What is Java?
Patch by Craig Andrews. Based on a patch by zhanhb. Coyote Correct a regression in the error page handling that prevented error pages from issuing redirects or taking other action that required the response status code to be changed. Improve logging of Host validation failures. Based on a patch by Katya Stoycheva. Add the capability to generate a web-fragment. Ensure that all reads of the current thread's context class loader made by the UEL API and implementation are performed via a PrivilegedAction to ensure that a SecurityException is not triggered when running under a SecurityManager.
BodyContentImpl so a SecurityException is not thrown when running under a SecurityManager and additional permissions are not required in the catalina. This is a follow-up to the fix for Patch provided by Pavel Cibulka. Cluster Remove duplicate calls when creating a replicated session to reduce the time taken to create the session and thereby reduce the chances of a subsequent session update message being ignored because the session does not yet exist.
Clarify the meaning of the connector attribute minSpareThreads in the documentation web application. Tribes Ensure that the correct default value is returned when retrieving unset properties in McastService. Other Ensure that Apache Tomcat may be built from source with Java Remove references to javaw. Update the internal fork of Commons Pool 2 to dfef97b to pick up some bug fixes and enhancements.
Don't trigger the standard error page mechanism when the error has caused the connection to the client to be closed as no-one will ever see the error page. Patch provided by Masafumi Miura. This edge case meant that writing long streams of UTF-8 characters to the HTTP response that consisted almost entirely of surrogate pairs could result in one surrogate pair being dropped. Correctly list resources in JAR files when directories do not have dedicated entries. Patch provided by Meelis Müür. Coyote Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit.
Patch provided by usc. Jasper Update the Eclipse Compiler for Java to 4. The Early Access value of 1. Do not rely on hash codes to test instances of ValueExpressionImpl for equality. Patch provided by Mark Struberg.
Correct a regression in the fix for that didn't correctly handle a final empty message part in all circumstances when using PerMessageDeflate. Patch provided by Zemian Deng. This allows the maximum number of days for which rotated access logs should be retained before deletion to be defined.
When using the PersistentManager honor a value of -1 for minIdleSwap and do not swap out sessions to keep the number of active sessions under maxActive. Patch provided by Holger Sunke. Improve Javadoc for org. Constants and ensure that the constants are correctly used.
Avoid infinite recursion, when trying to validate a session while loading it with PersistentManager. Secondly, pushes must be sent in order of increasing stream ID.
These restrictions were not being enforced, leading to protocol errors at the client. Web applications Add document for FragmentationInterceptor.
Correct the Tomcat Setup documentation that incorrectly referred to Java 7 as the minimum version rather than Java 8. Other Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy. Add additional attributes to the Manager to provide control over which listeners are called when an attribute is added to the session when it has already been added under the same name.
This is to aid clustering scenarios where setAttribute is often called to signal that the attribute value has been mutated and needs to be replicated but it may not be required, or even desired, for the associated listeners to be triggered. The default behaviour has not been changed. Based on a patch provided by burka. Null container names are not allowed.
Fix programmatic login regression as the NonLoginAuthenticator has to be set for it to work if no login method is specified. Improve error message in catalina. Based on a suggestion from Mark Morschhaeuser. Patch provided by Kirill Romanov via Github.
Avoid ConcurrentModificationException when attempting to clean up application triggered RMI memory leaks on web application stop. Patch provided by Stefan Knoblich.
Follow up fix so that OpenSSL engine returns underflow when unwrapping if no bytes were produced and the input is empty. When deploying a web application via the manager application and a path is not explicitly specified, derive it from the provided deployment descriptor or, if that is not present, the WAR or DIR.
Add documentation for the Host Manager web application. Based on a suggestion from Muthukumar Marikani. Catalina Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation.
When a JNDI reference cannot be resolved, ensure that the root cause exception is reported rather than swallowed. When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator, cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. Correctly apply security constraints mapped to the context root using a URL pattern of "".
