| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| <!DOCTYPE document [ |
| <!ENTITY project SYSTEM "project.xml"> |
| |
| <!-- DTD is used to validate changelog structure at build time. BZ 64931. --> |
| |
| <!ELEMENT document (project?, properties, body)> |
| <!ATTLIST document url CDATA #REQUIRED> |
| |
| <!-- body and title are used both in project.xml and in this document --> |
| <!ELEMENT body ANY> |
| <!ELEMENT title (#PCDATA)> |
| |
| <!-- Elements of project.xml --> |
| <!ELEMENT project (title, logo, body)> |
| <!ATTLIST project name CDATA #REQUIRED> |
| <!ATTLIST project href CDATA #REQUIRED> |
| |
| <!ELEMENT logo (#PCDATA)> |
| <!ATTLIST logo href CDATA #REQUIRED> |
| |
| <!ELEMENT menu (item+)> |
| <!ATTLIST menu name CDATA #REQUIRED> |
| |
| <!ELEMENT item EMPTY> |
| <!ATTLIST item name CDATA #REQUIRED> |
| <!ATTLIST item href CDATA #REQUIRED> |
| |
| <!-- Elements of this document --> |
| <!ELEMENT properties (author*, title, no-comments) > |
| <!ELEMENT author (#PCDATA)> |
| <!ATTLIST author email CDATA #IMPLIED> |
| <!ELEMENT no-comments EMPTY> |
| |
| <!ELEMENT section (subsection)*> |
| <!ATTLIST section name CDATA #REQUIRED> |
| <!ATTLIST section rtext CDATA #IMPLIED> |
| |
| <!ELEMENT subsection (changelog+)> |
| <!ATTLIST subsection name CDATA #REQUIRED> |
| |
| <!ELEMENT changelog (add|update|fix|scode|docs|design)*> |
| <!ELEMENT add ANY> |
| <!ELEMENT update ANY> |
| <!ELEMENT fix ANY> |
| <!ELEMENT scode ANY> |
| <!ELEMENT docs ANY> |
| <!ELEMENT design ANY> |
| |
| <!ELEMENT bug (#PCDATA)> |
| <!ELEMENT rev (#PCDATA)> |
| <!ELEMENT pr (#PCDATA)> |
| |
| <!-- Random HTML markup tags. Add more here as needed. --> |
| <!ELEMENT a (#PCDATA)> |
| <!ATTLIST a href CDATA #REQUIRED> |
| <!ATTLIST a rel CDATA #IMPLIED> |
| |
| <!ELEMENT b (#PCDATA)> |
| <!ELEMENT code (#PCDATA)> |
| <!ELEMENT em (#PCDATA)> |
| <!ELEMENT strong (#PCDATA)> |
| <!ELEMENT tt (#PCDATA)> |
| ]> |
| <?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?> |
| <document url="changelog.html"> |
| |
| &project; |
| |
| <properties> |
| <title>Changelog</title> |
| <no-comments /> |
| </properties> |
| |
| <body> |
| <!-- |
| Subsection ordering: |
| General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications, |
| Extras, Tribes, jdbc-pool, Other |
| |
| Item Ordering: |
| |
| Fixes having an issue number are sorted by their number, ascending. |
| |
| There is no ordering by add/update/fix/scode/docs/design. |
| |
| Other fixed issues are added to the end of the list, chronologically. |
| They eventually become mixed with the numbered issues (i.e., numbered |
| issues do not "pop up" wrt. others). |
| --> |
| <section name="Tomcat 10.1.0-M17 (markt)" rtext=""> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>66104</bug>: Avoid error message by not trying to clean up old |
| files from the logging directory before the directory has been created. |
| Based on <pr>521</pr> by HanLi. (markt) |
| </fix> |
| <update> |
| Update the Jakarta Common Annotations API to 2.1.1. This deprecates the |
| <code>ManagedBean</code> annotation which will be removed in a future |
| release. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Provide dedicated loggers |
| (<code>org.apache.tomcat.util.net.NioEndpoint.handshake</code> / |
| <code>org.apache.tomcat.util.net.Nio2Endpoint.handshake</code>) for TLS |
| handshake failures. (markt) |
| </add> |
| <add> |
| Enable the use of the FIPS provider for TLS enabled Connectors when |
| using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. |
| (markt) |
| </add> |
| <scode> |
| Remove the <code>jvmRoute</code> system property used to configure a |
| default value for the <code>jvmRoute</code> attribute of an Engine. |
| (markt) |
| </scode> |
| <update> |
| Update experimental Panama modules with support for OpenSSL 3.0+. |
| OpenSSL 1.1 remains supported. (remm) |
| </update> |
| <fix> |
| Correct a regression in the refactoring to support experimentation with |
| project Loom that broke HTTP/2 support if async IO was disabled. (markt) |
| </fix> |
| <fix> |
| Fix duplicate Poller registration with HTTP/2, NIO and async IO that |
| could cause HTTP/2 connections to unexpectedly fail. (markt) |
| </fix> |
| <update> |
| Refactor Panama module to better take advantage of the Panama preview |
| API updates and fixes. Improves memory session usage and avoids some |
| allocations. Review from Maurizio Cimadamore. (remm) |
| </update> |
| <update> |
| Update the minimum recommended version of the Tomcat Native Library to |
| 2.0.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <add> |
| Add support for specifying Java 19 (with the value <code>19</code>) as |
| the compiler source and/or compiler target for JSP compilation. If used |
| with an Eclipse JDT compiler version that does not support these values, |
| a warning will be logged and the default will be used. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <update> |
| Remove configuration settings related to the restriction on WebSocket |
| endpoint deployment that was removed in version 2.1 of the |
| specification. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Documentation. <bug>62245</bug>: Include <code>contextXsltFile</code> |
| when discussing options for configuring directory listings. (markt) |
| </fix> |
| <fix> |
| Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the |
| Form authentication example. (markt) |
| </fix> |
| <fix> |
| Documentation. Expand the description of the <code>useSendfile</code> |
| attribute for HTTP/2 and reference the possibility of file locking when |
| using this feature on Windows operating systems. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update to bnd 6.3.1. (markt) |
| </update> |
| <update> |
| The minimum Ant version required to build Tomcat 10.1.x is now 1.10.2. |
| (markt) |
| </update> |
| <add> |
| Add additional automation to the build process to reduce the number of |
| manual steps that release managers must perform. (schultz) |
| </add> |
| <add> |
| Implement support for reproducible builds. Reproducible builds are |
| independent of operating system but require the same Ant version and |
| same JDK (vendor and version) to be used as associated version |
| information is embedded in a number of build outputs such as JAR file |
| manifests. (markt) |
| </add> |
| <update> |
| Update the minimum supported version of Tomcat Native to 1.2.34 to allow |
| the removal of the deprecated Java API associated with features that |
| will be removed in Tomcat Native 2.0.x. (markt) |
| </update> |
| <fix> |
| Remove and/or update references to the removed |
| <code>org.apache.tomcat.util.threads.res</code> package. The |
| <code>LocalStrings*.properties</code> files in that package were moved |
| to <code>org.apache.tomcat.util.threads</code> package for consistency |
| with the rest of the Tomcat code base. (markt) |
| </fix> |
| <fix> |
| <bug>66134</bug>: The NSIS based Tomcat installer for Windows now |
| correctly handles the combination of <code>TomcatAdminRoles</code> |
| defined in a configuration file and selecting the Manager and/or |
| Host Manager web applications in the installer's GUI. (markt) |
| </fix> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.27. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.5.3. (remm) |
| </update> |
| <update> |
| Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.1. |
| (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 2.0.1 to |
| pick up the Windows binaries built with OpenSSL 3.0.5. (markt) |
| </update> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by tak7iji. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M16 (markt)" rtext="2022-06-09"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Update the memory leak protection code to support stopping application |
| created executor threads when running on Java 19 and later. (markt) |
| </fix> |
| <fix> |
| Improve the error message if a required <code>--add-opens</code> option |
| is missing. (markt) |
| </fix> |
| <fix> |
| Disable the memory leak correction code enabled by the Context attribute |
| <code>clearReferencesObjectStreamClassCaches</code> when running on a |
| JRE that includes a fix for the underlying memory leak. (markt) |
| </fix> |
| <fix> |
| <pr>515</pr>: Avoid deadlock on startup with some utility executor |
| configurations. Submitted by Han Li. (remm) |
| </fix> |
| <fix> |
| <bug>66068</bug>: Ensure that the changes made to a request by the |
| <code>RemoteIPValve</code> persist after the request is put into |
| asynchronous mode. (markt) |
| </fix> |
| <add> |
| Include the major version in the recommended version used for Tomcat |
| Native with the <code>AprLifecycleListener</code>. (markt) |
| </add> |
| <scode> |
| Remove the reporting of the unused APR feature flags. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Additional fix for <bug>65118</bug>. Fix a potential |
| <code>NullPointerException</code> when pruning closed HTTP/2 streams |
| from the connection. (markt) |
| </fix> |
| <scode> |
| Refactor synchronization blocks locking on <code>SocketWrapper</code> to |
| use <code>ReentrantLock</code> to support users wishing to experiment |
| with project Loom. (markt) |
