Apache Tomcat 10 (10.1.48)

Catalina

Log warnings when the SSO configuration does not comply with the documentation. (remm)
Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the RemoteCIDRFilter and RemoteCIDRValve. (markt)
69837: Fix corruption of the class path generated by the Loader when running on Windows. (markt)
Reject requests that map to invalid Windows file names earlier. (markt)
69839: Ensure that changes to session IDs (typically after authentication) are promulgated to the SSO Valve to ensure that SSO entries are fully clean-up on session expiration. Patch provided by Kim Johan Andersson. (markt)
Fix a race condition in the creation of the storage location for the FileStore. (markt)

Coyote

69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests received via the AJP connector were processed as OPTIONS requests and PROPFIND requests were processed as TRACE. (markt)

WebSocket

69845: When using permessage-deflate with Java 25 onwards, handle the underlying Inflater and/or Deflater throwing IllegalStateException when closed rather than NullPointerException as they do in Java 24 and earlier. (markt)

Catalina

HTTP methods are case-sensitive so always use case sensitive comparisons when comparing HTTP methods. (markt)
69814: Ensure that HttpSession.isNew() returns false once the client has joined the session. (markt)
Further performance improvements for ParameterMap. (jengebr/markt)
Refactor access log time stamps to be based on the Instant request processing starts. (markt)
Fix a case-sensitivity issue in the trailer header allow list. (markt)
Be proactive in cleaning up temporary files after a failed multi-part upload rather than waiting for GC to do it. (markt)

Coyote

Add specific certificate selection code for TLS 1.3 supporting post quantum cryptography. Certificates defined with type MLDSA will be selected depending on the TLS client hello. (remm)
Add groups attribute on SSLHostConfig allowing to restrict which groups can be enabled on the SSL engine. (remm)
Optimize the conversion of HTTP method from byte form to String form. (markt)
Store HTTP request headers using the original case for the header name rather than forcing it to lower case. (markt)

Cluster

Prevent the channel configuration (sender, receiver, membership service) from being changed unless the channel is fully stopped. (markt)

Web applications

Documentation. Clarify the purpose of the maxPostSize attribute of the Connector element. (markt)
Avoid NPE in manager webapp displaying certificate information. (remm)

Other

Update Byte Buddy to 1.17.7. (markt)
Update Checkstyle to 11.1.0. (markt)
Update SpotBugs to 4.9.6. (markt)
Update Jsign to 7.2. (markt)
Improvements to Russian translations provided by usmazat. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations provided by tak7iji. (markt)
Minor refactoring in JULI loggers. Patch provided by minjund. (schultz)

Catalina

Change the digest used to calculate strong ETags (if enabled) for the default Servlet from SHA-1 to SHA-256 to align with the recommendation in RFC 9110 that hash functions used to generate strong ETags should be collision resistant. (markt)
Correct a regression in the fix for 69781 that broke FileStore. (markt)

Coyote

Add hybrid PQC support to OpenSSL, based on code from mod_ssl. Using this OpenSSL specific code path, additional PQC certificates defined with type MLDSA are added to contexts which use classic certificates. (jfclere/remm)

Catalina

Remove a number of unnecessary packages from the catalina-deployer.jar. (markt)
69781: Fix concurrent access issues in the session FileStore implementation that were causing lost sessions when the store was used with the PersistentValve. Based on pull request #882 by Aaron Ogburn. (markt)
Fix handling of QSA and QSD flags in RewriteValve. (markt)

Coyote

Ensure keys are handed out to OpenSSL even if PEMFile fails to process it, with appropriate logging. (remm)
Add new ML-DSA key algorithm to PEMFile and improve reporting when reading a key fails. (remm)
Fix possible early timeouts for network operations caused by a spurious wake-up of a waiting thread. Found by Coverity Scan. (markt)

Cluster

Handle spurious wake-ups during leader election for NonBlockingCoordinator. (markt)
Handle spurious wake-ups during sending of messages by RpcChannel. (markt)

Other

Review logging and include the full stack trace and exception message by default rather then just the exception message when logging an error or warning in response to an exception. (markt)
Add escaping to log formatters to align with JSON formatter. (markt)
Update Checkstyle to 11.0.0. (markt)

Catalina

Fix bloom filter population for archive indexing when using a packed WAR containing one or more JAR files. (markt)

Coyote

69748: Add missing call to set keep-alive timeout when using HTTP/1.1 following an async request, which was present for AJP. (remm/markt)
69762: Fix possible overflow during HPACK decoding of integers. Note that the maximum permitted value of an HPACK decoded integer is Integer.MAX_VALUE. (markt)
Update the HTTP/2 overhead documentation - particularly the code comments - to reflect the deprecation of the PRIORITY frame and clarify that a stream reset always triggers an overhead increase. (markt)
69762: Additional overflow fix for HPACK decoding of integers. Pull request #880 by Chenjp. (markt)

Cluster

Add enableStatistics configuration attribute for the DeltaManager, defaulting to true. (remm)

WebSocket

Align the WebSocket extension handling for WebSocket client connections with WebSocket server connections. The WebSocket client now only includes an extension requested by an endpoint in the opening handshake if the WebSocket client supports that extension. (markt)

Web applications

Manager and Host Manager. Provide the Manager and Host Manager web applications with a dedicated favicon file rather than using the one from the ROOT web application which might not be present or may represent something entirely different. Pull requests #876 and #878 by Simon Arame.

