Imperial Cleaning

How do I ensure that my servlet is thread-safe?

Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster.

Most Popular jGuru Stories

Immutable objects are automatically thread-safe. Immutable objects do not require a copy constructor. Immutable objects do not require an implementation of clone. Immutable objects allow hashCode to use lazy initialization, and to cache its return value. Immutable objects do not need to be copied defensively when used as a field.

Immutable objects are good Map keys and Set elements Since state of these objects must not change while stored in a collection. Immutable objects have their class invariant established once upon construction, and it never needs to be checked again.

Immutable objects always have "failure atomicity" a term used by Joshua Bloch: To create a object immutable You need to make the class final and all its member final so that once objects gets crated no one can modify its state. You can achieve same functionality by making member as non final but private and not modifying them except in constructor.

Also its NOT necessary to have all the properties final since you can achieve same functionality by making member as non final but private and not modifying them except in constructor. The main difference between the three most commonly used String classes as follows. StringBuffer and StringBuilder objects are mutable whereas String class objects are immutable. StringBuffer class implementation is synchronized while StringBuilder class is not synchronized. If the Object value can change and will only be modified from a single thread, use a StringBuilder because StringBuilder is unsynchronized means faster.

If the Object value may change, and can be modified by multiple threads, use a StringBuffer because StringBuffer is thread safe synchronized. It is very useful to have strings implemented as final or immutable objects. Below are some advantages of String Immutability in Java Immutable objects are thread-safe. Two threads can both work on an immutable object at the same time without any possibility of conflict. You can create substrings without copying. You just create a pointer into an existing base String guaranteed never to change.

Immutability is the secret that makes Java substring implementation very fast. Immutable objects are good fit for becoming Hashtable keys. If you change the value of any object that is used as a hash table key without removing it and re-adding it you will lose the object mapping. Since String is immutable, inside each String is a char[] exactly the correct length. Unlike a StringBuilder there is no need for padding to allow for growth.

If String were not final, you could create a subclass and have two strings that look alike when "seen as Strings", but that are actually different. The Java Spec says that everything in Java is pass-by-value.

There is no such thing as "pass-by-reference" in Java. The difficult thing can be to understand that Java passes "objects as references" passed by value. This can certainly get confusing and I would recommend reading this article from an expert: Java Pass By Ref or Value.

In this situation, the context cannot be used as a location to share global information because the information won't be truly global.

Use an external resource like a database instead. The ServletContext object is contained within the ServletConfig object, which the Web server provides the servlet when the servlet is initialized. This method was originally defined to retrieve a servlet from a ServletContext. In this version, this method always returns null and remains only to preserve binary compatibility. In lieu of this method, servlets can share information using the ServletContext class and can perform shared business logic by invoking methods on common non-servlet classes.

This method was originally defined to return an Enumeration of all the servlet names known to this context. In this version, this method always returns an empty Enumeration and remains only to preserve binary compatibility. This method was originally defined to return an Enumeration of all the servlets known to this servlet context.

In this version, this method always returns an empty enumeration and remains only to preserve binary compatibility. This method was originally defined to write an exception's stack trace and an explanatory error message to the servlet log file.

File provided by the servlet container for the ServletContext See Also: String getContextPath Returns the context path of the web application.

The context path is the portion of the request URI that is used to select the context of the request. The context path always comes first in a request URI. For servlets in the default root context, this method returns "". It is possible that a servlet container may match a context by more than one context path. In such cases the HttpServletRequest. The context path returned by this method should be considered as the prime or preferred context path of the application.

The context path of the web application, or "" for the default root context Since: This method allows servlets to gain access to the context for various parts of the server, and as needed obtain RequestDispatcher objects from the context. In a security conscious environment, the servlet container may return null for a given URL. All implementations that comply with Version 3.

The value returned may be different from getMajorVersion , which returns the major version of the Servlet specification supported by the Servlet container.

