IDP on Tomcat 8.5.x

Jason Castor jcastor at
Mon May 8 17:33:05 EDT 2017

We are in the process of upgrading from v2 -> 3.3.1 (but on RHEL6) and our sysadmins don't like the 8.0 release stream and want us on 8.5.5 (see note below)

> As discussed, the issue that led the Shibboleth maintainer to advise against Tomcat 8.5 appears only to have ever been verified on Windows 2012 and I can't see any > evidence that it's ever been replicated; further, 8.0 is "superseded" by 8.5 in the 8.x stream, and the Tomcat maintainers advise that it should no longer be installed > in new deployments. Given that we haven't actually experienced the issue described, I'm suggesting we stay with our 8.5 deployment. confirms that they say 8.0 is superseded, so far we have not experienced any issues, but will do Tomcat 8.0 if we need to.  I am reluctant to deploy Jetty as it would be new for us and there are only so many containers we will want to support long term.



-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: May 8, 2017 2:13 PM
To: Shib Users <users at>
Subject: RE: IDP on Tomcat 8.5.x

> I found an issue (IDP-1028) that came from a session problem reported 
> to the mailing list:
> NullPointerException-on-Apache-Tomcat-8-5-4-td7627069.html

That's what the note refers to, it should be more explicit.

> But otherwise, I don't see widespread reports of problems with Tomcat 
> v8.5.

I don't know how much its been used. My uninformed sense is that it's a bad release. They were waiting for 9 and then decided to do one of those backporting exercises to try and get stuff out sooner, and it seems to include a "not final" version of whatever the next servlet spec is going to be, and that all sort of made me feel like I wasn't shocked that the sessions were buggy. And that's about the worst place to be suspicious with software like this.

> Is it safe to upgrade to Tomcat v8.5.14?

I have literally no idea but my opinion is that it's not, based solely on the fact that it was broken for one person and that's all I need to see from a container. Rock solid, or get out. This is not a piece of software I think is worth trying to "live with" when there are demonstrably better alternatives.

Jetty continues to try and prove me wrong with regressions, so I'm not sure I like any of them at the moment but the regressions of late have been pretty harmless.

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list