From: markt
Date: Tue, 9 Aug 2011 15:36:44 +0000 (+0000)
Subject: Prep the changelog
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=aa593e32eb8ffbf2af9f78c0abf2e96a2cdaa68b;p=tomcat7.0

Prep the changelog

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1155406 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 418e6e6f4..66322150d 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -24,16 +24,6 @@ &project; - Remy Maucherat - Filip Hanik - Rainer Jung - Konstantin Kolinko - Peter Rossbach - Keiichi Fujino - Tim Whittington - Mladen Turk - Christopher Schultz - Sylvain Laurent Changelog @@ -52,3677 +42,11 @@ Other fixed issues are added to the end of the list, chronologically. They eventually become mixed with the numbered issues. (I.e., numbered issues to not "pop up" wrt. others). + + Until the first Tomcat 8.0.0 release, only changes not back-ported to 7.0.x + should be listed here. --> -
- - - - Corrected missing comma in the value of jarsToSkip - property in conf/catalina.properties file, which - caused tomcat-jdbc.jar and commons-beanutils*.jar to be not - ignored when scanning jars for tag libraries. (kkolinko) - - - 41709: Provide exception messages where no message is - provided currently for IllegalStateExcpetions triggered by calling - HttpServletResponse methods when the reponse is committed. (markt) - - - 51509: Fix potential concurrency issue in CSRF prevention - filter that may lead to some requests failing that should not. (markt) - - - 51518: Correct error in web.xml parsing rules for the - <others/> tag when using absolute ordering. (markt) - - - Move the SetCharacterEncoding filter from the examples web application - to the org.apache.catalina.filters package so it is - available for all web applications. (markt) - - - 51550: Internal errors in Tomcat components that process - requests before they are passed to a web application, such as - Authenticators, now return a 500 response rather than a 200 response. - (markt) - - - 51555: Allow destroy() to be called on Lifecycle components - that are in the initialized state. (markt) - - - Add x-threadname pattern format token to ExtendedAccessLogValve to log - the current request thread name. Based on a patch from Felix Schumacher. - (timw) - - - 51584: Ensure file paths are encoded/decoded when translated - to/from URLs when working with resources from a Context so special - characters don't cause issues. (markt) - - - 51586: Expand error handling to cover anything that is - recoverable (or might be recoverable) when loading classes during - HandlesTypes processing. (markt) - - - 51588: Make it easier to extend the AccessLogValve to add - support for custom elements. (markt) - - - Ensure that calls to StandardWrapper methods() that may trigger creation - of a Servlet instance always do so in way that correctly instantiates a - Servlet instance. 
(markt) - - - In JDBCStore: Committing connection if autoCommit is false. - Make sure committed connection is returned to the pool if datasource is - enabled. (kfujino) - - - Split condition attribute of AccessLogValve into two, - conditionIf and conditionUnless. Implement - conditional logging that logs only if a request attribute is present. - (kkolinko) - - - Allow to have several AccessLogValve instances in the same scope (e.g. - in the same Context). (kkolinko) - - - 51610: If an unchecked exception occurs during a lifecycle - transition (e.g. web application start) ensure that the component is - put into the failed state. (markt) - - - 51614: Avoid calling store.load() and session.expire() - twice in PersistentManager when expiring sessions. (kfujino) - - - Prevent spurious log warnings on container stop if a child component has - previously failed. (markt) - - - Add missing getter and setter for the alwaysUseSession attribute of the - authenticators. (markt) - - - - - - - 49595: Prevent JVM crash with the AJP APR connector when - flushing a closed socket. (jfclere) - - - 50394: Return -1 instead throwing an exception when - encountering an EOF while processing an input stream with the HTTP APR - connector. (jfclere) - - - Correctly handle a connectionTimeout value of -1 (no timeout) for the - HTTP NIO and AJP NIO connectors. (markt) - - - 51503: Add additional validation that prevents a connector - from starting if it does not have a port > 0. (markt) - - - 51557: Ignore HTTP headers that do not comply with RFC 2616 - and use header names that are not tokens. (markt) - - - Improve error handling for HTTP APR if an error occurs while using - sendfile. (markt) - - - Ensure that when using sendfile, HTTP APR sockets are not added to - multiple pollers. This may cause errors during shutdown. (markt) - - - Set reuse flag of final AJP END_RESPONSE - packet to 0 if we plan to close the connection. 
(rjung) - - - Correctly indicate if socket is closing when calling recycle for the AJP - NIO processor. Note since the flag is unused in this case there were no - bugs triggered by the re-factoring error. (rjung) - - - - - - - 51532: JSP files with dependencies in JARs were recompiled on - every access leading to poor performance. (markt) - - - 51544: Correctly resolve bean methods in EL so accessible - methods that are overridden by inaccessible methods do not cause an - IllegalAccessException. (markt) - - - - - - - 41498: Add the allRolesMode attribute to the Realm - configuration page in the documentation web application. (markt) - - - 48997: Fixed some typos and correct cross-referencing to the - HTTP Connector documentation with the SSL How-To page of the - documentation web application. (markt) - - - 49122: Improvements and fixes for index page for ROOT web - application. Based on a patch provided by pidster. (markt) - - - 51516: Correct documentation web application to show correct - system property name for changing the name of the SSO session cookie. - (markt) - - - Configure the Manager and Host Manager web applications with the Set - Character Encoding Filter to make the default request character encoding - UTF-8 to improve i18n support. Note that best results will be obtained - if the connector is also configured with - URIEncoding="UTF-8".(markt) - - - Update the documentation web application to be even more explicit about - the implications of setting the path attribute on a Context element in - server.xml. (markt) - - - 51561: Update the Realm page within the documentation web - application to recommend the use of digest.[bat|sh] to generate digests - rather than calling RealmBase directly. (markt) - - - 51567: Update the class loading page of the documentation - web application to include information on the search order for the - common class loader when separate values are used for $CATALINA_HOME and - $CATALINA_BASE. 
(markt) - - - Improve class loading documentation and logging documentation. - (kkolinko) - - - Add information to the security page of the the documentation web - application for the ciphers attribute of the Connector element. (markt) - - - - - - - 51503: Add additional validation to Windows installer that - ensure that the shutdown port, HTTP port and AJP port are all specified - during the install process. (markt) - - - 51531: Update sample Eclipse classpath file to reflect - updated ECJ jar. Patch provided by Ian Brandt. (markt) - - - Convert Tomcat unit tests to JUnit 4. (kkolinko) - - - Update optional CheckStyle library to 5.4. (kkolinko) - - - Remove resolveHosts attribute from AccessLogValve - configuration in the default server.xml. It was documented - in 7.0.19 that it has no effect. (kkolinko) - - - Simplify mapping for jsp servlet in the default - web.xml. (kkolinko) - - - Correctly handle uninstall with the Windows installer of the service is - installed with a name that contains a '-' character. (markt) - - - 51598: Prevent direct invocation of the Windows uninstaller - without a service name from executing since the uninstall will not be - complete. (markt) - - - Use Tomcat icon (cat) instead of Apache Commons Daemon (feather) one - in the list of uninstallable programs on Windows. (kkolinko) - - - Update to Apache Commons Daemon 1.0.7. (markt) - - - 51621: Add additional required JARs to the deployer - distribution. (markt) - - - Fix a small number of warnings reported by FindBugs. (markt) - - - Update to version 1.1.22 of the native component for the AJP APR/native - and HTTP APR/native connectors. (markt) - - - -
-
- - - - Add option to activate access log for unit tests. (rjung) - - - Fix regression in year number formatting for AccessLogValve. (rjung) - - - 46252: Allow to specify character set to be used to write - the access log in AccessLogValve. (kkolinko) - - - 51494: Prevent an NPE when a long running request completes - if the associated web application was destroyed while the request was - processing. (markt) - - - Allow choosing a locale for timestamp formatting in AccessLogValve. - (rjung) - - - When generating access logs for errors, log at the Context/Host level if - a Context or Host can be identified for the failed request. (markt) - - - Create a directory for access log or error log (in AccessLogValve and - in JULI FileHandler) automatically when it is specified as a part of - the file name, e.g. in the prefix attribute. Earlier this - happened only if it was specified with the directory - attribute. (kkolinko) - - - Log a failure if access log file cannot be opened. (kkolinko) - - - Use en_US as locale for timestamps in ExtendedAccessLogValve. - (rjung) - - - Use en_US as locale for creationdate in WebdavServlet. (rjung) - - - - - - - 51477: Support all SSL protocol combinations in the - APR/native connector. This only works when using the native library - version 1.1.21 or later, which is not yet released. (rjung) - - - Various refactorings to reduce code duplication and unnecessary code in - the connectors. (markt) - - - Correct regression introduced in 7.0.17 that triggered 400 entries in - the AccessLog when using the AJP/BIO connector. (markt) - - - Fix regression producing invalid MBean names when using IPV6 - addresses for connectors. (rjung) - - - Add missing thread name in RequestProcessor when Servlet 3 Async - is used. Fixes null thread name in access log and JMX MBean. (rjung) - - - Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and crashes - (HTTP APR) if sendfile is configured to send more data than is available - in the file. 