Other

Update Checkstyle to 10.26.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt)
Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt)
69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt)
69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt)
Align size tracking for multipart requests with FileUpload's use of long. (schultz)

Coyote

69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt)
69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt)
Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt)
Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm)
69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt)
When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt)

Jasper

Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt)

Web applications

Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt)
Documentation. Add a section on reverse proxies to the security considerations page. (markt)

Other

Update UnboundID to 7.0.3. (markt)
Update Checkstyle to 10.25.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations provided by tak7iji. (markt)

Catalina

Add support for the java:module namespace which mirrors the java:comp namespace. (markt)
Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. (markt)
Added support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis)
69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. (remm)
#863: Add support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. (markt)
69706: Fix saved request serialization issue in FORM introduced when allowing infinite session timeouts. (remm)
Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. (markt)

Coyote

#861: Refactor TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. (markt)
Provide finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. (markt)

Jasper

69696: Mark the JSP wrapper for reload after a failed compilation. (remm)

Web applications

69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. (remm)

Other

Add thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. (schultz)
Update Tomcat Native to 2.0.9. (markt)
Update the internal fork of Apache Commons FileUpload to 1.6.0 (2025-06-05). (markt)
Update EasyMock to 5.6.0. (markt)
Update Checkstyle to 10.25.0. (markt)
Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. (markt)
Improvements to Japanese translations provided by tak7iji. (markt)

Catalina

Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. (rjung)
Process possible path parameters rewrite production in the rewrite valve. (remm)
69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. (markt)
69633: Add support for Filters using context root mappings. (markt)
69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. (remm)
#843: Fix off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. (remm)
Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. (markt)
Refactor GCI servlet to access resources via the WebResource API. (markt)
69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. (remm)
Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. (markt)
Provide a content type based on file extension when web application resources are accessed via a URL. (markt)

Coyote

Refactor the SavedRequestInputFilter so the buffered data is used directly rather than copied. (markt)

Jasper

69635: Add support to jakarta.el.ImportHandler for resolving inner classes. (markt)
#842Add support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. (jengebr)
Fix an edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. (markt)

Web applications

68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. (markt)

Other

Set sun.io.useCanonCaches in service.bat Based on pull request #841 by Paul Lodge. (remm)
Update Jacoco to 0.8.13. (remm)
Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. (schultz)
Update Byte Buddy to 1.17.5. (markt)
Update Checkstyle to 10.23.1. (markt)
Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations provided by tak7iji. (markt)

Catalina

Return 400 if the amount of content sent for a partial PUT is inconsistent with the range that was specified. (remm)
Add a new RateLimiter implementation, org.apache.catalina.util.ExactRateLimiter, that can be used with org.apache.catalina.filters.RateLimitFilter to provide rate limit based on the exact values configured. Based on pull request #794 by Chenjp. (markt)
Fix parsing of the time-taken token in the ExtendedAccessLogValve. (remm)
Fix invocation of the FFM OpenSSL code for setting a SSL engine and FIPS mode. (remm)
69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the default internal proxies for the RemoteIpFilter and RemoteIpValve. (markt)
69615: Improve integration with the not found class resources cache for users who are using a custom web application class loader and/or using reflection to dynamically add external repositories to the web application class loader. (markt)
Add a new initialisation parameter to the Default servlet - allowPostAsGet - which controls whether a direct request (i.e. not a forward or an include) for a static resource using the POST method will be processed as if the GET method had been used. If not allowed, the request will be rejected. The default behaviour of processing the request as if the GET method had been used is unchanged. (markt)
69623: Correct a long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled. (markt)
69634: Avoid NPE on JsonErrorReportValve. (remm)
Add missing throwable stack trace to JsonErrorReportValve equivalent to the one from ErrorReportValve. (remm)
Improve the handling of %nn URL encoding in the RewriteValve and document how %nn URL encoding may be used with rewrite rules. (markt)
Fix a potential exception when calling WebappClassLoaderBase.getResource(""). (markt)

Coyote

69607: Allow failed initialization of MD5. Based on code submitted by Shivam Verma. (remm)
69614: HTTP/2 priority frames with an invalid priority field value should be ignored. (markt)
Improve handling of unexpected errors during HTTP/2 processing. (markt)
Add missing code to process an OpenSSL profile, such as PROFILE=SYSTEM, using FFM. (remm)
Simplify the process of using a custom SSLContext for an HTTPS enabled connector. Based on pull request #805 by Hakky54. (markt)

Jasper

Replace custom URL encoding provided by the JSP runtime library with calls to java.net.URLEncoder.encode(). (markt)
Add compiler using the Java Compiler API, supporting exploded web applications. The compilerClassName to use is org.apache.jasper.compiler.JavaCompiler. (remm)
Add support for specifying Java 25 (with the value 25) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)

Cluster

Fix resetting cross context sessions in the ReplicationValve. (remm)

Web applications

Documentation. Add a link to the Log4j documentation that describes how to use Log4j rather than JULI for Tomcat's internal logging. (markt)
Documentation. Document the runtime attributes available to web applications via the Request or the ServletContext. Based on pull request #832 by usmazat. (markt)

Other

Revert JSign to 6.0 to avoid a file locking issue. (markt)
Update to NSIS 3.11. (markt)
Update to ByteBuddy 1.17.4. (markt)
Update to Checkstyle 10.21.4. (markt)
Update to SpotBugs to 4.9.3. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations provided by tak7iji. (markt)

Catalina

69602: Fix regression in releases from 12-2024 that were too strict and rejected weak etags in the If-Range header with a 400 response. Instead will consider it as a failed match since strong etags are required for If-Range. (remm)