| </scode> |
| <fix> |
| <bug>66076</bug>: When using TLS with non-blocking writes and the NIO |
| connector, ensure that flushing the buffers attempts to empty all of the |
| output buffers. (markt) |
| </fix> |
| <fix> |
| <bug>66084</bug>: Correctly calculate bytes written to a response. Pull |
| request <pr>516</pr> provided by aooohan HanLi. (markt) |
| </fix> |
| <add> |
| Correct a regression in the support added for encrypted PKCS#1 formatted |
| private keys in the previous release that broke support for unencrypted |
| PKCS#1 formatted private keys. (jfclere/markt) |
| </add> |
| <update> |
| Remove support for NPN when using the Tomcat Native Connector as NPN was |
| never standardised and browser support for NPN was removed several years |
| ago. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| Update XML schema used for generated web fragments to use the Servlet |
| 6.0 web fragment schema. (markt) |
| </fix> |
| <fix> |
| Update the XML schema used by the web fragment defined for the Jasper EL |
| JAR to use the Servlet 6.0 web fragment schema. (markt) |
| </fix> |
| <fix> |
| Update <code>ImportHandler</code> optimisation for new classes |
| introduced in Java 19. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web Socket"> |
| <changelog> |
| <fix> |
| Update the XML schema used by the web fragment defined for the WebSocket |
| JAR to use the Servlet 6.0 web fragment schema. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>66064</bug>: Update the building page in the documentation web |
| application to reflect changes in required Java version and source |
| repository. (markt) |
| </fix> |
| <fix> |
| Documentation. Make the description of the HTTP/1.1 configuration |
| attributes that control the maximum allowed HTTP header size more |
| specific. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| Increase the default buffer size for replication messages from 43800 to |
| 65536 bytes. This is expected to improve performance for large messages |
| when running on Linux based systems. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by Shirayuking and |
| tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Chinese translations contributed by Dingzi2012. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M15 (markt)" rtext="2022-05-16"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| <bug>65853</bug>: Refactor the <code>CsrfPreventionFilter</code> to make |
| it easier for sub-classes to modify the nonce generation and storage. |
| Based on suggestions by Marvin Fröhlich. (markt) |
| </scode> |
| <fix> |
| <bug>65991</bug>: Avoid NPE with <code>SSLAuthenticator</code> when |
| <code>boundOnInit</code> is used on a connector, during the check |
| for client certificate authentication availability. (remm) |
| </fix> |
| <fix> |
| <bug>66009</bug>: Use <code>getSubjectX500Principal().toString()</code> |
| rather than <code>getSubjectX500Principal().getName(...)</code> to |
| retrieve a certificate DN, to match the output of the deprecated |
| <code>getSubjectDN().getName()</code> that was used previously. (remm) |
| </fix> |
| <add> |
| Revert the change in 10.1.0-M11 that added a mapping of |
| <code>Shift_JIS</code> for the <code>ja</code> locale to the default |
| mappings used by <code>ServletResponse.setLocale()</code> as it |
| caused regressions for applications using UTF-8. (markt) |
| </add> |
| <add> |
| Provide a property source that sources values from Kubernetes service |
| bindings. Pull request <pr>512</pr> provided by Sumit Kulhadia and |
| Gareth Evans. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| <pr>501</pr>: Add new <code>maxHttpRequestHeaderSize</code> and |
| <code>maxHttpResponseHeaderSize</code> attributes which allow setting |
| the maximum HTTP header sizes independently. If not specified, the |
| value of the <code>maxHttpHeaderSize</code> connector attribute will |
| be used. Submitted by Zhongming Hua. (remm) |
| </add> |
| <fix> |
| The root cause of the Linux kernel duplicate accept bug has been |
| identified along with the version of the kernel that includes the fix. |
| The error message displayed when this bug occurs has been updated to |
| reflect this new information and to advise users to update to a version |
| of the OS that uses kernel 5.10 or later. Thanks to Christopher Gual for |
| the research into this issue. (markt) |
| </fix> |
| <scode> |
| Remove the custom UTF-8 decoder that was introduced to work around |
| various UTF-8 decoding bugs in Java. These issues were fixed in early |
| Java 8 releases. Now the minimum Java version is 11, we can be sure that |
| Tomcat will not be running on a JRE where these issues are present. |
| (markt) |
| </scode> |
| <fix> |
| <bug>66023</bug>: Improve the fix for <bug>65726</bug> and support HTTP |
| upgrade with a request body for a wider set of use cases. (markt) |
| </fix> |
| <fix> |
| <bug>66035</bug>: Add NULL check on the SSL session reference in the |
| Panama code before accessing the session id and creation time. (remm) |
| </fix> |
| <add> |
| Add support for encrypted PKCS#1 formatted private keys when configuring |
| the internal, in memory key store. Based on <pr>511</pr>. |
| (jfclere/markt) |
| </add> |
| <fix> |
| Remove the <code>prestartminSpareThreads</code> attribute of the |
| <code>StandardThreadExecutor</code> since all core threads are always |
| started by default making this attribute meaningless. Pull request |
| <pr>510</pr> provided by Aooohan. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| To align with the JSP 3.1 specification, make the |
| <code>jsp:plugin</code> action a NO-OP. No HTML will be generated as a |
| result of the <code>jsp:plugin</code> action being included in a JSP. This |
| is because the associated HTML elements are no longer supported by |
| any major browser. (markt) |
| </update> |
| <fix> |
| <bug>66031</bug>: Fix NPE when using a custom JspFactory. Patch by |
| Jean-Louis Monteiro. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Webapps"> |
| <changelog> |
| <fix> |
| <bug>66008</bug>: In the documentation web application, clarify the |
| recommendation for the use of the <code>trimSpaces</code> option for Jasper |
| in production environments. (markt) |
| </fix> |
| <fix> |
| Update the documentation web application to state that the |
| <code>EncryptInterceptor</code> does not provide sufficient protection |
| to run Tomcat clustering over an untrusted network. This is |
| CVE-2022-29885. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to Chinese translations contributed by shawn. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to German translations contributed by Thomas Hoffmann. |
| (markt) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by Shirayuking. |
| (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <update> |
| Update to Commons Daemon 1.3.1. This fixes a known regression in 1.3.0 |
| when configuring the Windows service with custom scripts as described in |
| <bug>66055</bug>. (markt) |
| </update> |
| <update> |
| Update to JSign 4.1. (markt) |
| </update> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.33 to |
| pick up Windows binaries built with OpenSSL 1.1.1o. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M14 (markt)" rtext="2022-04-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <bug>65736</bug>: Disable the <code>forceString</code> option for the |
| JNDI <code>BeanFactory</code> and replace it with an automatic search |
| for an alternative setter with the same name that accepts a |
| <code>String</code>. This is a security hardening measure. (markt) |
| </fix> |
| <add> |
| Remove the <code>WebappClassLoaderBase.getResources()</code> method as |
| it is not used and if something accidentally exposes the class loader |
| this method can be used to gain access to Tomcat internals. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M13 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was |
| renamed for Jakarta EE 10) including the implementation of the new |
| methods on <code>AuthConfigFactory</code>. (markt) |
| </scode> |
| <scode> |
| Harden the CredentialHandler implementations by switching to a |
| constant-time implementation for credential comparisons. (schultz/markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Use a constant for the default TLS cipher suite. This will allow |
| skipping setting it in some cases (for example, it does not make |
| sense for OpenSSL TLS 1.3). (remm) |
| </fix> |
| <fix> |
| <pr>487</pr>: Improve logging of unknown settings frames. Pull request |
| by Thomas Hoffmann. (remm) |
| </fix> |
| <add> |
| <bug>65975</bug>: Add a warning if a TLS virtual host is configured with |
| optional certificate authentication and the containing connector is also |
| configured to support HTTP/2 as HTTP/2 does not permit optional |
| certificate authentication. (markt) |
| </add> |
| <add> |
| <bug>65975</bug>: Add a warning if a TLS virtual host is configured for |
| TLS 1.3 with a JSSE implementation and a web application is configured |
| for <code>CLIENT-CERT</code> authentication. <code>CLIENT-CERT</code> |
| authentication requires post-handshake authentication (PHA) when used |