The value returned may be different from getMinorVersion , which returns the minor version of the Servlet specification supported by the Servlet container. The MIME type is determined by the configuration of the servlet container, and may be specified in a web application deployment descriptor. For example, for a web application containing: This method allows the servlet container to make a resource available to servlets from any source.

Resources can be located on a local or remote file system, in a database, or in a. This method returns null if no resource is mapped to the pathname. The resource content is returned directly, so be aware that requesting a.

Use a RequestDispatcher instead to include results of an execution. This method has a different purpose than java. This method does not use class loaders. The data in the InputStream can be of any type or length. The path must be specified according to the rules given in getResource.

This method returns null if no resource exists at the specified path. Meta-information such as content length and content type that is available via getResource method is lost when using this method. This method is different from java. This method allows servlet containers to make a resource available to a servlet from any location, without using a class loader. A RequestDispatcher object can be used to forward a request to the resource or to include the resource in a response.

Constants and ensure that the constants are correctly used. Avoid infinite recursion, when trying to validate a session while loading it with PersistentManager. Ensure that NamingContextListener instances are only notified once of property changes on the associated naming resources. Correct off-by-one error in thread pool that allowed thread pools to increase in size to one more than the configured limit. Patch provided by usc. Work-around a known, non-specification compliant behaviour in some versions of IE that can allow XSS when the Manager application generates a plain text response.

Based on a suggestion from Muthukumar Marikani. Document how the roles for an authenticated user are determined when the CombinedRealm is used. Ensure that SQLWarning has been cleared when connection returns to the pool. Enable PoolCleaner to be started even if validationQuery is not set. Update the build script so MD5 hashes are no longer generated for releases as per the change in the ASF distribution policy.

Prevent a stack trace being written to standard out when running on Java 10 due to changes in the LogManager implementation. Fix calling classloading transformers broken in 7. This was observed when using Spring weaving. When a JNDI reference cannot be resolved, ensure that the root cause exception is reported rather than swallowed. When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator , cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks.

Correctly apply security constraints mapped to the context root using a URL pattern of "". When using Tomcat embedded, only perform Authenticator configuration once during web application start. Process all ServletSecurity annotations at web application start rather than at servlet load time to ensure constraints are applied consistently.

Add documentation for the Host Manager web application. Patch provided by Marek Czernek. Use a loop to preload anonymous inner classes when running under a SecurityManager , to be safe for future changes in the code or using a different compiler. Patch provided by Dmitri Blinov. Support configure the interval to keep all jars open if no jar is accessed, a non-positive interval indicates keeping jars always open.

Pre-load additional classes to prevent SecurityException s if the first request received when running under a SecurityManager is an asynchronous Servlet. Extend the AddDefaultCharsetFilter to add a character set when the content type is set via setHeader or addHeader as well as when it is set via setContentType.

The exception will be made available to the application via the asynchronous error handling mechanism. Add a new system property org. Partial fix for Prevent ConcurrentModificationException when running the asynchronous stock ticker in the examples web application.

Prevent NullPointerException and other errors if the stock ticker example is running when the examples web application is stopped.

Clarify the meaning of the allowLinking option in the documentation web application. Document the new JvmOptions9 command line parameter for tomcat7.

Prevent NullPointerException n when using the statement cache of connection that has been closed. Update the internal fork of Commons FileUpload to 6c00d57 to pick up some code clean-up. Update the internal fork of Commons Codec to r to pick up some code clean-up. The native source bundles for Commons Daemon and Tomcat Native are no longer copied to the bin directory for the deploy target.

They are now only copied to the bin directory for the release target. Revert the change from 7. Patch provided by isapir. Improve performance of NIO connector when clients leave large time gaps between network packets. Patch provided by Zilong Song. Invalid expressions in attribute values or template text should trigger a translation compile time error, not a run time error. Add support for authentication in the websocket client.