Catalina

When looking up class loader resources by resource name, the resource name should not start with '/'. If the resource name does start with '/', Tomcat is lenient and looks it up as if the '/' was not present. When the web application class loader was configured with external repositories and names starting with '/' were used for lookups, it was possible that cached 'not found' results could effectively hide lookup results using the correct resource name. (markt)
Enable the JNDIRealm to validate credentials provided to HttpServletRequest.login(String username, String password) when the realm is configured to use GSSAPI authentication. (markt)
Fix a bug in the JRE compatibility detection that incorrectly identified Java 19 and Java 20 as supporting Java 21 features. (markt)
Improve the checks for exposure to and protection against CVE-2024-56337 so that reflection is not used unless required. The checks for whether the file system is case sensitive or not have been removed. (markt)
Add support for logging the connection ID (as returned by ServletRequest.getServletConnection().getConnectionId()) with the AccessLogValve and ExtendedAccessLogValve. Based on pull request #814 by Dmole. (markt)
Avoid scenarios where temporary files used for partial PUT would not be deleted. (remm)

Coyote

69575: Avoid using compression if a response is already compressed using compress, deflate or zstd. (remm)
Use Transfer-Encoding for compression rather than Content-Encoding if the client submits a TE header containing gzip. (remm)
Fix a race condition in the handling of HTTP/2 stream reset that could cause unexpected 500 responses. (markt)

Cluster

69598: Add detection of service account token changes to the KubernetesMembershipProvider implementation and reload the token if it changes. Based on a patch by Miroslav Jezbera. (markt)

Other

Add makensis as an option for building the Installer for Windows on non-Windows platforms. (rjung/markt)
Update Byte Buddy to 1.17.1. (markt)
Update Checkstyle to 10.21.3. (markt)
Update SpotBugs to 4.9.1. (markt)
Update JSign to 7.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)

Other

Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)

Catalina

Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm)
Improve HTTP If headers processing according to RFC 9110. Based on pull request #796 by Chenjp. (remm/markt)
Allow readOnly attribute configuration on the Resources element and allow configure the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm)
69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt)
69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm)
Fix possible edge cases (such as HTTP/1.0) with trying to detect requests without body for WebDAV LOCK and PROPFIND. (remm)
69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm)
Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm)
Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt)
When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt)
Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response in response to a DELETE request because the target resource cannot be deleted. Pull request #802 provided by Chenjp. (markt)
Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt)
Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to created a RequestDispatcher. (markt)
Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt)
Enhance lifecycle of temporary files used by partial PUT. (remm)

Coyote

Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt)
Avoid a rare NullPointerException when recycling the Http11InputBuffer. (markt)
Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector as this may occur in normal usage. (markt)
Clean-up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt)
Add a new Connector configuration attribute, encodedReverseSolidusHandling, to control how %5c sequences in URLs are handled. The default behaviour is unchanged (decode) keeping in mind that the allowBackslash attribute determines how the decoded URI is processed. (markt)
69545: Improve CRLF skipping for the available method of the ChunkedInputFilter. (remm)
Improve the performance of repeated calls to getHeader(). Pull request #813 provided by Adwait Kumar Singh. (markt)
69559: Ensure that the Java 24 warning regarding the use of sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code will be used. (markt)

Jasper

69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request #803 provided by Chenjp. (markt)
Update the identifier validation in the Expression Language parser to reflect that, as of Java 9, _ is also a Java keyword and may not be used as an identifier. (markt)
69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt)
69532: Optimise the creation of ExpressionFactory instances. Patch provided by John Engebretson. (markt)

Web applications

Documentation. Expand the description of the security implications of setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true. (markt)
Documentation. Better document the default for the truststoreProvider attribute of a SSLHostConfig element. (markt)

Other

Update to Commons Daemon 1.4.1. (markt)
Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.9. (markt)
Update the internal fork of Commons Pool to 2.12.1. (markt)
Update Byte Buddy to 1.16.1. (markt)
Update UnboundID to 7.0.2. (markt)
Update Checkstyle to 10.21.2. (markt)
Update SpotBugs to 4.9.0. (markt)
Improvements to French translations. (remm)
Improvements to Chinese translations by leeyazhou. (markt)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
Add special handling for the protocols attribute of SSLHostConfig in storeconfig. (remm)
69442: Fix case sensitive check on content-type when parsing request parameters. (remm)
Refactor duplicate code for extracting media type and subtype from content-type into a single method. (markt)
Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
#780: Fix content-range header length. Submitted by Chenjp. (remm)
69444: Ensure that the jakarta.servlet.error.message request attribute is set when an application defined error page is called. (markt)
Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
Use client locale for directory listings. (remm)
69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
69471: Log instances of CloseNowException caught by ApplicationDispatcher.invoke() at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request #779 by Chenjp. (markt)
69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
#787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request #782 provided by Chenjp. (markt)
Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request #778. (markt)
Harmonize DataSourceStore lookup in the global resources to optionally avoid the comp/env prefix which is usually not used there. (remm)
As required by RFC 9110, the HTTP Range header will now only be processed for GET requests. Based on pull request #790 provided by Chenjp. (markt)
Deprecate the useAcceptRanges initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
Add DataSource based property storage for the WebdavServlet. (remm)

Coyote

Align encodedSolidusHandling with the Servlet specification. If the pass-through mode is used, any %25 sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)

Jasper

Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)

Web applications

Documentation. Remove references to the ResourceParams element. Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
Documentation. 69477: Correct name of attribute for RemoteIPFilter. The attribute is internalProxies rather than allowedInternalProxies. Pull request #786 provided by Jorge Díaz. (markt)
Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
Examples. Add the ability to delete session attributes in the servlet session example. (markt)
Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
Examples. Remove JSP calendar example. (markt)

Other

69465: Fix warnings during native image compilation using the Tomcat embedded JARs. (markt)
Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
Update EasyMock to 5.5.0. (markt)
Update Checkstyle to 10.20.2. (markt)
Update BND to 7.1.0. (markt)
Improvements to French translations. (remm)
Improvements to Korean translations. (markt)
Improvements to Chinese translations. (markt)
Improvements to Japanese translations by tak7iji. (markt)

Other

Fix release build issue.

