| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| |
| <!-- DTD is used to validate changelog structure at build time. BZ 64931. --> |
| |
| <!ELEMENT document (project?, properties, body)> |
| <!ATTLIST document url CDATA #REQUIRED> |
| |
| <!-- body and title are used both in project.xml and in this document --> |
| <!ELEMENT body ANY> |
| <!ELEMENT title (#PCDATA)> |
| |
| <!-- Elements of project.xml --> |
| <!ELEMENT project (title, logo, body)> |
| <!ATTLIST project name CDATA #REQUIRED> |
| <!ATTLIST project href CDATA #REQUIRED> |
| |
| <!ELEMENT logo (#PCDATA)> |
| <!ATTLIST logo href CDATA #REQUIRED> |
| |
| <!ELEMENT menu (item+)> |
| <!ATTLIST menu name CDATA #REQUIRED> |
| |
| <!ELEMENT item EMPTY> |
| <!ATTLIST item name CDATA #REQUIRED> |
| <!ATTLIST item href CDATA #REQUIRED> |
| |
| <!-- Elements of this document --> |
| <!ELEMENT properties (author*, title, no-comments) > |
| <!ELEMENT author (#PCDATA)> |
| <!ATTLIST author email CDATA #IMPLIED> |
| <!ELEMENT no-comments EMPTY> |
| |
| <!ELEMENT section (subsection)*> |
| <!ATTLIST section name CDATA #REQUIRED> |
| <!ATTLIST section rtext CDATA #IMPLIED> |
| |
| <!ELEMENT subsection (changelog+)> |
| <!ATTLIST subsection name CDATA #REQUIRED> |
| |
| <!ELEMENT changelog (add|update|fix|scode|docs|design)*> |
| <!ELEMENT add ANY> |
| <!ELEMENT update ANY> |
| <!ELEMENT fix ANY> |
| <!ELEMENT scode ANY> |
| <!ELEMENT docs ANY> |
| <!ELEMENT design ANY> |
| |
| <!ELEMENT bug (#PCDATA)> |
| <!ELEMENT rev (#PCDATA)> |
| <!ELEMENT pr (#PCDATA)> |
| |
| <!-- Random HTML markup tags. Add more here as needed. --> |
| <!ELEMENT a (#PCDATA)> |
| <!ATTLIST a href CDATA #REQUIRED> |
| <!ATTLIST a rel CDATA #IMPLIED> |
| |
| <!ELEMENT b (#PCDATA)> |
| <!ELEMENT code (#PCDATA)> |
| <!ELEMENT em (#PCDATA)> |
| <!ELEMENT strong (#PCDATA)> |
| <!ELEMENT tt (#PCDATA)> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix/scode/docs/design. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues (i.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 11.0.0-M20 (markt)" rtext="in development"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Deprecate and remove <code>sessionCounter</code> (replaced by the |
| addition of the active session count and the expired session count, |
| as a reasonable approximation) and <code>duplicates</code> (which |
| does not represent a possible event in current implementations) |
| statistics from the session manager. (remm) |
| </update> |
| <fix> |
| <bug>68890</bug> Align output encoding of JSPs in the Manager webapp |
| with the XML declarations in those same files. (schultz) |
| </fix> |
| <fix> |
| Update Basic authentication to implement the requirements of RFC 7617 |
| including the removal of the <code>trimCredentials</code> setting which |
| is now hard-coded to <code>false</code>. (markt) |
| </fix> |
| <add> |
| Small performance optimization when logging cookies with no values. |
| (schultz) |
| </add> |
| <fix> |
| Correct error handling for asynchronous requests. If the application |
| performs a dispatch during <code>AsyncListener.onError()</code> the |
| dispatch is now performed rather than completing the request using the |
| error page mechanism. (markt) |
| </fix> |
| <add> |
| Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable |
| style. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Add OpenSSL FFM classes to <code>tomcat-embed-core.jar</code>. (remm) |
| </fix> |
| <fix> |
| Align non-secure and secure writes with NIO and skip the write attempt |
| when there are no bytes to be written. (markt) |
| </fix> |
| <fix> |
| Allow any positive value for <code>socket.unlockTimeout</code>. If a |
| negative or zero value is configured, the default of <code>250ms</code> |
| will be used. (mark) |
| </fix> |
| <fix> |
| Reduce the time spent waiting for the connector to unlock. The previous |
| default of 10s was noticeably too long for cases where the unlock has |
| failed. The wait time is now 100ms plus twice |
| <code>socket.unlockTimeout</code>. (markt) |
| </fix> |
| <fix> |
| Ensure that the <code>onAllDataRead()</code> event is triggered when the |
| request body uses chunked encoding and is read using non-blocking IO. |
| (markt) |
| </fix> |
| <fix> |
| <bug>68934</bug>: Add debug logging in the latch object when exceeding |
| <code>maxConnections</code>. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Switch to using the Base64 encoder and decoder provided by the JRE |
| rather than the version provided by Commons Codec. This removes the |
| internal fork of Commons Codec. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M19 (remm)" rtext="2024-04-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Add <code>highConcurrencyStatus</code> attribute to the |
| <code>SemaphoreValve</code> to optionally allow the valve to return an |
| error status code to the client when a permit cannot be acquired from |
| the semaphore. (remm) |
| </update> |
| <add> |
| Add checking of the "age" of the running Tomcat instance since its |
| build-date to the SecurityListener, and log a warning if the server |
| is old. (schultz) |
| </add> |
| <fix> |
| When using the <code>AsyncContext</code>, throw an |
| <code>IllegalStateException</code>, rather than allowing a |
| <code>NullPointerException</code>, if an attempt is made to use the |
| <code>AsyncContext</code> after it has been recycled. (markt) |
| </fix> |
| <add> |
| Add a default implementation for <code>HttpSession.getAccessor()</code> |
| to align with the Servlet 6.1 API. (markt) |
| </add> |
| <add> |
| Add the Jakarta EE 11 XML schemas and update Tomcat and included web |
| applications to use them. (markt) |
| </add> |
| <fix> |
| Change the thread-safety mechanism for protecting StandardServer.services |
| from a simple synchronized lock to a ReentrantReadWriteLock to allow |
| multiple readers to operate simultaneously. Based upon a suggestion by |
| Markus Wolfe. (schultz) |
| </fix> |
| <fix> |
| Improve Service connectors, Container children and Service executors |
| access sync using a ReentrantReadWriteLock. (remm) |
| </fix> |
| <fix> |
| Improve handling of integer overflow if an attempt is made to upload a |
| file via the Servlet API and the file is larger than |
| <code>Integer.MAX_VALUE</code>. (markt) |
| </fix> |
| <fix> |
| <bug>68862</bug>: Handle possible response commit when processing read |
| errors. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Add <code>threadsMaxIdleTime</code> attribute to the endpoint, |
| to allow configuring the amount of time before an internal executor |
| will scale back to the configured <code>minSpareThreads</code> size. |
| (remm) |
| </fix> |
| <update> |
| Adjust the <code>Set-Cookie</code> header generated by the |
| <code>Rfc6265CookieProcessor</code> so that attributes with a value of |
| the empty string will be output as bare attribute names without an |
| equals sign or value. This will simplify future support for similar new |
| attributes by removing the need for special handling. (markt) |
| </update> |
| <scode> |
| Refactor the internal representation of the <code>HttpOnly</code> and |
| <code>Secure</code> attributes to use the empty string as the value for |
| consistency with the recent changes to <code>Set-Cookie</code> header |
| generation. (markt) |
| </scode> |
| <fix> |
| Do not generate the <code>Max-Age</code> attribute for |
| <code>Set-Cookie</code> headers associated with cookies that have been |
| configured with a <code>Max-Age</code> value of zero as RFC 6265 does |
| not permit a value of zero in this case. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the support for user provided |
| <code>SSLContext</code> instances that broke the |
| <code>org.apache.catalina.security.TLSCertificateReloadListener</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Handle the case where the JSP engine forwards a request/response to a |
| Servlet that uses an <code>OutputStream</code> rather than a |
| <code>Writer</code>. This was triggering an |
| <code>IllegalStateException</code> on code paths where there was a |
| subsequent attempt to obtain a <code>Writer</code>. (markt) |
| </fix> |
| <fix> |
| Correctly handle the case where a tag library is packaged in a JAR file |
| and the web application is deployed as a WAR file rather than an |
| unpacked directory. (markt) |
| </fix> |
| <fix> |
| Prevent the web application's ClassLoader from being pinned by the JSP |
| compiler if an application uses a custom XMLInputFactory. Based upon a |
| suggestion from Simon Niederberger. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update Checkstyle to 10.14.1. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons BCEL to 6.8.2. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons Codec to 1.16.1. (markt) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (remm) |
| </add> |
| <add> |
| Improvements to Chinese translations by leeyazhou. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M18 (markt)" rtext="2024-03-14"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Reduce the minimum supported Java version to Java 17. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Minor performance improvement for building filter chains. Based on |
