Changelog

Tomcat 8.0.30 (markt)

Catalina

  • Fix: 34319: Only load those keys in StoreBase.processExpire from JDBCStore that are old enough to be expired. Based on a patch by Tom Anderson. (fschumacher)
  • Add: 56917: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later redirects to use relative URIs. This is controlled by a new attribute useRelativeRedirects on the Context and defaults to true. (markt)
  • Fix: 58629: Allow an embedded Tomcat instance to start when the Service has no Engine configured. (markt)
  • Fix: 58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt)
  • Fix: 58660: Correct a regression in 8.0.29 caused by the change that moved the redirection for context roots from the Mapper to the Default Servlet. (markt)
  • Fix: Fixed potential NPE in HostConfig while deploying an application. Issue reported by coverity scan. (violetagg)
  • Fix: 58655: Fix an IllegalStateException when calling HttpServletResponse.sendRedirect() with the RemoteIpFilter. This was caused by trying to correctly generate the absolute URI for the redirect. With the fix for 56917, redirects may now be relative, making the sendRedirect() implementation for the RemoteIpFilter much simpler. This also addresses issues where the redirect may not have behaved as expected when redirecting from http to https or from https to http. (markt)
  • Fix: 58657: Exceptions in a Servlet 3.1 ReadListener or WriteListener do not need to be immediately fatal to the connection. Allow an error response to be written. (markt)

Coyote

  • Fix: Improve upgrade context classloader handling by using Context.bind and unbind. (remm)

Jasper

  • Fix: 57136#c25: Change default value of quoteAttributeEL setting in Jasper to be true for better compatibility with other implementations and older versions of Tomcat (8.0.26/7.0.64 and earlier). Add command line option -no-quoteAttributeEL in JspC. (kkolinko)

Cluster

  • Fix: Fix potential integer overflow in DeltaSession. Reported by coverity scan. (fschumacher)

WebSocket

  • Add: 55006: The WebSocket client now honors the java.net.ProxySelector configuration (using the HTTP type) when establishing WebSocket connections to servers. Based on a patch by Niki Dokovski. (markt)
  • Fix: 58624: Correct a thread safety issue that meant that blocking message writes could block indefinitely if the WebSocket connection was closed while a message write was in progress. (markt)

Web Applications

  • Fix: 58631: Correct the continuation character use in the Windows Service How-To page of the documentation web application. (markt)

Tribes

  • Fix: Ensure that the static member is registered to the add suspect list even if the static member that is registered to the remove suspect list has disappeared. (kfujino)
  • Fix: Correct the warning logged when a member that is not registered in the membership is detected. (kfujino)
  • Fix: When using a static cluster, add the members that have been cached in the membership service to the map members list in order to ensure that the map member is a static member. (kfujino)

jdbc-pool

  • Fix: Correct evaluation of system property org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader. It was basically ignored before. Reported by coverity scan. (fschumacher)
  • Fix: Fix potential integer overflow in ConnectionPool and PooledConnection. Reported by coverity scan. (fschumacher)

Other

  • Update: Update optional Checkstyle library to 6.13. (kkolinko)

2015-11-24 Tomcat 8.0.29 (markt)

General

  • Update: 58596: Clarify the description in RUNNING.txt of how environment variables are used. (markt)

Catalina

  • Add: Extend the fix for 57136 to provide a JSP Servlet initialisation parameter per web application that controls whether or not EL in JSP attributes is processed as if it uses JSP attribute quoting. By default, EL does not use JSP attribute quoting. (markt)
  • Fix: 57799: InputStream.available() was causing an IO operation to occur even in blocking mode, which caused problems with NIO2. (remm)
  • Add: Extend the fix for 58228 to include ServletContext.getRealPath(). (markt)
  • Add: 58486: Protect against two further possible memory leaks associated with XML parsing. (markt)
  • Fix: 58490: Fixed NPE thrown when scanning for javax.servlet.ServletContainerInitializer in case the web application is not extracted. (violetagg)
  • Code: 58497: Make AbstractHttp11Processor easy to extend. (markt)
  • Fix: 58508: Escape role names when generating associated MBeans in case the role name contains characters not permitted in an MBean name. (markt)
  • Fix: 58518: Correct a regression in the fix for 56777 that added support for URIs in config file locations. File paths on Windows could previously be specified with \ or / as the separator. 56777 broke that. (markt)
  • Fix: 58519: Fix ISE thrown by web application classloader in some error conditions due to trying to call initCause() on a ClassNotFoundException which is not permitted. (markt)
  • Fix: 58534: Removed repeated conditional tests in o.a.tomcat.websocket.pojo.PojoMethodMapping and o.a.tomcat.util.net.AprEndpoint. Patch provided by Anthony Whitford. (violetagg)
  • Fix: 58535: Use Collections.reverseOrder when a reverse ordering is needed. (violetagg)
  • Fix: 58537, 58546: Some of the inner classes in o.a.catalina.valves.ExtendedAccessLogValve and o.a.tomcat.util.net.SecureNio2Channel are made static. Patch provided by Anthony Whitford. (violetagg)
  • Fix: 58540: Removed unused code from o.a.catalina.connector.Request. Patch provided by Anthony Whitford. (violetagg)
  • Fix: 58541, 58544: It is more efficient to call Integer.toString(int) instead of Integer.valueOf(int).toString() when only a string representation of a primitive is needed. Based on a patch provided by Anthony Whitford. (violetagg)
  • Fix: 58541, 58547: It is more efficient to call valueOf(...) instead of Number constructor. Based on a patch provided by Anthony Whitford. (violetagg)
  • Fix: 58545: In some use cases it is more efficient to use Map.entrySet() instead of Map.keySet(). Based on a patch provided by Anthony Whitford. (violetagg)
  • Fix: Ensure that ServletRequest.getContentLengthLong is used instead of ServletRequest.getContentLength for servlets and valves provided by Tomcat. The API is available since Servlet specification 3.1. (violetagg)
  • Add: Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs. (violetagg)
  • Fix: 58578: Avoid NPE accessing cookies during access logging for request that had no context mapping. (remm)
  • Fix: Avoid UnsupportedOperationException when releasing a user-provided URLStreamHandlerFactory. Patch provided by Cristian Talau. (violetagg)
  • Fix: 58581: If a custom error page fails, fall back to the standard error page rather than throwing an NPE. Based on a patch by Huxing Zhang. (markt)
  • Fix: 58582: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (schultz)
  • Fix: Handle the unlikely case where different versions of a web application are deployed with different session settings. (markt)
  • Add: Add a new Context option, enabled by default, that enables an additional check that a client provided session ID is in use in at least one other web application before allowing it to be used as the ID for a new session in the current web application. (markt)
  • Add: Add support for DIGEST authentication to the JNDIRealm. Based on a patch by Alexis Hassler. (markt)
  • Fix: 58603: Ensure that HttpServletRequest.getRequestURL() returns the correct value when using the RemoteIpFilter. (markt)
  • Fix: Ensure that in an embedded Tomcat the logging configuration is not lost during garbage collection. (violetagg)
  • Add: Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt)