Catalina

Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt)
69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo)
69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo)
Improve HTML output of DefaultServlet. (michaelo)
Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt)
69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo)
Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
Add missing WebDAV Lock-Token header in the response when locking a folder. (remm)
Invalid WebDAV lock requests should be rejected with 400. (remm)
Fix regression in WebDAV when attempting to unlock a collection. (remm)
Verify that destination is not locked for a WebDAV copy operation. (remm)
Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm)
Enforce DAV: namespace on WebDAV XML elements. (remm)
Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm)
WebDAV DELETE should remove any existing lock on successfully deleted resources. (remm)
Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead a lock on a non existing resource will create an empty file locked with a regular lock. (remm)
Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm)
Implement WebDAV If header using code from the Apache Jackrabbit project. (remm)
Add PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the propertyStore init parameter of the WebDAV servlet by specifying the class name of the store. A simple non persistent implementation is used if no custom store is configured. (remm)
Implement WebDAV PROPPATCH method using the newly added PropertyStore, and update PROPFIND to support it. (remm)
Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly. In a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm)
Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt)
Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt)
Replace legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove secret init parameter. (remm)
Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some were set as if it does not. This resulted in inconsistent metadata. (markt)
69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt)
69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt)
All applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz)

Coyote

Return null SSL session id on zero length byte array returned from the SSL implementation. (remm)
Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced on a previous refactoring to improve HTTP/2 performance. (remm)
OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm)
69379: The default HEAD response no longer includes the payload HTTP header fields as per section 9.3.2 of RFC 9110. (markt)

Jasper

Add back tag release method as deprecated in the runtime for compat with old generated code. (remm)
69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm)
69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request #770 by John Engebretson. (markt)
69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt)
69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt)
69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt)
69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt)
Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)

Other

Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
Update Byte Buddy to 1.15.10. (markt)
Update CheckStyle to 10.20.0. (markt)
Improvements to German translations. (remm)

Catalina

Ensure that ServerAuthModule.initialize() is called when a Jakarta Authentication module is configured via registerServerAuthModule(). (markt)
Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt)
If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt)
When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt)
Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt)
When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt)
Avoid store config backup loss when storing one configuration more than once per second. (remm)
69359: WebdavServlet duplicates getRelativePath() method from super class with incorrect Javadoc. (michaelo)
69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo)
Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo)
Add log warning if non wildcard mappings are used with the WebdavServlet. (remm)
69361: Ensure that the order of entires in a multi-status response to a WebDAV is consistent with the order in which resources were processed. (markt)
69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt)
69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt)

Coyote

69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have wrong by one second in some cases. Pull request #751 provided by Chenjp. (markt)
Request start time may not have been accurately recorded for HTTP/1.1 requests preceded by a large number of blank lines. (markt)
Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt)
Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm)
Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be recieved before the headers of the subsequent stream nor are trailer fields for an in progress stream swallowed if the Connector is paused before the trailer fields are received. (markt)
Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt)

Jasper

69333: Remove unnecessary code from generated JSPs. (markt)
69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt)
69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt)

Web applications

The manager webapp will now be able to access certificates again when OpenSSL is used. (remm)

Other

Update Byte Buddy to 1.15.3. (markt)
Update CheckStyle to 10.18.2. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Chinese translations by Ch_jp. (markt)

Coyote

Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing was likely to be broken for all clients once any client sent an HTTP/2 reset frame. (markt)

Catalina

Improve performance of ApplicationHttpRequest.parseParameters(). Based on sample code and test cases provided by John Engebretson. (markt)

Coyote

Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received. (markt)
Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. The default behaviour is unchanged. (markt)
Ensure that Tomcat sends a TLS close_notify message after receiving one from the client when using the OpenSSLImplementation. (markt)
69301: Fix trailer headers replacing non-trailer headers when writing response headers to the access log. Based on a patch and test case provided by hypnoce. (markt)
69302: If an HTTP/2 client resets a stream before the request body is fully written, ensure that any ReadListener is notified via a call to ReadListener.onErrror(). (markt)

Jasper

Switch the TldScanner back to logging detailed scan results at debug level rather than trace level. (markt)

WebSocket

If a blocking message write exceeds the timeout, don't attempt the write again before throwing the exception. (markt)
An EncodeException being thrown during a message write should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection. (markt)

Web applications

Documentation. Align the logging configuration documentation with the current defaults. (markt)

jdbc-pool

69255: Correct a regression in the fix for 69206 that meant exceptions executing statements were wrapped in an java.lang.reflect.UndeclaredThrowableException rather than the application seeing the original SQLException. Fixed by pull request #744 provided by Michael Clarke. (markt)
69279: Correct a regression in the fix for 69206 that meant that methods that previously returned a null ResultSet were returning a proxy with a null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)

Other

Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
Change the default log handler level to ALL so log messages are not dropped by default if a logger is configured to use trace (FINEST) level logging. (markt)
Update Hamcrest to 3.0. (markt)
Update EasyMock to 5.4.0. (markt)
Update Byte Buddy to 1.15.0. (markt)
Update CheckStyle to 10.18.0. (markt)
Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
Improvements to Spanish translations by Fernando. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Coyote

Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt)

Catalina

Add support for RFC 8297 (Early Hints). Applications can use this feature by casting the HttpServletResponse to org.apache.catalina.connector.Reponse and then calling the method void sendEarlyHints(). This method will be added to the Servlet API (removing the need for the cast) in Servlet 6.2 onwards. (markt)
69214: Do not reject a CORS request that uses POST but does not include a content-type header. Tomcat now correctly processes this as a simple CORS request. Based on a patch suggested by thebluemountain. (markt)
Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than Subject.doAs() when the available. (markt)

Coyote

Ensure that HTTP/2 stream input buffers are only created when there is a request body to be read. (markt)
Refactor creation of HttpParser instances from the Processor level to the Protocol level since the parser configuration depends on the protocol and the parser is, otherwise, stateless. (markt)
Align HTTP/2 with HTTP/1.1 and recycle the container internal request and response processing objects by default. This behaviour can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. (markt)

jdbc-pool

69206: Ensure statements returned from Statement methods executeQuery(), getResultSet() and getGeneratedKeys() are correctly wrapped before being returned to the caller. Based on pull request #742 provided by Michael Clarke.

Other

Fix packaging regression with missing osgi information following addition of the test-only build target. (remm)
Update Tomcat Native to 2.0.8. (markt)
Update Byte Buddy to 1.14.18. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

Allow JAASRealm to use the configuration source to load a configured configFile, for easier use with testing. (remm)
Add missing algorithm callback to the JAASCallbackHandler. (remm)
Add the OpenSSL version number on the APR and OpenSSL status classes. (remm)
69131: Expand the implementation of the filter value of the Authenticator attribute allowCorsPreflight, so that it applies to all requests that match the configured URL patterns for the CORS filter, rather than only applying if the CORS filter is mapped to /*. (markt)
Using the OpenSSLListener will now cause the connector to use OpenSSL if available. (remm)

Coyote

Clean and log OpenSSL errors before processing of OpenSSL conf commands in the FFM code. (remm)
69121: Ensure that the onComplete() event is triggered if AsyncListener.onError() dispatches to a target that throws an exception. (markt)
Following the trailer header field refactoring, -1 is no longer an allowed value for maxTrailerSize. Adjust documentation accordingly. (remm)
Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.jar that advertises Java 22 in its manifest. (remm)
Fix search for OpenSSL library for FFM on Mac OS so that java.library.path is searched. (markt)
Add FFM compatibility methods for LibreSSL support. Renegotiation is not supported at the moment. (remm)
Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY (set to true to use System.loadLibrary rather than the FFM library loading code) to configure the OpenSSL library loading using FFM. (remm)
Add FFM compatibility methods for BoringSSL support. Renegotiation is not supported in many cases. (remm)

Jasper

Update the optimisation in jakarta.el.ImportHandler so it is aware of new classes added to the java.lang package in Java 23. (markt)
Ensure that an exception in toString() still results in an ELException when an object is coerced to a String using ExpressionFactory.coerceToType(). (markt)
Add support for specifying Java 24 (with the value 24) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)
69135: When using include directives in a tag file packaged in a JAR file, ensure that context relative includes are processed correctly. (markt)
69135: When using include directives in a tag file packaged in a JAR file, ensure that file relative includes are processed correctly. (markt)
69135: When using include directives in a tag file packaged in a JAR file, ensure that file relative includes are are not permitted to access files outside of the /META_INF/tags/ directory nor outside of the JAR file. (markt)

Web applications

Fix status servlet detailed view of the connectors when using automatic port. (remm)

Other

Add test-only build target to allow running only the testsuite, supporting Java versions down to the minimum supported to run Tomcat. (rjung)
Update UnboundID to 7.0.1. (markt)
Update to SpotBugs 4.8.6. (markt)
Remove cglib dependency as it is not required by the version of EasyMock used by the unit tests. (markt)
Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy 1.14.17. (markt)
Improvements to Czech translations by Vladimír Chlup. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Chinese translations by fangzheng. (markt)

Catalina

Add support for shallow copies when using WebDAV. (markt)
Deprecate the WebdavFixFilter as it is no longer required. (markt)
69066: Fix regression in SPNEGO authenticator when processing Base64. Submitted by Daniel Lyko. (remm)
Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for retrieving extended/additional information from an established GSS context. (michaelo)
Correct a regression in the fix for 68721 that caused some instances of LinkageError to be reported as ClassNotFoundException. (markt)
Ensure that static resources deployed via a JAR file remain accessible when the context is configured to use a bloom filter. Based on pull request #730 provided by bergander. (markt)
Introduce reference counting so the AprLifecycleListener is more robust. This particularly targets more complex embedded configurations with multiple server instances with independent lifecycles where more than one server instance requires the AprLifecycleListener. (markt)

Coyote

Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, and use ERR_error_string_n instead. (remm)
Fix a crash on Windows setting CA certificate on null path. (remm)
69068: Ensure read timouts are triggered for asynchronous, non-blocking reads when using HTTP/2. (markt)
69133: Add task queue size configuration on the Connector element, similar to the Executor element, for consistency. (remm)
Make counting of active HTTP/2 streams per connection more robust. (markt)
Add support for TLS 1.3 client initiated re-keying. (markt)
Improve the algorithm used to identify the IP address to use to unlock the acceptor thread when a Connector is listening on all local addresses. Interfaces that are configured for point to point connections or are not currently up are now skipped. (markt)

Jasper

68546: Small additional optimisation for initial loading of Servlet code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)