| ideas from <pr>702</pr> by Luke Miao. (remm) |
| </fix> |
| <fix> |
| Align error handling for <code>Writer</code> and |
| <code>OutputStream</code>. Ensure use of either once the response has |
| been recycled triggers a <code>NullPointerException</code> provided that |
| <code>discardFacades</code> is configured with the default value of |
| <code>true</code>. (markt) |
| </fix> |
| <fix> |
| <bug>68692</bug>: The standard thread pool implementations that are |
| configured using the <code>Executor</code> element now implement |
| <code>ExecutorService</code> for better NIO2 support. The |
| <code>org.apache.catalina.Executor</code> interface now extends |
| <code>ExecutorService</code>. (remm) |
| </fix> |
| <fix> |
| <bug>68495</bug>: When restoring a saved POST request after a successful |
| FORM authentication, ensure that neither the URI, the query string nor |
| the protocol are corrupted when restoring the request body. (markt) |
| </fix> |
| <fix> |
| After forwarding a request, attempt to unwrap the response in order to |
| suspend it, instead of simply closing it if it was wrapped. Add a new |
| <code>suspendWrappedResponseAfterForward</code> boolean attribute on |
| <code>Context</code> to control the behavior, defaulting to |
| <code>true</code>. (remm) |
| </fix> |
| <fix> |
| <bug>68721</bug>: Work around a possible cause of duplicate class |
| definitions when using <code>ClassFileTransformer</code>s and the |
| transformation of a class also triggers the loading of the same class. |
| (markt) |
| </fix> |
| <fix> |
| The rewrite valve should not do a rewrite if the output is identical |
| to the input. (remm) |
| </fix> |
| <update> |
| Add a new <code>valveSkip</code> (or <code>VS</code>) rule flag to the |
| rewrite valve to allow skipping over the next valve in the Catalina |
| pipeline. (remm) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix bad symbol lookup use in the OpenSSL FFM code. (remm) |
| </fix> |
| <fix> |
| Improve the HTTP/2 stream prioritisation process. If a stream uses all |
| of the connection windows and still has content to write, it will now be |
| added to the backlog immediately rather than waiting until the write |
| attempt for the remaining content. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add method invocation support for <code>java.util.Optional</code> via |
| the <code>jakarta.el.OptionalELResolver</code> to Tomcat's |
| implementation of the Jakarta EL API to align with the latest proposals |
| for the Jakarta EL 6.0 API. The property support has also been refined |
| for greater consistency. (markt) |
| </add> |
| <update> |
| The defaults for <code>compilerSourceVM</code> and |
| <code>compilerTargetVM</code> have been updated to 17 to align with Java |
| 17 being the minimum Java version required for Tomcat 11. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| Avoid updating request count stats on async. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (markt) |
| </add> |
| <fix> |
| <bug>57130</bug>: Allow digest.(sh|bat) to accept password from a file |
| or stdin. (csutherl/schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M17 (markt)" rtext="2024-02-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Implement <code>HttpSession.getAccessor()</code> which provides a |
| mechanism for applications to interact with an <code>HttpSession</code> |
| outside the standard Servlet processing of an HTTP request. This is |
| expected to be especially useful with applications using the Jakarta |
| WebSocket API. (markt) |
| </add> |
| <fix> |
| Correct JPMS and OSGi meta-data for <code>tomcat-embed-core.jar</code> |
| by removing reference to <code>org.apache.catalina.ssi</code> package |
| that is no longer included in the JAR. Based on pull request |
| <pr>684</pr> by Jendrik Johannes. (markt) |
| </fix> |
| <fix> |
| Fix ServiceBindingPropertySource so that trailing <code>\r\n</code> |
| sequences are correctly removed from files containing property values |
| when configured to do so. Bug identified by Coverity Scan. (markt) |
| </fix> |
| <add> |
| Add improvements to the CSRF prevention filter including the ability |
| to skip adding nonces for resource name and subtree URL patterns. (schultz) |
| </add> |
| <fix> |
| Review usage of debug logging and downgrade trace or data dumping |
| operations from debug level to trace. (remm) |
| </fix> |
| <fix> |
| <bug>68089</bug>: Further improve the performance of request attribute |
| access for <code>ApplicationHttpRequest</code> and |
| <code>ApplicationRequest</code>. (markt) |
| </fix> |
| <fix> |
| <bug>68559</bug>: Allow asynchronous error handling to write to the |
| response after an error during asynchronous processing. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Setting a <code>null</code> value for a cookie attribute should remove |
| the attribute. (markt) |
| </fix> |
| <fix> |
| Optimize state handling for OpenSSL context callbacks with the FFM API. |
| (remm) |
| </fix> |
| <fix> |
| Make asynchronous error handling more robust. Ensure that once a |
| connection is marked to be closed, further asynchronous processing |
| cannot change that. (markt) |
| </fix> |
| <fix> |
| Make asynchronous error handling more robust. Ensure that once the call |
| to <code>AsyncListener.onError()</code> has returned to the container, |
| only container threads can access the <code>AsyncContext</code>. This |
| protects against various race conditions that would otherwise occur if |
| application threads continued to access the <code>AsyncContext</code>. |
| </fix> |
| <fix> |
| Review usage of debug logging and downgrade trace or data dumping |
| operations from debug level to trace. In particular, most of the |
| HTTP/2 debug logging has been changed to trace level. (remm) |
| </fix> |
| <fix> |
| Add support for user provided <code>SSLContext</code> instances |
| configured on <code>SSLHostConfigCertificate</code> instances. Based on |
| pull request <pr>673</pr> provided by Hakan Altındağ. (markt) |
| </fix> |
| <fix> |
| Partial fix for <bug>68558</bug>: Cache the result of converting to |
| <code>String</code> for request URI, HTTP header names and the request |
| <code>Content-Type</code> value to improve performance by reducing |
| repeated <code>byte[]</code> to <code>String</code> conversions. (markt) |
| </fix> |
| <fix> |
| Improve error reporting to HTTP/2 clients for header processing errors |
| by reporting problems at the end of the frame where the error was |
| detected rather than at the end of the headers. (markt) |
| </fix> |
| <fix> |
| Remove the remaining reference to a stream once the stream has been |
| recycled. This makes the stream eligible for garbage collection earlier |
| and thereby improves scalability. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Additional fixes to correctly support <code>length</code> as a read-only |
| property of an array via the <code>ArrayELResolver</code>. (markt) |
| </fix> |
| <fix> |
| <bug>68546</bug>: Generate optimal size and types for JSP imports maps, |
| as suggested by John Engebretson. (remm) |
| </fix> |
| <fix> |
| Review usage of debug logging and downgrade trace or data dumping |
| operations from debug level to trace. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct a regression in the fix for <bug>66508</bug> that could cause an |
| <code>UpgradeProcessor</code> leak in some circumstances. (markt) |
| </fix> |
| <fix> |
| Review usage of debug logging and downgrade trace or data dumping |
| operations from debug level to trace. (remm) |
| </fix> |
| <fix> |
| Ensure that WebSocket connection closure completes if the connection is |
| closed when the server side has used the proprietary suspend/resume |
| feature to suspend the connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Add support for responses in JSON format from the examples application |
| RequestHeaderExample. (schultz) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct the remaining OSGi contract references in the manifest files to |
| refer to the Jakarta EE contract names rather than the Java EE contract |
| names. Based on pull request <pr>685</pr> provided by Paul A. Nicolucci. |
| (markt) |
| </fix> |
| <update> |
| Update Checkstyle to 10.13.0. (markt) |
| </update> |
| <update> |
| Update JSign to 6.0. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Migration Tool for Jakarta EE |
| to 1.0.7. (markt) |
| </update> |
| <update> |
| Update Tomcat Native to 2.0.7. (markt) |
| </update> |
| <update> |
| Add strings for debug level messages. (remm) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M16 (markt)" rtext="2024-01-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Allow alternate redirect status code for directory redirects issued by |
| the default servlet via the init param |
| <code>directoryRedirectStatusCode</code>. (funkman/markt) |
| </add> |
| <update> |
| <bug>68378</bug>: Align extension to MIME type mappings in the global |
| web.xml with those in httpd by adding |
| <code>application/vnd.geogebra.slides</code> for <code>ggs</code>, |
| <code>text/javascript</code> for <code>mjs</code> and |
