October 25, 2020

Apache Tomcat 8.5.59 released

3 min read

The Apache Tomcat® software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are trademarks of the Apache Software Foundation.

Changelog Apache Tomcat 8.5.59


  • Fix:  Fix race condition when saving and recycling session in PersistentValve. (kfujino)
  • Update:  Deprecate the JDBCRealm. (markt)
  • Fix:  Correct numerous spellings throughout the code base. Based on a pull request from John Bampton. (markt)
  • Fix:  64715: Add PasswordValidationCallback to the JASPIC implementation. Patch provided by Robert Rodewald. (markt)
  • Fix:  Throw SQLException instead of NullpointerException when failing to connect to the database. (kfujino)
  • Fix:  64735: Ensure that none of the methods on a ServletContext instance always fail when running under a SecurityManager. Pull request provided by Kyle Stiemann. (markt)
  • Fix:  64765: Ensure that the number of currently processing threads is tracked correctly when a web application is undeployed, long running requests are being processed and renewThreadsWhenStoppingContext is enabled for the web application. (markt)
  • Add:  Improve the error messages when running under JPMS without the necessary options to enable reflection required by the memory leak prevention / detection code. (markt)
  • Fix:  When estimating the size of a resource in the static resource cache, include a specific allowance for the path to the resource. Based on a pull request by blueSky1825821. (markt)


  • Fix:  Do not send an HTTP/2 PING frame to measure round-trip time when it is known that the HTTP/2 connection is not in a good state. (markt)
  • Fix:  64743: Correct a regression introduced in 8.5.57 that caused a Connection: close header to be added to the response if the Connector was configured with maxSwallowSize=-1. (markt)
  • Fix:  When logging HTTP/2 debug messages, use consistent formatting for stream identifiers. (markt)
  • Fix:  Correct some double counting in the code that tracks the number of in-flight asynchronous requests. The tracking enables Tomcat to shutdown gracefully when asynchronous processing is in use. (markt)
  • Fix:  Don’t send the Keep-Alive response header if the connection has been explicitly closed. (markt)
  • Fix:  Refactor the handling of closed HTTP/2 streams to reduce the heap usage associated with used streams and to retain information for more streams in the priority tree. (markt)


  • Fix:  Use lazy instantiation to improve the performance when working with listeners added to the ELContext. Pull request provided by Thomas Andraschko. (markt)

Web applications

  • Add:  Configure the Manager and Host Manager applications to set SameSite=strict for all cookies, including session cookies, created by the application. (markt)
  • Fix:  Update the Manager How-To in the documentation web application to clarify when a user may wish to deploy additional instances of the Manager web application. (markt)


  • Update:  Update to Commons Daemon 1.2.3. This adds support to jsvc for --enable-preview and native memory tracking (Procrun already supported these features), adds some addition debug logging and adds a new feature to Procrun that outputs the command to (re-)configure the service with the current settings. (markt)
  • Add:  When building, only rebuild JAR files if the contents has changed. (markt)
  • Add:  Improvements to Chinese translations. Pull request provided by Yang Yang. (markt)
  • Add:  Expand coverage of Russian translations. Pull request provided by Nikolay Gribanov. (markt)
  • Fix:  Fix running service.bat when called from $CATALINA_HOME. (markt)
  • Fix:  Complete the fix for 63815. Users wishing to use system properties that require quoting with catalina.sh and the debug option must use a JRE that includes the fix for JDK-8234808. (markt)
  • Add:  Improvements to Chinese translations. Provided by leeyazhou. (markt)
  • Add:  Improvements to French translations. (remm)
  • Add:  Improvements to Korean translations. (woonsan)
  • Add:  Improvements to Spanish translations. Provided by Andrewlanecarr. (markt)