Using the JK native connector</a><br />
<a href="#Using Apache HTTP Server 2.x with mod_proxy">
Using Apache HTTP Server 2.x and mod_proxy</a><br />
+<!--
<a href="#Using the balancer webapp">Using the balancer webapp</a><br />
+-->
</p>
</section>
</section>
+<!--
<section name="Using the balancer webapp">
<subsection name="Overview">
</subsection>
</section>
+-->
</body>
external to the Tomcat JVM. If you are using the Java SecurityManager this
will bypass your security policy configuration in <code>catalina.policy.</code></p>
-<p>Rename <code>$CATALINA_BASE/server/lib/servlets-cgi.renametojar</code>
-to <code>$CATALINA_BASE/server/lib/servlets-cgi.jar</code>.</p>
-
<p>Remove the XML comments from around the CGI servlet and servlet-mapping
configuration in <code>$CATALINA_BASE/conf/web.xml</code>.</p>
</section>
+<p>Only Contexts which are marked as privileged may use the CGI servlet (see the
+privileged property of the Context element).</p>
+
<section name="Configuration">
<p>There are several servlet init parameters which can be used to
<properties>
<author email="remm@apache.org">Remy Maucherat</author>
<author email="yoavs@apache.org">Yoav Shapira</author>
+ <author email="fhanik@apache.org">Filip Hanik</author>
<title>Changelog</title>
</properties>
<body>
+<section name="Tomcat 6.0.0 (remm)">
+</section>
+
+<section name="Tomcat 5.5.21 (fhanik)">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>29727</bug>: If env-entry values in web.xml are changed then
+ ensure new values are applied when context is reloaded. (markt)
+ </fix>
+ <fix>
+ <bug>34956</bug>: Ensure request and response objects passed to a
+ RequestDispatcher meet the requirements of SRV.8.2 and
+ SRV.14.2.5.1. This is disabled by default. The Java option
+ <code>-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true</code>
+ is required to enable this test. (markt)
+ </fix>
+ <fix>
+ <bug>36274</bug>: When including static content with the
+ DefaultServlet also treat content types ending in xml as text.
+ (markt)
+ </fix>
+ <fix>
+ <bug>39724</bug>: Removing the last valve from a pipeline did not
+ return the pipeline to the original state. Patch provided by
+ David Gagon. (markt)
+ </fix>
+ <fix>
+ <bug>36976</bug>: Don't use CATALINA_OPTS when stopping Tomcat. This
+ allows options for starting and stopping to be set on JAVA_OPTS and
+ options for starting only to be set on CATALINA_OPTS. Without this
+ fix, some startup options (eg the port for remote JMX) would cause
+ stop to fail. Based on a fix suggested by Michael Vorburger. (markt)
+ </fix>
+ <fix>
+ <bug>40528</bug>: Add missing message localisations as provided by
+ Ben Clifford. (markt)
+ </fix>
+ <fix>
+ <bug>40625</bug>: Stop CGIServlet swallowing the root cause of an
+ exception. Patch provided by Takayoshi Kimura. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Webapps">
+ <changelog>
+ <fix>
+ <bug>34952</bug>: Clarify that the Windows Installer always installs
+ a Windows service. (markt)
+ </fix>
+ <fix>
+ <bug>35968</bug>: Make environment entry properties input a text area.