(markt) - - - Prevent NPEs when a socket is closed in non-error conditions after - sendfile processing when using the HTTP NIO connector. (markt) - - - - - - - Remove unnecessary server.xml parsing code for old cluster - implementation that does not ship as part of Tomcat 7. (markt) - - - - - - - Add additional information to the documentation web application on the - benefits and remaining risks when running under a security manager. - (markt) - - - 51490: Correct broken HTML in JSP tag plugin examples and - improve the <c:if> example to make failures more obvious. Based on - suggestions by Charles. (markt) - - - Document ExtendedAccessLogValve. (rjung) - - - Correct default value of enableLookups for connectors - and mention, that resolveHosts for the AccessLogValve - is replaced by enableLookups. (rjung) - - - - - - - Update to Commons Daemon 1.0.6. (markt) - - - Update to Eclipse JDT Compiler 3.7. (markt) - - - Include jdbc-pool into tomcat release. (fhanik) - - - -
-
- - - - Correct regression introduced in 7.0.17 that triggered an NPE if a - CrawlerSessionManagerValve was used without setting crawlerUserAgents. - (markt) - - - 51466: Correct comment typos in HostManagerServlet. Patch - provided by Felix Schumacher. (markt) - - - 51467: Invoke Thread.start() rather than Thread.run() so that - listeners and filters are stopped in a separate thread rather than the - current thread. Patch provided by Felix Schumacher. (markt) - - - 51473: Fix concatenation of values in - SecurityConfig.setSecurityProperty(). (kkolinko) - - - Fix response.encodeURL() for the special case of an absolute URL - with no path segment (http://name). (rjung) - - - - - - - Correct regression caused by connector re-factoring that made AJP - APR/native connector very unstable on Windows platforms. (markt) - - - Correct regression caused by connector re-factoring that meant that - sendfile data was not reset between pipe-lined HTTP requests. (markt) - - - - - - - Re-factor tests to align packages for tests with the classes under test. - Start to convert non-JUnit tests to JUnit. Remove unnecessary code. - (markt) - - - Add synchronization to receiver socket binding to prevent test failures - on Linux. (markt) - - - - - - - More code clean-up to remove unused code and reduce IDE warnings. - (markt/kkolinko) - - - Further improvements to the Windows installer. (markt/kkolinko) - - - -
-
- - - - 48956: Add regular expression support for SSI. (markt) - - - 49165: Allow any time stamp formats supported by - SimpleDateFormat in AccessLogValve. Support logging begin and/or end of - request. (rjung) - - - 50677: Allow system property variables to be used in the - values of "common.loader" and other "*.loader" properties in the - catalina.properties file. (kkolinko) - - - 51376: When adding a Servlet via - ServletContext#addServlet(String, Servlet), the Servlet was not - initialized when the web application started and a load on startup value - was set. (markt) - - - 51386: Correct code for processing @HandlesTypes annotations - so only types of interest are reported to a ServletContainerInitializer. - (markt) - - - Add the Tomcat extras, ant-junit and Java Help Jars to the list of JARs - to skip when scanning for TLDs and web fragments. (rjung) - - - The fix for bug 51310 caused a regression that re-introduced - bug 49957 and deleted the contents of the work directory - when Tomcat was shutdown. This fix ensures that that work directory for - an application is not deleted when Tomcat is shutdown. (markt) - - - Correct issues with JULI's OneLineFormatter including: correctly - re-using formatted timestamps when possible; thread-safety issues in - timestamp formatting; correcting the output of any milliseconds to - include leading zeros and formatting any parameters present. - (kkolinko/markt/rjung) - - - 51395: Fix memory leak triggered when an application that - includes a SAXParserFactory is the first web application to be loaded. - (markt) - - - 51396: Correctly handle jsp-file entries in web.xml when the - JSP servlet has been configured via code when embedding Tomcat. (markt) - - - 51400: Avoid known bottleneck in JVM when converting between - Strings and bytes by always providing a Charset rather than an encoding - name. Based on a patch by Dave Engberg. 
(markt) - - - 51401: Correctly initialise shared WebRuleSet instance used - by the digesters that parse web.xml and prevent incorrect warnings about - multiple occurrences of elements that are only allowed to appear once in - web.xml and web-fragment.xml. (kfujino) - - - 51403: Avoid NPE in JULI FileHandler if formatter is - misconfigured. (kkolinko) - - - Previous improvements in JAR scanning performance introduced a start-up - performance penalty for some use cases. This fix addresses those - performance penalties while retaining the original improvements. (markt) - - - 51418: Provide more control over Context creation when - embedding Tomcat. Based on a patch by Benson Margulies. (markt/kkolinko) - - - Remove redundant copy of catalina.properties from o.a.c.startup. - Generate this copy for inclusion in bin and src jars during the - ant "compile" task. (rjung) - - - Use system properties loaded from catalina.properties via the class - path in unit tests. (rjung) - - - Improve JMX unit test. (rjung) - - - Fix IllegalStateException for JavaScript files when switching from - Writer to OutputStream. The special handling of this case in the - DefaultServlet was broken due to a MIME type change for JavaScript. - (funkman) - - - Fix CVE-2011-2204. Prevent user passwords appearing in log files if a - runtime exception (e.g. OOME) occurs while creating a new user for a - MemoryUserDatabase via JMX. (markt) - - - Fix an issue with the CrawlerSessionManagerValve that meant sessions - were not always correctly tracked. (markt) - - - 51436: Send 100 (Continue) response earlier to enable - ServletRequestListener implementations to read the request body. Based - on a patch by Simon Olofsson. (markt) - - - Ensure an access log entry is made if an error occurs during - asynchronous request processing and the socket is immediately closed. 
- (markt) - - - Ensure that if asyncDispatch() is called during an onTimeout event and - the target Servlet does not call startAsync() or complete() that Tomcat - calls complete() once the target Servlet exits. (markt) - - - Improve the handling for Servlets that implement the deprecated - SingleThreadModel when embedding Tomcat. (markt) - - - 51445: Correctly initialise all instances of Servlets that - implement SingleThreadModel. Based on a patch by Felix Schumacher. - (markt) - - - 51453: Fix a regression in the preemptive authentication - support (enhancement 12428) that could trigger authentication - even if preemptive authentication was disabled. (markt) - - - Prevent possible NPE when serving Servlets that implement the - SingleThreadModel interface. (markt) - - - In launcher for embedded Tomcat: do not change catalina.home - system property if it had a value. (kkolinko) - - - When using Servlets that implement the SingleThreadModel interface, add - the single instance created to the pool when it is determined that a - pool of servlets is required rather than throwing it away. (markt) - - - - - - - Fix unit test for bindOnInit which was failing for APR on some - platforms. (rjung) - - - Remove superfluous quotes from thread names for connection pools. - (rjung) - - - Fix crash observed during pausing the connector when using APR. - Only add socket to poller if we are sure we don't close it later. - (rjung) - - - Various refactorings to reduce code duplication and unnecessary code in - the connectors. (markt) - - - Correct a regression introduced in Apache Tomcat 7.0.11 that broke - certificate revocation list handling. (markt) - - - - - - - Improve the message printed by TldLocationsCache and add configuration - example to the logging.properties file. (kkolinko) - - - 33453: Recompile JSPs if last modified time of the source or - any of its dependencies changes either forwards or backwards. 