This should not impact typical Tomcat users. It may impact users who use these classes directly in their own code. Patch submitted by Holger Sunke. The JSP specification explicitly states that the behaviour for this method is undefined for JSPs so this is a Tomcat specific behaviour. When closing a connection with an abnormal close, close the socket immediately rather than waiting for a close message from the client that may never arrive. Fix missing class from manager JSP error page.
Add MBean for StatementCache. Catalina Correct a regression in the previous fix for that meant that any call to addHeader would have been replaced with a call to setHeader for all requests mapped to the AddDefaultCharsetFilter. Add a new system property org. Document the new JvmOptions9 command line parameter for tomcat9. Patch provided by Dmitri Blinov.
Extend the AddDefaultCharsetFilter to add a character set when the content type is set via setHeader or addHeader as well as when it is set via setContentType. For any given resource a method that returns a status code will not be listed in the Allow header and a method listed in the Allow header will not return a status code.
The exception will be made available to the application via the asynchronous error handling mechanism. Patch submitted by Evgenij Ryazanov. Fix connectionLimitLatch counting when closing an already closed socket. Based on a patch by Ryan Fong. Allow a call to AsyncContext. Patch provided by Ricardo Martin Camarero. In particular, the calling of a varargs method with no parameters now works correctly. Based on a patch by Nitkalya Ing Wiriyanuparb. Fix prototype mode used to compile tags.
Add the ability to trigger a reloading of TLS host configuration certificate and key files, server. Expose the currently in use certificate chain and list of trusted certificates for all virtual hosts configured using the JSSE style keystore TLS configuration via the Manager web application. Prevent ConcurrentModificationException when running the asynchronous stock ticker in the examples web application.
Prevent NullPointerException and other errors if the stock ticker example is running when the examples web application is stopped. Clarify the meaning of the allowLinking option in the documentation web application.
Prevent NullPointerException when using the statement cache of a connection that has been closed. Other Add an additional system property for the system property replacement. They are now only copied to the bin directory for the release target. Patch provided by isapir.
Based on a patch by Pavan Kumar. Patch provided by Lazar. Correctly handle the case when AuthConfigFactoryImpl.
Avoid a potential SecurityException when using the NIO2 connector and a new thread is added to the pool. Correct a further regression in the fix to enable the use of Java key stores that contained multiple keys that did not all have the same password.
This fixes PKCS11 key store handling with multiple keys selected with an alias. Avoid a possible ConcurrentModificationException when working with the streams associated with a connection. Improve performance of NIO connector when clients leave large time gaps between network packets. Patch provided by Zilong Song. Invalid expressions in attribute values or template text should trigger a translation compile time error, not a run time error.
Add support for authentication in the websocket client. Patch submitted by J Fernandez. Add XML filtering for the status servlet output where needed. Tribes Fix incorrect behavior that attempts to resend channel messages more than the actual setting value of maxRetryAttempts. When running on Java 9, any such attempted use of the endorsed directory mechanism will trigger an error and Tomcat will fail to start. When using the Windows installer, check if the requested service name already exists and, if it does, prompt the user to select an alternative service name.
Patch provided by Ralph Plawetzki. Update the Windows installer to search the new as of Java 9 registry locations when looking for a JRE. Remove outdated SSL information from the Security documentation. Catalina Use the correct path when loading the JVM logging. The checks were being performed elsewhere but adding them to the resource handling ensures that the checks are always performed. Correct typos in Spanish translation. Exclude test files in unusual encodings and markdown files intended for display in GitHub from RAT analysis.
Patch provided by Chris Thistlethwaite. Add the ability to make changes to the TLS configuration of a connector at runtime without having to restart the Connector. This check is optional but enabled by default.
It may be disabled with the allowHostHeaderMismatch attribute of the Connector. Correct a further regression in the fix to enable the use of Java key stores that contain multiple keys that do not all have the same password.
The regression broke support for some FIPS compliant key stores. Correctly handle invocations of methods defined in the PooledConnection interface when using pooled XA connections. Patch provided by Nils Winkler. Other Update fix for so that values less than zero are accepted instead of throwing a NegativeArraySizeException. Add the ability to set environment variables for individual CGI scripts.