+ Patch provided by Tristan Marly. (markt)
+ </fix>
+ <fix>
+ <bug>40633</bug>: Remove references to the DefaultContext from the
+ documentation. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+</section>
+
+
+<section name="Tomcat 5.5.20 (fhanik)">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ Fix logic error in UserDatbaseRealm.getprincipal() that caused user
+ roles assigned via groups to be ignored. (markt)
+ </fix>
+ <fix>
+ <bug>40518</bug>: Use correct message when a RuntimeException is
+ thrown from the requestInitialized or requestDestroyed method of
+ a listener that implements ServletRequestListener. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Jasper">
+ <changelog>
+ <fix>
+ <bug>31804</bug>: Unnested tags within a tag file are now configured
+ with the Tag represented by the containing tag file as their parent
+ tag. (markt)
+ </fix>
+ <fix>
+ <bug>33356</bug>: Tag attributes that contained $ followed by 1 or
+ more non-special characters and then a { character caused an
+ exception. (markt)
+ </fix>
+ <fix>
+ <bug>33407</bug>: The string \$ in template text was reduced to $
+ when the isELIgnored page directive was set to true. (markt)
+ </fix>
+ <fix>
+ <bug>34509</bug>: Tag names may now use the full range of
+ characters permitted by xsd:nmtoken. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Webapps">
+ <changelog>
+ <fix>
+ <bug>34399</bug>: Disable undeploy for applications that have not
+ been deployed such as those defined in server.xml (markt)
+ </fix>
+ </changelog>
+ </subsection>
+</section>
+
+
+<section name="Tomcat 5.5.19 (fhanik)">
+ <subsection name="General">
+ <changelog>
+ <update>
+ Add multi attribute setting to jmx:set JMX remote ant task.
+ Patch contributed by Didier Donsez (pero)
+ </update>
+ </changelog>
+ </subsection>
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>30762</bug>: Re-fix this bug that was re-introduced by the fix
+ to <bug>37264</bug>. (markt)
+ </fix>
+ <fix>
+ <bug>37588</bug>: Fix JNDI realm creation through JMX. Patch contributed by TerryZhou (fhanik)
+ </fix>
+ <fix>
+ <bug>39704</bug>: The use of custom classloaders failed when the context
+ was specified in server.xml. Correction of the fault will require setting
+ the new loader attribute useSystemClassLoaderAsParent to false. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ <bug>40418</bug>: APR Endpoint socket evaluation (remm)
+ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Webapps">
+ <changelog>
+ <fix>
+ <bug>31339</bug>: Admin app threw exceptions if a name other than Catalina
+ was configured for the Engine. Patch based on a suggestion from Amila
+ Suriarachchi. (markt)
+ </fix>
+ </changelog>
+ </subsection>
+</section>
+
<section name="Tomcat 5.5.18 (yoavs)">
<subsection name="General">
<bug>18477</bug>: Allow symbolic links when precompiling JSPs (markt)
</fix>
<add>
- <bug>34727</bug>: Allow specifying the Option class used by the Jasper engine,
+ <bug>34272</bug>: Allow specifying the Option class used by the Jasper engine,
submitted by Scott Stark (remm)
</add>
<add>
<li><em>$CATALINA_HOME/bin/bootstrap.jar</em> - Contains the main() method
that is used to initialize the Tomcat 6 server, and the class loader
implementation classes it depends on.</li>
- <li><em>$CATALINA_HOME/bin/commons-logging-api.jar</em> - Jakarta commons
- logging API.</li>
+ <li><em>$CATALINA_HOME/bin/tomcat-juli.jar</em> - Package renamed Jakarta commons
+ logging API, and java.util.logging LogManager.</li>
</ul></li>
<li><strong>Common</strong> - This class loader contains additional classes
that are made visible to both Tomcat internal classes and to all web
<body>
-<section name="Quick Start">
-<p>This document is pending an update to the latest implementation.<br/>
- You can also check the <a href="config/cluster.html">configuration reference documentation.</a>
+<section name="Important Note">
+<p><b>This document is pending an update to the latest implementation.<br/>
+ You can also check the <a href="config/cluster.html">configuration reference documentation.</a></b>
</p>
+</section>
+
+<section name="Quick Start">
<p>To run session replication in your Tomcat 5.5 container, the following steps
should be completed:</p>
</table>
<xsl:apply-templates select="readme"/>
<hr size="1" />
- <h3>Apache Tomcat/5.0</h3>
+ <h3>Apache Tomcat/6.0</h3>
</body>
</html>
</xsl:template>
The TCD is not packaged with the Tomcat core
distribution, and must therefore be downloaded separately from
the Downloads area. The download is usually labelled
- <i>jakarta-tomcat-5.5.x-deployer</i>.