| <code>audio/ogg</code> for opus. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Refactor the <code>VirtualThreadExecutor</code> so that it can be used |
| by the NIO2 connector which was using platform threads even when |
| configured to use virtual threads. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>67675</bug> that broke TLS key |
| file parsing for PKCS#8 format keys that do not specify an explicit |
| pseudo-random function and rely on the default. This typically affects |
| keys generated by OpenSSL 1.0.2. (markt) |
| </fix> |
| <fix> |
| Allow multiple operations with the same name on introspected mbeans, |
| fixing a regression caused by the introduction of a second |
| <code>addSslHostConfig</code> method. (remm) |
| </fix> |
| <fix> |
| Relax the check that the HTTP Host header is consistent with the host |
| used in the request line, if any, to make the check case insensitive |
| since host names are case insensitive. (markt) |
| </fix> |
| <add> |
| <bug>68348</bug>: Add support for the partitioned attribute for cookies |
| including session cookies. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| The defaults for <code>compilerSourceVM</code> and |
| <code>compilerTargetVM</code> have been updated to 21 to align with Java |
| 21 being the minimum Java version required for Tomcat 11. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| <bug>68035</bug>: Additional fix to the Manager application to enable |
| the deployment of a web application located in a Host's |
| <code>appBase</code> where the web application is specified by a bare |
| (no path) WAR or directory name as shown in the documentation. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to the Eclipse JDT compiler 4.30. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.12.7. (markt) |
| </update> |
| <update> |
| Update SpotBugs to 4.8.3. (markt) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M15 (markt)" rtext="2023-12-12"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Background processes should not be run concurrently with lifecycle |
| operations of a container. (remm) |
| </fix> |
| <add> |
| Add support for the <code>jakarta.servlet.request.secure_protocol</code> |
| request attribute that has been added in Jakarta Servlet 6.1. This |
| replaces the now deprecated Tomcat specific request attribute |
| <code>org.apache.tomcat.util.net.secure_protocol_version</code>. (markt) |
| </add> |
| <add> |
| Align behaviour with the latest addition to the Servlet 6.1 |
| specification that requires that all HTTP error dispatches use the GET |
| method. (markt) |
| </add> |
| <fix> |
| Correct unintended escaping of XML in some WebDAV responses. The XML |
| list of supported locks when provided in response to a PROPFIND request |
| was incorrectly XML escaped. (markt) |
| </fix> |
| <fix> |
| <bug>68227</bug>: Ensure that <code>AsyncListener.onComplete()</code> is |
| called if <code>AsyncListener.onError()</code> calls |
| <code>AsyncContext.dispatch()</code>. (markt) |
| </fix> |
| <fix> |
| <bug>68228</bug>: Use a 408 status code if a read timeout occurs during |
| HTTP request processing. Includes a test case based on code provided by |
| adwsingh. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Use Java code to load certificate chain when using OpenSSL through |
| the FFM API. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| <bug>68119</bug>: Refactor the <code>CompositeELResolver</code> to |
| improve performance during type conversion operations. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web Applications"> |
| <changelog> |
| <fix> |
| Examples. Improve the error handling so snakes associated with a user |
| that drops from the network are removed from the game. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 4.0.1. (remm) |
| </update> |
| <fix> |
| <bug>68124</bug>: Migrate sample.war from javax to jakarta. (lihan) |
| </fix> |
| <update> |
| Update UnboundID to 6.0.11. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.12.5. (markt) |
| </update> |
| <update> |
| Update SpotBugs to 4.8.2. (markt) |
| </update> |
| <update> |
| Update Derby to 10.17.1. (markt) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Brazilian Portuguese translations by John William |
| Vicente. (markt) |
| </add> |
| <add> |
| Improvements to Russian translations by usmazat and remm. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M14 (markt)" rtext="2023-11-15"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>67667</bug>: <code>TLSCertificateReloadListener</code> prints |
| unreadable rendering of <code>X509Certificate#getNotAfter()</code>. |
| (michaelo) |
| </fix> |
| <update> |
| The status servlet included in the manager webapp can now output |
| statistics as JSON, using the <code>JSON=true</code> URL parameter. |
| (remm) |
| </update> |
| <update> |
| Optionally allow ServiceBindingPropertySource to trim a trailing newline |
| from a file containing a property-value. (schultz) |
| </update> |
| <update> |
| Use Files.move instead of File.renameTo in the FarmWebDeployer to |
| support a broader range of environments, and to give better information |
| in the event of a failure. (schultz) |
| </update> |
| <fix> |
| <bug>67793</bug>: Ensure the original session timeout is restored after |
| FORM authentication if the user refreshes a page during the FORM |
| authentication process. Based on a suggestion by Mircea Butmalai. |
| (markt) |
| </fix> |
| <update> |
| <bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string |
| representation of ASN.1 OIDs. (michaelo) |
| </update> |
| <fix> |
| <bug>66875</bug>: Ensure that setting the request attribute |
| <code>jakarta.servlet.error.exception</code> is not sufficient to |
| trigger error handling for the current request and response. (markt) |
| </fix> |
| <fix> |
| <bug>68054</bug>: Avoid some file canonicalization calls introduced |
| by the fix for <bug>65433</bug>. (remm) |
| </fix> |
| <fix> |
| <bug>68089</bug>: Improve performance of request attribute access for |
| <code>ApplicationHttpRequest</code> and <code>ApplicationRequest</code>. |
| (markt) |
| </fix> |
| <fix> |
| Use a 400 status code to report an error due to a bad request (e.g. an |
| invalid trailer header) rather than a 500 status code. (markt) |
| </fix> |
| <fix> |
| Ensure that an <code>IOException</code> during the reading of the |
| request always triggers error handling, regardless of whether the |
| application swallows the exception. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <bug>66670</bug>: Add <code>SSLHostConfig#certificateKeyPasswordFile</code> and |
| <code>SSLHostConfig#certificateKeystorePasswordFile</code>. (michaelo) |
| </add> |
| <add> |
| When calling |
| <code>SSLHostConfigCertificate.setCertificateKeystore(ks)</code>, |
| automatically call |
| <code>setCertificateKeystoreType(ks.getType())</code>. (markt) |
| </add> |
| <add> |
| Add OpenSSL integration using the FFM API rather than Tomcat Native. |
| OpenSSL support may be enabled by adding the |
| <code>org.apache.catalina.core.OpenSSLLifecycleListener</code> |
| listener on the <code>Server</code> element when using Java 22 |
| (starting with preview build 20) or later. (remm) |
| </add> |
| <fix> |
| <bug>67628</bug>: Clarify how the <code>ciphers</code> attribute of the |
| <code>SSLHostConfig</code> is used. (markt) |
| </fix> |
| <fix> |
| <bug>67666</bug>: Ensure TLS connectors using PEM files either work with |
| the <code>TLSCertificateReloadListener</code> or, in the rare case that |
| they do not, log a warning on Connector start. (markt) |
| </fix> |
| <fix> |
| <bug>67675</bug>: Support a wider range of KDF and ciphers for PEM files |
| than the combinations supported by the JVM by default. Specifically, |
| support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) |
| </fix> |
| <fix> |
| <bug>67927</bug>: Reloading TLS configuration can cause the Connector to |
| refuse new connections or the JVM to crash. (markt) |
| </fix> |
| <fix> |
| <bug>67938</bug>: Correct handling of large TLS client hello messages |
| that were causing the TLS handshake to fail. (markt) |
| </fix> |
| <fix> |
| <bug>68026</bug>: Convert selected <code>MessageByte</code> values to |
| String when first accessed to speed up subsequent accesses and reduce |
| garbage collection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add support for Records to expression language. (markt) |
| </add> |
| <fix> |
| <bug>68068</bug>: Performance improvement for EL. Based on a suggestion |
| by John Engebretson. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct missing metadata in the MANIFEST of the WebSocket client API |
| JAR file. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>68035</bug>: Correct a regression in the fix for <bug>56248</bug> |
| that prevented deployment via the Manager of a WAR or directory that was |
| already present in the <code>appBase</code> or a context file that was |
| already present in the <code>xmlBase</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| <bug>67538</bug>: Make use of Ant's <code><javaversion /></code> task |
| to enforce the minimum Java build version. (michaelo) |
| </add> |
| <update> |
| Update Checkstyle to 10.12.4. (markt) |