| with TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA. |
| (markt) |
| </add> |
| <fix> |
| Improve the recycling of Processor objects to make it more robust. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>65959</bug>: Serialize Function as String[] rather than Class[]. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>65947</bug>: Correct the name of HTTP/1.1 configuration property |
| (<code>maxHttpHeaderSize</code>) that is inherited by the HTTP/2 upgrade |
| protocol. Thanks to Thomas Hoffmann. (markt) |
| </fix> |
| <fix> |
| <bug>65952</bug>: Align <code>--add-opens</code> configuration for jsvc |
| with the current Tomcat scripts. (markt) |
| </fix> |
| <fix> |
| Correct the AJP and HTTP/1.1 Connector configuration pages in the |
| documentation web application to show which attributes are applicable to |
| all Connectors and which are implementation specific. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Correct a spelling mistake in the German translations. Thanks to Thomas |
| Hoffmann. (markt) |
| </fix> |
| <fix> |
| <bug>65951</bug>: Use the <code>tomcat.output</code> property for OSGi |
| bundle manifest paths. (isapir) |
| </fix> |
| <update> |
| Update to Commons Daemon 1.3.0. (markt) |
| </update> |
| <update> |
| Update to Checkstyle 10.0. (markt) |
| </update> |
| <update> |
| Update to SpotBugs 4.6.0. (markt) |
| </update> |
| <add> |
| Expand the <code>spotbugs</code> Ant task to also cover test code. |
| (markt) |
| </add> |
| <update> |
| Update to bnd 6.2.0. (markt) |
| </update> |
| <update> |
| Remove OSGi annotations dependency as it is no longer required with bnd |
| 6.2.0. (markt) |
| </update> |
| <update> |
| Update to the Eclipse JDT compiler 4.23. (markt) |
| </update> |
| <scode> |
| Refactor the resource files for the Apache Tomcat installer for Windows |
| so that all the resource files are located in a single directory in the |
| source tree. (markt) |
| </scode> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.32 to |
| pick up Windows binaries built with OpenSSL 1.1.1n. (markt) |
| </update> |
| <add> |
| Improvements to Chinese translations contributed by 15625988003. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by tak7iji. (markt) |
| </add> |
| <add> |
| Expand coverage of translations for <code>jakarta.el</code> package. |
| Based on <pr>488</pr> from Volodymyr Siedlecki. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M12 (markt)" rtext="2022-03-14"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| <pr>477</pr>: Update the default list of JARs to skip to include the |
| Apache Log4j JAR for Jakarta EE platforms. Pull request by Michael |
| Seele. (markt) |
| </fix> |
| <fix> |
| <bug>65921</bug>: The <code>type</code> substitution flag for the |
| rewrite valve should set the content type for the response, not the |
| request. (markt) |
| </fix> |
| <fix> |
| <pr>479</pr>: Enable the rewrite valve to redirect requests when the |
| original request cannot be mapped to a context. This typically happens |
| when no ROOT context is defined. Pull request by elkman. (markt) |
| </fix> |
| <fix> |
| <bug>65940</bug>: Fix <code>NullPointerException</code> if an exception |
| occurs during the destruction of a Servlet. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Fix regression introduced with <bug>65757</bug> bugfix which better |
| identified non request threads but which introduced a similar problem |
| when user code was doing sequential operations in a single thread. |
| Test case code submitted by Istvan Szekely. (remm) |
| </fix> |
| <fix> |
| Fix potential thread-safety issue that could cause HTTP/1.1 request |
| processing to wait, and potentially timeout, waiting for additional |
| data when the full request has been received. (markt) |
| </fix> |
| <fix> |
| Throw <code>IOException</code> rather than |
| <code>IllegalStateException</code> when the application attempts to |
| write to an HTTP/2 stream after the client has closed the stream. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| When resolving methods in EL expressions that use beans and/or static |
| fields, ensure that any custom type conversion is considered when |
| identifying the method to call. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Correct the name of the <code>value</code> attribute in the new |
| documentation of <code>OpenSSLConfCmd</code> elements. (rjung) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Fix typo in JPMS substitution configuration for WebSocket client module. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M11 (markt)" rtext="2022-02-28"> |
| <subsection name="Catalina"> |
| <changelog> |
| <add> |
| Add <code>ha-api-*.jar</code> and <code>jaxws-rt-*.jar</code> to the |
| list of JARs to skip when scanning for TLDs, web fragments and |
| annotations. (michaelo) |
| </add> |
| <add> |
| Expand the default mappings used by |
| <code>ServletResponse.setLocale()</code> to include a mapping from the |
| <code>ja</code> locale to the <code>Shift_JIS</code> encoding. (markt) |
| </add> |
| <fix> |
| <bug>65806</bug>: Improve the handling of session ID generation when the |
| default algorithm for <code>SecureRandom</code> (<code>SHA1PRNG</code>) |
| is not supported by the configured providers as will be the case for a |
| FIPS compliant configuration. (markt) |
| </fix> |
| <add> |
| <pr>463</pr>: Add support for additional user attributes to |
| <code>TomcatPrincipal</code> and <code>GenericPrincipal</code>. |
| Patch provided by Carsten Klein. (michaelo) |
| </add> |
| <fix> |
| <pr>464</pr>: Fall back to the class loader used to load JULI when the |
| thread context class loader is not set. In a normal Tomcat |
| configuration, this will be the system class loader. Based on a pull |
| request by jackshirazi. (markt) |
| </fix> |
| <fix> |
| <pr>469</pr>: Include the Jakarta Annotations API in the classes that |
| Tomcat will not load from web applications. Pull request provided by |
| ppkarwasz. (markt) |
| </fix> |
| <fix> |
| Fix a potential <code>StringIndexOutOfBoundsException</code> exception |
| when generating a WebDAV multi-status response after an error during a |
| copy or delete. Report the paths relative to the server root for any |
| resources with an error. (markt) |
| </fix> |
| <fix> |
| Improve the format of WebDAV XML responses to make them easier for |
| humans to read. The change ensures that there is always a line break |
| before starting a new element. (markt) |
| </fix> |
| <fix> |
| Improve validation of the <code>Destination</code> header for WebDAV |
| <code>MOVE</code> and <code>COPY</code> requests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in the fix for <bug>65454</bug> that meant that |
| <code>minSpareThreads</code> and <code>maxThreads</code> settings were |
| ignored when the Connector used an internal executor. (markt) |
| </fix> |
| <fix> |
| <bug>65776</bug>: Improve the detection of the Linux duplicate accept |
| bug and reduce (hopefully avoid) instances of false positives. (markt) |
| </fix> |
| <fix> |
| <bug>65848</bug>: Revert the change that attempted to align the |
| behaviour of client certificate authentication with NIO or NIO2 with |
| OpenSSL for TLS between MacOS and Linux/Windows as the root cause was |
| traced to configuration differences. (markt) |
| </fix> |
| <fix> |
| <pr>467</pr>: When system time moves backwards (e.g. after clock |
| correction), ensure that the cached formatted current date used for |
| HTTP headers tracks this change. Pull request provided by zhenguoli. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <pr>474</pr>: Prevent a tag file from corrupting the ELContext of the |
| calling page. Pull request provided by Dmitri Blinov. (markt) |
| </fix> |
| <fix> |
| Minor optimisation of serialization for <code>FunctionMapperImpl</code> |
| in response to pull request <pr>476</pr>. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove the applet example from the example web application as applets |
| are no longer supported in any major browser. (markt) |
| </fix> |
| <scode> |
| Refactor a small number of pages in the examples web application to |
| avoid an issue with reproducible builds due to differences in file |
| ordering across different operating systems with Ant's zip task. (markt) |
| </scode> |
| <fix> |
| Better documentation for the <code>protocol</code> attribute of the |
| <code>JNDIRealm</code>. (markt) |
| </fix> |
| <fix> |
| Clarify the settings described in the documentation web application to |
| configure a cluster using static membership. (markt) |
| </fix> |
| <add> |
| Add information on the <code>OpenSSLConf</code> and |
| <code>OpenSSLConfCmd</code> elements to the HTTP SSL configuration page |
| in the documentation web applications. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="jdbc-pool"> |
| <changelog> |
| <scode> |
| Use LF line endings for text files in JARs to support reproducible |
| builds across different operating systems. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <scode> |
| Use LF line endings for text files in JARs to support reproducible |
| builds across different operating systems. (markt) |
| </scode> |
| <fix> |
