  1. Sakai
  2. SAK-43214

Update Apache Tomcat 9.0.31



    • Type: Bug
    • Status: RESOLVED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 19.3
    • Fix Version/s: 21.0 [Tentative]
    • Component/s: Master
    • Labels:
    • 20 status:
      Please Merge
    • 19 status:
      Please Merge





      •  Do not store username and password as session notes during authentication if they are not needed. (kkolinko)
      •  Avoid useless environment restore when not using GSSCredential in JNDIRealm. (remm)
      •  58577: Respect the argument-count when searching for MBean operations to invoke via the JMXProxyServlet. (schultz)
      •  63691: Skip all jar and directory scanning when the wildcard pattern "*" or "*.jar" is set or added to tomcat.util.scan.StandardJarScanFilter.jarsToSkip. (isapir)
      •  64005: Correct a regression in the static resource caching changes introduced in 9.0.28. Avoid a NullPointerException when working with the URL provided for the root of a packed WAR. (markt)
      •  64006: Provide default configuration source based on the current directory if none has been set, for full compatibility with existing code. (remm)
      •  64008: Clarify/expand the Javadoc for the Tomcat#addWebapp() and related methods. (markt)
      •  Deprecate the JmxRemoteLifecycleListener as the features it provides are now available in the remote JMX capability included with the JRE. This listener will be removed in Tomcat 10 and may be removed from Tomcat 9.0.x some time after 2020-12-31. (markt)
      •  64011: JNDIRealm no longer authenticates to LDAP. (michaelo)
      •  64021: Ensure that container provided SCIs are always loaded before application provided SCIs. Note that where both the container and the application provide the same SCI, it is the application provided SCI that will be used. (markt)
      •  SCI definitions from JARs unpacked into WEB-INF/classes are now handled consistently and will always be found irrespective of whether the web application defines a JAR ordering or not. (markt)
      •  64023: Skip null-valued session attributes when deserializing sessions. (schultz)
      •  Do not throw a NullPointerException when an MBean or operation cannot be found by the JMXProxyServlet. (schultz)
      •  64067: Allow more than one parameter when defining RewriteMaps. (fschumacher)
      •  64074: InputStreams for directories obtained from resource URLs now return a directory listing consistent with the behaviour of FileURLConnection. In addition to restoring the behaviour that was lost as a result of the introduction of CachedResourceURLConnection, it expands the feature to include packed WARs and to take account of resource JARs. (markt)
      •  Refactor recycle facade system property into a new connector attribute named discardFacades. (remm)
      •  64089: Add ${...} property replacement support to XML external entity definitions. (markt)
      •  Deprecate MappingData.contextPath as it is unused. (markt)
      •  Fix a problem that meant that remote host, address and port information could be missing in the access log for an HTTP/2 request where the connection was closed unexpectedly.


      •  Simplify NIO blocking read and write. (remm)
      •  Ensure that Servlet Asynchronous processing timeouts fire when requests are made using HTTP/2. (markt)
      •  Fix the corruption of the TLS configuration when using the deprecated TLS attributes on the Connector if the configuration has already been set via the new SSLHostConfig and SSLHostConfigCertificate elements. (markt)
      •  63966: Switch the message shown when using HTTP to connect to an HTTPS port from ISO-8859-1 to UTF-8. (markt)
      •  64007: Cancel selection key in poller before wrapper close to avoid possible deadlock. (remm)
      •  Add support for RFC 5915 formatted, unencrypted EC key files when using a JSSE based TLS connector. (markt)
      •  Correct a regression introduced in 9.0.28 that meant invalid tokens in the Transfer-Encoding header were ignored rather than treated as an error. (markt)
      •  Rename the HTTP Connector attribute rejectIllegalHeaderName to rejectIllegalHeader and expand the underlying implementation to include header values as well as names. (markt)
      •  Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt)
      •  Change the default bind address for the AJP/1.3 connector to be the loopback address. (markt)
      •  Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String. (markt)
      •  Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)
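
As an added example (not part of the Tomcat changelog or the Sakai issue), this Python check audits a server.xml against the AJP/1.3 connector changes listed above. The sample XML is constructed, the function names and finding strings are hypothetical, and treating a legacy requiredSecret value as the configured secret is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from Sakai or the Tomcat distribution).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- <Connector port="8009" protocol="AJP/1.3" /> -->
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0"
               requiredSecret="changeme" />
    <Connector port="8011" protocol="AJP/1.3" address="::1"
               secretRequired="false" />
    <Connector port="8012" protocol="AJP/1.3" secret="s3cr3t-constructed"
               allowedRequestAttributesPattern=".*" />
  </Service>
</Server>
"""

def is_loopback(address):  # loopback IP literal or the name "localhost"
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:          # some other hostname: cannot prove loopback
        return False

def audit_ajp_connectors(server_xml):
    """Return {port: [finding, ...]} for every enabled AJP connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue            # commented-out connectors never reach here
        findings = []
        address = conn.get("address")          # absent: loopback since 9.0.31
        if address is not None and not is_loopback(address):
            findings.append("non-loopback bind address")
        if "requiredSecret" in conn.attrib:
            findings.append("requiredSecret renamed to secret")
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if not secret_required:
            findings.append("secretRequired disabled")
        elif not secret:
            findings.append("no secret: connector will not start")
        if conn.get("allowedRequestAttributesPattern") in (".*", ".+"):
            findings.append("allowedRequestAttributesPattern matches everything")
        report[conn.get("port")] = findings
    return report
```

Calling `audit_ajp_connectors(SAMPLE_SERVER_XML)` returns one entry per enabled AJP connector; an empty list means none of the checked settings deviates from the 9.0.31 defaults described above.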


      •  Update the performance optimisation for using expressions in tags that depend on uninitialised tag attributes with implied scope to make the performance optimisation aware of the new public class (java.lang.Record) added in Java 14. (markt)
      •  64097: Replace the faulty custom services lookup used for ExpressionFactory implementations with ServiceLoader. (markt)
      •  Add a META-INF/services entry to jasper-el.jar so that the Expression Language implementation can be discovered via the services API. (markt)


      •  64043: Ensure that session ID changes are replicated during form-authentication. (kfujino)

        Web applications

      •  64000: In the examples web application, where a Servlet example includes i18n support, the Locale used should be based on the request locale and not the server locale. (markt)
      •  Add additional information on securing AJP/1.3 Connectors. (markt)


      •  63995: Ensure statements are closed when a pooled JDBC connection is passivated in Tomcat's fork of Commons DBCP2. (markt)






                dhorwitz David Horwitz