| </update> |
| <update> |
| Update JaCoCo to 0.8.11. (markt) |
| </update> |
| <update> |
| Update SpotBugs to 4.8.0. (markt) |
| </update> |
| <update> |
| Update BND to 7.0.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M13 (markt)" rtext="2023-10-14"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>67670</bug>: Fix regression with HTTP compression after code |
| refactoring. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>67664</bug>: Correct a regression in the clean-up of unnecessary |
| use of fully qualified class names in 11.0.0-M12 that broke the |
| jdbc-pool. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M12 (markt)" rtext="2023-10-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>65770</bug>: Provide a lifecycle listener that will automatically |
| reload TLS configurations a set time before the certificate is due to |
| expire. This is intended to be used with third-party tools that |
| regularly renew TLS certificates. (markt) |
| </add> |
| <fix> |
| Fix handling of an error reading a context descriptor on deployment. |
| (remm) |
| </fix> |
| <fix> |
| Fix rewrite rule qsd (query string discard) being ignored if qsa was |
| also used, while it should instead take precedence. (remm) |
| </fix> |
| <fix> |
| <bug>67472</bug>: Send fewer CORS-related headers when CORS is not |
| actually being engaged. (schultz) |
| </fix> |
| <add> |
| Improve handling of failures within <code>recycle()</code> methods. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>67198</bug>: Ensure that the AJP connector attribute |
| <code>tomcatAuthorization</code> takes precedence over the |
| <code>tomcatAuthentication</code> attribute when processing an |
| <code>auth_type</code> attribute received from a proxy server. (markt) |
| </fix> |
| <fix> |
| <bug>67235</bug>: Fix a <code>NullPointerException</code> when an |
| <code>AsyncListener</code> handles an error with a dispatch rather than |
| a complete. (markt) |
| </fix> |
| <fix> |
| When an error occurs during asynchronous processing, ensure that the |
| error handling process is only triggered once per asynchronous cycle. |
| (markt) |
| </fix> |
| <fix> |
| Fix logic issue trying to match no argument method in IntrospectionUtils. |
| (remm) |
| </fix> |
| <fix> |
| Improve thread safety around readNotify and writeNotify in the NIO2 |
| endpoint. (remm) |
| </fix> |
| <fix> |
| Avoid rare thread safety issue accessing message digest map. (remm) |
| </fix> |
| <fix> |
| Improve statistics collection for upgraded connections under load. |
| (remm) |
| </fix> |
| <update> |
| <code>PushBuilder</code> has been deprecated in line with the changes |
| for the Servlet 6.1 specification. It will be replaced in a future |
| Tomcat 11 milestone with support for 103 early hints. (markt) |
| </update> |
| <update> |
| Remove support for HTTP/2 server push. Calls to |
| <code>newPushBuilder()</code> will always return <code>null</code>. |
| (markt) |
| </update> |
| <fix> |
| Align validation of HTTP trailer fields with standard fields. (markt) |
| </fix> |
| <fix> |
| Improvements to HTTP/2 overhead protection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>67080</bug>: Improve performance of EL expressions in JSPs that use |
| implicit objects. Based on suggestions by John Engebretson, Anurag Dubey |
| and Christopher Schultz. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the internal fork of Apache Commons FileUpload to 7a8c324 |
| (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x |
| branch requiring additional Commons IO dependencies, Tomcat has switched |
| to tracking the 1.x branch. (markt) |
| </update> |
| <add> |
| Add the <code>Bundle-License</code> header to the JAR manifest for all |
| Tomcat JARs. (markt) |
| </add> |
| <update> |
| Update to the Eclipse JDT compiler 4.29. (markt) |
| </update> |
| <update> |
| Update UnboundID to 6.0.10. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.12.3. (markt) |
| </update> |
| <update> |
| Update Tomcat Native to 2.0.6. (markt) |
| </update> |
| <update> |
| Update Commons Pool to 2.12.0. (markt) |
| </update> |
| <fix> |
| <bug>67611</bug>: Correct the download link in BUILDING.txt. (lihan) |
| </fix> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Russian translations by usmazat. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M11 (markt)" rtext="2023-08-25"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| If an application or library sets both a non-500 error code and the |
| <code>jakarta.servlet.error.exception</code> request attribute, use the |
| provided error code during error page processing rather than assuming an |
| error code of 500. (markt) |
| </fix> |
| <fix> |
| Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes |
| and KiB for 1024 bytes rather than MB and kB. (markt) |
| </fix> |
| <add> |
| Update the HTTP parameter handling to align with the changes in the |
| Jakarta Servlet 6.1 API Javadoc for the <code>ServletRequest</code> |
| methods used to obtain request parameters. Invalid parameters and/or |
| exceeding parameter size and/or quantity limits now trigger |
| exceptions. As a consequence, the <code>FailedRequestFilter</code> has |
| been removed. (markt) |
| </add> |
| <fix> |
| Avoid protocol relative redirects in FORM authentication. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Documentation. Update documentation to use MiB for 1024 * 1024 bytes and |
| KiB for 1024 bytes rather than MB and kB. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to Chinese translations. (lihan) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations by tak7iji. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M10 (markt)" rtext="2023-08-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Fix potential database connection leaks in |
| <code>DataSourceUserDatabase</code> identified by Coverity Scan. (markt) |
| </fix> |
| <fix> |
| Make parsing of <code>ExtendedAccessLogValve</code> patterns more |
| robust. (markt) |
| </fix> |
| <fix> |
| Fix failure trying to persist configuration for an internal credential |
| handler. (remm) |
| </fix> |
| <fix> |
| <bug>66680</bug>: When serializing a session during the session |
| persistence process, do not log a warning that null Principals are not |
| serializable. Pull request <pr>638</pr> provided by tsryo. (markt) |
| </fix> |
| <fix> |
| <bug>66822</bug>: Use the same naming format in log messages for |
| Connector instances as the associated ProtocolHandler instance. (markt) |
| </fix> |
| <fix> |
| The parts count should also lower the actual |
| <code>maxParameterCount</code> used for parsing parameters if parts are |
| parsed first. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Refactor blocking reads and writes for the NIO connector to remove |
| code paths that could allow a notification from the Poller to be missed |
| resulting in a timeout rather than the expected read or write. (markt) |
| </fix> |
| <fix> |
| Refactor waiting for an HTTP/2 stream or connection window update to |
| handle spurious wake-ups during the wait. (markt) |
| </fix> |
| <update> |
| Improve extensibility of endpoints for socket channel creation and TLS. |
| Pull request <pr>639</pr> provided by Marco Fargetta. (remm) |
| </update> |
| <fix> |
| Correct a regression introduced in 11.0.0-M9 and use the correct |
| constant when constructing the default value for the |
| <code>certificateKeystoreFile</code> attribute of an |
| <code>SSLHostConfigCertificate</code> instance. (markt) |
| </fix> |
| <scode> |
| Refactor HTTP/2 implementation to reduce pinning when using virtual |
| threads. (markt) |
| </scode> |
| <fix> |
| Pass through ciphers referring to an OpenSSL profile, such as |
| <code>PROFILE=SYSTEM</code> instead of producing an error trying to |
| parse it. (remm) |
| </fix> |
| <fix> |
| <bug>66841</bug>: Ensure that <code>AsyncListener.onError()</code> is |
| called after an error during asynchronous processing with HTTP/2. |
| (markt) |
| </fix> |
| <fix> |
| <bug>66842</bug>: When using asynchronous I/O (the default), include |
| DATA frames when calculating the HTTP/2 overhead count to ensure that |
| connections are not prematurely terminated. (markt) |
| </fix> |
| <fix> |
| Correct a race condition that could cause spurious RST messages to be |
| sent after the response had been written to an HTTP/2 stream. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>66681</bug>: Fix a <code>NullPointerException</code> when flushing |
| batched messages with compression enabled using |
| <code>permessage-deflate</code>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| Fix <code>releaseIdleCounter</code> not being incremented when testAllIdle |
| releases idle connections. Pull request <pr>241</pr> provided by Arun |
| Chaitanya Miriappalli. (lihan) |
| </fix> |
| <fix> |
| Fix the <code>ConnectionState</code> state becoming inconsistent with the |
| actual state of the connection when an exception occurs while writing. Pull |
| request <pr>643</pr> provided by Wenjun Xiao. (lihan) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update NSIS to 3.0.9. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.12.2. (markt) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations. Contributed by tak7iji and |