Web applications

Add the ability to set a sub-title for the Manager web application main page. This is intended to allow users with lots of instances to easily distinguish them. Based on pull request #724 by Simon Arame. (markt)

Other

Revert Derby to 10.16.1.1 as that is the latest version of Derby that runs on Java 17. (markt)
Update to Commons Daemon 1.4.0. (markt)
Update to Objenesis 3.4. (markt)
Update to Checkstyle 10.17.0. (markt)
Update to SpotBugs 4.8.5. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

Small performance optimization when logging cookies with no values. (schultz)
Correct error handling for asynchronous requests. If the application performs an dispatch during AsyncListener.onError() the dispatch is now performed rather than completing the request using the error page mechanism. (markt)
Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable style. (schultz)
Add more timescale options to AccessLogValve and ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in ExtendedAccessLogValve. (schultz)
Fix WebDAV lock null (locks for non existing resources) thread safety and removal. (remm)
Add periodic checking for WebDAV locks expiration. (remm)
Extend Asn1Parser to parse UTF8Strings. (michaelo)
Remove MBean metadata for attibutes that have been removed. Based on pull request #719 by Shawn Q. (markt)

Coyote

Align non-secure and secure writes with NIO and skip the write attempt when there are no bytes to be written. (markt)
Allow any positive value for socket.unlockTimeout. If a negative or zero value is configured, the default of 250ms will be used. (mark)
Reduce the time spent waiting for the connector to unlock. The previous default of 10s was noticeably too long for cases where the unlock has failed. The wait time is now 100ms plus twice socket.unlockTimeout. (markt)
Ensure that the onAllDataRead() event is triggered when the request body uses chunked encoding and is read using non-blocking IO. (markt)
68934: Add debug logging in the latch object when exceeding maxConnections. (remm)
Refactor trailer field handling to use a MimeHeaders instance to store trailer fields. (markt)
Ensure that multiple instances of the same trailer field are handled correctly. (markt)
Fix non-blocking reads of chunked request bodies. (markt)
When an invalid HTTP response header was dropped, an off-by-one error meant that the first header in the response was also dropped. Fix based on pull request #710 by foremans. (markt)

Jasper

Add support for specifying Java 23 (with the value 23) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)

WebSocket

69844: Close the connection with a protocol error if the server sends masked frames. (markt)
68884: Reduce the write timeout when writing WebSocket close messages for abnormal closes. The timeout defaults to 50 milliseconds and may be controlled using the org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property in the user properties collection associated with the WebSocket session. (markt)

Web applications

Examples: Improve performance of WebSocket chat application when multiple clients disconnect at the same time. (markt)
Examples: Increase the number of previous messages displayed when using the WebSocket chat application. (markt)
Examples: Improve performance of WebSocket snake application when multiple clients disconnect at the same time. (markt)

Other

Switch to using the Base64 encoder and decoder provided by the JRE rather than the version provided by Commons Codec. The internal fork of Commons Codec has been deprecated and will be removed in Tomcat 11. (markt)
Update NSIS to 3.10. (mark0t)
Update UnboundID to 7.0.0. (markt)
Update Checkstyle to 10.16.0. (markt)
Update JaCoCo to 0.8.12. (markt)
Update SpotBugs to 4.8.4. (markt)
Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

Deprecate and remove sessionCounter (replaced by the addition of the active session count and the expired session count, as a reasonable approximation) and duplicates (which does not represent a possible event in current implementations) statistics from the session manager. (remm)
68890 Align output encoding of JSPs in the Manager webapp with the XML declarations in those same files. (schultz)
Update Basic authentication to implement the requirements of RFC 7617 including the changing of the trimCredentials setting which is now defaults to false. Note that the trimCredentials setting will be removed in Tomcat 11. (markt)

Coyote

Fix bnd jar descriptor to include the OpenSSL FFM support. (remm)
Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm)

Other

Release re-built using correct JDK version.

Catalina

Change the thread-safety mechanism for protecting StandardServer.services from a simple synchronized lock to a ReentrantReadWriteLock to allow multiple readers to operate simultaneously. Based upon a suggestion by Markus Wolfe. (schultz)
Improve Service connectors, Container children and Service executors access sync using a ReentrantReadWriteLock. (remm)
Improve handling of integer overflow if an attempt is made to upload a file via the Servlet API and the file is larger than Integer.MAX_VALUE. (markt)
68862: Handle possible response commit when processing read errors. (remm)

Coyote

Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later. (remm)

Other

Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
Update the internal fork of Apache Commons Codec to 1.16.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (remm)
Improvements to Chinese translations by leeyazhou. (remm)

Catalina

Minor performance improvement for building filter chains. Based on ideas from pull request #702 by Luke Miao. (remm)
Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt)
68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm)
68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt)
After forwarding a request, attempt to unwrap the response in order to suspend it, instead of simply closing it if it was wrapped. Add a new suspendWrappedResponseAfterForward boolean attribute on Context to control the bahavior, defaulting to false. (remm)
68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt)
The rewrite valve should not do a rewrite if the output is identical to the input. (remm)
Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm)
Add highConcurrencyStatus attribute to the SemaphoreValve to optionally allow the valve to return an error status code to the client when a permit cannot be acquired from the semaphore. (remm)
Add checking of the "age" of the running Tomcat instance since its build-date to the SecurityListener, and log a warning if the server is old. (schultz)
When using the AsyncContext, throw an IllegalStateException, rather than allowing an NullPointerException, if an attempt is made to use the AsyncContext after it has been recycled. (markt)

