Apache Releases Tomcat 6.0.24 – Whats New

January 21 2010


The new stable release of Tomcat 6.0.24 represents six months of open source software development. Version 6.0.24 includes a small number of new features, plus a large amount of important bug fixes and enhancements. This release is an incremental bug fix release, but the number of fixes included in this release is high.

Numerous Important Bug Fixes

Here is a summary of just the fixes that are included in Tomcat 6.0.24, an impressive list:

  • Aggressive webapp / JDK memory leak handling. This is a major set of fixes.
  • Better HTTPS security. This includes a workaround for the HTTPS vulnerability CVE-2009-3555.
  • Major updates and bug fixes to Tomcat’s database connection pooling code. This includes performance fixes, exception fixes, and more.
  • Improved Servlet session edge condition handling.
  • Improved support for JMX via a new JmxRemoteLifecycleListener and additional JMX-related bug fixes.
  • Fixed an obscure bug that caused the use of the vi editor to erase webapps. Yes, you read that right. Look here and here for more information.
  • Fixed quite a few thread safety bugs. This prevents bad behavior in high scalability situations.
  • Many clustering bug fixes and improvements (a true distributed community effort).
  • Upgraded and improved Tomcat’s Windows installer. Now fully supports 64-bit Windows installations, and the installer software has been upgraded.
  • Many additional bug fixes, including scalability and performance fixes.

Anyone who uses Tomcat 6 in production should upgrade to version 6.0.24 to get these important bug fixes.

New Features

As part of some new development that is currently ongoing for Tomcat 7, a few helpful feature additions were also added to Tomcat 6. These were added to Tomcat 6 as Listeners and a Valve, which are both modular components that are currently supported in the same ways on both Tomcats 6 and 7. For that reason it was easy to simply add them to Tomcat 6’s code after they were implemented for Tomcat 7, without disturbing or modifying any of Tomcat 6’s other code.

A new JmxRemoteLifecycleListener was added in Tomcat 6 and 7 that allows opening a JMX Remote server port over RMI where the server port is a fixed port number. Normally, the port number is random, which doesn’t work well in production because firewalls must be pre-configured to allow TCP connections just to specified ports. But because the RMI server chooses its port number at the time you’re trying to connect a JMX client (such as jconsole), you cannot prepare your firewall to allow connections to that random port number. It is already too late once you find out what port number was chosen! This JmxRemoteLifecycleListener solves that problem and allows us to use jconsole with a fixed RMI server port number. This fix helps anyone who would like to inspect and manipulate Tomcat’s MBeans components using tools like jconsole while Tomcat stays running, including in production environments.

A new JreMemoryLeakPreventionListener was added in Tomcat 6 and 7. This Listener and other code changes to Tomcat prevent numerous different types of memory leaks from occurring, including memory leaks caused by the JDK. This Listener was not written for fixing any memory leaks in Tomcat itself (those are fixed right away, individually, once they’re found), but instead it fixes memory leaks caused by your webapp’s use of JDK core features. Note that your Tomcat installation may suffer from OutOfMemoryError and PermGen space problems without these fixes, even if you do not have Context reloading enabled. These fixes repair a surprisingly large list of memory leaks that should make any Tomcat 6 user want to upgrade.

To start the memory leak prevention code, make sure you have the following lines in your server.xml file:

<!-- Prevent memory leaks due to use of particular java/javax <a href="http://www.mulesoft.com/platform/api" target="_blank" rel="" title="Anypoint Platform for APIs" >APIs</a>-->

The new RemoteIpValve is implemented in Tomcat 6 and 7 to ensure that the original HTTP client’s real IP address is available via servletRequest.getRemoteAddr(), even when the request was proxied from Apache httpd or a hardware load balancer. For more information about this feature, see the conversation about it and the initial code submission at https://issues.apache.org/bugzilla/show_bug.cgi?id=47330.


Overall, this is a whopper of a bug fix release and includes some nice new additional features. And since MuleSoft Tcat Server 6 supports the official ASF release binaries, you do not need to wait before taking advantage of this great new release of Tomcat.

You can download Tcat Server here. It’s free to download and use in development and pre-production.

We'd love to hear your opinion on this post

3 Responses to “Apache Releases Tomcat 6.0.24 – Whats New”

  1. Your download link is wrong. The link is: http://tomcat.apache.org/download-60.cgi for Tomcat 6.0.24.

  2. Hello,

    In addition to getting the actual ip address of the web user with the X-Forwarded-Proto header, the RemoteIpValve offers the ability to know whether the incoming request used http or https relying on the X-Forwarded-Proto (aka Front-End-HTTPS).

    I didn’t yet have the time to reintegrate in Tomcat’s documentation all the pieces we wrote. Interested docs can be found here :
    * http://code.google.com/p/xebia-france/wiki/RemoteIpValve (english)
    * http://blog.xebia.fr/2009/05/05/tomcat-adresse-ip-de-linternaute-load-balancer-reverse-proxy-et-header-http-x-forwarded-for/ (french but google translate friendly)
    * http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/ (french but google translate friendly)