+ <i>apache-tomcat-6.0.x-deployer</i>.
</p>
<p>
TCD has prerequisites of Apache Ant 1.6.2+ and a Java installation.
written and easy to understand, we may have missed something. Provided
below are various web sites and mailing lists in case you get stuck.</p>
-<p>As Tomcat 5 is a new release of Tomcat, keep in mind that some of the
+<p>As Tomcat 6 is a new release of Tomcat, keep in mind that some of the
issues and solutions vary between the major versions of Tomcat (4.x versus
5). As you search around the web, there will be some documentation that
-is not relevant to Tomcat 5, but 3.x and 4.x. Doing 3.x or 4.x things to 5
+is not relevant to Tomcat 6, but 3.x, 4.x and 5.x. Doing 3.x or 4.x things to 6
will probably not work in most cases as the server.xml files are very
different.</p>
pages.</p>
<p>Apache Ant, which was used in previous Tomcat releases, can be used instead instead of
-the new compiler by simply removing the <code>common/lib/jasper-jdt.jar</code> file,
+the new compiler by simply removing the <code>lib/jasper-jdt.jar</code> file,
and placing the <code>ant.jar</code> file from the latest Ant distribution in the
<code>lib</code> folder. If you do this, you also need to use the "javac"
argument to catalina.sh.</p>
<fileset dir="${tomcat.home}/bin">
<include name="*.jar"/>
</fileset>
- <fileset dir="${tomcat.home}/server/lib">
- <include name="*.jar"/>
- </fileset>
- <fileset dir="${tomcat.home}/common/lib">
+ <fileset dir="${tomcat.home}/lib">
<include name="*.jar"/>
</fileset>
</classpath>
<fileset dir="${webapp.path}/WEB-INF/lib">
<include name="*.jar"/>
</fileset>
- <pathelement location="${tomcat.home}/common/classes"/>
+ <pathelement location="${tomcat.home}/lib"/>
<fileset dir="${tomcat.home}/common/lib">
<include name="*.jar"/>
</fileset>
- <pathelement location="${tomcat.home}/shared/classes"/>
- <fileset dir="${tomcat.home}/shared/lib">
- <include name="*.jar"/>
- </fileset>
<fileset dir="${tomcat.home}/bin">
<include name="*.jar"/>
</fileset>
<ul>
<li>From your <a href="ant.apache.org">Ant</a> installation, copy ant.jar
and (if it's available: Ant 1.5 and later) ant-launcher.jar to
-<code>$CATALINA_BASE/common/lib</code>.</li>
+<code>$CATALINA_BASE/lib</code>.</li>
<li>Download and install jikes. jikes must support the -encoding option.
Execute <code>jikes -help</code> to verify that it was built with support
for <code>-encoding</code>.</li>
<li>Jakarta-Commons Pool</li>
</ul>
These libraries are located in a single JAR at
-<code>$CATALINA_HOME/common/lib/naming-factory-dbcp.jar</code>. However,
+<code>$CATALINA_HOME/lib/tomcat-dbcp.jar</code>. However,
only the classes needed for connection pooling have been included, and the
packages have been renamed to avoid interfering with applications.
</p>
</ul>
</p>
-<p>Before you proceed, don't forget to copy the JDBC Driver's jar into <code>$CATALINA_HOME/common/lib</code>.</p>
+<p>Before you proceed, don't forget to copy the JDBC Driver's jar into <code>$CATALINA_HOME/lib</code>.</p>
<h3>1. MySQL configuration</h3>
<p>
usual gotchas :-)</p>
<p>Drivers for older Oracle versions may be distributed as *.zip files rather
than *.jar files. Tomcat will only use <code>*.jar</code> files installed in
-<code>$CATALINA_HOME/common/lib</code>. Therefore <code>classes111.zip</code>
+<code>$CATALINA_HOME/lib</code>. Therefore <code>classes111.zip</code>
or <code>classes12.zip</code> will need to be renamed with a <code>.jar</code>
extension. Since jarfiles are zipfiles, there is no need to unzip and jar these
files - a simple rename will suffice.</p>
<h3>1. Required files </h3>
<p>
-Copy the Postgres JDBC jar to $CATALINA_HOME/common/lib. As with Oracle, the
+Copy the Postgres JDBC jar to $CATALINA_HOME/lib. As with Oracle, the
jars need to be in this directory in order for DBCP's Classloader to find
them. This has to be done regardless of which configuration step you take next.
