The Apache Tomcat Servlet/JSP Container

Apache Tomcat 7

Version 7.0.27, Mar 31 2012
Apache Logo


User Guide


Apache Tomcat Development


Tomcat 7.0.27 (markt)
update Explicitly ignore empty path values in virtualClasspath attribute of VirtualWebappLoader class. Document that whitespace around the values is trimmed. Reformat documentation examples to make them more readable. (kkolinko)
fix Further improve fix for 51197 to allow an error reporting Valve to write a response body if sendError() is called during an asynchronous request on a container thread. (markt)
fix Correct fix for 51741 (r1307600): If VirtualDirContext class is configured with non-empty value of extraResourcePaths option (a feature added in 7.0.24), do not implicitly set allowLinking option to the value of true. If it is really needed, it should be set explicitly. (kkolinko)
fix 52500: Added configurable mechanism to retrieve user names from X509 client certificates. Based on a patch provided by Michael Furman. (schultz)
fix 52719: Fix a theoretical resource leak in the JAR validation that checks for non-permitted classes in web application JARs. (markt)
code Code clean-up identified by 52723, 52724, 52726, 52727, 52729, 52731 and 52732. (markt)
fix 52792: Improve error message when a JNDI resource can not be found. (markt)
fix 52830: Correct JNDI lookups when using javax.naming.Name to identify the resource rather than a java.lang.String. (markt)
fix 52833: Handle the case where the parent class loader for the Catalina object does not have the system class loader in its hierarchy. This may happen when embedding. Patch provided by olamy. (markt)
add 52839: Add a unit test for DigestAuthenticator and SingleSignOn. Patch provide by Brian Burch. (markt)
fix 52846: Make sure NonLoginAuthenticator registers not MemoryUser but GenericPrincipal into a session when UserDatabaseRealm is used. (kfujino)
add 52850: Extend memory leak prevention and detection code to work with IBM as well as Oracle JVMs. Extend unit tests to check direct and indirect ThreadLocal memory leak detection. Based on a patch provided by Rohit Kelapure. (markt)
add Add support for the WebSocket protocol (RFC6455). Both streaming and message based APIs are provided and the implementation currently fully passes the Autobahn test suite. Also included are several examples. A significant contribution to this new functionality was provided by Johno Crawford — particularly the examples. Contributions were also provided by Petr Praus, Jonathan Drake & Slávka. (markt)
fix When stopping a Context, ensure that any Servlets registered with JMX are unregistered. (markt)
code Make the implementation of Catalina.getParentClassLoader consistent with similar methods across the code base and have it return the system class loader if no parent class loader is set. (markt)
fix 52953: Ensure users can authenticate when using DIGEST authentication with digested passwords if the digested password is stored using upper case hexadecimal characters since DIGEST authentication expects digests to use lower case characters. Based on a patch provided by Neale Rudd. (markt)
fix 52957: Ensure that a Valve implements Lifecycle before calling any Lifecycle methods on that Valve. (markt)
fix 52958: Fix MBean descriptors for org.apache.catalina.realm package. (markt)
fix 52974: Fix NameNotFoundException when field/method is annotated with @Resource annotation. Patch provided by Violet Agg. (markt)
add Add support for multi-thread deployment in UserConfig. (kfujino)
fix Correctly register NIO sockets with poller after processing Comet events to ensure that no read events are missed. This fixes an intermittent issue observed in the unit tests. (fhanik/markt)
fix 52770: Fix a bug in the highly unlikely circumstance that an infinite timeout was specified for writing data to a client when using NIO. (markt)
fix 52858: Fix high CPU load with SSL, NIO and sendfile when client breaks the connection before reading all the requested data. (markt)
fix 52926: Avoid NPE when an NIO Comet connection times out on one thread at the same time as it is closed on another thread. (markt)
add Include port number when known in connector name when loggin messages from connectors that use automatic free port allocation. (markt)
