12.0.1

Important Notes

• New Environment System (ee10 / ee9 / ee8)
• Supports ee10 / ee9 / ee8 at the same time (in different deployed webapps)
  • See Jetty 11 to 12 Migration Docs for help finding the new maven coordinates for EE specific artifacts.
• Jetty Core no longer has dependencies on any Jakarta EE Spec

Special Thanks to the following Eclipse Jetty community members

• @zugazagoitia (Alberto Zugazagoitia)

Changelog

• #10420 - do not recycle ServletChannel if aborted
• #10416 - EE9 Copies HttpFields in response
• #10411 - Review deployment of Jetty Context XML files
• #10406 - Bump jetty-setuid to 2.0.1
• #10388 - Jetty10 inetaccess mod started error
• #10383 - Unsuppressed exceptions from EE10 ServletTest
• #10356 - Deploying WAR with ee10-cdi-spi fails with Weld 5/CDI 4
• #10353 - Questions about porting WebSocket APIs to jetty-core 12
• #10349 - Character encoding is reset when setting Content-Type
• #10340 - Implement containsLast in HttpFields
• #10339 - Freeze HttpFields
• #10337 - SizeLimitHandler does not enforce 0 responseLimit
• #10323 - Jetty 12.0.0 return wrong value for HttpServletRequest.isRequestedSessionIdValid
• #10315 - ServletInputStream::isReady results in IllegalArgumentException
• #10309 - Jetty 12: X-Powered-By header is added 2 times (if enabled)
• #10306 - Jetty 12 generates wrong Host header
• #10295 - FormAuthenticator does not dispatch to an error page but redirect
• #10294 - Request.getContext().getContextPath()
• #10284 - Document all HttpFields methods
• #10275 - Fix wrong websocket artifact Jetty 12.x docs (@zugazagoitia)
• #10274 - java.nio.file.FileSystemNotFoundException when creating a resource from a JAR URL
• #10222 - Experiment/12/improve default servlet
• #10217 - Review ProxyConnectionFactory buffer management
• #10213 - UnknownFormatConversionException in start.jar --debug if path has % sign
• #10207 - Update failed JSP deployment message
• #10163 - Allow better configuration of WebAppContext classloader
• #10064 - Various Cleanup in ServletChannel
• #9169 - Idle timeout is ignored if callback is not completed

11.0.16

Security Updates

• This release provides a workaround for Security Advisory GHSA-58qw-p7qm-5rvh

Special Thanks to the following Eclipse Jetty community members

• @strogiyotec (Almas Abdrazak)
• @huisongma (huisongma)
• @garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
• #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
• #7091 - Add SOCKS5 support (@huisongma)

10.0.16

Security Updates

• This release provides a workaround for Security Advisory GHSA-58qw-p7qm-5rvh

Special Thanks to the following Eclipse Jetty community members

• @strogiyotec (Almas Abdrazak)
• @huisongma (huisongma)
• @garydgregory (Gary Gregory)

Changelog

• #10397 - Iso88591StringBuilder.append seems to have a logic error
• #10388 - Jetty10 inetaccess mod started error
• #10329 - Various cleanups in HttpParser
• #10271 - jetty.sh does not stop jetty anymore
• #10211 - NPE in ArrayByteBufferPool.findOldestEntry()
• #10176 - cleanups of DateCache
• #10160 - Verify PROXY_AUTHENTICATION is sent to forward proxies
• #10145 - WritePendingException over HTTP/2 tunnel
• #10143 - Startup fails due to IllegalArgumentException: Comparison method violates its general contract
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.
• #10105 - Document that Request objects are not reusable
• #10086 - Revisiting ProxyConfiguration.getProxies()
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9997 - No progress during Gzip Request Inflation results in bogus error
• #9947 - Cannot invoke "org.eclipse.jetty.io.ManagedSelector.getTotalKeys()" because "selector" is null (@strogiyotec)
• #9938 - Bulletproof AbstractProxyServlet#destory() to make it easier to write (@garydgregory)
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9887 - Deprecate CGI Servlet
• #9798 - review and cleanup of HTTP/3 QPACK Integer and String encoding
• #9777 - CrossOriginFilter does not return Vary header on no-cors mode
• #9761 - H3: Fix racy read from stream-less channel
• #9749 - HTTP/2 improvements.
• #9741 - Review of websocket parser, improve testing & comments.
• #9728 - Fixes to QPACK configuration from SETTINGS frames.
• #9715 - deprecate PushSessionCacheFilter
• #9685 - Jetty doesn't set the date header on error responses
• #9682 - RetainableByteBuffer buffer release bug in WebSocket
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9476 - onCompleteFailure called multiple times
• #8926 - HttpClient GZIPContentDecoder should remove Content-Length and Content-Encoding: gzip
• #8556 - ServletContext.getSessionTimeout() incorrectly throws IllegalStateException
• #8405 - Servlet 3.1 ReadListener.onAllDataRead() is called twice under h2 or h2c if the server doesn't respond within 30s
• #7091 - Add SOCKS5 support (@huisongma)