</p>
</p>
<p>
After renaming <code>classes12.zip</code> file to <code>classes12.jar</code>
-for Tomcat, copy it into <code>$CATALINA_HOME/common/lib</code>.
+for Tomcat, copy it into <code>$CATALINA_HOME/lib</code>.
You may also have to remove the <code>javax.sql.*</code> classes
from this file depending upon the version of Tomcat and JDK you are using.
</p>
<section name="Introduction">
-<p>Tomcat 5 provides a JNDI <strong>InitialContext</strong> implementation
+<p>Tomcat 6 provides a JNDI <strong>InitialContext</strong> implementation
instance for each web application running under it, in a manner that is
compatible with those provided by a
<a href="http://java.sun.com/j2ee">Java2 Enterprise Edition</a> application
referenced in these elements must be defined in an application-server-specific configuration.
</p>
-<p>For Tomcat 5, these entries in per-web-application
+<p>For Tomcat 6, these entries in per-web-application
<code>InitialContext</code> are configured in the
<code><strong><Context></strong></code> elements that can be specified
in either <code>$CATALINA_HOME/conf/server.xml</code> or, preferably,
the per-web-application context XML file (either <code>META-INF/context.xml</code>).
</p>
-<p>Tomcat 5 maintains a separate namespace of global resources for the
+<p>Tomcat 6 maintains a separate namespace of global resources for the
entire server. These are configured in the
<a href="config/globalresources.html">
<code><strong><GlobalNameingResources></strong></code></a> element of
<li><code><strong><resource-ref></strong></code> - Resource reference,
which is typically to an object factory for resources such as a JDBC
<code>DataSource</code>, a JavaMail <code>Session</code>, or custom
- object factories configured into Tomcat 5.</li>
+ object factories configured into Tomcat 6.</li>
<li><code><strong><resource-env-ref></strong></code> - Resource
environment reference, a new variation of <code>resource-ref</code>
added in Servlet 2.4 that is simpler to configure for resources
<section name="Tomcat Standard Resource Factories">
- <p>Tomcat 5 includes a series of standard resource factories that can
+ <p>Tomcat 6 includes a series of standard resource factories that can
provide services to your web applications, but give you configuration
flexibility (in <code>$CATALINA_HOME/conf/server.xml</code>) without
modifying the web application or the deployment descriptor. Each
<p>See <a href="#Adding Custom Resource Factories">Adding Custom
Resource Factories</a> for information about how to create, install,
configure, and use your own custom resource factory classes with
- Tomcat 5.</p>
+ Tomcat 6.</p>
<p><em>NOTE</em> - Of the standard resource factories, only the
"JDBC Data Source" and "User Transaction" factories are mandated to
configuration details that the client application must be aware of
(including the name of the SMTP host to be used for message sending).</p>
- <p>Tomcat 5 includes a standard resource factory that will create
+ <p>Tomcat 6 includes a standard resource factory that will create
<code>javax.mail.Session</code> session instances for you, already
connected to the SMTP server that is configured in <code>server.xml</code>.
In this way, the application is totally insulated from changes in the
<p>This download includes 2 vital libraries for the configuration;
activation.jar and mail.jar. Unpackage both distributions and place
- them into $CATALINA_HOME/common/lib so that they are available to
+ them into $CATALINA_HOME/lib so that they are available to
Tomcat during the initialization of the mail Session Resource.
<strong>Note:</strong> placing these jars in both common/lib and a
web application's lib folder will cause an error, so ensure you have
- them in the $CATALINA_HOME/common/lib location only.
+ them in the $CATALINA_HOME/lib location only.