Note that - this introduces an incompatible change to the code generated for JSPs. - Tomcat will automatically re-compile any JSPs and tag files found in the - work directory when upgrading from 7.0.16 or earlier to 7.0.17 or later. - If you later downgrade from 7.0.17 or later to 7.0.16 or earlier, you - must empty the work directory as part of the downgrade process. (markt) - - - 36362: Handle the case where tag file attributes (which can - use any valid XML name) have a name which is not a Java identifier. - (markt/kkolinko) - - - Broaden the exception handling in the EL Parser so that more failures to - parse an expression include the failed expression in the exception - message. Hopefully, this will help track down the cause of - 51088. (markt) - - - - - - - 51306: Avoid NPE when handleSESSION_EXPIRED is processed - while handleSESSION_CREATED is being processed. (kfujino) - - - Notifications of changes in session ID to other nodes in the cluster - should be controlled by notifySessionListenersOnReplication rather than - notifyListenersOnReplication. (markt) - - - The change in session ID is notified to the container event listener on - the backup node in cluster. - This notification is controlled by - notifyContainerListenersOnReplication.(kfujino) - - - - - - - Update Maven repository information in the documentation to reflect - current usage. (markt) - - - 43538: Add host name and IP address to the HTML Manager - application. Patch by Dennis Lundberg. (markt) - - - Add session="false" directive to the index page of the - ROOT web application. (kkolinko) - - - 51443: Document the notifySessionListenersOnReplication - attribute for the DeltaManager. (markt) - - - 51447: Viewing a back up session in the HTML Manager web - application no longer changes the session to a primary session. Based on - a patch provided by Eiji Takahashi. 
(markt) - - - - - - - 33262: Install monitor to auto-start for current user only - rather than all users to be consistent with menu item creation. (markt) - - - 40510: Provide an option to install shortcuts for the current - user or all users. Also ensure registry is correctly cleaned on - uninstall for 64-bit platforms. (markt) - - - 50949: Provide the ability to specify the AJP port and - service name when installing Tomcat using the Windows installer. This - permits multiple instances of the same Tomcat version to be installed - side-by-side. (markt) - - - Clean up shell and batch scripts (improve consistency, - clarify comments, add configtest command support for - Windows). (rjung) - - - 51206: Make CATALINA_BASE visible for setenv.sh. (rjung) - - - Remove unnecessary variable BASEDIR from scripts. (rjung) - - - 51425, 51450: Update Spanish translations. Based - on patches provided by Jesus Marin. (markt) - - - -
-
- - - - 51249: Further improve system property replacement code - in ClassLoaderLogManager of Tomcat JULI to cover some corner cases. - (kkolinko) - - - 51264: Improve the previous fix for this issue by returning - the connection to the pool when not in use so it does not appear to be - an abandoned connection. Patch provided by Felix Schumacher. (markt) - - - 51324: Improve handling of exceptions when flushing the - response buffer to ensure that the doFlush flag does not get stuck in - the enabled state. Patch provided by Jeremy Norris. (markt) - - - Correct a regression in the fix for 51278 that prevented any - web application from being marked as distributable. (kfujino/markt) - - - Correct a regression in the fix for 51278 that prevented a - web application from overriding the default welcome files. (markt) - - - Enable remaining valves for Servlet 3 asynchronous processing support. - (markt) - - - Avoid possible NPE when logging requests received during embedded Tomcat - shutdown. (markt) - - - 51340: Fix thread-safety issue when parsing multiple web.xml - files in parallel. Apache Tomcat does not do this but products that - embed it may. (markt) - - - 51344: Fix problem with Lifecycle re-factoring for deprecated - embedded class that prevented events being triggered. (markt) - - - 51348: Prevent possible NPE when processing WebDAV locks. - (markt) - - - - - - - When parsing the port in the HTTP host header, restrict the value to be - base 10 integer digits rather than hexadecimal ones. - (rjung/markt/kkolinko) - - - Various refactorings to reduce code duplication and unnecessary code in - the connectors. (markt) - - - - - - - Change JAR scanning log messages where no TLDs are found to DEBUG level - and replace the multiple messages with a single INFO level message that - indicates that at least one JAR was scanned needlessly and how to obtain - more info. (markt) - - - - - - - Enable Servlet 3 asynchronous processing support when using clustering. 
- (markt) - - - - - - - Correct the log4j configuration settings when defining conversion - patterns in the documentation web application. (markt) - - - -
-
- - - - 27122: Remove a workaround for a very old and since fixed - Mozilla bug and change the default value of the securePagesWithPragma - attribute of the Authenticator Valves to false. These changes should - reduce the likelihood of issues when downloading files with IE. (markt) - - - 35054: Check that a file is not specified for a Host's - appBase and log an error if it is. (markt) - - - 51197: Fix possible dropped connection when sendError or - sendRedirect are used during async processing. (markt) - - - 51221: Correct Spanish translation of text used in a 302 - response. Patch provided by Paco Soberón. (markt) - - - 51249: Correct ClassLoaderLogManager system property - replacement code so properties of the form "}${...}" can be used - without error. (markt) - - - 51264: Allow the JDBC persistent session store to use a - JNDI datasource to define the database in which sessions are persisted. - Patch provided by Felix Schumacher. (markt) - - - 51274: Add missing i18n strings in PersistentManagerBase. - Patch provided by Eiji Takahashi. (markt) - - - 51276: Provide an abstraction for accessing content in JARs - so the most efficient method can be selected depending on the type of - URL used to identify the JAR. This improves startup time when JARs are - located in $CATALINA_BASE/lib. (markt) - - - 51277: Improve error message if an application is deployed - with an incomplete FORM authentication configuration. (markt) - - - 51278: Allow ServletContainerInitializers to override - settings in the global default web.xml and the host web.xml. (markt) - - - 51310: When stopping the Server object on shutdown call - destroy() after calling stop(). (markt) - - - - - - - 51145: Add an AJP-NIO connector. (markt/rjung) - - - - - - - 51220: Add a system property to enable tag pooling with JSPs - that use a custom base class. Based on a patch by Dan Mikusa. 
(markt) - - - Include a comment header in generated java files that indicates when the - file was generated and which version of Tomcat generated it. (markt) - - - 51240: Ensure that maxConnections limit is enforced when - multiple acceptor threads are configured. (markt) - - - - - - - 51230: Add missing attributes to JMX for ReplicationValve and - JvmRouteBinderValve. Patch provided by Eiji Takahashi. (markt) - - - - - - - Add documentation for AJP-NIO connector. (markt/rjung) - - - 51182: Document JAAS supported added in 51119. - Patch provided by Neil Laurance. (markt) - - - 51225: Fix broken documentation links for non-English locales - in the HTML Manager application. Patch provided by Eiji Takahashi. - (markt) - - - 51229: Fix bugs in the Servlet 3.0 asynchronous examples. - Patch provided by Eiji Takahashi. (markt) - - - 51251: Add web application version support to the Ant tasks. - Based on a patch provided by Eiji Takahashi. (markt) - - - 51294: Clarify behaviour of unpackWAR attribute of - StandardContext components. (markt) - - - - - - - 46451: Configure svn:bugtraq properties for Tomcat trunk. - Based on a patch provided by Marc Guillemot. (markt) - - - 51309: Correct logic in catalina.sh stop when using a PID - file to ensure the correct message is shown. Patch provided by Caio - Cezar. (markt) - - - -
-
- - - - Stylistic improvements to MIME type sync script. - Based on a patch provided by Felix Schumacher. (rjung) - - - Ensure that the SSLValve provides the SSL key size as an Integer rather - than a String. (markt) - - - Ensure that the RemoteIpValve works correctly with Servlet 3.0 - asynchronous requests. (markt) - - - Use safe equality test when determining event type in the - MapperListener. (markt) - - - Use correct class loader when loading Servlet classes in - StandardWrapper. (markt) - - - Provide additional configuration options for the RemoteIpValve and - RemoteIpFilter to allow greater control over the values returned by - ServletRequest#getServerPort() and ServletRequest#getLocalPort() when - Tomcat is behind a reverse proxy. (markt) - - - Ensure session cookie paths end in / so that session - cookies created for a context with a path of /foo do not - get returned with requests mapped to a context with a path of - /foobar. (markt) - - - - - - - 51177: Ensure Tomcat's MapElResolver always returns - Object.class for getType() as required by the - EL specification. (markt) - - - -
-
- - - - Correct mix-up in Realm Javadoc. (markt) - - - Fix display of response headers in AccessLogValve. (kkolinko) - - - Implement display of multiple request headers in AccessLogValve: - print not just the value of the first header, but of the all of them, - separated by commas. (kkolinko) - - - 50306: New StuckThreadDetectionValve to detect requests that - take a long time to process, which might indicate that their processing - threads are stuck. Based on a patch provided by TomLu. (slaurent) - - - 51038: Ensure that asynchronous requests are included in - access logs. (markt) - - - 51042: Don't trigger session creation listeners when a - session ID is changed as part of the authentication process. (markt) - - - 51050: Add additional common but non-standard file extension - to MIME type mappings for MPEG 4 files. Based on a patch by Cédrik Lime. - (markt) - - - Add some additional common JARs that do not contain TLDs or web - fragments to the list of JARs to skip when scanning for TLDs and web - fragments. (markt) - - - While scanning JARs for TLDs and fragments, avoid using JarFile and use - JarInputStream as in most circumstances where JARs are scanned, JarFile - will create a temporary copy of the JAR rather than using the resource - directly. This change significantly improves startup performance for - applications with lots of JARs to be scanned. (markt) - - - Ensure response is committed when AsyncContext#complete() - is called. (markt) - - - Add a container event that is fired when a session's ID is changed, - e.g. on authentication. (markt) - - - 51099: Correctly implement non-default login configurations - (configured via the loginConfigName attribute) for the the SPNEGO - authenticator. (fhanik/markt) - - - 51119: Add JAAS authentication support to the - JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt) - - - 51136: Provide methods that enable the name of a Context on - Context creation when using Tomcat in an embedded scenario. 