| Fix dependencies for individual test targets in Ant build file. Based on |
| <pr>468</pr> provided by Totoo chenyonghui. (markt) |
| </fix> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.26. (remm) |
| </update> |
| <fix> |
| Revert the cherry-pick of JavaDoc fix from DBCP applied in 10.1.0.M9 |
| that broke the <code>DataSourceMXBean</code> by using a type that isn't |
| supported by MXBeans. (markt) |
| </fix> |
| <add> |
| Improvements to Chinese translations contributed by cloudgyb, totoo and |
| Chenyonghui1028. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to German translations contributed by Andreas Abraham. |
| (markt) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by tak7iji and |
| Shirayuking. (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <add> |
| Improvements to Spanish translations contributed by ceciliabarudi. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M10 (markt)" rtext="2022-01-20"> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a regression in the fix for <bug>65785</bug> that broke HTTP/2 |
| server push. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M9 (markt)" rtext="not released"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Add missing check in <code>SessionCookieConfig.setAttribute()</code> to |
| ensure that the method fails if called after the web application has |
| started. (markt) |
| </fix> |
| <fix> |
| Add additional locking to <code>DataSourceUserDatabase</code> to provide |
| improved protection for concurrent modifications. (markt) |
| </fix> |
| <fix> |
| Add recycling check in the input and output stream isReady to try to |
| give a more informative ISE when the facade has been recycled. (remm) |
| </fix> |
| <fix> |
| Make the calculation of the session storage location more robust when |
| using file based persistent storage. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>65726</bug>: Implement support for HTTP/1.1 upgrade when the |
| request includes a body. The maximum permitted size of the body is |
| controlled by <code>maxSavePostSize</code>. (markt) |
| </fix> |
| <fix> |
| Restore pre-starting of <code>minSpareThreads</code> lost in the fix for |
| <bug>65454</bug>. (markt) |
| </fix> |
| <fix> |
| Revert the previous fix for <bug>65714</bug> and implement a more |
| comprehensive fix. (markt) |
| </fix> |
| <fix> |
| Allow freeing up context on JVM shutdown in the OpenSSL Panama module |
| by properly using a shared scope. (remm) |
| </fix> |
| <fix> |
| <bug>65757</bug>: Missing initial IO listener notification on Servlet |
| container dispatch to another container thread. (remm) |
| </fix> |
| <fix> |
| Expand the fix for <bug>65757</bug> so that rather than just checking if |
| processing is happening on a container thread, the check is now if |
| processing is happening on the container thread currently allocated to |
| this request/response. (markt) |
| </fix> |
| <fix> |
| Improve the fix for RST frame ordering added in 10.1.0-M8 to avoid a |
| potential deadlock on some systems in non-default configurations. |
| (markt) |
| </fix> |
| <add> |
| <bug>65767</bug>: Add support for certificates that use keys encrypted |
| using PBES2. Based on a pull request provided by xiezhaokun. (markt) |
| </add> |
| <scode> |
| Refactor testing whether a String is a valid HTTP token. (markt) |
| </scode> |
| <fix> |
| <bug>65785</bug>: Perform additional validation of HTTP headers when |
| using HTTP/2. (markt) |
| </fix> |
| <fix> |
| When a Connector or Endpoint is paused, ensure that only new connections |
| and new requests on existing connections are stopped while allowing in |
| progress requests to run to completion. (markt) |
| </fix> |
| <fix> |
| Explicitly release ByteBuffer instances associated with pooled channels |
| when stopping the NioEndpoint and Nio2Endpoint. (markt) |
| </fix> |
| <fix> |
| Narrow the scope of the logging of invalid cookie headers to just the |
| invalid cookie rather than the whole cookie header. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>65724</bug>: Fix missing messages for some |
| <code>PropertyNotWritableException</code>s caused by a typo in the name |
| used for a resource string. (markt) |
| </fix> |
| <add> |
| Add support for specifying Java 18 (with the value <code>18</code>) as |
| the compiler source and/or compiler target for JSP compilation. If used |
| with an Eclipse JDT compiler version that does not support these values, |
| a warning will be logged and the default will be used. |
| (markt) |
| </add> |
| <update> |
| To align with the JSP 3.1 specification that requires Java 11 as a |
| minimum, make the default JSP source version and target version Java 11. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Remove the <code>ALLOW_UNSUPPORTED_EXTENSIONS</code> system property. As |
| per RFC 6455, all extensions are optional. If an endpoint declares an |
| extension that isn't supported there is no need to trigger an error. The |
| extension can just be excluded from the result of the negotiation. |
| (markt) |
| </fix> |
| <fix> |
| Remove the <code>DISABLE_BUILTIN_EXTENSIONS</code> system property. It was added to |
| enable Tomcat to pass the WebSocket TCK but after updates to the TCK, it |
| is no longer required. (markt) |
| </fix> |
| <add> |
| Add support for POJO WebSocket endpoints to the programmatic upgrade |
| that allows applications to opt to upgrade an HTTP connection to |
| WebSocket. (markt) |
| </add> |
| <add> |
| Add support for the WebSocket 2.1 client-side API for configuring TLS |
| connection for wss client connections. (markt) |
| </add> |
| <fix> |
| <bug>65763</bug>: Improve handling of WebSocket connection close if a |
| message write times out before the message is fully written. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.25. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.5.0. (remm) |
| </update> |
| <add> |
| Improvements to Chinese translations contributed by zhnnn. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by Shirayuking, yoshy |
| and tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <add> |
| Improvements to Spanish translations contributed by Israel. (markt) |
| </add> |
| <update> |
| Update SpotBugs to 4.5.2. (markt) |
| </update> |
| <update> |
| Update to the Eclipse JDT compiler 4.22. (markt) |
| </update> |
| <update> |
| Update the NSIS installer to 3.08. (markt) |
| </update> |
| <update> |
| Update UnboundID to 6.0.3. (markt) |
| </update> |
| <update> |
| Update CheckStyle to 9.2.1. (markt) |
| </update> |
| <update> |
| Update BND to 6.1.0. (markt) |
| </update> |
| <update> |
| Update OSGI annotations to 1.1.1. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M8 (markt)" rtext="2021-12-08"> |
| <subsection name="Catalina"> |
| <changelog> |
| <update> |
| Log a warning if a listener that must be nested inside a Server element |
| is not nested inside one. (michaelo) |
| </update> |
| <fix> |
| Where the getter can be called safely, remove the checks for |
| <code>ServletContext</code> getters called from a |
| <code>contextInitialized()</code> method of a |
| <code>ServletContextListener</code> that was not defined in a |
| <code>web.xml</code> file, a <code>web-fragment.xml</code> file nor |
| annotated with <code>WebListener</code>. (markt) |
| </fix> |
| <fix> |
| Make SPNEGO authentication more robust for the case where the provided |
| credential has expired. (markt) |
| </fix> |
| <fix> |
| Limit cookie support to RFC 6265 to align with recent updates to the |
| Servlet specification. (markt) |
| </fix> |
| <fix> |
| <bug>65684</bug>: Fix a potential <code>NullPointerException</code> when |
| using JULI. (markt) |
| </fix> |
| <docs> |
| Document conditions under which the <code>AprLifecycleListener</code> |
| can be used to avoid JVM crashes. (michaelo) |
| </docs> |
| <fix> |
| Refactor the <code>AsyncFileHandler</code> to reduce the possibility of |
| log messages being lost on shutdown. (markt) |
| </fix> |
| <update> |
| Refactor the <code>AsyncFileHandler</code> to remove the need for the |
| <code>org.apache.juli.AsyncLoggerPollInterval</code>. If set, this |
| property now has no effect. (markt) |
| </update> |
| <add> |
| Add debug logging to the <code>RestCsrfPreventionFilter</code>. Based on |
| pull request <pr>452</pr> by Polina Georgieva. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <add> |
| Use implicit scopes in the OpenSSL Panama module to tie the cleanup of |
| OpenSSL memory to the Java GC. (remm) |
| </add> |
| <add> |
| Provide protection against a known <a |
| href="https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298">OS |
| bug</a> that causes the acceptor to report an incoming connection more |
| than once. (markt) |
| </add> |
| <fix> |
| Avoid unnecessary duplicate read registrations for blocking I/O with the |
| NIO connector. (markt) |
| </fix> |
| <fix> |
| <bug>65677</bug>: Improve exception handling for errors during HTTP/1.1 |
| reads with NIO2. (markt) |
| </fix> |
| <fix> |
| When an error occurs that triggers a stream reset, ensure that the first |
| <code>RST</code> frame sent to the client is the one associated with the |
| error that triggered the reset. (markt) |
| </fix> |
| <fix> |