</p>
<h3>Example Application</h3>
to support the functionality required by that application. The J2EE
Platform Specification requires J2EE Application Servers to make
available a <em>DataSource</em> implementation (that is, a connection
- pool for JDBC connections) for this purpose. Tomcat 5 offers exactly
+ pool for JDBC connections) for this purpose. Tomcat 6 offers exactly
the same support, so that database-based applications you develop on
Tomcat using this service will run unchanged on any J2EE server.</p>
that you make an appropriate JDBC driver available to both Tomcat internal
classes and to your web application. This is most easily accomplished by
installing the driver's JAR file(s) into the
- <code>$CATALINA_HOME/common/lib</code> directory, which makes the driver
+ <code>$CATALINA_HOME/lib</code> directory, which makes the driver
available both to the resource factory and to your application.</p>
<h3>2. Declare Your Resource Requirements</h3>
<section name="Adding Custom Resource Factories">
<p>If none of the standard resource factories meet your needs, you can
- write your own factory and integrate it into Tomcat 5, and then configure
+ write your own factory and integrate it into Tomcat 6, and then configure
the use of this factory in the <code>conf/server.xml</code> configuration
file. In the example below, we will create a factory that only knows how
to create <code>com.mycompany.MyBean</code> beans, from the
Provider Interface (SPI) Specification</a>.</p>
<p>You will need to compile this class against a class path that includes
- all of the JAR files in the <code>$CATALINA_HOME/common/lib</code> and
- <code>$CATALINA_HOME/server/lib</code> directories. When you are through,
+ all of the JAR files in the <code>$CATALINA_HOME/lib</code> directory. When you are through,
place the factory class (and the corresponding bean class) unpacked under
- <code>$CATALINA_HOME/common/classes</code>, or in a JAR file inside
- <code>$CATALINA_HOME/common/lib</code>. In this way, the required class
+ <code>$CATALINA_HOME/lib</code>, or in a JAR file inside
+ <code>$CATALINA_HOME/lib</code>. In this way, the required class
files are visible to both Catalina internal resources and your web
application.</p>
<p>Apache 1.3 supports an optional module (<code>mod_proxy</code>) that
configures the web server to act as a proxy server. This can be used to
-forward requests for a particular web application to a Tomcat 5 instance,
+forward requests for a particular web application to a Tomcat 6 instance,
without having to configure a web connector such as <code>mod_jk</code>.
To accomplish this, you need to perform the following tasks:</p>
<ol>
Specification (Version 2.4)</a>, Section 12.</p>
<p>For information about utilizing the <em>Single Sign On</em> feature of
-Tomcat 5 (allowing a user to authenticate themselves once across the entire
+Tomcat 6 (allowing a user to authenticate themselves once across the entire
set of web applications associated with a virtual host), see
<a href="config/host.html#Single Sign On">here</a>.</p>
defining the interface between a servlet container and the associated user
and role information. In many cases, however, it is desireable to "connect"
a servlet container to some existing authentication database or mechanism
-that already exists in the production environment. Therefore, Tomcat 5
+that already exists in the production environment. Therefore, Tomcat 6
defines a Java interface (<code>org.apache.catalina.Realm</code>) that
can be implemented by "plug in" components to establish this connection.
Five standard plug-ins are provided, supporting connections to various
<code>testUser:localhost:8080:testPassword</code>.</p>
<p>To use either of the above techniques, the
-<code>$CATALINA_HOME/server/lib/catalina.jar</code> file will need to be
-on your class path to make the <code>RealmBase</code> class available. In
-addition, you will need the JMX jar and the commons-logging jar (either
-commons-logging-api.jar or commons-logging.jar). Both of these are included
-with the Tomcat distribution.
+<code>$CATALINA_HOME/lib/catalina.jar</code> and
+<code>$CATALINA_HOME/bin/tomcat-juli.jar</code> files will need to be
+on your class path to make the <code>RealmBase</code> class available.