fix Don't try an unlock the acceptor thread if it is not locked. This is unlikely to impact normal usage but it does fix some unit test issues. (markt)
fix When using the APR connector ensure that any connections in a keep-alive state are closed when the connector is stopped rather than when the connector is destroyed. This is important when stop() followed by start() is called on the connector. (markt)
fix 52725: Use configurable package name for tags rather than hard-coded value so configuration actually works. (markt)
code 52758: Implement additional interface methods in Eclipse JDT integration required for Jasper to correctly with the latest Eclipse development code. (markt)
fix 52772: Ensure uriRoot is fully validated before it is used. Patch based on a suggestion by Eugene Chung. (markt)
fix 52776: Refactor the code so JspFragment.invoke cleans up after itself. Patch provided by Karl von Randow. (markt)
fix 52970: Take account of coercion rules when invoking methods via EL. (markt)
fix 52998: Partial fix. Remove static references to the EL expression factory and use per web application references instead. (markt)
fix 52998: Remainder of fix. Cache the class to use for the EL expression factory per class loader. (kkolinko)
fix 53001: Revert the fix for 46915 since the use case described in the bug is invalid since it breaks the EL specification. (markt)
fix Replicate principal in ClusterSingleSignOn. (kfujino)
Web applications
fix 52760: Fix expires filter mime type in javascript examples. (rjung)
fix 52842: Exception in MBeanDumper when dumping MBean for StandardThreadExecutor. (rjung)
update Bring built-in mime types for embedded Tomcat more in line with the ones defined in the default web.xml configuration file. (rjung)
update Pool cleaner thread should be created using the classloader that loaded the pool, not the context loader (fhanik)
fix 52804: Make pool properties serializable and cloneable. (fhanik)
fix 51237 (r1302902): Slow Query Report should log using WARN level when queries are slow and within the threshold of caching it. (fhanik)
fix 52002 (r1302948): Add in configuration option to disallow connection reuse. (r1305862): useDisposableConnectionFacade is by default enabled (fhanik)
fix 52493 (r1302969): Java 7 DataSource method addition. (fhanik)
fix 51893 (r1302990): Throw an error and notification when pool is exhausted. (fhanik)
fix 50860 (r1303031): Add in option to configure logging for validation errors. (fhanik)
fix 52066 (r1305931): Add in configuration option, progagateInterruptState, to allow threads to retain the interrupt state. (fhanik)
fix 52750: Fix the way how parses command options so that more then one can be provided. (mturk)
update Rearrange validate-eoln target in build.xml so that it could be run ahead of compilation. (kkolinko)
update Update Apache Commons Daemon to 1.0.10. (mturk)
update Update the native component of the Tomcat APR/native connector to 1.1.23 and take advantage of the simplified distribution. (mturk)
update Update to Eclipse JDT Compiler 3.7.2. (markt)
Tomcat 7.0.26 (markt)released 2012-02-21
code Provide constants for commonly used Charset objects and use these constants where appropriate. (markt)
fix Refactor the fix for 52184 to correct two issues (a missing class and incorrect class/method names) when using the extras logging packages. (markt)
fix 52444: Only load classes during HandlesTypes processing if the class is a match. Previously, every class in the web application was loaded regardless of whether it was a match or not. (markt)
fix 52488: Correct typo: exipre -> expire. (markt)
add Add a unit test for SSO authentication. Patch provided by Brian Burch. (markt)
fix 52511: Correct regression in the fix for 51741 that caused a harmless exception to be logged when scanning for annotations and WEB-INF/classes did not exist. (markt)
code Refactor to remove a circular dependency between org.apache.catalina and org.apache.naming. (markt)
code Remove some initialisation code from the standard start process (i.e. via the scripts) that was intended for embedding but is not required when performing a standard start.(markt)
add Add new method to MBeanFactory that allows any Valve to be created and deprecate the methods to create specific Valves. (markt)
add Partial sync of MIME type mapping with mime.types from the Apache web server. (rjung)
