The Apache Tomcat Servlet/JSP Container

Apache Tomcat 7

Version 7.0.93, Feb 16 2019

Changelog

Tomcat 7.0.93 (violetagg)
Catalina
fix 54741: Add a new method, Tomcat.addWebapp(String,URL), that allows a web application to be deployed from a URL when using Tomcat in embedded mode. (markt)
add 62897: Provide a property (clearReferencesThreadLocals) on the standard Context implementation that enables the check for memory leaks via ThreadLocals to be disabled because this check depends on the use of an API that has been deprecated in later versions of Java. (markt)
fix 62978: Update the RemoteIpValve to handle multiple values in the x-forwarded-proto header. Patch provided by Tom Groot. (markt)
fix Update the RemoteIpFilter to handle multiple values in the x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
code 62986: Refactor the code that performs class scanning during web application start to make integration simpler for downstream users. Based on a patch provided by rmannibucau. (markt)
fix Implement the requirements of section 8.2.2 2c of the Servlet specification and prevent a web application from deploying if it has fragments with duplicate names and is configured to use relative ordering of fragments. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.19. (markt)
fix Ensure that the ServletOutputStream implementation is consistent with the requirements of asynchronous I/O and that all of the write methods use a single write rather than multiple writes. (markt)
fix Correct the Javadoc for Context.getDocBase() and Context.setDocBase() and remove text that indicates that a URL may be used for the docBase as this has not been the case for quite some time. (markt)
add Ensure that Tomcat is fully terminated when running as a service. (markt)
fix 63003: Extend the unloadDelay attribute on a Context to include in-flight asynchronous requests. (markt)
add 63026: Add a new attribute, forceDnHexEscape, to the JNDIRealm that forces escaping in the String representation of a distinguished name to use the \nn form. This may avoid issues with realms using Active Directory which appears to be more tolerant of optional escaping when the \nn form is used. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.21. (markt)
update Simplify the value of jarsToSkip property in catalina.properties file for tomcat-i18n jar files. Use prefix pattern instead of listing each language. (kkolinko)
WebSocket
fix 57974: Ensure implementation of Session.getOpenSessions() returns correct value for both client-side and server-side calls. (markt)
fix 63019: Use payload remaining bytes rather than limit when writing. Submitted by Benoit Courtilly. (remm)
fix When running under a SecurityManager, ensure that the ServiceLoader look-up for the default javax.websocket.server.ServerEndpointConfig.Configurator implementation completes correctly rather than silently using the hard-coded fall-back. (markt)
fix Ensure that the network connection is closed if the client receives an I/O error trying to communicate with the server. (markt)
fix Ignore synthetic methods when scanning POJO methods. (markt)
fix Implement the requirements of section 5.2.1 of the WebSocket 1.1 specification and ensure that if the deployment of one Endpoint fails, no Endpoints are deployed for that web application. (markt)
fix Implement the requirements of section 4.3 of the WebSocket 1.1 specification and ensure that the deployment of an Endpoint fails if @PathParam is used with an invalid parameter type. (markt)
fix Ensure a DeploymentException rather than an IllegalArgumentException is thrown if a method annotated with @OnMessage does not conform to the requirements set out in the Javadoc. (markt)
fix Improve algorithm that determines if two @OnMessage annotations have been added for the same message type. Prior to this change some matches were missed. (markt)
code Remove the STREAMS_DROP_EMPTY_MESSAGES system property that was introduced to work around four failing TCK tests. An alternative solution has been implemented. Sending messages via getSendStream() and getSendWriter() will now only result in messages on the wire if data is written to the OutputStream or Writer. Writing zero length data will result in an empty message. Note that sending a message via an Encoder may result in the message being sent via getSendStream() or getSendWriter(). (markt)
Web applications
fix 63103: Remove the unused source.jsp file and associated tag from the examples web application as it is no longer used. (markt)
fix 63143: Ensure that the Manager web application respects the language preferences of the user as configured in the browser when the language of the default system locale is not English. (markt)
fix Use client's preferred language for the Server Status page of the Manager web application. Review and fix several cases when the client's language preference was not respected in Manager and Host Manager web applications. (kkolinko)
fix Fix messages used by Manager and Host Manager web applications. Disambiguate message keys used when adding or removing a host. Improve display of summary values on the status page: separate terms and values with a whitespace. Improve wording of messages for expire sessions command. (kkolinko)
fix Do not add CSRF nonce parameter and suppress Referer header for external links in Manager and Host Manager web applications. (kkolinko)
Other
fix Prevent an error when running in a Cygwin shell and the JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.19 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. (markt)
fix Correct AsyncFileHandler to FileHandler in logging.properties. (huxing)
update Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt)
fix Enable compilation and test execution with Java 11. Note that the deprecated class org.apache.catalina.util.Base64 will be excluded from the build in this case as it depends on JRE classes that have been removed in Java 11 onwards. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.04. (markt)
add Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
Tomcat 7.0.92 (violetagg) released 2018-11-15
Catalina
fix Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
fix Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
fix 62788: Add explicit logging configuration to write log files using UTF-8 to align with Tomcat's use of UTF-8 by default elsewhere. (markt)
fix 62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
fix 62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
update Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
add Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
add 62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
fix Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
fix 62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)
Coyote
add Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
fix 62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt)
add 62748: Add TLS 1.3 support for the APR/Native connector. (schultz/markt)
fix 62791: Remove an unnecessary check in the NIO TLS implementation that prevented secure WebSocket connections from being established. (markt)
Jasper
fix 62674: Correct a regression in the stand-alone JSP compiler utility, JspC, caused by the fix for 53492, that caused the JSP compiler to hang. (markt)
