12.1.3

Changelog

• #13768 - Sanitizing of HTTP headers names and values should remove NUL bytes (U+0000)
• #13708 - Improve StateTrackingHandler reporting of incomplete callbacks
• #13703 - MailSessionReference is not dereferenced in JNDI lookup
• #13683 - Badly pct-encoded Shift-JIS is not supported by Jetty 12
• #13682 - HttpClient.[maxRequest|request]HeadersSize should be consistent
• #13681 - QUICHE_ERR_STREAM_LIMIT with Jetty 12.1.2 on HTTP/3
• #13634 - Avoid sending RST_STREAM for closed streams
• #13626 - WebAppContext.setExtraClasspath(String) entry separator
• #13615 - Concurrency issue, headers from different requests are mixed in Jetty 12.0.27
• #13613 - HttpInput#read rethrows already thrown exception, leading to possible self-suppressing exception issue
• #13588 - CONTAINER_JAR_PATTERN ignored on Windows
• #13246 - Missing hook or statistic for QoSHandler rejections by exceeding setMaxSuspendedRequestCount

12.0.29

Changelog

• #13788 - 12.0.x: Make ContextHandler catch and ignore exceptions thrown by Thread.setContextClassLoader()
• #13768 - Sanitizing of HTTP headers names and values should remove NUL bytes (U+0000)
• #13685 - Infinite loop on Content.copy() with Content.Source.from(... , Path, ) when Path has size 0.
• #13683 - Badly pct-encoded Shift-JIS is not supported by Jetty 12
• #13682 - HttpClient.[maxRequest|request]HeadersSize should be consistent
• #13676 - Backport fix for #13613 from 12.1.x to 12.0.x
• #13634 - Avoid sending RST_STREAM for closed streams
• #13626 - WebAppContext.setExtraClasspath(String) entry separator
• #13615 - Concurrency issue, headers from different requests are mixed in Jetty 12.0.27
• #13613 - HttpInput#read rethrows already thrown exception, leading to possible self-suppressing exception issue
• #13588 - CONTAINER_JAR_PATTERN ignored on Windows

12.1.2

Special Thanks to the following Eclipse Jetty community members

• @znight1020 (이현수)

Changelog

• #13640 - Fix NPE in ee9/ee8 nested.BufferedResponesHandler
• #13634 - Avoid sending RST_STREAM for closed streams
• #13625 - Not possible to control HttpClient Accept-Encoding weights with standard API and discovered Compression
• #13624 - ContextClassLoader changed on resumed requests with QoSHandler
• #13621 - Restore BufferingResponseListener.onContent(Response, ByteBuffer) behavior
• #13613 - HttpInput#read rethrows already thrown exception, leading to possible self-suppressing exception issue
• #13608 - DebugHandler changes Thread name without restoring it afterwards
• #13603 - Bad Accept-Language request headers can result in NPE during HttpServletRequest.getLocale() call
• #13599 - Merge ConstantThrowable and StaticException
• #13598 - Server hangs when client closes too many connections.
• #13592 - ClosedFileSystemException when upgrading to 12.1.1
• #13586 - Merge back Release/12.0.27
• #13583 - NPE in WriteFlusher after org.eclipse.jetty.http.BadMessageException: 417
• #13579 - How to remove a websocket mapping
• #13571 - JMX Bean Names are not predictable now that they have hashcodes
• #13567 - Jetty 12.1.1 HTTP2 broken data
• #13563 - Jetty 12.1.0 fails to serve big (> 1MiB) static web resources located inside a jar file
• #13549 - Ensure buffer is always released from HTTP/3 HeadersGenerator in case of failure.
• #13548 - Improved HTTP2Connection dump information (@znight1020)
• #13539 - HttpCookie.Builder does not allow removing SameSite
• #13482 - New request attribute __oejs.Request.Cookies
• #13472 - Support multiple directories to be scanned by deployment-scanner
• #11826 - NativeHelper triggers JDK warning