Coyote

  • Fix: Cancel pending blocking IO operation following a timeout in the NIO2 connector. (remm)
  • Fix: Add instance manager support for upgrade handlers, and set context class loader. (remm)
  • Update: Synchronize OpenSSL to JSSE cipher mapping to recent OpenSSL changes. In particular, TLSv1.0 is now an alias for those ciphers that require TLSv1 and will not work with SSLv3. TLSv1 remains an alias for SSLv3. (markt)

Jasper

  • Add: Deprecate the STRICT_QUOTE_ESCAPING system property and replace it with an initialisation parameter for the JSP Servlet. This enables per web application control of this configuration setting. (markt)

Cluster

  • Fix: Optimize the session lock range in DeltaManager.requestCompleted. (kfujino)
  • Fix: Enable an explicit configuration of local member in the static cluster membership. (kfujino)

Tribes

  • Code: Distinguish the handling of the shutdown payload and member verification clearly. When handling shutdown payload, verification completion message is not required. (kfujino)
  • Fix: When starting the StaticMembershipInterceptor, StaticMembershipInterceptor checks the required Interceptors. If the required Interceptor does not exist, it issues warning logs. (kfujino)

WebSocket

  • Fix: Use instance manager for server endpoint instances. (remm)

Web applications

  • Add: Make it clear in the documentation for the CGI servlet that the debug page is not considered secure and should not be used in production. (markt)
  • Fix: The domain attribute of StaticMember is not required but optional. (kfujino)

jdbc-pool

  • Fix: 58489: Correct QueryStatsComparator to uphold the general contract for Comparator. (fschumacher)
  • Fix: When creating a QueryStats object, ensure that maxQueries is checked. If maxQueries is a value less than or equal to 0, QueryStats are never created. (kfujino)

Other

  • Update: Update optional Checkstyle library to 6.12.1. (kkolinko)
  • Add: Add support for creating a FindBugs report when building Tomcat. It is disabled by default. (violetagg)

2015-10-12 Tomcat 8.0.28 (markt)

Catalina

  • Add: Add support for the custom classpath protocol in URLs. It can be used anywhere Tomcat accepts a URL for a configuration parameter. (markt)
  • Fix: 56777: Allow file based configuration resources (user database, certificate revocation lists, keystores and trust stores) to be configured using URLs as well as files. (markt)
  • Fix: Perform null-checking on input and stored credentials in all Realms before passing credentials off to CredentialHandlers for matching. (schultz)

Coyote

  • Update: Add the new ciphers from RFC6655 and RFC7251 to the OpenSSL to JSSE cipher mapping. (markt)
  • Update: Remove DES, RC2 and RC4 from DEFAULT for the OpenSSL to JSSE cipher mapping to align with the OpenSSL development branch. (markt)

Jasper

  • Fix: Improve the error message when JSP parser encounters an error parsing an attribute value. (markt)

Web applications

  • Update: 58474: Provide a reference to the differences between CATALINA_HOME and CATALINA_BASE in the sample application that is part of the documentation web application. (markt)

Extras

  • Fix: Ensure JULI adapters do not include the LogFactoryImpl class. Patch provided by Benjamin Gandon. (markt)

2015-10-01 Tomcat 8.0.27 (markt)

Catalina

  • Fix: 58187: Correct a regression in the fix for 57765 that meant that deployment of web applications deployed via the Manager application was delayed until the next execution of the automatic deployment background process. (markt)
  • Fix: 58284: Correctly implement session serialization so non-serializable attributes are skipped with a warning. Patch provided by Andrew Shore. (markt)
  • Fix: 58313: Fix concurrent access of encoders map when clearing encoders prior to switch to async. (markt)
  • Fix: 58320: Fix concurrent access of request attributes which is possible during asynchronous processing. (markt)
  • Fix: 58352: Always trigger a thread dump if Tomcat fails to stop gracefully from catalina.sh even if using -force. Patch provided by Alexandre Garnier. (markt)
  • Fix: 58368: Fix a rare data race in the code that obtains the ApplicationFilterFactory instance. (markt)
  • Fix: 58369: Fix a rare data race in the code that obtains the CookieProcessor for a StandardContext instance. (markt)
  • Fix: Ensure the JAASRealm uses the configured CredentialHandler. (markt)
  • Fix: 58372: Fix rare data races on the closed and suspended flags that could be triggered by async and/or comet processing. (markt)
  • Fix: 58373: Fix rare data race with the application event listeners for StandardContext. (markt)
  • Fix: 58374: Fix a rare data race in the AsyncContext implementation for access to the internal Tomcat request object to which it holds a reference. (markt)
  • Fix: 58380: Fix two rare data races in the standard session implementation on the flag that tracks if the session is new and on the field that tracks the maximum inactive period. (markt)
  • Fix: 58385: Fix a rare data race in the internal flag Tomcat uses to keep track of whether or not a request is being used for Comet processing. (markt)
  • Fix: 58394: Fix a rare data race in Mapper when adding or removing a host. (markt)
  • Fix: 58398: Fix a rare data race in LifecycleSupport. (markt)
  • Fix: 58412: Ensure that the AsyncFileHandler has the source class and method name available for logging. (fschumacher)
  • Fix: 58416: Correctly detect when a forced stop fails to stop Tomcat because the Tomcat process is waiting on some system call or is uninterruptible. (markt)
  • Fix: 58436: Fix some rare data races in JULI's ClassLoaderLogManager during shutdown. (markt)
  • Fix: 58845: Fix off-by-one error in calculation of valid characters in a cookie domain. Patch provided by Thorsten Ehlers. (markt)

