· A fix for an information disclosure issue.
· Various fixes to stop Tomcat attempting to parse text that looks like an EL expression in a JSP document as an EL expression when EL expressions are either not permitted or not enabled.
· Improved handling and reporting if a ConcurrentModificationException occurs while checking for memory leaks when a web application is being stopped.
· Fixed the regression, introduced in 7.0.35, in the JspC tool that is used to pre-compile JSP pages.
· Improved handling of ciphers and sslEnabledProtocols options for the BIO and NIO connectors. The behaviour of each connector is now the same. The values provided are pruned to those supported by the SSL implementation. When none of the remaining values are supported, a warning is issued and the connector is configured with an empty set of options (which essentially disables HTTPS support).
· Updated to Commons Daemon 1.0.13.
· Integrated documentation of Tomcat 7 with Apache Comments System. People can leave their comments when reading the documentation online.
· Improved detection of JAVA_HOME on OSX.
· Added support for auto-detection and configuration of JARs on the classpath that provide tag plug-in implementations.
· Improvements to the AccessLogValve to better handle non-standard DST changes and to provide an option for the current access log to have a standard name.
· Fixed various JMX registration and deregistration issues.
· Updated the Eclipse JDT compiler to 4.2.1.
· A fix to the AccessLogValve to address a bug that caused some entries to be made with incorrect time stamps.
· A re-written, smaller, faster HTTP header parser.
· Further performance improvements for Jasper, Tomcat's JSP engine.
· A new option to automatically remove old, unused versions (ones where there are no longer any active sessions) of applications deployed using parallel deployment.
· Faster parsing of JSPs.
· Making the members and deployer associated with a cluster visible via JMX.
· Significantly reduced memory footprint during web application start while Servlet 3.0 annotation and SCI scanning is in progress.
· Adds support for scanning of classes that use Java 7 specific byte code for Servlet 3.0 annotation and SCI scanning.
· Improvements to DIGEST and FORM authentication.
· Added support for a default error page.
· The servlet version defined in web.xml no longer determines if Tomcat scans for annotations when the web application starts. This is now solely controlled by the metadata-complete element.
· On web application start, JARs are now always scanned for ServletContainerInitializers regardless of the setting of metadata-complete.
· The minimum APR/native library version required if the APR/native connector is used is now 1.1.24.
· Various fixes and improvements to WebSocket support including the use of infinite time outs by default for WebSocket connections.
· Various fixes and improvements to annotation scanning.
· Support for the WebSocket protocol (RFC6455). Both streaming and message based APIs are provided and the implementation currently fully passes the Autobahn test suite. Also included are several examples.
· A number of fixes to the HTTP NIO connector, particularly when using Comet.
· Improve the memory leak prevention and detection code so that it works well with JVMs from IBM.
· Improved @HandlesTypes processing, which no longer loads all classes on web application start.
· Ensure that POST bodies are available for replay after FORM authentication when using the AJP connectors.
· Corrected a regression that broke annotation scanning for many use cases including web applications packaged as WARs and many embedded scenarios.
· This release includes many bug fixes and a number of security fixes over Apache Tomcat 5.5.34.
· Added the ability to start and stop child containers.
· Cache the results of parsing the global and host level context.xml files to improve start times.
· Improved the handling of failed deployments so that a broken application can be fixed (e.g. via JMX) and another attempt made to start it rather than it having to be removed.
· Further improvements to the memory leak detection and prevention features.
· Fix issue that prevented using SSL with the HTTP BIO connector and Java 7.
· Add support for controlling which session attributes are replicated when using session replication (a.k.a. clustering).
· A fix for CVE-2011-3190, which allowed an attacker to inject requests when Tomcat was configured behind a reverse proxy using the AJP protocol.
· Multiple additions and improvements to the memory leak detection/prevention features.
· Improved validation of received AJP messages.
· JSP files with dependencies in JARs are no longer recompiled on every access thereby improving performance.
· Update to version 1.1.22 of the native component of the AJP and HTTP APR/native connectors.
· Update to Commons Daemon 1.0.7.
· Converted unit tests to JUnit 4.
· JSP recompilation is now triggered by any change (backwards as well as forwards) in the last modified time of the JSP or any of its dependencies.
· Support for installing multiple instances with the Windows Installer.
· Include jdbc-pool (an alternative database connection pool).
· NIO implementation of the AJP connector.
· Enable Servlet 3 asynchronous processing support when using clustering.
· Add parallel deployment support to the Manager's Ant tasks.
· New StuckThreadDetectionValve to identify long running requests.
· JAAS authentication support for the JMXRemoteLifecycleListener.
· Updated MIME type mappings to align with those of Apache httpd.
Fixed bugs:
· Add URL encoding where missing to parameters in URLs presented by Ant tasks to the Manager application.
· Improve handling of SSL renegotiation by failing earlier when the request body contains more bytes than maxSavePostSize.
· Improve shut down speed by not renewing threads during shut down when the ThreadLocalLeakPreventionListener is enabled.
Catalina:
· Fix NPE in CoyoteAdapter when postParseRequest() call fails.
· 50709: Make ApplicationContextFacade non-final to enable extension.
· When running under a security manager, user requests may fail with a security exception.
Coyote:
· Reduce level of log message for invalid URL parameters from WARNING to INFO.
· Fix hanging Servlet 3 asynchronous requests when using the APR based AJP connector.
Other:
· Align server.xml installed by the Windows installer with the one bundled in zip/tar.gz files. The differences are LockOutRealm being used and AccessLogValve being enabled by default.
· Add an option to the Authenticators to force the creation of a session on authentication which may offer some performance benefits.
· Correct removal of LifeCycleListeners from Containers via JMX.
· Return the client's IP address rather than null for calls to getRemoteHost() when the APR connector is used with enableLookups="true" but the IP address is not resolvable.
· Avoid leak caused by using a cached exception instance in JspDocumentParser and ProxyDirContext.
· Make TagLibraryInfo.getTag() more robust at handling nulls.
· Update to Commons Daemon 1.0.4.
· Add support for maxActiveSessions attribute to BackupManager.
· Provide a mechanism to gracefully handle the case where users book-mark the form login page or otherwise misuse the FORM authentication process.
· Fix threading issues in org.apache.catalina.security.SecurityUtil.
· Apache Tomcat 7.0 includes new features over Apache Tomcat 6.0, including support for the new Servlet 3.0, JSP 2.2 and EL 2.2 specifications, web application memory leak detection and prevention, improved security for the Manager and Host Manager applications, Generic CSRF protection, support for including external content directly in a web application (aliases), re-factoring (connectors, life-cycle) and lots of internal code clean-up.
· The 7.0.4 release contains numerous bug fixes compared to 7.0.2.
· Encode all property files using ASCII-escaped UTF-8. Also fixes deployment problem when using French locale.
· Deprecate the jni Buffer and Thread classes.
· Make location and filename of catalina.out configurable in catalina.sh.
· Update Windows installer to use NSIS 2.45.
· Correct MD5 generation in the build process.
· Encode all property files using ASCII-escaped UTF-8.