the class file is first read (and cached) without the manifest. (markt)
Fix: Fix thread safety issue in the AsyncContext implementation that meant a sequence of start();dispatch(); calls using non-container threads could result in a previous dispatch interfering with a subsequent start. (markt)
Fix: 58228: Make behaviour of ServletContext.getResource() and ServletContext.getResourceAsStream() consistent with each other and the expected behaviour of the GET_RESOURCE_REQUIRE_SLASH system property. (markt)
Fix: 58230: Fix input stream corruption if non-blocking I/O is used and the first read is made immediately after the switch to async mode rather than in response to onDataAvailable() and that read does not read all the available data. (markt)
Fix: Ensure that log4javascript*.jar was not excluded from the standard JAR scanning by default. (markt)
Coyote:
Fix: 57943: Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. (markt)
Fix: Add text/javascript,application/javascript to the default list of compressible MIME types. (violetagg)
Fix: 58103: When pipelining requests, and the previous request was an async request, ensure that the socket is removed from the waiting requests so that the async timeout thread doesn't process it during the next request. (markt)
Fix: 58151: Correctly handle EOF in the AJP APR/native connector to prevent the connector entering a loop and generate excessive CPU load. (markt)
Fix: In the AJP and HTTP NIO connectors, ensure that the socket timeout is correctly set before adding the socket back to the poller for read. (markt)
Fix: 58157: Ensure that the handling of async timeouts does not result in an unnecessary dispatch to a container thread that could result in the current socket being added to the Poller multiple times with multiple attempts to process the same event for the same socket. (markt)
Fix: Correct a couple of edge cases in RequestUtil.normalize(). (markt)
Jasper:
Fix: 58110: Like scriptlet sections, declaration sections of JSP pages have a one-to-one mapping of lines to the generated .java file. Use this information to provide more accurate error messages if a compilation error occurs in a declaration section. (markt)
Fix: 58119: When tags are compiled they must be placed in the org/apache/jsp/tag/web directory. Correct a regression in the fix for 52725. (violetagg)
Fix: Fix a resource leak in JspC identified by Eclipse. (markt)
Fix: 58178: Expressions in a tag file should use the tag file's PageContext rather than that of the containing page. (markt)
Fix: Following on from the fix for 58178, expressions in a tag file should use the tag file's imports rather than those of the containing page. (markt)
WebSocket:
Fix: 58166: Allow applications to send close codes in the range 3000-4999 inclusive. (markt)
Fix: 58232: Avoid possible NPE when adding endpoints programmatically to the javax.websocket.server.ServerContainer. Based on a patch provided by bastian. (violetagg)
Web applications:
Fix: Correct the incorrect documentation of QueryTimeoutInterceptor. The setting value is not in milliseconds but in seconds. (kfujino)
Fix: 58112: Update the documentation for using the Catalina tasks in an Apache Ant build file. (markt)
Fix: Improve the Javadoc for some of the APR socket read functions that have inconsistent behaviour for return values. (markt)
jdbc-pool:
Fix: 58042: The default value of logFailed attribute of SlowQueryReport is changed to false so that the failed queries are not logged by default. (kfujino)
Fix: Fix potential NPE in QueryTimeoutInterceptor. (kfujino)
Fix: Add support for stopping the pool cleaner via JMX. (kfujino)
Fix: The fairness attribute and ignoreExceptionOnPreLoad attribute do not allow a change via JMX. (kfujino)
Fix: If the timeBetweenEvictionRunsMillis attribute is changed via jmx, it should restart the pool cleaner because this attribute affects the execution interval of the pool cleaner. (kfujino)
Fix: Eliminate the dependence on maxActive of busy queues and idle queue in order to enable the expansion of the pool size via JMX. (kfujino)
Other:
Update: Update optional Checkstyle library to 6.8.1. (kkolinko)
Fix: Update sample Eclipse IDE configuration to exclude test/webapp* and similar paths from compiler sourcepath. (kkolinko)
Update: Update package renamed Apache Commons Pool to Commons Pool 2.4.2. (markt)
Update: Update package renamed Apache Commons DBCP to Commons DBCP 2.1.1. (markt)
Add: Support the use of the threads attribute on Ant's junit task. Note that using this with a value greater than one will disable Cobertura code coverage. (markt)
http://httpd.apache.org/
Changelog
Fix: 58187: Correct a regression in the fix for 57765 that meant that deployment of web applications deployed via the Manager application was delayed until the next execution of the automatic deployment background process. (markt)
Fix: 58284: Correctly implement session serialization so non-serializable attributes are skipped with a warning. Patch provided by Andrew Shore. (markt)
Fix: 58313: Fix concurrent access of encoders map when clearing encoders prior to switch to async. (markt)
Fix: 58320: Fix concurrent access of request attributes which is possible during asynchronous processing. (markt)
Fix: 58352: Always trigger a thread dump if Tomcat fails to stop gracefully from catalina.sh even if using -force. Patch provided by Alexandre Garnier. (markt)
Fix: 58368: Fix a rare data race in the code that obtains the ApplicationFilterFactory instance. (markt)
Fix: 58369: Fix a rare data race in the code that obtains the CookieProcessor for a StandardContext instance. (markt)
Fix: Ensure the JAASRealm uses the configured CredentialHandler. (markt)
Fix: 58372: Fix rare data races closed and suspended flags that could be triggered by async and/or comet processing. (markt)
Fix: 58373: Fix rare data race with the application event listeners for StandardContext. (markt)
Fix: 58374: Fix a rare data race in the AsyncContext implementation for access to the internal Tomcat request object to which it holds a reference. (markt)
Fix: 58380: Fix two rare data races in the standard session implementation on the flag that tracks if the session is new and on the field that tracks the maximum inactive period. (markt)
Fix: 58385: Fix a rare data race in the internal flag Tomcat uses to keep track of whether or not a request is being used for Comet processing. (markt)
Fix: 58394: Fix a rare data race in Mapper when adding or removing a host. (markt)
Fix: 58398: Fix a rare data race in LifecycleSupport. (markt)
Fix: 58412: Ensure that the AsyncFileHandler has the source class and method name available for logging. (fschumacher)
Fix: 58416: Correctly detect when a forced stop fails to stop Tomcat because the Tomcat process is waiting on some system call or is uninterruptible. (markt)
Fix: 58436: Fix some rare data races in JULI's ClassLoaderLogManager during shutdown. (markt)
Fix: 58845: Fix off-by one error in calculation of valid characters in a cookie domain. Patch provided by Thorsten Ehlers. (markt)
Coyote:
Fix: Correct some edge cases in RequestUtil.normalize(). (markt)
Fix: 58275: The IBM JREs accept cipher suite names starting with TLS_ or SSL_ but when listing the supported cipher suites only the SSL_ version is reported. This can break Tomcat's check that at least one requested cipher suite is supported. Tomcat now includes a work-around so either form of the cipher suite name can be used when running on an IBM JRE. (markt)
Fix: 58357: For reasons not currently understood, when the APR/native connector is used with OpenSSL, reads can return an error code when there is no apparent error. This was worked around for HTTP upgrade connections by treating this as EAGAIN. The same fix has now been applied to the standard HTTP connector. (markt)
Code: Minor clean-up in NIO2 SSL handshake code to address some theoretical concurrency issues. (markt)
Fix: 58367: Fix a rare data race in the code that obtains the reason phrase for a given HTTP response code. (markt)
Fix: 58370: Fix a rare data race in the connector shutdown code. (markt)
Fix: 58371: Fix a rare data race when accessing request URI in String form when switching from non-async to async due to early triggering of the gathering of request statistics. (markt)
Fix: 58375: Fix a rare data race on the internal flag Tomcat uses to mark a response as committed. (markt)
Fix: 58377: Fix a rare data race on the internal flag Tomcat uses to mark a request as using HTTP keep-alive when switching to asynchronous processing. (markt)
Fix: 58379: Fix a rare data race on the internal reference Tomcat retains to the socket when switching to asynchronous processing. (markt)
Fix: 58387: Fix a rare data race when closing Comet connections. (markt)
Fix: 58388: Fix a data race when determining if Comet processing is occurring on a container or non-container thread. (markt)
Fix: 58389: Fix a rare data race while shutting down the thread pools on Connector stop. (markt)
Code: Clean up use of error flag on socket wrapper prompted by 58390. (markt)
Code: Remove some unnecessary code from the NIO Poller and fix 58396 as a side-effect. (markt)
Fix: 57799: Remove useless sendfile check for NIO SSL. (remm)
Jasper:
Fix: 57136: Correct a regression in the previous fix for this issue. \${ should only be an escape for ${ within an EL expression. Within a JSP page \$ should be an escape for $. The EL specification applies when parsing the expression delimited by ${ and }. Parsing of the delimiting ${ and } is the responsibility of the JSP specification. (markt)
Fix: 58296: Fix a memory leak in the JSP unloading feature that meant that using a value other than -1 for maxLoadedJsps triggered a memory leak once the limit was reached. (markt)
Fix: 58327: Cache the expression string for value expression literals since it is frequently used and may be expensive to evaluate. Patch provided by Andreas Kohn. (markt)
Fix: 58340: Improve error reporting for tag files packaged in JARs. (markt)
Fix: 58424: When parsing TLD files, allow whitespace around boolean configuration values. (schultz)
Fix: Fix a possible resource leak reported by coverity scan. (fschumacher)
Fix: 58427: Enforce the JSP specification defined limitations of which elements are allowed in an implicit.tld file. (markt)
Fix: 58444: Ensure that JSPs work with any custom base class that meets the requirements defined in the JSP specification without requiring that base class to implement Tomcat specific code. (markt)
Cluster:
Fix: Fix the default clusterListeners in SimpleTcpCluster. The optimal default value is different for each session manager. ClusterSessionListener is never used in BackupManager. (kfujino)
Fix: Correct log messages in case of using BackupManager. (kfujino)
WebSocket:
Fix: 58342: Fix a copy and paste error that meant MessageHandler removal could fail for binary and pong MessageHandlers. Patch provided by DJ. (markt)
Fix: Data races detected by RV-Predict, mostly caused by completion handlers running in separate threads. (markt)
Fix: 58414: Correctly handle sending zero length messages when using per message deflate. (markt)
Web applications:
Fix: Correct documentation for cluster-howto. (kfujino)
Fix: Add missing documentation for property alwaysAddExpires for the LegacyCookieProcessor. (markt)
Tribes:
Add: Add support for configurations of ChannelListener and MembershipListener in server.xml. (kfujino)
Fix: Correct log messages in case of using ReplicatedMap. (kfujino)
Fix: 58381: Fix a rare data race in the NioReceiver. (markt)
Fix: 58382: Fix multiple rare data races in the default membership implementation. (markt)
Fix: 58383: Fix a data race in SenderState. (markt)
Fix: 58386: Fix a data race in ObjectReader. (markt)
Fix: 58391: Fix multiple data races in NonBlockingCoordinator, most of which were associated with ensuring that log messages contained the correct information. (markt)
Fix: 58392: Fix a data race in DomainFilterInterceptor. (markt)
Fix: 58393: Fix a data race on the listener in McastService. (markt)
Fix: 58395: Fix multiple data races in MemberImpl that were likely to cause issues if certain properties were updated concurrently (such updates are unlikely in normal usage). (markt)
Code: Remove some unnecessary code from PooledParallelSender and fix 58397. (markt)
jdbc-pool:
Fix: Make sure the pool has been properly configured when attributes that relate to the pool size are changed via JMX. (kfujino)
Other:
Fix: Ensure logging works for all tests in a class rather than just the first one executed. (markt)
Add: 58344: Add build properties to enable tests to be executed against alternative binaries. Based on a patch by Petr Sumbera. (markt)
http://httpd.apache.org/
Changelog
Catalina
Add: Add support for the custom classpath protocol in URLs. It can be used anywhere Tomcat accepts a URL for a configuration parameter. (markt)
Fix: 56777: Allow file based configuration resources (user database, certificate revocation lists, keystores and trust stores) to be configured using URLs as well as files. (markt)
Fix: Perform null-checking on input and stored credentials in all Realms before passing credentials off to CredentialHandlers for matching. (schultz)
Coyote
Update: Add the new ciphers from RFC6655 and RFC7251 to the OpenSSL to JSSE cipher mapping. (markt)
Update: Remove DES, RC2 and RC4 from DEFAULT for the OpenSSL to JSSE cipher mapping to align with the OpenSSL development branch. (markt)
Jasper
Fix: Improve the error message when JSP parser encounters an error parsing an attribute value. (markt)
Web applications
Update: 58474: Provide a reference to the differences between CATALINA_HOME and CATALINA_BASE in the sample application that is part of the documentation web application. (markt)
Extras
Fix: Ensure the JULI adapters do not include the LogFactoryImpl class. Patch provided by Benjamin Gandon. (markt)
http://httpd.apache.org/
Changelog
Changes with Apache 2.4.18
*) mod_ssl: for all ssl_engine_vars.c lookups, fall back to master connection
if conn_rec itself holds no valid SSLConnRec*. Fixes PR58666.
[Stefan Eissing]
*) mod_http2: connection level window for flow control is set to protocol
maximum of 2GB-1, preventing window exhaustion when sending data on many
streams with higher cumulative window size.
Reducing write frequency unless push promises need to be flushed.
[Stefan Eissing]
*) mod_http2: required minimum version of libnghttp2 is 1.2.1
[Stefan Eissing]
*) mod_proxy_fdpass: Fix AH01153 error when using the default configuration.
In earlier versions of httpd, you could explicitly set the 'flusher' parameter
to 'flush' as a workaround (i.e. flusher=flush).
Add documentation for the 'flusher' parameter when defining a proxy worker.
[Christophe Jaillet]
*) mod_ssl: For the "SSLStaplingReturnResponderErrors off" case, make sure
to only staple responses with certificate status "good". [Kaspar Brand]
*) mod_http2: new directive 'H2PushPriority' to allow priority specifications
on server pushed streams according to their content-type.
[Stefan Eissing]
*) mod_http2: fixes crash on connection abort for a busy connection.
fixes crash on a request that did not produce any response.
[Stefan Eissing]
*) mod_http2: trailers are sent after the response body if set in request_rec
trailers_out before the end-of-request bucket is sent through the
output filters. [Stefan Eissing]
*) mod_http2: incoming trailers (headers after request body) are properly
forwarded to the processing engine. [Stefan Eissing]
*) mod_http2: new directive 'H2Push' to en-/disable HTTP/2 server
pushes for a server/virtual host. Pushes are initiated by the presence
of 'Link:' headers with relation 'preload' on a response. [Stefan Eissing]
*) mod_http2: write performance of http2 improved for larger resources,
especially static files. [Stefan Eissing]
*) core: if the first HTTP/1.1 request on a connection goes to a server that
prefers different protocols, these protocols are announced in an Upgrade:
header on the response, mentioning the preferred protocols.
[Stefan Eissing]
*) mod_http2: new directives 'H2TLSWarmUpSize' and 'H2TLSCoolDownSecs'
to control TLS record sizes during connection lifetime.
[Stefan Eissing]
*) mod_http2: new directive 'H2ModernTLSOnly' to enforce security
requirements of RFC 7540 on TLS connections. [Stefan Eissing]
*) core: add ap_get_protocol_upgrades() to retrieve the list of protocols
that a client could possibly upgrade to. Use in first request on a
connection to announce protocol choices. [Stefan Eissing]
*) mod_http2: reworked deallocation on connection shutdown and worker
abort. Separate parent pool for all workers. Worker threads are joined
on planned worker shutdown. [Yann Ylavic, Stefan Eissing]
*) mod_ssl: when receiving requests for other virtual hosts than the handshake
server, the SSL parameters are checked for equality. With equal
configuration, requests are passed for processing. Any change will trigger
the old behaviour of "421 Misdirected Request".
SSL now remembers the cipher suite that was used for the last handshake.
This is compared against any vhost/directory cipher specification.
Detailed examination of renegotiation is only done when these do not
match.
Renegotiation is 403ed when a master connection is present. Exact reason
is given additionally in a request note. [Stefan Eissing]
*) core: Fix scoreboard crash (SIGBUS) on hardware requiring strict 64bit
alignment (SPARC64, PPC64). [Yann Ylavic]
*) mod_cache: Accept HT (Horizontal Tab) when parsing cache related header
fields as described in RFC7230. [Christophe Jaillet]
*) core/util_script: making REDIRECT_URL a full URL is now opt-in
via new 'QualifyRedirectURL' directive.
*) core: Limit to ten the number of tolerated empty lines between requests,
and consume them before the pipelining check to avoid possible response
delay when reading the next request without flushing. [Yann Ylavic]
*) mod_ssl: Extend expression parser registration to support ssl variables
in any expression using mod_rewrite syntax "%{SSL:VARNAME}" or function
syntax "ssl(VARNAME)". [Rainer Jung]
Download: Click (http://www.apache.org/dist/httpd/httpd-2.4.18.tar.gz)
https://httpd.apache.org/
Changelog
Catalina:
Fix: Ensure that /WEB-INF/classes is never processed as a web fragment. (markt)
Update: Switch default connector when native is installed. Unless configured otherwise, the NIO endpoint will be used by default. If SSL is configured, OpenSSL will be used rather than JSSE. (remm)
Fix: Correct a regression in the fix for 58867. When configuring a Context to use an external directory for the docBase, and that directory happens to be located alongside the original WAR, use the directory as the docBase rather than expanding the WAR into the appBase and using the newly created expanded directory as the docBase. (markt)
Add: 58351: Make the server build date and server version number accessible via JMX. Patch provided by Huxing Zhang. (markt)
Add: 58988: Special characters in the substitutions for the RewriteValve can now be quoted with a backslash. (fschumacher)
Fix: 58999: Fix class and resource name filtering in WebappClassLoader. It throws a StringIndexOutOfBoundsException if the name is exactly "org" or "javax". (rjung)
Add: Add JASPIC (JSR-196) support. (markt)
Add: Make checking for var and map replacement in RewriteValve a bit stricter and correct detection of colon in var replacement. (fschumacher)
Fix: Refactor the web application class loader to reduce the impact of JAR scanning on the memory footprint of the web application. (markt)
Fix: Fix some resource leaks in the error handling for accessing files from JARs and WARs. (markt)
Fix: Refactor the JAR and JAR-in-WAR resource handling to reduce the memory footprint of the web application. (markt)
Fix: Refactor the web.xml parsing so a new parser is created every time the web application starts rather than creating and caching the parser when the Context is created. This enables the parser to take account of modified Context configuration parameters and reduces (slightly) the memory footprint of a running Tomcat instance. (markt)
Update: Switch the web application class loader to the ParallelWebappClassLoader by default. (markt)
Fix: 57809: Remove the custom context attribute that held the effective web.xml. Components needing access to configuration information may access it via the Servlet API. (markt)
Fix: Refactor JAR scanning to reduce memory footprint. (markt)
Fix: 59001: Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. (markt)
Fix: Expand the fix for 59001 to cover the special sequences used in Tomcat's custom jar:war: URLs. (markt)
Fix: 59043: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.logout() is used. (markt)
Fix: 59054: Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. (markt)
Fix: Add socket properties support to storeconfig. (remm)
Fix: Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
Fix: 59065: Correct the timing of the check for colons in paths on non-Windows systems implemented in catalina.sh so it works correctly with Cygwin. Patch provided by Ed Randall. (markt)
Fix: When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it. (markt)
Fix: 59115: When using the Servlet 3.0 file upload, the submitted file name may be provided as a token or a quoted-string. If a quoted-string, unquote the string before returning it to the user. (markt)
Fix: 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
Add: Implement the proposed Servlet 4.0 API to provide mapping type information for the current request. (markt)
Fix: 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
Add: 59017: Make the pre-compressed file support in the Default Servlet generic so any compression may be used rather than just gzip. Patch provided by Mikko Tiihonen. (markt)
Fix: 59145: Don't log an invalid warning when a user logs out of a session associated with SSO. (markt)
Fix: 59150: Add an additional flag on APR listener to allow disabling automatic use of OpenSSL. (remm)
Fix: 59151: Fix a regression in the fix for 56917 that added additional (and arguably unnecessary) validation to the provided redirect location. (markt)
Fix: 59154: Fix a NullPointerException in the JAASMemoryLoginModule resulting from the introduction of the CredentialHandler to Realms. (schultz/markt)
Coyote:
Fix: Handle the case in the NIO2 connector where the required TLS buffer sizes increase after the connection has been initiated. (markt/remm)
Fix: Bad processing of handshake errors in NIO2. (remm)
Fix: Use JSSE session configuration options with OpenSSL. (remm)
Fix: 59015: Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. (markt)
Fix: Align cipher aliases for kECDHE and ECDHE with the current OpenSSL implementation. (markt)
Fix: 59081: Retain the user defined cipher order when defining ciphers. (markt)
Fix: 59089: Correctly ignore HTTP headers that include non-token characters in the header name. (markt)
Jasper:
Update: Update to the Eclipse JDT Compiler 4.5.1. (markt)
Fix: 57583: Improve the performance of javax.servlet.jsp.el.ScopedAttributeELResolver when resolving attributes that do not exist. This improvement only works when Jasper is used with Tomcat's EL implementation. (markt)
WebSocket:
Fix: Fix a timing issue on session close that could result in an exception being thrown for an incomplete message even though the message was completed. (markt)
Fix: Correctly handle compression of partial messages when the final message fragment has a zero length payload. (markt)
Fix: 59119: Correct read logic for WebSocket client when using secure connections. (markt)
Fix: 59134: Correct client connect logic for secure connections made through a proxy. (markt)
Web applications:
Fix: Correct an error in the documentation of the expected behaviour for automatic deployment. If a WAR is updated and an expanded directory is present, the directory will always be deleted and recreated by expanding the WAR if unpackWARs is true. (markt)
Fix: 48674: Implement an option within the Host Manager web application to persist the current configuration. Based on a patch by Coty Sutherland. (markt)
Fix: 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
Fix: Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
Add: The Manager and Host Manager applications are now only accessible via localhost by default. (markt)
Tribes:
Fix: If promoting a proxy node to a primary node when getting a session, notify the change of the new primary node to the original backup node. (kfujino)
Other:
Fix: 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
Fix: 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.5 to pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR 1.5.1. (markt)
Update: Modify the default tomcat-user
https://tomcat.apache.org/
Changelog
Catalina
Fix: Correct a regression in the fix for 58867. When configuring a Context to use an external directory for the docBase, and that directory happens to be located alongside the original WAR, use the directory as the docBase rather than expanding the WAR into the appBase and using the newly created expanded directory as the docBase. (markt)
Add: 58351: Make the server build date and server version number accessible via JMX. Patch provided by Huxing Zhang. (markt)
Add: 58988: Special characters in the substitutions for the RewriteValve can now be quoted with a backslash. (fschumacher)
Fix: 58999: Fix class and resource name filtering in WebappClassLoader. It throws a StringIndexOutOfBoundsException if the name is exactly "org" or "javax". (rjung)
Code: Remove unnecessary code. There is no support for context level cluster. (kfujino)
Add: Make checking for var and map replacement in RewriteValve a bit stricter and correct detection of colon in var replacement. (fschumacher)
Fix: Fix the type of InstanceManager attribute of mbean definition of StandardContext. (kfujino)
Fix: Refactor the web application class loader to reduce the impact of JAR scanning on the memory footprint of the web application. (markt)
Fix: Fix some resource leaks in the error handling for accessing files from JARs and WARs. (markt)
Fix: Refactor the JAR and JAR-in-WAR resource handling to reduce the memory footprint of the web application. (markt)
Fix: 57809: Deprecate the custom context attribute org.apache.tomcat.util.scan.MergedWebXml which will be removed in Tomcat 9. (markt)
Fix: 59001: Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. (markt)
Fix: Expand the fix for 59001 to cover the special sequences used in Tomcat's custom jar:war: URLs. (markt)
Fix: 59043: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.logout() is used. (markt)
Fix: 59054: Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. (markt)
Fix: Storeconfig handling of alternate cookie processors. (markt/remm)
Fix: Storeconfig handling for socket properties. (remm)
Add: Log a warning message if a user tries to configure the default session timeout via the deprecated (and ignored) Manager.setMaxInactiveInterval() method. (markt)
Fix: Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
Fix: 59065: Correct the timing of the check for colons in paths on non-Windows systems implemented in catalina.sh so it works correctly with Cygwin. Patch provided by Ed Randall. (markt)
Fix: When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it. (markt)
Fix: 59115: When using the Servlet 3.0 file upload, the submitted file name may be provided as a token or a quoted-string. If a quoted-string, unquote the string before returning it to the user. (markt)
Fix: 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
Fix: 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
Fix: 59145: Don't log an invalid warning when a user logs out of a session associated with SSO. (markt)
Fix: 59151: Fix a regression in the fix for 56917 that added additional (and arguably unnecessary) validation to the provided redirect location. (markt)
Fix: 59154: Fix a NullPointerException in the JAASMemoryLoginModule resulting from the introduction of the CredentialHandler to Realms. (schultz/markt)
Coyote
Fix: 58646: Correct a problem with sendfile that resulted in a Processor being added to the cache twice leading to broken responses. (markt)
Fix: 59015: Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. (markt)
Fix: Align cipher aliases for kECDHE and ECDHE with the current OpenSSL implementation. (markt)
Fix: 59081: Retain the user defined cipher order when defining ciphers using the OpenSSL format. (markt)
Fix: 59089: Correctly ignore HTTP headers that include non-token characters in the header name. (markt)
Add: Add support for additional OpenSSL cipher aliases from OpenSSL master when specifying ciphers using the OpenSSL syntax. (markt)
Jasper
Fix: 57583: Improve the performance of javax.servlet.jsp.el.ScopedAttributeELResolver when resolving attributes that do not exist. This improvement only works when Jasper is used with Tomcat's EL implementation. (markt)
Update: 58111: Update to the Eclipse JDT Compiler 4.5. (markt)
Add: Add Java 9 support for JSPs. (markt)
WebSocket
Fix: 59014: Ensure that a WebSocket close message can be sent after a close message has been received. (markt)
Fix: Correctly handle compression of partial messages when the final message fragment has a zero length payload. (markt)
Fix: 59119: Correct read logic for WebSocket client when using secure connections. (markt)
Fix: 59134: Correct client connect logic for secure connections made through a proxy. (markt)
Fix: 59189: Explicitly release the native memory held by the Inflater and Deflater when using PerMessageDeflate and the WebSocket session ends. Based on a patch by Henrik Olsson. (markt)
Web applications
Fix: Correct an error in the documentation of the expected behaviour for automatic deployment. If a WAR is updated and an expanded directory is present, the directory will always be deleted and recreated by expanding the WAR if unpackWARs is true. (markt)
Fix: 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
Fix: Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
Fix: Fix a potential indefinite wait in the Comet Chat servlet in the examples web application. (markt)
Tribes
Fix: If promoting a proxy node to a primary node when getting a session, notify the change of the new primary node to the original backup node. (kfujino)
Other
Fix: 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
Fix: 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.5 to pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR 1.5.1. (markt)
Update: Modify the default tomcat-users.xml file to make it harder for users to configure the entries intended for use with the examples web application for the Manager application. (markt)
https://tomcat.apache.org/
Changelog
Coyote:
Fix: Check that threadPriority values used in AbstractProtocol are valid. (fschumacher)
Apache Tomcat 8.5.7
Catalina:
Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and AJP/1.3 connectors can be created. (markt)
Fix: Include the Context name in the log message when an item cannot be added to the cache. (markt)
Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
Fix: When calling getResourceAsStream() on a directory, ensure that null is returned. (markt)
Fix: 60161: Allow creating subcategories of the container logger, and use it for the rewrite valve. (remm)
Fix: Correctly test for control characters when reading the provided shutdown password. (markt)
Fix: 60297: Simplify connector creation in embedded mode. (remm)
Fix: Refactor creation of containers in embedded mode for more consistency and flexibility. (remm)
Add: Introduce new methods read(ByteBuffer)/ write(ByteBuffer) in o.a.catalina.connector.CoyoteInputStream/ o.a.catalina.connector.CoyoteOutputStream. (violetagg)
Fix: When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote:
Fix: Correct the HPACK header table size configuration that transposed the client and server table sizes when creating the encoder and decoder. (markt)
Fix: Don't continue to process an HTTP/2 stream if it is reset during header parsing. (markt)
Fix: HTTP/2 uses separate headers for each Cookie. As required by RFC 7540, merge these into a single Cookie header before processing continues. (markt)
Fix: Align the HTTP/2 implementation with the HTTP/1.1 implementation and return a 500 response when an unhandled exception occurs during request processing. (markt)
Fix: Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
Add: Add checks around the handling of HTTP/2 pseudo headers. (markt)
Add: Add support for trailer headers to the HTTP/2 implementation. (markt)
Fix: 60232: When processing headers for an HTTP/2 stream, ensure that the read buffer is large enough for the header being processed. (markt)
Add: Add configuration options to the HTTP/2 implementation to control the maximum number of headers allowed, the maximum size of headers allowed, the maximum number of trailer headers allowed, the maximum size of trailer headers allowed and the maximum number of cookies allowed. (markt)
Fix: Correctly differentiate between sending and receiving a reset frame when tracking the state of an HTTP/2 stream. (markt)
Fix: 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported. These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
Fix: If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
Fix: Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
Add: Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Jasper:
Update: Update to the Eclipse JDT Compiler 4.6.1. (markt)
Web applications:
Add: Add HTTP/2 configuration information to the documentation web application. (markt)
Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
Fix: Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
Tribes:
Fix: When the proxy node sends a backup retrieve message, ensure that the channelSendOptions that has been set is used rather than the default channelSendOptions. (kfujino)
Other:
Add: Add the JASPIC API jar to the Maven Central publication script. (markt)
Fix: Remove classes from tomcat-util-scan.jar that are duplicates of those in tomcat-util.jar. (markt)
https://tomcat.apache.org/
Changelog
Catalina:
Add: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
Coyote:
Fix: Ensure UpgradeProcessor instances associated with closed connections are removed from the map of current connections to Processors. (markt)
Fix: Remove a workaround for a problem previously reported with WebSocket, TLS and APR that treated some error conditions as not errors. The original problem cannot be reproduced with the current code and the work-around is now causing problems. (markt)
Jasper:
Fix: 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
Fix: Revert use of try/finally for simple tags. (remm)
WebSocket:
Fix: Prevent potential processing loop on unexpected WebSocket connection closure. (markt)
jdbc-pool:
Add: Enable resetting the statistics without restarting the pool. (kfujino)
Other:
Update: Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
Fix: Spelling corrections provided by Josh Soref. (violetagg)
https://tomcat.apache.org/
Changelog
Tomcat 7.0.85 (violetagg)
Catalina
Fix: Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation. (markt)
Fix: Avoid duplicate load attempts if one has been made already. (remm)
Fix: Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. (remm)
Fix: 58143: Fix calling classloading transformers broken in 7.0.70 by the fix for 59619. This was observed when using Spring weaving. (rjung)
Fix: 62000: When a JNDI reference cannot be resolved, ensure that the root cause exception is reported rather than swallowed. (markt)
Fix: 62036: When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator, cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. (markt)
Fix: 62067: Correctly apply security constraints mapped to the context root using a URL pattern of "". (markt)
Fix: When using Tomcat embedded, only perform Authenticator configuration once during web application start. (markt)
Fix: Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently. (markt)
Fix: Minor optimization when calling class transformers. (rjung)
Web applications
Add: 48672: Add documentation for the Host Manager web application. Patch provided by Marek Czernek. (markt)
Other
Update: Update the NSIS Installer used to build the Windows installer to version 3.03. (kkolinko)
https://tomcat.apache.org/
Changelog
Catalina:
Fix: 62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
Fix: Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
Fix: Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
Add: Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
Fix: 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
Fix: 62309: Fix a SecurityException when using JASPIC under a SecurityManager when authentication is not mandatory. (markt)
Fix: 62329: Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. (markt)
Add: Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
Fix: Improve handling of overflow in the UTF-8 decoder with supplementary characters. (markt)
Coyote:
Fix: Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
Fix: Prevent unexpected TLS handshake failures caused by errors during a previous handshake that were not correctly cleaned-up when using the NIO or NIO2 connector with the OpenSSLImplementation. (markt)
Add: Enable strict validation of the provided host name and port for all connectors. Requests with invalid host names and/or ports will be rejected with a 400 response. (markt)
Add: 62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
Jasper:
Enable ECJ version 4.7 and later to be used as a drop in replacement for the ECJ version that ships with Apache Tomcat. (markt)
Fix: Enable Java 10 to be specified as a JSP source and/or target if a newer ECJ version is used. (markt)
Fix: 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
WebSocket:
Fix: 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
Fix: 62332: Ensure WebSocket connections are closed after an I/O error is experienced reading from the client. (markt)
Other:
Fix: Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)
https://tomcat.apache.org/
Changelog
Catalina
Fix: 62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
Add: 62258: Don't trigger the standard error page mechanism when the error has caused the connection to the client to be closed as no-one will ever see the error page. (markt)
Fix: Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
Fix: Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
Add: Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
Fix: 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
Fix: 62309: Fix a SecurityException when using JASPIC under a SecurityManager when authentication is not mandatory. (markt)
Fix: 62329: Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. (markt)
Add: Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
Fix: Improve handling of overflow in the UTF-8 decoder with supplementary characters. (markt)
Coyote
Fix: Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
Fix: Prevent unexpected TLS handshake failures caused by errors during a previous handshake that were not correctly cleaned-up when using the NIO or NIO2 connector with the OpenSSLImplementation. (markt)
Add: 62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
Fix: Fix sync for NIO2 async IO blocking read/writes. (remm)
Jasper
Update: Update the Eclipse Compiler for Java to 4.7.3a. (markt)
Update: Allow 9 to be used to specify Java 9 as the compiler source and/or compiler target for JSP compilation. The Early Access value of 1.9 is still supported. (markt)
Add: Add support for specifying Java 10 (with the value 10) as the compiler source and/or compiler target for JSP compilation. (markt)
Fix: 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
WebSocket
Fix: 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
Fix: 62332: Ensure WebSocket connections are closed after an I/O error is experienced reading from the client. (markt)
Other
Fix: Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)
https://tomcat.apache.org/
Changelog
Add the RemoteCIDRFilter and RemoteCIDRValve that can be used to allow/deny requests based on IPv4 and/or IPv6 client address where the IP ranges are defined using CIDR notation. Based on a patch by Francis Galiegue.
Use NIO2 API for websockets writes.
Update the packaged version of the Tomcat Native Library to 1.2.17 to pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o.
Correct a regression in the Host validation by removing the requirement that the final component of a FQDN must be alphabetic.
https://tomcat.apache.org/
Release Notes
Apache Tomcat Version 9.0.14
Release Notes
=========
CONTENTS:
=========
* Dependency Changes
* API Stability
* Bundled APIs
* Web application reloading and static fields in shared libraries
* Security manager URLs
* Symlinking static resources
* Viewing the Tomcat Change Log
* Cryptographic software notice
* When all else fails
===================
Dependency Changes:
===================
Tomcat 9.0 is designed to run on Java SE 8 and later.
==============
API Stability:
==============
The public interfaces for the following classes are fixed and will not be
changed at all during the remaining lifetime of the 9.x series:
- All classes in the javax namespace
The public interfaces for the following classes may be added to in order to
resolve bugs and/or add new features. No existing interface method will be
removed or changed although it may be deprecated.
- org.apache.catalina.* (excluding sub-packages)
Note: As Tomcat 9 matures, the above list will be added to. The list is not
considered complete at this time.
The remaining classes are considered part of the Tomcat internals and may change
without notice between point releases.
=============
Bundled APIs:
=============
A standard installation of Tomcat 9.0 makes all of the following APIs available
for use by web applications (by placing them in "lib"):
* annotations-api.jar (Annotations package)
* catalina.jar (Tomcat Catalina implementation)
* catalina-ant.jar (Tomcat Catalina Ant tasks)
* catalina-ha.jar (High availability package)
* catalina-storeconfig.jar (Generation of XML configuration from current state)
* catalina-tribes.jar (Group communication)
* ecj-4.9.jar (Eclipse JDT Java compiler)
* el-api.jar (EL 3.0 API)
* jasper.jar (Jasper 2 Compiler and Runtime)
* jasper-el.jar (Jasper 2 EL implementation)
* jsp-api.jar (JSP 2.3 API)
* servlet-api.jar (Servlet 4.0 API)
* tomcat-api.jar (Interfaces shared by Catalina and Jasper)
* tomcat-coyote.jar (Tomcat connectors and utility classes)
* tomcat-dbcp.jar (package renamed database connection pool based on Commons DBCP 2)
* tomcat-jdbc.jar (Tomcat's database connection pooling solution)
* tomcat-jni.jar (Interface to the native component of the APR/native connector)
* tomcat-util.jar (Various utilities)
* tomcat-websocket.jar (WebSocket 1.1 implementation)
* websocket-api.jar (WebSocket 1.1 API)
You can make additional APIs available to all of your web applications by
putting unpacked classes into a "classes" directory (not created by default),
or by placing them in JAR files in the "lib" directory.
To override the XML parser implementation or interfaces, use the appropriate
feature for your JVM. For Java <= 8 use the endorsed standards override
feature. The default configuration defines JARs located in "endorsed" as endorsed.
For Java 9+ use the upgradeable modules feature.
================================================================
Web application reloading and static fields in shared libraries:
================================================================
Some shared libraries (many are part of the JDK) keep references to objects
instantiated by the web application. To avoid class loading related problems
(ClassCastExceptions, messages indicating that the classloader
is stopped, etc.), the shared libraries state should be reinitialized.
Something which might help is to avoid putting classes which would be
referenced by a shared static field in the web application classloader,
and putting them in the shared classloader instead (JARs should be put in the
"lib" folder, and classes should be put in the "classes" folder).
======================
Security manager URLs:
======================
In order to grant security permissions to JARs located inside the
web application repository, use URLs of the following format
in your policy file:
file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar
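As an added illustration (not part of the Tomcat release notes), this is how such a URL is used inside a grant block in a Java policy file such as conf/catalina.policy. The JAR path is the one quoted above; the database host name and the permissions are assumed for the example and should be narrowed to what the library actually needs.

```text
// Added example, not from the Tomcat release notes.
// Grants permissions only to the named JAR inside the web application,
// not to the whole web application class loader.
grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar" {
    // Assumed: the driver needs a TCP connection to one database host only.
    permission java.net.SocketPermission "db.example.internal:5432", "connect,resolve";
    // Assumed: the driver reads one system property at load time.
    permission java.util.PropertyPermission "jdbc.drivers", "read";
};
```

The grant only has an effect when Tomcat is started with the security manager enabled (the -security option of catalina.sh); without it, policy files are not consulted. Keep the codeBase as specific as possible: a grant on the whole lib directory would extend the permissions to every JAR the application ships.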
============================
Symlinking static resources:
============================
By default, Unix symlinks will not work when used in a web application to link
resources located outside the web application root directory.
This behavior is optional, and the "allowLinking" flag may be used to disable
the check.
==============================
Viewing the Tomcat Change Log:
==============================
The full change log is available from https://tomcat.apache.org and is also
included in the documentation web application.
=============================
Cryptographic software notice
=============================
This distribution includes cryptographic software. The country in
which you currently reside may have restrictions on the import,
possession, use, and/or re-export to another country, of
encryption software. BEFORE using any encryption software, please
check your country's laws, regulations and policies concerning the
import, possession, or use, and re-export of encryption software, to
see if this is permitted. See <http://www.wassenaar.org/> for more
information.
The U.S. Government Department of Commerce, Bureau of Industry and
Security (BIS), has classified this software as Export Commodity
Control Number (ECCN) 5D002.C.1, which includes information security
software using or performing cryptographic functions with asymmetric
algorithms. The form and manner of this Apache Software Foundation
distribution makes it eligible for export under the License Exception
ENC Technology Software Unrestricted (TSU) exception (see the BIS
Export Administration Regulations, Section 740.13) for both object
code and source code.
The following provides more details on the included cryptographic
software:
- Tomcat includes code designed to work with JSSE
- Tomcat includes code designed to work with OpenSSL
https://tomcat.apache.org/
Changelog
Catalina:
Fix: 54741: Add a new method, Tomcat.addWebapp(String,URL), that allows a web application to be deployed from a URL when using Tomcat in embedded mode. (markt)
Add: 62897: Provide a property (clearReferencesThreadLocals) on the standard Context implementation that enables the check for memory leaks via ThreadLocals to be disabled because this check depends on the use of an API that has been deprecated in later versions of Java. (markt)
Fix: 62978: Update the RemoteIpValve to handle multiple values in the x-forwarded-proto header. Patch provided by Tom Groot. (markt)
Fix: Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
Code: 62986: Refactor the code that performs class scanning during web application start to make integration simpler for downstream users. Based on a patch provided by rmannibucau. (markt)
Fix: Implement the requirements of section 8.2.2 2c of the Servlet specification and prevent a web application from deploying if it has fragments with duplicate names and is configured to use relative ordering of fragments. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.19. (markt)
Fix: Ensure that the ServletOutputStream implementation is consistent with the requirements of asynchronous I/O and that all of the write methods use a single write rather than multiple writes. (markt)
Fix: Correct the Javadoc for Context.getDocBase() and Context.setDocBase() and remove text that indicates that a URL may be used for the docBase as this has not been the case for quite some time. (markt)
Add: Ensure that Tomcat is fully terminated when running as a service. (markt)
Fix: 63003: Extend the unloadDelay attribute on a Context to include in-flight asynchronous requests. (markt)
Add: 63026: Add a new attribute, forceDnHexEscape, to the JNDIRealm that forces escaping in the String representation of a distinguished name to use the \nn form. This may avoid issues with realms using Active Directory which appears to be more tolerant of optional escaping when the \nn form is used. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.21. (markt)
Update: Simplify the value of jarsToSkip property in catalina.properties file for tomcat-i18n jar files. Use prefix pattern instead of listing each language. (kkolinko)
WebSocket:
Fix: 57974: Ensure implementation of Session.getOpenSessions() returns correct value for both client-side and server-side calls. (markt)
Fix: 63019: Use payload remaining bytes rather than limit when writing. Submitted by Benoit Courtilly. (remm)
Fix: When running under a SecurityManager, ensure that the ServiceLoader look-up for the default javax.websocket.server.ServerEndpointConfig.Configurator implementation completes correctly rather than silently using the hard-coded fall-back. (markt)
Fix: Ensure that the network connection is closed if the client receives an I/O error trying to communicate with the server. (markt)
Fix: Ignore synthetic methods when scanning POJO methods. (markt)
Fix: Implement the requirements of section 5.2.1 of the WebSocket 1.1 specification and ensure that if the deployment of one Endpoint fails, no Endpoints are deployed for that web application. (markt)
Fix: Implement the requirements of section 4.3 of the WebSocket 1.1 specification and ensure that the deployment of an Endpoint fails if @PathParam is used with an invalid parameter type. (markt)
Fix: Ensure a DeploymentException rather than an IllegalArgumentException is thrown if a method annotated with @OnMessage does not conform to the requirements set out in the Javadoc. (markt)
Fix: Improve algorithm that determines if two @OnMessage annotations have been added for the same message type. Prior to this change some matches were missed. (markt)
Code: Remove the STREAMS_DROP_EMPTY_MESSAGES system property that was introduced to work-around four failing TCK tests. An alternative solution has been implemented. Sending messages via getSendStream() and getSendWriter() will now only result in messages on the wire if data is written to the OutputStream or Writer. Writing zero length data will result in an empty message. Note that sending a message via an Encoder may result in the message being sent via getSendStream() or getSendWriter(). (markt)
Web applications:
Fix: 63103: Remove the unused source.jsp file and associated tag from the examples web application as it is no longer used. (markt)
Fix: 63143: Ensure that the Manager web application respects the language preferences of the user as configured in the browser when the language of the default system locale is not English. (markt)
Fix: Use client's preferred language for the Server Status page of the Manager web application. Review and fix several cases when the client's language preference was not respected in Manager and Host Manager web applications. (kkolinko)
Fix: Fix messages used by Manager and Host Manager web applications. Disambiguate message keys used when adding or removing a host. Improve display of summary values on the status page: separate terms and values with a whitespace. Improve wording of messages for expire sessions command. (kkolinko)
Fix: Do not add CSRF nonce parameter and suppress Referer header for external links in Manager and Host Manager web applications. (kkolinko)
Other:
Fix: Prevent an error when running in a Cygwin shell and the JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.19 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. (markt)
Fix: Correct AsyncFileHandler to FileHandler in logging.properties. (huxing)
Update: Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt)
Fix: Enable compilation and test execution with Java 11. Note that the deprecated class org.apache.catalina.util.Base64 will be excluded from the build in this case as it depends on JRE classes that have been removed in Java 11 onwards. (markt)
Update: Update the NSIS Installer used to build the Windows installer to version 3.04. (markt)
Add: Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
https://tomcat.apache.org/
Changelog
Catalina:
Fix: Minor HTTP/2 push fixes. (remm)
Fix: Refactor how cookies are transferred from the base request to a PushBuilder so that they are accessible, and may be edited, via the standard PushBuilder methods for working with HTTP headers. (markt)
Add: Refactor error handling to enable errors that occur before processing is passed to the application to be handled by the application provided error handling and/or the container provided error handling (ErrorReportValve) as appropriate. (markt)
Add: Pass 404 errors triggered by a missing ROOT web application to the container error handling to generate the response body. (markt)
Add: Pass 400 errors triggered by invalid request targets to the container error handling to generate the response body. (markt)
Add: Pass errors triggered by invalid requests or unavailable services to the application provided error handling and/or the container provided error handling (ErrorReportValve) as appropriate. (markt)
Code: Refactor the MBean implementations for the internal Tomcat components to reduce code duplication. (markt)
Update: Simplify the value of jarsToSkip property in catalina.properties file for tomcat-i18n jar files. Use prefix pattern instead of listing each language. (kkolinko)
Fix: Restore the getter and setter for the access log valve attribute maxLogMessageBufferSize that were accidentally removed. (markt)
Add: 63206: Add a new attribute to Context - createUploadTargets which, if true, enables Tomcat to create the temporary upload location used by a Servlet if the location specified by the Servlet does not already exist. The default value is false. (markt)
Fix: 63210: Ensure that the Apache Commons DBCP 2 based default connection pool is correctly shutdown when it is no longer required. This ensures that a non-daemon thread is not left running that will prevent Tomcat from shutting down cleanly. (markt)
Fix: 63213: Ensure the correct escaping of group names when searching for nested groups when the JNDIRealm is configured with roleNested set to true. (markt)
Fix: 63236: Use String.intern() as suggested by Phillip Webb to reduce memory wasted due to String duplication. This change saves ~245k when starting a clean installation. With additional thanks to YourKit Java profiler for helping to track down the wasted memory and the root causes. (markt)
Fix: 63246: Fix a potential NullPointerException when calling AsyncContext.dispatch(). (markt)
Coyote:
Fix: Ensure that the toString(), toBytes() and toChars() methods of MessageBytes behave consistently and do not throw a NullPointerException both on newly created objects and immediately after a call to recycle(). This should not impact typical Tomcat users. It may impact users who use these classes directly in their own code. (markt)
Fix: When performing an HTTP/1.1 upgrade to HTTP/2 (h2c) ensure that the hostname and port from the HTTP/1.1 Host header of the upgraded request are made available via the standard methods ServletRequest.getServerName() and ServletRequest.getServerPort(). (markt)
Fix: Make PEM file parser a public utility class. (remm)
Fix: Refactor the APR/Native endpoint TLS configuration code to enable JSSE style configuration - including JKS keystores - to be used with the APR/Native connector. (markt)
Add: With the TLS configuration refactoring, the configuration attributes sessionCacheSize and sessionTimeout are no longer limited to JSSE implementations. They may now be used with OpenSSL implementations as well. (markt)
Fix: Refactor NIO2 read pending strategy for the classic IO API. (remm)
Fix: 63182: Avoid extra read notifications for HTTP/1.1 with NIO2 when using asynchronous threads. (remm)
Add: 63205: Add a work-around for a known JRE KeyStore loading bug. (markt)
Update: Sync with NIO2 async API from Tomcat 9 branch. (remm)
Fix: NIO2 should try to use SocketTimeoutException everywhere rather than a mix of it and InterruptedByTimeout. (remm)
Fix: Correct an error in the request validation that meant that HTTP/2 push requests always resulted in a 400 response. (markt)
Fix: 63223: Correctly account for push requests when tracking currently active HTTP/2 streams. (markt)
Fix: Verify HTTP/2 stream is still writable before assuming a timeout occurred. (remm)
Fix: Avoid some overflow cases with OpenSSL to improve efficiency, as the OpenSSL engine has an internal buffer. (remm)
Fix: Harmonize HTTP/1.1 NIO2 keepalive code. (remm)
WebSocket:
Code: Remove the STREAMS_DROP_EMPTY_MESSAGES system property that was introduced to work-around four failing TCK tests. An alternative solution has been implemented. Sending messages via getSendStream() and getSendWriter() will now only result in messages on the wire if data is written to the OutputStream or Writer. Writing zero length data will result in an empty message. Note that sending a message via an Encoder may result in the message being sent via getSendStream() or getSendWriter(). (markt)
Web applications:
Fix: Use client's preferred language for the Server Status page of the Manager web application. Review and fix several cases when the client's language preference was not respected in Manager and Host Manager web applications. (kkolinko)
Fix: Fix messages used by Manager and Host Manager web applications. Disambiguate message keys used when adding or removing a host. Improve display of summary values on the status page: separate terms and values with a whitespace. Improve wording of messages for expire sessions command. (kkolinko)
Fix: Do not add CSRF nonce parameter and suppress Referer header for external links in Manager and Host Manager web applications. (kkolinko)
Tribes:
Fix: Ensure that members registered in the addSuspects list are static members. (kfujino)
Other:
Add: Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
Fix: 63041: Revert the changes for 53930 that added support for the CATALINA_OUT_CMD environment variable as they prevented correct operation with systemd configurations that did not explicitly specify a PID file. (markt)
https://tomcat.apache.org/
Changelog
Catalina:
Fix: Fix wrong JMX registration regression in 9.0.18. (remm)
Coyote:
Update: Add vectoring for NIO in the base and SSL channels. (remm)
Add: Add asynchronous IO from NIO2 to the NIO connector, with support for the async IO implementations for HTTP/2 and Websockets. The useAsyncIO boolean attribute on the Connector element allows enabling use of the asynchronous IO API. (remm)
Other:
Fix: Ensure that the correct files are included in the source distribution for javacc based parsers depending on whether jjtree is used or not. (markt)
Fix: Ensure that text files in the source distribution have the correct line endings for the target platform. (markt)
https://tomcat.apache.org/
Changelog
7.0.94
Fix for CVE-2019-0232, an RCE vulnerability on Windows
Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with a ECJ version with support for those Java versions
Update Tomcat's packaged-renamed copy of Apache Commons DBCP to the latest DBCP 1.4.x and Pool 1.6.x source (as of 2019-03-15) to pick up various bug fixes
9.0.20 / 8.5.41
The useAsyncIO boolean attribute on the Connector element now defaults to true.
Stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character.
Various HTTP/2 improvements and stability fixes.
https://tomcat.apache.org/
Changelog
9.0.27
The Apache Tomcat Project is proud to announce the release of version 9.0.27 of Apache Tomcat. The notable changes compared to 9.0.26 include:
Update to Commons Daemon 1.2.2 to pick up the fix for a regression in Commons Daemon 1.2.0 and 1.2.1 that triggered a crash on startup when running on a Windows OS that had not been fully updated.
Fix some edge cases with NIO2 and TLS that could cause a request to hang.
Fix a memory leak introduced by the HTTP/2 timeout refactoring in 9.0.23 that could occur when HTTP/2 or WebSocket was used.
8.5.47
The Apache Tomcat Project is proud to announce the release of version 8.5.47 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.46 include:
Update to Commons Daemon 1.2.2 to pick up the fix for a regression in Commons Daemon 1.2.0 and 1.2.1 that triggered a crash on startup when running on a Windows OS that had not been fully updated.
Fix some edge cases with NIO2 and TLS that could cause a request to hang.
https://tomcat.apache.org/
Changelog
Catalina
Add: 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
Add: 63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
Fix: 63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
Fix: 63950: Fix timing issue in TestAsyncContextStateChanges test that caused it to hang indefinitely. (markt)
Fix: 63982: CombinedRealm makes assumptions about principal implementation. (michaelo)
Code: Add a unit test for the session FileStore implementation and refactor loops in FileStore to use the ForEach style. Pull request provided by Govinda Sakhare. (markt)
Fix: Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)
Update: Do not store username and password as session notes during authentication if they are not needed. (kkolinko)
Coyote
Fix: 63932: By default, do not compress content that has a strong ETag. This behaviour is configurable for the HTTP/1.1 connectors via the new Connector attribute noCompressionStrongETag. (markt)
WebSocket
Fix: Ensure a very unlikely concurrency issue is avoided when writing WebSocket messages. (markt)
Web applications
Add: Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions. (markt)
Other
Fix: Correct the fix for 63815 (quoting the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused various regressions, particularly with daemon.sh. (markt)
Add: Expand the search made by the Windows installer for a suitable Java installation to include the 64-bit JDK registry entries and the JAVA_HOME environment variable. Pull request provided by Alexander Norz. (markt)
Add: Expand the coverage of the German translations provided with Apache Tomcat. Contribution provided by Jens. (markt)
Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
Add: Expand the coverage of the Japanese translations provided with Apache Tomcat. (markt)
Add: Expand the coverage of the Korean translations provided with Apache Tomcat. (woonsan)
Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by lins and 磊. (markt)
Add: Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, 6.4.2-dev). Code clean-up only. (markt)
Add: Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
Add: Update the internal fork of Apache Commons FileUpload to 2317552 (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
https://tomcat.apache.org/
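The same-origin comparison fixed under 63939 is easy to get subtly wrong, so here is a stand-alone reimplementation of the two rules the entry names (default port equivalence, otherwise case-sensitive comparison). This is an added example, not Tomcat's CorsFilter or any other Tomcat code; the function names, the DEFAULT_PORTS table and the sample origins are this example's own. It also rejects values that are not serialized origins at all (a path, userinfo or the opaque origin "null"), which a lenient parser could otherwise match against an allow-list entry.

```python
"""Same-origin check for a CORS filter, written as an added example.

This is not Tomcat's CorsFilter. It reimplements the two rules the changelog
entry describes so they can be tested in isolation:
  * an Origin that spells out the scheme's default port ("https://a.example:443")
    matches the same origin without it ("https://a.example");
  * everything else is compared case-sensitively, byte for byte, because the
    CORS/Fetch specification compares serialized origins without normalising
    them. Lower-casing on the server side would make "https://A.example" match
    an allow-list entry for "https://a.example", hiding misconfiguration.
"""
import re

# Default ports, keyed by the exact scheme string: "HTTP" (upper case) has none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# A serialized origin is scheme "://" host [":" port] and nothing else. The host
# class rejects "/", "?", "#", "@", ":" and whitespace, so values such as
# "https://a.example@evil.example" or "https://a.example/" are not origins at all.
_ORIGIN = re.compile(
    r"([A-Za-z][A-Za-z0-9+.\-]*)://"          # scheme
    r"([^\s/?#@:\[\]]+|\[[0-9A-Fa-f:.]+\])"   # reg-name / IPv4, or bracketed IPv6
    r"(?::([0-9]{1,5}))?"                     # optional explicit port
)


def parse_origin(origin):
    """Return (scheme, host, port) for a serialized origin, or None if it is not one.

    The port is the explicit one if present, else the scheme's default, else
    None. Case is preserved so callers compare exactly what the client sent.
    """
    if origin is None:
        return None
    m = _ORIGIN.fullmatch(origin)
    if m is None:
        return None                      # includes the opaque origin "null"
    scheme, host, port = m.groups()
    if port is None:
        return (scheme, host, DEFAULT_PORTS.get(scheme))
    port = int(port)
    if port == 0 or port > 65535:
        return None
    return (scheme, host, port)


def origins_equal(a, b):
    """Case-sensitive equality of two serialized origins, tolerant of default ports."""
    pa, pb = parse_origin(a), parse_origin(b)
    return pa is not None and pb is not None and pa == pb


def is_same_origin(origin_header, request_scheme, server_name, server_port):
    """Does the Origin header match the origin the request actually arrived at?

    request_scheme/server_name/server_port are what the container reports for
    the request; behind a reverse proxy they must already reflect the
    client-facing values, or every request looks cross-origin.
    """
    parsed = parse_origin(origin_header)
    if parsed is None:
        return False
    return parsed == (request_scheme, server_name, int(server_port))


def is_allowed_origin(origin_header, allowed_origins):
    """Allow-list check using the same comparison rules (no wildcard handling)."""
    return any(origins_equal(origin_header, allowed) for allowed in allowed_origins)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    checks = [
        ("https://app.example:443", True),          # explicit default port
        ("https://app.example", True),              # implicit default port
        ("https://App.Example", False),             # case matters
        ("https://app.example:8443", False),        # different port
        ("http://app.example", False),              # different scheme
        ("https://app.example@evil.example", False),
        ("https://app.example/", False),
        ("null", False),                            # opaque origin
    ]
    for origin, expected in checks:
        result = is_same_origin(origin, "https", "app.example", 443)
        assert result == expected, (origin, result)
        print(f"{origin:40} -> {'same-origin' if result else 'cross-origin'}")
```

The companion change under 63937 (allowCorsPreflight on the Authenticators) exists because a preflight is an unauthenticated OPTIONS request the browser sends on its own; an authenticator that answers it with a challenge or a login redirect breaks every cross-origin call, so the preflight has to reach the CORS filter before authentication is applied.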
Changelog
Catalina:
Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix extraction of JAR name in some cases in StandardJarScanner. Submitted by Lynx. (remm)
Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
Web applications:
Correct name of changeLocalName in the documentation for the RemoteIpValve. (markt)
Other:
Improvements to Korean translations.
Improvements to Russian translations.
Improvements to Chinese translations.
Improvements to Japanese translations.
Update the packaged version of the Tomcat Native Library to 1.2.28.
https://tomcat.apache.org/
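The JNDIRealm entry above ("ensure the correct escaping of attribute values and search filters") matters because the realm substitutes the submitted username into an LDAP search filter (userSearch) or a DN template (userPattern). The following is an added example, not JNDIRealm's code: stand-alone implementations of the two escaping rules involved, RFC 4515 for filter values and RFC 4514 for DN values, with constructed inputs showing what an unescaped username could do to the filter's structure. Function names and the default patterns are this example's own.

```python
"""LDAP search-filter and DN escaping, as an added example (not JNDIRealm code).

A value taken from the login form must not be able to change the structure of
the filter or DN it is placed into. The two escaping rules differ, so a value
must be escaped for the context it is used in, not once for both.
"""

# Bytes that RFC 4515 section 3 requires to be escaped in an assertion value.
_FILTER_SPECIAL = {0x2A, 0x28, 0x29, 0x5C, 0x00}   # * ( ) \ NUL


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Special characters become a backslash plus two hex digits. Non-ASCII is
    escaped byte-wise as UTF-8, which is always valid on the wire.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in _FILTER_SPECIAL or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def escape_dn_value(value):
    """Escape an attribute value for use in a distinguished name (RFC 4514 2.4).

    Characters , + " \\ < > ; are backslash-escaped anywhere; NUL becomes \\00;
    a leading '#' or space and a trailing space are escaped as well.
    """
    special = set(',+"\\<>;')
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in special:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username, pattern="(uid={0})"):
    """Build the user search filter with the username escaped for filter context."""
    return pattern.replace("{0}", escape_filter_value(username))


def user_dn(username, pattern="uid={0},ou=people,dc=example,dc=com"):
    """Build the user DN with the username escaped for DN context."""
    return pattern.replace("{0}", escape_dn_value(username))


if __name__ == "__main__":
    # Constructed usernames, not real accounts.
    for name in ["alice", "*", "*)(uid=*", "Smith, John", "admin\\", " lead"]:
        print(repr(name))
        print("  filter:", user_search_filter(name))
        print("  dn:    ", user_dn(name))
```

The third sample username shows the point: without escaping, "(uid=*)(uid=*)" has two filter items and "(uid=*)" matches the first user returned by the directory; with escaping the filter keeps exactly one opening parenthesis and the asterisk is a literal.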
Changelog
Catalina:
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
Fix: 65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)
Fix: 65251: Correct a regression introduced in 8.5.64 that meant that the auto-deployment process may attempt a second, concurrent deployment of a web application that is being deployed by the Manager resulting in one of the deployments failing and errors being reported. (markt)
Coyote:
Fix: Ensure that all HTTP requests that contain an invalid character in the protocol component of the request line are rejected with a 400 response rather than some requests being rejected with a 505 response. (markt)
Fix: When generating the error message for an HTTP request with an invalid request line, ensure that all the available data is included in the error message. (markt)
Fix: 65272: Restore the optional HTTP feature that allows LF to be treated as a line terminator for the request line and/or HTTP headers lines as well as the standard CRLF. This behaviour was previously removed as a side-effect of the fix for CVE-2020-1935. (markt)
Jasper:
Code: Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt)
Update: <servlet> entries in web.xml that include a <jsp-file> element and a negative <load-on-startup> element that is not the default value of -1 will no longer be loaded at start-up. This makes it possible to define a <jsp-file> that will not be loaded at start-up. (markt)
Fix: Allow the JSP configuration option useInstanceManagerForTags to be used with Tags that are implemented as inner classes. (markt)
WebSocket:
Code: Refactor the way Tomcat passes path parameters to POJO end points to simplify the code. (markt)
Fix: 65262: Refactor the creation of WebSocket end point, decoder and encoder instances to be more IoC friendly. Instances are now created via the InstanceManager where possible. (markt)
Web applications:
Fix: 65235: Correct name of changeLocalName in the documentation for the RemoteIpValve. (markt)
Fix: 65265: Avoid getting the boot classpath when it is not available in the Manager diagnostics. (remm)
Other:
Update: Update the packaged version of the Tomcat Native Library to 1.2.28. (markt)
Fix: Move SystemPropertySource to be a regular class to allow more precise configuration if needed. The system property source will still always be enabled. (remm)
Add: Improvements to Chinese translations. Provided by bytesgo. (mark)
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
What's new in Apache Tomcat 9.0.46
The Apache Tomcat Project is proud to announce the release of version 9.0.46 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.45 include:
Ensure the correct escaping of attribute values and search filters in the JNDIRealm.
HandlesTypes should include classes that use the specified annotation types on fields or methods.
Refactor the creation of WebSocket end point, decoder and encoder instances to be more IoC friendly. Instances are now created via the InstanceManager where possible.
New in Apache Tomcat 10.0.6
Ensure the correct escaping of attribute values and search filters in the JNDIRealm.
HandlesTypes should include classes that use the specified annotation types on fields or methods.
Refactor the creation of WebSocket end point, decoder and encoder instances to be more IoC friendly. Instances are now created via the InstanceManager where possible.
https://tomcat.apache.org/
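The two Coyote entries in the changelog above (invalid characters in the protocol field now always produce 400 rather than sometimes 505, and bare LF optionally accepted again as a line terminator after CVE-2020-1935) come down to how the request line is parsed. The following is an added example, not Tomcat's Coyote parser: a stand-alone request-line parser that applies those rules to constructed request lines. The allow_lf flag, the function names and the supported-version set are this example's own; the lenient-LF option in Tomcat is configured through its own connector settings, which this example does not reproduce.

```python
"""HTTP request-line validation (400 vs. 505), as an added example.

This is not Tomcat's Coyote parser. It mirrors the rules the two Coyote
changelog entries describe so the edge cases can be exercised offline:
  * anything in the protocol field that is not exactly "HTTP/" DIGIT "." DIGIT
    (RFC 7230, section 2.6) is a malformed request line and gets 400, never
    505 "HTTP Version Not Supported";
  * a syntactically valid version this server does not speak gets 505;
  * a line ends with CRLF, or with a bare LF when allow_lf is set, which is the
    optional lenient behaviour the changelog restores (allow_lf is this
    example's own flag name, not a Tomcat configuration attribute).
HTTP/0.9 simple requests (no protocol field) are not modelled and get 400.
"""
import re

_VERSION = re.compile(r"HTTP/([0-9])\.([0-9])")
SUPPORTED_VERSIONS = {(1, 0), (1, 1)}
# RFC 7230 tchar set, for the method token.
_TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
             b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def read_line(buf, allow_lf):
    """Split the first line off buf. Returns (line, rest); raises ValueError on bad framing."""
    i = buf.find(b"\n")
    if i < 0:
        raise ValueError("no line terminator")
    if i > 0 and buf[i - 1] == 0x0D:           # CRLF, the standard terminator
        return buf[:i - 1], buf[i + 1:]
    if not allow_lf:
        raise ValueError("bare LF not permitted")
    return buf[:i], buf[i + 1:]                # lenient mode: LF alone


def parse_request_line(raw, allow_lf=False):
    """Return (status, method, target, version).

    status is None when the line is acceptable, otherwise the response code the
    server should send (400 or 505). On 400 the remaining fields are None.
    """
    bad = (400, None, None, None)
    try:
        line, _rest = read_line(raw, allow_lf)
    except ValueError:
        return bad
    parts = line.split(b" ")
    if len(parts) != 3:
        return bad
    method, target, proto = parts
    if not method or any(c not in _TCHAR for c in method):
        return bad
    # request-target must be visible ASCII; controls, DEL and non-ASCII are rejected.
    if not target or any(c < 0x21 or c > 0x7E for c in target):
        return bad
    try:
        m = _VERSION.fullmatch(proto.decode("ascii"))
    except UnicodeDecodeError:
        m = None
    if m is None:
        return bad      # "HTTP/1.x", "http/1.1", "HTTP/1.1\x01": malformed, so 400
    version = (int(m.group(1)), int(m.group(2)))
    if version not in SUPPORTED_VERSIONS:
        return (505, method.decode("ascii"), target.decode("ascii"), version)
    return (None, method.decode("ascii"), target.decode("ascii"), version)


if __name__ == "__main__":
    # Constructed request lines, not captured traffic.
    samples = [
        b"GET /index.html HTTP/1.1\r\n",
        b"GET / HTTP/2.0\r\n",        # well-formed but unsupported: 505
        b"GET / HTTP/1.x\r\n",        # bad character in the version: 400, not 505
        b"GET / http/1.1\r\n",        # HTTP-name is case-sensitive: 400
        b"GET / HTTP/1.1\n",          # bare LF: 400 unless allow_lf is set
    ]
    for allow_lf in (False, True):
        for s in samples:
            print(f"allow_lf={allow_lf} {s!r} -> {parse_request_line(s, allow_lf=allow_lf)}")
```

The distinction is worth testing on a deployed instance: a 505 tells a client the server understood the version and declined it, while a 400 says the line was not valid HTTP at all, and request smuggling and log-injection probes tend to live in exactly the inputs that used to fall into the wrong bucket.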