Coyote

  • Fix: Correct some edge cases in RequestUtil.normalize(). (markt)
  • Fix: 58275: The IBM JREs accept cipher suite names starting with TLS_ or SSL_ but when listing the supported cipher suites only the SSL_ version is reported. This can break Tomcat's check that at least one requested cipher suite is supported. Tomcat now includes a work-around so either form of the cipher suite name can be used when running on an IBM JRE. (markt)
  • Fix: 58357: For reasons not currently understood, when the APR/native connector is used with OpenSSL, reads can return an error code when there is no apparent error. This was worked around for HTTP upgrade connections by treating this as EAGAIN. The same fix has now been applied to the standard HTTP connector. (markt)
  • Code: Minor clean-up in NIO2 SSL handshake code to address some theoretical concurrency issues. (markt)
  • Fix: 58367: Fix a rare data race in the code that obtains the reason phrase for a given HTTP response code. (markt)
  • Fix: 58370: Fix a rare data race in the connector shutdown code. (markt)
  • Fix: 58371: Fix a rare data race when accessing request URI in String form when switching from non-async to async due to early triggering of the gathering of request statistics. (markt)
  • Fix: 58375: Fix a rare data race on the internal flag Tomcat uses to mark a response as committed. (markt)
  • Fix: 58377: Fix a rare data race on the internal flag Tomcat uses to mark a request as using HTTP keep-alive when switching to asynchronous processing. (markt)
  • Fix: 58379: Fix a rare data race on the internal reference Tomcat retains to the socket when switching to asynchronous processing. (markt)
  • Fix: 58387: Fix a rare data race when closing Comet connections. (markt)
  • Fix: 58388: Fix a data race when determining if Comet processing is occurring on a container or non-container thread. (markt)
  • Fix: 58389: Fix a rare data race while shutting down the thread pools on Connector stop. (markt)
  • Code: Clean up use of error flag on socket wrapper prompted by 58390. (markt)
  • Code: Remove some unnecessary code from the NIO Poller and fix 58396 as a side-effect. (markt)
  • Fix: 57799: Remove useless sendfile check for NIO SSL. (remm)

Jasper

  • Fix: 57136: Correct a regression in the previous fix for this issue. \${ should only be an escape for ${ within an EL expression. Within a JSP page \$ should be an escape for $. The EL specification applies when parsing the expression delimited by ${ and }. Parsing of the delimiting ${ and } is the responsibility of the JSP specification. (markt)
  • Fix: 58296: Fix a memory leak in the JSP unloading feature that meant that using a value other than -1 for maxLoadedJsps triggered a memory leak once the limit was reached. (markt)
  • Fix: 58327: Cache the expression string for value expression literals since it is frequently used and may be expensive to evaluate. Patch provided by Andreas Kohn. (markt)
  • Fix: 58340: Improve error reporting for tag files packaged in JARs. (markt)
  • Fix: 58424: When parsing TLD files, allow whitespace around boolean configuration values. (schultz)
  • Fix: Fix a possible resource leak reported by coverity scan. (fschumacher)
  • Fix: 58427: Enforce the JSP specification defined limitations of which elements are allowed in an implicit.tld file. (markt)
  • Fix: 58444: Ensure that JSPs work with any custom base class that meets the requirements defined in the JSP specification without requiring that base class to implement Tomcat specific code. (markt)

Cluster

  • Fix: Fix the default clusterListeners in SimpleTcpCluster. The optimal default value is different for each session manager. ClusterSessionListener is never used in BackupManager. (kfujino)
  • Fix: Correct log messages in case of using BackupManager. (kfujino)

WebSocket

  • Fix: 58342: Fix a copy and paste error that meant MessageHandler removal could fail for binary and pong MessageHandlers. Patch provided by DJ. (markt)
  • Fix: Data races detected by RV-Predict, mostly caused by completion handlers running in separate threads. (markt)
  • Fix: 58414: Correctly handle sending zero length messages when using per message deflate. (markt)

Web applications

  • Fix: Correct documentation for cluster-howto. (kfujino)
  • Fix: Add missing documentation for property alwaysAddExpires for the LegacyCookieProcessor. (markt)

Tribes

  • Add: Add support for configurations of ChannelListener and MembershipListener in server.xml. (kfujino)
  • Fix: Correct log messages in case of using ReplicatedMap. (kfujino)
  • Fix: 58381: Fix a rare data race in the NioReceiver. (markt)
  • Fix: 58382: Fix multiple rare data races in the default membership implementation. (markt)
  • Fix: 58383: Fix a data race in SenderState. (markt)
  • Fix: 58386: Fix a data race in ObjectReader. (markt)
  • Fix: 58391: Fix multiple data races in NonBlockingCoordinator, most of which were associated with ensuring that log messages contained the correct information. (markt)
  • Fix: 58392: Fix a data race in DomainFilterInterceptor. (markt)
  • Fix: 58393: Fix a data race on the listener in McastService. (markt)
  • Fix: 58395: Fix multiple data races in MemberImpl that were likely to cause issues if certain properties were updated concurrently (such updates are unlikely in normal usage). (markt)
  • Code: Remove some unnecessary code from PooledParallelSender and fix 58397. (markt)

jdbc-pool

  • Fix: Make sure the pool has been properly configured when attributes related to the pool size are changed via JMX. (kfujino)

Other

  • Fix: Ensure logging works for all tests in a class rather than just the first one executed. (markt)
  • Add: 58344: Add build properties to enable tests to be executed against alternative binaries. Based on a patch by Petr Sumbera. (markt)

2015-08-21 Tomcat 8.0.26 (markt)

Web applications

  • Add: 58255: Document the Semaphore valve. Patch provided by Kyohei Nakamura. (markt)

not released Tomcat 8.0.25 (markt)

Catalina

  • Fix: Make the WAR manifest file available for WebResource instances from an unpacked WAR in the same way the manifest is available if the WAR is not unpacked. (markt)
  • Fix: Ensure that only /WEB-INF/classes/ and /WEB-INF/lib/ are excluded from the web resource caching. (Resources loaded from these locations are cached by the web application class loader.) (markt)
  • Add: 57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt)
  • Fix: 58031: Make the (first) reason parameter parsing failed available as a request attribute and then use it to provide a better status code via the FailedRequestFilter (if configured). (markt)
  • Fix: 58086: Correct a regression in the fix for 58086 that incorrectly handled WAR URLs. (violetagg)
  • Fix: 58096: Classes loaded from /WEB-INF/classes/ should use that directory as their code base. (markt)
  • Fix: Fix possible resource leaks by closing streams properly. Issues reported by Coverity Scan. (violetagg)
  • Fix: 58116: Fix regression in the fix for 57281 that broke Comet support when running under a security manager. Based on a patch provided by Johno Crawford. (markt)
  • Fix: 58125: Avoid a possible ClassCircularityError when running under a security manager. (markt)
  • Fix: 58179: Fix a thread safety issue that could mean concurrent threads setting the same attribute on a ServletContext could both see null as the old value. (markt)
  • Fix: Allow web archives bigger than 2G to be deployed using ANT tasks. (violetagg)
  • Fix: 58192: Correct a regression in the previous fix for 58023. Ensure that classes are associated with their manifest even if the class file is first read (and cached) without the manifest. (markt)
  • Fix: Fix thread safety issue in the AsyncContext implementation that meant a sequence of start();dispatch(); calls using non-container threads could result in a previous dispatch interfering with a subsequent start. (markt)
  • Fix: 58228: Make behaviour of ServletContext.getResource() and ServletContext.getResourceAsStream() consistent with each other and the expected behaviour of the GET_RESOURCE_REQUIRE_SLASH system property. (markt)
  • Fix: 58230: Fix input stream corruption if non-blocking I/O is used and the first read is made immediately after the switch to async mode rather than in response to onDataAvailable() and that read does not read all the available data. (markt)
  • Fix: Ensure that log4javascript*.jar is not excluded from the standard JAR scanning by default. (markt)