</p>
<p>Non-ASCII usernames and/or passwords are supported using
<subsection name="Example Application">
-<p>The example application shipped with Tomcat 5 includes an area that is
+<p>The example application shipped with Tomcat 6 includes an area that is
protected by a security constraint, utilizing form-based login. To access it,
point your browser at
<a href="http://localhost:8080/jsp-examples/security/protected/">http://localhost:8080/jsp-examples/security/protected/</a>
<subsection name="Manager Application">
<p>If you wish to use the <a href="manager-howto.html">Manager Application</a>
-to deploy and undeploy applications in a running Tomcat 5 installation, you
+to deploy and undeploy applications in a running Tomcat 6 installation, you
MUST add the "manager" role to at least one username in your selected Realm
implementation. This is because the manager web application itself uses a
security constraint that requires role "manager" to access ANY request URI
<h3>Introduction</h3>
-<p><strong>JDBCRealm</strong> is an implementation of the Tomcat 5
+<p><strong>JDBCRealm</strong> is an implementation of the Tomcat 6
<code>Realm</code> interface that looks up users in a relational database
accessed via a JDBC driver. There is substantial configuration flexibility
that lets you adapt to existing table and column names, as long as your
at least read only access to the tables described above. (Tomcat will
never attempt to write to these tables.)</li>
<li>Place a copy of the JDBC driver you will be using inside the
- <code>$CATALINA_HOME/server/lib</code> directory (if you do not need it
- visible to web applications) or <code>$CATALINA_HOME/common/lib</code>
- (if it will be used both by Tomcat 5 <em>and</em> by your apps).
+ <code>$CATALINA_HOME/lib</code> directory.
Note that <strong>only</strong> JAR files are recognized!</li>
<li>Set up a <code><Realm></code> element, as described below, in your
<code>$CATALINA_HOME/conf/server.xml</code> file.</li>
-<li>Restart Tomcat 5 if it is already running.</li>
+<li>Restart Tomcat 6 if it is already running.</li>
</ol>
<h3>Realm Element Attributes</h3>
<p>JDBCRealm operates according to the following rules:</p>
<ul>
<li>When a user attempts to access a protected resource for the first time,
- Tomcat 5 will call the <code>authenticate()</code> method of this
+ Tomcat 6 will call the <code>authenticate()</code> method of this
<code>Realm</code>. Thus, any changes you have made to the database
directly (new users, changed passwords or roles, etc.) will be immediately
reflected.</li>
<h3>Introduction</h3>
-<p><strong>DataSourceRealm</strong> is an implementation of the Tomcat 5
+<p><strong>DataSourceRealm</strong> is an implementation of the Tomcat 6
<code>Realm</code> interface that looks up users in a relational database
accessed via a JNDI named JDBC DataSource. There is substantial configuration
flexibility that lets you adapt to existing table and column names, as long
for information on how to configure a JNDI named JDBC DataSource.</li>
<li>Set up a <code><Realm></code> element, as described below, in your
<code>$CATALINA_HOME/conf/server.xml</code> file.</li>
-<li>Restart Tomcat 5 if it is already running.</li>
+<li>Restart Tomcat 6 if it is already running.</li>
</ol>
<h3>Realm Element Attributes</h3>
<p>DataSourceRealm operates according to the following rules:</p>
<ul>
<li>When a user attempts to access a protected resource for the first time,
- Tomcat 5 will call the <code>authenticate()</code> method of this
+ Tomcat 6 will call the <code>authenticate()</code> method of this
<code>Realm</code>. Thus, any changes you have made to the database
directly (new users, changed passwords or roles, etc.) will be immediately
reflected.</li>
<h3>Introduction</h3>
-<p><strong>JNDIRealm</strong> is an implementation of the Tomcat 5
+<p><strong>JNDIRealm</strong> is an implementation of the Tomcat 6
<code>Realm</code> interface that looks up users in an LDAP directory
server accessed by a JNDI provider (typically, the standard LDAP
provider that is available with the JNDI API classes). The realm
never attempt to modify this information.)</li>
<li>Place a copy of the JNDI driver you will be using (typically
<code>ldap.jar</code> available with JNDI) inside the
- <code>$CATALINA_HOME/server/lib</code> directory (if you do not need it
- visible to web applications) or <code>$CATALINA_HOME/common/lib</code>
- (if it will be used both by Tomcat 5 <em>and</em> by your apps).</li>
+ <code>$CATALINA_HOME/lib</code> directory.</li>
<li>Set up a <code><Realm></code> element, as described below, in your
<code>$CATALINA_HOME/conf/server.xml</code> file.</li>
-<li>Restart Tomcat 5 if it is already running.</li>
+<li>Restart Tomcat 6 if it is already running.</li>
</ol>
<h3>Realm Element Attributes</h3>
<p>JNDIRealm operates according to the following rules:</p>
<ul>
<li>When a user attempts to access a protected resource for the first time,
- Tomcat 5 will call the <code>authenticate()</code> method of this
+ Tomcat 6 will call the <code>authenticate()</code> method of this
<code>Realm</code>. Thus, any changes you have made to the directory
(new users, changed passwords or roles, etc.) will be immediately
reflected.</li>
<h3>Introduction</h3>
<p><strong>MemoryRealm</strong> is a simple demonstration implementation of the
-Tomcat 5 <code>Realm</code> interface. It is not designed for production use.