9.4.52.v20230823

Sponsored Release

This is a release of the End of Community Support Jetty 9.x series that was sponsored by a support contract from Webtide.com

Security Updates

• This release provides a workaround for Security Advisory GHSA-58qw-p7qm-5rvh

Special Thanks to the following Eclipse Jetty community members

• @RangerRick (Benjamin Reed)

Changelog

• #10352 - Backport of various cleanups in HttpParser from jetty-10.0.x
• #10337 - SizeLimitHandler does not enforce 0 responseLimit
• #10169 - make sure that a ServiceLoader is retrieved before iterating (@RangerRick)
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #9887 - Deprecate CGI Servlet
• #9716 - Deprecate PushSessionCacheFilter
• #9660 - Bring back some openid improvements from jetty-10.0.x
• #9476 - onCompleteFailure called multiple times

12.0.0

Important Notes

• New Environment System (ee10 / ee9 / ee8)
• Supports ee10 / ee9 / ee8 at the same time (in different deployed webapps)
  • See Jetty 11 to 12 Migration Docs for help finding the new maven coordinates for EE specific artifacts.
• Jetty Core no longer has dependencies on any Jakarta EE Spec

Security Updates

• This release provides a workaround for Security Advisory GHSA-58qw-p7qm-5rvh

Special Thanks to the following Eclipse Jetty community members

@kohlschuetter (Christian Kohlschütter)
@gregpoulos (Greg Poulos)

Changelog

• #10231 - DefaultServlet no longer supports POST and OPTIONS and returns a 405 instead
• #10229 - HttpConfiguration.setIdleTimeout() breaks long running requests
• #10227 - EE10 Unable to use Cookie attributes with HttpServletResponse.addCookie(jakarta.servlet.http.Cookie)
• #10205 - fixes for jetty 12 ee8 websocket demos
• #10178 - Fix demo-spec webapp failures
• #10066 - Allow SAXParserFactory or SAXParser to be configured in Jetty's XmlParser class - Allows for GHSA-58qw-p7qm-5rvh workaround
• #10165 - rename JAVAX_API to JAKARTA_API in ee9 and ee10 Source
• #10155 - EE10 Servlet include after HttpServletResponse.getWriter().println() omits Content-Length from the response
• #10135 - Websocket: Using PerMessageDeflateExtension and flush in batchMode send FLUSH_FRAME to client.

12.0.0.beta4

Changelog

• #10144 - Common code and documentation for dispatched query parameters
• #10141 - welcome-file ignored on jetty12ee10 on exploded deploy, works on ee9 and older jettys.
• #10139 - DefaultServlet not working with named dispatch in Jetty-12 EE10.
• #10134 - Server.stop() and WebInfConfiguration.deconfigure() can throw a ClosedFileSystemException when restoring the original base resource
• #10131 - Review ERROR query-string handling
• #10102 - Fixes delivery of events to Response.CompleteListeners.
• #10090 - Improved start.jar dry-run command line quoting
• #10084 - ServletApiContext.getResourcePaths() doesn't respect the spec
• #10082 - Various cleanups of StringUtil and TypeUtil
• #10081 - Fix replacement logic for Configuration lists
• #10071 - add SizeLimitHandler to Jetty-12
• #10068 - Jetty 12: instantiation of HashLoginService
• #10061 - Simplified URLResource cleaner
• #9444 - Unexpected encoding in request.getPathInfo() with Jetty 12 beta0

