This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit a223293bbc16fa93bdbd6ba2373111c5c19c1e51 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Aug 15 12:33:55 2024 +0100 Prep changelog for 12.0.x --- webapps/docs/changelog.xml | 2751 +------------------------------------------- 1 file changed, 9 insertions(+), 2742 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e8778baac5..bcd5a4398b 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -104,7 +104,15 @@ They eventually become mixed with the numbered issues (i.e., numbered issues do not "pop up" wrt. others). --> -<section name="Tomcat 11.0.0-M25 (markt)" rtext="in development"> +<section name="Tomcat 12.0.0-M1 (markt)" rtext="in development"> + <subsection name="General"> + <changelog> + <scode> + This release contains all of the changes up to and including those in + Apache Tomcat 11.0.0-M24 plus the additional changes listed below. (markt) + </scode> + </changelog> + </subsection> <subsection name="Coyote"> <changelog> <fix> 
@@ -174,2747 +182,6 @@ </changelog> </subsection> </section> -<section name="Tomcat 11.0.0-M24 (markt)" rtext="release in progress"> - <subsection name="Catalina"> - <changelog> - <fix> - <bug>69234</bug>: Fix a regression caused by the refactoring to use - <code>java.net.URI</code> rather than <code>java.net.URL</code> that - broke support for parallel deployment with WAR files. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Correct regressions in the refactoring that added recycling of the - coyote request and response to the HTTP/2 processing. (markt) - </fix> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M23 (markt)" rtext="not released"> - <subsection name="Catalina"> - <changelog> - <add> - Add support for RFC 8297 (Early Hints). Applications can use this - feature by casting the <code>HttpServletResponse</code> to - <code>org.apache.catalina.connector.Reponse</code> and then calling the - method <code>void sendEarlyHints()</code>. This method will be added to - the Servlet API (removing the need for the cast) in Servlet 6.2 onwards. - (markt) - </add> - <fix> - <bug>69214</bug>: Do not reject a CORS request that uses POST but does - not include a <code>content-type</code> header. Tomcat now correctly - processes this as a simple CORS request. Based on a patch suggested by - thebluemountain. (markt) - </fix> - <fix> - Refactor <code>SpnegoAuthenticator</code> so it uses - <code>Subject.callAs()</code> rather than <code>Subject.doAs()</code> - when the available. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <update> - Add FFM compatibility methods for LibreSSL support. Renegotiation is - not supported at the moment. 
(remm) - </update> - <update> - Add <code>org.apache.tomcat.util.openssl.LIBRARY_NAME</code> (specifies - the name of the library to load) and - <code>org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY</code> - (set to <code>true</code> to use <code>System.loadLibrary</code> rather - than the FFM library loading code) to configure the OpenSSL library - loading using FFM. (remm) - </update> - <update> - Add FFM compatibility methods for BoringSSL support. Renegotiation is - not supported in many cases. (remm) - </update> - <fix> - Ensure that HTTP/2 stream input buffers are only created when there is a - request body to be read. (markt) - </fix> - <scode> - Refactor creation of HttpParser instances from the Processor level to - the Protocol level since the parser configuration depends on the - protocol and the parser is, otherwise, stateless. (markt) - </scode> - <add> - Align HTTP/2 with HTTP/1.1 and recycle the container internal request - and response processing objects by default. This behaviour can be - controlled via the new <code>discardRequestsAndResponses</code> - attribute on the HTTP/2 upgrade protocol. (markt) - </add> - </changelog> - </subsection> - <subsection name="jdbc-pool"> - <changelog> - <fix> - <bug>69206</bug>: Ensure statements returned from <code>Statement</code> - methods <code>executeQuery()</code>, <code>getResultSet()</code> and - <code>getGeneratedKeys()</code> are correctly wrapped before being - returned to the caller. Based on pull request <pr>742</pr> provided by - Michael Clarke. - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <fix> - Fix packaging regression with missing osgi information following - addition of the <code>test-only</code> build target. (remm) - </fix> - <update> - Update Tomcat Native to 2.0.8. (markt) - </update> - <update> - Update Byte Buddy to 1.14.18. (markt) - </update> - <add> - Improvements to French translations. 
(remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M22 (markt)" rtext="2024-07-05"> - <subsection name="Catalina"> - <changelog> - <fix> - Allow <code>JAASRealm</code> to use the configuration source to load a - configured <code>configFile</code>, for easier use with testing. (remm) - </fix> - <fix> - Fix a potential <code>NullPointerException</code> in classes that extend - <code>ServletResponse</code> when - <code>setCharacterEncoding(Charset)</code> is called with - <code>null</code>. (markt) - </fix> - <fix> - Add missing algorithm callback to the <code>JAASCallbackHandler</code>. - (remm) - </fix> - <fix> - Add the OpenSSL version number on the APR and OpenSSL status classes. - (remm) - </fix> - <fix> - <bug>69131</bug>: Expand the implementation of the <code>filter</code> - value of the Authenticator attribute <code>allowCorsPreflight</code>, so - that it applies to all requests that match the configured URL patterns - for the CORS filter, rather than only applying if the CORS filter is - mapped to <code>/*</code>. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Improve the algorithm used to identify the IP address to use to unlock - the acceptor thread when a Connector is listening on all local - addresses. Interfaces that are configured for point to point connections - or are not currently up are now skipped. (markt) - </fix> - <fix> - Clean and log OpenSSL errors before processing of OpenSSL conf commands - in the FFM code. (remm) - </fix> - <fix> - <bug>69121</bug>: Ensure that the <code>onComplete()</code> event is - triggered if <code>AsyncListener.onError()</code> dispatches to a target - that throws an exception. (markt) - </fix> - <fix> - Following the trailer header field refactoring, <code>-1</code> is no - longer an allowed value for <code>maxTrailerSize</code>. 
Adjust - documentation accordingly. (remm) - </fix> - <update> - Move OpenSSL support using FFM to a separate JAR named - <code>tomcat-coyote-ffm.jar</code> that advertises Java 22 in its - manifest. (remm) - </update> - <fix> - Fix search for OpenSSL library for FFM on Mac OS so that - <code>java.library.path</code> is searched. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - Update the optimisation in <code>jakarta.el.ImportHandler</code> so it - is aware of new classes added to the <code>java.lang</code> package in - Java 23. (markt) - </fix> - <fix> - Ensure that an exception in <code>toString()</code> still results in an - <code>ELException</code> when an object is coerced to a String using - <code>ExpressionFactory.coerceToType()</code>. (markt) - </fix> - <add> - Add support for specifying Java 24 (with the value <code>24</code>) as - the compiler source and/or compiler target for JSP compilation. If used - with an Eclipse JDT compiler version that does not support these values, - a warning will be logged and the default will used. - (markt) - </add> - <fix> - <bug>69135</bug>: When using include directives in a tag file packaged - in a JAR file, ensure that context relative includes are processed - correctly. (markt) - </fix> - <fix> - <bug>69135</bug>: When using include directives in a tag file packaged - in a JAR file, ensure that file relative includes are processed - correctly. (markt) - </fix> - <fix> - <bug>69135</bug>: When using include directives in a tag file packaged - in a JAR file, ensure that file relative includes are are not permitted - to access files outside of the <code>/META_INF/tags/</code> directory - nor outside of the JAR file. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - Fix status servlet detailed view of the connectors when using automatic - port. 
(remm) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Add <code>test-only</code> build target to allow running only the - testsuite, supporting Java versions down to the minimum supported - to run Tomcat. (rjung) - </update> - <update> - Update to the Eclipse JDT compiler 4.32. (markt) - </update> - <update> - Update UnboundID to 7.0.1. (markt) - </update> - <update> - Update to SpotBugs 4.8.6. (markt) - </update> - <update> - Remove cglib dependency as it is not required by the version of EasyMock - used by the unit tests. (markt) - </update> - <update> - Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy - 1.14.17. (markt) - </update> - <add> - Improvements to Czech translations by Vladimír Chlup. (markt) - </add> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - <add> - Improvements to Chinese translations by fangzheng. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M21 (markt)" rtext="2024-06-18"> - <subsection name="Catalina"> - <changelog> - <add> - Add support for shallow copies when using WebDAV. (markt) - </add> - <scode> - Remove the <code>WebdavFixFilter</code> as it is no longer required. - (markt) - </scode> - <fix> - <bug>69066</bug>: Fix regression in SPNEGO authenticator when - processing Base64. Submitted by Daniel Lyko. (remm) - </fix> - <add> - Add <code>RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext)</code> - for retrieving extended/additional information from an established - GSS context. (michaelo) - </add> - <fix> - Correct a regression in the fix for <bug>68721</bug> that caused some - instances of <code>LinkageError</code> to be reported as - <code>ClassNotFoundException</code>. (markt) - </fix> - <fix> - Ensure that static resources deployed via a JAR file remain accessible - when the context is configured to use a bloom filter. 
Based on pull - request <pr>730</pr> provided by bergander. (markt) - </fix> - <add> - Introduce reference counting so the <code>AprLifecycleListener</code> - is more robust. This particularly targets more complex embedded - configurations with multiple server instances with independent - lifecycles where more than one server instance requires the - <code>AprLifecycleListener</code>. (markt) - </add> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, - and use ERR_error_string_n instead. (remm) - </fix> - <fix> - Fix a crash on Windows setting CA certificate on null path. - (remm) - </fix> - <fix> - <bug>69068</bug>: Ensure read timouts are triggered for asynchronous, - non-blocking reads when using HTTP/2. (markt) - </fix> - <update> - <bug>69133</bug>: Add task queue size configuration on the - <code>Connector</code> element, similar to the <code>Executor</code> - element, for consistency. (remm) - </update> - <fix> - Make counting of active HTTP/2 streams per connection more robust. - (markt) - </fix> - <add> - Add support for TLS 1.3 client initiated re-keying. (markt) - </add> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - <bug>68546</bug>: Small additional optimisation for initial loading of - Servlet code generated for JSPs. Based on a suggestion by Dan Armstrong. - (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <add> - Add the ability to set a sub-title for the Manager web application main - page. This is intended to allow users with lots of instances to easily - distinguish them. Based on pull request <pr>724</pr> by Simon Arame. - (markt) - </add> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Revert Derby to 10.16.1.1 as that is the latest version of Derby that - runs on Java 17. 
(markt) - </update> - <update> - Update to Commons Daemon 1.4.0. (markt) - </update> - <update> - Update to Jakarta Annotations API 3.0. (markt) - </update> - <update> - Update to Jakarta Authentication API 3.1. (markt) - </update> - <update> - Update to Objenesis 3.4. (markt) - </update> - <update> - Update to Checkstyle 10.17.0. (markt) - </update> - <update> - Update to SpotBugs 4.8.5. (markt) - </update> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M20 (markt)" rtext="2024-05-08"> - <subsection name="Catalina"> - <changelog> - <update> - Deprecate and remove <code>sessionCounter</code> (replaced by the - addition of the active session count and the expired session count, - as a reasonable approximation) and <code>duplicates</code> (which - does not represent a possible event in current implementations) - statistics from the session manager. (remm) - </update> - <fix> - <bug>68890</bug> Align output encoding of JSPs in the Manager webapp - with the XML declarations in those same files. (schultz) - </fix> - <fix> - Update Basic authentication to implement the requirements of RFC 7617 - including the removal of the <code>trimCredentials</code> setting which - is now hard-coded to <code>false</code>. (markt) - </fix> - <add> - Small performance optimization when logging cookies with no values. - (schultz) - </add> - <fix> - Correct error handling for asynchronous requests. If the application - performs an dispatch during <code>AsyncListener.onError()</code> the - dispatch is now performed rather than completing the request using the - error page mechanism. (markt) - </fix> - <add> - Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable - style. (schultz) - </add> - <add> - Add more timescale options to AccessLogValve and ExtendedAccessLogValve. 
- Allow timescales to apply to "time-taken" token in ExtendedAccessLogValve. - (schultz) - </add> - <fix> - Fix WebDAV lock null (locks for non existing resources) thread safety - and removal. (remm) - </fix> - <fix> - Add periodic checking for WebDAV locks expiration. (remm) - </fix> - <fix> - Extend <code>Asn1Parser</code> to parse <code>UTF8String</code>s. - (michaelo) - </fix> - <fix> - Remove MBean metadata for attibutes that have been removed. Based on - pull request <pr>719</pr> by Shawn Q. (markt) - </fix> - <scode> - Remove duplicate ID check from <code>Manager.rotateSessionId()</code>. - (markt) - </scode> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Add OpenSSL FFM classes to <code>tomcat-embed-core.jar</code>. (remm) - </fix> - <fix> - Align non-secure and secure writes with NIO and skip the write attempt - when there are no bytes to be written. (markt) - </fix> - <fix> - Allow any positive value for <code>socket.unlockTimeout</code>. If a - negative or zero value is configured, the default of <code>250ms</code> - will be used. (mark) - </fix> - <fix> - Reduce the time spent waiting for the connector to unlock. The previous - default of 10s was noticeably too long for cases where the unlock has - failed. The wait time is now 100ms plus twice - <code>socket.unlockTimeout</code>. (markt) - </fix> - <fix> - Ensure that the <code>onAllDataRead()</code> event is triggered when the - request body uses chunked encoding and is read using non-blocking IO. - (markt) - </fix> - <fix> - <bug>68934</bug>: Add debug logging in the latch object when exceeding - <code>maxConnections</code>. (remm) - </fix> - <fix> - Refactor trailer field handling to use a <code>MimeHeaders</code> - instance to store trailer fields. (markt) - </fix> - <fix> - Ensure that multiple instances of the same trailer field are handled - correctly. (markt) - </fix> - <fix> - Fix non-blocking reads of chunked request bodies. 
(markt) - </fix> - <scode> - Refactor HTTP header parsing to use common parsing code. (markt) - </scode> - <fix> - When an invalid HTTP response header was dropped, an off-by-one error - meant that the first header in the response was also dropped. Fix based - on pull request <pr>710</pr> by foremans. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <add> - Add support for specifying Java 23 (with the value <code>23</code>) as - the compiler source and/or compiler target for JSP compilation. If used - with an Eclipse JDT compiler version that does not support these values, - a warning will be logged and the default will used. - (markt) - </add> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - <bug>68884</bug>: Reduce the write timeout when writing WebSocket close - messages for abnormal closes. The timeout defaults to 50 milliseconds - and may be controlled using the - <code>org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT</code> - property in the user properties collection associated with the WebSocket - session. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - Examples: Improve performance of WebSocket chat application when - multiple clients disconnect at the same time. (markt) - </fix> - <update> - Examples: Increase the number of previous messages displayed when using - the WebSocket chat application. (markt) - </update> - <fix> - Examples: Improve performance of WebSocket snake application when - multiple clients disconnect at the same time. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Switch to using the Base64 encoder and decoder provided by the JRE - rather than the version provided by Commons Codec. This removes the - internal fork of Commons Codec. (markt) - </update> - <update> - Update to the Eclipse JDT compiler 4.31. 
(markt) - </update> - <update> - Update NSIS to 3.10. (mark0t) - </update> - <update> - Update UnboundID to 7.0.0. (markt) - </update> - <update> - Update Checkstyle to 10.16.0. (markt) - </update> - <update> - Update JaCoCo to 0.8.12. (markt) - </update> - <update> - Update SpotBugs to 4.8.4. (markt) - </update> - <update> - Update the internal fork of Apache Commons BCEL to 6.9.0. (markt) - </update> - <update> - Update the internal fork of Apache Commons DBCP to 2.12.0. (markt) - </update> - <add> - Improvements to Japanese translations by tak7iji. (remm) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M19 (remm)" rtext="2024-04-16"> - <subsection name="Catalina"> - <changelog> - <update> - Add <code>highConcurrencyStatus</code> attribute to the - <code>SemaphoreValve</code> to optionally allow the valve to return an - error status code to the client when a permit cannot be acquired from - the semaphore. (remm) - </update> - <add> - Add checking of the "age" of the running Tomcat instance since its - build-date to the SecurityListener, and log a warning if the server - is old. (schultz) - </add> - <fix> - When using the <code>AsyncContext</code>, throw an - <code>IllegalStateException</code>, rather than allowing an - <code>NullPointerException</code>, if an attempt is made to use the - <code>AsyncContext</code> after it has been recycled. (markt) - </fix> - <add> - Add a default implementation for <code>HttpSession.getAccessor()</code> - to align with the Servlet 6.1 API. (markt) - </add> - <add> - Add the Jakarta EE 11 XML schemas and update Tomcat and included web - applications to use them. (markt) - </add> - <fix> - Change the thread-safety mechanism for protecting StandardServer.services - from a simple synchronized lock to a ReentrantReadWriteLock to allow - multiple readers to operate simultaneously. Based upon a suggestion by - Markus Wolfe. 
(schultz) - </fix> - <fix> - Improve Service connectors, Container children and Service executors - access sync using a ReentrantReadWriteLock. (remm) - </fix> - <fix> - Improve handling of integer overflow if an attempt is made to upload a - file via the Servlet API and the file is larger than - <code>Integer.MAX_VALUE</code>. (markt) - </fix> - <fix> - <bug>68862</bug>: Handle possible response commit when processing read - errors. (remm) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Add <code>threadsMaxIdleTime</code> attribute to the endpoint, - to allow configuring the amount of time before an internal executor - will scale back to the configured <code>minSpareThreads</code> size. - (remm) - </fix> - <update> - Adjust the <code>Set-Cookie</code> header generated by the - <code>Rfc6265CookieProcessor</code> so that attributes with a value of - the empty string will be output as bare attribute names without an - equals sign or value. This will simplify future support for similar new - attributes by removing the need for special handling. (markt) - </update> - <scode> - Refactor the internal representation of the <code>HttpOnly</code> and - <code>Secure</code> attributes to use the empty string as the value for - consistency with the recent changes to <code>Set-Cookie</code> header - generation. (markt) - </scode> - <fix> - Do not generate the <code>Max-Age</code> attribute for - <code>Set-Cookie</code> headers associated with cookies that have been - configured with a <code>Max-Age</code> value of zero as RFC 6265 does - not permit a value of zero in this case. (markt) - </fix> - <fix> - Correct a regression in the support for user provided - <code>SSLContext</code> instances that broke the - <code>org.apache.catalina.security.TLSCertificateReloadListener</code>. 
- (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - Handle the case where the JSP engine forwards a request/response to a - Servlet that uses an <code>OutputStream</code> rather than a - <code>Writer</code>. This was triggering an - <code>IllegalStateException</code> on code paths where there was a - subsequent attempt to obtain a <code>Writer</code>. (markt) - </fix> - <fix> - Correctly handle the case where a tag library is packaged in a JAR file - and the web application is deployed as a WAR file rather than an - unpacked directory. (markt) - </fix> - <fix> - Prevent the web application's ClassLoader from being pinned by the JSP - compiler if an application uses a custom XMLInputFactory. Based upon a - suggestion from Simon Niederberger. (schultz) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update Checkstyle to 10.14.1. (markt) - </update> - <update> - Update the internal fork of Apache Commons BCEL to 6.8.2. (markt) - </update> - <update> - Update the internal fork of Apache Commons Codec to 1.16.1. (markt) - </update> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (remm) - </add> - <add> - Improvements to Chinese translations by leeyazhou. (remm) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M18 (markt)" rtext="2024-03-14"> - <subsection name="General"> - <changelog> - <update> - Reduce the minimum supported Java version to Java 17. (markt) - </update> - </changelog> - </subsection> - <subsection name="Catalina"> - <changelog> - <fix> - Minor performance improvement for building filter chains. Based on - ideas from pull request <pr>702</pr> by Luke Miao. (remm) - </fix> - <fix> - Align error handling for <code>Writer</code> and - <code>OutputStream</code>. 
Ensure use of either once the response has - been recycled triggers a <code>NullPointerException</code> provided that - <code>discardFacades</code> is configured with the default value of - <code>true</code>. (markt) - </fix> - <fix> - <bug>68692</bug>: The standard thread pool implementations that are - configured using the <code>Executor</code> element now implement - <code>ExecutorService</code> for better support NIO2. The - <code>org.apache.catalina.Executor</code> interface now extends - <code>ExecutorService</code>. (remm) - </fix> - <fix> - <bug>68495</bug>: When restoring a saved POST request after a successful - FORM authentication, ensure that neither the URI, the query string nor - the protocol are corrupted when restoring the request body. (markt) - </fix> - <fix> - After forwarding a request, attempt to unwrap the response in order to - suspend it, instead of simply closing it if it was wrapped. Add a new - <code>suspendWrappedResponseAfterForward</code> boolean attribute on - <code>Context</code> to control the bahavior, defaulting to - <code>true</code>. (remm) - </fix> - <fix> - <bug>68721</bug>: Workaround a possible cause of duplicate class - definitions when using <code>ClassFileTransformer</code>s and the - transformation of a class also triggers the loading of the same class. - (markt) - </fix> - <fix> - The rewrite valve should not do a rewrite if the output is identical - to the input. (remm) - </fix> - <update> - Add a new <code>valveSkip</code> (or <code>VS</code>) rule flag to the - rewrite valve to allow skipping over the next valve in the Catalina - pipeline. (remm) - </update> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Fix bad symbol lookup use in the OpenSSL FFM code. (remm) - </fix> - <fix> - Improve the HTTP/2 stream prioritisation process. 
If a stream uses all - of the connection windows and still has content to write, it will now be - added to the backlog immediately rather than waiting until the write - attempt for the remaining content. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <add> - Add method invocation support for <code>java.util.Optional</code> via - the <code>jakarta.el.OptionalELResolver</code> to Tomcat's - implementation of the Jakarta EL API to align with the latest proposals - for the Jakarta EL 6.0 API. The property support has also been refined - for greater consistency. (markt) - </add> - <update> - The defaults for <code>compilerSourceVM</code> and - <code>compilerTargetVM</code> have been updated to 17 to align with Java - 17 being the minimum Java version required for Tomcat 11. (markt) - </update> - </changelog> - </subsection> - <subsection name="Cluster"> - <changelog> - <fix> - Avoid updating request count stats on async. (remm) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - <fix> - <bug>57130</bug>: Allow digest.(sh|bat) to accept password from a file - or stdin. (csutherl/schultz) - </fix> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M17 (markt)" rtext="2024-02-19"> - <subsection name="Catalina"> - <changelog> - <add> - Implement <code>HttpSession.getAccessor()</code> which provides a - mechanism for applications to interact with an <code>HttpSession</code> - outside the standard Servlet processing of an HTTP request. This is - expected to be especially useful with applications using the Jakarta - WebSocket API. (markt) - </add> - <fix> - Correct JPMS and OSGi meta-data for <code>tomcat-embed-core.jar</code> - by removing reference to <code>org.apache.catalina.ssi</code> package - that is no longer included in the JAR. 
Based on pull request - <pr>684</pr> by Jendrik Johannes. (markt) - </fix> - <fix> - Fix ServiceBindingPropertySource so that trailing <code>\r\n</code> - sequences are correctly removed from files containing property values - when configured to do so. Bug identified by Coverity Scan. (markt) - </fix> - <add> - Add improvements to the CSRF prevention filter including the ability - to skip adding nonces for resource name and subtree URL patterns. (schultz) - </add> - <fix> - Review usage of debug logging and downgrade trace or data dumping - operations from debug level to trace. (remm) - </fix> - <fix> - <bug>68089</bug>: Further improve the performance of request attribute - access for <code>ApplicationHttpRequest</code> and - <code>ApplicationRequest</code>. (markt) - </fix> - <fix> - <bug>68559</bug>: Allow asynchronous error handling to write to the - response after an error during asynchronous processing. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Setting a <code>null</code> value for a cookie attribute should remove - the attribute. (markt) - </fix> - <fix> - Optimize state handling for OpenSSL context callbacks with the FFM API. - (remm) - </fix> - <fix> - Make asynchronous error handling more robust. Ensure that once a - connection is marked to be closed, further asynchronous processing - cannot change that. (markt) - </fix> - <fix> - Make asynchronous error handling more robust. Ensure that once the call - to <code>AsyncListener.onError()</code> has returned to the container, - only container threads can access the <code>AsyncContext</code>. This - protects against various race conditions that would otherwise occur if - application threads continued to access the <code>AsyncContext</code>. - </fix> - <fix> - Review usage of debug logging and downgrade trace or data dumping - operations from debug level to trace. In particular, most of the - HTTP/2 debug logging has been changed to trace level. 
(remm) - </fix> - <fix> - Add support for user provided <code>SSLContext</code> instances - configured on <code>SSLHostConfigCertificate</code> instances. Based on - pull request <pr>673</pr> provided by Hakan Altındağ. (markt) - </fix> - <fix> - Partial fix for <bug>68558</bug>: Cache the result of converting to - <code>String</code> for request URI, HTTP header names and the request - <code>Content-Type</code> value to improve performance by reducing - repeated <code>byte[]</code> to <code>String</code> conversions. (markt) - </fix> - <fix> - Improve error reporting to HTTP/2 clients for header processing errors - by reporting problems at the end of the frame where the error was - detected rather than at the end of the headers. (markt) - </fix> - <fix> - Remove the remaining reference to a stream once the stream has been - recycled. This makes the stream eligible for garbage collection earlier - and thereby improves scalability. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - Additional fixes to correctly support <code>length</code> as a read-only - property of an array via the <code>ArrayELResolver</code>. (markt) - </fix> - <fix> - <bug>68546</bug>: Generate optimal size and types for JSP imports maps, - as suggested by John Engebretson. (remm) - </fix> - <fix> - Review usage of debug logging and downgrade trace or data dumping - operations from debug level to trace. (remm) - </fix> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - Correct a regression in the fix for <bug>66508</bug> that could cause an - <code>UpgradeProcessor</code> leak in some circumstances. (markt) - </fix> - <fix> - Review usage of debug logging and downgrade trace or data dumping - operations from debug level to trace. 
(remm) - </fix> - <fix> - Ensure that WebSocket connection closure completes if the connection is - closed when the server side has used the proprietary suspend/resume - feature to suspend the connection. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <add> - Add support for responses in JSON format from the examples application - RequestHeaderExample. (schultz) - </add> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <fix> - Correct the remaining OSGi contract references in the manifest files to - refer to the Jakarta EE contract names rather than the Java EE contract - names. Based on pull request <pr>685</pr> provided by Paul A. Nicolucci. - (markt) - </fix> - <update> - Update Checkstyle to 10.13.0. (markt) - </update> - <update> - Update JSign to 6.0. (markt) - </update> - <update> - Update the packaged version of the Tomcat Migration Tool for Jakarta EE - to 1.0.7. (markt) - </update> - <update> - Update Tomcat Native to 2.0.7. (markt) - </update> - <update> - Add strings for debug level messages. (remm) - </update> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M16 (markt)" rtext="2024-01-09"> - <subsection name="Catalina"> - <changelog> - <add> - Allow alternate redirect status code for directory redirects issued by - the default servlet via the init param - <code>directoryRedirectStatusCode</code>. (funkman/markt) - </add> - <update> - <bug>68378</bug>: Align extension to MIME type mappings in the global - web.xml with those in httpd by adding - <code>application/vnd.geogebra.slides</code> for <code>ggs</code>, - <code>text/javascript</code> for <code>mjs</code> and - <code>audio/ogg</code> for opus. 
(markt) - </update> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Refactor the <code>VirtualThreadExecutor</code> so that it can be used - by the NIO2 connector which was using platform threads even when - configured to use virtual threads. (markt) - </fix> - <fix> - Correct a regression in the fix for <bug>67675</bug> that broke TLS key - file parsing for PKCS#8 format keys that do not specify an explicit - pseudo-random function and rely on the default. This typically affects - keys generated by OpenSSL 1.0.2. (markt) - </fix> - <fix> - Allow multiple operations with the same name on introspected mbeans, - fixing a regression caused by the introduction of a second - <code>addSslHostConfig</code> method. (remm) - </fix> - <fix> - Relax the check that the HTTP Host header is consistent with the host - used in the request line, if any, to make the check case insensitive - since host names are case insensitive. (markt) - </fix> - <add> - <bug>68348</bug>: Add support for the partitioned attribute for cookies - including session cookies. (markt) - </add> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <update> - The defaults for <code>compilerSourceVM</code> and - <code>compilerTargetVM</code> have been updated to 21 to align with Java - 21 being the minimum Java version required for Tomcat 11. (markt) - </update> - </changelog> - </subsection> - <subsection name="Web Applications"> - <changelog> - <fix> - <bug>68035</bug>: Additional fix to the Manager application to enable - the deployment of a web application located in a Host's - <code>appBase</code> where the web application is specified by a bare - (no path) WAR or directory name as shown in the documentation. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update to the Eclipse JDT compiler 4.30. (markt) - </update> - <update> - Update Checkstyle to 10.12.7. 
(markt) - </update> - <update> - Update SpotBugs to 4.8.3. (markt) - </update> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M15 (markt)" rtext="2023-12-12"> - <subsection name="Catalina"> - <changelog> - <fix> - Background processes should not be run concurrently with lifecycle - operations of a container. (remm) - </fix> - <add> - Add support for the <code>jakarta.servlet.request.secure_protocol</code> - request attribute that has been added in Jakarta Servlet 6.1. This - replaces the now deprecated Tomcat specific request attribute - <code>org.apache.tomcat.util.net.secure_protocol_version</code>. (markt) - </add> - <add> - Align behaviour with the latest addition to the Servlet 6.1 - specification that requires that all HTTP error dispatches use the GET - method. (markt) - </add> - <fix> - Correct unintended escaping of XML in some WebDAV responses. The XML - list of support locks when provided in response to a PROPFIND request - was incorrectly XML escaped. (markt) - </fix> - <fix> - <bug>68227</bug>: Ensure that <code>AsyncListener.onComplete()</code> is - called if <code>AsyncListener.onError()</code> calls - <code>AsyncContext.dispatch()</code>. (markt) - </fix> - <fix> - <bug>68228</bug>: Use a 408 status code if a read timeout occurs during - HTTP request processing. Includes a test case based on code provided by - adwsingh. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Use Java code to load certificate chain when using OpenSSL through - the FFM API. (remm) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <scode> - <bug>68119</bug>: Refactor the <code>CompositeELResolver</code> to - improve performance during type conversion operations. 
(markt) - </scode> - </changelog> - </subsection> - <subsection name="Web Applications"> - <changelog> - <fix> - Examples. Improve the error handling so snakes associated with a user - that drops from the network are removed from the game. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update the OWB module to Apache OpenWebBeans 4.0.1. (remm) - </update> - <fix> - <bug>68124</bug>: Migrate sample.war from javax to jakarta. (lihan) - </fix> - <update> - Update UnboundID to 6.0.11. (markt) - </update> - <update> - Update Checkstyle to 10.12.5. (markt) - </update> - <update> - Update SpotBugs to 4.8.2. (markt) - </update> - <update> - Update Derby to 10.17.1. (markt) - </update> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - <add> - Improvements to Brazilian Portuguese translations by John William - Vicente. (markt) - </add> - <add> - Improvements to Russian translations by usmazat and remm. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M14 (markt)" rtext="2023-11-15"> - <subsection name="Catalina"> - <changelog> - <fix> - <bug>67667</bug>: <code>TLSCertificateReloadListener</code> prints - unreadable rendering of <code>X509Certificate#getNotAfter()</code>. - (michaelo) - </fix> - <update> - The status servlet included in the manager webapp can now output - statistics as JSON, using the <code>JSON=true</code> URL parameter. - (remm) - </update> - <update> - Optionally allow ServiceBindingPropertySource to trim a trailing newline - from a file containing a property-value. (schultz) - </update> - <update> - Use Files.move instead of File.renameTo in the FarmWebDeployer to - support a broader range of environments, and to give better information - in the event of a failure. 
(schultz) - </update> - <fix> - <bug>67793</bug>: Ensure the original session timeout is restored after - FORM authentication if the user refreshes a page during the FORM - authentication process. Based on a suggestion by Mircea Butmalai. - (markt) - </fix> - <update> - <bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string - representation of ASN.1 OIDs. (michaelo) - </update> - <fix> - <bug>66875</bug>: Ensure that setting the request attribute - <code>jakarta.servlet.error.exception</code> is not sufficient to - trigger error handling for the current request and response. (markt) - </fix> - <fix> - <bug>68054</bug>: Avoid some file canonicalization calls introduced - by the fix for <bug>65433</bug>. (remm) - </fix> - <fix> - <bug>68089</bug>: Improve performance of request attribute access for - <code>ApplicationHttpRequest</code> and <code>ApplicationRequest</code>. - (markt) - </fix> - <fix> - Use a 400 status code to report an error due to a bad request (e.g. an - invalid trailer header) rather than a 500 status code. (markt) - </fix> - <fix> - Ensure that an <code>IOException</code> during the reading of the - request triggers always error handling, regardless of whether the - application swallows the exception. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <add> - <bug>66670</bug>: Add <code>SSLHostConfig#certificateKeyPasswordFile</code> and - <code>SSLHostConfig#certificateKeystorePasswordFile</code>. (michaelo) - </add> - <add> - When calling - <code>SSLHostConfigCertificate.setCertificateKeystore(ks)</code>, - automatically call - <code>setCertificateKeystoreType(ks.getType())</code>. (markt) - </add> - <add> - Add OpenSSL integration using the FFM API rather than Tomcat Native. 
- OpenSSL support may be enabled by adding the - <code>org.apache.catalina.core.OpenSSLLifecycleListener</code> - listener on the <code>Server</code> element when using Java 22 - (starting with preview build 20) or later. (remm) - </add> - <fix> - <bug>67628</bug>: Clarify how the <code>ciphers</code> attribute of the - <code>SSLHostConfig</code> is used. (markt) - </fix> - <fix> - <bug>67666</bug>: Ensure TLS connectors using PEM files either work with - the <code>TLSCertificateReloadListener</code> or, in the rare case that - they do not, log a warning on Connector start. (markt) - </fix> - <fix> - <bug>67675</bug>: Support a wider range of KDF and ciphers for PEM files - than the combinations supported by the JVM by default. Specifically, - support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) - </fix> - <fix> - <bug>67927</bug>: Reloading TLS configuration can cause the Connector to - refuse new connections or the JVM to crash. (markt) - </fix> - <fix> - <bug>67938</bug>: Correct handling of large TLS client hello messages - that were causing the TLS handshake to fail. (markt) - </fix> - <fix> - <bug>68026</bug>: Convert selected <code>MessageByte</code> values to - String when first accessed to speed up subsequent accesses and reduce - garbage collection. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <add> - Add support for Records to expression language. (markt) - </add> - <fix> - <bug>68068</bug>: Performance improvement for EL. Based on a suggestion - by John Engebretson. (markt) - </fix> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - Correct missing metadata in the MANIFEST of the for WebSocket client API - JAR file. 
(markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - <bug>68035</bug>: Correct a regression in the fix for <bug>56248</bug> - that prevented deployment via the Manager of a WAR or directory that was - already present in the <code>appBase</code> or a context file that was - already present in the <code>xmlBase</code>. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <add> - <bug>67538</bug>: Make use of Ant's <code><javaversion /></code> task - to enfore the mininum Java build version. (michaelo) - </add> - <update> - Update Checkstyle to 10.12.4. (markt) - </update> - <update> - Update JaCoCo to 0.8.11. (markt) - </update> - <update> - Update SpotBugs to 4.8.0. (markt) - </update> - <update> - Update BND to 7.0.0. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M13 (markt)" rtext="2023-10-14"> - <subsection name="Coyote"> - <changelog> - <fix> - <bug>67670</bug>: Fix regression with HTTP compression after code - refactoring. (remm) - </fix> - </changelog> - </subsection> - <subsection name="jdbc-pool"> - <changelog> - <fix> - <bug>67664</bug>: Correct a regression in the clean-up of unnecessary - use of fully qualified class names in 11.0.0-M12 that broke the - jdbc-pool. (markt) - </fix> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M12 (markt)" rtext="2023-10-10"> - <subsection name="Catalina"> - <changelog> - <add> - <bug>65770</bug>: Provide a lifecycle listener that will automatically - reload TLS configurations a set time before the certificate is due to - expire. This is intended to be used with third-party tools that - regularly renew TLS certificates. (markt) - </add> - <fix> - Fix handling of an error reading a context descriptor on deployment. 
- (remm) - </fix> - <fix> - Fix rewrite rule qsd (query string discard) being ignored if qsa was - also use, while it should instead take precedence. (remm) - </fix> - <fix> - <bug>67472</bug>: Send fewer CORS-related headers when CORS is not - actually being engaged. (schultz) - </fix> - <add> - Improve handling of failures within <code>recycle()</code> methods. - (markt) - </add> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - <bug>67198</bug>: Ensure that the AJP connector attribute - <code>tomcatAuthorization</code> takes precedence over the - <code>tomcatAuthentication</code> attribute when processing an - <code>auth_type</code> attribute received from a proxy server. (markt) - </fix> - <fix> - <bug>67235</bug>: Fix a <code>NullPointerException</code> when an - <code>AsyncListener</code> handles an error with a dispatch rather than - a complete. (markt) - </fix> - <fix> - When an error occurs during asynchronous processing, ensure that the - error handling process is only triggered once per asynchronous cycle. - (markt) - </fix> - <fix> - Fix logic issue trying to match no argument method in IntropectionUtil. - (remm) - </fix> - <fix> - Improve thread safety around readNotify and writeNotify in the NIO2 - endpoint. (remm) - </fix> - <fix> - Avoid rare thread safety issue accessing message digest map. (remm) - </fix> - <fix> - Improve statistics collection for upgraded connections under load. - (remm) - </fix> - <update> - <code>PushBuilder</code> has been deprecated in line with the changes - for the Servlet 6.1 specification. It will be replaced in a future - Tomcat 11 milestone with support for 103 early hints. (markt) - </update> - <update> - Remove support for HTTP/2 server push. Calls to - <code>newPushBuilder()</code> will always return <code>null</code>. - (markt) - </update> - <fix> - Align validation of HTTP trailer fields with standard fields. (markt) - </fix> - <fix> - Improvements to HTTP/2 overhead protection. 
(markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - <bug>67080</bug>: Improve performance of EL expressions in JSPs that use - implicit objects. Based on suggestions by John Engebretson, Anurag Dubey - and Christopher Schultz. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update the internal fork of Apache Commons FileUpload to 7a8c324 - (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x - branch requiring additional Commons IO dependencies, Tomcat has switched - to tracking the 1.x branch. (markt) - </update> - <add> - Add the <code>Bundle-License</code> header to the JAR manifest for all - Tomcat JARs. (markt) - </add> - <update> - Update to the Eclipse JDT compiler 4.29. (markt) - </update> - <update> - Update UnboundID to 6.0.10. (markt) - </update> - <update> - Update Checkstyle to 10.12.3. (markt) - </update> - <update> - Update Tomcat Native to 2.0.6. (markt) - </update> - <update> - Update Commons Pool to 2.12.0. (markt) - </update> - <fix> - <bug>67611</bug>: Correct the download link in BUILDING.txt. (lihan) - </fix> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - <add> - Improvements to Russian translations by usmazat. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M11 (markt)" rtext="2023-08-25"> - <subsection name="Catalina"> - <changelog> - <fix> - If an application or library sets both a non-500 error code and the - <code>jakarta.servlet.error.exception</code> request attribute, use the - provided error code during error page processing rather than assuming an - error code of 500. (markt) - </fix> - <fix> - Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes - and KiB for 1024 bytes rather than MB and kB. 
(martk) - </fix> - <add> - Update the HTTP parameter handling to align with the changes in the - Jakarta Servlet 6.1 API Javadoc for the <code>ServletRequest</code> - methods used to obtain request parameters. Invalid parameters and/or - exceeding parameter size and/or quantity limits now trigger - exceptions. As a consequence, the <code>FailedRequestFilter</code> has - been removed. (markt) - </add> - <fix> - Avoid protocol relative redirects in FORM authentication. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - Documentation. Update documentation to use MiB for 1024 * 1024 bytes and - KiB for 1024 bytes rather than MB and kB. (martk) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <add> - Improvements to Chinese translations. (lihan) - </add> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations by tak7iji. (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M10 (markt)" rtext="2023-08-14"> - <subsection name="Catalina"> - <changelog> - <fix> - Fix potential database connection leaks in - <code>DataSourceUserDatabase</code> identified by Coverity Scan. (markt) - </fix> - <fix> - Make parsing of <code>ExtendedAccessLogValve</code> patterns more - robust. (markt) - </fix> - <fix> - Fix failure trying to persist configuration for an internal credential - handler. (remm) - </fix> - <fix> - <bug>66680</bug>: When serializing a session during the session - presistence process, do not log a warning that null Principals are not - serializable. Pull request <pr>638</pr> provided by tsryo. (markt) - </fix> - <fix> - <bug>66822</bug>: Use the same naming format in log messages for - Connector instances as the associated ProtocolHandler instance. 
(markt) - </fix> - <fix> - The parts count should also lower the actual - <code>maxParameterCount</code> used for parsing parameters if parts are - parsed first. (remm) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Refactor blocking reads and writes for the NIO connector to remove - code paths that could allow a notification from the Poller to be missed - resuting in a timeout rather than the expected read or write. (markt) - </fix> - <fix> - Refactor waiting for an HTTP/2 stream or connection window update to - handle spurious wake-ups during the wait. (markt) - </fix> - <update> - Improve extensibility of endpoints for socket channel creation and TLS. - Pull request <pr>639</pr> provided by Marco Fargetta. (remm) - </update> - <fix> - Correct a regression introduced in 11.0.0-M9 and use the correct - constant when constructing the default value for the - <code>certificateKeystoreFile</code> attribute of an - <code>SSLHostConfigCertificate</code> instance. (markt) - </fix> - <scode> - Refactor HTTP/2 implementation to reduce pinning when using virtual - threads. (markt) - </scode> - <fix> - Pass through ciphers referring to an OpenSSL profile, such as - <code>PROFILE=SYSTEM</code> instead of producing an error trying to - parse it. (remm) - </fix> - <fix> - <bug>66841</bug>: Ensure that <code>AsyncListener.onError()</code> is - called after an error during asynchronous processing with HTTP/2. - (markt) - </fix> - <fix> - <bug>66842</bug>: When using asynchronous I/O (the default), include - DATA frames when calculating the HTTP/2 overhead count to ensure that - connections are not prematurely terminated. (markt) - </fix> - <fix> - Correct a race condition that could cause spurious RST messages to be - sent after the response had been written to an HTTP/2 stream. 
(markt) - </fix> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - <bug>66681</bug>: Fix a <code>NullPointerException</code> when flushing - batched messages with compression enabled using - <code>permessage-deflate</code>. (markt) - </fix> - </changelog> - </subsection> - <subsection name="jdbc-pool"> - <changelog> - <fix> - Fix the <code>releaseIdleCounter</code> does not increment when testAllIdle - releases them. Pull request <pr>241</pr> provided by Arun Chaitanya Miriappalli - (lihan) - </fix> - <fix> - Fix the <code>ConnectionState</code> state will be inconsistent with actual - state on the connection when an exception occurs while writing. Pull request - <pr>643</pr> provided by Wenjun Xiao. (lihan) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update NSIS to 3.09. (markt) - </update> - <update> - Update Checkstyle to 10.12.2. (markt) - </update> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations. Contributed by tak7iji and - Shirayuking. (markt) - </add> - <fix> - <bug>66829</bug>: Fix quoting so users can use the <code>_RUNJAVA</code> - environment variable as intended on Windows when the path to the Java - executable contains spaces. (markt) - </fix> - <fix> - <bug>66834</bug>: Correct the OSGi contract references in the manifest - files to refer to the Jakarta EE contract names rather than the Java EE - contract names. (markt) - </fix> - <update> - Update Tomcat Native to 2.0.5. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M9 (markt)" rtext="2023-07-10"> - <subsection name="Other"> - <changelog> - <fix> - Correct properties for JSign dependency. 
(rjung) - </fix> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M8 (markt)" rtext="not released"> - <subsection name="Catalina"> - <changelog> - <add> - <bug>59232</bug>: Add - <code>org.apache.catalina.core.ContextNamingInfoListener</code>, - a listener which creates context naming information environment entries. - (michaelo) - </add> - <add> - <bug>66665</bug>: Add - <code>org.apache.catalina.core.PropertiesRoleMappingListener</code>, - a listener which populates the context's role mapping from a properties - file. (michaelo) - </add> - <fix> - Fix an edge case where intra-web application symlinks would be followed - if the web applications were deliberately crafted to allow it even when - <code>allowLinking</code> was set to <code>false</code>. (markt) - </fix> - <update> - Add utlity config file resource lookup on <code>Context</code> to allow - looking up resources from the webapp (prefixed with - <code>webapp:</code>) and make the resource lookup API more visible. - (remm) - </update> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - <bug>66627</bug>: Restore the documented behaviour of - <code>MessageBytes.getType()</code> that it returns the type of the - original content rather than reflecting the most recent conversion. - (markt) - </fix> - <fix> - <bug>66635</bug>: Correct certificate logging on start-up so it - differentiates between keystore based keys/certificates and PEM file - based keys/certificates and logs the relevant information for each. - (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <add> - Add <code>java.util.Optional</code> support via the - <code>jakarta.el.OptionalELResolver</code> to Tomcat's implementation - of the Jakarta EL API to align with the latest proposals for the Jakarta - EL 6.0 API. 
(markt) - </add> - <add> - Add support for specifying Java 22 (with the value <code>22</code>) as - the compiler source and/or compiler target for JSP compilation. If used - with an Eclipse JDT compiler version that does not support these values, - a warning will be logged and the default will used. - (markt) - </add> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - Improve handling of error conditions for the WebSocket server, - particularly during Tomcat shutdown. (markt) - </fix> - <fix> - Correct a regression in the fix for <bug>66574</bug> that meant the - WebSocket session could return false for <code>onOpen()</code> before - the <code>onClose()</code> event had been completed. (markt) - </fix> - <add> - Update the WebSocket API provided by Tomcat to align with the latest - proposals from the Jakarta WebSocket project and make the WebSocket - <code>Session</code> instance available via <code>SendResult</code>. - (markt) - </add> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <add> - Documentation. Expand the security guidance to cover the embedded use - case and add notes on the uses made of the <code>java.io.tmpdir</code> - system property. (markt) - </add> - <fix> - <bug>66662</bug>: Documentation. Fix a typo in the name of the - <strong>algorithms</strong> attribute in the configuration section for - the Digest authentication valve. Pull request <pr>629</pr> provided by - gohilmca. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <add> - Improvements to French translations. (remm) - </add> - <add> - Include the Windows specific binary distributions in the files uploaded - to Maven Central. (markt) - </add> - <update> - Remove support for running Tomcat on 32-bit Windows operating systems as - Java 21 is not available for that platform. (markt) - </update> - <add> - Improvements to Japanese translations. Contributed by tak7iji. 
(markt) - </add> - <update> - Update to the Eclipse JDT compiler 4.28. (markt) - </update> - <update> - Update UnboundID to 6.0.9. (markt) - </update> - <update> - Update Checkstyle to 10.12.1. (markt) - </update> - <update> - Update BND to 6.4.1. (markt) - </update> - <update> - Update JSign to 5.0. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M7 (markt)" rtext="2023-06-08"> - <subsection name="General"> - <changelog> - <update> - Increase the minimum supported Java version to Java 21. (markt) - </update> - </changelog> - </subsection> - <subsection name="Catalina"> - <changelog> - <scode> - Move the management of the utility executor from the - <code>init()</code>/<code>destroy()</code> methods of components to the - <code>start()</code>/<code>stop()</code> methods. (markt) - </scode> - <add> - Add RateLimitFilter which can be used to mitigate DoS and Brute Force - attacks. (isapir) - </add> - <scode> - Remove support for using the <code>^</code> character to separate the - WAR file and WAR contents in Tomcat's custom WAR URL handler. The - current default separator character of <code>*</code> remains unchanged. - (markt) - </scode> - <add> - Add <code>org.apache.catalina.core.StandardVirtualThreadExecutor</code>, - a virtual thread based executor that may be used with one or more - Connectors to process requests received by those Connectors using - virtual threads. (markt) - </add> - <fix> - <bug>66513</bug>: Add a per session Semaphore to the - <code>PersistentValve</code> that ensures that, within a single Tomcat - instance, there is no more than one concurrent request per session. Also - expand the debug logging to include whether a request bypasses the Valve - and the reason if a request fails to obtain the per session Semaphore. - (markt) - </fix> - <fix> - <bug>66609</bug>: Ensure that the default servlet correctly escapes - file names in directory listings when using XML output. 
Based on pull - request <pr>621</pr> by Alex Kachanov. (markt) - </fix> - <add> - <bug>66618</bug>: Add a numeric last modified field to the XML directory - listings produced by the default servlet to enable sorting in the XSLT. - Pull request <pr>622</pr> by Alex Kachanov. (markt) - </add> - <fix> - <bug>66621</bug>: Attempts to lock a collection with WebDAV may - incorrectly fail if a child collection has an expired lock. (markt) - </fix> - <fix> - <bug>66622</bug>: Remove the <code>xssProtectionEnabled</code> setting - from the <code>HttpHeaderSecurityFilter</code> as support for the - associated HTTP header has been removed from all major browsers. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - <bug>66602</bug>: not sending WINDOW_UPDATE when dataLength is ZERO - on call SwallowedDataFramePayload. Pull request #619 by - ledefe. (lihan) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update to Commons Daemon 1.3.4. (markt) - </update> - <add> - Improvements to French translations. (remm) - </add> - <update> - Update Checkstyle to 10.12.0. (markt) - </update> - <update> - Update the packaged version of the Apache Tomcat Native Library to 2.0.4 - to pick up the Windows binaries built with with OpenSSL 3.0.9. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M6 (markt)" rtext="2023-05-09"> - <subsection name="Catalina"> - <changelog> - <fix> - <bug>66567</bug>: Fix missing <code>IllegalArgumentException</code> - after the Tomcat code was converted to using URI instead of URL. (remm) - </fix> - <fix> - Escape timestamp output in <code>AccessLogValve</code> if a - <code>SimpleDateFormat</code> is used which contains verbatim - characters that need escaping. (rjung) - </fix> - <update> - Change output of vertical tab in <code>AccessLogValve</code> from - <code>\v</code> to <code>\u000b</code>. 
(rjung) - </update> - <update> - Improve performance of escaping in <code>AccessLogValve</code> - roughly by a factor of two. (rjung) - </update> - <update> - Improve <code>JsonAccessLogValve</code>: support more patterns - like for headers and attributes. Those will be logged as sub objects. - (rjung) - </update> - <fix> - <pr>613</pr>: Fix possible partial corrupted file copies when using - file locking protection or the manager servlet. Submitted - by Jack Shirazi. (remm) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <add> - Add support for a new character set, <code>gb18030-2022</code> - - introduced in Java 21, to the character set caching mechanism. (markt) - </add> - <fix> - Fix an edge case in HTTP header parsing and ensure that HTTP headers - without names are treated as invalid. (markt) - </fix> - <update> - Remove support for the HTTP Connector settings - <code>rejectIllegalHeader</code> and - <code>allowHostHeaderMismatch</code>. These are now hard-coded to the - previous defaults. (markt) - </update> - <fix> - <bug>66591</bug>: Fix a regression introduced in the fix for - <bug>66512</bug> that meant that an AJP Send Headers was not sent for - responses where no HTTP headers were set. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - <bug>66582</bug>: Account for EL having stricter requirements for static - imports than JSPs when adding JSP static imports to the EL context. - (markt) - </fix> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - <bug>66574</bug>: Refactor WebSocket session close to remove the lock on - the <code>SocketWrapper</code> which was a potential cause of deadlocks - if the application code used simulated blocking. (markt) - </fix> - <fix> - <bug>66575</bug>: Avoid unchecked use of the backing array of a - buffer provided by the user in the compression transformation. 
(remm) - </fix> - <fix> - Improve exception handling when flushing batched messages during - WebSocket session close. (markt) - </fix> - <fix> - <bug>66581</bug>: Update <code>AsyncChannelGroupUtil</code> to align it - with the current defaults for AsynchronousChannelGroup. Pull request - <pr>612</pr> by Matthew Painter. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Chinese translations. (lihan) - </add> - <update> - Update Checkstyle to 10.10.0. (markt) - </update> - <update> - Update Jacoco to 0.8.10. (markt) - </update> - <update> - Update the packaged version of the Tomcat Migration Tool for Jakarta EE - to 1.0.7. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M5 (markt)" rtext="2023-04-19"> - <subsection name="Catalina"> - <changelog> - <add> - Add a <code>doPatch</code> method to <code>HttpServlet</code> to provide - support for the HTTP <code>PATCH</code> method as defined in RFC 5789. - This is one of the changes in the Servlet 6.1 API. (markt) - </add> - <fix> - <bug>65995</bug>: Implement RFC 9239 and use - <code>text/javascript</code> as the media type for JavaScript rather - than <code>application/javascript</code>. (markt) - </fix> - <scode> - Tomcat no longer sets the <code>java.protocol.handler.pkgs</code> system - property when starting. Users are now free to configure this property if - they wish. (markt) - </scode> - <add> - Add an access log valve that uses a json format. Based on pull request - <pr>539</pr> provided by Thomas Meyer. (remm) - </add> - <add> - Harden the FORM authentication process against DoS attacks by using a - reduced session timeout if the FORM authentication process creates a - session. The duration of this timeout is configured by the - <code>authenticationSessionTimeout</code> attribute of the FORM - authenticator. 
(markt) - </add> - <add> - Implement the new Servlet API methods that provide additional control - when sending a redirect to the client. (markt) - </add> - <add> - Update Digest authentication support to align with RFC 7616. This adds a - new configuration attribute, <code>algorithms</code>, to the - <code>DigestAuthenticator</code> with a default of - <code>SHA-256,MD5</code>. (markt) - </add> - <update> - Reduce the default value of <code>maxParameterCount</code> from 10,000 - to 1,000. (markt) - </update> - <fix> - <bug>66527</bug>: Correct the Javadoc for the - <code>Tomcat.addWebapp()</code> methods that incorrectly stated that the - <code>docBase</code> parameter could be a relative path. (markt) - </fix> - <fix> - <bug>66524</bug> Correct eviction ordering in WebResource cache to - be LRU as intended. (schultz) - </fix> - <update> - Add support code for custom user attributes in <code>RealmBase</code>. - Based on code from <pr>473</pr> by Carsten Klein. (remm) - </update> - <fix> - Expand the set of HTTP request headers considered sensitive that should - be skipped when generating a response to a <code>TRACE</code> request. - This aligns with the current draft of the Servlet 6.1 specification. - (markt) - </fix> - <fix> - <bug>66541</bug>: Improve handling for cached resources for resources - that use custom URL schemes. The scheme specific <code>equals()</code> - and <code>hashCode()</code> algorithms, if present, will now be used for - URLs for these resources. This addresses a potential performance issue - with some OSGi custom URL schemes that can trigger potentially slow DNS - lookups in some configurations. Based on a patch provided by Tom - Whitmore. (markt) - </fix> - <fix> - When using a custom session manager deployed as part of the web - application, avoid <code>ClassNotFoundException</code>s when validating - session IDs extracted from requests. 
(markt) - </fix> - <fix> - <bug>66543</bug>: Give <code>StandardContext#fireRequestDestroyEvent</code> - its own log message. (fschumacher) - </fix> - <fix> - <bug>66554</bug>: Initialize Random during server initialization to - avoid possible JVM thread creation in the webapp context on some - platforms. (remm) - </fix> - <update> - Make the server utility executor available to webapps using a Servlet - context attribute named - <code>org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor</code>. (remm) - </update> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - JSON filter should support specific escaping for common special - characters as defined in RFC 8259. Based on code submitted by - Thomas Meyer. (remm) - </fix> - <fix> - <bug>66511</bug>: Fix <code>GzipOutputFilter</code> (used for compressed - HTTP responses) when used with direct buffers. Patch suggested by Arjen - Poutsma. (markt) - </fix> - <fix> - <bug>66512</bug>: Align AJP handling of invalid HTTP response headers - (they are now removed from the response) with HTTP. (markt) - </fix> - <fix> - <bug>66530</bug>: Correct a regression in the fix for bug - <bug>66442</bug> that meant that streams without a response body did not - decrement the active stream count when completing leading to - <code>ERR_HTTP2_SERVER_REFUSED_STREAM</code> for some connections. - (markt) - </fix> - <fix> - Remove use of deprecated classes in the <code>javax.security.cert</code> - package. Pull request <pr>608</pr> provided by Eirik Bjorsnos. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - Fix bug that meant some instances of coercing a - <code>LambdaExpression</code> to a functional interface invocation - failed. (markt) - </fix> - <fix> - <bug>66536</bug>: Fix parsing of tag files that meant that tag - directives could be ignored for some tag files. 
(markt) - </fix> - <add> - Align the EL implementation with the latest changes to the Jakarta EL - specification and add support for the length attribute to the - <code>ArrayELResolver</code>. (markt) - </add> - </changelog> - </subsection> - <subsection name="Cluster"> - <changelog> - <fix> - <bug>66535</bug>: Redefine the <code>maxValidTime</code> attribute of - <code>FarmWarDeployer</code> to be the maximum time allowed between - receiving parts of a transferred file before the transfer is cancelled - and the associated resources cleaned-up. A new warning message will be - logged if the file transfer is cancelled. (markt) - </fix> - </changelog> - </subsection> - <subsection name="WebSocket"> - <changelog> - <fix> - <bug>66508</bug>: When using WebSocket with NIO2, avoid waiting for - a timeout before sending the close frame if an I/O error occurs during a - write. (markt) - </fix> - <fix> - <bug>66548</bug>: Expand the validation of the value of the - <code>Sec-Websocket-Key</code> header in the HTTP upgrade request that - initiates a WebSocket connection. The value is not decoded but it is - checked for the correct length and that only valid characters from the - base64 alphabet are used. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - <bug>66542</bug>: Documentation. Update the JNDI documentation to - replace references to JavaMail with references to Jakarta Mail. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations. Contributed by Shirayuking and - tak7iji. (markt) - </add> - <add> - Improvements to Chinese translations. Contributed by totoo. (markt) - </add> - <scode> - Refactor code using <code>MD5Encoder</code> to use - <code>HexUtils.toHexString()</code>. 
(markt) - </scode> - <fix> - <bug>66507</bug>: Fix a bug that <code>$JAVA_OPTS</code> is not passed - to the jvm in <code>catalina.sh</code> when calling <code>version</code>. - Patch suggested by Eric Hamilton. (lihan) - </fix> - <update> - Update the internal fork of Commons DBCP to f131286 (2023-03-08, - 2.10.0-SNAPSHOT). This corrects a regression introduced in 11.0.0-M2. - (markt) - </update> - <fix> - Improve the error messages if <code>JRE_HOME</code> or - <code>JAVA_HOME</code> are not set correctly. On windows, align the - handling of <code>JRE_HOME</code> and <code>JAVA_HOME</code> for the - start-up scripts and the service install script. (markt) - </fix> - <update> - Update to the Eclipse JDT compiler 4.27. (markt) - </update> - <update> - Update UnboundID to 6.0.8. (markt) - </update> - <update> - Update Checkstyle to 10.9.3. (markt) - </update> - <update> - Update Jacoco to 0.8.9. (markt) - </update> - <fix> - Enhance PEMFile to load from an InputStream. Patch provided by - Romain Manni-Bucau. (schultz) - </fix> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M4 (markt)" rtext="2023-03-06"> - <subsection name="General"> - <changelog> - <fix> - Fix a bug that memory allocation is larger than limit in - <code>SynchronizedStack</code> to reduce memory footprint. (lihan) - </fix> - </changelog> - </subsection> - <subsection name="Catalina"> - <changelog> - <add> - Add support for <code>txt:</code> and <code>rnd:</code> rewrite map - types from mod_rewrite. Based on a pull request <pr>591</pr> - provided by Dimitrios Soumis. (remm) - </add> - <update> - Provide a more appropriate response (501 rather than 400) when rejecting - an HTTP request using the CONNECT method. (markt) - </update> - <fix> - <bug>66491</bug>: Revert the switch to using the ServiceLoader mechanism - to load the custom URL protocol handlers that Tomcat uses. The original - system property based approach has been restored. 
(markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <add> - Add a check for the validity of the scheme pseudo-header in HTTP/2. - (markt) - </add> - <fix> - <bug>66482</bug>: Restore inline state after async operation in NIO2, - to account the fact that unexpected exceptions are sometimes thrown - by the implementation. Patch submitted by zhougang. (remm) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <add> - Provide an implementation of the sub-set of JavaBeans support that does - not depend on the <code>java.beans</code> package. This for use by - Expression Language when the <code>java.desktop</code> module (which is - where the <code>java.beans</code> package resides) is not available. - (markt) - </add> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M3 (markt)" rtext="2023-02-23"> - <subsection name="General"> - <changelog> - <update> - Increase the minimum supported Java version to Java 17. Note that - Jakarta EE 11 permits a minimum Java version of 21. The minimum Java - version for Tomcat 11 may be increased to Java 21 before the first - stable release. (markt) - </update> - </changelog> - </subsection> - <subsection name="Catalina"> - <changelog> - <fix> - Allow a Valve to access cookies from a request that cannot be mapped to - a Context. (markt) - </fix> - <add> - Implement the new Servlet API methods for setting character encodings - that accept <code>Charset</code> objects. (markt) - </add> - <update> - The default HEAD response no longer includes some HTTP header fields - where the value is determined only while generating the content as per - section 9.3.2 of RFC 9110. (markt) - </update> - <fix> - <bug>66438</bug>: Correct names of Jakarta modules in JPMS metadata. - (markt) - </fix> - <update> - Switch to using the ServiceLoader mechanism to load the custom URL - protocol handlers that Tomcat uses. 
(markt) - </update> - <fix> - Switch to using <code>LongAdder</code> rather than - <code>AtomicInteger</code> to track request count and error count for - servlets. (markt) - </fix> - <fix> - Implement the clarification from the Jakarta Servlet project that - Servlets mapped to the context root should be mapped for requests to the - context root with or without the trailing <code>/</code>. (markt) - </fix> - <fix> - Implement the clarification from the Jakarta Servlet project that - calling <code>ServletOutputStream.close()</code> on a stream in - non-blocking mode returns immediately with the stream effectively closed - and any data remaining to be written is written in the background by the - container. (markt) - </fix> - <fix> - Avoid possible ISE when scanning from bad JAR URLs, to restore the - previous behavior following the removal of Java 9+ reflection code which - caught the ISE. (remm) - </fix> - <fix> - Refactor uses of <code>String.replaceAll()</code> to use - <code>String.replace()</code> where regular expressions where not being - used. Pull request <pr>581</pr> provided by Andrei Briukhov. (markt) - </fix> - <add> - Add error report valve that allows redirecting to of proxying from an - external web server. Based on code and ideas from pull request - <pr>506</pr> provided by Max Fortun. (remm) - </add> - <add> - <bug>66470</bug>: Add the Shared Address Space defined by RFC 6598 - (100.64.0.0/10) to the regular expression used to identify internal - proxies for the <code>RemoteIpFilter</code> and - <code>RemoteIpValve</code>. (markt) - </add> - <fix> - <bug>66471</bug>: Fix JSessionId secure attribute missing When - <code>RemoteIpFilter</code> determines that this request was submitted - via a secure channel. (lihan) - </fix> - <add> - Add the additional HTTP status code constants to - <code>HttpServletResponse</code> defined by the Jakarta Servlet project - for the Servlet 6.1 API. 
(markt) - </add> - <fix> - Implement the clarification from the Jakarta Servlet project that - calling one of the <code>HttpServletResponse</code> methods for setting - HTTP header values with <code>null</code> as the new header value - removes any existing header of that name. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <add> - Log basic information for each configured TLS certificate when Tomcat - starts. (markt) - </add> - <fix> - <bug>66442</bug>: When an HTTP/2 response must not include a body, - ensure that the end of stream flag is set on the headers frame and that - no data frame is sent. (markt) - </fix> - <fix> - Fix a bug that prevented HTTP/2 connections from timing out when using - a Connector configured with <code>useAsyncIO=true</code> (the default). - (markt) - </fix> - <add> - Provided dedicated loggers - (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> / - <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for - logging of configured TLS certificates. (markt) - </add> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - <bug>66419</bug>: Fix calls from expression language to a method that - accepts varargs when only one argument was passed. (markt) - </fix> - <fix> - <bug>66441</bug>: Make imports of static fields in JSPs visible to any - EL expressions used on the page. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - <bug>66429</bug>: Documentation. Limit access to the documentation web - application to localhost by default. (markt) - </fix> - <fix> - <bug>66429</bug>: Examples. Limit access to the examples web application - to localhost by default. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update BND to 6.4.0. (markt) - </update> - <update> - Remove support for starting Tomcat under a SecurityManager. 
(markt) - </update> - <add> - Improvements to Chinese translations. (lihan) - </add> - <add> - Improvements to French translations. (remm) - </add> - <add> - Improvements to Japanese translations. Contributed by tak7iji. (markt) - </add> - <add> - Improvements to Korean translations. (woonsan) - </add> - <update> - Update the packaged version of the Apache Tomcat Native Library to 2.0.3 - to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M2 (markt)" rtext="not released"> - <subsection name="Catalina"> - <changelog> - <add> - Update the <code>ServletInputStream</code> and - <code>ServletOuputStream</code> classes in the Servlet API to align with - the recent updates in the Jakarta Servlet specification to support - reading and writing with <code>ByteBuffer</code>s. The changes also - clarified various aspects of the Servlet non-blocking API. (markt) - </add> - <fix> - <bug>66388</bug>: Correct a regression in the refactoring that replaced - the use of the <code>URL</code> constructors. The regression broke - lookups for resources that contained one or more characters in their - name that required escaping when used in a URI path. (markt) - </fix> - <fix> - <bug>66392</bug>: Change the default value of <code>AccessLogValve</code>'s - file encoding to UTF-8 and update documentation. (lihan) - </fix> - <fix> - <bug>66393</bug>: Align <code>ExtendedAccessLogValve</code>'s x-P(XXX) with the - documentation. (lihan) - </fix> - <fix> - Remove JAX-RPC support which was removed from the Jakarta EE platform - for Jakarta EE 9. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Update Cookie parsing and handling to treat the quotes in a quoted - cookie value as part of the value as required by RFC 6265 and explicitly - clarified in RFC 6265bis. (markt) - </fix> - <add> - Add an RFC 8941 structured field parser. 
(markt) - </add> - <add> - Add a parser for the <code>priority</code> HTTP header field defined in - RFC 9218. (markt) - </add> - <fix> - When resetting an HTTP/2 stream because the final response has been - generated before the request has been fully read, use the HTTP/2 error - code <code>NO_ERROR</code> so that client does not discard the response. - Based on a suggestion by Lorenzo Dalla Vecchia. (markt) - </fix> - <fix> - <bug>66385</bug>: Correct a bug in HTTP/2 where a non-blocking read for - a new frame with the NIO2 connector was incorrectly made using the read - timeout leading to unexpected stream closure. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - <bug>66370</bug>: Change the default of the - <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system - property to <code>true</code> unless the EL library is running on Tomcat - in which case the default remains <code>false</code> as the EL library - is already called from within a privileged block and skipping the - unnecessary privileged block improves performance. (markt) - </fix> - <add> - Add support for specifying Java 21 (with the value <code>21</code>) as - the compiler source and/or compiler target for JSP compilation. If used - with an Eclipse JDT compiler version that does not support these values, - a warning will be logged and the default will used. - (markt) - </add> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update the packaged version of the Apache Tomcat Migration Tool for - Jakarta EE to 1.0.6. (markt) - </update> - <update> - Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03, - 6.7.1-SNAPSHOT). (markt) - </update> - <update> - Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03, - 1.16-SNAPSHOT). (markt) - </update> - <update> - Update the internal fork of Apache Commons FileUpload to 34eb241 - (2023-01-03, 2.0-SNAPSHOT). 
(markt) - </update> - <update> - Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03, - 2.10.0-SNAPSHOT). (markt) - </update> - <add> - Improvements to Japanese translations. Contributed by Shirayuking. - (markt) - </add> - <add> - Improvements to Portuguese translations. Contributed by Guilherme - Custódio. (markt) - </add> - <update> - Update to the Eclipse JDT compiler 4.26. (markt) - </update> - <update> - Update Checkstyle to 10.6.0. (markt) - </update> - <update> - Update Unboundid to 6.0.7. (markt) - </update> - <update> - Update SpotBugs to 4.7.3. (markt) - </update> - </changelog> - </subsection> -</section> -<section name="Tomcat 11.0.0-M1 (markt)" rtext="2022-12-05"> - <subsection name="General"> - <changelog> - <scode> - This release contains all of the changes up to and including those in - Apache Tomcat 10.1.1 plus the additional changes listed below. (markt) - </scode> - </changelog> - </subsection> - <subsection name="Catalina"> - <changelog> - <fix> - <bug>66175</bug>: Change the default character set used by the - <code>BasicAuthenticator</code> from ISO-8859-1 to UTF-8. (markt) - </fix> - <add> - <bug>66209</bug>: Add a configuration option to allow bloom filters used - to index JAR files to be retained for the lifetime of the web - application. Prior to this addition, the indexes were always flushed by - the periodic calls to <code>WebResourceRoot.gc()</code>. As part of this - addition, configuration of archive indexing moves from - <code>Context</code> to <code>WebResourceRoot</code>. Based on a patch - provided by Rahul Jaisimha. (markt) - </add> - <fix> - <bug>66330</bug>: Correct a regression introduced when fixing - <bug>62897</bug> that meant any value configured for - <code>skipMemoryLeakChecksOnJvmShutdown</code> on the - <code>Context</code> was ignored and the default was always used. 
- (markt) - </fix> - <fix> - <bug>66331</bug>: Fix a regression in refactoring for <code>Stack</code> - on the <code>SystemLogHandler</code> which caught incorrect exception. - (lihan) - </fix> - <fix> - <bug>66338</bug>: Fix a regression that caused a nuance in refactoring - for <code>ErrorReportValve</code>. (lihan) - </fix> - <fix> - Escape values used to construct output for the - <code>JsonErrorReportValve</code> to ensure that it always outputs valid - JSON. (markt) - </fix> - <fix> - Correct the default implementation of - <code>HttpServletRequest.isTrailerFieldsReady()</code> to return - <code>true</code> so it is consistent with the default implementation of - <code>HttpServletRequest.getTrailerFields()</code> and with the Servlet - API provided by the Jakarta EE project. (markt) - </fix> - <fix> - Refactor <code>WebappLoader</code> so it only has a runtime dependency - on the migration tool for Jakarta EE if configured to use the converter - as classes are loaded. (markt) - </fix> - <fix> - Improve the behavior of the credential handler attribute that is set in - the Servlet context so that it actually reflects what is used during - authentication. (remm) - </fix> - <fix> - <bug>66359</bug>: Update javadoc for RemoteIpValve and RemoteIpFilter with - correct <code>protocolHeader</code> default value of "X-Forwarded-Proto". - (lihan) - </fix> - <add> - Add support for the new attribute for error dispatches - <code>jakarta.servlet.error.query_string</code>. (markt) - </add> - <update> - Update <code>ignoreAnnotation</code> attribute on <code>Context</code> - to dissociate it from <code>metadata-complete</code>. (remm) - </update> - </changelog> - </subsection> - <subsection name="Coyote"> - <changelog> - <fix> - Correct the date format used with the expires attribute of HTTP cookies. - A single space rather than a single dash should be used to separate the - day, month and year components to be compliant with RFC 6265. 
(markt) - </fix> - <add> - Include the name of the current stream state in the error message when a - stream is cancelled due to an attempt to write to the stream when it is - in a state that does not permit writes. (markt) - </add> - <scode> - NIO writes never return -1 so refactor <code>CLOSED_NIO_CHANNEL</code> - not to do so and remove checks for this return value. Based on - <pr>562</pr> by tianshuang. (markt) - </scode> - <scode> - Remove unnecessary code that exposed the <code>asyncTimeout</code> to - components that never used it. (markt) - </scode> - <fix> - Ensure that all <code>MessageBytes</code> conversions to byte arrays are - valid for the configured character set and throw an exception if not. - (markt) - </fix> - <fix> - When an HTTP/2 stream was reset, the current active stream count was not - reduced. If enough resets occurred on a connection, the current active - stream count limit was reached and no new streams could be created on - that connection. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Jasper"> - <changelog> - <fix> - <bug>66294</bug>: Make the use of a privileged block to obtain the - thread context class loader added to address <bug>62080</bug> optional - and disabled by default. This is now controlled by the - <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system - property. (markt) - </fix> - <fix> - <bug>66317</bug>: Fix for Lambda coercion security manager missing - privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan) - </fix> - <fix> - <bug>66325</bug>: Fix concurrency issue in evaluation of expression - language containing lambda expressions. (markt) - </fix> - <add> - Update the <code>ErrorData</code> class in the JSP API to align with the - recent changes in the Jakarta Pages specification to support the new - error dispatch attribute - <code>jakarta.servlet.error.query_string</code>. 
- </add> - </changelog> - </subsection> - <subsection name="Web applications"> - <changelog> - <fix> - <bug>66348</bug>: Update the JARs listed in the class loader - documentation and note which ones are optional. (markt) - </fix> - <fix> - Documentation. Replace references in the application developer's guide - to CVS with more general references to a source code control system. - (markt) - </fix> - </changelog> - </subsection> - <subsection name="jdbc-pool"> - <changelog> - <fix> - <bug>66346</bug>: Ensure all JDBC pool JARs are reproducible. Pull - request <pr>566</pr> provided by John Neffenger. (markt) - </fix> - </changelog> - </subsection> - <subsection name="Other"> - <changelog> - <update> - Update to Commons Daemon 1.3.3. (markt) - </update> - <fix> - <bug>66323</bug>: Move module start up parameters from - <code>JDK_JAVA_OPTIONS</code> to <code>JAVA_OPTS</code> now that the - minimum Java version is 11 and these options are always required. - (markt) - </fix> - <add> - Improvements to Chinese translations. Contributed by DigitalCat and - lihan. (markt) - </add> - <add> - Improvements to French translations. Contributed by Mathieu Bouchard. - (markt) - </add> - <add> - Improvements to Japanese translations. Contributed by Shirayuking and - tak7iji. (markt) - </add> - <add> - Improvements to Korean translations. (markt) - </add> - <add> - Improvements to Spanish translations. (markt) - </add> - <fix> - Correct a regression in the removal of the APR connector that broke - Graal native image support. Pull request <pr>564</pr> provided by - Sébastien Deleuze. (markt) - </fix> - <update> - Update the packaged version of the Apache Tomcat Native Library to 2.0.2 - to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt) - </update> - <update> - Update the packaged version of the Apache Tomcat Migration Tool for - Jakarta EE to 1.0.5. (markt) - </update> - <scode> - Refactor code base to replace use of URL constructors. 
While they are - deprecated in Java 20 onwards, the reasons for deprecation are valid for - all versions so move away from them now. (markt) - </scode> - <scode> - Refine the Tomcat native image metadata to avoid including unintended - non-Tomcat resources. Pull request <pr>569</pr> provided by Sébastien - Deleuze. (markt) - </scode> - <update> - Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28, - 6.7.0-RC1). (markt) - </update> - <update> - Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29, - 1.16-SNAPSHOT). (markt) - </update> - <update> - Update the internal fork of Apache Commons FileUpload to aa8eff6 - (2022-11-29, 2.0-SNAPSHOT). (markt) - </update> - </changelog> - </subsection> -</section> </body> </document>
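Review bot: In the `@@ -174,2747 +182,6 @@` hunk, the deleted 11.0.0-M1 to 11.0.0-M24 sections carry behaviour and default changes that someone moving to 12.0.x from an older line still needs, and the new 12.0.0-M1 General entry only states that the release includes everything up to 11.0.0-M24 without saying where that history now lives. Among the removed lines are "Remove support for starting Tomcat under a SecurityManager", the removal of the `rejectIllegalHeader` and `allowHostHeaderMismatch` Connector settings (now hard-coded to the previous defaults), and the `maxParameterCount` default dropping from 10,000 to 1,000. Consider extending the new `<scode>` text with a pointer to the 11.0.x changelog so these entries stay discoverable. The removed 11.0.0-M1 General entry used the same wording for 10.1.1, so this follows precedent, but it inherits the same gap.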