Apache Tomcat 9.0 Release History and End-of-Life Status

Apache Tomcat 9.0 Release Notes

Apache Tomcat 9.0 is a widely used open-source Java servlet container and web server. This release note provides information about its supported dependencies, API stability, bundled libraries, and configuration details that developers and administrators should be aware of. The version is designed to run smoothly on Java 8 and later and continues to support enterprise-grade web application deployments.

This summary also highlights security considerations, static resource management, and useful tips for troubleshooting in case issues arise. Apache Tomcat 9.0 aims to deliver reliability, performance, and flexibility for production environments.

Dependency Changes

Tomcat 9.0 requires Java 8 or newer. Running the server on older versions of Java is not supported. This ensures access to modern Java features and better security patches.

API Stability

Stability of the API is an important concern for developers upgrading between minor versions. Tomcat 9.0 defines the following stability rules:

• All public interfaces under the javax namespace are stable and will not change during the lifetime of the 9.x branch.
• The org.apache.catalina.* classes (excluding sub-packages) may be extended with new methods or features, but no existing methods will be removed or modified. Deprecated methods may be introduced when necessary.
• Other classes are considered internal and may change without prior notice between point releases.

As Tomcat 9 evolves, this list of stable interfaces may expand to include more packages and classes.

Bundled APIs

A standard installation of Apache Tomcat 9.0 ships with several APIs and libraries available for use by web applications. These are typically located in the lib directory.

Additional APIs can be provided by placing JAR files in the lib directory or adding unpacked classes into a classes directory. To override XML parser implementations, use the endorsed standards override mechanism for Java 8 or the upgradeable modules mechanism for Java 9 and above.

Web Application Reloading and Static Fields

Some shared libraries, including those from the JDK, may retain references to objects from a reloaded web application. This can lead to class loading issues such as ClassCastException or warnings about stopped classloaders. To minimize these problems:

• Avoid placing classes referenced by static fields in the web application classloader.
• Instead, place these classes in the shared classloader (by putting JARs in the lib folder or classes in the classes folder).

Security Manager URLs

When using a security manager, permissions must be granted to JARs located inside the web application repository. This is done in the policy file using a format like:

file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar

Symlinking Static Resources

On Unix systems, symbolic links within web applications are disabled by default if they point outside the application’s root directory. This prevents accidental or insecure exposure of system files.

Administrators who want to allow symlinks can enable this behavior by setting the allowLinking flag in the server configuration.

Conclusion

Apache Tomcat 9.0 continues to be a stable and flexible foundation for Java-based web applications. By requiring Java 8 or newer, it ensures that modern features and security standards are available. The release emphasizes API stability, offers a comprehensive set of bundled APIs, and provides clear guidance on deployment practices, security, and resource handling.

Administrators and developers should familiarize themselves with bundled libraries, API guarantees, and configuration options such as static resource symlinking and security manager URL settings. These release notes help ensure smooth deployments and minimize common pitfalls during production.

Tomcat 9.0 remains a trusted choice for enterprises and developers who need a reliable, high-performance servlet container to power their Java applications.