| <bug>65714</bug>: Fix exceptions when the security manager is enabled |
| and the first request received after starting is an HTTP request to a |
| TLS enabled NIO2 connector. (markt) |
| </fix> |
| <add> |
| Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way |
| on macOS as it does on Linux and Windows when no trusted certificate |
| authorities are configured, and rejects all client certificates. (markt) |
| </add> |
| <fix> |
| Avoid a potential deadlock during the concurrent processing of incoming |
| HTTP/2 frames for a stream and that stream being reset. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <add> |
| Update the WebSocket API packaging to remove the copy of the client API |
| from the server API and replace it with a dependency on the client API. |
| This aligns Tomcat with changes in the WebSocket 2.1 specification. |
| (markt) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M7 (markt)" rtext="2021-11-15"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Refactor <code>HttpServlet</code> so the default <code>doHead()</code> |
| implementation now calls <code>doGet()</code> and relies on the |
| container to ensure that the response body is not sent. The previous |
| behaviour (wrapping the response) may be enabled per Servlet by setting |
| the <code>jakarta.servlet.http.legacyDoHead</code> Servlet |
| initialisation parameter to <code>true</code>. This aligns Tomcat with |
| recent updates for Servlet 6.0 in the Jakarta Servlet |
| specification project. (markt) |
| </scode> |
| <add> |
| Add support for setting generic attributes for session cookies. This |
| aligns Apache Tomcat with recent changes in the Jakarta Servlet |
| specification project. (markt) |
| </add> |
| <fix> |
| Do not add a trailing <code>/</code> to a request URI during |
| canonicalization. (markt) |
| </fix> |
| <fix> |
| Invalid byte sequences (typically in %nn form) in a request URI that are |
| not valid for the given URI encoding now trigger a 400 response. (markt) |
| </fix> |
| <fix> |
| Ensure that a request URI starts with a <code>/</code>. (markt) |
| </fix> |
| <add> |
| Add a new Connector option, <code>rejectSuspiciousURIs</code>, that will |
| cause 'suspicious' (see the Servlet 6.0 specification) URIs to be |
| rejected with a 400 response. (markt) |
| </add> |
| <fix> |
| Improve robustness of JNDIRealm for exceptions occurring when getting |
| the connection. Also add missing close when running into issues |
| getting the password of a user. (remm) |
| </fix> |
| <docs> |
| Add Javadoc comments stating which listeners must be nested within |
| <code>Server</code> elements only. (michaelo) |
| </docs> |
| <add> |
| Add support for custom caching strategies for web application resources. |
| This initial implementation allows control over whether or not a |
| resource is cached. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <scode> |
| Improve performance of Connector shutdown - primarily to reduce the time |
| it takes to run the test suite. (markt) |
| </scode> |
| <add> |
| <pr>457</pr>: Add a <code>toString()</code> method to |
| <code>MimeHeader</code> to aid debugging. (dblevins) |
| </add> |
| <add> |
| Add experimental OpenSSL support through the Panama API incubating in |
| Java 17, with support for OpenSSL 1.1+. This no longer requires |
| tomcat-native or APR. Please refer to the <code>openssl-java17</code> |
| module for more details. (remm) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <update> |
| Regenerate the EL parser using JavaCC 7.0.10. (markt) |
| </update> |
| <fix> |
| Fix a bug that prevented the EL parser correctly parsing a literal Map |
| that used variables rather than literals for both keys and values. |
| (markt) |
| </fix> |
| <update> |
| Ensure that the <code>getType()</code> method of any |
| <code>ELResolver</code> implementation returns <code>null</code> if |
| either the <code>ELResolver</code> or the resolved property is read-only |
| to align Tomcat with recent updates in the Jakarta EL specification |
| project. (markt) |
| </update> |
| <fix> |
| Implement an alternative solution to support the JSP page directive |
| attribute <code>isThreadSafe</code> now that the |
| <code>SingleThreadModel</code> interface has been removed from the |
| Servlet API. The new approach synchronizes the <code>service()</code> |
| method. |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <update> |
| Add a new method |
| <code>ServerEndpointConfig.Configurator.getContainerDefaultConfigurator()</code> |
| to align with recent updates in the WebSocket specification |
| project. (markt) |
| </update> |
| <update> |
| Add a new method <code>ServerContainer.upgradeHttpToWebSocket()</code> |
| to align with recent updates in the WebSocket specification project. |
| (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <fix> |
| <pr>454</pr>: Differentiate warning messages in |
| <code>KubernetesMembershipProvider</code> so that the missing attribute |
| is clear to the user. PR provided by Hal Deadman. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Switch from Cobertura to JaCoCo for code coverage as Cobertura does not |
| support code coverage for code compiled for Java 11 onwards. It also |
| removes the need to use a single thread to run the tests. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M6 (markt)" rtext="2021-10-01"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Provide the DataSource in the constructor of |
| <code>DataSourceUserDatabase</code>, since it is always global. (remm) |
| </fix> |
| <fix> |
| Fix delete then create object manipulations with |
| <code>DataSourceUserDatabase</code>. (remm) |
| </fix> |
| <update> |
| Remove all deprecated code from the Servlet API to align Tomcat with |
| recent changes in the Jakarta Servlet specification project. (markt) |
| </update> |
| <add> |
| Add the currently available Jakarta EE 10 schemas from the Jakarta EE |
| schema project. (markt) |
| </add> |
| <add> |
| Implement the new connection ID and request ID API for Servlet 6.0. |
| (markt) |
| </add> |
| <fix> |
| <bug>65553</bug>: Implement a work-around for a |
| <a href="https://bugs.openjdk.java.net/browse/JDK-8273874">JRE bug</a> |
| that can trigger a memory leak when using the JNDI realm. (markt) |
| </fix> |
| <fix> |
| <bug>65586</bug>: Fix the bloom filter used to improve performance of |
| archive file look ups in the web resources implementation so it works |
| correctly for directory lookups whether or not the provided directory |
| name includes the trailing <code>/</code>. (markt) |
| </fix> |
| <fix> |
| <pr>451</pr>: Improve the usefulness of the thread name cache used in |
| JULI. Pull request provided by t-gergely. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>65563</bug>: Correct parsing of HTTP <code>Content-Range</code> |
| headers. Tomcat was incorrectly requiring an <code>=</code> character |
| after <code>bytes</code>. Fix based on pull request <pr>449</pr> by |
| Thierry Guérin. (markt) |
| </fix> |
| <fix> |
| Correct a potential <code>StackOverflowException</code> with HTTP/2 and |
| sendfile. (markt) |
| </fix> |
| <fix> |
| Further improvements in the management of the connection flow control |
| window. This addresses various bugs that caused streams to incorrectly |
| report that they had timed out waiting for an allocation from the |
| connection flow control window. (markt) |
| </fix> |
| <fix> |
| <bug>65577</bug>: Fix an <code>AccessControlException</code> reporting |
| when running an NIO2 connector with TLS enabled. (markt) |
| </fix> |
| <update> |
| Reclassify TLS ciphers that use AESCCM8 as medium security rather than |
| high security to align with recent changes in OpenSSL. (markt) |
| </update> |
| <fix> |
| Fix an issue that caused some Servlet non-blocking API reads of the HTTP |
| request body to incorrectly use blocking IO. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| Deprecate <code>ELResolver.getFeatureDescriptors</code> to align Tomcat |
| with recent updates in the Jakarta EL specification project. (markt) |
| </scode> |
| <add> |
| Add support for default methods to <code>BeanELResolver</code> to align |
| Tomcat with recent updates in the Jakarta EL specification project. |
| (markt) |
| </add> |
| <add> |
| Add support for <code>MethodReference</code> and the associated getter |
| on <code>MethodExpression</code> to align Tomcat with recent updates in |
| the Jakarta EL specification project. (markt) |
| </add> |
| <add> |
| Refactor <code>ScopedAttributeELResolver</code> to separate out the |
| functionality that is unrelated to scoped attributes into two new |
| resolvers: <code>ImportELResolver</code> and |
| <code>NotFoundELResolver</code>. This aligns Tomcat with recent updates |
| to the Jakarta Server Pages specification. (markt) |
| </add> |
| <fix> |
| Fix the implementation of <code>MethodExpression.getMethodInfo()</code> |
| so that it returns the expected value rather than failing when the |
| method expression is defined with the parameter values in the expression |
| rather than the types being passed explicitly to |
| <code>ExpressionFactory.createMethodExpression()</code>. (markt) |
| </fix> |
| <add> |
