Changelog

Tomcat 8.5.54 (markt)

Catalina

  • Fix: Ensure all URL patterns provided via web.xml are %nn decoded consistently using the encoding of the web.xml file where specified and UTF-8 where no explicit encoding is specified. (markt)
  • Update: Allow a comma separated list of class names for the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property. (remm)
  • Fix: 64149: Avoid NPE when using the access log valve without a pattern. (remm)
  • Fix: 64226: Reset timezone after parsing a date since the date format is reused. Test case submitted by Gary Thomas. (remm)
  • Fix: 64247: Using a wildcard for jarsToSkip should not override a possibly present jarsToScan. Based on code submitted by Iridias. (remm)
  • Fix: 64265: Fix ETag comparison performed by the default servlet. The default servlet always uses weak comparison. (markt)
  • Fix: Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann. (markt)

Coyote

  • Add: When configuring an HTTP Connector, warn if the encoding specified for URIEncoding is not a superset of US-ASCII as required by RFC7230. (markt)
  • Fix: 64240: Ensure that HTTP/0.9 requests that contain additional data on the request line after the URI are treated consistently. Such requests will now always be treated as HTTP/1.1. (markt)
  • Add: Expose the HTTP/2 connection ID and stream ID to applications via the request attributes org.apache.coyote.connectionID and org.apache.coyote.streamID respectively. (markt)
  • Add: Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling, which adds an option to pass the %2f sequence through to the application without decoding it, in addition to rejecting or decoding such sequences. (markt)
  • Add: Expose the associated HttpServletRequest to the CookieProcessor when generating a cookie header so the header can be tailored based on the properties of the request, such as the user agent, if required. Based on a patch by Lazar Kirchev. (markt)

Jasper

  • Add: Add support for specifying Java 14 (with the value 14) and Java 15 (with the value 15) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will be used. (markt)

Cluster

  • Code: Refactor the creation of DeltaRequest objects to make it simpler to use custom implementations. Based on a pull request provided by Thomas Stock. (markt)

Web applications

  • Fix: Correct the documentation web application to remove references to the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system property changing how the sequence %5c is interpreted in a URI. (markt)

Other

  • Add: Improve the quality and expand the coverage of the French translations provided with Apache Tomcat. Contribution provided by Tom Bens. (remm)
  • Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contribution provided by Lee Yazhou. (markt)
  • Fix: 64270: Set the documented default umask of 0027 when using jsvc via daemon.sh and allow the umask used to be configured via the UMASK environment variable as it is when using catalina.sh. (markt)
  • Fix: Deprecate the LOGGING_CONFIG environment variable and replace it with the CATALINA_LOGGING_CONFIG environment variable to avoid clashes with other components that use LOGGING_CONFIG. (markt)

2020-03-16 Tomcat 8.5.53 (markt)

Coyote

  • Fix: 64210: Correct a regression in the improvements to HTTP header validation that caused requests to be incorrectly treated as invalid if a CRLF sequence was split between TCP packets. Improve validation of request lines, including for HTTP/0.9 requests. (markt)

Other

  • Fix: 64206: Correct a regression introduced in 8.5.51 that meant that the HTTP port specified when using the Windows Installer was ignored and 8080 was always used. (markt)

not released Tomcat 8.5.52 (markt)

Catalina

  • Fix: Store config compatibility with HostWebXmlCacheCleaner listener. (remm)
  • Fix: Modify the RewriteValve to use ServletRequest.getServerName() to populate the HTTP_HOST variable rather than extracting it from the Host header as this allows HTTP/2 to be supported. (markt)
  • Code: Remove PushBuilder from the deprecated Servlet 4 Preview API. Users still depending on this feature should ideally upgrade to Tomcat 9.0.x. If upgrade is not possible, application code should cast to the internal Tomcat implementation classes. (markt)
  • Fix: Switch Tomcat embedded to loading MIME type mappings from a property file generated from the default web.xml so the MIME type mappings are consistent regardless of how Tomcat is started. (markt)
  • Fix: Missing store config attributes for Resources elements. (remm)
  • Fix: 64153: Ensure that the parent for the web application class loader is set consistently. (markt)
  • Fix: 64166: Ensure that the names returned by HttpServletResponse.getHeaderNames() are unique. (markt)
  • Code: Rename org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource to org.apache.tomcat.util.digester.EnvironmentPropertySource. The old class is still available but deprecated. Patch provided by Bernd Bohmann. (markt)
  • Add: Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein. (markt)
  • Fix: 64184: Avoid repeated log messages if a MemoryUserDatabase is configured but the specified configuration file is missing. (markt)
  • Add: 64189: Expose the web application version String as a ServletContext attribute named org.apache.catalina.webappVersion. (markt)