12.0.28

Changelog

• #13646 - Improve HTTP/2 and HTTP/3 invalid header value exception message
• #13637 - 12.0.x: H2 reset: fix missing callback completion
• #13618 - Jetty 12.1.x simplified epc no pending (#13372)
• #13603 - Bad Accept-Language request headers can result in NPE during HttpServletRequest.getLocale() call
• #13598 - Server hangs when client closes too many connections.
• #13586 - Merge back Release/12.0.27
• #13583 - NPE in WriteFlusher after org.eclipse.jetty.http.BadMessageException: 417
• #13509 - "No multipart configuration element" exception when getNamedDispatcher().forward() used

12.0.27

Changelog

• #13528 Review HttpParser._headerBytes accounting
• #13562 org.mortbay.jasper.apache-el-.jar missing from jetty-12.0.26
• #13549 - Ensure buffer is always released from HTTP/3 HeadersGenerator in case of failure.

12.1.1

Special Thanks to the following Eclipse Jetty community members

• @SentryMan (Josiah Noel)
• @znight1020 (이현수)

Changelog

• #13526 - BinaryStreamTest.testMoreThanLargestMessageOneByteAtATime() is flaky
• #13521 - Rework BlockingArrayQueue growth strategy
• #13506 - HTTP/2 CONTINUATION frames may cause connection close
• #13500 - Add jetty-compression artifacts to jetty-bom
• #13499 - Jetty 12.1 brotli linking problem
• #13498 - Jetty 12.1.x Migration Guide
• #13489 - OSGi package import problem with org.eclipse.jetty.http3.client.http
• #13487 - Regression in Jetty 12.1.0: @OnWebSocketFrame and @OnWebSocketMessage can no longer coexist
• #13485 - [jetty-http-spi] Add Https Implementation (@SentryMan)
• #13475 - jakarta Websocket served with h2 and timeouts disabled always times out after 30s
• #13465 - Review invocation of UpgradeListener.onHandshakeResponse() in case of failures
• #13464 - Automatic MultiPart cleanup for Jetty 12
• #13457 - ClassCastException due to HashSet being used in a non thread-safe way
• #13456 - use jdk25 instead of jdk24
• #13447 - Apache jsp/el jars in 12.1.0 are not groupId prefixed (like they are in 12.0.x releases)
• #13436 - AssertionError in MemoryEndPointPipe.MemoryEndPoint.fill()
• #13409 - Jetty fails to discover WebFragments in Library Files on classpath
• #13401 - CookieCompliance violation testing
• #13398 - Improve LoginAuthenticators to handle Proxy-Authenticate (@znight1020)
• #13385 - Regression in javax.servlet.http.HttpServletResponse#setHeader since jetty 10
• #13375 - WebSocketClient attempts to use HTTP/2 on servers without SETTINGS_ENABLE_CONNECT_PROTOCOL
• #13346 - TCP half-close during WebSocket session close causes ClosedChannelException
• #13341 - Complete WebSocket close handshake asynchronously
• #13336 - HTTP/2 - Valid horizontal tab "\t" in http header is coverted into "?"
• #12735 - Provide better documentation of JettyWebSocketServletContainerInitializer and jetty-${ee-version}-websocket-jetty-server modules
• #12029 - OutputStreamContentSource.AsyncOutputStream rethrows already thrown exception

12.0.26

Special Thanks to the following Eclipse Jetty community members

• @SentryMan (Josiah Noel)

