Fri. Jan 17th, 2020

Apache Tomcat 8.5.50 released


The Apache Tomcat® software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are trademarks of the Apache Software Foundation.

Changelog Apache Tomcat 8.5.50

Catalina

  • Add:  Improvements to CsrfPreventionFilter: additional logging, allow the CSRF nonce request parameter name to be customized. (schultz)
  • Add:  63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
  • Fix:  63964: Correct a regression in the static resource caching changes introduced in 9.0.28. URLs constructed from URLs obtained from the cache could not be used to access resources. (markt)
  • Fix:  63968: Fix ClassCastException in the Expires filter which was a regression in the fix for 63909. (markt)
  • Fix:  63970: Correct a regression in the static resource caching changes introduced in 9.0.28. Connections to URLs obtained for JAR resources could not be cast to JarURLConnection. (markt)
  • Add:  63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
  • Fix:  63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
  • Fix:  63982: CombinedRealm makes assumptions about principal implementation (michaelo)
  • Fix:  63983: Correct a regression in the static resource caching changes introduced in 9.0.28. A large number of file descriptors were opened that could reach the OS limit before being released by GC. (markt)
  • Update:  63987: Deprecate Realm.getRoles(Principal). (michaelo)
  • Code:  Add a unit test for the session FileStore implementation and refactor loops in FileStore to use the ForEach style. Pull request provided by Govinda Sakhare. (markt)
  • Fix:  Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)

Coyote

  • Code:  Refactor the APR poller to always use a single pollset now that the Windows operating systems that required multiple smaller pollsets to be used are no longer supported. (markt)
  • Update:  Add vectoring for NIO in the base and SSL channels. (remm)
  • Add:  Add async API to the NIO and APR connector. (remm)
  • Fix:  63931: Improve timeout handling for asyncIO to ensure that blocking operations see a SocketTimeoutException if one occurs. (remm/markt)
  • Fix:  63932: By default, do not compress content that has a strong ETag. This behaviour is configurable for the HTTP/1.1 and HTTP/2 connectors via the new Connector attribute noCompressionStrongETag. (markt)
  • Fix:  Simplify regular endpoint writes by removing write(Non)BlockingDirect. All regular writes will now be buffered for a more predictable behavior. (remm)
  • Fix:  Send an exception directly to the completion handler when a timeout exception occurs for the operation, and add a boolean to make sure the completion handler is called only once. (remm/markt)

WebSocket

  • Fix:  Ensure a couple of very unlikely concurrency issues are avoided when writing WebSocket messages. (markt)

Web applications

  • Fix:  Fix the broken re-try link on the error page for the FORM authentication example in the JSP section of the examples web application. (markt)
  • Fix:  Correct the documentation for the maxConnections attribute of the Connector in the documentation web application. (markt)
  • Add:  Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions. (markt)

Other

  • Fix:  Correct the fix for 63815 (quoting the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused various regressions, particularly with daemon.sh. (markt)
  • Add:  Expand the search made by the Windows installer for a suitable Java installation to include the 64-bit JDK registry entries and the JAVA_HOME environment variable. Pull request provided by Alexander Norz. (markt)
  • Add:  Expand the coverage of the German translations provided with Apache Tomcat. Contribution provided by Jens. (markt)
  • Add:  Expand the coverage of the French translations provided with Apache Tomcat. (remm)
  • Add:  Expand the coverage of the Japanese translations provided with Apache Tomcat. (markt)
  • Add:  Expand the coverage of the Korean translations provided with Apache Tomcat. (woonsan)
  • Add:  Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by lins and 磊. (markt)
  • Add:  Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, 6.4.2-dev). Code clean-up only. (markt)
  • Add:  Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
  • Add:  Update the internal fork of Apache Commons FileUpload to 2317552 (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
  • Add:  Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06, 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt)
  • Add:  Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06, 2.7.1-SNAPSHOT). Minor refactoring. (markt)