Coyote

Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt)
Add threadsMaxIdleTime attribute to the endpoint, to allow configuring the amount of time before an internal executor will scale back to the configured minSpareThreads size. (remm)
Correct a regression in the support for user provided SSLContext instances that broke the org.apache.catalina.security.TLSCertificateReloadListener. (markt)

Jasper

Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt)
Handle the case where the JSP engine forwards a request/response to a Servlet that uses an OutputStream rather than a Writer. This was triggering an IllegalStateException on code paths where there was a subsequent attempt to obtain a Writer. (markt)
Correctly handle the case where a tag library is packaged in a JAR file and the web application is deployed as a WAR file rather than an unpacked directory. (markt)
Prevent the web application's ClassLoader from being pinned by the JSP compiler if an application uses a custom XMLInputFactory. Based upon a suggestion from Simon Niederberger. (schultz)

Cluster

Avoid updating request count stats on async. (remm)

Other

Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
57130: Allow digest.(sh|bat) to accept password from a file or stdin. (csutherl/schultz)
Update Checkstyle to 10.14.1. (markt)

Catalina

Correct JPMS and OSGi meta-data for tomcat-embed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt)
Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt)
Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz)
Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt)

Coyote

Setting a null value for a cookie attribute should remove the attribute. (markt)
Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt)
Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that would otherwise occur if application threads continued to access the AsyncContext.
Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm)
Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altındağ. (markt)
Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt)
Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt)
Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt)

Jasper

68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm)
Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)

WebSocket

Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt)
Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt)

Web applications

Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz)

Other

Correct the remaining OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. Based on pull request #685 provided by Paul A. Nicolucci. (markt)
Update Checkstyle to 10.13.0. (markt)
Update JSign to 6.0. (markt)
Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)
Update Tomcat Native to 2.0.7. (markt)
Add strings for debug level messages. (remm)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt)

Coyote

Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt)
Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt)
Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig method. (remm)
Relax the check that the HTTP Host header is consistent with the host used in the request line, if any, to make the check case insensitive since host names are case insensitive. (markt)
68348: Add support for the partitioned attribute for cookies including session cookies. (markt)

Web Applications

68035: Additional fix to the Manager application to enable the deployment of a web application located in a Host's appBase where the web application is specified by a bare (no path) WAR or directory name as shown in the documentation. (markt)

Other

Update Checkstyle to 10.12.7. (markt)
Update SpotBugs to 4.8.3. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

Background processes should not be run concurrently with lifecycle operations of a container. (remm)
Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)

Jasper

68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)

Web Applications

Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)

Other

68124: Migrate sample.war from javax to jakarta. (lihan)
Update UnboundID to 6.0.11. (markt)
Update Checkstyle to 10.12.5. (markt)
Update SpotBugs to 4.8.2. (markt)
Update Derby to 10.17.1. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Brazilian Portuguese translations by John William Vicente. (markt)
Improvements to Russian translations by usmazat and remm. (markt)

Catalina

67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo)
The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm)
Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz)
67793: Ensure the original session timeout is restored after FORM authentication if the user refreshes a page during the FORM authentication process. Based on a suggestion by Mircea Butmalai. (markt)
67926: PEMFile prints unidentifiable string representation of ASN.1 OIDs. (michaelo)
66875: Ensure that setting the request attribute jakarta.servlet.error.exception is not sufficient to trigger error handling for the current request and response. (markt)
68054: Avoid some file canonicalization calls introduced by the fix for 65433. (remm)
68089: Improve performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
Use a 400 status code to report an error due to a bad request (e.g. an invalid trailer header) rather than a 500 status code. (markt)
Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception. (markt)

Coyote

66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
When calling SSLHostConfigCertificate.setCertificateKeystore(ks), automatically call setCertificateKeystoreType(ks.getType()). (markt)
67628: Clarify how the ciphers attribute of the SSLHostConfig is used. (markt)
67666: Ensure TLS connectors using PEM files either work with the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt)
67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
67927: Reloading TLS configuration can cause the Connector to refuse new connections or the JVM to crash. (markt)
67938: Correct handling of large TLS client hello messages that were causing the TLS handshake to fail. (markt)
68026: Convert selected MessageByte values to String when first accessed to speed up subsequent accesses and reduce garbage collection. (markt)

Jasper

68068: Performance improvement for EL. Based on a suggestion by John Engebretson. (markt)

WebSocket

Correct missing metadata in the MANIFEST of the for WebSocket client API JAR file. (markt)

Web applications

68035: Correct a regression in the fix for 56248 that prevented deployment via the Manager of a WAR or directory that was already present in the appBase or a context file that was already present in the xmlBase. (markt)

Other

67538: Make use of Ant's <javaversion /> task to enfore the mininum Java build version. (michaelo)
Update Checkstyle to 10.12.4. (markt)
Update JaCoCo to 0.8.11. (markt)
Update SpotBugs to 4.8.0. (markt)
Update BND to 7.0.0. (markt)
The minimum Java version required to build Tomcat has been raised to Java 17. (markt)
Update the OWB module to Apache OpenWebBeans 4.0.0. (remm)

Coyote

67670: Fix regression with HTTP compression after code refactoring. (remm)

jdbc-pool

67664: Correct a regression in the clean-up of unnecessary use of fully qualified class names in 10.1.14 that broke the jdbc-pool. (markt)

Catalina

65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. (markt)
Fix handling of an error reading a context descriptor on deployment. (remm)
Fix rewrite rule qsd (query string discard) being ignored if qsa was also use, while it should instead take precedence. (remm)
67472: Send fewer CORS-related headers when CORS is not actually being engaged. (schultz)
Improve handling of failures within recycle() methods. (markt)