Patch submitted by J Fernandez. Add XML filtering for the status servlet output where needed. Fix incorrect behavior that attempts to resend channel messages more than the actual setting value of maxRetryAttempts. Ensure that the remaining Sender can send channel messages by avoiding unintended ChannelException caused by comparing the number of failed members and the number of remaining Senders.

Ensure that remaining SelectionKeys that were not handled by throwing a ChannelException during SelectionKey processing are handled.

Improve handling of endorsed directories. When running on Java 9, any such attempted use of the endorsed directory mechanism will trigger an error and Tomcat will fail to start. Refactoring in preparation for Java 9. Refactor to avoid using some methods that will be deprecated in Java 9 onwards.

When using the Windows installer, check if the requested service name already exists and, if it does, prompt the user to select an alternative service name. Patch provided by Ralph Plawetzki. Add necessary Java 9 configuration options to the startup scripts to prevent warnings being generated on web application stop. Update the Windows installer to search the new as of Java 9 registry locations when looking for a JRE.

Add generation of a SHA hash for release artifacts to the build script. Update the Windows installer to use "The Apache Software Foundation" as the Publisher when Tomcat is displayed in the list of installed applications in Microsoft Windows. Remove outdated SSL information from the Security documentation. When running under a SecurityManager, do not print a warning about not being able to read a logging configuration file when that file does not exist. Note that the default configuration does not change the existing behaviour.

Correct regression in 7. When using the CGI servlet, make the generation of command line arguments from the query string as per section 4. The feature is enabled by default for consistency with previous releases. Based on a patch by jm Correct a regression in 7. Use the correct path when loading the JVM logging.

Exclude test files in unusual encodings and markdown files intended for display in GitHub from RAT analysis. Patch provided by Chris Thistlethwaite. In this case the client certificate without the chain will be presented to the application. Based on a patch by Peter Major. Add an option to reject requests that contain HTTP headers with invalid non-token header names with a response. When using the permessage-deflate extension, correctly handle the sending of empty messages after non-empty messages to avoid the IllegalArgumentException.

To avoid unexpected session timeout notification from backup session, update the access time when receiving the map member notification message. Add member info to the log message when the failure detection check fails in TcpFailureDetector. When sending a channel message, make sure that the Sender has connected. Correct the backup node selection logic that node 0 is returned twice consecutively.

Fix race condition of responseMap in RpcChannel. Ensure that failed queries are logged if the SlowQueryReport interceptor is configured to do so and the connection has been abandoned. Patch provided by Craig Webb. Ensure that transaction of idle connection has terminated when the testWhileIdle is set to true and defaultAutoCommit is set to false.

Patch provided by WangZheng. Correctly handle invocations of methods defined in the PooledConnection interface when using pooled XA connections. Patch provided by Nils Winkler. Update fix for so that values less than zero are accepted instead of throwing a NegativeArraySizeException. Correct typos in Spanish translation.

Avoid NullPointerException if directory exists on the class path that is not readable by the Tomcat user. The thread that cleans the log files is marked as daemon thread. When log rotation is disabled only one separator will be used when generating the log file name.

For example if the prefix is catalina. Patch provided by Katya Stoycheva. Add warn message when Digester. Based on patches by Peter Maloney and Felix Schumacher. Ensure to explicitly signal an empty request body for HTTP responses. Additional fix to r Based on a patch provided by Alexandr Saperov.

Correct two regressions caused by the fix for when using BIO with an external Executor. Firstly, use the maxThreads setting from the Executor as the default for maxConnections if none is specified. Secondly, use maxThreads from the Executor when calculating the point at which to disable keep-alive.

Add additional logging to record problems that occur while waiting for the NIO pollers to stop during the Connector stop process. Prevent exceptions being thrown during normal shutdown of NIO connections. This enables TLS connections to close cleanly. Add support to the WebSocket client for following redirects when attempting to establish a WebSocket connection.