| Shirayuking. (markt) |
| </add> |
| <fix> |
| <bug>66829</bug>: Fix quoting so users can use the <code>_RUNJAVA</code> |
| environment variable as intended on Windows when the path to the Java |
| executable contains spaces. (markt) |
| </fix> |
| <fix> |
| <bug>66834</bug>: Correct the OSGi contract references in the manifest |
| files to refer to the Jakarta EE contract names rather than the Java EE |
| contract names. (markt) |
| </fix> |
| <update> |
| Update Tomcat Native to 2.0.5. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M9 (markt)" rtext="2023-07-10"> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct properties for JSign dependency. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M8 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| <bug>59232</bug>: Add |
| <code>org.apache.catalina.core.ContextNamingInfoListener</code>, |
| a listener which creates context naming information environment entries. |
| (michaelo) |
| </add> |
| <add> |
| <bug>66665</bug>: Add |
| <code>org.apache.catalina.core.PropertiesRoleMappingListener</code>, |
| a listener which populates the context's role mapping from a properties |
| file. (michaelo) |
| </add> |
| <fix> |
| Fix an edge case where intra-web application symlinks would be followed |
| if the web applications were deliberately crafted to allow it even when |
| <code>allowLinking</code> was set to <code>false</code>. (markt) |
| </fix> |
| <update> |
| Add utility config file resource lookup on <code>Context</code> to allow |
| looking up resources from the webapp (prefixed with |
| <code>webapp:</code>) and make the resource lookup API more visible. |
| (remm) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>66627</bug>: Restore the documented behaviour of |
| <code>MessageBytes.getType()</code> that it returns the type of the |
| original content rather than reflecting the most recent conversion. |
| (markt) |
| </fix> |
| <fix> |
| <bug>66635</bug>: Correct certificate logging on start-up so it |
| differentiates between keystore based keys/certificates and PEM file |
| based keys/certificates and logs the relevant information for each. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add <code>java.util.Optional</code> support via the |
| <code>jakarta.el.OptionalELResolver</code> to Tomcat's implementation |
| of the Jakarta EL API to align with the latest proposals for the Jakarta |
| EL 6.0 API. (markt) |
| </add> |
| <add> |
| Add support for specifying Java 22 (with the value <code>22</code>) as |
| the compiler source and/or compiler target for JSP compilation. If used |
| with an Eclipse JDT compiler version that does not support these values, |
| a warning will be logged and the default will be used. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Improve handling of error conditions for the WebSocket server, |
| particularly during Tomcat shutdown. (markt) |
| </fix> |
| <fix> |
| Correct a regression in the fix for <bug>66574</bug> that meant the |
| WebSocket session could return false for <code>onOpen()</code> before |
| the <code>onClose()</code> event had been completed. (markt) |
| </fix> |
| <add> |
| Update the WebSocket API provided by Tomcat to align with the latest |
| proposals from the Jakarta WebSocket project and make the WebSocket |
| <code>Session</code> instance available via <code>SendResult</code>. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <add> |
| Documentation. Expand the security guidance to cover the embedded use |
| case and add notes on the uses made of the <code>java.io.tmpdir</code> |
| system property. (markt) |
| </add> |
| <fix> |
| <bug>66662</bug>: Documentation. Fix a typo in the name of the |
| <strong>algorithms</strong> attribute in the configuration section for |
| the Digest authentication valve. Pull request <pr>629</pr> provided by |
| gohilmca. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Include the Windows specific binary distributions in the files uploaded |
| to Maven Central. (markt) |
| </add> |
| <update> |
| Remove support for running Tomcat on 32-bit Windows operating systems as |
| Java 21 is not available for that platform. (markt) |
| </update> |
| <add> |
| Improvements to Japanese translations. Contributed by tak7iji. (markt) |
| </add> |
| <update> |
| Update to the Eclipse JDT compiler 4.28. (markt) |
| </update> |
| <update> |
| Update UnboundID to 6.0.9. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.12.1. (markt) |
| </update> |
| <update> |
| Update BND to 6.4.1. (markt) |
| </update> |
| <update> |
| Update JSign to 5.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M7 (markt)" rtext="2023-06-08"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Increase the minimum supported Java version to Java 21. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Move the management of the utility executor from the |
| <code>init()</code>/<code>destroy()</code> methods of components to the |
| <code>start()</code>/<code>stop()</code> methods. (markt) |
| </scode> |
| <add> |
| Add RateLimitFilter which can be used to mitigate DoS and Brute Force |
| attacks. (isapir) |
| </add> |
| <scode> |
| Remove support for using the <code>^</code> character to separate the |
| WAR file and WAR contents in Tomcat's custom WAR URL handler. The |
| current default separator character of <code>*</code> remains unchanged. |
| (markt) |
| </scode> |
| <add> |
| Add <code>org.apache.catalina.core.StandardVirtualThreadExecutor</code>, |
| a virtual thread based executor that may be used with one or more |
| Connectors to process requests received by those Connectors using |
| virtual threads. (markt) |
| </add> |
| <fix> |
| <bug>66513</bug>: Add a per session Semaphore to the |
| <code>PersistentValve</code> that ensures that, within a single Tomcat |
| instance, there is no more than one concurrent request per session. Also |
| expand the debug logging to include whether a request bypasses the Valve |
| and the reason if a request fails to obtain the per session Semaphore. |
| (markt) |
| </fix> |
| <fix> |
| <bug>66609</bug>: Ensure that the default servlet correctly escapes |
| file names in directory listings when using XML output. Based on pull |
| request <pr>621</pr> by Alex Kachanov. (markt) |
| </fix> |
| <add> |
| <bug>66618</bug>: Add a numeric last modified field to the XML directory |
| listings produced by the default servlet to enable sorting in the XSLT. |
| Pull request <pr>622</pr> by Alex Kachanov. (markt) |
| </add> |
| <fix> |
| <bug>66621</bug>: Attempts to lock a collection with WebDAV may |
| incorrectly fail if a child collection has an expired lock. (markt) |
| </fix> |
| <fix> |
| <bug>66622</bug>: Remove the <code>xssProtectionEnabled</code> setting |
| from the <code>HttpHeaderSecurityFilter</code> as support for the |
| associated HTTP header has been removed from all major browsers. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>66602</bug>: not sending WINDOW_UPDATE when dataLength is ZERO |
| on call SwallowedDataFramePayload. Pull request <pr>619</pr> by |
| ledefe. (lihan) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Commons Daemon 1.3.4. (markt) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <update> |
| Update Checkstyle to 10.12.0. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Apache Tomcat Native Library to 2.0.4 |
| to pick up the Windows binaries built with OpenSSL 3.0.9. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M6 (markt)" rtext="2023-05-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>66567</bug>: Fix missing <code>IllegalArgumentException</code> |
| after the Tomcat code was converted to using URI instead of URL. (remm) |
| </fix> |
| <fix> |
| Escape timestamp output in <code>AccessLogValve</code> if a |
| <code>SimpleDateFormat</code> is used which contains verbatim |
| characters that need escaping. (rjung) |
| </fix> |
| <update> |
| Change output of vertical tab in <code>AccessLogValve</code> from |
| <code>\v</code> to <code>\u000b</code>. (rjung) |
| </update> |
| <update> |
| Improve performance of escaping in <code>AccessLogValve</code> |
| roughly by a factor of two. (rjung) |
| </update> |
| <update> |
| Improve <code>JsonAccessLogValve</code>: support more patterns, |
| such as those for headers and attributes. Those will be logged as sub objects. |
| (rjung) |
| </update> |
| <fix> |
| <pr>613</pr>: Fix possible partial corrupted file copies when using |
| file locking protection or the manager servlet. Submitted |
| by Jack Shirazi. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Add support for a new character set, <code>gb18030-2022</code> - |
| introduced in Java 21, to the character set caching mechanism. (markt) |
| </add> |
| <fix> |
| Fix an edge case in HTTP header parsing and ensure that HTTP headers |
| without names are treated as invalid. (markt) |
| </fix> |
| <update> |
| Remove support for the HTTP Connector settings |
| <code>rejectIllegalHeader</code> and |
| <code>allowHostHeaderMismatch</code>. These are now hard-coded to the |
| previous defaults. (markt) |
| </update> |
| <fix> |
| <bug>66591</bug>: Fix a regression introduced in the fix for |
