Apache Tomcat 10.1 Release Notes
Apache Tomcat 10.1 is the current stable branch of Tomcat 10, implementing the Servlet 6.0 and JSP 3.1 specifications from Jakarta EE 10. First released as version 10.1.0 on September 26, 2022, it supports web applications and services with features such as HTTP/2, WebSocket 2.0, and EL 4.0. The branch has received regular updates up to 10.1.48 as of September 7, 2025, focusing on security hardening, performance tweaks, and compatibility with newer Java versions up to 25.
This version requires Java 11 or later and emphasizes migration from Java EE to Jakarta EE. Key themes include DoS protection via rate limiting, improved HTTP/2 handling, virtual thread support for Java 21+, and deprecation of legacy features. It suits developers building modern web apps and remains backward compatible with apps that have been converted to Jakarta EE.
Jakarta EE Compliance and Migration
Tomcat 10.1 fully implements Jakarta EE 10, shifting from javax.* to jakarta.* packages. This requires code changes for apps from Tomcat 9 or earlier. Use the Apache Tomcat Migration Tool for Jakarta EE to convert web apps automatically during deployment.
Place Java EE apps in $CATALINA_BASE/webapps-javaee for automatic conversion into webapps. The tool also handles offline migrations. Java EE apps are not supported in webapps directly; all of them must be converted. This ensures alignment with Eclipse Foundation standards.
New Features in 10.1
Tomcat 10.1 adds virtual thread support via StandardVirtualThreadExecutor for Java 21, enabling efficient concurrent request processing. The RateLimitFilter mitigates DoS and brute-force attacks by limiting requests per client.
The JSON access log valve provides structured logging. Early hints are supported via HttpServletResponse.sendEarlyHints() for HTTP/103 responses. Partitioned cookies and multiple path parameters per URL segment enhance security and flexibility.
WebDAV gains PropertyStore for dead properties and tableName in DataSourcePropertyStore. Rewrite maps now support comments and txt:/rnd: types.
Performance Improvements
Optimizations include faster escaping in AccessLogValve by up to 2x, better ParameterMap handling for included requests, and cached string conversions for URIs and headers. HTTP/2 flow control and connection management see tweaks for reduced overhead.
SavedRequestInputFilter avoids data copying, and getHeader() calls are quicker. Refactored TaskQueue uses RetryableQueue for better efficiency. These changes cut latency in high-traffic scenarios without code modifications.
Security Updates
FORM authentication is hardened against DoS, with authenticationSessionTimeout reducing the session timeout while authentication is in progress. The default maxParameterCount is lowered to 1000. Tomcat adds checks of the JVM configuration for CVE-2024-56337, along with fixes for header parsing, HTTP/2 integer overflows, and malformed content-length values.
Strong ETags use SHA-256 by default for collision resistance. ParameterLimitValve limits parameters per URL, and maxPartCount/maxPartHeaderSize control multipart requests. Guidance has been added for WebDAV, HTTP PUT, and reverse proxies.
xssProtectionEnabled in HttpHeaderSecurityFilter is deprecated because browsers dropped support for it. RemoteAddrFilter/RemoteAddrValve are deprecated in favor of RemoteCIDRFilter/RemoteCIDRValve.
Bug Fixes Overview
Extensive fixes across components: HTTP/2 stream resets, trailer header case sensitivity, and HttpSession.isNew() after client joins. Concurrent access in FileStore for sessions resolved, and race conditions in storage creation fixed.
WebDAV handles expired locks, partial PUT ranges, and namespace enforcement better. JSP compilation on case-insensitive filesystems and inner class support in EL improved. AJP connector routes methods correctly, avoiding DELETE-as-OPTIONS issues.
Access logs use Instant for timestamps, and multi-part uploads clean temp files. Fixes for Java 25+ in permessage-deflate and spurious wake-ups in clustering.
Java Compatibility
Requires Java 11 minimum, with full support up to Java 25. JSP compiler targets Java 21+ sources. Virtual threads need Java 21. Updates include gb18030-2022 charset and Panama OpenSSL for Java 20+.
FFM OpenSSL classes added to tomcat-embed-core.jar. Builds use correct JDK versions to avoid issues.
Deprecations and Removals
Deprecated useAcceptRanges in DefaultServlet (removal in Tomcat 12). trimCredentials in Basic auth defaults to false per RFC 7617, removal in 11. APR/Native connector support removed.
rejectIllegalHeader and allowHostHeaderMismatch deprecated (removal in 11). Legacy RemoteAddr* components phased out.
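A check for the Connector and Valve settings named under Security Updates and Deprecations, written as an added example rather than code from the Tomcat project. The function name audit_server_xml, the fully qualified class names, and the sample server.xml are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml carried over from an older Tomcat (not from the page).
SAMPLE_SERVER_XML = r"""
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"
             maxParameterCount="10000" rejectIllegalHeader="false"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             allowHostHeaderMismatch="true"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
  </Host></Engine>
</Service></Server>
"""

DEPRECATED_CONNECTOR_ATTRS = ("rejectIllegalHeader", "allowHostHeaderMismatch")
DEFAULT_MAX_PARAMETER_COUNT = 1000  # 10.1 default stated in the notes

def audit_server_xml(xml_text):
    """Return (location, finding) tuples for settings the notes flag."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        where = "Connector port=" + conn.get("port", "?")
        for attr in DEPRECATED_CONNECTOR_ATTRS:
            if attr in conn.attrib:
                findings.append((where, attr + " is deprecated (removal in 11)"))
        raw = conn.get("maxParameterCount")
        if raw is not None:
            try:
                count = int(raw)
            except ValueError:
                findings.append((where, "maxParameterCount is not an integer"))
            else:
                # Assumption: a negative value means "no limit" in Tomcat.
                if count < 0 or count > DEFAULT_MAX_PARAMETER_COUNT:
                    findings.append((where, "maxParameterCount=%d is looser than the 10.1 default" % count))
        # Assumption: APR connector class names contain "Apr" (e.g. Http11AprProtocol).
        if "Apr" in conn.get("protocol", ""):
            findings.append((where, "APR/Native connector support is removed"))
    for valve in root.iter("Valve"):
        if valve.get("className", "").endswith(".RemoteAddrValve"):
            findings.append(("Valve", "RemoteAddrValve is deprecated for RemoteCIDRValve"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(where + ": " + finding)
```

Settings that live in web.xml or context.xml (xssProtectionEnabled, useAcceptRanges, trimCredentials) are outside what this check reads.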
Dependency Updates
Commons DBCP to 2.13.0, Commons FileUpload to 1.6.0, Tomcat Native to 2.0.9 (OpenSSL 3.0.9). EasyMock to 5.6.0, Checkstyle to 10.25.0, BND to 7.1.0. Eclipse JDT compiler to 4.27, UnboundID to 6.0.8.
Commons Daemon to 1.3.4. Migration Tool to latest versions for Jakarta EE conversions.
Migration and Support
Migrate from Tomcat 9 by converting to Jakarta EE packages. Use the migration tool for automated help. Test for deprecations with updated configs. Rebuild native libs if using Tomcat Native.
Tomcat 10.1 follows the Apache release cycle with frequent patches. Download it from the official site, and consult the docs for setup, realms, JNDI, clustering, and security. Active community support is available via mailing lists.