fix 52577: Fix a regression in the fix for 52328. Prevent output truncation when reset() is called on a response. (mark)
fix 52586: Remove an old and now unnecessary hack that modified the path info reported via the javax.servlet.forward.path_info request attribute when forwarding to an error page. (markt)
fix 52587: Ensure that if it is necessary to fall back to the default NullRealm, the NullRealm instance is created early enough for it to be correctly initialised. (markt)
fix Fix millisecond output in AccessLogValve when using a SimpleDateFormat based time pattern. (rjung)
fix 52591: When dumping MBean data, skip attributes where getters throw UnsupportedOperationException. (markt)
fix 52607: Ensure that the extension validator checks the JARs in the shared and common class loaders for extensions. (markt)
fix Correct a threading issue in the generation of the list of standard authenticators during Context initialization that could lead to a web application failing to start if Contexts were started in parallel. (markt)
fix 52669: Correct regression that broke annotation processing in /WEB-INF/classes for web applications deployed as WARs, packageless classes and some embedding scenarios. The regression was introduced by the invalid assumptions made in the fix for 51741. (markt)
fix 52671: When dumping MBean data, skip attributes where getters throw NullPointerException. (markt)
add 51543: Provide a meaningful error message when writing more response headers than permitted. (markt)
fix 52547: Ensure that bytes written (which is used by the access log) is correctly reset after an HTTP 1.0 request has been processed. (markt)
code Minor refactoring to reduce code duplication in the HTTP connectors. (markt)
fix 52606: Ensure that POST bodies are available for reply after FORM authentication when using the AJP connectors. (markt)
fix 52474: Ensure that leading and trailing white space is removed from listener class names when parsing TLD files. (markt)
fix 52480: When converting class path entries from URLs to files/directories, ensure that any URL encoded characters are converted. Fixes JSP compilation with javac when Tomcat is installed at a path that includes spaces. (markt)
fix 52666: Correct coercion order in EL when processing the equality and inequality operators. (markt)
Web applications
update Improve BUILDING.txt. Update instructions for building. Add instructions for using Checkstyle and running the tests. (kkolinko)
add 38216: Improve handling of null return values in the JMX proxy servlet which is part of the Manager application. (kkolinko)
fix 52515: Make it clear in the Realm how-to in the documentation web application that digested password storage when using DIGEST authentication requires that MD5 digests are used. (markt)
fix 52634: Fix typos in JSP examples. Patch provided by Felix Schumacher. (rjung)
fix 52641: Remove mentioning of ldap.jar from docs. Patch provided by Felix Schumacher. (rjung)
fix Fix code style issues and enable Checkstyle checks for jdbc-pool when it is built within Tomcat. (kkolinko)
fix 51582 Correct set and reset the query cache to avoid NPE (fhanik)
fix Update Commons Daemon to 1.0.9 to resolve 52548 which meant that services created with service.bat did not set the catalina.home and catalina.base system properties. (markt)
add Implement check for correct end-of-line characters in the source files. It is run as separate target in build.xml. (kkolinko)
Tomcat 7.0.25 (markt)released 2012-01-21
Web applications
fix Restore format of the first line of error message for JMX proxy servlet in case scripts were depending on it. (markt)
fix When building a Windows installer do not copy whole "res" folder to output/dist, but only the files that we need. Apply fixcrlf filter only after the files are copied, so that INSTALLLICENSE file had correct line ends. (kkolinko)
update Remove res/License.rtf. The file that is actually shown by the Windows installer is res/INSTALLLICENSE. (kkolinko)
add Automate the OpenPGP signature generation for the release process. (markt)
fix Don't exclude directories named target from the build process. (rjung)
Tomcat 7.0.24 (markt)not released
add 52184: Provide greater control over the logging of errors triggered by invalid input data (i.e. data over which Tomcat has no control). (markt/kkolinko)