Based on a - patch provided by David Calavera. (markt) - - - 51137: Add additional Microsoft Office MIME type mappings. - (rjung) - - - Partial sync of MIME type mapping with mime.types from the Apache web - server. About 600 MIME types added, some changed. (rjung) - - - Make access logging more robust when logging requests that generate 400 - responses since the request object is unlikely to be fully/correctly - populated in that case. (markt) - - - - - - - 50957: Fix regression in HTTP BIO connector that triggered - errors when processing pipe-lined requests. (markt) - - - 50158: Ensure the asynchronous requests never timeout if the - timeout is set to zero or less. Based on a patch provided by Chris. - (markt) - - - 51073: Throw an exception and do not start the APR connector - if it is configured for SSL and an invalid value is provided for - SSLProtocol. (markt) - - - Align all the connector implementations with the documented default - setting for processorCache of 200. This changes the default from -1 - (unlimited) for the AJP-BIO, AJP-APR and HTTP-APR connectors. Additional - information was also added to the documentation on how to select an - appropriate value. - - - Take account of time spent waiting for a processing thread when - calculating connection and keep-alive timeouts for the HTTP BIO - connector. (markt) - - - 51095: Don't trigger a NullPointerException when the SSL - handshake fails with the HTTP-APR connector. Patch provided by Mike - Glazer. (markt) - - - Improve handling in AJP connectors of the case where too large a AJP - packet is received. (markt) - - - Restore the automatic disabling of HTTP keep-alive with the BIO - connector once 75% of the processing threads are in use and make the - threshold configurable. (markt) - - - Make pollerSize and maxConnections synonyms for the APR connectors since - they perform the same function. (markt) - - - Use maxThreads rather than 10000 as the default maxConnections for the - BIO connectors. 
(markt) - - - - - - - 47371: Correctly coerce the empty string to zero when used as - an operand in EL arithmetic. Patch provided by gbt. (markt) - - - Label JSP/tag file line and column numbers when reporting errors since - it may not be immediately obvious what the numbers represent. (markt) - - - Correct a regression in the fix for 49916 that resulted in - JSPs being compiled twice rather than just once. (markt) - - - Log JARs that are scanned for TLDs where no TLD is found so that users - can easily identify JARs that can be added to the list of JARs to skip. - (markt) - - - Use a single TLD location cache for a web application rather than one - per JSP compilation to speed up JSP compilation. (markt) - - - 51124: Refactor BodyContentImpl to assist in determining the - root cause of this bug. Based on a patch by Ramiro. (markt) - - - - - - - 50950: Correct possible NotSerializableException for an - authenticated session when running with a security manager. (markt) - - - - - - - Configure Security Manager How-To to include a copy of the actual - conf/catalina.policy file when the documentation is built, rather - than maintaining a copy of its content. (kkolinko) - - - Fix broken stylesheet URL in XML based manager status output. (rjung) - - - 51156: Ensure session expiration option is available in - Manager application was running web applications that were defined in - server.xml. (markt) - - - - - - - Clarify error messages in *.sh files to mention that if a script is - not found it might be because execute permission is needed. (kkolinko) - - - Update commons pool to 1.5.6. (markt) - - - 51135: Fix auto-detection of JAVA_HOME for 64-bit Windows - platforms that only have a 32-bit JVM installed. (markt) - - - 51154: Remove duplicate @deprecated tags in ServletContext - Javadoc. Patch provided by sebb. (markt) - - - 51155: Add comments to @deprecated tags that have none. Patch - provided by sebb. (markt) - - - -
-
- - - - Automatically correct invalid paths when specified for Context elements - inside server.xml and log a warning that the configuration has been - corrected. (markt) - - - Don't unpack WAR files if they are not located in the Host's - appBase. (markt) - - - Don't log to standard out in SSLValve. (markt) - - - Handle the case where a web crawler provides an invalid session ID in - the CrawlerSessionManagerValve. (markt) - - - Update pattern used in CrawlerSessionManagerValve to that used by the - ASF infrastructure team. (markt) - - - Remove unnecessary whitespace from MIME mapping entries in global - web.xml file. (markt) - - - When using parallel deployment, correctly handle the scenario when the - client sends multiple JSESSIONID cookies. (markt) - - - 12428: Add support (disabled by default) for preemptive - authentication. This can be configured per context. Based on a patch - suggested by Werner Donn. (markt) - - - 50929: When wrapping an exception, include the root cause. - Patch provided by sebb. (markt) - - - Make the CSRF nonce cache serializable so that it can be replicated - across a cluster and/or persisted across Tomcat restarts. (markt) - - - Resolve some refactoring TODOs in the implementation of the new Context - attribute "swallowAbortedUploads". (markt) - - - Include the seed time when calculating the time taken to create - SecureRandom instances for session ID generation, report excessive times - (greater than 100ms) at INFO level and provide a value for the message - key so a meaningful message appears in the logs. (markt) - - - Don't register Contexts that fail to start with the Mapper. (markt) - - - 48685: Add initial support for SPNEGO/Kerberos authentication - also referred to as integrated Windows authentication. 
This includes - user authentication, authorisation via the directory using the - user's delegated credentials and exposing the user's delegated - credentials via a request attribute so applications can make use of them - to impersonate the current user when accessing third-party systems that - use a compatible authentication mechanism. Based on a patch provided by - Michael Osipov. (markt) - - - HTTP range requests cannot be reliably served when a Writer is in use so - prevent the DefaultServlet from attempting to do so. (kkolinko) - - - Protect the DefaultServlet from Valves, Filters and Wrappers that write - content to the response. Prevent partial responses to partial GET - requests in this case since the range cannot be reliably determined. - Also prevent the DefaultServlet from setting a content length header - since this too cannot be reliably determined. (markt) - - - 50991: Fix regression in fix for 25060 that called - close on a JNDI resource while it was still available to the - application. (markt) - - - Provide a configuration option that lets the close method to be used for - a JNDI Resource to be defined by the user. This change also disables - using the close method unless one is explicitly defined for the - resource and limits it to singleton resources. (markt) - - - Correctly track changes to context.xml files and trigger redeployment - when copyXML is set to false. (markt) - - - 50997: Relax the requirement that directories must have a - name ending in .jar to be treated as an expanded JAR file - by the default JarScanner. Based on patch by Rodion Zhitomirsky. (markt) - - - Don't append the jvmRoute to a session ID if the jvmRoute is a zero - length string. (markt) - - - Don't register non-singelton DataSource resources with JMX. (markt) - - - Provide additional configuration options for the DIGEST authenticator. - (markt) - - - Provide a workaround for Tomcat hanging during shutdown when running the - unit tests. 