| <bug>66512</bug> that meant that an AJP Send Headers was not sent for |
| responses where no HTTP headers were set. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>66582</bug>: Account for EL having stricter requirements for static |
| imports than JSPs when adding JSP static imports to the EL context. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>66574</bug>: Refactor WebSocket session close to remove the lock on |
| the <code>SocketWrapper</code> which was a potential cause of deadlocks |
| if the application code used simulated blocking. (markt) |
| </fix> |
| <fix> |
| <bug>66575</bug>: Avoid unchecked use of the backing array of a |
| buffer provided by the user in the compression transformation. (remm) |
| </fix> |
| <fix> |
| Improve exception handling when flushing batched messages during |
| WebSocket session close. (markt) |
| </fix> |
| <fix> |
| <bug>66581</bug>: Update <code>AsyncChannelGroupUtil</code> to align it |
| with the current defaults for AsynchronousChannelGroup. Pull request |
| <pr>612</pr> by Matthew Painter. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Chinese translations. (lihan) |
| </add> |
| <update> |
| Update Checkstyle to 10.10.0. (markt) |
| </update> |
| <update> |
| Update Jacoco to 0.8.10. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Migration Tool for Jakarta EE |
| to 1.0.7. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M5 (markt)" rtext="2023-04-19"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Add a <code>doPatch</code> method to <code>HttpServlet</code> to provide |
| support for the HTTP <code>PATCH</code> method as defined in RFC 5789. |
| This is one of the changes in the Servlet 6.1 API. (markt) |
| </add> |
| <fix> |
| <bug>65995</bug>: Implement RFC 9239 and use |
| <code>text/javascript</code> as the media type for JavaScript rather |
| than <code>application/javascript</code>. (markt) |
| </fix> |
| <scode> |
| Tomcat no longer sets the <code>java.protocol.handler.pkgs</code> system |
| property when starting. Users are now free to configure this property if |
| they wish. (markt) |
| </scode> |
| <add> |
| Add an access log valve that uses a json format. Based on pull request |
| <pr>539</pr> provided by Thomas Meyer. (remm) |
| </add> |
| <add> |
| Harden the FORM authentication process against DoS attacks by using a |
| reduced session timeout if the FORM authentication process creates a |
| session. The duration of this timeout is configured by the |
| <code>authenticationSessionTimeout</code> attribute of the FORM |
| authenticator. (markt) |
| </add> |
| <add> |
| Implement the new Servlet API methods that provide additional control |
| when sending a redirect to the client. (markt) |
| </add> |
| <add> |
| Update Digest authentication support to align with RFC 7616. This adds a |
| new configuration attribute, <code>algorithms</code>, to the |
| <code>DigestAuthenticator</code> with a default of |
| <code>SHA-256,MD5</code>. (markt) |
| </add> |
| <update> |
| Reduce the default value of <code>maxParameterCount</code> from 10,000 |
| to 1,000. (markt) |
| </update> |
| <fix> |
| <bug>66527</bug>: Correct the Javadoc for the |
| <code>Tomcat.addWebapp()</code> methods that incorrectly stated that the |
| <code>docBase</code> parameter could be a relative path. (markt) |
| </fix> |
| <fix> |
| <bug>66524</bug>: Correct eviction ordering in WebResource cache to |
| be LRU as intended. (schultz) |
| </fix> |
| <update> |
| Add support code for custom user attributes in <code>RealmBase</code>. |
| Based on code from <pr>473</pr> by Carsten Klein. (remm) |
| </update> |
| <fix> |
| Expand the set of HTTP request headers considered sensitive that should |
| be skipped when generating a response to a <code>TRACE</code> request. |
| This aligns with the current draft of the Servlet 6.1 specification. |
| (markt) |
| </fix> |
| <fix> |
| <bug>66541</bug>: Improve handling for cached resources for resources |
| that use custom URL schemes. The scheme specific <code>equals()</code> |
| and <code>hashCode()</code> algorithms, if present, will now be used for |
| URLs for these resources. This addresses a potential performance issue |
| with some OSGi custom URL schemes that can trigger potentially slow DNS |
| lookups in some configurations. Based on a patch provided by Tom |
| Whitmore. (markt) |
| </fix> |
| <fix> |
| When using a custom session manager deployed as part of the web |
| application, avoid <code>ClassNotFoundException</code>s when validating |
| session IDs extracted from requests. (markt) |
| </fix> |
| <fix> |
| <bug>66543</bug>: Give <code>StandardContext#fireRequestDestroyEvent</code> |
| its own log message. (fschumacher) |
| </fix> |
| <fix> |
| <bug>66554</bug>: Initialize Random during server initialization to |
| avoid possible JVM thread creation in the webapp context on some |
| platforms. (remm) |
| </fix> |
| <update> |
| Make the server utility executor available to webapps using a Servlet |
| context attribute named |
| <code>org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor</code>. (remm) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| JSON filter should support specific escaping for common special |
| characters as defined in RFC 8259. Based on code submitted by |
| Thomas Meyer. (remm) |
| </fix> |
| <fix> |
| <bug>66511</bug>: Fix <code>GzipOutputFilter</code> (used for compressed |
| HTTP responses) when used with direct buffers. Patch suggested by Arjen |
| Poutsma. (markt) |
| </fix> |
| <fix> |
| <bug>66512</bug>: Align AJP handling of invalid HTTP response headers |
| (they are now removed from the response) with HTTP. (markt) |
| </fix> |
| <fix> |
| <bug>66530</bug>: Correct a regression in the fix for bug |
| <bug>66442</bug> that meant that streams without a response body did not |
| decrement the active stream count when completing leading to |
| <code>ERR_HTTP2_SERVER_REFUSED_STREAM</code> for some connections. |
| (markt) |
| </fix> |
| <fix> |
| Remove use of deprecated classes in the <code>javax.security.cert</code> |
| package. Pull request <pr>608</pr> provided by Eirik Bjorsnos. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Fix bug that meant some instances of coercing a |
| <code>LambdaExpression</code> to a functional interface invocation |
| failed. (markt) |
| </fix> |
| <fix> |
| <bug>66536</bug>: Fix parsing of tag files that meant that tag |
| directives could be ignored for some tag files. (markt) |
| </fix> |
| <add> |
| Align the EL implementation with the latest changes to the Jakarta EL |
| specification and add support for the length attribute to the |
| <code>ArrayELResolver</code>. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Cluster"> |
| <changelog> |
| <fix> |
| <bug>66535</bug>: Redefine the <code>maxValidTime</code> attribute of |
| <code>FarmWarDeployer</code> to be the maximum time allowed between |
| receiving parts of a transferred file before the transfer is cancelled |
| and the associated resources cleaned-up. A new warning message will be |
| logged if the file transfer is cancelled. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>66508</bug>: When using WebSocket with NIO2, avoid waiting for |
| a timeout before sending the close frame if an I/O error occurs during a |
| write. (markt) |
| </fix> |
| <fix> |
| <bug>66548</bug>: Expand the validation of the value of the |
| <code>Sec-Websocket-Key</code> header in the HTTP upgrade request that |
| initiates a WebSocket connection. The value is not decoded but it is |
| checked for the correct length and that only valid characters from the |
| base64 alphabet are used. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>66542</bug>: Documentation. Update the JNDI documentation to |
| replace references to JavaMail with references to Jakarta Mail. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations. Contributed by Shirayuking and |
| tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Chinese translations. Contributed by totoo. (markt) |
| </add> |
| <scode> |
| Refactor code using <code>MD5Encoder</code> to use |
| <code>HexUtils.toHexString()</code>. (markt) |
| </scode> |
| <fix> |
| <bug>66507</bug>: Fix a bug where <code>$JAVA_OPTS</code> was not passed |
| to the JVM in <code>catalina.sh</code> when calling <code>version</code>. |
| Patch suggested by Eric Hamilton. (lihan) |
| </fix> |
| <update> |
| Update the internal fork of Commons DBCP to f131286 (2023-03-08, |
| 2.10.0-SNAPSHOT). This corrects a regression introduced in 11.0.0-M2. |
| (markt) |
| </update> |
| <fix> |
| Improve the error messages if <code>JRE_HOME</code> or |
| <code>JAVA_HOME</code> are not set correctly. On Windows, align the |
| handling of <code>JRE_HOME</code> and <code>JAVA_HOME</code> for the |
| start-up scripts and the service install script. (markt) |
| </fix> |
| <update> |
| Update to the Eclipse JDT compiler 4.27. (markt) |
| </update> |
| <update> |
| Update UnboundID to 6.0.8. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.9.3. (markt) |
| </update> |
| <update> |
| Update Jacoco to 0.8.9. (markt) |
| </update> |
| <fix> |
| Enhance PEMFile to load from an InputStream. Patch provided by |
