Apache Tomcat 9.0.31

What's new in this version:

Catalina:
Update:
- Do not store username and password as session notes during authentication if they are not needed
Update: 63691: Skip all jar and directory scanning when the wildcard pattern "*" or "*.jar" is set or added to tomcat.util.scan.StandardJarScanFilter.jarsToSkip
- Allow more than one parameter when defining RewriteMaps
- Refactor recycle facade system property into a new connector attribute named discardFacades

Fix:
- Avoid useless environment restore when not using GSSCredential in JNDIRealm
- Respect the argument-count when searching for MBean operations to invoke via the JMXProxyServlet
- Correct a regression in the static resource caching changes introduced in 9.0.28. Avoid a NullPointerException when working with the URL provided for the root of a packed WAR
- Provide default configuration source based on the current directory if none has been set, for full compatibility with existing code
- Clarify/expand the Javadoc for the Tomcat#addWebapp() and related methods
- JNDIRealm no longer authenticates to LDAP
- Ensure that container provided SCIs are always loaded before application provided SCIs. Note that where both the container and the application provide the same SCI, it is the application provided SCI that will be used
- SCI definitions from JARs unpacked into WEB-INF/classes are now handled consistently and will always be found irrespective of whether the web application defines a JAR ordering or not
- Skip null-valued session attributes when deserializing sessions
- Do not throw a NullPointerException when an MBean or operation cannot be found by the JMXProxyServlet
- InputStreams for directories obtained from resource URLs now return a directory listing consistent with the behaviour of FileURLConnection. In addition to restoring the behaviour that was lost as a result of the introduction of CachedResourceURLConnection, it expands the feature to include packedWARs and to take account of resource JARs
- Add ${...} property replacement support to XML external entity definitions
- Fix a problem that meant that remote host, address and port information could be missing in the access log for an HTTP/2 request where the connection was closed unexpectely

Code:
- Deprecate MappingData.contextPath as it is unused
- Deprecate the JmxRemoteLifecycleListener as the features it provides are now available in the remote JMX capability included with the JRE. This listener will be removed in Tomcat 10 and may be removed from Tomcat 9.0.x some time after 2020-12-31.

Coyote:
Update:
- Simplify NIO blocking read and write
- Disable (comment out in server.xml) the AJP/1.3 connector by default
- Change the default bind address for the AJP/1.3 connector to be the loopback address

Fix:
- Ensure that Servlet Asynchronous processing timeouts fire when requests are made using HTTP/2
- Fix the corrupton of the TLS configuration when using the deprecated TLS attributes on the Connector if the configuration has already been set via the new SSLHostConfig and SSLHostConfigCertificate elements
- Switch the message shown when using HTTP to connect to an HTTPS port from ISO-8859-1 to UTF-8
- Cancel selection key in poller before wrapper close to avoid possible deadlock
- Correct a regression introduced in 9.0.28 that meant invalid tokens in the Transfer-Encoding header were ignored rather than treated as an error
- Rename the HTTP Connector attribute rejectIllegalHeaderName to rejectIllegalHeader and expand the underlying implementation to include header values as well as names

Add:
- Add support for RFC 5915 formatted, unencrypted EC key files when using a JSSE based TLS connector
- Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String
- Add a new attribute, allowedRequestAttributesPattern to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403

Jasper:
Fix:
- Update the performance optimisation for using expressions in tags that depend on uninitialised tag attributes with implied scope to make the performance optimisation aware of the new public class (java.lang.Record) added in Java 14
- Replace the faulty custom services lookup used for ExpressionFactory implementations with ServiceLoader

Add:
- Add a META-INF/services entry to jasper-el.jar so that the Expression Language implementation can be discovered via the services API

Cluster:
Fix:
- Ensure that session ID changes are replicated during form-authentication

Web applications:
Fix:
- In the examples web application, where a Servlet example includes ii18n support, the Locale used should be based on the request locale and not the server locale

Add: Add additional information on securing AJP/1.3 Connectors

Other:
Fix:
- Ensure statements are closed when a pooled JDBC connection is passivated in Tomcat's fork of Commons DBCP2