(markt) - - - - - - - 50887: Add support for configuring the JSSE provider used to - convert client certificates. Based on a patch by pknopp. (markt) - - - 50903: When a connector is stopped, ensure that requests that - are currently in a keep-alive state and waiting for client data are not - processed. Requests where processing has started will continue to - completion. (markt) - - - 50927: Improve error message when SSLCertificateFile is not - specified when using APR with SSL. Based on a patch provided by sebb. - (markt) - - - 50928: Don't ignore keyPass attribute for HTTP BIO and - NIO connectors. Based on a patch provided by sebb. (markt) - - - - - - - Securely seed the SecureRandom instance used for UUID generation and - report excessive creation time (greater than 100ms) at INFO level. - (markt) - - - - - - - 50924: Clean-up HTTP connector comparison table. (markt) - - - Slightly expanded the documentation of the Host element to clarify the - relationship between host name and DNS name. (markt) - - - 50925: Update SSL how-to to take account of - keyPass connector attribute. (markt) - - - Improve Tomcat Logging documentation. (kkolinko) - - - Align the authenticator documentation and MBean descriptors with the - implementation. (markt) - - - Prevent the custom error pages for the Manager and Host Manager - applications from being accessed directly. (markt) - - - 50984: When using the Manager application ensure that - undeployment fails if a file cannot be deleted. (markt) - - - - - - - Update Eclipse JDT complier to 3.6.2. (markt) - - - Update WSDL4J library to 1.6.2 (used by JSR 109 support in the extras - package). (markt) - - - Update optional CheckStyle library to 5.3. (markt) - - - 50911: Reduce noise generated during the build of the Windows - installer so warnings are more obvious. Patch provided by sebb. (markt) - - - Further work to reduce compiler and validation warnings across the code - base. (markt) - - - -
-
- - - - CVE-2011-1088: Completed fix. Don't ignore @ServletSecurity - annotations. (markt) - - - 25060: Close Apache Commons DBCP datasources when the - associated JNDI naming context is stopped (e.g. for a non-global - DataSource resource on web application reload) to close remaining - database connections immediately rather than waiting for garbage - collection. (markt) - - - 26701: Provide a mechanism for users to register their own - URLStreamHandlerFactory objects. (markt) - - - 50855: Fix NPE on HttpServletRequest.logout() when debug - logging is enabled. (markt) - - - New context attribute "swallowAbortedUploads" allows - to make request data swallowing configurable for requests - that are too large. (rjung) - - - 50854: Add additional permissions required by the Manager - application when running under a security Manager and support a shared - Manager installation when $CATALINA_HOME != CATALINA_BASE. (markt) - - - 50893: Add additional information to the download README for - the extras components. (markt) - - - Calling stop() and then destroy() on a - connector incorrectly triggered an exception. (markt) - - - - - - - 48208: Allow the configuration of a custom trust manager for - use in CLIENT-CERT authentication. (markt) - - - Fix issues that prevented asynchronous servlets from working when used - with the HTTP APR connector on platforms that support TCP_DEFER_ACCEPT. - (markt) - - - - - - - Correct possible threading issue in JSP compilation when development - mode is used. (markt) - - - 50895: Don't initialize classes created during the - compilation stage. (markt) - - - -
-
- - - - CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity - annotations. (markt) - - - 27988: Improve reporting of missing files. (markt) - - - 28852: Add URL encoding where missing to parameters in URLs - presented by Ant tasks to the Manager application. Based on a patch by - Stephane Bailliez. (markt) - - - Improve handling of SSL renegotiation by failing earlier when the - request body contains more bytes than maxSavePostSize. (markt) - - - Improve shut down speed by not renewing threads during shut down when - the ThreadLocalLeakPreventionListener is enabled. (markt) - - - - - - - 49284: Add SSL re-negotiation support to the HTTP NIO - connector and extend test cases to cover CLIENT-CERT authentication. - (fhanik/markt) - - - -
-
- - - - 19444: Add an option to the JNDI realm to allow role searches - to be performed by the authenticated user. (markt) - - - 21669: Add the ability to specify the roleBase for the JNDI - Realm as relative to the users DN. Based on a patch by Art W. (markt) - - - 22405: Add a new Lifecycle listener, - org.apache.catalina.security.SecurityListener that prevents - Tomcat from starting insecurely. It requires that Tomcat is not started - as root and that a umask at least as restrictive as 0007 is used. This - new listener is not enabled by default. - (markt) - - - 48863: Better logging when specifying an invalid directory - for a class loader. Based on a patch by Ralf Hauser. (markt/kkolinko) - - - 48870: Refactor to remove use of parallel arrays. (markt) - - - Enhance the RemoteIpFilter and RemoteIpValve so that the modified remote - address, remote host, protocol and server port may be used in an access - log if desired. (markt) - - - Restore access to Environments, Resources and ResourceLinks via JMX - which was lost in early 7.0.x re-factoring. (markt) - - - Remove ServerLifecycleListener. This was already removed from server.xml - and with the Lifecycle re-factoring is no longer required. (markt) - - - Add additional checks to ensure that sub-classes of - org.apache.catalina.util.LifecycleBase correctly implement - the expected state transitions. (markt) - - - 50189: Once the application has finished writing to the - response, prevent further reads from the request since this causes - various problems in the connectors which do not expect this. (markt) - - - 50700: Ensure that the override attribute of context - parameters is correctly followed. (markt) - - - 50721: Correctly handle URL decoding where the URL ends in - %nn. Patch provided by Christof Marti. (markt) - - - 50737: Add additional information when an invalid WAR file is - detected. 
(markt) - - - 50748: Allow the content length header to be set up to the - point the response is committed when a writer is being used. (markt) - - - 50751: When authenticating with the JNDI Realm, only attempt - to read user attributes from the directory if attributes are required. - (markt) - - - 50752: Fix typo in debug message in deprecated Embedded - class. (markt) - - - 50789: Provide an option to enable ServletRequestListeners - for forwards as required by some CDI frameworks. (markt) - - - 50793: When processing Servlet 3.0 async requests, ensure - that the requestInitialized and requestDestroyed events are only fired - once per request at the correct times. (markt) - - - 50802: Ensure that - ServletContext.getResourcePaths() includes static resources - packaged in JAR files in its output. (markt) - - - Web crawlers can trigger the creation of many thousands of sessions as - they crawl a site which may result in significant memory consumption. - The new Crawler Session Manager Valve ensures that crawlers are - associated with a single session - just like normal users - regardless - of whether or not they provide a session token with their requests. - (markt) - - - Don't attempt to start NamingResources for Contexts multiple times. - (markt) - - - 50826: Avoid IllegalArgumentException if an - embedded Tomcat instance that includes at least one Context is destroyed - without ever being started. (markt) - - - Ensure a web application is taken out of service if the web.xml file is - not valid. (kkolinko/markt) - - - Ensure Servlet 2.2 jspFile elements are correctly converted to use a - leading '/' if missing. (markt) - - - 50836: Better documentation of the meaning of - Lifecycle.isAvailable() and correct a couple of cases where - this could incorrectly return true. (markt) - - - - - - - 50780: Fix memory leak in APR implementation of AJP - connector introduced by the refactoring for 49884. 
