
Disadvantages of setting Tomcat's RECYCLE_FACADES = true?


The Apache Tomcat 8 Configuration Reference states that the default value for org.apache.catalina.connector.RECYCLE_FACADES = false. However, the Security Considerations web page says:

Setting org.apache.catalina.connector.RECYCLE_FACADES system property to true will cause a new facade object to be created for each request. This reduces the chances of a bug in an application exposing data from one request to another.

Because the default value is the less safe value, I wonder why. I assume that part of it has to do with performance, but I haven't seen much discussion on RECYCLE_FACADES. What are the drawbacks of setting it to true?


Solution

  • The primary disadvantage of setting org.apache.catalina.connector.RECYCLE_FACADES=true is performance. Tomcat re-uses as many objects as possible across requests in order to reduce GC churn (that is, repeatedly creating and discarding many objects). There is no performance difference due to the use of these objects -- only the discarding and re-creating cycle that reduces performance.

    The default setting is not "unsafe" per se, but applications with bugs can cause Tomcat to appear to do very strange things. So if applications aren't breaking any rules, then the higher-performance configuration should be preferred.

    If you don't trust the applications that are running on your Tomcat instance, you should definitely enable RECYCLE_FACADES.

    NOTE 2024-07-22

    More recent versions of Tomcat have introduced a configuration attribute on the <Connector> called discardFacades. The term "discard façades" is clearer in intent than the previous term "recycle façades", and should be preferred over using the system-property-based approach.

    Also, the default value for this setting has been changed from false to true, meaning that the Tomcat team has decided that the (likely small) performance benefit achieved by re-using these façade objects does not justify the potential reduction in security.
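
Added example, not part of the answer above and not Tomcat source code: a simplified Java model of the application bug the Security Considerations text refers to, where code keeps a request facade after its request has ended. The class and method names (`PooledRequest`, `RequestFacade`, `staleRead`) and the sample users are assumptions made up for the illustration; only the idea of reusing versus discarding the facade comes from the page.

```java
// Simplified model, not Tomcat source: class and method names are hypothetical.
public class FacadeRecycleDemo {
    /** Internal request object that the container pools and reuses. */
    static class PooledRequest {
        final boolean discardFacades;   // models RECYCLE_FACADES=true / discardFacades="true"
        String user;                    // per-request data (constructed sample values below)
        RequestFacade facade;           // wrapper handed to application code
        PooledRequest(boolean discardFacades) { this.discardFacades = discardFacades; }

        RequestFacade begin(String user) {
            this.user = user;
            if (facade == null) facade = new RequestFacade(this);
            return facade;
        }

        void recycle() {
            user = null;
            if (discardFacades && facade != null) {
                facade.clear();         // detach the old facade from the pooled object
                facade = null;          // the next request gets a new facade
            }
        }
    }

    static class RequestFacade {
        private PooledRequest request;
        RequestFacade(PooledRequest request) { this.request = request; }
        void clear() { request = null; }
        String getRemoteUser() {
            if (request == null) throw new IllegalStateException("facade used after request ended");
            return request.user;
        }
    }

    /** Buggy application code: keeps the facade past the end of request 1. */
    static String staleRead(boolean discardFacades) {
        PooledRequest pooled = new PooledRequest(discardFacades);
        RequestFacade kept = pooled.begin("alice");   // request 1, reference retained (the bug)
        pooled.recycle();
        pooled.begin("bob");                          // request 2 reuses the pooled object
        try {
            return kept.getRemoteUser();              // stale read during request 2
        } catch (IllegalStateException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        System.out.println("facades reused:    " + staleRead(false));
        System.out.println("facades discarded: " + staleRead(true));
    }
}
```

With the facade reused, the retained reference silently returns the second request's user; with the facade discarded, the same bug fails with an exception instead of exposing another request's data.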