| Romain Manni-Bucau. (schultz) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M4 (markt)" rtext="2023-03-06"> |
| <subsection name="General"> |
| <changelog> |
| <fix> |
| Fix a bug where memory allocation was larger than the limit in |
| <code>SynchronizedStack</code>, reducing the memory footprint. (lihan) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Add support for <code>txt:</code> and <code>rnd:</code> rewrite map |
| types from mod_rewrite. Based on a pull request <pr>591</pr> |
| provided by Dimitrios Soumis. (remm) |
| </add> |
| <update> |
| Provide a more appropriate response (501 rather than 400) when rejecting |
| an HTTP request using the CONNECT method. (markt) |
| </update> |
| <fix> |
| <bug>66491</bug>: Revert the switch to using the ServiceLoader mechanism |
| to load the custom URL protocol handlers that Tomcat uses. The original |
| system property based approach has been restored. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Add a check for the validity of the scheme pseudo-header in HTTP/2. |
| (markt) |
| </add> |
| <fix> |
| <bug>66482</bug>: Restore inline state after async operation in NIO2, |
| to account for the fact that unexpected exceptions are sometimes thrown |
| by the implementation. Patch submitted by zhougang. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Provide an implementation of the sub-set of JavaBeans support that does |
| not depend on the <code>java.beans</code> package. This is for use by |
| Expression Language when the <code>java.desktop</code> module (which is |
| where the <code>java.beans</code> package resides) is not available. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M3 (markt)" rtext="2023-02-23"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Increase the minimum supported Java version to Java 17. Note that |
| Jakarta EE 11 permits a minimum Java version of 21. The minimum Java |
| version for Tomcat 11 may be increased to Java 21 before the first |
| stable release. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Allow a Valve to access cookies from a request that cannot be mapped to |
| a Context. (markt) |
| </fix> |
| <add> |
| Implement the new Servlet API methods for setting character encodings |
| that accept <code>Charset</code> objects. (markt) |
| </add> |
| <update> |
| The default HEAD response no longer includes some HTTP header fields |
| where the value is determined only while generating the content as per |
| section 9.3.2 of RFC 9110. (markt) |
| </update> |
| <fix> |
| <bug>66438</bug>: Correct names of Jakarta modules in JPMS metadata. |
| (markt) |
| </fix> |
| <update> |
| Switch to using the ServiceLoader mechanism to load the custom URL |
| protocol handlers that Tomcat uses. (markt) |
| </update> |
| <fix> |
| Switch to using <code>LongAdder</code> rather than |
| <code>AtomicInteger</code> to track request count and error count for |
| servlets. (markt) |
| </fix> |
| <fix> |
| Implement the clarification from the Jakarta Servlet project that |
| Servlets mapped to the context root should be mapped for requests to the |
| context root with or without the trailing <code>/</code>. (markt) |
| </fix> |
| <fix> |
| Implement the clarification from the Jakarta Servlet project that |
| calling <code>ServletOutputStream.close()</code> on a stream in |
| non-blocking mode returns immediately with the stream effectively closed |
| and any data remaining to be written is written in the background by the |
| container. (markt) |
| </fix> |
| <fix> |
| Avoid possible ISE when scanning from bad JAR URLs, to restore the |
| previous behavior following the removal of Java 9+ reflection code which |
| caught the ISE. (remm) |
| </fix> |
| <fix> |
| Refactor uses of <code>String.replaceAll()</code> to use |
| <code>String.replace()</code> where regular expressions were not being |
| used. Pull request <pr>581</pr> provided by Andrei Briukhov. (markt) |
| </fix> |
| <add> |
| Add error report valve that allows redirecting to or proxying from an |
| external web server. Based on code and ideas from pull request |
| <pr>506</pr> provided by Max Fortun. (remm) |
| </add> |
| <add> |
| <bug>66470</bug>: Add the Shared Address Space defined by RFC 6598 |
| (100.64.0.0/10) to the regular expression used to identify internal |
| proxies for the <code>RemoteIpFilter</code> and |
| <code>RemoteIpValve</code>. (markt) |
| </add> |
| <fix> |
| <bug>66471</bug>: Fix the JSessionId secure attribute being missing when |
| <code>RemoteIpFilter</code> determines that the request was submitted |
| via a secure channel. (lihan) |
| </fix> |
| <add> |
| Add the additional HTTP status code constants to |
| <code>HttpServletResponse</code> defined by the Jakarta Servlet project |
| for the Servlet 6.1 API. (markt) |
| </add> |
| <fix> |
| Implement the clarification from the Jakarta Servlet project that |
| calling one of the <code>HttpServletResponse</code> methods for setting |
| HTTP header values with <code>null</code> as the new header value |
| removes any existing header of that name. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Log basic information for each configured TLS certificate when Tomcat |
| starts. (markt) |
| </add> |
| <fix> |
| <bug>66442</bug>: When an HTTP/2 response must not include a body, |
| ensure that the end of stream flag is set on the headers frame and that |
| no data frame is sent. (markt) |
| </fix> |
| <fix> |
| Fix a bug that prevented HTTP/2 connections from timing out when using |
| a Connector configured with <code>useAsyncIO=true</code> (the default). |
| (markt) |
| </fix> |
| <add> |
| Provide dedicated loggers |
| (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> / |
| <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for |
| logging of configured TLS certificates. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>66419</bug>: Fix calls from expression language to a method that |
| accepts varargs when only one argument was passed. (markt) |
| </fix> |
| <fix> |
| <bug>66441</bug>: Make imports of static fields in JSPs visible to any |
| EL expressions used on the page. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>66429</bug>: Documentation. Limit access to the documentation web |
| application to localhost by default. (markt) |
| </fix> |
| <fix> |
| <bug>66429</bug>: Examples. Limit access to the examples web application |
| to localhost by default. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update BND to 6.4.0. (markt) |
| </update> |
| <update> |
| Remove support for starting Tomcat under a SecurityManager. (markt) |
| </update> |
| <add> |
| Improvements to Chinese translations. (lihan) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations. Contributed by tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <update> |
| Update the packaged version of the Apache Tomcat Native Library to 2.0.3 |
| to pick up the Windows binaries built with OpenSSL 3.0.8. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M2 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Update the <code>ServletInputStream</code> and |
| <code>ServletOutputStream</code> classes in the Servlet API to align with |
| the recent updates in the Jakarta Servlet specification to support |
| reading and writing with <code>ByteBuffer</code>s. The changes also |
| clarified various aspects of the Servlet non-blocking API. (markt) |
| </add> |
| <fix> |
| <bug>66388</bug>: Correct a regression in the refactoring that replaced |
| the use of the <code>URL</code> constructors. The regression broke |
| lookups for resources that contained one or more characters in their |
| name that required escaping when used in a URI path. (markt) |
| </fix> |
| <fix> |
| <bug>66392</bug>: Change the default value of <code>AccessLogValve</code>'s |
| file encoding to UTF-8 and update documentation. (lihan) |
| </fix> |
| <fix> |
| <bug>66393</bug>: Align <code>ExtendedAccessLogValve</code>'s x-P(XXX) with the |
| documentation. (lihan) |
| </fix> |
| <fix> |
| Remove JAX-RPC support which was removed from the Jakarta EE platform |
| for Jakarta EE 9. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Update Cookie parsing and handling to treat the quotes in a quoted |
| cookie value as part of the value as required by RFC 6265 and explicitly |
| clarified in RFC 6265bis. (markt) |
| </fix> |
| <add> |
| Add an RFC 8941 structured field parser. (markt) |
| </add> |
| <add> |
| Add a parser for the <code>priority</code> HTTP header field defined in |
| RFC 9218. (markt) |
| </add> |
| <fix> |
| When resetting an HTTP/2 stream because the final response has been |
| generated before the request has been fully read, use the HTTP/2 error |
| code <code>NO_ERROR</code> so that the client does not discard the response. |
| Based on a suggestion by Lorenzo Dalla Vecchia. (markt) |
| </fix> |
| <fix> |
| <bug>66385</bug>: Correct a bug in HTTP/2 where a non-blocking read for |
| a new frame with the NIO2 connector was incorrectly made using the read |
| timeout leading to unexpected stream closure. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>66370</bug>: Change the default of the |
| <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system |
| property to <code>true</code> unless the EL library is running on Tomcat |