Coyote

  • Fix: 57943: Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. (markt)
  • Fix: Add text/javascript,application/javascript to the default list of compressable MIME types. (violetagg)
  • Fix: 58103: When pipelining requests, and the previous request was an async request, ensure that the socket is removed from the waiting requests so that the async timeout thread doesn't process it during the next request. (markt)
  • Fix: 58151: Correctly handle EOF in the AJP APR/native connector to prevent the connector entering a loop and generate excessive CPU load. (markt)
  • Fix: In the AJP and HTTP NIO connectors, ensure that the socket timeout is correctly set before adding the socket back to the poller for read. (markt)
  • Fix: 58157: Ensure that the handling of async timeouts does not result in an unnecessary dispatch to a container thread that could result in the current socket being added to the Poller multiple times with multiple attempts to process the same event for the same socket. (markt)
  • Fix: Correct a couple of edge cases in RequestUtil.normalize(). (markt)

Jasper

  • Fix: 58110: Like scriptlet sections, declaration sections of JSP pages have a one-to-one mapping of lines to the generated .java file. Use this information to provide more accurate error messages if a compilation error occurs in a declaration section. (markt)
  • Fix: 58119: When tags are compiled they must be placed in the org/apache/jsp/tag/web directory. Correct a regression in the fix for 52725. (violetagg)
  • Fix: Fix a resource leak in JspC identified by Eclipse. (markt)
  • Fix: 58178: Expressions in a tag file should use the tag file's PageContext rather than that of the containing page. (markt)
  • Fix: Following on from the fix for 58178, expressions in a tag file should use the tag file's imports rather than those of the containing page. (markt)

WebSocket

  • Fix: 58166: Allow applications to send close codes in the range 3000-4999 inclusive. (markt)
  • Fix: 58232: Avoid possible NPE when adding endpoints programmatically to the javax.websocket.server.ServerContainer. Based on a patch provided by bastian. (violetagg)

Web applications

  • Fix: Correct the documentation of QueryTimeoutInterceptor. The setting value is not in milliseconds but in seconds. (kfujino)
  • Fix: 58112: Update the documentation for using the Catalina tasks in an Apache Ant build file. (markt)
  • Fix: Improve the Javadoc for some of the APR socket read functions that have inconsistent behaviour for return values. (markt)

jdbc-pool

  • Fix: 58042: The default value of logFailed attribute of SlowQueryReport is changed to false so that the failed queries are not logged by default. (kfujino)
  • Fix: Fix potential NPE in QueryTimeoutInterceptor. (kfujino)
  • Fix: Add support for stopping the pool cleaner via JMX. (kfujino)
  • Fix: The fairness attribute and ignoreExceptionOnPreLoad attribute do not allow a change via JMX. (kfujino)
  • Fix: If the timeBetweenEvictionRunsMillis attribute is changed via JMX, it should restart the pool cleaner because this attribute affects the execution interval of the pool cleaner. (kfujino)
  • Fix: Eliminate the dependence on maxActive of busy queues and idle queue in order to enable the expansion of the pool size via JMX. (kfujino)

Other

  • Update: Update optional Checkstyle library to 6.8.1. (kkolinko)
  • Fix: Update sample Eclipse IDE configuration to exclude test/webapp* and similar paths from compiler sourcepath. (kkolinko)
  • Update: Update package renamed Apache Commons Pool to Commons Pool 2.4.2. (markt)
  • Update: Update package renamed Apache Commons DBCP to Commons DBCP 2.1.1. (markt)
  • Add: Support the use of the threads attribute on Ant's junit task. Note that using this with a value of greater than one will disable Cobertura code coverage. (markt)

2015-07-06 Tomcat 8.0.24 (markt)

Catalina

  • Fix: 57938: Correctly handle empty form fields when a form is submitted as multipart/form-data, the maxPostSize attribute of the Connector has been set to a negative value and the Context has been configured with a value of true for allowCasualMultipartParsing. The meaning of the value zero for the maxPostSize has also been changed to mean a limit of zero rather than no limit to align it with maxSavePostSize and to be more intuitive. (markt)
  • Fix: 57977: Correctly bind and unbind the web application class loader during execution of the PersistentValve. (markt)
  • Fix: Remove some unnecessary code from the web application class loader and deprecate the now unused validate() method since the requirements of SRV.10.7.2 are met using cleaner code in loadClass(String, boolean) and filter(). (markt)
  • Fix: Correct a bug that prevented the web application class loader's filter() from working correctly. It only returned true for classes in sub-packages of the listed packages, but not classes located in the packages themselves. (markt)
  • Fix: Add the WebSocket API classes to the list of classes that the web application class loader will always delegate to its parent for loading first. (markt)
  • Fix: 58015: Ensure that whenever the web application class loader checks to see if it should delegate first, it also checks the result of the filter() method which may indicate that it should always delegate first for the current class/resource regardless of the value of the delegate configuration option. (markt)
  • Fix: 58023: Fix potentially excessive memory usage due to unnecessary caching of JAR manifests in the web application class loader. (markt)
  • Fix: 57700: Ensure that Container event ADD_CHILD_EVENT will be sent in all cases. (violetagg)
  • Fix: 58086: Ensure that WAR URLs are handled properly when using ANT for web application deployment. Based on a patch provided by Lukasz Jader. (violetagg)
  • Fix: Fix CredentialHandler element handling in storeconfig. (remm)

Coyote

  • Fix: 57265: Further fix to address a potential threading issue when sendfile is used in conjunction with TLS. (markt)
  • Fix: 57936: Improve robustness of the acceptor thread count parameter for NIO2, since it must be set to 1. Submitted by Oliver Kant. (remm)
  • Add: 57943: Added a work-around to catch ConcurrentModificationExceptions during Poller timeout processing that were causing the Poller thread to stop. The root cause of these exceptions is currently unknown. (markt)
  • Fix: 57944: Ensure that if non-blocking I/O listeners are set on a non-container thread that the expected listener events are still triggered. (markt)
  • Fix: Fix possible very long (1000 seconds) timeout with APR/native connector. (markt)
  • Add: Support "-" separator in the SSLProtocol configuration of the APR/native connector for protocol exclusion. (rjung)
  • Fix: 58004: Fix AJP buffering output data even in blocking mode. (remm)