12.0.0.beta3

Changelog

• #9988 - Add constructors accepting the handler to wrap to all core handler wrappers
• #9984 - URLResource.isDirectory() throws a NullPointerException when created from a jar:file: URL
• #9983 - Implement quality lists for Locales
• #9975 - Experiment with a fully async ContentSourceCompletableFuture
• #9973 - Creating a Resource for an entry in a nested jar file in Jetty 12
• #9972 - getResourcePaths fails when a META-INF resource has reserved characters in its filename
• #9966 - NullPointerException with default servlet, include and welcome pages
• #9965 - prevent multiple websocket frames from being demanded in Jetty-12
• #9960 - Custom logging in Jetty 12 beta2 can fail due to NullPointerException in org.eclipse.jetty.server.Request
• #9955 - Jetty 12.0 beta 2 HttpServletResponse::getStatus returns 0 by default
• #9953 - Jetty 12.0 Handle HEAD requests in Handler
• #9946 - Handler passed to Handler in constructor a parent or child?
• #9944 - Remove integer for demand in websocket in Jetty-12
• #9934 - Fix ee10 path info only (alternative)
• #9927 - Jetty 12 inserted handler in ee10 servlet context
• #9925 - Bring back Jetty <12 flexibility of "current context / context handler"
• #9920 - Remove ee10 HttpChannel.Listener
• #9919 - Jetty-12 creates two instances of ArrayByteBufferPool
• #9904 - Experiment/jetty 12 chunk isError and warnings
• #9878 - Fixes and extra testing for EE9 ContextHandler class loading
• #9396 - Improve JPMS testing for websocket in Jetty 12

Dependencies

• #9924 - Upgrade of dependencies: slf4j 2.0.7, and some 3rd parties dependencies used for testing

12.0.0.beta2

Changelog

• #9914 - prevent potential NPE from StartArgs in Jetty-12
• #9911 - fixing JPMS and reactivating the tests
• #9906 - Inconsistent handling of empty "path info" between Jetty 10 and 12
• #9905 - Jetty 12 idletimeout
• #9902 - Jetty 12.0.x ee9 serverpush tck
• #9897 - Various improvements to CyclicTimeouts.
• #9895 - A MessageTooLargeException doesn't close a WebSocket connection
• #9890 - Fix redirect demo; fix links to sources for demos; fix blog link
• #9886 - Remove unused ee10-demo-realm files and add distro test
• #9883 - Jetty 12.0.x 9072 move core ee classes
• #9879 - Jetty-12 rewrite demo not working
• #9867 - Jetty 12 graceful contexts
• #9866 - Jetty 12 context initial ClassLoader
• #9796 - Fix/jetty 12 restore ee n fcgi
• #9792 - Simplified and fixed TryPathsHandler.
• #9790 - Fixed FCGI content parsing.
• #9785 - jetty-12 ee9 contextPath not set correctly on nested ContextHandler
• #9783 - Jetty 12 simplify EchoHandler
• #9774 - jetty-12 ee10 Cross context dispatch is not supported
• #9767 - jetty-12 ee10 ServerPush failures
• #9766 - jetty-12 ee9 ServerPush failures
• #9762 - jetty-12 ee9 Double parsing of cookies
• #9760 - jetty-12 ee9 Omnibus tck failure analysis
• #9750 - jetty-12 ee10 wrong authType for CLIENT-CERT
• #9745 - jetty-12 SecurityHandler role checking with * not correct
• #9743 - jetty-12 ee9 changeSessionId should throw ISE if no exception
• #9740 - Jetty 12 content length 0
• #9734 - Cookie config can be set after SessionHandler is started
• #9733 - FCGI improvements.
• #9731 - Infinite loop with mapped roles
• #9729 - Simplified QuotedStringTokenizer
• #9724 - Jetty 12 immutable ee10 configurations
• #9685 - Jetty doesn't set the date header on error responses
• #9684 - Refine how Request / Channel / Stream completion works
• #9682 - A possible native memory leak through RetainableByteBuffers
• #9657 - jetty-12 ee9 & ee10 Request.upgrade returns null
• #9650 - jetty-12 ee10 ServletApiResponse.resetBuffer does not check for response being committed
• #9649 - jetty-12 ee10 ServletApiResponse.addIntHeader does not ignore headers after response committed
• #9637 - jetty-12 ee10 ServletRequestListeners called too many times on sendError
• #9630 - Jetty 12 - Make Context dumpable
• #9554 - Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9173 - Configuring SameSite on a per-cookie basis in Jetty 12
• #8885 - Jetty-12, replacement for HttpChannel.Listener
• #8819 - Jetty-12 Improve CustomRequestLog efficiency