Based on a patch by jm When running under a SecurityManager, do not print a warning about not being able to read a logging configuration file when that file does not exist. Note that the default configuration does not change the existing behaviour. When using the CGI servlet, make the generation of command line arguments from the query string as per section 4. This corrects a potential regression in the fix for with an alternative solution that adds the JarEntry objects normally skipped by a JarInputStream only if those entries exist.
Coyote The minimum required Tomcat Native version has been increased to 1. This enables TLS connections to close cleanly. In this case the client certificate without the chain will be presented to the application. Fix default key alias algorithm.
Correct a regression in the fix to enable the use of Java key stores that contained multiple keys that did not all have the same password. The regression broke support for any key store that did not store keys in PKCS 8 format such as hardware key stores and Windows key stores. Reduce the number of packets used to send WebSocket messages by not flushing between the header and the payload when the two are written together. When using the permessage-deflate extension, correctly handle the sending of empty messages after non-empty messages to avoid the IllegalArgumentException.
Web applications Show connector cipher list in the manager web application in the correct cipher order. Tribes To avoid unexpected session timeout notification from backup session, update the access time when receiving the map member notification message. Ensure that failed queries are logged if the SlowQueryReport interceptor is configured to do so and the connection has been abandoned.
Patch provided by Craig Webb. Ensure that transaction of idle connection has terminated when the testWhileIdle is set to true and defaultAutoCommit is set to false. Patch provided by WangZheng. Replace a Unix style comment in the DOS bat file catalina. Update to Commons Daemon 1. Catalina Correct multiple regressions in the fix for that could corrupt static content served by the DefaultServlet. Patch provided by Jonathan Horowitz. Ensure to explicitly signal an empty request body for HTTP responses.
Additional fix to r Based on a patch provided by Alexandr Saperov. Add a server listener that can be used to do system property replacement from the property source configured in the digester.
Ensure that files are closed after detecting encoding of JSPs so that files do not remain locked by the file system. Add support to the WebSocket client for following redirects when attempting to establish a WebSocket connection. Patch provided by J Fernandez. Catalina Performance improvements for service loader look-ups and look-ups of other class loader resources when the web application is deployed in a packed WAR file.
Add warn message when Digester. Based on patches by Peter Maloney and Felix Schumacher. Web applications Correct the documentation for how StandardRoot is configured. Fix corruption of UTF encoded source files in released source distributions.
When log rotation is disabled only one separator will be used when generating the log file name. For example if the prefix is catalina. Patch provided by Katya Stoycheva.
Correct a regression in the refactoring to use Charset rather than String to store request character encoding that prevented getReader throwing an UnsupportedEncodingException if the user agent specifies an unsupported character encoding. Coyote Enable TLS connectors to use Java key stores that contain multiple keys where each key has a separate password. Based on a patch by Frank Taffelt. Add the ability to set the defaults used by the Windows installer from a configuration file.
Patch provided by Sandra Madden. Improve the Default Servlet's handling of static files when the file encoding is not compatible with the required response encoding. Remove deleted attribute servlets from the Context MBean description. Patch provided by Alexis Hassler. The thread that cleans the log files is marked as daemon thread. Correct a regression in 9. Coyote Restore the ability to configure support for SSLv3.
Enabling this protocol will trigger a warning in the logs since it is known to be insecure. This significantly reduces the memory footprint of Jasper in development mode, provides a small performance improvement for error page generation and enables source quotes to continue to be provided after a Tomcat restart. Web applications Remove references to the Loader attribute searchExternalFirst from the documentation since the attribute is no longer supported.
Based on a patch by Christian Stöber. Patch provided by Igal Sapir. Other Restore the local definition of the web service annotations since the JRE provided versions are deprecated and Java 9 does not provide them by default.
Add the option to specify an alternative file name for the catalina. Also document that relative, as well as absolute, URLs are permitted. Respect the documentation statements that allow using the platform default secure random for session id generation. CORS filter should set Vary header in response.