| Add support for a new page/tag directive <code>errorOnELNotFound</code> |
| that can be used to trigger an error if an EL expression in a |
| page/tag contains an identifier that cannot be resolved. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| The internal upgrade handler should close the associated |
| <code>WebConnection</code> on destroy. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <update> |
| Update the web applications that are included with Apache Tomcat to use |
| the Jakarta EE 10 schema for web.xml. (markt) |
| </update> |
| <fix> |
| Clarify the JASPIC configuration options in the documentation web |
| application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| <bug>65585</bug>: Update obsolete comments at the start of the |
| <code>build.properties.default</code> file. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M5 (markt)" rtext="2021-09-10"> |
| <subsection name="Catalina"> |
| <changelog> |
| <fix> |
| Enable Tomcat to start if an (old) XML parser is configured that does |
| not support <code>allow-java-encodings</code>. A warning will be logged |
| if such an XML parser is detected. (markt) |
| </fix> |
| <fix> |
| Change the behaviour of custom error pages. If an error occurs after the |
| response is committed, once the custom error page content has been added |
| to the response the connection is now closed immediately rather than |
| closed cleanly. i.e. the last chunk that marks the end of the response |
| body is no longer sent. This acts as an additional signal to the client |
| that the request experienced an error. (markt) |
| </fix> |
| <fix> |
| <bug>65479</bug>: When handling requests using JASPIC authentication, |
| ensure that <code>PasswordValidationCallback.getResult()</code> returns |
| the result of the password validation rather than always returning |
| <code>false</code>. Fixed via pull request <pr>438</pr> provided by |
| Robert Rodewald. (markt) |
| </fix> |
| <update> |
| Improve the reusability of the <code>UserDatabase</code> by adding |
| intermediate concrete implementation classes and allowing |
| partial database updates on <code>save</code>. (remm) |
| </update> |
| <scode> |
| Refactor the authenticators to delegate the check for preemptive |
| authentication to the individual authenticators where an authentication |
| scheme specific check can be performed. Based on pull request |
| <pr>444</pr> by Robert Rodewald. (markt) |
| </scode> |
| <add> |
| Add a <code>UserDatabase</code> implementation as a superset of the |
| <code>DataSourceRealm</code> functionality. (remm) |
| </add> |
| <fix> |
| Make sure the dynamic Principal returned by |
| <code>UserDatabaseRealm</code> stays up to date with the database |
| contents, and add an option to have it be static, similar to the other |
| realms. (remm) |
| </fix> |
| <add> |
| Add <code>derby-*.jar</code> to the list of JARs to skip when scanning |
| for TLDs, web fragments and annotations. (markt) |
| </add> |
| <fix> |
| <pr>447</pr>: Correct JPMS metadata for catalina.jar. Pull request |
| provided by Hui Wang. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| Correct a logic error that meant setting |
| <code>certificateKeystoreFile</code> to <code>NONE</code> did not have |
| the expected effect. <code>NONE</code> was incorrectly treated as a file |
| path. Patch provided by Mikael Sterner. (markt) |
| </fix> |
| <scode> |
| Remove the deprecated APR/Native connector which includes the HTTP APR |
| and the AJP APR connector. Also remove the Java interfaces to the |
| APR/Native library that are not used by the OpenSSL integration for the |
| NIO and NIO2 connectors. (markt) |
| </scode> |
| <scode> |
| Refactor the JSSE/OpenSSL integration to avoid the use of |
| <code>finalize()</code>. (markt) |
| </scode> |
| <fix> |
| <bug>65505</bug>: When an HTTP header value is removed, ensure that the |
| order of the remaining header values is unchanged. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>65506</bug>: Fix write timeout check that was using the read |
| timeout value. Patch submitted by Gustavo Mahlow. (remm) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Remove unnecessary Context settings from the examples web application. |
| (markt) |
| </fix> |
| <fix> |
| Document default value for <code>unpackWARs</code> and related clean-up. |
| Pull request <pr>439</pr> provided by Robert Rodewald. (markt) |
| </fix> |
| <fix> |
| Clarify the documentation of the <code>compressionMinSize</code> and |
| <code>compressibleMimeType</code> HTTP <code>Connector</code> |
| attributes. Pull request <pr>442</pr> provided by crisgeek. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Tribes"> |
| <changelog> |
| <scode> |
| Refactor the <code>ParallelNioSender</code> to avoid the use of |
| <code>finalize()</code>. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <fix> |
| Fix failing build when building on non-English locales. Pull request |
| <pr>441</pr> provided by Dachuan J. (markt) |
| </fix> |
| <update> |
| Update to JSign version 4.0 to enable code signing without the need for |
| the installation of additional client tools. (markt) |
| </update> |
| <update> |
| Add Apache Derby 10.15.2.0 to the testsuite dependencies, for JDBC |
| and DataSource testing. (remm) |
| </update> |
| <add> |
| Update the internal fork of Apache Commons BCEL to 40d5eb4 (2021-09-01, |
| 6.6.0-SNAPSHOT). Code clean-up only. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Codec to fd44e6b (2021-09-01, |
| 1.16-SNAPSHOT). Minor refactoring. (markt) |
| </add> |
| <add> |
| <bug>65661</bug>: Update the internal fork of Apache Commons FileUpload |
| to 33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As |
| a result of Commons File Upload now using |
| <code>java.nio.file.Files</code>, applications using multi-part uploads |
| need to ensure that the JVM is configured with sufficient direct memory |
| to store all in progress multi-part uploads. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons Pool to 2.11.1 (2021-08-17). |
| Improvements, code clean-up and refactoring. (markt) |
| </add> |
| <add> |
| Update the internal fork of Apache Commons DBCP to 2.9.0 (2021-08-03). |
| Improvements, code clean-up and refactoring. (markt) |
| </add> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.31 to |
| pick up Windows binaries built with OpenSSL 1.1.1l. (markt) |
| </update> |
| <update> |
| Switch to the CDN as the primary download location for ASF dependencies. |
| (markt) |
| </update> |
| <add> |
| Improvements to Chinese translations contributed by syseal, wolibo, |
| ZhangJieWen and DigitalFatCat. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M4 (markt)" rtext="2021-08-06"> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| Correct a regression in the Java 8 to Java 11 changes made in 10.1.0-M3 |
| that caused all WebSocket end points to fail to register. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M3 (markt)" rtext="not released"> |
| <subsection name="General"> |
| <changelog> |
| <update> |
| Update the minimum required Java version to Java 11. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Incremented the supported Jakarta Servlet version to 6.0 to align with |
| the current development branch of the Jakarta Servlet specification. |
| Plans have changed and the next iteration of the Servlet specification |
| will be 6.0 rather than 5.1. (markt) |
| </scode> |
| <fix> |
| <bug>65411</bug>: Always close the connection when an uncaught |
| <code>NamingException</code> occurs to avoid connection locking. |
| Submitted by Ole Ostergaard. (remm) |
| </fix> |
| <fix> |
| <bug>65433</bug>: Correct a regression in the fix for <bug>65397</bug> |
| where a <code>StringIndexOutOfBoundsException</code> could be triggered |
| if the canonical path of the target of a symlink was shorter than the |
| canonical path of the directory in which the symlink had been created. |
| Patch provided by Cedomir Igaly. (markt) |
| </fix> |
| <add> |
| <bug>65443</bug>: Refactor the <code>CorsFilter</code> to make it easier |
| to extend. (markt) |
| </add> |
| <fix> |
| To avoid unnecessary cache revalidation, do not add an HTTP |
| <code>Expires</code> header when adding an HTTP header of |
| <code>Cache-Control: private</code>. (markt) |
| </fix> |
| <scode> |
| Refactor JULI's custom <code>LogManager</code>, the |
| web application class loader implementation, the web resources |
| implementation, the <code>JreLeakPreventionListener</code> |
| implementation and the <code>StandardJarScanner</code> implementation to |
| remove Java 8 specific code now that the minimum Java version has been |
| increased to 11. (markt) |
| </scode> |
| <scode> |
| Remove all references to the endorsed standards override feature and the |
| specifying of optional packages (extensions) in the manifest as these |
| are not supported in Java 11. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| When writing an HTTP/2 response via sendfile (only enabled when |
| <code>useAsyncIO</code> is true) the connection flow control window was |
| sometimes ignored leading to various error conditions. sendfile now |
| checks both the stream and connection flow control windows before |