Coyote

67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. (markt)
67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. (markt)
When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. (markt)
Fix logic issue trying to match no argument method in IntropectionUtil. (remm)
Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. (remm)
Avoid rare thread safety issue accessing message digest map. (remm)
Improve statistics collection for upgraded connections under load. (remm)
Align validation of HTTP trailer fields with standard fields. (markt)
Improvements to HTTP/2 overhead protection. (markt)

Jasper

67080: Improve performance of EL expressions in JSPs that use implicit objects. Based on suggestions by John Engebretson, Anurag Dubey and Christopher Schultz. (markt)

Other

Update the internal fork of Apache Commons FileUpload to 7a8c324 (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x branch requiring additional Commons IO dependencies, Tomcat has switched to tracking the 1.x branch. (markt)
Add the Bundle-License header to the JAR manifest for all Tomcat JARs. (markt)
Update UnboundID to 6.0.10. (markt)
Update Checkstyle to 10.12.3. (markt)
Update Tomcat Native to 2.0.6. (markt)
Update Commons Pool to 2.12.0. (markt)
67611: Correct the download link in BUILDING.txt. (lihan)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)
Improvements to Russian translations by usmazat. (markt)

Catalina

If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500. (markt)
Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)
Avoid protocol relative redirects in FORM authentication. (markt)

Web applications

Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)

Other

Improvements to Chinese translations. (lihan)
Improvements to French translations. (remm)
Improvements to Japanese translations by tak7iji. (markt)

Catalina

66680: When serializing a session during the session presistence process, do not log a warning that null Principals are not serializable. Pull request #638 provided by tsryo. (markt)
Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections. (fschumacher)
66822: Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance. (markt)
The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed first. (remm)

Coyote

Correct a regression introduced in 10.1.11 and use the correct constant when constructing the default value for the certificateKeystoreFile attribute of an SSLHostConfigCertificate instance. (markt)
Refactor HTTP/2 implementation to reduce pinning when using virtual threads. (markt)
Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it. (remm)
66841: Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2. (markt)
66842: When using asynchronous I/O (the default), include DATA frames when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated. (markt)
Correct a race condition that could cause spurious RST messages to be sent after the response had been written to an HTTP/2 stream. (markt)

WebSocket

66681: Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate. (markt)

jdbc-pool

Fix the releaseIdleCounter does not increment when testAllIdle releases them. Pull request #241 provided by Arun Chaitanya Miriappalli (lihan)
Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing. Pull request #643 provided by Wenjun Xiao. (lihan)

Other

Update NSIS to 3.09. (markt)
Update Checkstyle to 10.12.2. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations. Contributed by tak7iji and Shirayuking. (markt)
66829: Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces. (markt)
66834: Correct the OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. (markt)
Update Tomcat Native to 2.0.5. (markt)

Catalina

59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. (michaelo)
66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file. (michaelo)
Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. (markt)
Add utlity config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible. (remm)
Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan. (markt)
Make parsing of ExtendedAccessLogValve patterns more robust. (markt)

Coyote

66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. (markt)
66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. (markt)
Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write. (markt)
Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. (markt)

WebSocket

Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. (markt)
Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. (markt)

Web applications

Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. (markt)
66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca. (markt)

Other

Include the Windows specific binary distributions in the files uploaded to Maven Central. (markt)
Improvements to French translations. (remm)
Improvements to Japanese translations. Contributed by tak7iji. (markt)
Update UnboundID to 6.0.9. (markt)
Update Checkstyle to 10.12.1. (markt)
Update BND to 6.4.1. (markt)
Update JSign to 5.0. (markt/rjung)
Align documentation for maxParameterCount to match hard-coded defaults. Contributed by Michal Sobkiewicz. (schultz)

Catalina

Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods. (markt)
Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. This Executor requires a minimum Java version of Java 21. (markt)
66513: Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore. (markt)
66609: Ensure that the default servlet correctly escapes file names in directory listings when using XML

Changelog

Tomcat 10.1.48 (schultz)

Catalina

Coyote

WebSocket

2025-09-07 Tomcat 10.1.47 (schultz)

Catalina

Coyote

Cluster

Web applications

Other

2025-09-12 Tomcat 10.1.46 (schultz)

Catalina

Coyote

2025-09-08 Tomcat 10.1.45 (schultz)

Catalina

Coyote

Cluster

Other

2025-08-07 Tomcat 10.1.44 (schultz)

Catalina

Coyote

Cluster

WebSocket

Web applications

Other

2025-07-04 Tomcat 10.1.43 (schultz)

Catalina

Coyote

Jasper

Web applications

Other

2025-06-09 Tomcat 10.1.42 (schultz)

Catalina

Coyote

Jasper

Web applications

Other

2025-05-12 Tomcat 10.1.41 (schultz)

Catalina

Coyote

Jasper

Web applications

Other

2025-04-08 Tomcat 10.1.40 (schultz)

Catalina

Coyote

Jasper

Cluster

Web applications

Other

2025-03-07 Tomcat 10.1.39 (schultz)

not released Tomcat 10.1.38 (schultz)

Catalina

not released Tomcat 10.1.37 (schultz)

Catalina

Coyote

Cluster

Other

2025-02-18 Tomcat 10.1.36 (schultz)

Catalina

Other

2025-02-10 Tomcat 10.1.35 (schultz)

Catalina

Coyote

Jasper

Web applications

Other

2024-12-09 Tomcat 10.1.34 (schultz)

Catalina

Coyote

Jasper

Web applications

Other

2024-11-11 Tomcat 10.1.33 (schultz)

Other

not released Tomcat 10.1.32 (schultz)

Catalina

Coyote

Jasper