Changelog

• #13506 - HTTP/2 CONTINUATION frames may cause connection close
• #13485 - [jetty-http-spi] Add Https Implementation (@SentryMan)
• #13475 - jakarta Websocket served with h2 and timeouts disabled always times out after 30s
• #13457 - ClassCastException due to HashSet being used in a non thread-safe way
• #13456 - use jdk25 instead of jdk24
• #13455 - Fix console capture by really executing the extension .... != ---- :)
• #13448 - Upgrade quiche to version 0.24.5
• #13436 - AssertionError in MemoryEndPointPipe.MemoryEndPoint.fill()
• #13409 - Jetty fails to discover WebFragments in Library Files on classpath
• #13401 - CookieCompliance violation testing
• #13336 - HTTP/2 - Valid horizontal tab "\t" in http header is coverted into "?"
• #12029 - OutputStreamContentSource.AsyncOutputStream rethrows already thrown exception

12.1.0

Introducing Jetty 12.1.0

New Features:

• New Jakarta EE11 Server Environment
• New Compression layer with support for gzip, brotli, and zstandard compression and decompression. Available on Server via a new CompressionHandler and HttpClient APIs.
• New Server WebApp Deployment layer. Gone are the multiple scanners and multiple directories, now only 1 directory is scanned, along with support for Jetty Server Environment (ee8, ee9, ee10, ee11, etc) configuration files that apply to all webapps deployed in that environment.
• New Jetty Start Modules for easier management of environment specific configurations (see start.jar --help for details)

Special Thanks to the following Eclipse Jetty community members

• @afarber (Alexander Farber)
• @kohlschuetter (Christian Kohlschütter)
• @lijinliangyihao (lijinliang)
• @maarouf-yassine (Maarouf Yassine)
• @sanjerai (Sanjeev Rai)
• @scrat98 (Artem Golovko)
• @trucnguyenlam (Truc Nguyen Lam)

Changelog

• #842 - Implement RFC7239 support in Proxy and Middleman

• #2717 - Async requests are not considered when shutting down gracefully
• #3377 - Improve jetty-ssl-context.xml
• #4493 - Document ThreadPoolBudget behavior
• #5308 - Extract httpConfig and scheduler configuration out of jetty.xml
• #5442 - Allow multiple authentication options for a web app

• #5685 - AsyncProxyServlet calls onProxyResponseSuccess() when internally it throws "Response header too large" exception
• #5888 - Limit usage of HTTP/2 connections
• #6328 - High CPU usage of method handle invocations in Jetty 10

• #8715 - Jetty 12 - Optimize RequestLog information retrieval
• #8768 - JSON support for Java 16+ Records

• #8769 - Introduce new Compression Handler with support for gzip, brotli, and zstandard
• #8790 - Jetty-12 HttpContent should have an async API

• #9051 - Review Jetty-12 DelayedHandler
• #9529 - Expose TCP connection establishment information
• #9632 - Jetty 12 - conditional headers handling for welcome files
• #9632 - Jetty 12 - conditional headers handling for welcome files

• #9778 - Jetty 12 - Remove WriteFlusher.Listener

• #9794 - Jetty 12 - jetty-ee9-proxy.xml broken

• #9980 - Add format option to CustomRequestLog for request authority and request authority scheme+ #10608 - DefaultServlet behaviour wrong for welcomeFiles

• #11289 - Embedded jetty doesn't set the charset to content-type header
• #11294 - NPE on trying to read uri, headers or attributes from the original HttpServletRequest wrapped in UpgradeRequest on WebSocket server in Jetty 12
• #11307 - Explicit demand control in WebSocket endpoints with only onWebSocketFrame()
• #11307 - Explicit demand control in WebSocket endpoints with only onWebSocketFrame()
• #11320 - Review callers of HttpChannelState.onIdleTimeout()
• #11325 - Review content-length check in ServletChannel

• #11358 - Jetty Websocket should have some API to handle timeouts

• #11413 - Conscrypt does not support server-side SNI
• #11425 - Review Handler Collection logic around InvocationType
• #11492 - Auto add AliasChecker for custom Base Resource in DefaultServlet

• #11514 - Start properties jetty.webapp.addServerClasses and jetty.webapp.addSystemClasses are not applied during ee8/ee9 deployments
• #11560 - Implement Web3 OAuth/Sign-In Functionality

• #11579 - Introduce UriCompliance.Violation.FRAGMENT to reject HTTP Request Line that includes fragment section.

