October 25, 2020

Apache Tomcat 10.0.0-M9 released: open source web application server


Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. It is designed to provide users with the original Java environment to run web applications.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat 10.0.0-M9 released.



  • Update:  The health check valve will now check the state of its associated containers to report availability. (remm)
  • Fix:  Fix race condition when saving and recycling session in PersistentValve. (kfujino)
  • Update:  Remove the JDBCRealm. (markt)
  • Fix:  Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)
  • Fix:  64715: Add PasswordValidationCallback to the Jakarta Authentication implementation. Patch provided by Robert Rodewald. (markt)
  • Update:  Allow using the utility executor for annotation scanning. Patch provided by Jatin Kamnani. (remm)
  • Fix:  64751: Correct the JPMS module descriptor so the embedded JARs may be used with JPMS. (markt)
  • Fix:  When performing an incremental build, ensure bnd does not create unwanted JPMS dependencies between embedded JARs. (markt)
  • Update:  Add a bloom filter to speed up archive lookup and improve deployment speed of applications with a large number of JARs. Patch provided by Jatin Kamnani. (remm)
  • Fix:  Throw SQLException instead of NullPointerException when failing to connect to the database. (kfujino)
  • Fix:  64735: Ensure that none of the methods on a ServletContext instance always fail when running under a SecurityManager. Pull request provided by Kyle Stiemann. (markt)
  • Fix:  64765: Ensure that the number of currently processing threads is tracked correctly when a web application is undeployed, long running requests are being processed and renewThreadsWhenStoppingContext is enabled for the web application. (markt)
  • Add:  Improve the error messages when running under JPMS without the necessary options to enable reflection required by the memory leak prevention / detection code. (markt)
  • Fix:  When estimating the size of a resource in the static resource cache, include a specific allowance for the path to the resource. Based on a pull request by blueSky1825821. (markt)


  • Fix:  Do not send an HTTP/2 PING frame to measure round-trip time when it is known that the HTTP/2 connection is not in a good state. (markt)
  • Fix:  Ensure HTTP/2 timeouts are processed for idle connections. (markt)
  • Fix:  64743: Correct a regression introduced in 10.0.0-M7 that caused a Connection: close header to be added to the response if the Connector was configured with maxSwallowSize=-1. (markt)
  • Fix:  When logging HTTP/2 debug messages, use consistent formatting for stream identifiers. (markt)
  • Fix:  Correct some double counting in the code that tracks the number of in-flight asynchronous requests. The tracking enables Tomcat to shut down gracefully when asynchronous processing is in use. (markt)
  • Fix:  Improve the error handling for the HTTP/2 connection preface when the Connector is configured with useAsyncIO="true". (markt)
  • Fix:  Refactor the handling of closed HTTP/2 streams to reduce the heap usage associated with used streams and to retain information for more streams in the priority tree. (markt)
  • Fix:  Don’t send the Keep-Alive response header if the connection has been explicitly closed. (markt)
  • Fix:  64710: Avoid a BufferOverflowException if an HTTP/2 connection is closed while the parser still has a partial HTTP/2 frame in the input buffer. (markt)


  • Fix:  Use lazy instantiation to improve the performance when working with listeners added to the ELContext. Pull request provided by Thomas Andraschko. (markt)

Web applications

  • Add:  Configure the Manager and Host Manager web applications to set SameSite=strict for all cookies, including session cookies, created by the application. (markt)
  • Fix:  Update the Manager How-To in the documentation web application to clarify when a user may wish to deploy additional instances of the Manager web application. (markt)
  • Fix:  64774: Review references to Tomcat 9 in the documentation web application and remove them or update them to refer to Tomcat 10 as appropriate. (markt)


  • Update:  Update to Commons Daemon 1.2.3. This adds support to jsvc for --enable-preview and native memory tracking (Procrun already supported these features), adds some additional debug logging and adds a new feature to Procrun that outputs the command to (re-)configure the service with the current settings. (markt)
  • Add:  When building, only rebuild JAR files (including OSGi and JPMS metadata) if the contents have changed. (markt)
  • Add:  Improvements to Chinese translations. Pull request provided by Yang Yang. (markt)
  • Add:  Expand coverage of Russian translations. Pull request provided by Nikolay Gribanov. (markt)
  • Update:  Update the OWB module to Apache OpenWebBeans 2.0.18. (remm)
  • Update:  Update the CXF module to Apache CXF 3.4.0. (remm)
  • Fix:  Fix running service.bat when called from $CATALINA_HOME. (markt)
  • Fix:  Complete the fix for 63815. Users wishing to use system properties that require quoting with catalina.sh and the debug option must use a JRE that includes the fix for JDK-8234808. (markt)
  • Add:  Improvements to Chinese translations. Provided by leeyazhou. (markt)
  • Add:  Improvements to Czech translations. Provided by Dušan Hlaváč and Arnošt Havelka. (markt)
  • Add:  Improvements to French translations. (remm)
  • Add:  Improvements to Korean translations. (woonsan)
  • Add:  Improvements to Spanish translations. Provided by Andrewlanecarr. (markt)