fix 62721: Correct generation of web.xml header when using JspC. (markt)
fix Fix a regression in the TLD whitespace parsing fix that broke parsing when whitespace was present between the method name and the parameters. (markt)
fix 62757: Correct a regression in the fix for 62603 that caused NullPointerExceptions when compiling tag files on first access when development mode was disabled and background compilation was enabled. Based on a patch by Jordi Llach. (markt)
fix 62808: Fix a regression in the TLD whitespace parsing fix that broke parsing when new lines were present in the method signature. (markt)
WebSocket
fix 62731: Make the URI returned by HandshakeRequest.getRequestURI() and Session.getRequestURI() absolute so that the scheme, host and port are accessible. (markt)
Web applications
fix 62761: Correct the advanced CORS example in the Filter documentation to use a valid configuration. (markt)
fix 62786: Add a note to the Context documentation to explain that, by default, settings for a Context element defined in server.xml will be overwritten by settings specified in a default context file such as conf/context.xml. (markt)
fix Create a little visual separation between the Undeploy button and the other buttons in the Manager application. Patch provided by Łukasz Jąder. (markt)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.18 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. (markt)
Tomcat 7.0.91 (violetagg) released 2018-09-19
Catalina
add 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
fix Ensure that the HTTP Vary header is set correctly when using the CORS filter and improve the cacheability of requests that pass through the CORS filter. (markt)
fix 62527: Revert restriction of JNDI to the java: namespace. (remm)
add Introduce a new class - MultiThrowable - to report exceptions when multiple actions are taken where each action may throw an exception but all actions are taken before any errors are reported. Use this new class when reporting multiple container (e.g. web application) failures during start. (markt)
fix Correctly decode URL paths (+ should not be decoded to a space in the path) in the RequestDispatcher and the web application class loader. (markt)
add 62559: Add jaxb-*.jar to the list of JARs ignored by StandardJarScanner. (markt)
add 62560: Add oraclepki.jar to the list of JARs ignored by StandardJarScanner. (markt)
add 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat fails to start. (markt)
code Remove ServletException from declaration of Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by Tzafrir. (markt)
fix Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
code Simplify construction of appName from container name in JAASRealm. (fschumacher)
fix Improve the handling of path parameters when working with RequestDispatcher objects. (markt)
fix 62664: Process requests with content type multipart/form-data to servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
fix 62669: When using the SSIFilter and a resource does not specify a content type, do not force the content type to application/x-octet-stream. (markt)
fix When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. (markt)
Coyote
fix Refactor code that adds an additional header name to the Vary HTTP response header to use a common utility method that addresses several additional edge cases. (markt)
fix 62526: Correctly handle PKCS12 format key stores when the key store password is configured to be the empty string. Note that Java 6 does not support PKCS12 key stores configured to use a store password of the empty string. (markt)
fix 62670: Adjust the memory leak protection for the DriverManager so that JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via the service loader mechanism when the protection is enabled. (markt)
fix 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
Jasper
fix 53011: When pre-compiling with JspC, report all compilation errors rather than stopping after the first error. A new option -failFast can be used to restore the previous behaviour of stopping after the first error. Based on a patch provided by Marc Pompl. (markt)
add 53492: Make the Java file generation process multi-threaded. By default, one thread will be used per core. Based on a patch by Dan Fabulich. (markt)
fix 62603: Fix a potential race condition when development mode is disabled and background compilation checks are enabled. It was possible that some updates would not take effect and/or ClassNotFoundExceptions would occur. (markt)
fix Correct the JSP version in the X-PoweredBy HTTP header generated when the xpoweredBy option is enabled. (markt)
fix 62662: Fix the corruption of web.xml output during JSP compilation caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)
fix Correct parsing of XML whitespace in TLD function signatures that incorrectly only looked for the space character. (markt)
WebSocket
fix 62596: Remove the limit on the size of the initial HTTP upgrade request used to establish the web socket connection. (markt)
Web applications
add 62558: Add Russian translations for the Manager and Host Manager web applications. Based on a patch by Ivan Krasnov. (markt)
add 62561: Add advanced class loader configuration information regarding the use of the Server and Shared class loaders to the documentation web application. (markt)
add Expand the information in the documentation web application regarding the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. (markt)
fix 62652: Make it clearer that the version of DBCP that is packaged in Tomcat 7.0.x is DBCP 1. (markt)
add 62666: Expand internationalisation support in the Manager application to include the server status page and provide Russian translations in addition to English. Patch provided by Artem Chebykin. (markt)
fix 62676: Expand the CORS filter documentation to make it clear that explicit configuration is required to enable support for cross-origin requests. (markt)
Tribes
fix Ensure that the specified rxBufSize is correctly set as the receiver buffer size. (kfujino)
Other
fix Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
fix Correct various spelling errors throughout the source code and documentation. Patch provided by Kazuhiro Sera. (markt)
Tomcat 7.0.90 (violetagg) released 2018-07-06
Catalina
fix 62498: Correct a regression in the fix for CVE-2017-12617 that caused request failures for some requests when using the VirtualDirContext. (markt)
fix Delete reference to removed class that prevented Tomcat from starting when running under a security manager. (markt)
Tomcat 7.0.89 (violetagg) not released
Catalina
fix JNDI resources that are defined with injection targets but no value are now treated as if the resource is not defined. (markt)
fix Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java: namespace. (markt)
add 51953: Add the RemoteCIDRFilter and RemoteCIDRValve that can be used to allow/deny requests based on IPv4 and/or IPv6 client address where the IP ranges are defined using CIDR notation. Based on a patch by Francis Galiegue. (markt)
fix 62343: Make CORS filter defaults more secure. This is the fix for CVE-2018-8014. (markt)