Apache Tomcat

Apache Tomcat is an open source piece of software written in the Java programming language and designed to provide users with a native Java environment for running web apps. It is widely known for powering large-scale and mission-critical web applications across a wide range of organizations and industries.

Features at a glance

It is an open source implementation of the Java Servlet and JavaServer Pages technologies, which are developed under the Java Community Process. When developing web apps, you will need to add dynamic content to an existing Apache web server, which is provided by Tomcat.

Tomcat is also widely used for running Java code and applets on an Apache web server, especially be web developers who want to build dynamic websites and applications using the aforementioned Java technologies.

The software comprises of a JSP (JavaServer Pages) engine, a HTTP connector, as well as the Catalina servlet container. While the JSP engine is in charge of the dynamic content of a web app, the servlet container has been engineered to interact with the Java apps.

Under the hood, supported OSes and availability

As mentioned the project is written entirely in the Java programming language, which means that it will run well on GNU/Linux, BSD, Solaris, Microsoft Windows and Mac OS X operating systems. It is available for download as binary and source archives for the aforementioned OSes. Supported architectures include both 32-bit and 64-bit.

Bottom line

Summing up, Apache Tomcat is a reliable solution for anyone who wants to develop rich web applications using open source technologies. It is an important part of the Apache project, which develops the world's most popular and used web server software.

What is new in this release:

• TLS stability improvements.
• Add the ability to specify static HTML responses for specific error codes and/or exception types with the ErrorReportValve.
• Add an async HTTP/2 parser for NIO2.
• Add documentation for the Host Manager web application. Patch provided by Marek Czernek.

What is new in version 8.5.20:

• Catalina:
• Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
• Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
• Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
• Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
• Fix: Fix error message when failed to register MBean. (kfujino)
• Coyote:
• Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
• Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
• Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
• Jasper:
• Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
• Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
• Fix: 59640: NPEs with not found TLDs. (remm)
• Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
• Web applications:
• Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjall. (markt)
• jdbc-pool:
• Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
• Other:
• Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
• Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
• Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
• Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
• Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

What is new in version 8.5.9:

• Catalina:
• Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
• Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
• Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
• Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
• Fix: Fix error message when failed to register MBean. (kfujino)
• Coyote:
• Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
• Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
• Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
• Jasper:
• Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
• Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
• Fix: 59640: NPEs with not found TLDs. (remm)
• Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
• Web applications:
• Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjall. (markt)
• jdbc-pool:
• Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
• Other:
• Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
• Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
• Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
• Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
• Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

What is new in version 8.5.8:

• Catalina:
• Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
• Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
• Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
• Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
• Fix: Fix error message when failed to register MBean. (kfujino)
• Coyote:
• Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
• Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
• Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
• Jasper:
• Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
• Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
• Fix: 59640: NPEs with not found TLDs. (remm)
• Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
• Web applications:
• Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjall. (markt)
• jdbc-pool:
• Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
• Other:
• Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
• Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
• Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
• Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
• Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

What is new in version 8.5.6:

• Catalina:
• Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
• Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
• Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
• Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
• Fix: Fix error message when failed to register MBean. (kfujino)
• Coyote:
• Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
• Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
• Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
• Jasper:
• Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
• Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
• Fix: 59640: NPEs with not found TLDs. (remm)
• Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
• Web applications:
• Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjall. (markt)
• jdbc-pool:
• Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
• Other:
• Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
• Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
• Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
• Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
• Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

What is new in version 8.5.5:

• Catalina:
• Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
• Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
• Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
• Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
• Fix: Fix error message when failed to register MBean. (kfujino)
• Coyote:
• Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
• Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
• Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
• Jasper:
• Fix: 59567: Fix NPE scanning webapps for TLDs when an exploded JAR has an empty WEB-INF/classes/META-INF folder. (remm)
• Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
• Fix: 59640: NPEs with not found TLDs. (remm)
• Fix: 59654: Improve error message when attempting to use a TLD file from an invalid location. Patch provided by Huxing Zhang. (markt)
• Web applications:
• Fix: 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjall. (markt)
• jdbc-pool:
• Fix: Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
• Other:
• Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
• Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
• Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
• Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
• Fix: 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)

What is new in version 8.0.36:

• Catalina:
• Fix: Correct a regression in the fix for 58867. When configuring a Context to use an external directory for the docBase, and that directory happens to be located along side the original WAR, use the directory as the docBase rather than expanding the WAR into the appBase and using the newly created expanded directory as the docBase. (markt)
• Add: 58351: Make the server build date and server version number accessible via JMX. Patch provided by Huxing Zhang. (markt)
• Add: 58988: Special characters in the substitutions for the RewriteValve can now be quoted with a backslash. (fschumacher)
• Fix: 58999: Fix class and resource name filtering in WebappClassLoader. It throws a StringIndexOutOfBoundsException if the name is exactly "org" or "javax". (rjung)
• Code: Remove unnecessary code. There is no support for context level cluster. (kfujino)
• Add: Make checking for var and map replacement in RewriteValve a bit stricter and correct detection of colon in var replacement. (fschumacher)
• Fix: Fix the type of InstanceManager attribute of mbean definition of StandardContext. (kfujino)
• Fix: Refactor the web application class loader to reduce the impact of JAR scanning on the memory footprint of the web application. (markt)
• Fix: Fix some resource leaks in the error handling for accessing files from JARs and WARs. (markt)
• Fix: Refactor the JAR and JAR-in-WAR resource handling to reduce the memory footprint of the web application. (markt)
• Fix: 57809: Deprecate the custom context attribute org.apache.tomcat.util.scan.MergedWebXml which will be removed in Tomcat 9. (markt)
• Fix: 59001: Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. (markt)
• Fix: Expand the fix for 59001 to cover the special sequences used in Tomcat's custom jar:war: URLs. (markt)
• Fix: 59043: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.logout() is used. (markt)
• Fix: 59054: Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. (markt)
• Fix: Storeconfig handling of alternate cookie processors. (markt/remm)
• Fix: Storeconfig handling for socket properties. (remm)
• Add: Log a warning message if a user tries to configure the default session timeout via the deprecated (and ignored) Manager.setMaxInactiveInterval() method. (markt)
• Fix: Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
• Fix: 59065: Correct the timing of the check for colons in paths on non-Windows systems implemented in catalina.sh so it works correctly with Cygwin. Patch provided by Ed Randall. (markt)
• Fix: When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it. (markt)
• Fix: 59115: When using the Servlet 3.0 file upload, the submitted file name may be provided as a token or a quoted-string. If a quoted-string, unquote the string before returning it to the user. (markt)
• Fix: 59123: Close NamingEnumeration objects used by the JNDIRealm once they are no longer required. (fschumacher/markt)
• Fix: 59138: Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. (markt)
• Fix: 59145: Don't log an invalid warning when a user logs out of a session associated with SSO. (markt)
• Fix: 59151: Fix a regression in the fix for 56917 that added additional (and arguably unnecessary) validation to the provided redirect location. (markt)
• Fix: 59154: Fix a NullPointerException in the JASSMemoryLoginModue resulting from the introduction of the CredentialHandler to Realms. (schultz/markt)
• Coyote:
• Fix: 58646: Correct a problem with sendfile that resulted in a Processor being added to the cache twice leading to broken responses. (markt)
• Fix: 59015: Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. (markt)
• Fix: Align cipher aliases for kECDHE and ECDHE with the current OpenSSL implementation. (markt)
• Fix: 59081: Retain the user defined cipher order when defining ciphers using the OpenSSL format. (markt)
• Fix: 59089: Correctly ignore HTTP headers that include non-token characters in the header name. (markt)
• Add: Add support for additional OpenSSL cipher aliases from OpenSSL master when specifying ciphers using the OpenSSL syntax. (markt)
• Jasper:
• Fix: 57583: Improve the performance of javax.servlet.jsp.el.ScopedAttributeELResolver when resolving attributes that do not exist. This improvement only works when Jasper is used with with Tomcat's EL implementation. (markt)
• Update: 58111: Update to the Eclipse JDT Compiler 4.5. (markt)
• Add: Add Java 9 support for JSPs. (markt)
• WebSocket:
• Fix: 59014: Ensure that a WebSocket close message can be sent after a close message has been received. (markt)
• Fix: Correctly handle compression of partial messages when the final message fragment has a zero length payload. (markt)
• Fix: 59119: Correct read logic for WebSocket client when using secure connections. (markt)
• Fix: 59134: Correct client connect logic for secure connections made through a proxy. (markt)
• Fix: 59189: Explicitly release the native memory held by the Inflater and Deflater when using PerMessageDeflate and the WebSocket session ends. Based on a patch by Henrik Olsson. (markt)
• Web applications:
• Fix: Correct an error in the documentation of the expected behaviour for automatic deployment. If a WAR is updated and an expanded directory is present, the directory will always be deleted and recreated by expanding the WAR if unpackWARs is true. (markt)
• Fix: 58935: Remove incorrect references in the documentation to using jar:file: URLs with the Manager application. (markt)
• Fix: Correct the description of the ServletRequest.getServerPort() in Proxy How-To. Issue reported via comments.apache.org. (violetagg)
• Fix: Fix a potential indefinite wait in the Comet Chat servlet in the examples web application. (markt)
• Tribes:
• Fix: If promoting a proxy node to a primary node when getting a session, notify the change of the new primary node to the original backup node. (kfujino)
• Other:
• Fix: 58283: Change the default download location for libraries during the build process from /usr/share/java to ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
• Fix: 59031: When using the Windows uninstaller, do not remove the contents of any directories that have been symlinked into the Tomcat directory structure. (markt)
• Update: Update the packaged version of the Tomcat Native Library to 1.2.5 to pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR 1.5.1. (markt)
• Update: Modify the default tomcat-users.xml file to make it harder for users to configure the entries intended for use with the examples web application for the Manager application. (markt)

What is new in version 8.0.32:

• General:
• Add: Allow to configure multiple JUnit test class patterns with the build property test.name and document the property in BUILDING.txt. (rjung)
• Fix: 58768: Log a warning if a redirect fails because of an invalid location. (markt)
• Catalina:
• Fix: Fix class loader decision on the delegation for class loading and resource lookup and make it faster too. (rjung)
• Fix: 58946: Ensure that the request parameter map remains immutable when processing via a RequestDispatcher. (markt)
• Fix: 58827: Deprecate what is left of the JSR 77 implementation. (markt)
• Fix: 58905: Ensure that Tomcat.silence() silences the correct logger and respects the current setting. (markt)
• Coyote:
• Add: New configuration option ajpFlush for the AJP connectors to disable the sending of AJP flush packets. (rjung)
• Cluster:
• Fix: Correct a regression in the session attribute filtering that prevented clustering from starting in the default configuration. (kfujino)
• WebSocket:
• Fix: Fix a timing issue on session close that could result in an exception being thrown for an incomplete message even through the message was completed. (markt)