+Tomcat 6 <code>Realm</code> interface. It is not designed for production use.
At startup time, MemoryRealm loads information about all users, and their
corresponding roles, from an XML document (by default, this document is loaded from <code>$CATALINA_HOME/conf/tomcat-users.xml</code>). Changes to the data
in this file are not recognized until Tomcat is restarted.</p>
<h3>Example</h3>
-<p>The default installation of Tomcat 5 is configured with a MemoryRealm
+<p>The default installation of Tomcat 6 is configured with a MemoryRealm
nested inside the <code><Engine></code> element, so that it applies
to all virtual hosts and web applications. The default contents of the
<code>conf/tomcat-users.xml</code> file is:</p>
this file will <strong>not</strong> be recognized until Tomcat is
restarted.</li>
<li>When a user attempts to access a protected resource for the first time,
- Tomcat 5 will call the <code>authenticate()</code> method of this
+ Tomcat 6 will call the <code>authenticate()</code> method of this
<code>Realm</code>.</li>
<li>Once a user has been authenticated, the user (and his or her associated
roles) are cached within Tomcat for the duration of the user's login.
<li>Configure your security-constraints in your web.xml for
the resources you want to protect</li>
<li>Configure the JAASRealm module in your server.xml </li>
- <li>Restart Tomcat 5 if it is already running.</li>
+ <li>Restart Tomcat 6 if it is already running.</li>
</ol>
<h3>Realm Element Attributes</h3>
<p>To configure JAASRealm as for step 6 above, you create
<h3>Additional Notes</h3>
<ul>
<li>When a user attempts to access a protected resource for
- the first time, Tomcat 5 will call the <code>authenticate()</code>
+ the first time, Tomcat 6 will call the <code>authenticate()</code>
method of this <code>Realm</code>. Thus, any changes you have made in
the security mechanism directly (new users, changed passwords or
roles, etc.) will be immediately reflected.</li>
by Tomcat will have. There are a number of Permission classes that are
a standard part of the JDK, and you can create your own Permission class
for use in your own web applications. Both techniques are used in
- Tomcat 5.</p>
+ Tomcat 6.</p>
<subsection name="Standard Permissions">
looks like this:</p>
<source>
// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
//
// * Read access to the document root directory
//
-// $Id: security-manager-howto.xml 301460 2003-01-15 03:40:45Z glenn $
+// $Id: catalina.policy 393732 2006-04-13 06:32:25Z pero $
// ============================================================================
// ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the launcher code
-grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
-// located in the "common" directory
-grant codeBase "file:${catalina.home}/common/-" {
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
-// These permissions apply to the container's core code, plus any additional
-// libraries installed in the "server" directory
-grant codeBase "file:${catalina.home}/server/-" {
- permission java.security.AllPermission;
+// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
+grant codeBase "file:${catalina.home}/webapps/balancer/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
};
+
// ========== WEB APPLICATION PERMISSIONS =====================================
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
- // Required for JNDI lookup of named JDBC DataSource's and
- // javamail named MimePart DataSource used to send mail
- permission java.util.PropertyPermission "java.home", "read";
- permission java.util.PropertyPermission "java.naming.*", "read";
- permission java.util.PropertyPermission "javax.sql.*", "read";
-
- // OS Specific properties to allow read access
- permission java.util.PropertyPermission "os.name", "read";