fix 52225: Fix ClassCastException in an Alias added to existing host through JMX. (kkolinko)
fix Do not throw IllegalArgumentException from parseParameters() call when chunked POST request is too large, but treat it like an IO error. The FailedRequestFilter filter can be used to detect this condition. (kkolinko)
fix 52245: Don't allow web applications to package classes from the javax.el package. Patch provided by pid. (markt)
fix 52259: Fix regression caused by the addition of the threaded component start (46264) that triggered a deadlock on startup if no Realm was configured. (markt)
fix 52293: Correctly handle the case when antiResourceLocking is enabled at the Context level when unpackWARs is disabled at the Host level. Based on a patch by Justin Miller. (markt)
fix In ExtendedAccessLogValve when printing %-encoded value of a parameter, use UTF-8 encoding to convert parameter value to bytes instead of platform default encoding. (markt/kkolinko)
fix 52303: Allow web applications that do not have a login configuration to participate in a SSO session. Patch provided by Brian Burch. (markt)
fix 52316: When using sendfile, use the number of bytes requested to be written to the response in the access log valve for bytes written rather than recording a value of zero. (markt)
fix 52326: Reduce log level for class loading errors during @HandlesTypes processing to debug. (markt)
fix 52328: Improve performance when large numbers of single characters and/or small strings are written to the response via a Writer. (markt)
fix 52384: Do not fail with parameter parsing when debug logging is enabled. (kkolinko)
fix Do not flag extra '&' characters in parameters as parse errors. (kkolinko)
fix Reduce log level for the message about hitting maxParameterCount limit from WARN to INFO. (kkolinko)
fix 52387: Ensure that the correct host is used when configuring logging when Tomcat is embedded. Patch provided by David Calavera. (markt)
update 52405: Align the Servlet 3.0 implementation with the changes defined in the first maintenance release (also know as Rev. A). See the JCP documentation for a detailed list of changes. (markt)
fix Improve JMX names for objects related to Connectors that have the address attribute set. (markt)
fix Remove some stale attributes from MBeans. (rjung)
code Move destruction of ContainerBase objects to ContainerBase to ensure that they are destroyed. (markt)
fix 52443: Change the behaviour of the default Realm in the embedded use case so it is set once on the Engine rather than on every Context thereby avoiding the Lifecycle issues with having the same Realm set on multiple Contexts. (markt)
add Provide a new Realm implementation, the NullRealm, that does not contain any users and is used as the default Realm implementation (rather than the JAAS Realm which was used prior to this change) if no Realm is specified. (markt)
fix 52461: Don't assume file based URLs when checking last modified times for global and host level web.xml files. Patch provided by violetagg. (markt)
add Add test cases for the BASIC and NonLogin Authenticators when not using SSO. Patch provided by Brian Burch. (markt)
add 52028: Add support for automatic binding to a free port by a connector if the special value of zero is used for the port. This is mainly useful in embedded and testing scenarios. (markt)
update Remove obsolete emptySessionPath JMX attribute. (rjung)
fix Correct error in fix for 49683. (markt)
fix Ensure that the process of unlocking the acceptor thread does not trigger processing of the connection as if it were a valid request. (markt)
fix 52450: Add setter for entityResolver in ParserUtils. This is mainly useful when jasper and dtds are in different class loaders. (mturk)
fix 52321: Ensure that the order of multiple prelude/coda values for JSP pages is respected. (markt)
fix 52335: Only handle <\% and not \% as escaped in template text. (markt)
fix 52440: Ensure that when using ValueExpression.getValueReference() if the expression is an EL variable that the value returned is the ValueReference for the ValueExpression associated with the EL variable. (markt)
fix 52445: Don't assume that EL method expressions have exactly three components (identifier, method name, paramaters). (markt)
Web applications
add 38216: Add the ability to invoke MBean operations to the JMX proxy sevrlet in the Manager application. Based on a patch by Christopher Hlubek. (markt)