Dependencies

• #9917 - Upgrade Guava to 32.0.1

12.0.0.beta1

Changelog

• #6184 Remove usages of classes associated with JEP-411 that deprecate/remove the SecurityManager from the JVM
• #6483 Jetty http client SSL connectivity over CNTLM proxy fails
• #7608 Jetty-12 MetaData cleanup needed
• #8740 Jetty 12 - Move org.eclipse.jetty.server.context.ManagedAttributes to core
• #9237 Decouple QTP idleTimeout from pool shrink rate
• #9309 jetty.sh cannot handle complex Jetty properties from start.d/*.ini
• #9311 Performance of ArrayRetainableByteBufferPool.acquire() can degenerate pathologically as the buckets grow in size
• #9391 Jetty 12: port/move Jetty WebSocket APIs, client and server to jetty-core
• #9400 Jetty logs warning with stacktrace when annotation parser encounters module-info.class file inside elasticsearch-x-content jar
• #9408 HugeResourceTest failing
• #9410 Jetty 12: review locking in MultiPartFormData and MultiPartByteRanges
• #9412 Jetty 12: WebSocket hangs when ServerEndpointConfig.Configurator.getEndpointInstance() throws
• #9438 Jetty 12: Review JakartaWebSocketClientContainer use of reflection
• #9440 Jetty 12: HttpCookieStore should return cookies for "ws" schemes
• #9442 Jetty 12 Documentation Html artifact not populated
• #9444 Unexpected encoding in request.getPathInfo() with Jetty 12 beta 0
• #9459 Path is missing from JSESSIONID cookie in 12 beta 0
• #9463 NPE when starting jetty-ee10-maven-plugin
• #9464 Respect expiry time of ID token
• #9466 WebSocket DeploymentException is not thrown by client nor server
• #9467 Jetty 12 - Review BOMs
• #9468 Jetty 11.0.14 is less tolerant of non-compliant cookies than 11.0.13
• #9497 Maven plugin add support for jar projects in :effective-web-xml
• #9501 jetty client with proxy - ssl traffic between both proxy and servers
• #9537 "error-on-el-not-found" behavior is not as specified
• #9552 Jetty 12 - Rewrite of the Jetty WebSocket APIs
• #9554 Move (qpack/hpack) HuffmanDecoder / HuffmanEncoder / NBitInteger* to common location
• #9556 Password Util does not ask for password
• #9617 Update to apache jasper 10.1.7 for jetty-12 ee10
• #9656 jetty-12 ee10 PushBuilderImpl.push must throw IllegalStateException
• #9685 Jetty doesn't set the date header on error responses

11.0.15

Changelog

• #9556 - Password Util does not ask for password
• #9555 - General bug fixes for jetty-start
• #9517 - Jetty 11.0.14 uses wrong pathSpec for request
• #9501 - jetty client with proxy - ssl traffic between both proxy and servers
• #9497 - Maven plugin add support for jar projects in :effective-web-xml
• #9494 - Improved HttpClient TLS documentation about server host name verification
• #9468 - Jetty 11.0.14 is less tolerant of non-compliant cookies than 11.0.13
• #9464 - Respect expiry time of ID token
• #9400 - Jetty logs warning with stacktrace when annotation parser encounters module-info.class file inside elasticsearch-x-content jar
• #9309 - jetty.sh cannot handle complex Jetty properties from start.d/*.ini
• #9237 - Decouple QTP idleTimeout from pool shrink rate
• #6184 - Remove usages of classes associated with JEP-411 that deprecate/remove the SecurityManager from the JVM

Dependencies

• #9610 - Bump tycho-p2-repository-plugin to 3.0.4
• #9607 - Bump logback-core to 1.3.6
• #9596 - Bump org.eclipse.osgi.util to 3.7.200
• #9591 - Bump json-smart to 2.4.10
• #9581 - Bump commons-compress to 1.23.0
• #9575 - Bump protostream to 4.6.2.Final
• #9574 - Bump org.eclipse.osgi to 3.18.300
• #9558 - Bump asm.version to 9.5