(markt) - - - If server configuration errors and/or faulty applications caused the - ulimit for open files to be reached, the acceptor threads for all - connectors could enter a tight loop. This loop consumed CPU and also - logged an error message for every iteration of the loop which lead to - large log files being generated. The acceptors have been enhanced to - better handle this situation. (markt) - - - - - - - 50720: Ensure that the use of non-ISO-8859-1 character sets - for web.xml does not trigger an error when Jasper parses the web.xml - file. (markt) - - - 50726: Ensure that the use of the genStringAsCharArray does - not result in String constants that are too long for valid Java code. - (markt) - - - 50790: Improve method resolution in EL expressions. (markt) - - - - - - - 50771: Ensure HttpServletRequest#getAuthType() returns the - name of the authentication scheme if request has already been - authenticated. (kfujino) - - - - - - - 50713: Remove roles command from the Manager application. - (markt) - - - - - - - 1068549 50667: Allow RPC callers to get - confirmation when sending a reply. (fhanik) - - - - - - - 50743: Cache CheckStyle results between builds to speed up - validation. Patch provided by Oliver. (markt) - - - -
-
- - - - Fix NPE in CoyoteAdapter when postParseRequest() call fails. (kkolinko) - - - 50709: Make ApplicationContextFacade non-final to - enable extension. (markt) - - - When running under a security manager, user requests may fail with a - security exception. (markt) - - - - - - - Reduce level of log message for invalid URL parameters from WARNING to - INFO. (markt) - - - Fix hanging Servlet 3 asynchronous requests when using the APR based AJP - connector. (markt) - - - - - - - Align server.xml installed by the Windows installer with the one - bundled in zip/tar.gz files. The differences are LockOutRealm being - used and AccessLogValve being enabled by default. (kkolinko) - - - -
-
- - - - 18462: Don't merge stdout and - stderr internally so users retain the option to treat them - separately. (markt) - - - 18797: Provide protection against null or zero - length names being provided for users, roles and groups in the - MemoryRealm and UserDatabaseRealm. (markt) - - - Improve fix for 50205 to trigger an error earlier if invalid - configuration is used. (markt) - - - Provide additional control over component class loaders, primarily for - use when embedding. (markt) - - - Fix NPE in RemoteAddrFilter, RemoteHostFilter. (kkolinko) - - - 49711: HttpServletRequest#getParts will work in a filter - or servlet without an @MultipartConfig annotation or - MultipartConfigElement if the new "allowCasualMultipartParsing" - context attribute is set to "true". (schultz) - - - 49978: Correct another instance where deployment incorrectly - failed if a directory in the work area already existed. (markt) - - - 50582: Refactor access logging so chunked encoding is not - forced for all requests if bytes sent is logged. (markt) - - - 50597: Don't instantiate a new instance of a Filter if - an instance was provided via the - ServletContext.addFilter(String, Filter) method. Patch - provided by Ismael Juma. (markt) - - - 50598: Correct URL for Manager text interface. (markt) - - - 50620: Stop exceptions that occur during - Session.endAccess() from preventing the normal completion - of Request.recycle(). (markt) - - - 50629: Make StandardContext.bindThread() and - StandardContext.unbindThread() protected to allow use by - sub-classes. (markt) - - - Use getName() instead of logName() in error messages in StandardContext. - (kkolinko) - - - 50642: Move the sun.net.www.http.HttpClient - keep-alive thread memory leak protection from the - JreMemoryLeakPreventionListener to the WebappClassLoader since the - thread that triggers the memory leak is created on demand. (markt) - - - 50673: Improve Catalina shutdown when running as a service. - Do not call System.exit(). 
(kkolinko) - - - 50683: Ensure annotations are scanned when - unpackWARs is set to false in the Host - where a web application is deployed. (markt) - - - Improve HTTP specification compliance in support of - Accept-Language header. (kkolinko) - - - - - - - Prevent possible thread exhaustion if a Comet timeout event takes a - while to complete. (markt) - - - Prvent multiple Comet END events if the CometServlet calls - event.close() during an END event. (markt) - - - 50325: When the JVM indicates support for RFC 5746, disable - Tomcat's allowUnsafeLegacyRenegotiation configuration - attribute and use the JVM configuration to control renegotiation. - (markt) - - - 50405: Fix occassional NPE when using NIO connector and - Comet. (markt) - - - Ensure correct recycling of NIO input filters when processing Comet - events. (markt) - - - 50627: Correct interaction of NIO socket and Poller when - processing Comet events. (markt) - - - Correct interaction of APR socket and Poller when processing Comet - events. (markt) - - - 50631: InternalNioInputBuffer should honor - maxHttpHeadSize. (kkolinko) - - - - - - - Improve special case handling of - javax.servlet.jsp.el.ScopedAttributeELResolver in - javax.el.CompositeELResolver to handle sub-classes. (markt) - - - 15688: Use fully-qualified class names in generated jsp files - to avoid naming conflicts with user imports. (markt) - - - 46819: Remove redundant object instantiations in - JspRuntimeLibrary. Patch provided by Anthony Whitford. (markt) - - - Improve error message when EL identifiers are not valid Java identifiers - and use i18n for the error message. (markt) - - - 50680: Prevent an NPE when using tag files from an exploded - JAR file, e.g. from within an IDE. Patch provided by Larry Isaacs. - (markt) - - - - - - - 50591: Fix NPE in ReplicationValve. (kkolinko) - - - Internationalise the log messages for the FarmWarDeployer. 
(markt) - - - 50600: Prevent a ConcurrentModificationException - when removing a WAR file via the FarmWarDeployer. (markt) - - - Be consistent with locks on sessionCreationTiming, - sessionExpirationTiming in DeltaManager.resetStatistics(). (kkolinko) - - - 50648: Correctly set the interrupt status if a thread using - RpcChannel is interrupted waiting for a message reply. - Based on a patch by Olivier Costet. (markt) - - - 50646: Ensure larger Tribes messages are fully read. Patch - provided by Olivier Costet. (markt) - - - 50679: Update the FarmWarDeployer to support parallel - deployment. (markt) - - - - - - - 22278: Add a commented out RemoteAddrValve that - limits access to the Manager and Host Manager applications to localhost. - Based on a patch by Yann Cébron. (markt) - - - Correct a handful of Javadoc warnings. (markt) - - - Provide additional detail about how web application version order is - determined when using parallel deployment. (markt) - - - Correct the documentation for the recoveryCount count attribute of the - the default cluster membership. (markt) - - - 50441: Clarify when it is valid to set the docBase attribute - in a Context element. (markt) - - - 50526: Provide additional documetation on configuring - JavaMail resources. (markt) - - - 50599: Use correct names of roles required to access the - Manager application. (markt) - - - - - - - Extend the Checkstyle tests to check for license headers. (markt) - - - Modify the build script so a release build always rebuilds the - dependencies to ensure that the correct Tomcat version appears in the - manifest. (markt) - - - Code clean-up to remove unused code and reduce IDE warnings. (markt) - - - 50601: Code clean-up. Patch provided by sebb. (markt) - - - 50606: Improve CGIServlet: Provide support for specifying - empty value for the executable init-param. Provide support - for explicit additional arguments for the executable. Those were - broken when implementing fix for bug 49657. 
(kkolinko) - - - -
-
- - - - Update to Commons Daemon 1.0.5. (mturk) - - - - - - - 8705: org.apache.catalina.SessionListener now - extends java.util.EventListener. (markt) - - - 10526: Add an option to the Authenticators to - force the creation of a session on authentication which may offer some - performance benefits. (markt) - - - 10972: Improve error message if the className attribute is - missing on an element in server.xml where it is required. (markt) - - - 48692: Provide option to parse - application/x-www-form-urlencoded PUT requests. (schultz) - - - 48822: Include context name in case of error while stopping - or starting a context during its reload. Patch provided by Marc - Guillemot. (slaurent) - - - 48837: Extend thread local memory leak detection to include - classes loaded by subordinate class loaders to the web - application's class loader such as the Jasper class loader. Based - on a patch by Sylvain Laurent. (markt) - - - 48973: Avoid creating a SESSIONS.ser file when stopping an - application if there's no session. Patch provided by Marc Guillemot. - (slaurent) - - - 49000: No longer accept specification invalid name only - cookies by default. This behaviour can be restored using a system - property. (markt) - - - 49159: Improve memory leak protection by renewing threads of - the pool when a web application is stopped. (slaurent) - - - 49372: Re-fix after connector re-factoring. If connector - initialisation fails (e.g. if a port is alreasy in use) do not trigger - an LifecycleException for an invalid state transition. - (markt) - - - 49543: Allow Tomcat to use shared data sources with per - application credentials. (fhanik) - - - 49650: Remove unnecessary entries package.access property - defined in catalina.properties. Patch provided by Owen Farrell. (markt) - - - 50106: Correct several MBean descriptors. Patch provided by - Eiji Takahashi. (markt) - - - Further performance improvements to session ID generation. 