WebSocket

  • Fix: 57969: Provide path parameters to POJO via per session javax.websocket.server.ServerEndpointConfig as they vary between different requests. (violetagg)
  • Fix: 57974: Session.getOpenSessions should return all sessions associated with a given endpoint instance, rather than all sessions from the endpoint class. (remm)

Web applications

  • Fix: 57282: Update request processing sequence diagrams. Updated diagrams provided by Stephen Chen. (markt)
  • Fix: 57971: Correct the documentation for the cluster configuration setting recoverySleepTime. (markt)
  • Add: 57758: Add documentation of the testOnConnect attribute to the jdbc-pool docs. (kfujino)
  • Add: Add description of validatorClassName attribute to testXXXX attributes in jdbc-pool docs. (kfujino)

Tribes

  • Code: Use StringManager to provide i18n support in the org.apache.catalina.tribes packages. (kfujino)
  • Fix: Do not set the nodes to which replication failed as backup nodes. Ensure that the nodes to which the data has been successfully replicated are set as the backup nodes. (kfujino)
  • Fix: When replication fails, exclude the failed members from the backup members rather than handling all members as failed members. (kfujino)

jdbc-pool

  • Fix: Refactoring of the removeOldest method in SlowQueryReport to behave as expected. (kfujino)
  • Fix: 57783: Fix NullPointerException in SlowQueryReport. To avoid this NPE, refactor SlowQueryReport#removeOldest and handle the abandoned connection properly. (kfujino)
  • Fix: 58042: In SlowQueryReportJmx, the LogSlow and logFailed attributes that are inherited from SlowQueryReport are used as a condition of whether JMX notifications are sent. (kfujino)
  • Fix: Ensure that specified Boolean attribute values of SlowQueryReport are reflected correctly. LogSlow and logFailed are not system properties; they are attributes of SlowQueryReport. (kfujino)

Other

  • Update: Update package renamed Apache Commons BCEL to r1682271 to pick up some code clean up. (markt)
  • Update: Update package renamed Apache Commons DBCP to r1682314 to pick up the DBCP 2.1 release and additional fixes since then. (markt)
  • Update: Update package renamed Apache Commons Pool to the 2.4 release. (markt)
  • Update: Update package renamed Apache Commons File upload to r1682322 to pick up the post 1.3.1 fixes. (markt)
  • Update: Update package renamed Apache Commons Codec to r1682326. No functional changes. Javadoc only. (markt)
  • Update: Update optional Checkstyle library to 6.7. (kkolinko)

2015-05-22 Tomcat 8.0.23 (markt)

Catalina

  • Add: 54618: Add a new HttpHeaderSecurityFilter that adds the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options HTTP headers to the response. (markt)
  • Fix: 57875: Add javax.websocket.* to the classes for which the web application class loader always delegates first. (markt)
  • Fix: 57871: Ensure that setting the allowHttpSepsInV0 property of a LegacyCookieProcessor to false only prevents HTTP separators from being used without quotes. (markt)
  • Fix: Add a workaround for issues with SPNEGO authentication when running on Java 8 update 40 and later. The workaround should be safe for earlier Java versions but it can be disabled with the applyJava8u40Fix attribute of the SPNEGO authenticator if necessary. (markt)
  • Fix: 57926: Restore the original X-Forwarded-By and X-Forwarded-For headers after processing by the RemoteIPValve. (markt)

Coyote

  • Fix: Follow up to previous fix that removed the behavior difference between NIO and NIO2 for SSL, which caused corruption with NIO2. (remm)
  • Fix: 57931: Ensure that TLS connections with the NIO or NIO2 HTTP connectors that experience issues during the handshake (e.g. missing or invalid client certificate) are closed cleanly and that the client receives the correct error code rather than simply closing the connection. (markt)

Jasper

  • Fix: 56438: Add debug logging to TLD discovery that logs positive and negative results for JARs, resource paths and directories. Patch provided by VIN. (markt)
  • Fix: 57802: Correct the default implementation of convertToType() provided by javax.el.ELResolver. (markt)
  • Fix: 57887: Fix compilation of recursive tag files packaged in a JAR. (markt)

Cluster

  • Fix: Make sure that stream is closed after using it in DeltaSession.applyDiff(). (kfujino)
  • Code: Use StringManager to provide i18n support in the org.apache.catalina.ha packages. (kfujino)
  • Code: Add the context name to log messages when replication context failed to start. (kfujino)

Web applications

  • Fix: 57875: Update the web application class loader documentation to reflect the more relaxed approach to SRV.10.7.2 in Tomcat 8 onwards. (markt)
  • Fix: 57896: Document system property org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER that was introduced in Tomcat 8.0.0. (kkolinko)

Tribes

  • Fix: Ensure that the state transfer flag is updated to true only when the map states have been transferred correctly from existing map members. (kfujino)

Other

  • Update: Update optional Checkstyle library to 6.6. (kkolinko)

2015-05-05 Tomcat 8.0.22 (markt)

Catalina

  • Fix: 57736: Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted. (markt)
  • Fix: 57752: Exclude non-cached resources from the Cache statistics for resource lookups. Patch provided by Adam Mlodzinski. (markt)
  • Add: Allow logging of the remote port in the access log using the format pattern %{remote}p. (rjung)
  • Fix: 57556: Refine the previous fix for this issue so that the real path returned only has a trailing separator if the requested path ended with /. (markt)
  • Fix: 57765: When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified. (markt)
  • Fix: Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed. (markt)
  • Fix: Cleanup o.a.tomcat.util.digester.Digester from debug messages that do not give any valuable information. Patch provided by Polina Genova. (violetagg)
  • Fix: 57772: When reloading a web application and a directory representing an expanded WAR needs to be deleted, delete the directory after the web application has been stopped rather than before to avoid potential ClassNotFoundExceptions. (markt)
  • Fix: Fix wrong logger name of org.apache.catalina.webresources.StandardRoot. (kfujino)
  • Fix: 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung)
  • Fix: 57841: Improve error logging during web application start. (markt)
  • Fix: 57856: Ensure that any scheme/port changes implemented by the RemoteIpFilter also affect HttpServletResponse.sendRedirect(). (markt)
  • Fix: 57863: Fix the RewriteMap support in RewriteValve that did not use the correct key value to look up entries. Based on a patch provided by Tatsuya Bessho. (markt)