Patch provided by J Fernandez. Add the ability to set the defaults used by the Windows installer from a configuration file. Patch provided by Sandra Madden. CORS filter should set Vary header in response.

Submitted by Rick Riemer. Based on a patch by Lucas Ventura Carro. Allow the Manager and Host Manager web applications to start by default when running under a security manager.

This was accomplished by adding a custom permission, org. Polish the javadoc for o. A new configuration property crawlerIps is added to the o. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address.

Based on a patch provided by Tetradeus. Log a warning message rather than an information message if it takes more than ms to initialised a SecureRandom instance for a web application to use to generate session identifiers.

Patch provided by Piotr Chlebda. When an asynchronous request is dispatched via AsyncContext. Explicitly signal an empty request body for HTTP responses. Revert a change introduced in the fix for bug that changed the status code recorded in the access log when the client dropped the connection from to Make asynchronous error handling more robust.

Improve error message when JSP compiler configuration options are not valid. Improve thread-safety of Future s used to report the result of sending WebSocket messages. Correct a regression in the previous fix for that could trigger a deadlock depending on the locking strategy employed by the client code. Document the altDDName attribute for the Context element.

Add missing Documented annotation to annotations in the annotations API. Patch provided by Katya Todorova. Correct typo in Context Container Configuration Reference. Allow to exclude JUnit test classes using the build property test. Review those places where Tomcat re-encodes a URI or URI component and ensure that that correct encoding path differs from query string is applied and that the encoding is applied consistently. Use a more reliable mechanism for the DefaultServlet when determining if the current request is for custom error page or not.

Ensure that when the Default or WebDAV servlets process an error dispatch that the error resource is processed via the doGet method irrespective of the method used for the original request that triggered the error. If a static custom error page is specified that does not exist or cannot be read, ensure that the intended error status is returned rather than a When the WebDAV servlet is configured and an error dispatch is made to a custom error page located below WEB-INF , ensure that the target error page is displayed rather than a response.

Add MIME mapping for woff2 fonts in the default web. Patch provided by Justin Williamson. Respect the documentation statements that allow using the platform default secure random for session id generation. Correct the javadoc for o. Improve the handling of access to properties defined by interfaces when a BeanELResolver is used under a SecurityManager.

AsyncChannelWrapperSecure are correctly reset even if some exceptions occurred during processing. Document the property test. Add documents for maxIdleTime attribute to Channel Receiver docs. Refactor the creating a constructor for a proxy class to reduce duplicate code.

Correct comments about Java 8 in Jre8Compat. Patch provided by fibbers via Github. Correctly escape single quotes when used in i18n messages. Based on a patch by Michael Osipov. Based on a patch by Didier Gutacker. When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. Correctly spell compressible when used in configuration attributes and internal code.

Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. Implement equals and hashCode in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set.

This behavior can be changed with useStatementFacade attribute. Make it easier for sub-classes of Tomcat to modify the default web. Patch provided by Aaron Anderson.

Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. Remove final marker from CorsFilter to enable sub-classing. Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed event was not being fired and an entry wasn't being made in the access logs.

Ensure that the Map returned by ServletRequest. Based on a patch provided by woosan. Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. Ensure request and response facades are used when firing application listeners. Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.

Refactor code generated for JSPs to reduce the size of the code required for tags. Patch provided by Svetlin Zarev. Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext. This class cannot be built with Java 6. Update all unit tests that test the HTTP status line to check for the required space after the status code.

Make the accessTimeout configurable in BackupManager. Ensure the ASF logo image is correctly displayed in docs and host-manager applications. Correctly handle the configClass attribute of a Host when embedding Tomcat.

Dispose of the GSS credential once it is no longer required. The default value is different for the different implementations. Update the warnings that reference required options for running on Java 9 to use the latest syntax for those options.

Fix thread safety issue with RMI cleanup code. Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as 0.

