Changelog

Tomcat 8.5.50 (markt)

Catalina

  • Add: Improvements to CsrfPreventionFilter: additional logging, allow the CSRF nonce request parameter name to be customized. (schultz)
  • Add: 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
  • Fix: 63964: Correct a regression in the static resource caching changes introduced in 9.0.28. URLs constructed from URLs obtained from the cache could not be used to access resources. (markt)
  • Fix: 63968: Fix ClassCastException in the Expires filter which was a regression in the fix for 63909. (markt)
  • Fix: 63970: Correct a regression in the static resource caching changes introduced in 9.0.28. Connections to URLs obtained for JAR resources could not be cast to JarURLConnection. (markt)
  • Add: 63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
  • Fix: 63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
  • Fix: 63982: Correct CombinedRealm making assumptions about the principal implementation. (michaelo)
  • Fix: 63983: Correct a regression in the static resource caching changes introduced in 9.0.28. A large number of file descriptors were opened that could reach the OS limit before being released by GC. (markt)
  • Update: 63987: Deprecate Realm.getRoles(Principal). (michaelo)
  • Code: Add a unit test for the session FileStore implementation and refactor loops in FileStore to use the ForEach style. Pull request provided by Govinda Sakhare. (markt)
  • Fix: Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)
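The corrected same-origin comparison from 63939 above, as an added example that is not Tomcat's CORS filter code: the class name OriginCompare and its helpers are hypothetical, and the sample origins are constructed. It makes an implicit default port explicit before comparing, then compares the normalized scheme, host and port exactly (case-sensitively), so "http://example.com" and "http://example.com:80" match while "http://example.com" and "http://Example.com" do not.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper illustrating default-port normalization plus case-sensitive origin comparison. */
public final class OriginCompare {
    private OriginCompare() {}

    /** Default port for the schemes a browser sends in an Origin header; -1 when unknown. */
    static int defaultPort(String scheme) {
        switch (scheme) {
            case "http":  case "ws":  return 80;
            case "https": case "wss": return 443;
            default: return -1;
        }
    }

    /**
     * Normalizes an origin to "scheme://host:port" with the port always explicit.
     * Returns null when the value is not a usable origin (unparseable, no host,
     * or an unknown scheme with no explicit port), so the caller never treats
     * garbage as matching anything.
     */
    static String normalize(String origin) {
        URI uri;
        try {
            uri = new URI(origin);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null;
        }
        int port = uri.getPort();          // -1 when the origin carries no port
        if (port == -1) {
            port = defaultPort(scheme);    // make the implicit default port explicit
        }
        if (port == -1) {
            return null;
        }
        return scheme + "://" + host + ":" + port;
    }

    /** Exact (case-sensitive) comparison of the normalized forms, as the CORS spec requires. */
    static boolean sameOrigin(String a, String b) {
        String na = normalize(a);
        String nb = normalize(b);
        return na != null && nb != null && na.equals(nb);
    }

    public static void main(String[] args) {
        // Constructed sample origins (not taken from the page).
        String[][] pairs = {
            {"http://example.com",  "http://example.com:80"},    // implicit vs explicit default port
            {"https://example.com", "https://example.com:443"},  // implicit vs explicit default port
            {"https://example.com", "https://example.com:8443"}, // different port
            {"http://example.com",  "https://example.com"},      // different scheme
            {"http://example.com",  "http://Example.com"},       // case differs: not the same origin
            {"http://example.com",  "not an origin"},            // unparseable: never matches
        };
        for (String[] p : pairs) {
            System.out.printf("%-22s vs %-28s -> %s%n", p[0], p[1], sameOrigin(p[0], p[1]));
        }
    }
}
```

Browsers serialize the Origin header with a lowercase host and omit the default port, so normalizing the port and then comparing exactly is both spec-conformant and strict: an allowed-origin list entry that differs only in case is not silently accepted.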

Coyote

  • Code: Refactor the APR poller to always use a single pollset now that the Windows operating systems that required multiple smaller pollsets to be used are no longer supported. (markt)
  • Update: Add vectoring for NIO in the base and SSL channels. (remm)
  • Add: Add async API to the NIO and APR connector. (remm)
  • Fix: 63931: Improve timeout handling for asyncIO to ensure that blocking operations see a SocketTimeoutException if one occurs. (remm/markt)
  • Fix: 63932: By default, do not compress content that has a strong ETag. This behaviour is configurable for the HTTP/1.1 and HTTP/2 connectors via the new Connector attribute noCompressionStrongETag. (markt)
  • Fix: Simplify regular endpoint writes by removing write(Non)BlockingDirect. All regular writes will now be buffered for a more predictable behavior. (remm)
  • Fix: Send an exception directly to the completion handler when a timeout exception occurs for the operation, and add a boolean to make sure the completion handler is called only once. (remm/markt)

WebSocket

  • Fix: Ensure a couple of very unlikely concurrency issues are avoided when writing WebSocket messages. (markt)

Web applications

  • Fix: Fix the broken re-try link on the error page for the FORM authentication example in the JSP section of the examples web application. (markt)
  • Fix: Correct the documentation for the maxConnections attribute of the Connector in the documentation web application. (markt)
  • Add: Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions. (markt)

Other

  • Fix: Correct the fix for 63815 (quoting the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused various regressions, particularly with daemon.sh. (markt)
  • Add: Expand the search made by the Windows installer for a suitable Java installation to include the 64-bit JDK registry entries and the JAVA_HOME environment variable. Pull request provided by Alexander Norz. (markt)
  • Add: Expand the coverage of the German translations provided with Apache Tomcat. Contribution provided by Jens. (markt)
  • Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
  • Add: Expand the coverage of the Japanese translations provided with Apache Tomcat. (markt)
  • Add: Expand the coverage of the Korean translations provided with Apache Tomcat. (woonsan)
  • Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by lins and 磊. (markt)
  • Add: Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, 6.4.2-dev). Code clean-up only. (markt)
  • Add: Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
  • Add: Update the internal fork of Apache Commons FileUpload to 2317552 (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
  • Add: Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06, 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt)
  • Add: Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06, 2.7.1-SNAPSHOT). Minor refactoring. (markt)

2019-11-21 Tomcat 8.5.49 (markt)

Catalina

  • Fix: Correct a regression introduced in 8.5.48 that could trigger a NullPointerException when using a RequestDispatcher. (markt)
  • Add: Improvement to CsrfPreventionFilter: expose the latest available nonce as a request attribute; expose the expected nonce request parameter name as a context attribute. (schultz)

not released Tomcat 8.5.48 (markt)

Catalina

  • Fix: 63832: Properly mark container as FAILED when a JVM error occurs on stop. (remm)
  • Fix: 63836: Ensure that references to the Host object are cleared once the Host instance is destroyed. (markt)
  • Fix: 63872: Fix some edge cases where the docBase was not being set using a canonical path which in turn meant resource URLs were not being constructed as expected. (markt)
  • Fix: Make a best effort attempt to clean-up if a request fails during processing due to an OutOfMemoryException. (markt)
  • Fix: Ensure that, when static resource caching is enabled for a web application, all access to static files (including JSP files) goes via the cache so that a consistent view of the static files is seen. Prior to this change it was possible to see an updated last modified time but the content would be that prior to the modification. (markt)
  • Update: 63905: Clean up Tomcat CSS. (michaelo)
  • Fix: 63909: When the ExpiresFilter is used without a default and the response is served by the Default Servlet, ensure that the filter processes the response if the Default Servlet sets a 304 (Not Modified) status code. (markt)
  • Fix: Update the Servlet 4 preview API to reflect changes made to the API in the final release. Note that this preview API has been deprecated for over a year and may be removed as soon as the next 8.5.x release. (markt)
  • Fix: Refactor JMX remote RMI registry creation. (remm)

Coyote

  • Fix: Ensure that ServletRequest.isAsyncStarted() returns false once AsyncContext.complete() or AsyncContext.dispatch() has been called during AsyncListener.onTimeout() or AsyncListener.onError(). (markt)
  • Fix: 63816 and 63817: Correctly handle I/O errors after asynchronous processing has been started but before the container thread that started asynchronous processing has completed processing the current request/response. (markt)
  • Fix: 63825: When processing the Expect and Connection HTTP headers looking for a specific token, be stricter in ensuring that the exact token is present. (markt)
  • Fix: 63829: Improve the check of the Content-Encoding header when looking to see if Tomcat is serving pre-compressed content. Ensure that only a full token is matched and that the match is case insensitive. (markt)
  • Add: 63835: Add support for Keep-Alive response header. (michaelo)
  • Fix: 63864: Refactor parsing of the transfer-encoding request header to use the shared parsing code and reduce duplication. (markt)
  • Fix: 63865: Add Unset option to same-site cookies and pass through None value if set by user. Patch provided by John Kelly. (markt)
  • Fix: 63894: Ensure that the configured values for certificateVerification and certificateVerificationDepth are correctly passed to the OpenSSL based SSLEngine implementation. (remm/markt)
  • Fix: Do not perform a blocking read after a CPING message is received by the AJP connector because, if the JK Connector is configured with ping_mode="I", the CPING message will not always be followed by the start of a request. (markt)
  • Fix: Properly calculate all dynamic parts of the ErrorReportValve response on the fly in org.apache.coyote.http2.TestHttp2InitialConnection. (michaelo)
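The strict, full-token header matching that 63825 and 63829 above describe for the Expect, Connection and Content-Encoding headers, as an added example that is not Tomcat's parser: the class HeaderTokens is hypothetical and the header values are constructed. It splits an HTTP list header on commas, discards any ";parameters", and accepts a match only when a whole element equals the wanted token case-insensitively; a loose substring check is included purely for contrast, not as a description of earlier Tomcat code.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Hypothetical helper showing full-token, case-insensitive matching of HTTP list headers. */
public final class HeaderTokens {
    private HeaderTokens() {}

    /**
     * Splits a comma-separated list header into its individual tokens, dropping
     * surrounding whitespace and any ";parameters". Quoted-string elements are
     * not handled here (assumption: the headers in question carry plain tokens).
     */
    static List<String> tokens(String headerValue) {
        List<String> out = new ArrayList<>();
        if (headerValue == null) {
            return out;
        }
        for (String element : headerValue.split(",")) {
            String token = element;
            int semi = token.indexOf(';');
            if (semi >= 0) {
                token = token.substring(0, semi);   // strip parameters such as ";q=0.5"
            }
            token = token.trim();
            if (!token.isEmpty()) {
                out.add(token);
            }
        }
        return out;
    }

    /** Strict check: true only when one complete list element equals the wanted token (case-insensitive). */
    static boolean containsToken(String headerValue, String wanted) {
        for (String token : tokens(headerValue)) {
            if (token.equalsIgnoreCase(wanted)) {
                return true;
            }
        }
        return false;
    }

    /** Loose check shown for contrast: a substring search matches "x-gzip" for "gzip" and "upgraded" for "upgrade". */
    static boolean containsSubstring(String headerValue, String wanted) {
        return headerValue != null
                && headerValue.toLowerCase(Locale.ROOT).contains(wanted.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed header values (not taken from the page): {header, value, token to look for}.
        String[][] cases = {
            {"Content-Encoding", "gzip",               "gzip"},
            {"Content-Encoding", "GZIP",               "gzip"},          // case-insensitive match
            {"Content-Encoding", "x-gzip",             "gzip"},          // different token, must not match
            {"Content-Encoding", "br, gzip",           "gzip"},          // second element matches
            {"Expect",           "100-continue",       "100-continue"},
            {"Expect",           "100-continues",      "100-continue"},  // not the exact token
            {"Connection",       "keep-alive, Upgrade", "upgrade"},
            {"Connection",       "upgraded",           "upgrade"},       // not the exact token
        };
        for (String[] c : cases) {
            System.out.printf("%-17s %-20s token=%-13s strict=%-5s substring=%s%n",
                    c[0] + ":", c[1], c[2], containsToken(c[1], c[2]), containsSubstring(c[1], c[2]));
        }
    }
}
```

The practical difference is that only the strict check decides "Tomcat is serving pre-compressed gzip content" or "the client sent Expect: 100-continue" on the actual token, so a neighbouring value such as x-gzip or 100-continues cannot trigger the special-case handling.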

Jasper

  • Fix: 63897: Capture the timestamp of a JSP for the purposes of modification tracking before the JSP is compiled to prevent a race condition if the JSP is modified during compilation. Patch provided by Karl von Randow. (markt)
  • Fix: Fix a race condition that could mean changes to a modified JSP were not visible to end users. (markt)

WebSocket

  • Fix: 63913: Wrap any NullPointerExceptions thrown by the Inflater or Deflater used by the PerMessageDeflate extension in an IOException so that the error can be caught and handled by the WebSocket error handling mechanism. (markt)

Web applications

  • Fix: Correct the description of the default value for the server attribute in the security How-To. (markt)

Other

  • Fix: 63815: Quote the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *. Note that any newlines present in CATALINA_OPTS and/or JAVA_OPTS will no longer be removed. (markt)
  • Fix: 63826