• #11741 - Review case of MimeType.Type charsets
• #11749 - InvalidArgumentExceptions due to invalid status codes are not handled properly
• #11815 - Servlet spec 6.1 issue 300

• #11947 - Jetty12: HttpConfiguration#_relativeRedirectAllowed flipped to true per default
• #11947 - Jetty12: HttpConfiguration#_relativeRedirectAllowed flipped to true per default
• #11952 - Remove usages of ByteBufferCallbackAccumulator

• #11956 - Consider re-introducing ByteBufferPool.NON_POOLING constant
• #12023 - [12.1.x] Remove deprecated classes/methods
• #12082 - RetainableByteBuffer.DynamicCapacity enters a corrupt state when released

• #12106 - Document protected and hidden classes
• #12153 - Failed to serve resource java.lang.IllegalStateException: s=HANDLING rs=ASYNC os=OPEN is=IDLE awp=false se=false i=true al=0
• #12266 - InvocationType improvements and cleanups
• #12266 - InvocationType improvements and cleanups

• #12268 - IteratingCallback may iterate too much when process() returns Action.IDLE

• #12272 - Potential deadlock with Vaadin
• #12300 - Use of RewriteHandler.LastRuleHandler without a child handler should produce a clear error message. (@sanjerai)

• #12313 - Jetty 12 ee9/ee10 doesn't invoke callbacks when h2 client sends RST_STREAM
• #12318 - SecurityUtils should not elminate calls to existing methods

• #12323 - AsyncMiddleManServlet response flushing
• #12324 - Response compression does not work when the Accept-Encoding: * request header is used.
• #12324 - Response compression does not work when the Accept-Encoding: * request header is used.

• #12339 - Default session configuration parameter flushOnResponseCommit to true rather than false
• #12341 - QPack encoder must not send any encoder instructions when SETTINGS_QPACK_MAX_TABLE_CAPACITY is 0
• #12348 - HttpClientTransportDynamic does not initialize low-level clients
• #12350 - LdapLoginModule support for Jetty Password obfuscation
• #12356 - RuntimeIOException: Parser is terminated when doing lots of requests with Connection: Keep-Alive

• #12361 - ErrorHandler#getShowMessageInTitle() is ignored

• #12378 - Change default value for SslContextFactory.renegotiationAllowed to false
• #12397 - .tgz files are double-gzipped
• #12404 - Parsing URI with HttpUri.from(String uri) throws "IllegalArgumentException: Bad authority" when path is empty