Prevent read time out when the file is deleted while serving the response. The issue was observed only with APR Connector and sendfile enabled. Improve the logic that selects an address to use to unlock the Acceptor to take account of platforms what do not listen on all local addresses when configured with an address of 0.

When unable to complete sendfile request, ensure the Processor will be added to the cache only once. Add support for varargs in UEL expressions. Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. Follow up fix using a better variable name for the tag reuse flag. Correct a typo in Host Configuration Reference. Issue reported via comments. In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic.

Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. Add log message that PING message has received beyond the timeout period. When a PING message that beyond the time-out period has been received, make sure that valid member is added to the map membership.

Avoid possible handshake overflows in the websocket client. Implement the statistics of jdbc-pool. If validationQuery is not specified, connection validation is done by calling the isValid method. Fix testcase of TestSlowQueryReport. Patch provided by Petter Isberg. New property is added test. Patch provided by Emmanuel Bourg.

Patch provided by Tatsuya Bessho. Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type.

Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. Log a warning if deserialization issues prevent a session attribute from being loaded. Correctly test for control characters when reading the provided shutdown password. When configuring the JMX remote listener, specify the allowed types for the credentials.

Avoid potential threading issues that could cause excessively large vales to be returned for the processing time of a current request. Log instances of HeadersTooLargeException during request processing. When using an Executor, disconnect it from the Connector attributes maxThreads , minSpareThreads and threadPriority to enable the configuration settings to be consistently reported.

These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. Based on a patch by Cris Berneburg. Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani.

Fix default value of validationInterval attribute in jdbc-pool. When the proxy node sends a backup retrieve message, ensure that using the channelSendOptions that has been set rather than the default channelSendOptions. Ensure that use all method arguments as a cache key when using StatementCache. Correct Javadocs for PoolConfiguration. Reported by Phillip Webb. Based upon a documentation patch by James H.

Remove preloading of the class that was deleted. Notify jmx when returning the connection that has been marked suspect.

Update to Commons Daemon 1. Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero.

Improve error handling around user code prior to calling InstanceManager. Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an unexpected initialisation thread and if initilisation is not thread-safe the initialisation can then fail.

By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context.

Provide a mechanism that enables the container to check if a component typically a web application has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component.

Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. When retrieving an object via a ResourceLink , ensure that the object obtained is of the expected type. Do not start the web application if the error page configuration in web. Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. Add a new initialisation parameter, envHttpHeaders , to the CGI Servlet to mitigate httpoxy CVE by default and to provide a mechanism that can be used to mitigate any future, similar issues.

When adding and removing ResourceLink s dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. Improve handling of exceptions during a Lifecycle events triggered by a state transition.

Better error message if a JAR is deleted while a web application is running. Deleting a JAR while the application is running is not supported and errors are expected.

Based on a patch by gehui. Add a limit default for the number of cookies allowed per request. Refactor the code that implements the requirement that a call to complete or dispatch made from a non-container thread before the container initiated thread that called startAsync completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this.

This removes the possibility that blocking the non-container thread could trigger a deadlock. Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. Based on a patch provided by wuwen via Github. Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. Ensure that a reason phrase is included in the close message if a session is closed due to a timeout.

Do not log an additional case of IOException s in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. Follow-up to the fix for Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realm s. Also document the NullRealm and when it is automatically created for an Engine.

MBeans Descriptors How-To is moved to mbeans-descriptors-howto. Patch provided by Radoslav Husar. Correct a typo in the Manager How-To page of the documentation web application.

If the ping message has been received at the AbstractReplicatedMap leftOver method, ensure that notify the member is alive than ignore it. Fix the duplicated connection release when connection verification failed. Ensure that do not remove the abandoned connection that has been already released. In order to avoid the unintended skip of PoolCleaner , remove the check code of the execution interval in the task that has been scheduled.

Ensure that the connection verification is executed by initSQL if required if the borrowing PooledConnection has not been initialized. Ensure that the ResultSet is closed when enabling the StatementCache interceptor.