Submitted by Rick Riemer. By default the log files will be kept 90 days as configured in logging. Based on a patch by Lucas Ventura Carro. Do not use '[' and ']' symbols around substituted text fragments when generating the default error pages. Patch provided by Katya Todorova. Allow the Manager and Host Manager web applications to start by default when running under a security manager.
This was accomplished by adding a custom permission, org. Polish the javadoc for o. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address. Based on a patch provided by Tetradeus.
Log a warning message rather than an information message if it takes more than ms to initialise a SecureRandom instance for a web application to use to generate session identifiers. Patch provided by Piotr Chlebda. When an asynchronous request is dispatched via AsyncContext.
Ensure that the charset name used in the Content-Type header has exactly the same form as that provided by the application. This reverts a behavioural change in 9. M21 that caused problems for some clients. Explicitly signal an empty request body for HTTP responses.
Improve error message when JSP compiler configuration options are not valid. Extend Jasper's trimSpaces option to add support for single which replaces template text that consists entirely of whitespace with a single space character.
Based on a patch by Meetesh Karia. When pre-compiling with JspC, report all compilation errors rather than stopping after the first error. A new option -failFast can be used to restore the previous behaviour of stopping after the first error. Based on a patch provided by Marc Pompl. TagLibraryInfo uri and j. TagLibraryInfo prefix fields should not be final. Correct a regression in the previous fix for that could trigger a deadlock depending on the locking strategy employed by the client code.
Web applications Better document the meaning of the trimSpaces option for Jasper. Clarify the code comments in the rewrite valve to make clear that there are no plans to provide proxy support for this valve since Tomcat does not have proxy capabilities. Document the altDDName attribute for the Context element. Issue reported via comments. Add missing Documented annotation to annotations in the annotations API.
General Allow to exclude JUnit test classes using the build property test. Catalina Review those places where Tomcat re-encodes a URI or URI component and ensure that the correct encoding (path differs from query string) is applied and that the encoding is applied consistently.
Add MIME mapping for woff2 fonts in the default web. Patch provided by Justin Williamson. Coyote When a TrustManager is configured that does not support certificateVerificationDepth only log a warning about that lack of support when certificateVerificationDepth has been explicitly set. Extend the fix for large headers to push requests.
Jasper When no BOM is present and an encoding is detected, do not skip the bytes used to detect the encoding since they are not part of a BOM.
Ensure that once the class is resolved by javax. ImportHandler resolveClass it will be cached with the proper name. AsyncChannelWrapperSecure are correctly reset even if some exceptions occurred during processing. Tribes Add features to get the statistics of the thread pool of the Receiver component and MessageDispatchInterceptor. These statistics information can be acquired via JMX.
Other Modify the Ant build script used to publish to a Maven repository so that it no longer requires artifacts to be GPG signed. Catalina Update the Servlet 4.
Refactor code so that explicitly referenced inner classes are given explicit names rather than being anonymous. Log a message that lists the components in the processing chain that do not support async processing when a call to ServletRequest. Since the class is used extensively in error handling, it is prudent to pre-load it to avoid any failure to load this class masking the true problem during error handling.
WriteListener registered then a call to javax. ReadListener registered then a call to javax. Improve the handling of access to properties defined by interfaces when a BeanELResolver is used under a SecurityManager. Correctly escape single quotes when used in i18n messages. Based on a patch by Michael Osipov. Refactor to avoid using some methods that will be deprecated in Java 9 onwards.
Ensure that Set-Cookie headers generated by the RfcCookieProcessor are aligned with the specification. Patch provided by Jim Griswold. Fix a NullPointerException when obtaining a RequestDispatcher for a request that will not have any pathInfo associated with it. This was a regression in the changes in 9.
M18 for the Servlet 4. Based on a patch by Didier Gutacker. Patch by Michael Osipov. Correctly spell compressible when used in configuration attributes and internal code. Fix sendfile processing error that could lead to subsequent requests experiencing an IllegalStateException. Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression.
Patch provided by Daniel Gray. Implement equals and hashCode in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. Refactor RealmBase for better code re-use when implementing Realms that use a custom Principal.
