I had to change Tomcat version used with Spring boot from 9.0.36 to 10.0.0-M7. Spring boot found dependencies, I see them in class path:
C:\Users....m2\repository\org\apache\tomcat\embed\tomcat-embed-core\10.0.0-M7\tomcat-embed-core-10.0.0-M7.jar
However Tomcat initialization section is missing from the application logs, and there is no listener on configured port.
When I added @ServletComponentScan annotation to my application class, application failed to start:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'servletComponentRegisteringPostProcessor': Bean instantiation via constructor failed; nested exception is java.lang.NoClassDefFoundError: javax/servlet/annotation/WebServlet
It looks like Spring boot is not aware of javax -> jakarta change in Tomcat 10 APIs. I'm using the latest 2.3.1-RELEASE version of Spring Boot.
Comment From: bclozel
Spring Boot is not yet compatible with the jakarta namespace change. This change needs to be first implemented in Spring Framework - see spring-projects/spring-framework#25354
Comment From: dimaa6
@bclozel Does that mean that even without @ServletComponentScan, which I don't really need, it will not work with Tomcat 10? All I need is working @RestController and @GetMapping annotations.
Comment From: bclozel
Spring MVC depends on the javax.servlet namespace in its programming model and infrastructure, so no, this won't be working.
Could elaborate on why you've chosen Tomcat 10 for your deployments - any particular reason?
Comment From: dimaa6
Sure. Customer executed intrusion prevention software on our product and it revealed some vulnerabilities in Tomcat 9.0.36 which are fixed in 10.0.0-M7.
Comment From: bclozel
Both 9.x and 10.x should be equivalent (besides the namespace change), so I guess the security fix made its way into 9.0.37 as well?
Comment From: bclozel
Since this is not strictly related to Tomcat 10 or the jakarta namespace change, I'm closing this issue and pointing other contributors to spring-projects/spring-framework#25354 as the blocker for any related change in Spring Boot.
Comment From: edensys
Tomcat 9.0.39 has vulnerabilities ( ref. https://nvd.nist.gov/vuln/detail/CVE-2020-13943 ) . In my scenario i' usign spring-boot framewrork application with embedded tomcat app server, vulnerability affected those dependencies:
-
tomcat-embed-core-9.0.39.jar
-
tomcat-embed-jasper-9.0.39.jar
-
tomcat-embed-websocket-9.0.39.jar
When does spring-boot framework will supports Tomcat 10 ?
Comment From: wilkinsona
CVE-2020-13943 affects Tomcat 9.0.0.M1 to 9.0.37, i.e. 9.0.39 is not affected.
Tomcat 10 switches from the javax.* to jakarta.* namespace and as such will be a large breaking change. Spring Boot is likely to support it in its 3.0 release alongside Framework 6.0, but that will depend on the rest of the ecosystem being ready for such a move.
Comment From: AnthonyCavanagh
Thanks, I had a feeling this might be the case. I upgraded to tomcat10 springBoot no longer working
Comment From: Abhilashkongara
Hi, When can we expect Tomcat 10 support on spring boot framework any tentative date!
Comment From: philwebb
@Abhilashkongara It will be in Spring Framework 6 / Spring Boot 3. We don't have plans or dates to share at this time.
Comment From: Abhilashkongara
Hi, When can we expect Tomcat 10 support on spring boot framework any tentative date!
Comment From: philwebb
@Abhilashkongara Please don't add the same comment to the issue tracker multiple times, it sends notifications for everyone subscribed. See the answer above.