update Further clarify the relation between values used by RemoteIpValve and RemoteIpFilter and their use by AccessLogValve. (kkolinko)
fix 52243: Improve windows service documentation to clarify how to include # and/or ; in the value of an environment variable that is passed to the service. (markt)
fix 52366: Fix typo in VirtualWebappLoader documentation (configuration example). (rjung)
update Replace Bugzilla search link on ROOT/index.jsp page with one pointing to the bug reporting page of Tomcat site. (kkolinko)
update Move MBean dump code from JMXProxyServlet into a utility class. (rjung)
fix 52208: Fix threading issue that may lead to harmless NPE during shutdown that has occasionally been observed when running the unit tests. (markt)
fix 52213, 52354, 52355 and 52356: Fix some potential concurrency issues in FastQueue. (markt)
add r1207712: Pool cleaner should be a global thread, not spawn one thread per connection pool. (fhanik)
update Update Apache Commons Daemon to 1.0.8. (mturk)
update Update Apache Commons Pool to 1.5.7. (kkolinko)
fix Fix line ends in .gitignore files contained in source distributions. (rjung)
fix Run Mapper performance test twice if the first run took too long, to ignore occasional failures. (kkolinko)
fix Align .gitignore and build.xml exclude patterns with svn:ignore. (kkolinko)
fix Configure defaultexcludes for Ant 1.8.1/1.8.2. The .git and .gitignore patterns are in since Ant 1.8.2, but we include .gitignore in src distributions. (kkolinko)
add 52237: Allow JUnit logs to be generated in formats other than plain text. Patch provided by M Hasko. (markt/kkolinko)
fix Fix build condition for tomcat-dbcp to always rebuild whan a new version of commons-pool or commons-dbcp is downloaded. (kkolinko)
update Add example of configuration for SetCharacterEncodingFilter to the default web.xml file. (kkolinko)
update Switch unit tests to bind Connectors to localhost rather than all available IP addresses. (markt)
update Update to Eclipse JDT Compiler 3.7.1. (markt)
update Add Netbeans nbproject folder to svn:ignore and .gitignore. (rjung)
update Align .gitignore with trunk. (rjung)
Tomcat 7.0.23 (markt)released 2011-11-25
add 46264: Add the ability to start and stop containers (primarily Contexts) using a thread pool rather than a single thread. This can significantly improve start and stop time. Based on patches by Joe Kislo and Felix Schumacher. (markt)
fix 50570: Enable FIPS mode to be set in AprLifecycleListener. Based upon a patch from Chris Beckey. (schultz/kkolinko)
fix 51744: Throw the correct exception if an application attempts to modify the associated JNDI context. (markt)
add 51744: Add an option to the StandardContext that allows exception throwing when an application attempts to modify the associated JNDI context to be disabled. (markt)
fix 51910: Prevent NPE on connector stop if Comet applications are being used without the CometConnectionManagerValve. (markt)
fix 51940: Do not limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a request body. Based on a patch by Nicholas Sushkin. (markt/kkolinko)
fix 51956: RemoteAddrFilter used getRemoteHost instead of getRemoteAddr when filtering Comet events. (schultz)
fix 51952: Make the inclusion of a response body with a redirect response introduced to address 41718 optional and disabled by default due to the side-effects of including a body with the response in this case. (markt)
fix 51972: Correctly handle protocol relative URLs when used with sendRedirect(). (markt)
code Simplify the deployment code and use full paths in log messages to remove any ambiguity in where a context is being deployed from. (markt)
fix 52009: Fix a NPE during access log entry recording when an error occurred during the processing of a Comet request. (markt)
fix In OneLineFormatter log formatter in JULI always use the US locale to format the date (esp. the month names). (rjung)
add Cache the results of parsing the global and host level web.xml files to improve web application start time. (markt)
fix 52042: Correct threading issue in annotation caching that could lead to an NPE if multiple threads were processing the same class hierarchy for annotations. (markt)
fix Correct additional threading and premature clearance issues with the annotation cache. (markt)
