Jakarta EE 11
Jakarta Servlet
Jakarta Pages
Jakarta WebSocket
Jakarta Expression Language
Jakarta Authentication
Jakarta Annotations
Tomcat specific changes
42 individual specifications - Tomcat implements 6
Platform specification - Tomcat implements relevant sections
Minimum of Java 21
No SecurityManager support
Technology Compatibility Kits (TCKs) are being refactored
First milestones due end of November
Final release June/July 2024
No major changes
Clarification
Clean-up
Various improvements
Calls using null for a header name will be NO-OPs
Using null when setting a header value will remove all current values
Calls using null when adding a header value will be NO-OPs
The empty string is a valid value for a header
Any method that sets a header is a NO-OP once the response is committed
Align getDateHeader() and getIntHeader() with getHeader() for multiple values
dispatch() and complete() close non-blocking output streams
write(), print(), println() and flush() are "write operations"
Status code can be specified
Response body can be specified
Relative redirects are allowed
Clarify that all ServletContext methods that accept a path bypass security constraints
Remove sensitive HTTP headers from TRACE responses
Invalid parameters will always trigger an Exception
Update HTTP RFC references to latest versions
HTTPS support is now mandatory
New constants for status codes 308, 421, 422 and 426
New request attribute jakarta.servlet.error.query_string
Add ByteBuffer support to ServletInputStream and ServletOutputStream
Charset support for setCharacterEncoding()
Context root mapping occurs with or without the trailing '/'
Clarify when leading '/' is omitted in HttpServletMapping.getMatchValue()
Clarify multi-part config sizes are in bytes
Clarify expected behaviour for CONNECT requests
Deprecate and make optional support for HTTP/2 server push
HttpSession access for WebSocket
Require error dispatches to use GET
Clarify behaviour of various methods for include / forward
Support for 1xx responses - particularly early hints
Deprecated classes and methods have been removed
Updated ErrorData to support the new request attribute jakarta.servlet.error.query_string
Clarified the responsibility for sending Ping messages
Added getSession() method to SendResult
Remove all deprecated classes and methods
Dependency on JavaBeans API is now optional
Added support for java.util.Optional via OptionalELResolver
ManagedBean is deprecated
TBD
No major changes
Specification / RFC updates
Generally stricter with invalid input
Enhancements and improvements
32-bit Windows no longer supported (no JRE)
BASIC authentication uses UTF-8 by default
Update DIGEST auth to RFC 7616
Documentation web application is only accessible from localhost by default
Examples web application is only accessible from localhost by default
rejectIllegalHeader hard-coded to true
allowHostHeaderMismatch hard-coded to false
Align AJP connector handling of invalid HTTP headers with HTTP connector
Added RateLimitFilter
RFC 9218 - HTTP/2 priority frame support
Support for server push has been removed
Virtual thread support - useVirtualThreads on the Connector
Some internal refactoring
Log TLS cert info on startup
Dedicated loggers for detailed TLS configuration info
Added TLSCertificateReloadListener
Expose the utility executor to web applications
Tomcat no longer sets java.protocol.handler.pkgs when starting
Added PropertiesRoleMappingListener
Added ContextNamingInfoListener
Add support for loading configuration resources from the web application