

  1. Security hardening.
    1. (improvements to Windows installer)
    2. (a more general mod_headers style solution)
  2. TCK + CI
    1. Integrate the Jakarta EE TCKs for Servlet, JSP, EL and WebSocket into the Tomcat CI builds
  3. Cloud enablement
    1. Improve use of a CDI 2 implementation (OpenWebBeans and/or Weld) in Tomcat
    2. Should be able to use a single Server listener and hopefully only a few JARs so that the user experience is better; in that scenario all webapps should be CDI enabled
    3. Better Eclipse MicroProfile (Health and Metrics in particular) support using the CDI 2 extensions support added in items 1 and 2
  4. Coyote clean-up / improvements
    1. Consider wrapping the SocketWrapper with a facade to detect / prevent components retaining references longer than they should (from the Tomcat next document)
  5. Add support for TLS key logging via OpenSSL to Tomcat-Native to aid debugging
  6. Look at TLS 1.3 early data and review the costs / benefits / feasibility of implementing it in Apache Tomcat
  7. Check HTTP/2 priority implementation
    3. Review Tomcat's use of buffering. Generally, we want to commit to the network as late as possible to help (re-)prioritisation work.
  8. Check Tomcat's caching behaviour
  9. Look at new(ish) cookie extensions and review the costs / benefits / feasibility of implementing them in Apache Tomcat
  10. Coverity Scan analysis:
  11. GraalVM native-image tool compatibility
    1. Should use
    2. Should use the JVM agent to generate reflection information
    3. The agent should be post CR16, to get the commit
  12. POEditor i18n contributions
  13. PGP key signing (


  1. From starting at slide 26 for the "upcoming" section, I have at the moment:

    • HTTP/2 improvements
    • Cloud functionality (= better CDI2 integration)
    • Coyote cleanups and improvements
    • Native improvements
    • HTTP/3
    • Jakarta
    • Configuration improvements

    Only the first 3 items could be attempted at this time.

  2. It would be nice to have a PGP key signing session

  3. Ideas from the http workshop (I'll update the page once I have internet access that doesn't block WebSocket). URLs for any referenced test suites should be available in the relevant presentation linked from I'll dig those out when I update the page.

    • Reduce h2 max streams (most impls use 100)
    • Reduce max header list size (most impls use 16k or 32k)
    • Implement option to enable TLS key logging in OpenSSL to aid TLS debugging with Wireshark
    • Review Tomcat's use of buffering. Need to commit to the network as late as possible to permit re-prioritisation
    • Run the re-prioritisation tests and see how well we do
    • Run the caching tests and see how well we do
    • Check EOS behaviour
    • Review available new(ish) extensions and consider implementing
    • Look at TLS 1.3 early data and what would be required to support it in Tomcat
  4. Stuff I would love to address: a replacement for Apache Commons Daemon and everything around native components.

    • Simplify Windows service wrappers
      I already have a working prototype, but it needs Unicode and dynamic
      file length support. Something that can be done during the Hackathon
    • Try to use Windows PowerShell instead of archaic CP/M batch scripts
    • Make sure we are ready for OpenSSL 1.1.1 that has new library names
      and some minimum OS requirements
  5. For Graal, based on

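    # Use the GraalVM JDK for both the agent run and native-image
    export JAVA_HOME=/home/remm/Work/graalvm-ce-1.0.0-rc16
    # The tracing agent writes its generated configuration files into ./target/
    export JAVA_OPTS=-agentlib:native-image-agent=config-output-dir=./target/
    # The java launcher does not read JAVA_OPTS itself, so pass it explicitly
    "$JAVA_HOME/bin/java" $JAVA_OPTS -jar ./target/tomcat-maven-1.0.jar
    cd target
    # Build the native image from the configuration the agent generated
    "$JAVA_HOME/bin/native-image" -H:+ReportUnsupportedElementsAtRuntime -H:ConfigurationFileDirectories=./ -jar tomcat-maven-1.0.jar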