fix Correct a regression in the fix for 49779 that parameters POSTed by an unauthenticated user to a page that required FORM authentication were lost during the authentication process. (markt)
fix 52055: Ensure that the input and output buffers are correctly reset between keep-alive requests when using Servlet 3.0 asynchronous request processing. (markt)
fix Ensure changes to the configuration of the RemoteHostValve and the RemoteAddrValve via JMX are thread-safe. (markt)
fix Ensure the the memory leak protection for the HttpClient keep-alive always operates even if the thread has already stopped. (markt)
code Remove the Java 1.2 specific error handling around the adding of the shutdown hook. (markt)
fix Correct errors in i18n resources and resource usage that meant some messages were either not used or were incorrectly formatted. (markt)
code Replace the use of deprecated auth method names from authenticator.Constants with the auth method names from HttpServletRequest. (kkolinko)
add Make configuration issues for security related Valves and Filters result in the failure of the valve or filter rather than just a warning message. (markt)
add Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
fix 52091: Address performance issues related to lock contention in StandardWrapper. Patch provided by Taiki Sugawara. (markt)
code Switch to using Collections.enumeration() rather than custom code that does the same thing. (markt)
fix 52113: Don't assume presence of context.xml file with JMX deployment. (markt)
update In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor value matching logic into separate method and expose this new method isAllowed through JMX. (kkolinko)
fix 52156: Ensure that getServletContext().getResource(path) returns the correct resource when path contains /../ sequences or any other sequences that require normalization. (markt)
add Report existence of HTTP request parameter parsing errors via new special ServletRequest attribute, org.apache.catalina.parameter_parse_failed. (kkolinko)
add New filter FailedRequestFilter that will reject a request if there were errors during HTTP parameter parsing. (kkolinko)
update Improve special attributes handling in Request object by using hash table lookup instead of series of string comparisons. (kkolinko)
code Deprecate unused methods in IntrospectionUtils class. (kkolinko)
fix Improve processing of errors that are wrapped in InvocationTargetException. Rethrow fatal errors that must be rethrown. (kkolinko)
fix Improve handling of failed web application deployments during automatic deployment. Once deployment of a web application fails in one form (e.g. WAR), no further attempt (e.g. directory) will be made to deploy that web application. The base Lifecycle implementation has been improved to allow failed web applications to be started once the configuration issues have been resolved. Any changes to a context.xml file (global, per host or web application specific) will now result in a redeploy of the affected web application(s) that ensures that any changes are correctly applied rather than a reload which ignores changes in context.xml files. (markt/kkolinko)
fix 52173: Improve Javadoc for delegate attribute of WebappClassLoader. Based on a patch by bmargulies. (markt)
add Add denyStatus attribute to RequestFilterValve (RemoteAddrValve, RemoteHostValve valves) and RequestFilter (RemoteAddrFilter, RemoteHostFilter filters). It allows to use different HTTP response code when rejecting denied request. E.g. 404 instead of 403. (kkolinko)
fix Slightly improve performance of UDecoder.convert(). Align %2f handling between implementations. (kkolinko)
fix 51881: Correctly complete Comet requests when the Comet END event is triggered asynchronously. (markt)
fix 51905: Fix infinite loop in AprEndpoint shutdown if acceptor unlock fails. Reduce timeout before forcefully closing the socket from 30s to 10s. (kkolinko)
fix 51912: Fix HTTP header processing in NIO HTTP connector. (kkolinko)
fix Improve MimeHeaders.toString(). (kkolinko)
fix Fix threading issue in NIO connectors during shutdown that meant Comet connections were not always shut down cleanly. (markt)
add In HTTP connectors: self-guard against using a non-recycled input buffer. Requests will be rejected with response status 400. (kkolinko)
fix 5212