Coyote

  • Fix: 57779: When an I/O error occurs on a non-container thread only dispatch to a container thread to handle the error if using Servlet 3+ asynchronous processing. This avoids potential deadlocks if an application is performing I/O on a non-container thread without using the Servlet 3+ asynchronous API. (markt)
  • Code: Remove the experimental support for SPDY. No current user agent supports the version of SPDY that the experiment targeted. Note: HTTP/2 support is under development for Tomcat 9 and may be back-ported to Tomcat 8 once complete. (markt)
  • Fix: Possible incomplete writes with SSL NIO2. (remm)
  • Fix: Incorrect reads with SSL NIO2 caused by a bad strategy for handling IO differences between NIO and NIO2 that don't seem to be justified. (remm)
  • Fix: After some errors, the pending flags could remain set when using SSL NIO2. (remm)
  • Fix: 57833: When using JKS based keystores for NIO or NIO2, ensure that the key alias is always converted to lower case since that is what JKS key stores expect. Based on a patch by Santosh Giri Govind M. (markt)
  • Fix: 57837: Add text/css to the default list of compressable MIME types. (markt)

Jasper

  • Fix: 57845: Ensure that, if the same JSP is accessed directly and via a <jsp-file> declaration in web.xml, updates to the JSP are visible (subject to the normal rules on re-compilation) regardless of how the JSP is accessed. (markt)
  • Fix: 57855: Explicitly handle the case where a MethodExpression is invoked with null or the wrong number of parameters. Rather than failing with an ArrayIndexOutOfBoundsException or a NullPointerException throw an IllegalArgumentException with a useful error message. (markt)

Cluster

  • Fix: Avoid unnecessary call of DeltaRequest.addSessionListener() in non-primary nodes. (kfujino)
  • Add: Add a new attribute that sends all actions for a session across Tomcat cluster nodes. (kfujino)
  • Fix: Remove unused pathname attribute in mbean definition of BackupManager. (kfujino)

WebSocket

  • Fix: 57761: Ensure that the opening HTTP request is correctly formatted when the WebSocket client connects to a server root. (remm)
  • Fix: 57762: Ensure that the WebSocket client correctly detects when the connection to the server is dropped. (markt)
  • Fix: 57776: Revert the 8.0.21 fix for the permessage-deflate implementation and incorrect op-codes since the fix was unnecessary (the bug only affected trunk) and the fix broke rather than fixed permessage-deflate if an uncompressed message was converted into more than one compressed message. (markt)
  • Fix: Fix log name typo in WsRemoteEndpointImplServer class, caused by a copy-paste. (markt/kkolinko)
  • Fix: 57788: Avoid NPE when looking up a class hierarchy without finding anything. (remm)

Web applications

  • Add: 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt)
  • Fix: 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt)

Tribes

  • Fix: Fix a concurrency issue when a backup message that has all session data and a backup message that has diff data are processed at the same time. This fix ensures that MapOwner is set to ReplicatedMapEntry. (kfujino)

Other

  • Fix: Add missing pom for tomcat-storeconfig. (remm)
  • Update: Update optional Checkstyle library to 6.5. (kkolinko)
  • Fix: 57707: Improve error message when trying to run a release build on a non-Windows platform and Wine is not available. (markt)

2015-03-26 Tomcat 8.0.21 (markt)

Catalina

  • Add: 49785: Enable StartTLS connections for JNDIRealm. (fschumacher)
  • Fix: When docBase refers to an internal WAR and unpackWARs is set to false, avoid registration of the invalid redeploy resource that has had the ".war" extension added in duplicate. (kfujino)
  • Fix: If WAR exists, it is not necessary to trigger a reload when adding a Directory. (kfujino)
  • Fix: 55988: Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8 and is controlled by useServerCipherSuitesOrder attribute on an HTTP connector. Based upon a patch provided by Ognjen Blagojevic. (schultz)
  • Fix: 56608: When deploying an external WAR, add watched resources in the expanded directory based on whether the expanded directory is expected to exist rather than if it does exist. (markt)
  • Fix: When triggering a reload due to a modified watched resource, ensure that multiple changed watched resources only trigger one reload rather than a series of reloads. (markt)
  • Fix: 57601: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by the Default servlet. (jboynes/markt)
  • Fix: 57602: Ensure that HEAD requests return the correct content length (i.e. the same as for a GET) when the requested resource includes a resource served by a servlet that extends HttpServlet. (markt)
  • Fix: 57621: When an async request completes, ensure that any remaining request body data is swallowed. (markt)
  • Fix: 57637: Do not create unnecessary sessions when using PersistentValve. (jboynes/fschumacher)
  • Fix: 57645: Correct a regression in the fix for 57190 that incorrectly required the path passed to ServletContext.getContext(String) to be an exact match to a path to an existing context. (markt)
  • Fix: Make sure that unpackWAR attribute of Context is handled correctly in HostConfig. (kfujino)
  • Fix: When deploying a WAR file that contains a context.xml file and unpackWARs is false ignore any context.xml file that may exist in an expanded directory associated with the WAR. (markt)
  • Fix: 57675: Correctly quote strings when using the extended access log. (markt)
  • Add: Enable Tomcat to detect when a WAR file has been changed while Tomcat is not running. Tomcat does this by adding a META-INF/war-tracking file to the expanded directory and setting the last modified time of this file to the last modified time of the WAR. If Tomcat detects a modified WAR via this mechanism the web application will be redeployed (i.e. the expanded directory will be removed and the modified WAR expanded in its place). (markt)
  • Fix: 57704: Fix potential NPEs during web application start/stop when org.apache.tomcat.InstanceManager is not initialized. (violetagg)
  • Add: Use the simplified digest output for digest.bat|sh when generating digests with no salt and a single iteration to make it easier to use with DIGEST authentication. (markt)
  • Fix: Add support for LAST_ACCESS_AT_START system property to SingleSignOn. (kfujino)
  • Code: Refactor Authenticator implementations to reduce code duplication. (markt)
  • Fix: 57724: Handle the case in the CORS filter where a user agent includes an origin header for a non-CORS request. (markt)
  • Fix: When searching for SCIs o.a.catalina.Context.getParentClassLoader will be used instead of java.lang.ClassLoader.getParent. Thus one can provide the correct parent class loader when running embedded Tomcat in other environments such as OSGi. (violetagg)
  • Fix: 57743: Fix a locked file / resource leak issue when a JAR is accessed just before or during web application undeploy. Patch provided by Pavel Avgustinov. (markt)