Various formatting and layout improvements for the ErrorReportValve. Patch provided by Michael Osipov. Remove the reason phrase when sending a response status for consistency with other response status lines. Improve performance of DefaultServlet when sendfile feature is disabled on connector. Patch provided by Aaron Anderson. When startStopThreads is 1 or a special value that is equivalent to 1 then rather than using an ExecutorService to start the children of the current component, the children will be started on the current thread.
Remove final marker from CorsFilter to enable sub-classing. Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed event was not being fired and an entry wasn't being made in the access logs. Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext. Make the separator Tomcat uses in the Tomcat specific war: URL protocol customizable via a system property.
The separator is equivalent to the use of the! Note that the Servlet 4. Correct a bug in the handling of JARs in unpacked WARs that meant multiple attempts to read the same entry from a JAR in succession would fail for the second and subsequent attempts.
Ensure that the Map returned by ServletRequest. Based on a patch provided by woosan. Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. The expectation is that configuration will be performed via a JSSE provider specific mechanisms. Expose a protected getter and setter for NioEndpoint.
Jasper Follow up to the fix for Correct a regression in the XML encoding detection refactoring carried out for 9. M16 that incorrectly always used the detected BOM encoding in preference to any encoding specified in the prolog. Patch provided by Svetlin Zarev. Other Spelling corrections provided by Josh Soref. Update all unit tests that test the HTTP status line to check for the required space after the status code. Coyote Ensure UpgradeProcessor instances associated with closed connections are removed from the map of current connections to Processors.
The original problem cannot be reproduced with the current code and the work-around is now causing problems. Follow up fix using a better variable name for the tag reuse flag. WebSocket Prevent potential processing loop on unexpected WebSocket connection closure.
Handle the case where the stored user credential uses a different key length than the length currently configured for the CredentialHandler. Based on a patch by Niklas Holm. Fix thread safety issue with RMI cleanup code. In particular, don't use PKCS12 as a default trust store type. Better document how the default trust store type is selected for a TLS virtual host.
Once a new size has been agreed for the dynamic HPACK table, the next header block must begin with a dynamic table update. WebSocket Correctly handle blocking WebSocket writes when the write times out just before the write is attempted.
Based upon a patch by Michael Osipov. Correct the format of the sample ISO date used to report the build date for the documentation. Other Increment version due to a local build configuration error with 9. M14 that wasn't caught until after digital signing had been completed. Signing requires unique names so a new tag was required. Add an available flag to realms, to indicate the state of the realm backend.
Update lockout realm to only register auth failures if the realm is available. Stop creating a default connector on start in embedded mode. Dispose of the GSS credential once it is no longer required. Provide a standard toString implementation for components that implement Contained.
Correct the javadoc for o. The default value is different for the different implementations. Duplicate code identified by the Simian tool. When expanding the buffer used for reading the request body, ensure the read position will be restored to the original one.
Implement support in the RewriteValve for symbolic names to specify the redirect code to use when returning a redirect response to the user agent. In the RewriteValve write empty capture groups as the empty string rather than as "null" when generating the re-written URL.
Ensure the response headers' buffer limit is reset to the capacity of this buffer when IOException occurs while writing the headers to the socket. Implement a more sophisticated pruning algorithm for removing closed streams from the priority tree to ensure that the tree does not grow too large.
This method returns null if no resource exists at the specified path. Meta-information such as content length and content type that is available via getResource method is lost when using this method. This method is different from java. This method allows servlet containers to make a resource available to a servlet from any location, without using a class loader. A RequestDispatcher object can be used to forward a request to the resource or to include the resource in a response.
The resource can be dynamic or static. Use getContext to obtain a RequestDispatcher for resources in foreign contexts. This method returns null if the ServletContext cannot return a RequestDispatcher. Servlets and JSP pages also may be given names via server administration or via a web application deployment descriptor.
A servlet instance can determine its name using ServletConfig getServletName. This method returns null if the ServletContext cannot return a RequestDispatcher for any reason. The name and type of the servlet log file is specific to the servlet container.