Reduce the default value of validationInterval in order to avoid the potential issue that continues to return an invalid connection after database restart. Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. Add log message of when returning the connection that has been marked suspect.

Correct Javadoc for ConnectionPool. Based on a patch by Yahya Cahyadi. Update the internal fork of Commons Codec to r Code formatting changes only. Update the internal fork of Commons FileUpload to afdedc9.

This pulls in a fix to improve the performance with large multipart boundaries. Do not add a Content-Length: In ContainerBase , ensure that the process to remove a child container is the reverse of the process to add one. Patch provided by Huxing Zhang. RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop.

Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. Fix a potential concurrency issue with the web application class loader and concurrent reads and writes of the resource cache.

Within the web application class loader, always use path as the key for the resource cache to improve the hit ratio. This also fixes a problem exposed by the fix for that enabled file based configuration resources to be loaded from the class path.

Fix a connection counting bug in the NIO connector that meant some dropped connections were not removed from the current connection count. Do not recycle upgrade processors in unexpected close situations.

When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a response. Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory.

Enforce the requirements of section 7. Ensure that a client disconnection triggers the error handling for the associated WebSocket end point. Update the SSL how-to. Based on a suggestion by Alexander Kjäll. Fix potential NPE that depends on the setting order of attributes of static member when using the static cluster. As with the multicast cluster environment, in the static cluster environment, the local member inherits properties from the cluster receiver.

Add name to channel in order to identify channels. Add the channel name to the thread which is invoked by channel services in order to identify the associated channel. Ensure that clear the channel instance from channel services when stopping channel.

Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool.

Update the internal fork of Commons File Upload to r 1. Fix the type of InstanceManager attribute of mbean definition of StandardContext. Make the server build date and server version number accessible via JMX.

Correctly handle the case when Tomcat is installed on a path where one of the segments ends in an exclamation mark. Expand the fix for to cover the special sequences used in Tomcat's custom jar: Avoid warning while expiring sessions associated with a single sign on if HttpServletRequest.

Ensure that using the CrawlerSessionManagerValve in a distributed environment does not trigger an error when the Valve registers itself in the session. Log a warning message if a user tries to configure the default session timeout via the deprecated and ignored Manager. Correct a regression introduced in 7. When a Host is configured with an appBase that does not exist, create the appBase before trying to expand an external WAR file into it.

When using the Servlet 3. If a quoted-string, unquote the string before returning it to the user. Correct a false positive warning for ThreadLocal related memory leaks when the key class but not the value class has been loaded by the web application class loader. Don't log an invalid warning when a user logs out of a session associated with SSO. Fix a regression in the fix for that added additional and arguably unnecessary validation to the provided redirect location.

Ensure NPE will not be thrown by o. Async dispatches should be based off a wrapped request. Remove duplication in the recycling of the path in o. Patch is provided by Kyohei Nakamura. ServletResponse provided during javax. AsyncListener registration are made available via javax. Clarify the log message that specifying both urlPatterns and value attributes in WebServlet and WebFilter annotations is not allowed.

Ensure the exceptions caused by Valves will be available in the log files so that they can be evaluated when o. Patch is provided by Svetlin Zarev. Correct the implementation of PersistentManagerBase so that minIdleSwap functions as designed and sessions are swapped out to keep the active session count below maxActiveSessions.

Correct a problem with sendfile that resulted in a Processor being added to the cache twice leading to broken responses. Fix potential cause of endless APR Poller loop during shutdown if the Poller experiences an error during the shutdown process. The default value is -Djdk. Ensure that a WebSocket close message can be sent after a close message has been received.

Correctly handle compression of partial messages when the final message fragment has a zero length payload. Extend the WebSocket programmatic echo endpoint provided in the examples to handle binary messages and also partial messages.

This aligns the code with Tomcat 8 and makes it easier to run the Autobahn testsuite against the WebSocket implementation.