Coyote

  • Add: 57540: Make TLS/SSL protocol available in a new request attribute (org.apache.tomcat.util.net.secure_protocol_version). (Note that AJP connectors will require mod_jk 1.2.41 or later, or an as-yet-unknown version of mod_proxy_ajp, or configure the proxy to send the AJP_SSL_PROTOCOL request attribute to Tomcat. Please see the bug comments for details.) Based upon a patch provided by Ralf Hauser. (schultz)
  • Fix: Fix a cipher ordering issue when using the OpenSSL syntax for JSSE cipher configuration to ensure that ephemeral ECDH with AES is preferred to ephemeral ECDH with anything else. (markt)
  • Fix: 57570: Make the processing of trailer headers with chunked input optional and disabled by default. (markt)
  • Fix: 57592: Correctly handle the case where an AsyncContext is used for non-blocking I/O and is completed during a write operation. (markt)
  • Fix: 57638: Avoid an IllegalArgumentException when an AJP request body chunk larger than the socket read buffer is being read. This typically requires a larger than default AJP packetSize. (markt)
  • Fix: 57674: Avoid a BufferOverflowException when an AJP response body chunk larger than the socket write buffer is being written. This typically requires a larger than default AJP packetSize. (markt)
  • Update: Align the OpenSSL syntax cipher configuration with the OpenSSL 1.0.2 branch. (markt)
  • Fix: Numerous fixes to the APR/native connector to improve robustness. (markt)
  • Fix: Stop caching and re-using SocketWrapper instances. With the introduction of upgrade and non-blocking I/O, I/O can occur on non-container threads. This makes it nearly impossible to track whether a SocketWrapper is still being referenced or not, making re-use a risky proposition. (markt)
  • Code: Refactor Connector authentication (only used by AJP) into a separate method. (markt)
  • Add: 57708: Implement a new feature for AJP connectors - Tomcat Authorization. If the new tomcatAuthorization attribute is set to true (it is disabled by default) Tomcat will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user. (markt)
  • Fix: Fix an issue that meant that any pipe-lined data read by Tomcat before an asynchronous request completed was lost during the completion of the asynchronous request. This meant that the pipe-lined request(s) would be lost and/or corrupted. (markt)
  • Update: Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33. (markt)

Jasper

  • Fix: 57135: Package imports via javax.el.ImportHandler should only import public, concrete classes. (markt)
  • Fix: 57583: Cache 'Not Found' results in javax.el.ImportHandler.resolveClass() to save repeated attempts to load classes that are known not to exist to improve performance. (markt)
  • Fix: 57626: Correct a regression introduced in the 8.0.16 fix for ensuring Jars were closed after use, that broke recompilation of modified JSPs that depended on a tag file packaged in a Jar. (markt)
  • Fix: 57627: Correctly determine last modified times for dependencies when a tag file packaged in a JAR depends on a tag file packaged in a second JAR. (markt)
  • Fix: 57647: Ensure INFO message is logged when scanning jars for TLDs if the scan does not find a TLD in any jar. Previously a message would only be logged if a TLD was not found in all scanned jars. (jboynes)
  • Update: 57662: Update all references to the ECJ compiler to version 4.4.2. (violetagg)

Cluster

  • Fix: Remove unnecessary method that always returns true. The domain filtering works on DomainFilterInterceptor. (kfujino)

WebSocket

  • Fix: Correct a bug in the permessage-deflate implementation that meant that the incorrect op-codes were used if an uncompressed message was converted into more than one compressed message. (markt)
  • Add: 57676: List conflicting WebSocket endpoint classes when there is a path conflict. Based upon a patch proposed by yangkun. (schultz)

Web applications

  • Fix: 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is entered in the access log when Tomcat is running behind a reverse proxy. (markt)
  • Fix: 57587: Update the JNDI Datasource HOWTO for DBCP2. Patch provided by Phil Steitz. (markt)
  • Fix: Remove incorrect note from context configuration page in the documentation web application that stated WAR files located outside the appBase were never unpacked. (markt)
  • Update: 57644: Update examples to use Apache Standard Taglib 1.2.5. (jboynes)
  • Fix: 57683: Ensure that if a client aborts their connection to the stock ticker example (the only way a client can disconnect), the example continues to work for existing and new clients. (markt)
  • Fix: Make it clear that when using digested passwords with DIGEST authentication that no salt and only a single iteration must be used when generating the digest. (markt)

Extras

  • Fix: 57377: Remove the restriction that prevented the use of SSL when specifying a bind address with the JMXRemoteLifecycleListener. Also enable SSL to be configured for the registry as well as the server. (markt)

Tribes

  • Fix: When a map member has been added to ReplicatedMap, make sure to add it to the backup nodes list of all other members. (kfujino)
  • Fix: Make sure that messages from a different domain are refused in DomainFilterInterceptor. (kfujino)

Other

  • Update: Update optional Checkstyle library to 6.4.1. (kkolinko)
  • Fix: 57703: Update the http-method definition for web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6. (markt)
  • Update: Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt)

2015-02-20 Tomcat 8.0.20 (markt)

Coyote

  • Fix: Fix a concurrency issue that meant that a change in socket timeout (e.g. when switching to asynchronous I/O) did not always take effect immediately. (markt)

not released Tomcat 8.0.19 (markt)

Catalina

  • Fix: Clarify threaded usage of variables by removing volatile marker in NonceInfo. Issue reported by Coverity Scan. (fschumacher)
  • Fix: 57180: Further fixes to support the use of arbitrary HTTP methods with the CORS filter. (markt)
  • Fix: 57472: Fix performance regression in resources implementation when signed JARs are used in a web application. (markt)
  • Add: Warn about problematic setting of appBase. (fschumacher)
  • Fix: Fix exception during authentication in JDBCRealm. (fschumacher)
  • Fix: 57534: CORS Filter should only look at media type component of Content-Type request header. (markt)
  • Fix: 57556: Align getRealPath() behaviour with that of earlier versions and include a trailing separator if the real path refers to a directory. (markt)
  • Fix: Ensure that Servlet 3.0 async requests where startAsync() is called in one container thread and dispatch() is called in a different container thread complete correctly. (markt)
  • Fix: Ensure that user name checking in the optional SecurityListener is case-insensitive (as documented) and that the case-insensitive comparison is performed using the system default Locale. (markt)
  • Add: 57021: Improve logging in AprLifecycleListener and jni.Library when Tomcat-Native DLL fails to load. Based on a patch by Pravallika Peddi. (markt/kkolinko)

Coyote

  • Fix: Fix several bugs that could cause multiple registrations for write events for a single socket when using Servlet 3.0 async. Typically, the side effects of these multiple registrations would be exceptions appearing in the logs. (markt)
  • Fix: 57432: Align SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 constant values with OpenSSL (they had been swapped). (markt)
  • Fix: 57509: Improve length check when writing HTTP/1.1 response headers: reserve space for 4 extra bytes. (kkolinko)
  • Fix: 57544: Fix potential infinite loop when preparing a kept alive HTTP connection for the next request. (markt)
  • Fix: 57546: Ensure that a dropped network connection does not leave references to the UpgradeProcessor associated with the connection in memory. (markt)
  • Fix: When applying the maxSwallowSize limit to a connection, read that many bytes first before closing the connection to give the client a chance to read the response. (markt)
  • Fix: Prevent an async timeout being processed multiple times for the same socket when running on slow and/or heavily loaded systems. (markt)
  • Fix: 57581: Change statistics byte counter in coyote Request object to be long to allow values above 2Gb. (kkolinko)
  • Update: Use the data that supports cipher definition using OpenSSL syntax to improve the quality of values provided for the javax.servlet.request.key_size request attribute. (markt)
  • Fix: Fix a concurrency issue in the APR Poller that meant it was possible under low load for a socket queued to be added to the Poller not to be added for 10 seconds. (markt)