Remove legacy - configuration options that are no longer required. Provide additional - options to control the SecureRandom instances used to - generate session IDs. (markt) - - - 50201: Update the access log reference in - StandardEngine when the ROOT web application is redeployed, - started, stopped or defaultHost is changed. (markt/kkolinko) - - - 50282: Load - javax.security.auth.login.Configuration with - JreMemoryLeakPreventionListener to avoid memory leak when - stopping a web application that would use JAAS. (slaurent) - - - 50351: Fix the regression that broke BeanFactory resources - caused by the previous fix for 50159. (markt) - - - 50352: Ensure that AsyncListener.onComplete() is - fired when AsyncContext.complete() is called. (markt) - - - 50358: Set the correct LifecycleState when stopping instances - of the deprecated Embedded class. (markt) - - - Further Lifecycle refactoring for Connectors and associated components. - (markt) - - - Correct handling of versioned web applications in deployer. (markt) - - - Correct removal of LifeCycleListeners from - Containers via JMX. (markt) - - - Don't use nulls to construct log messages. (markt) - - - Code clean-up. Replace use of inefficient constructors with more - efficient alternatives. (markt) - - - 50411: Ensure sessions are removed from the - Store associated with a PersistentManager. - (markt) - - - 50413: Ensure 304 responses are not returned when using - static files as error pages. (markt/kkolinko) - - - 50448: Fix possible IllegalStateException - caused by recent session management refactoring. (markt) - - - Ensure aliases settings for a context are retained after a context is - reloaded. (markt) - - - Log a warning if context.xml files define values for properties that do - not exist (e.g. if there is a typo in a property name). (markt) - - - 50453: Correctly handle multiple X-Forwarded-For - headers in the RemoteIpFilter and RemoteIpValve. Patch provided by Jim - Riggs. 
(markt) - - - 50541: Add support for setting the size limit and time limit - for LDAP seaches when using the JNDI Realm with userSearch. - (markt) - - - All configuration options that use regular expression now require a - single regular expression (using java.util.regex) rather - than a list of comma-separated or semi-colon-separated expressions. - (markt) - - - 50496: Bytes sent in the access log are now counted after - compression, chunking etc rather than before. (markt) - - - 50550: When a new directory is created (e.g. via WebDAV) - ensure that a subsequent request for that directory does not result in a - 404 response. (markt) - - - 50554: Code clean up. (markt) - - - 50556: Improve JreMemoryLeakPreventionListener to prevent - a potential class loader leak caused by a thread spawned when the class - com.sun.jndi.ldap.LdapPoolManager is initialized and the - system property com.sun.jndi.ldap.connect.pool.timeout is - set to a value greater than 0. (slaurent) - - - - - - - 47319: Return the client's IP address rather than null - for calls to getRemoteHost() when the APR connector is - used with enableLookups="true" but the IP address - is not resolveable. (markt) - - - 50108: Add get/set methods for Connector property - minSpareThreads. Patch provided by Eiji Takahashi. (markt) - - - 50360: Provide an option to control when the socket - associated with a connector is bound. By default, the socket is bound on - Connector.init() and released on - Connector.destroy() as per the current behaviour but this - can be changed so that the socket is bound on - Connector.start() and released on - Connector.stop(). This fix also includes further Lifecycle - refactoring for Connectors and associated components. (markt) - - - Remove a huge memory leak in the NIO connector introduced by the fix - for 49884. (markt) - - - 50467: Protected against NPE triggered by a race condition - that causes the NIO poller to fail, preventing the processing of further - requests. 
(markt) - - - - - - - 13731: Make variables in _jspService() method - final where possible. (markt) - - - 50408: Fix NoSuchMethodException when using - scoped variables with EL method invocation. (markt) - - - 50460: Avoid a memory leak caused by using a cached exception - instance in JspDocumentParser and - ProxyDirContext. (kkolinko) - - - 50500: Use correct coercions (as per the EL spec) for - arithmetic operations involving string values containing '.', - 'e' or 'E'. Based on a patch by Brian Weisleder. - (markt) - - - - - - - 50185: Add additional trace level logging to Tribes to assist - with fault diagnosis. Based on a patch by Ariel. (markt) - - - Don't try and obtain session data from the cluster if the current - node is the only node in the cluster. Log requesting session data as - INFO rather than WARNING. (markt) - - - 50503: When web application has a version, Engine level - Clustering works correctly. (kfujino) - - - 50547: Add time stamp for CHANGE_SESSION_ID message and - SESSION_EXPIRED message. (kfujino) - - - - - - - 21157: Ensure cookies are written before the response is - commited in the Cookie example. Patch provided by Stefan Radzom. (markt) - - - 50294: Add more information to documentation regarding format - of configuration files. Patch provided by Luke Meyer. (markt) - - - Correctly validate provided context path so sessions for the ROOT web - application can be viewed through the HTML Manager. (markt) - - - Improve documentation of database connection factory. (rjung) - - - 50488: Update classpath required when using jsvc and add a - note regarding server VMs. (markt) - - - Further filtering of Manager display output. (kkolinko) - - - - - - - Don't configure Windows installer to use PID file since it is not - removed when the service stops which prevents the service from starting. - (markt) - - - 14416: Make TagLibraryInfo.getTag() more robust - at handling nulls. 
(markt) - - - 50552: Avoid NPE that hides error message when using Ant - tasks. (schultz) - - - Provide two alternative locations for the libraries downloaded from - the ASF web site at build time. Use the main distribution site as - default and the archive one as fallback. (kkolinko) - - - -
-
- - - - Update to Commons Daemon 1.0.4. (mturk) - - - - - - - 3839: Provide a mechanism to gracefully handle the case where - users book-mark the form login page or otherwise misuse the FORM - authentication process. Based on a suggestion by Mark Morris. (markt) - - - 49180: Add option to disable log rotation in - juli FileHandler. Patch provided by Pid (pidster at apache). (funkman) - - - 49991: Ensure servlet request listeners are fired for - the login and error pages during FORM authentication. (markt) - - - 50107: When removing a Host via JMX, do not attempt to - destroy the host's pipeline twice. Patch provided by Eiji - Takahashi. (markt) - - - 50138: Fix threading issues in - org.apache.catalina.security.SecurityUtil. (markt) - - - 50157: Ensure MapperListener is only added to a container - object once. (markt) - - - 50159: Add a new attribute for <Resource> - elements, singleton, that controls whether or not a new - object is created every time a JNDI lookup is performed to obtain the - resource. The default value is true, which will return the - same instance of the resource in every JNDI lookup. (markt) - - - 50168: Separate the Lifecycle.DESTROY_EVENT into - Lifecycle.BEFORE_DESTROY_EVENT and - Lifecycle.AFTER_DESTROY_EVENT. Use the additional state to - ensure that Context objects are only destroyed once. - (markt) - - - 50169: Ensure that when a Container is started that it - doesn't try and register with the mapper unless its parent has - already started. Patch provided by Eiji Takahashi. (markt) - - - 50222: Modify memory leak prevention code so it pins the - system class loader in memory rather than than the common class loader, - which is better for embedded systems. Patch provided by Christopher - Schultz. (markt) - - - Improve debug logging for MapperListener registration. (markt) - - - Expose names of LifecycleListeners and ContainerListeners for - StandardContext via JMX. 
(markt) - - - Add a new option, resourceOnlyServlets, to Context elements - that provides a mechanism for working around the issues caused by new - requirements for welcome file mapping introduced in Servlet 3.0. By - default, the existing Tomcat 6.0.x welcome file handling is used. - (markt) - - - Make Tomcat more tolerant of null when generating JMX names - for Valves. (markt) - - - Make AccessLogValve attribute enabled changeable via JMX. - (pero) - - - Correct infinite loop if ServletRequest.startAsync(ServletRequest, - ServletResponse) was called. (markt) - - - 50232: Remove dependency between StoreBase and - PersistentManager and associated code clean-up. Patch provided by - Tiago Batista. (markt) - - - 50252: Prevent ClassCastException when using a - <ResourceLink>. Patch provided by Eiji Takahashi. (markt) - - - Reduce synchronization in session managers to improve performance of - session creation. (markt) - - - If starting children automatically when adding them to a container (e.g. - when adding a Context to a Host) don't lock the parent's set - of children whilst the new child is being started since this can block - other threads and cause issues such as lost cluster messages. (markt) - - - Implement support for parallel deployment. This allows multiple versions - of the same web application to be deployed to the same context path at - the same time. Users without a current session will be mapped to the - latest version of the web application. Users with a current session will - continue to use the version of the web application with which the - session is associated until the session expires. (markt) - - - 50308: Allow asynchronous request processing to call - AsyncContext.dispatch() once the asynchronous request has - timed out. (markt) - - - Make memory leak prevention code that clears ThreadLocal instances more - robust against objects with toString() methods that throw exceptions. 