• #12428 - No ALPNProcessor for org.bouncycastle.jsse.provider.ProvSSLEngine error with jetty http2 client
• #12429 - HandshakeRequest getHeaders are case sensitive.
• #12436 - Allow headers size extend to maxRequestHeadersSize in http client
• #12436 - Allow headers size extend to maxRequestHeadersSize in http client (@shaoxt)
• #12453 - Guard against NullPointerException in AnnotationParser
• #12469 - Content.Sink.write(sink, last, utf8Content, callback) could become faster
• #12481 - Exception when a Content-Length is set on a 304 response
• #12482 - CustomRequestLog %q inconsistency with a doc
• #12486 - Undisable and fix PartialRFC2616Test
• #12488 - HTTP/2 headers may not be split in CONTINUATION frames
• #12496 - MultiPartFormData.Parser question.
• #12502 - Undisable WebAppContextTest.testGetResourcePaths
• #12505 - ErrorPageErrorHandler does not use the proper attributes for error handling
• #12520 - Numerous stack traces logged at warning level when running under HTTP/2 (regression in 12.0.15)
• #12529 - Undisable ee9 BlockingTest and fix HttpChannel.produceContent
• #12530 - Make HttpOutput.println() simpler and faster
• #12531 - Reworking jetty-compression for JPMS
• #12534 - Jetty 12.1.x ee9 ee10 ee11 default servlet test resource servlet test
• #12537 - org.eclipse.jetty.server.LowResourceMonitor#setMonitorThreads seems not right (@lijinliangyihao)
• #12546 - Added documentation for DoSHandler.
• #12547 - Improve module deprecation
• #12553 - Execute immediately HTTP/2 failures
• #12558 - Document graceful shutdown
• #12564 - Enhance HTTP Compliance CRLF modes
• #12577 - org.eclipse.jetty.http.HttpURI.getDecodedPath() throws an NPE when there is no path
• #12578 - HttpServletRequest.getParameterMap - UnmodifiableMap does not wrap a jetty MultiMap
• #12588 - oejhs.AbstractHTTP2ServerConnectionFactory installs the HTTP2SessionContainer bean twice
• #12593 - Create start.d/*.ini for [ini-template] modules
• #12603 - ee9 / UnsupportedOperationException: Read Only
• #12609 - Change of behaviour with HttpServletResponse.sendError(0) in EE10
• #12611 - Supporting Compression discovery with ServiceLoader.
• #12612 - Use Compression classes for client decoding
• #12625 - Request.getBeginNanoTime returns invalid values
• #12639 - Request.Content.getContentType()'s Javadoc contradicts HttpConnection.normalizeRequest()
• #12644 - use a builder API for OpenIdConfiguration
• #12646 - CompleteListener may be invoked twice
• #12650 - Attribute org.eclipse.jetty.multipartConfig is null
• #12652 - Jetty Reactive client hangs for HTTP 401 responses
• #12659 - Use websocket over varying http protocols using a single client
• #12663 - Improve scalability of HttpCookieStore.Default
• #12670 - Improve buffer management of HTTP/1 response headers
• #12674 - EE8 has reference to Xalan jars that are no longer needed on new JVMs
• #12680 - ResourceHandler cannot handle files over 2GB in size.
• #12681 - CachingHttpContentFactory$CachedHttpContent already released buffer
• #12683 - Cross context dispatch to root context uses incorrect target path
• #12687 - Buffer reusal in the BufferingResponseListener
• #12689 - Add statistics about ByteBufferPool.acquire() calls made for which there is no bucket
• #12690 - Add configurable capping for values of H2 MAX_HEADER_LIST_SIZE settings frames
• #12695 - 12.1.0 - ResourceHandler is unable to serve content from PathResource that doesn't support mapped file buffers.
• #12697 - Servlet error pages do not work when Response.writeError is called before entering the ServletChannel
• #12700 - ResourceHandler & ResourceServlet (all envs) do not agree on UseFileMapping default
• #12705 - Orphaned sessions are never deleted at runtime in the SessionDataStore.
• #12706 - Export ArrayByteBufferPool statistics via JMX
• #12714 - MongoSessionDataStore can't upsert sessions if workerName contains token deliminators
• #12723 - Only on Windows: Failed startup of context oeje8w.WebAppContext
• #12730 - RegexRule needs configurable to include query (or not) in match logic
• #12735 - Provide better docume...

9.4.58.v20250814

This is a sponsored release for an End of Life version of Jetty.

Changelog

• #13461 - 9.4.x HTTP2Session cleanups - Addresses CVE-2025-5115
• #13261 - Improve handling of failed HTTP/2 requests
• #461 - Move ServletTester to the test source directory

11.0.26

This is a sponsored release for an End of Life version of Jetty.

Changelog

• #6369 Increment default jetty.http2.rateControl.maxEventsPerSecond (@jebeaudet, @slovdahl, @markslater)
• #7818 Modifying of HTTP headers in HttpChannel.Listener#onResponseBegin is no longer possible with Jetty 10
• #13462 HTTP2Session cleanups - Addresses CVE-2025-5115