Apache Tomcat 10.0.6 released: open source web application server

Apache Tomcat is an open-source implementation of Java Servlets, JavaServer Pages, Java Expression Language, and Java WebSocket technology. It is designed to provide users with the original Java environment to run web applications.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat 10.0.6 released.

Changelog

Catalina

  • Code:  Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
  • Fix:  65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
  • Fix:  65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
  • Fix:  65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)
  • Fix:  65251: Correct a regression introduced in 10.0.3 that meant that the auto-deployment process may attempt a second, concurrent deployment of a web application that is being deployed by the Manager resulting in one of the deployments failing and errors being reported. (markt)

Coyote

  • Fix:  Ensure that all HTTP requests that contain an invalid character in the protocol component of the request line are rejected with a 400 response rather than some requests being rejected with a 505 response. (markt)
  • Fix:  When generating the error message for an HTTP request with an invalid request line, ensure that all the available data is included in the error message. (markt)
  • Fix:  65272: Restore the optional HTTP feature that allows LF to be treated as a line terminator for the request line and/or HTTP header lines as well as the standard CRLF. This behaviour was previously removed as a side-effect of the fix for CVE-2020-1935. (markt)

Jasper

  • Code:  Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt)
  • Update:  <servlet> entries in web.xml that include a <jsp-file> element and a negative <load-on-startup> element that is not the default value of -1 will no longer be loaded at start-up. This makes it possible to define a <jsp-file> that will not be loaded at start-up. (markt)
  • Fix:  Allow the JSP configuration option useInstanceManagerForTags to be used with Tags that are implemented as inner classes. (markt)

WebSocket

  • Code:  Refactor the way Tomcat passes path parameters to POJO end points to simplify the code. (markt)
  • Fix:  65262: Refactor the creation of WebSocket end point, decoder and encoder instances to be more IoC friendly. Instances are now created via the InstanceManager where possible. (markt)

Web applications

  • Fix:  65235: Correct name of changeLocalName in the documentation for the RemoteIpValve. (markt)
  • Fix:  65265: Avoid getting the boot classpath when it is not available in the Manager diagnostics. (remm)

Other

  • Fix:  Create OSGi Require-Capability sections in manifests for Jakarta API JARs manually rather than via the aQute.bnd.annotation.spi.ServiceConsumer annotation as this triggers TCK failures for downstream consumers of the API JARs. (markt)
  • Update:  Update the packaged version of the Tomcat Native Library to 1.2.28. (markt)
  • Update:  Update the OWB module to Apache OpenWebBeans 2.0.22. (remm)
  • Update:  Update the CXF module to Apache CXF 3.4.3. (remm)
  • Fix:  65218: Update the version number shown on the left-hand banner of the Tomcat installer for Windows to Apache Tomcat 10. (markt)
  • Fix:  Move SystemPropertySource to be a regular class to allow more precise configuration if needed. The system property source will still always be enabled. (remm)
  • Add:  Improvements to Chinese translations. Provided by bytesgo. (markt)
  • Add:  Improvements to French translations. (remm)
  • Add:  Improvements to Korean translations. (woonsan)
  • Update:  Update the version of the Tomcat Migration Tool for Jakarta EE used to provide automatic deployment for Java EE applications to 1.0.0. (markt)
