Apache Tomcat^®

The Apache Tomcat^® software is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform.

The Jakarta EE platform is the evolution of the Java EE platform. Tomcat 10 and later implement specifications developed as part of Jakarta EE. Tomcat 9 and earlier implement specifications developed as part of Java EE.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are trademarks of the Apache Software Foundation.

The Apache Tomcat Project is proud to announce the release of version 1.2.49 of Apache Tomcat Connectors. This version fixes a number of bugs found in previous releases.

Download | ChangeLog for 1.2.49

The Apache Tomcat Project is proud to announce the release of version 10.1.13 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

• If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
• Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.90 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.79 include:

• If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
• Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.93 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.92 include:

• If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
• Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M11 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

• Update the HTTP parameter handling to align with the changes in the Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used to obtain request parameters. Invalid parameters and/or exceeding parameter size and/or quantity limits now trigger exceptions. As a consequence, the FailedRequestFilter has been removed.
• If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
• Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 2.0.5 of Tomcat Native. The notable changes compared to 2.0.4 include:

• Align default pass phrase prompt with HTTPd
• Update autotools and associated fixes
• Fix memory leak in SNI processing
• The windows binaries in this release have been built with OpenSSL 3.0.10

Download | Change log for 2.0.5

The Apache Tomcat Project is proud to announce the release of version 1.2.38 of Tomcat Native. The notable changes since 1.2.37 include:

• Align default pass phrase prompt with HTTPd
• Fix memory leak in SNI processing
• Windows binaries built with OpenSSL 1.1.1v.

Download | Change log for 1.2.38

The Apache Tomcat Project is proud to announce the release of 1.0.7 of the Apache Tomcat Migration Tool for Jakarta EE. This release contains a number of bug fixes and improvements compared to version 1.0.6.

The notable changes in this release are:

• Update OSGI servlet specification versions if present in manifest file. PR #42 provided by Ivan Furnadjiev.
• Add configuration option, matchExcludesAgainstPathName that can be used to configure exclusions based on path name rather than just file name. PR 38 provided by Réda Housni Alaoui.
• When converting directories, rename files according to the chosen profile.
• Work-around a known JDK bug when converting using the streaming approach.

Full details of these changes, and all the other changes, are available in the changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 1.2.5 of the Standard Taglib. This tag library provides Apache's implementation of the JSTL 1.2 specification.

Version 1.2.5 is a minor bug fix release reverting a change made in 1.2.1 where <c:import> modified the HTTP method during POST operations, and fixing an issues that resulted in an AccessControlException during startup unless permission was granted to read the accessExternalEntity property.

Please see the Taglibs section for more details.

Download | Changes

The Apache Tomcat team is pleased to announce the release of Tomcat Maven Plugin 2.2. Changelog available here.

The Apache Tomcat Maven Plugin provides goals to manipulate WAR projects within the Apache Tomcat servlet container.

The binaries are available from Maven repositories. You should specify the version in your project's plugin configuration:

<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat7-maven-plugin</artifactId>
  <version>2.2</version>
</plugin>

or

<plugin>
  <groupId>org.apache.tomcat.maven</groupId>
  <artifactId>tomcat6-maven-plugin</artifactId>
  <version>2.2</version>
</plugin>

See former announcements.