Tomcat 9

Tomcat 9 9.0.13

  • 58590: Add the ability for a UserDatabase to monitor the backing XML file for changes and reload the source file if a change in the last modified time is detected. This is enabled by default meaning that changes to $CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the file is saved. (markt)
  • 61171: Add the portOffset attribute to the Server element which is added to the configured shutdown and Connector ports. Based on a patch by Marek Czernek. (markt)
  • 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
  • 62687: Expose content length information for resources when using a compressed war. (remm)
  • 62737: Fix rewrite substitutions parsing of {} nesting. (remm)
  • Add rewrite flags output when getting the rewrite configuration back. (remm)
  • Add missing qsdiscard flag to the rewrite flags as a cleaner way to discard the query string. (remm)
  • 62755: Add ability to opt out of adding the default web.xml config when embedding Tomcat and adding a context via addWebapp(). Call setAddDefaultWebXmlToWebapp(false) to prevent the automatic config. (isapir)
  • Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
  • Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
  • 62803: Fix SSL connector configuration processing in storeconfig. (remm)
  • 62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
  • 62802: Restore the appContextProtection attribute to the JreMemoryLeakPreventionListener as application code may still trigger this memory leak. (markt)
  • 62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
  • Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
  • Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
  • 62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
  • Refactor the Connector so that the port is obtained from the Endpoint rather than a local field that could end up out of sync. (markt)
  • Add EncryptInterceptor to the portfolio of available clustering interceptors. This adds symmetric encryption of session data to Tomcat clustering regardless of the type of cluster manager or membership being used. (schultz)
  • Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
  • 62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)
  • Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
  • 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
  • Make PEM file parser a public utility class. (remm)
  • 62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt)
  • 62748: Add TLS 1.3 support for the APR/Native connector and the NIO/NIO2 connector when using the OpenSSL backed JSSE implementation. (schultz/markt)
  • 62791: Remove an unnecessary check in the NIO TLS implementation that prevented secure WebSocket connections from being established. (markt)
  • Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. (markt)
  • Ensure open sockets etc. are cleaned up if the socket binding process fails. (markt)
  • 62871: Improve MBeans for Endpoint instances (type ThreadPool in JMX) by using explicit declaration of attributes and operations rather than relying on introspection. Add a new MBean to expose the SocketProperties values. (markt)
  • Correct parsing of XML whitespace in TLD function signatures that incorrectly only looked for the space character. (markt)
  • 62674: Correct a regression in the stand-alone JSP compiler utility, JspC, caused by the fix for 53492, that caused the JSP compiler to hang. (markt)
  • 62721: Correct generation of web.xml header when using JspC. (markt)
  • 62757: Correct a regression in the fix for 62603 that caused NullPointerExceptions when compiling tag files on first access when development mode was disabled and background compilation was enabled. Based on a patch by Jordi Llach. (markt)
  • 62731: Make the URI returned by HandshakeRequest.getRequestURI() and Session.getRequestURI() absolute so that the scheme, host and port are accessible. (markt)

Web applications

  • 62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
  • 62712: Correct NPE in Manager application when attempting to view configured certificates for an APR/native TLS connector. (markt)
  • 62761: Correct the advanced CORS example in the Filter documentation to use a valid configuration. (markt)
  • 62786: Add a note to the Context documentation to explain that, by default, settings for a Context element defined in server.xml will be overwritten by settings specified in a default context file such as conf/context.xml. (markt)
  • Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Patch provided by Łukasz Jąder. (markt)
  • Add setMembershipService method to the MembershipProvider. (kfujino)
  • Experimental Kubernetes aware cloud membership provider, based on code by Maxime Beck. Contains code derived from jgroups. (remm/kfujino)
  • Move the event notification ThreadPoolExecutor to MembershipProviderBase. (kfujino)
  • Even if all members have already disappeared and PING can not be sent, ensure that members will be expired. (kfujino)
  • Ensure that the member is removed from the suspect list when the member is added. (kfujino)
  • Port DBCP transaction synchronization registry fix (commit d49d45e). (remm)
  • Update the internal fork of Apache Commons Pool 2 to d4e0e88 (2018-09-12) to pick up some bug fixes and enhancements. (markt)
  • 62705: Added a fail fast check for minimum required Apache Ant version 1.9.8 when building Tomcat. (isapir)
  • Added ant target ide-intellij to create an IntelliJ IDEA project. (isapir)
  • Utility JSON parser generated from a public domain javacc grammar written by Robert Fischer. (remm)
  • Update the packaged version of the Tomcat Native Library to 1.2.18 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. (markt)
  • 62263: Avoid a NullPointerException when the RemoteIpValve processes a request for which no Context can be found. (markt)
  • 62258: Don't trigger the standard error page mechanism when the error has caused the connection to the client to be closed as no-one will ever see the error page. (markt)
  • Register MBean when DataSource Resource type="javax.sql.XADataSource". Patch provided by Masafumi Miura. (csutherl)
  • Fix a rare edge case that is unlikely to occur in real usage. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. (markt)
  • Update the internal fork of Apache Commons BCEL to r1829827 to add early access Java 11 support to the annotation scanning code. (markt)
  • 62297: Enable the CrawlerSessionManagerValve to correctly handle bots that crawl multiple hosts and/or web applications when the Valve is configured on a Host or an Engine. (fschumacher)
  • 62309: Fix a SecurityException when using JASPIC under a SecurityManager when authentication is not mandatory. (markt)
  • 62329: Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. (markt)
  • Collapse multiple leading / characters to a single / in the return value of HttpServletRequest#getContextPath() to avoid issues if the value is used with HttpServletResponse#sendRedirect(). This behaviour is enabled by default and configurable via the new Context attribute allowMultipleLeadingForwardSlashInPath. (markt)
  • Improve handling of overflow in the UTF-8 decoder with supplementary characters. (markt)
  • Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. (markt)
  • Prevent unexpected TLS handshake failures caused by errors during a previous handshake that were not correctly cleaned-up when using the NIO or NIO2 connector with the OpenSSLImplementation. (markt)
  • 62273: Implement configuration options to work-around specification non-compliant user agents (including all the major browsers) that do not correctly %nn encode URI paths and query strings as required by RFC 7230 and RFC 3986. (markt)
  • Fix sync for NIO2 async IO blocking read/writes. (remm)
  • Update the Eclipse Compiler for Java to 4.7.3a. (markt)
  • Allow 9 to be used to specify Java 9 as the compiler source and/or compiler target for JSP compilation. The Early Access value of 1.9 is still supported. (markt)
  • Add support for specifying Java 10 (with the value 10) as the compiler source and/or compiler target for JSP compilation. (markt)
  • 62287: Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg. (markt)
  • 62301: Correct a regression in the fix for 61491 that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. (markt)
  • 62332: Ensure WebSocket connections are closed after an I/O error is experienced reading from the client. (markt)
  • Avoid warning when running under Cygwin when the JAVA_ENDORSED_DIRS environment variable is not set. Patch provided by Zemian Deng. (markt)