Jasper

  • Update: 57123: Update all references to the ECJ compiler to version 4.4.1. With thanks to Ralph Schaer for uploading the 4.4.1 JAR to Maven Central. (markt)
  • Add: 57564: Make JspC amenable to subclassing. Patch provided by Jan Bartel. (markt)
  • Fix: Simplify code in ProtectedFunctionMapper class of Jasper runtime. (kkolinko)
  • Fix: 57574: Do not check existence of a Java package in javax.el.ImportHandler.importPackage(). (kkolinko)

WebSocket

  • Fix: 57490: Make it possible to use Tomcat's WebSocket client within a web application when running under a SecurityManager. Based on a patch by Mikael Sterner. (markt)
  • Add: Add some debug logging to the WebSocket session to track session creation and session closure. (markt)

Web applications

  • Update: Clarify documentation for useBodyEncodingForURI attribute of a connector. (kkolinko)
  • Fix: Fix possible resource leaks by closing streams properly. Issues reported by Coverity Scan. (fschumacher)
  • Fix: 57503: Make clear that the JULI integration for log4j only works with log4j 1.2.x. (markt)
  • Fix: 57496: Remove hard-coded URL in JSP SVG example. (markt)

Tribes

  • Fix: Fix a possible deadlock when receiver thread invokes mapMemberAdded() while ping thread invokes memberAlive(). (kfujino)

Other

  • Add: Enhance the bean factory used for JNDI resources. The new attribute forceString allows support for non-standard string argument property setters. (rjung)
  • Fix: Assign newly created stream to field instead of leaking it uselessly. Issue reported by Coverity Scan. (fschumacher)
  • Update: Update optional Checkstyle library to 6.3. (kkolinko)
  • Fix: Guard the digester from MbeansDescriptorsDigesterSource with its own lock object. (fschumacher)
  • Fix: Refactor the unit tests and add some new test properties to make it easier to exclude performance tests and relax timing tests. This is primarily for the ASF CI system where these tests frequently fail. (markt)
  • Fix: 57558: Add missing JAR in Ant task definition required by the validate task. (markt)
  • Add: List names of Testsuites that have failed or skipped tests when running the tests with Ant. (kkolinko)

2015-01-26 Tomcat 8.0.18 (markt)

Catalina

  • Fix: 57178: The CORS filter now treats null as a valid origin that matches *. Patch provided by Gregor Zurowski. (markt)
  • Fix: 57425: Don't add attributes with null value or name to the replicated context. (fschumacher)
  • Add: 57431: Enable usage of custom class for context creation when using embedded tomcat. (fschumacher)
  • Fix: 57446: Ensure that ServletContextListeners that have limited access to ServletContext methods are called with the same ServletContext instance for both contextInitialized() and contextDestroyed(). (markt)
  • Fix: 57455: Explicitly block the use of the double-quote character when configuring the common, server and shared class loaders since double-quote is used to quote values that contain commas. (markt)
  • Fix: 57461: When an instance of org.apache.catalina.startup.VersionLoggerListener logs the result of System.getProperty("java.home") don't report it in a manner that makes it look like the JAVA_HOME environment variable. (markt)
  • Fix: 57476: Ensure the responses written as part of a forward are fully written. This fixes a regression in 8.0.15 caused by the fix for 57252. (markt)
  • Fix: While closing streams for given resources ensure that if an exception happens it will be handled properly. Issue is reported by Coverity Scan. (violetagg)
  • Fix: 57481: Fix IllegalStateException at the end of the request when using non-blocking reads with the HTTP BIO connector. (markt)
  • Fix: Change Response to use UEncoder instances with shared safeChars. (fschumacher)
  • Fix: Ensure that when static resources are served from JARs, only static resources are served. (markt)
  • Add: Allow VersionLoggerListener to log all system properties. This feature is off by default. (kkolinko)

Jasper

  • Fix: Ensure that classes imported via the page directive are made available to the EL environment via the ImportHandler. Issue is reported by Coverity Scan. (violetagg)
  • Fix: 57441: Do not trigger an error when using functions defined by lambdas or imported via an ImportHandler in an EL expression in a JSP. (markt)

Cluster

  • Fix: Fix mbean descriptor of ClusterSingleSignOn. (kfujino)
  • Fix: 57473: Add sanity check to FarmWebDeployer's WarWatcher to detect suspected incorrect permissions on the watch directory. (schultz)

Tribes

  • Fix: Clarify the handling of Copy message and Copy nodes. (kfujino)
  • Fix: Copy node does not need to send the entry data. It is enough to send only the node information of the entry. (kfujino)
  • Fix: ReplicatedMap should send the Copy message when replicating. (kfujino)
  • Fix: Fix behavior of ReplicatedMap when member has disappeared. If map entry is primary, rebuild the backup members. If primary node of map entry has disappeared, backup node is promoted to primary. (kfujino)

2015-01-16 Tomcat 8.0.17 (markt)

Catalina

  • Fix: Correct a regression in the previous fix for 57252 that broke request listeners for non-async requests that triggered an error that was handled by the ErrorReportingValve. (markt/violetagg)

Coyote

  • Fix: Add flushing to send ack in the NIO2 connector. (remm)

not released Tomcat 8.0.16 (markt)

Catalina

  • Fix: 57172: Provide a better error message if something attempts to access a resource through a web application class loader that has been stopped. (markt/kkolinko)
  • Fix: 57173: Revert the fix for 56953 that broke annotation scanning in some cases. (markt)
  • Fix: 57180: Do not limit the CORS filter to only accepting requests that use an HTTP method defined in RFC 7231. (markt)
  • Fix: 57190: Fix ServletContext.getContext(String) when parallel deployment is used so that the correct ServletContext is returned. (markt)
  • Fix: 57208: Prevent NPE in JNDI Realm when no results are found in a directory context for a user with specified user name. Based on a patch provided by Jason McIntosh. (violetagg)
  • Add: 57209: Add a new attribute, userSearchAsUser to the JNDI Realm. (markt)
  • Fix: 57215: Ensure that t