| writing. (markt) |
| </fix> |
| <add> |
| Add debug logging for writing an HTTP/2 response via sendfile. (markt) |
| </add> |
| <fix> |
| Correct bugs in the HTTP/2 connection flow control management that meant |
| it was possible for a connection to stall waiting for a connection flow |
| control window update that had already arrived. Any streams on that |
| connection that were trying to write when this happened would time out. |
| (markt) |
| </fix> |
| <fix> |
| <bug>65448</bug>: When using TLS with NIO, it was possible for a |
| blocking response write to hang just before the final TLS packet |
| associated with the response until the connection timed out at which |
| point the final packet would be sent and the connection closed. (markt) |
| </fix> |
| <fix> |
| <bug>65454</bug>: Fix a race condition that could result in a delay to |
| a new request. The new request could be queued to wait for an existing |
| request to finish processing rather than the thread pool creating a new |
| thread to process the new request. (markt) |
| </fix> |
| <fix> |
| <bug>65460</bug>: Correct a regression introduced in the previous |
| release in the change to reduce the number of small HTTP/2 window |
| updates sent for streams. A logic error meant that small window updates |
| for the connection were dropped. This meant that the connection flow |
| window slowly reduced over time until nothing could be sent. (markt) |
| </fix> |
| <fix> |
| Remove NIO workarounds and code that is no longer needed with Java 11. |
| (remm) |
| </fix> |
| <scode> |
| Refactor the endpoints to remove Java 8 specific code now that the |
| minimum Java version has been increased to 11. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| Add additional generics to the EL API to align with the latest changes |
| in the EL specification project. (markt) |
| </scode> |
| <add> |
| Enable EL lambda expressions to be coerced to functional interfaces. |
| This is an implementation of a proposed extension to the Jakarta |
| Expression Language specification. (markt) |
| </add> |
| <scode> |
| Refactor the EL API and implementation to remove Java 8 specific code |
| now that the minimum Java version has been increased to 11. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Refactor the WebSocket implementation to remove Java 8 specific code now |
| that the minimum Java version has been increased to 11. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>65404</bug>: Correct a regression in the fix for <bug>63362</bug> |
| that caused the server status page in the Manager web application to be |
| truncated if HTTP upgrade was used such as when starting a WebSocket |
| connection. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to Chinese translations contributed by ZhangJieWen and |
| chengzheyan. (markt) |
| </add> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Japanese translations contributed by tak7iji. (markt) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <fix> |
| Use of GraalVM native images no longer automatically disables JMX |
| support. JMX support may still be disabled by calling |
| <code>org.apache.tomcat.util.modeler.Registry.disableRegistry()</code>. |
| (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M2 (markt)" rtext="2021-07-02"> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Refactor the <code>RemoteIpValve</code> to use the common utility method |
| for list to comma separated string conversion. (markt) |
| </scode> |
| <scode> |
| Refactor <code>JNDIRealm$JNDIConnection</code> so its fields are |
| accessible to sub-classes of <code>JNDIRealm</code>. (markt) |
| </scode> |
| <fix> |
| Fix serialization warnings in <code>UserDatabasePrincipal</code> |
| reported by SpotBugs. (markt) |
| </fix> |
| <fix> |
| <bug>65397</bug>: Calls to |
| <code>ServletContext.getResourcePaths()</code> no longer include |
| symbolic links in the results unless <code>allowLinking</code> has been |
| set to <code>true</code>. If a resource is skipped because of this |
| change, a warning will be logged as this typically indicates a |
| configuration issue. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>65368</bug>: Improve handling of clean closes of inbound TLS |
| connections. Treat them the same way as clean closes of non-TLS |
| connections rather than as unknown errors. (markt) |
| </fix> |
| <fix> |
| Modify the HTTP/2 connector not to send small updates for stream flow |
| control windows to the user agent as, depending on how the user agent is |
| written, this may trigger small writes from the user agent that in turn |
| trigger the overhead protection. Small updates for stream flow control |
| windows are now combined with subsequent flow control window updates for |
| that stream to ensure that all stream flow control window updates sent |
| from Tomcat are larger than <code>overheadWindowUpdateThreshold</code>. |
| (markt) |
| </fix> |
| <add> |
| Add additional debug logging to track the current state of the HTTP/2 |
| overhead count that Tomcat uses to detect and close potentially |
| malicious connections. (markt) |
| </add> |
| <update> |
| Many HTTP/2 requests from browsers will trigger one overhead frame and |
| one non-overhead frame. Change the overhead calculation so that a |
| non-overhead frame reduces the current overhead count by 2 rather than |
| 1. This means that, over time, the overhead count for a well-behaved |
| connection will trend downwards. (markt) |
| </update> |
| <update> |
| Change the initial HTTP/2 overhead count from <code>-10</code> to |
| <code>-10 * overheadCountFactor</code>. This means that, regardless of |
| the value chosen for <code>overheadCountFactor</code>, when a connection |
| opens, 10 overhead frames in a row will be required to trigger the |
| overhead protection. (markt) |
| </update> |
| <update> |
| Increase the default <code>overheadCountFactor</code> from |
| <code>1</code> to <code>10</code> and change the reduction in overhead |
| count for a non-overhead frame from <code>-2</code> to <code>-20</code>. |
| This allows for a larger range (0-20) to be used for |
| <code>overheadCountFactor</code> providing for finer-grained control. |
| (markt) |
| </update> |
| <fix> |
| Modify the parsing of HTTP header values that use the |
| <code>1#token</code> syntax to ignore empty elements as per RFC 7230 section 7 |
| instead of treating the presence of empty elements as an error. (markt) |
| </fix> |
| <fix> |
| Expand the unit tests for <code>HttpServlet.doHead()</code> and correct |
| the flushing of the response buffer. The buffer used to behave as if it |
| was one byte smaller than the configured size. The buffer was flushed |
| (and the response committed if required) when the buffer was full. The |
| buffer is now flushed (and the response committed if required) if the |
| buffer is full and there is more data to write. (markt) |
| </fix> |
| <fix> |
| Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the |
| same connection could hang and eventually time out when async IO was |
| enabled (it is enabled by default). (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <fix> |
| <bug>65387</bug>: Correct a regression in the fix for <bug>65124</bug> |
| and restore the local definition of <code>out</code> for tags that |
| implement <code>TryCatchFinally</code>. (markt) |
| </fix> |
| <fix> |
| <bug>65390</bug>: Correct a regression in the fix for <bug>65124</bug> |
| and restore code that was removed in error leading to JSP compilation |
| failures in some circumstances. (markt) |
| </fix> |
| <update> |
| Update to the Eclipse JDT compiler 4.20. (markt) |
| </update> |
| <add> |
| Add support for specifying Java 17 (with the value <code>17</code>) as |
| the compiler source and/or compiler target for JSP compilation. If used |
| with an Eclipse JDT compiler version that does not support these values, |
| a warning will be logged and the latest supported version will be used. |
| (markt) |
| </add> |
| <fix> |
| <bug>65377</bug>: Update the Java code generation for JSPs not to use |
| the boxed primitive constructors as they have been deprecated in Java 9 |
| and marked for future removal in Java 16. <code>valueOf()</code> is now |
| used instead. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <scode> |
| Refactor the <code>DigestAuthenticator</code> to reuse a shared |
| <code>SecureRandom</code> instance rather than create a new one to |
| generate the <code>cnonce</code> if required. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| <bug>65385</bug>: Correct the link in the documentation web application |
| to the Maven Central repository. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Use JSign to integrate the build script with the code signing service to |
| enable release builds to be created on Linux as well as Windows. (markt) |
| </add> |
| <update> |
| Update the OWB module to Apache OpenWebBeans 2.0.23. (remm) |
| </update> |
| <update> |
| Update the CXF module to Apache CXF 3.4.4. (remm) |
| </update> |
| <fix> |
| <bug>65369</bug> / <pr>422</pr>: Add the additional |
| <code>--add-opens=...</code> options required for running Tomcat on Java |
| 16 onwards to the <code>service.bat</code> script to align it with the |