Coyote

  • Fix: When the NIO or APR/native connectors were configured with useAsyncIO="true" and a zero length read or write was performed, the read/write would time out rather than return immediately. (markt)
  • Fix: 64141: If using a CA certificate, remove a default value for the truststore file when not using a JSSE configuration. (remm)
  • Fix: Improve robustness of OpenSSLEngine shutdown. Based on code submitted by Manuel Dominguez Sarmiento. (remm)
  • Fix: Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept. (markt)
  • Fix: A zero length AJP secret will now behave as if it has not been specified. (remm)
  • Fix: 64188: If an error occurs while committing or flushing the response when using a multiplexing protocol like HTTP/2 that requires the channel to be closed but not the connection, just close the channel and allow the other channels using the connection to continue. Based on a suggestion from Alejandro Anadon. (markt)
  • Fix: Correct the semantics of getEnableSessionCreation and setEnableSessionCreation for OpenSSLEngine. Pull request provided by Alexander Scheel. (markt)
  • Fix: Allow async requests to complete cleanly when the Connector is paused before complete() is called on a container thread. (markt)

Jasper

  • Code: Parameterize JSP version and API class names in localization messages to allow simpler re-use between major versions. (markt)
  • Fix: Ensure that TLD files listed in the jsp-config section of web.xml that are registered in the uriTldResourcePathMap with the URI specified in web.xml are also registered with the URI in the TLD file if it is different. Patch provided by Markus Lottmann. (markt)

Web applications

  • Add: Expand the documentation for the address attribute of the AJP Connector and document that the AJP Connector also supports the ipv6v6only attribute with the APR/Native implementation. (markt)

Other

  • Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
  • Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contribution provided by BoltzmannWxd. (markt)
  • Add: Expand the coverage of the Korean translations provided with Apache Tomcat. Contributions provided by B. Cansmile Cha. (markt)
  • Add: 64190: Add support for specifying milliseconds (using S, SS or SSS) in the timestamp used by JULI's OneLineFormatter. (markt)

2020-02-11 Tomcat 8.5.51 (markt)

Catalina

  • Code: Remove part of the deprecated Servlet 4 Preview API. Users still depending on this feature should ideally upgrade to Tomcat 9.0.x. If upgrade is not possible, application code should cast to the internal Tomcat implementation classes. (markt)
  • Update: Do not store username and password as session notes during authentication if they are not needed. (kkolinko)
  • Fix: Avoid useless environment restore when not using GSSCredential in JNDIRealm. (remm)
  • Fix: 58577: Respect the argument-count when searching for MBean operations to invoke via the JMXProxyServlet. (schultz)
  • Add: 62755: Add ability to opt out of adding the default web.xml config when embedding Tomcat and adding a context via addWebapp(). Call setAddDefaultWebXmlToWebapp(false) to prevent the automatic config. (isapir/markt)
  • Update: 63691: Skip all jar and directory scanning when the wildcard pattern "*" or "*.jar" is set or added to tomcat.util.scan.StandardJarScanFilter.jarsToSkip. (isapir)
  • Fix: 64005: Correct a regression in the static resource caching changes introduced in 8.5.28. Avoid a NullPointerException when working with the URL provided for the root of a packed WAR. (markt)
  • Fix: 64008: Clarify/expand the Javadoc for the Tomcat#addWebapp() and related methods. (markt)
  • Code: Deprecate the JmxRemoteLifecycleListener as the features it provides are now available in the remote JMX capability included with the JRE. This listener will be removed in Tomcat 10 and may be removed from Tomcat 8.5.x some time after 2020-12-31. (markt)
  • Fix: 64011: JNDIRealm no longer authenticates to LDAP. (michaelo)
  • Fix: 64021: Ensure that container provided SCIs are always loaded before application provided SCIs. Note that where both the container and the application provide the same SCI, it is the application provided SCI that will be used. (markt)
  • Fix: SCI definitions from JARs unpacked into WEB-INF/classes are now handled consistently and will always be found irrespective of whether the web application defines a JAR ordering or not. (markt)
  • Fix: 64023: Skip null-valued session attributes when deserializing sessions. (schultz)
  • Fix: Do not throw a NullPointerException when an MBean or operation cannot be found by the JMXProxyServlet. (schultz)
  • Update: 64067: Allow more than one parameter when defining RewriteMaps. (fschumacher)
  • Fix: 64074: InputStreams for directories obtained from resource URLs now return a directory listing consistent with the behaviour of FileURLConnection. In addition to restoring the behaviour that was lost as a result of the introduction of CachedResourceURLConnection, it expands the feature to include packedWARs and to take account of resource JARs. (markt)
  • Update: Refactor recycle facade system property into a new connector attribute named discardFacades. (remm)
  • Fix: 64089: Add ${...} property replacement support to XML external entity definitions. (markt)