| in which case the default remains <code>false</code> as the EL library |
| is already called from within a privileged block and skipping the |
| unnecessary privileged block improves performance. (markt) |
| </fix> |
| <add> |
| Add support for specifying Java 21 (with the value <code>21</code>) as |
| the compiler source and/or compiler target for JSP compilation. If used |
| with an Eclipse JDT compiler version that does not support these values, |
| a warning will be logged and the default will be used. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the packaged version of the Apache Tomcat Migration Tool for |
| Jakarta EE to 1.0.6. (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, |
| 6.7.1-SNAPSHOT). (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, |
| 1.16-SNAPSHOT). (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons FileUpload to 34eb241 |
| (2023-01-03, 2.0-SNAPSHOT). (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03, |
| 2.10.0-SNAPSHOT). (markt) |
| </update> |
| <add> |
| Improvements to Japanese translations. Contributed by Shirayuking. |
| (markt) |
| </add> |
| <add> |
| Improvements to Portuguese translations. Contributed by Guilherme |
| Custódio. (markt) |
| </add> |
| <update> |
| Update to the Eclipse JDT compiler 4.26. (markt) |
| </update> |
| <update> |
| Update Checkstyle to 10.6.0. (markt) |
| </update> |
| <update> |
| Update UnboundID to 6.0.7. (markt) |
| </update> |
| <update> |
| Update SpotBugs to 4.7.3. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 11.0.0-M1 (markt)" rtext="2022-12-05"> |
| <subsection name="General"> |
| <changelog> |
| <scode> |
| This release contains all of the changes up to and including those in |
| Apache Tomcat 10.1.1 plus the additional changes listed below. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>66175</bug>: Change the default character set used by the |
| <code>BasicAuthenticator</code> from ISO-8859-1 to UTF-8. (markt) |
| </fix> |
| <add> |
| <bug>66209</bug>: Add a configuration option to allow bloom filters used |
| to index JAR files to be retained for the lifetime of the web |
| application. Prior to this addition, the indexes were always flushed by |
| the periodic calls to <code>WebResourceRoot.gc()</code>. As part of this |
| addition, configuration of archive indexing moves from |
| <code>Context</code> to <code>WebResourceRoot</code>. Based on a patch |
| provided by Rahul Jaisimha. (markt) |
| </add> |
| <fix> |
| <bug>66330</bug>: Correct a regression introduced when fixing |
| <bug>62897</bug> that meant any value configured for |
| <code>skipMemoryLeakChecksOnJvmShutdown</code> on the |
| <code>Context</code> was ignored and the default was always used. |
| (markt) |
| </fix> |
| <fix> |
| <bug>66331</bug>: Fix a regression in refactoring for <code>Stack</code> |
| on the <code>SystemLogHandler</code> which caught the incorrect exception. |
| (lihan) |
| </fix> |
| <fix> |
| <bug>66338</bug>: Fix a regression that caused a nuance in refactoring |
| for <code>ErrorReportValve</code>. (lihan) |
| </fix> |
| <fix> |
| Escape values used to construct output for the |
| <code>JsonErrorReportValve</code> to ensure that it always outputs valid |
| JSON. (markt) |
| </fix> |
| <fix> |
| Correct the default implementation of |
| <code>HttpServletRequest.isTrailerFieldsReady()</code> to return |
| <code>true</code> so it is consistent with the default implementation of |
| <code>HttpServletRequest.getTrailerFields()</code> and with the Servlet |
| API provided by the Jakarta EE project. (markt) |
| </fix> |
| <fix> |
| Refactor <code>WebappLoader</code> so it only has a runtime dependency |
| on the migration tool for Jakarta EE if configured to use the converter |
| as classes are loaded. (markt) |
| </fix> |
| <fix> |
| Improve the behavior of the credential handler attribute that is set in |
| the Servlet context so that it actually reflects what is used during |
| authentication. (remm) |
| </fix> |
| <fix> |
| <bug>66359</bug>: Update javadoc for RemoteIpValve and RemoteIpFilter with |
| correct <code>protocolHeader</code> default value of "X-Forwarded-Proto". |
| (lihan) |
| </fix> |
| <add> |
| Add support for the new attribute for error dispatches |
| <code>jakarta.servlet.error.query_string</code>. (markt) |
| </add> |
| <update> |
| Update <code>ignoreAnnotation</code> attribute on <code>Context</code> |
| to dissociate it from <code>metadata-complete</code>. (remm) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct the date format used with the expires attribute of HTTP cookies. |
| A single space rather than a single dash should be used to separate the |
| day, month and year components to be compliant with RFC 6265. (markt) |
| </fix> |
| <add> |
| Include the name of the current stream state in the error message when a |
| stream is cancelled due to an attempt to write to the stream when it is |
| in a state that does not permit writes. (markt) |
| </add> |
| <scode> |
| NIO writes never return -1 so refactor <code>CLOSED_NIO_CHANNEL</code> |
| not to do so and remove checks for this return value. Based on |
| <pr>562</pr> by tianshuang. (markt) |
| </scode> |
| <scode> |
| Remove unnecessary code that exposed the <code>asyncTimeout</code> to |
| components that never used it. (markt) |
| </scode> |
| <fix> |
| Ensure that all <code>MessageBytes</code> conversions to byte arrays are |
| valid for the configured character set and throw an exception if not. |
| (markt) |
| </fix> |
| <fix> |
| When an HTTP/2 stream was reset, the current active stream count was not |
| reduced. If enough resets occurred on a connection, the current active |
| stream count limit was reached and no new streams could be created on |
| that connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>66294</bug>: Make the use of a privileged block to obtain the |
| thread context class loader added to address <bug>62080</bug> optional |
| and disabled by default. This is now controlled by the |
| <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system |
| property. (markt) |
| </fix> |
| <fix> |
| <bug>66317</bug>: Fix for Lambda coercion security manager missing |
| privileges. Based on pull request <pr>557</pr> by Isaac Rivera Rivas. (lihan) |
| </fix> |
| <fix> |
| <bug>66325</bug>: Fix concurrency issue in evaluation of expression |
| language containing lambda expressions. (markt) |
| </fix> |
| <add> |
| Update the <code>ErrorData</code> class in the JSP API to align with the |
| recent changes in the Jakarta Pages specification to support the new |
| error dispatch attribute |
| <code>jakarta.servlet.error.query_string</code>. |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>66348</bug>: Update the JARs listed in the class loader |
| documentation and note which ones are optional. (markt) |
| </fix> |
| <fix> |
| Documentation. Replace references in the application developer's guide |
| to CVS with more general references to a source code control system. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <fix> |
| <bug>66346</bug>: Ensure all JDBC pool JARs are reproducible. Pull |
| request <pr>566</pr> provided by John Neffenger. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to Commons Daemon 1.3.3. (markt) |
| </update> |
| <fix> |
| <bug>66323</bug>: Move module start up parameters from |
| <code>JDK_JAVA_OPTIONS</code> to <code>JAVA_OPTS</code> now that the |
| minimum Java version is 11 and these options are always required. |
| (markt) |
| </fix> |
| <add> |
| Improvements to Chinese translations. Contributed by DigitalCat and |
| lihan. (markt) |
| </add> |
| <add> |
| Improvements to French translations. Contributed by Mathieu Bouchard. |
| (markt) |
| </add> |
| <add> |
| Improvements to Japanese translations. Contributed by Shirayuking and |
| tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (markt) |
| </add> |
| <add> |
| Improvements to Spanish translations. (markt) |
| </add> |
| <fix> |
| Correct a regression in the removal of the APR connector that broke |
| Graal native image support. Pull request <pr>564</pr> provided by |
| Sébastien Deleuze. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Apache Tomcat Native Library to 2.0.2 |
| to pick up the Windows binaries built with OpenSSL 3.0.7. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Apache Tomcat Migration Tool for |
| Jakarta EE to 1.0.5. (markt) |
| </update> |
| <scode> |
| Refactor code base to replace use of URL constructors. While they are |
| deprecated in Java 20 onwards, the reasons for deprecation are valid for |
| all versions so move away from them now. (markt) |
| </scode> |
| <scode> |
| Refine the Tomcat native image metadata to avoid including unintended |
| non-Tomcat resources. Pull request <pr>569</pr> provided by Sébastien |
| Deleuze. (markt) |
| </scode> |
| <update> |
| Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28, |
| 6.7.0-RC1). (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29, |
| 1.16-SNAPSHOT). (markt) |
| </update> |
| <update> |
| Update the internal fork of Apache Commons FileUpload to aa8eff6 |
| (2022-11-29, 2.0-SNAPSHOT). (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |
| |