Last checked and updated on 09 Jun 2026
Apache Tomcat 9.0 Release Notes
Apache Tomcat 9.0 is a widely used open-source Java servlet container and web server. This release note provides information about its supported dependencies, API stability, bundled libraries, and configuration details that developers and administrators should be aware of. The version is designed to run smoothly on Java 8 and later and continues to support enterprise-grade web application deployments.
This summary also highlights security considerations, static resource management, and useful tips for troubleshooting in case issues arise. Apache Tomcat 9.0 aims to deliver reliability, performance, and flexibility for production environments.
Dependency Changes
Tomcat 9.0 requires Java 8 or newer. Running the server on older versions of Java is not supported. This ensures access to modern Java features and better security patches.
API Stability
Stability of the API is an important concern for developers upgrading between minor versions. Tomcat 9.0 defines the following stability rules:
-
All public interfaces under the
javaxnamespace are stable and will not change during the lifetime of the 9.x branch. -
The
org.apache.catalina.*classes (excluding sub-packages) may be extended with new methods or features, but no existing methods will be removed or modified. Deprecated methods may be introduced when necessary. - Other classes are considered internal and may change without prior notice between point releases.
As Tomcat 9 evolves, this list of stable interfaces may expand to include more packages and classes.
Bundled APIs
A standard installation of Apache Tomcat 9.0 ships with several APIs and libraries available for use by web
applications. These are typically located in the lib directory.
| File | Description |
|---|---|
| annotations-api.jar | Annotations package |
| catalina.jar | Tomcat Catalina implementation |
| catalina-ant.jar | Ant tasks for Catalina |
| catalina-ha.jar | High availability features |
| catalina-ssi.jar | Server-side Includes module |
| catalina-storeconfig.jar | Generate XML configuration from running state |
| catalina-tribes.jar | Cluster communication support |
| ecj-4.20.jar | Eclipse JDT Java compiler |
| el-api.jar | Expression Language 3.0 API |
| jasper.jar | Jasper 2 Compiler and runtime |
| jasper-el.jar | Jasper 2 EL implementation |
| jsp-api.jar | JSP 2.3 API |
| servlet-api.jar | Servlet 4.0 API |
| tomcat-api.jar | Interfaces shared by Catalina and Jasper |
| tomcat-coyote.jar | Connector and utility classes |
| tomcat-dbcp.jar | Database connection pool (based on Commons DBCP 2) |
| tomcat-jdbc.jar | Tomcat JDBC connection pooling |
| tomcat-jni.jar | Interface to APR/native connector |
| tomcat-util.jar | Utility classes |
| tomcat-websocket.jar | WebSocket 1.1 implementation |
| websocket-api.jar | WebSocket 1.1 API |
Additional APIs can be provided by placing JAR files in the lib directory or adding unpacked
classes into a classes directory. To override XML parser implementations, use the endorsed
standards override mechanism for Java 8 or the upgradeable modules mechanism for Java 9 and above.
Web Application Reloading and Static Fields
Some shared libraries, including those from the JDK, may retain references to objects from a reloaded web
application. This can lead to class loading issues such as ClassCastException or warnings about
stopped classloaders. To minimize these problems:
- Avoid placing classes referenced by static fields in the web application classloader.
- Instead, place these classes in the shared classloader (by putting JARs in the
libfolder or classes in theclassesfolder).
Security Manager URLs
When using a security manager, permissions must be granted to JARs located inside the web application repository. This is done in the policy file using a format like:
file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jarSymlinking Static Resources
On Unix systems, symbolic links within web applications are disabled by default if they point outside the application's root directory. This prevents accidental or insecure exposure of system files.
Administrators who want to allow symlinks can enable this behavior by setting the
allowLinking flag in the server configuration.
Conclusion
Apache Tomcat 9.0 continues to be a stable and flexible foundation for Java-based web applications. By requiring Java 8 or newer, it ensures that modern features and security standards are available. The release emphasizes API stability, offers a comprehensive set of bundled APIs, and provides clear guidance on deployment practices, security, and resource handling.
Administrators and developers should familiarize themselves with bundled libraries, API guarantees, and configuration options such as static resource symlinking and security manager URL settings. These release notes help ensure smooth deployments and minimize common pitfalls during production.
Tomcat 9.0 remains a trusted choice for enterprises and developers who need a reliable, high-performance servlet container to power their Java applications.