Tomcat 9.0.13 (markt)


  • Add: 58590: Add the ability for a UserDatabase to monitor the backing XML file for changes and reload the source file if a change in the last modified time is detected. This is enabled by default meaning that changes to $CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the file is saved. (markt)
  • Add: 61171: Add the portOffset attribute to the Server element which is added to the configured shutdown and Connector ports. Based on a patch by Marek Czernek. (markt)
  • Add: 61692: Add the ability to control which HTTP methods are handled by the CGI Servlet via a new initialization parameter cgiMethods. (markt)
  • Fix: 62687: Expose content length information for resources when using a compressed war. (remm)
  • Fix: 62737: Fix rewrite substitutions parsing of {} nesting. (remm)
  • Fix: Add rewrite flags output when getting the rewrite configuration back. (remm)
  • Fix: Add missing qsdiscard flag to the rewrite flags as a cleaner way to discard the query string. (remm)
  • Add: 62755: Add ability to opt out of adding the default web.xml config when embedding Tomcat and adding a context via addWebapp(). Call setAddDefaultWebXmlToWebapp(false) to prevent the automatic config. (isapir)
  • Fix: Add documentation about the files context.xml.default and web.xml.default that can be used to customize conf/context.xml and conf/web.xml on a per host basis. (fschumacher)
  • Fix: Ensure that a canonical path is always used for the docBase of a Context to ensure consistent behaviour. (markt)
  • Fix: 62803: Fix SSL connector configuration processing in storeconfig. (remm)
  • Fix: 62797: Pass throwable to keep client aborts with status 200 rather than 500. Patch submitted by zikfat. (remm)
  • Fix: 62802: Restore the appContextProtection attribute to the JreMemoryLeakPreventionListener as application code may still trigger this memory leak. (markt)
  • Fix: 62809: Correct a regression in the implementation of DIGEST authentication support for the Deployer Ant tasks (bug 45832) that prevented the DeployTask from working when authentication was required. (markt)
  • Update: Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
  • Add: Ignore an attribute named source on Context elements provided by StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat integration provided by Eclipse. Based on a patch by mdfst13. (markt)
  • Add: 62830: Added JniLifeCycleListener and static methods Library.loadLibrary(libraryName) and Library.load(filename) to load a native library by a shared class loader so that more than one Webapp can use it. (isapir)
  • Code: Refactor the Connector so that the port is obtained from the Endpoint rather than a local field that could end up out of sync. (markt)
  • Add: Add EncryptInterceptor to the portfolio of available clustering interceptors. This adds symmetric encryption of session data to Tomcat clustering regardless of the type of cluster manager or membership being used. (schultz)
  • Fix: Correct a typo in the Spanish resource files. Patch provided by Diego Agulló. (markt)
  • Fix: 62868: Order the Enumeration<URL> provided by WebappClassLoaderBase.getResources(String) according to the setting of the delegate flag. (markt)


  • Add: Add TLSv1.3 to the default protocols and to the all alias for JSSE based TLS connectors when running on a JVM that supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
  • Fix: 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. Patch provided by AG. (markt)
  • Fix: Make PEM file parser a public utility class. (remm)
  • Fix: 62739: Do not reject requests with an empty HTTP Host header. Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt)
  • Add: 62748: Add TLS 1.3 support for the APR/Native connector and the NIO/NIO2 connector when using the OpenSSL backed JSSE implementation. (schultz/markt)
  • Fix: 62791: Remove an unnecessary check in the NIO TLS implementation that prevented from secure WebSocket connections from being established. (markt)
  • Fix: Fix server initiated TLS renegotiation to obtain a client certificate when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. (m