The name and type of the servlet log file is specific to the servlet container, usually an event log. The real path returned will be in a form appropriate to the computer and operating system on which the servlet container is running, including the proper path separators. This method returns null if the servlet container is unable to translate the given virtual path to a real path.
String getServerInfo Returns the name and version of the servlet container on which the servlet is running. This method can make available configuration information useful to an entire web application. For example, it can provide a webmaster's email address or the name of a system that holds critical data. An attribute allows a servlet container to give the servlet additional information not already provided by this interface.
See your server documentation for information about its attributes. A list of supported attributes can be retrieved using getAttributeNames. The attribute is returned as a java. Object or some subclass. Attribute names should follow the same convention as package names. Use the getAttribute java. String method with an attribute name to get the value of an attribute.
String setAttribute void setAttribute java. If the name specified is already used for an attribute, this method will replace the attribute with the new attribute. If listeners are configured on the ServletContext the container notifies them accordingly. If a null value is passed, the effect is the same as calling removeAttribute.
After removal, subsequent calls to getAttribute java. String to retrieve the attribute's value will return null. String getServletContextName Returns the name of this web application corresponding to this ServletContext as specified in the deployment descriptor for this web application by the display-name element.
The name of the web application or null if no name has been declared in the deployment descriptor. The registered servlet may be further configured via the returned ServletRegistration object.
The specified className will be loaded using the classloader associated with the application represented by this ServletContext. If this ServletContext already contains a preliminary ServletRegistration for a servlet with the given servletName, it will be completed by assigning the given className to it and returned.
This method introspects the class with the given className for the ServletSecurity, MultipartConfig, javax. RunAs, and javax. In addition, this method supports resource injection if the class with the given className represents a Managed Bean. If this ServletContext already contains a preliminary ServletRegistration for a servlet with the given servletName, it will be completed by assigning the class name of the given servlet instance to it and returned. If this ServletContext already contains a preliminary ServletRegistration for a servlet with the given servletName, it will be completed by assigning the name of the given servletClass to it and returned.
In addition, this method supports resource injection if the given servletClass represents a Managed Bean. The returned Servlet instance may be further customized before it is registered with this ServletContext via a call to addServlet String,Servlet. The given Servlet class must define a zero argument constructor, which is used to instantiate it. This method introspects the given clazz for the following annotations: ServletSecurity, MultipartConfig, javax.
In addition, this method supports resource injection if the given clazz represents a Managed Bean. ServletException - if the given clazz fails to be instantiated UnsupportedOperationException - if this ServletContext was passed to the ServletContextListener contextInitialized method of a ServletContextListener that was neither declared in web. The returned Map includes the ServletRegistration objects corresponding to all declared and annotated servlets, as well as the ServletRegistration objects corresponding to all servlets that have been added via one of the addServlet methods.
If permitted, any changes to the returned Map must not affect this ServletContext. Map of the complete and preliminary ServletRegistration objects corresponding to all servlets currently registered with this ServletContext Throws: The registered filter may be further configured via the returned FilterRegistration object. If this ServletContext already contains a preliminary FilterRegistration for a filter with the given filterName, it will be completed by assigning the given className to it and returned.
This method supports resource injection if the class with the given className represents a Managed Bean.
If this ServletContext already contains a preliminary FilterRegistration for a filter with the given filterName, it will be completed by assigning the class name of the given filter instance to it and returned. If this ServletContext already contains a preliminary FilterRegistration for a filter with the given filterName, it will be completed by assigning the name of the given filterClass to it and returned. This method supports resource injection if the given filterClass represents a Managed Bean.
The returned Filter instance may be further customized before it is registered with this ServletContext via a call to addFilter String,Filter. The given Filter class must define a zero argument constructor, which is used to instantiate it. This method supports resource injection if the given clazz represents a Managed Bean.
The returned Map includes the FilterRegistration objects corresponding to all declared and annotated filters, as well as the FilterRegistration objects corresponding to all filters that have been added via one of the addFilter methods.