| other start-up scripts. PR provided by MCMicS. (markt) |
| </fix> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <update> |
| Update JUnit to version 4.13.2. (markt) |
| </update> |
| <update> |
| Update EasyMock to 4.3. (markt) |
| </update> |
| <update> |
| Update Objenesis to 3.2. (markt) |
| </update> |
| <update> |
| Update UnboundID to 6.0.0. (markt) |
| </update> |
| <update> |
| Update CheckStyle to 8.43. (markt) |
| </update> |
| <update> |
| Update SpotBugs to 4.2.3. (markt) |
| </update> |
| <update> |
| Update OSGi annotations to 1.1.0. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| <section name="Tomcat 10.1.0-M1 (markt)" rtext="2021-06-15"> |
| <subsection name="General"> |
| <changelog> |
| <scode> |
| This release contains all of the changes up to and including those in |
| Apache Tomcat 10.0.6 plus the additional changes listed below. (markt) |
| </scode> |
| <scode> |
| Remove code previously marked for removal in Tomcat 10.1.x. (markt) |
| </scode> |
| </changelog> |
| </subsection> |
| <subsection name="Catalina"> |
| <changelog> |
| <scode> |
| Incremented the supported Jakarta Servlet version to 5.1 to align with |
| the current development branch of the Jakarta Servlet specification. |
| (markt) |
| </scode> |
| <fix> |
| <bug>65301</bug>: <code>RemoteIpValve</code> will now avoid getting |
| the local host name when it is not needed. (remm) |
| </fix> |
| <fix> |
| <bug>65308</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code> |
| is given. (fschumacher) |
| </fix> |
| <add> |
| <pr>412</pr>: Add commented out, sample users for the Tomcat Manager app |
| to the default <code>tomcat-users.xml</code> file. Based on a PR by |
| Arnaud Dagnelies. (markt) |
| </add> |
| <add> |
| <pr>418</pr>: Add a new option, <code>pass-through</code>, to the |
| default servlet's <code>useBomIfPresent</code> initialization parameter |
| that causes the default servlet to leave any BOM in place when |
| processing a static file and not to use the BOM to determine the |
| encoding of the file. Based on a pull request by Jean-Louis Monteiro. |
| (markt) |
| </add> |
| <fix> |
| <pr>419</pr>: When processing POST requests of type |
| <code>multipart/form-data</code> for parts without a filename that are |
| added to the parameter map in String form, check the size of the part |
| before attempting conversion to String. Pull request provided by |
| tianshuang. (markt) |
| </fix> |
| <add> |
| Implement the new <code>Cookie</code> methods |
| <code>setAttribute()</code>, <code>getAttribute()</code> and |
| <code>getAttributes()</code> introduced in Servlet 6.0. (markt) |
| </add> |
| <fix> |
| AprLifecycleListener does not show dev version suffix for libtcnative |
| and libapr. (michaelo) |
| </fix> |
| <update> |
| Refactor principal handling in <code>UserDatabaseRealm</code> using |
| an inner class that extends <code>GenericPrincipal</code>. (remm) |
| </update> |
| <fix> |
| Enable the default <code>doHead()</code> implementation in |
| <code>HttpServlet</code> to correctly handle responses where the content |
| length needs to be represented as a long since it is larger than the |
| maximum value that can be represented by an int. (markt) |
| </fix> |
| <fix> |
| Avoid synchronization on roles verification for the memory |
| <code>UserDatabase</code>. (remm) |
| </fix> |
| <fix> |
| Fix the default <code>doHead()</code> implementation in |
| <code>HttpServlet</code> to correctly handle responses where the Servlet |
| calls <code>ServletResponse.reset()</code> and/or |
| <code>ServletResponse.resetBuffer()</code>. (markt) |
| </fix> |
| <fix> |
| Fix the default <code>doHead()</code> implementation in |
| <code>HttpServlet</code> to correctly handle responses generated using |
| the Servlet non-blocking API. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Coyote"> |
| <changelog> |
| <fix> |
| <bug>65303</bug>: Fix a possible <code>NullPointerException</code> if |
| an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on |
| a pushed HTTP/2 stream. (markt) |
| </fix> |
| <update> |
| Simplify AprEndpoint socket bind for all platforms. (michaelo) |
| </update> |
| <fix> |
| <bug>65340</bug>: Add missing check for a negative return value for |
| <code>Hpack.decodeInteger</code> in the <code>HpackDecoder</code>, |
| which could cause a <code>NegativeArraySizeException</code>. |
| Submitted by Thomas, and verified the fix is present in the donated |
| hpack code in a further update. (remm) |
| </fix> |
| <add> |
| Add debug logging for HTTP/2 HPACK header decoding. (markt) |
| </add> |
| <fix> |
| Correct parsing of HTTP headers consisting of a list of tokens so that a |
| header with an empty token is treated consistently regardless of whether |
| the empty token is at the start, middle or end of the list of tokens. |
| (markt) |
| </fix> |
| <fix> |
| Remove support for the <code>identity</code> transfer encoding. The |
| inclusion of this encoding in RFC 2616 was an error that was corrected |
| in 2001. Requests using this transfer encoding will now receive a 501 |
| response. (markt) |
| </fix> |
| <fix> |
| Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1 |
| clients. (markt) |
| </fix> |
| <fix> |
| Ensure that if the transfer encoding header contains |
| <code>chunked</code>, the <code>chunked</code> encoding is the |
| final encoding listed. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Jasper"> |
| <changelog> |
| <scode> |
| Incremented the supported Jakarta Expression Language version to 5.0 to |
| align with the current development branch of the Jakarta Expression |
| Language specification. (markt) |
| </scode> |
| <scode> |
| Review code used to generate Java source from JSPs and tags and remove |
| code found to be unnecessary. (markt) |
| </scode> |
| <scode> |
| Refactor use of internal <code>ChildInfo</code> class to use compile |
| time type checking rather than run time type checking. (markt) |
| </scode> |
| <fix> |
| <bug>65124</bug>: Partial fix. When generating Java source code to call |
| a tag handler, only define the local variable <code>JspWriter out</code> |
| when it is going to be used. (markt) |
| </fix> |
| <scode> |
| Add generics to the EL 5.0 API to align with the current EL 5.0 |
| development branch. (markt) |
| </scode> |
| <update> |
| Update the <code>web-fragment.xml</code> included in |
| <code>jasper.jar</code> and <code>jasper-el.jar</code> to use the |
| Servlet 5.0 schema. (markt) |
| </update> |
| <fix> |
| Update JspC to generate <code>web.xml</code> and |
| <code>web-fragment.xml</code> files using Servlet 5.0 schemas. (markt) |
| </fix> |
| <scode> |
| Remove the deprecated method |
| <code>MethodExpression.isParmetersProvided()</code> from the EL API to |
| align with the current EL 5.0 development branch. (markt) |
| </scode> |
| <fix> |
| <bug>65358</bug>: Improve expression language method matching for |
| methods with varargs. Where multiple methods may match the provided |
| parameters, the method that requires the fewest varargs is preferred. |
| (markt) |
| </fix> |
| <add> |
| <bug>65332</bug>: Add a commented out section in |
| <code>catalina.policy</code> that provides the necessary permissions to |
| compile JSPs with javac when running on Java 9 onwards with a security |
| manager. It is commented out as it will cause errors if used with |
| earlier Java versions. (markt) |
| </add> |
| </changelog> |
| </subsection> |
| <subsection name="WebSocket"> |
| <changelog> |
| <fix> |
| <bug>65317</bug>: When using <code>permessage-deflate</code>, the |
| WebSocket connection was incorrectly closed if the uncompressed payload |
| size was an exact multiple of 8192. Based on a patch provided by Saksham |
| Verma. (markt) |
| </fix> |
| <update> |
| Update the <code>web-fragment.xml</code> included in |
| <code>tomcat-websocket.jar</code> to use the Servlet 5.0 schema. (markt) |
| </update> |
| <fix> |
| <bug>65342</bug>: Correct a regression introduced with the fix for |
| <bug>65262</bug> that meant Tomcat's WebSocket implementation would only |
| work with Tomcat's implementation of the Jakarta WebSocket API. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Web applications"> |
| <changelog> |
| <fix> |
| Improve the description of the <code>maxConnections</code> and |
| <code>acceptCount</code> attributes in the Connector section of the |
| documentation web application. (markt) |
| </fix> |
| </changelog> |
| </subsection> |
| <subsection name="Other"> |
| <changelog> |
| <add> |
| Improvements to French translations. (remm) |
| </add> |
| <add> |
| Improvements to Korean translations. (woonsan) |
| </add> |
| <fix> |
| <bug>65362</bug>: Correct a regression in the previous release. The |
| change to create OSGi <code>Require-Capability</code> sections in |
| manifests for Jakarta API JARs manually rather than with bnd annotations |
| did not add the necessary manual entries to the embedded JARs. (markt) |
| </fix> |
| <update> |
| Update the packaged version of the Tomcat Native Library to 1.2.30. Also |
| update the minimum recommended version to 1.2.30. (markt) |
| </update> |
| </changelog> |
| </subsection> |
| </section> |
| </body> |
| </document> |
| |
| |