- permission java.util.PropertyPermission "os.version", "read";
- permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "file.separator", "read";
- permission java.util.PropertyPermission "path.separator", "read";
- permission java.util.PropertyPermission "line.separator", "read";
-
- // JVM properties to allow read access
- permission java.util.PropertyPermission "java.version", "read";
- permission java.util.PropertyPermission "java.vendor", "read";
- permission java.util.PropertyPermission "java.vendor.url", "read";
- permission java.util.PropertyPermission "java.class.version", "read";
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
- // Required for getting BeanInfo
- permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
-
- // Required for OpenJMX
- permission java.lang.RuntimePermission "getAttribute";
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
};
Tomcat. It is important to note that the Tomcat administration web
application can only be used when Tomcat is running.</p>
- <p>If using a J2SE 1.4 JRE, the compatibility package must be downloaded and
- expanded inside the folder where Tomcat was installed.</p>
-
</section>
<section name="Unix daemon">
<p>Please note that you should use the GNU make (gmake) instead of
the native BSD make on FreeBSD systems.</p>
+ <p>Download a commons-daemon binary from the Jakarta Commons download page,
+ and place jsvc.tar.gz and commons-daemon.jar in the
+ <code>$CATALINA_HOME/bin</code> folder.</p>
<source>
cd $CATALINA_HOME/bin
<source>
cd $CATALINA_HOME
- ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp ./bin/bootstrap.jar \
+ ./bin/jsvc -cp ./bin/bootstrap.jar \
-outfile ./logs/catalina.out -errfile ./logs/catalina.err \
org.apache.catalina.startup.Bootstrap
</source>
will bypass your security policy configuration in <code>catalina.policy.</code>
</p>
-<p>Rename <code>$CATALINA_BASE/server/lib/servlets-ssi.renametojar</code>
-to <code>$CATALINA_BASE/server/lib/servlets-ssi.jar</code>.</p>
-
<p>To use the SSI servlet, remove the XML comments from around the SSI servlet
and servlet-mapping configuration in
<code>$CATALINA_BASE/conf/web.xml</code>.</p>
and filter-mapping configuration in
<code>$CATALINA_BASE/conf/web.xml</code>.</p>
+<p>Only Contexts which are marked as privileged may use SSI features (see the
+privileged property of the Context element).</p>
+
</section>
<section name="Servlet Configuration">
<blockquote><em>
<p>The description below uses the variable name $CATALINA_HOME
- to refer to the directory into which you have installed Tomcat 5,
+ to refer to the directory into which you have installed Tomcat 6,
and is the base directory against which most relative paths are
- resolved. However, if you have configured Tomcat 5 for multiple
+ resolved. However, if you have configured Tomcat 6 for multiple
instances by setting a CATALINA_BASE directory, you should use
$CATALINA_BASE instead of $CATALINA_HOME for each of these
references.</p>
</em></blockquote>
-<p>To install and configure SSL support on Tomcat 5, you need to follow
+<p>To install and configure SSL support on Tomcat 6, you need to follow
these simple steps. For more information, read the rest of this HOW-TO.</p>
<ol>
<li>If you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from
<p>The final step is to configure your secure socket in the
<code>$CATALINA_HOME/conf/server.xml</code> file, where
<code>$CATALINA_HOME</code> represents the directory into which you
-installed Tomcat 5. An example <code><Connector></code> element
+installed Tomcat 6. An example <code><Connector></code> element
for an SSL connector is included in the default <code>server.xml</code>
file installed with Tomcat. It will look something like this:</p>
<source>
projects / tomcat7.0 / commitdiff