- (markt) - - - - - - - 49860: Complete support for handling trailing headers in - chunked HTTP requests. (markt) - - - Impose a limit on the length of the trailing headers. The limit - is configurable with a system property and is 8192 - by default. (kkolinko) - - - 50207: Ensure Comet timeout events are triggered. This bug - was a regression triggered by the fix for 49884. (markt) - - - - - - - 49297: Enforce the rules in the JSP specification for parsing - the attributes of custom and standard actions that require that - the attribute names are unique within an element and that there is - whitespace before the attribute name. The whitespace test can be - disabled by setting the system property - org.apache.jasper.compiler.Parser.STRICT_WHITESPACE to - false. Attributes of the page directive have slightly - different rules. The implementation of that part of the fix is based on - a patch by genspring. (markt) - - - 50105: When processing composite EL expressions use - Enum.name() rather than Enum.toString() as - required by the EL specification. (markt) - - - Fix minor thread-safety and performance issues in the implementation - of maxLoadedJsps. (rjung) - - - Add support for unloading JSPs that have not been requested for a - long time using the new parameter jspIdleTimeout. (rjung) - - - Add logging and JMX support to JSP unloading. (rjung) - - - 50192: Improve performance for EL when running under a - security manager. Based on a patch by Robert Goff. (markt) - - - 50228: Improve recycling of BodyContentImpl. - This avoids keeping a cached reference to a webapp-provided Writer - used in JspFragment.invoke() calls. (kkolinko) - - - 50273: Provide a workaround for an HP-UX issue that can - result in large numbers of SEVERE log messages appearing in the logs as - a result of normal operation. (markt) - - - 50293: Increase the size of internal ELResolver array from 2 - to 8 since in typical usage there are at least 5 resolvers. Based on a - patch by Robert Goff. 
(markt) - - - - - - - Add support for maxActiveSessions attribute to BackupManager. (kfujino) - - - Improve sending an access message in DeltaManager. - maxInactiveInterval of not Manager but the session is used. - If maxInactiveInterval is negative, an access message is not sending. - (kfujino) - - - 50183: BIO sender was not scheduling tasks to the executor - during normal operation. Patch provided by Ariel. (markt) - - - 50184: Add an option to the RpcChannel to enable the Channel - send options to be set for the reply message. Based on a patch by Ariel. - (markt) - - - Ensure that a new Context waiting for session data from other nodes in - the cluster does not block the processing of clustering messages for - other Contexts. (markt) - - - - - - - 49426: Localize messages in the Manager application based on - the Locale of the user rather than the default Locale of the server. - (markt) - - - Localize messages in the Host Manager application based on the Locale of - the user rather than the default Locale of the server. (markt) - - - 50242: Provide a sample log4j configuration that more - closely matches the default JULI configuration. Patch provided by - Christopher Schultz. (markt) - - - Restore the ability to edit the contents of /WEB-INF and /META-INF via - WebDAV via the provision of a new configuration option, - allowSpecialPaths. (markt) - - - Correct broken links for on-line JavaDocs. (markt) - - - 50230: Add new DistributedManager interface that is - implemented by the Backup Manager to remove circular dependency between - tomcat-catalina-ha and tomcat-catalina modules. Also allows third-party - distributed Manager implementations to report full session information - through the HTML Manager. (markt) - - - Improve Tomcat Logging documentation. (kkolinko) - - - 50303: Update JNDI how-to to reflect the new JavaMail - download location and that JAF is now included in Java SE 6. 
(markt) - - - Fix ordering functionality on sessions page for the HTML Manager - application. (markt) - - - Fix primary sessions not always being treated as such in the HTML - Manager application. (markt) - - - Fix message not being displayed after session attribute removal in the - HTML Manager application. (markt) - - - 50310: Fix display of Servlet information in the Manager - application. (markt) - - - CVE-2010-4172: Multiple XSS in the Manager application. (markt/kkolinko) - - - 50316: Fix display of negative values in the Manager - application. (kkolinko) - - - 50318: Avoid NPE when trying to view session detail for an - expired session in the Manager application. (markt) - - - - - - - Correct a handful of Javadoc warnings. (markt) - - - 22965: Fix some typos and formatting issues in the global - web.xml file. Based on a patch by Yann Cébron. (markt) - - - Extend Checkstyle validation checks to check for unused imports. (markt) - - - General code clean-up to reduce (not eliminate) the number of warnings - reported by IDEs. (markt) - - - 50140: Don't ignore a user specified installation - directory when performing a silent install with the Windows installer on - 64-bit platforms. (markt) - - - Reimplemented Windows installer dialogs, using modern libraries - (nsDialogs, MUI2). (kkolinko) - - - When installing with the Windows installer on 64-bit platforms, allow - the user to select either a 32-bit JDK or a 64-bit JDK. If a 32-bit JDK - is selected, the 32-bit service wrapper and the 32-bit native DLL will - be installed. If a 64-bit JDK is selected, the 64-bit service wrapper - and the 64-bit native DLL will be installed. (markt/kkolinko) - - - Create Windows shortcuts for the Manager and Host Manager webapps. - (kkolinko) - - - Support /? command line option in the Windows Installer. (kkolinko) - - - Display and allow to change roles for the Tomcat admin user in the - Windows installer. 
(kkolinko) - - - In the Windows installer: do not leave stale server.xml - and tomcat-users.xml fragments in the $TEMP folder. - (kkolinko) - - - 49819: Redesign of home page by Pid (pidster at apache). - (timw) - - - -
-
- - - - 49428: Re-implement the fix for bug 49428 – - namespace issues for some Microsoft WebDAV clients. (kkolinko) - - - 49669: Fix memory leak triggered by using the deprecated - javax.security.auth.Policy class. (markt) - - - 49922: Don't add filter twice to filter chain if the - filter matches more than one URL pattern and/or Servlet name. Patch - provided by heyoulin. (markt) - - - 49937: Use an InstanceManager when creating an AsyncListener - through the AsyncContext to ensure annotations are processed. Based on a - patch by David Jencks. (markt) - - - To avoid NoSuchMethodException, xmlValidation and xmlNamespaceAware are - removed from the createStandardHost definition - of mbeans-descriptors.xml. (kfujino) - - - 49945: Continue improvements to JMX. Fix a handful of - attributes that were showing as Unavailable in JConsole. Patch provided - by Chamith Buddhika. (markt) - - - 49952: Allow ServletContainerInitializers to add listeners to - a web application. Patch provided by David Jencks. (markt) - - - 49956: Handle case when @Resource annotation uses the full - JNDI name for a resource. Based on a patch by Gurkan Erdogdu. (markt) - - - 49557: Correct regression due to Lifecycle refactoring that - cleared all work directories (with compiled JSPs and persisted sessions) - when Tomcat was stopped. (markt) - - - 49978: Correctly handle the case when a directory expected - to be created during web application start is already present. Rather - than throwing an exception and failing to start, allow the web - application to start normally. (markt) - - - 49987: Fix thread safety issue with population of servlet - context initialization parameters. (markt) - - - 49994: As per the Java EE 6 specification, return a new - object instance for each JNDI look up of a resource reference. (markt) - - - 50015: Re-factor dynamic servlet security implementation to - make extensions, such as JACC implementations, simpler. Patch provided - by David Jencks. 
(markt) - - - 50016: Re-factor isUserInRole() and - login()/logout() methods to support JACC implementations - and to improve encapsulation. Patch provided by David Jencks. (markt) - - - 50017: Code clean-up. No functional change. Patch provided by - sebb. (markt) - - - 50027: Avoid NPE on start when a Context is defined in - server.xml with one or more JNDI resources. (markt) - - - 50059: JARs should always be searched for static resources - even if the web application is marked as meta-data complete. (markt) - - - 50063: Correct regression in fix for 50059 that - causes applications marked as meta-data complete to return 404s for all - requests. Patch provided by heyoulin. (markt) - - - 50087: Catch ClassFormatErrors when scanning for annotations. - (markt) - - - - - - - 49923: Avoid using negative timeouts during acceptor unlock - to ensure APR connector shuts down properly. (mturk) - - - 49972: Fix potential thread safe issue when formatting dates - for use in HTTP headers. (markt) - - - 50003: Set not maxThreads but minSpareThreads to - corePoolSize, if AbstractEndpoint.setMinSpareThreads is called. - (kfujino) - - - 50044: Fix issue when using comet where socket remained in - long poll after the comet request has ended. (markt) - - - 50054: Correctly handle the setting of minSpareThreads in - AJP connector. (kfujino) - - - 50072: Fix issues when using a non-blocking read for the - request line with the NIO connector that could result in the request - line being mis-read. (markt) - - - - - - - 49986: Fix thread safety issue for JSP reload. (timw) - - - 49998: Make jsp:root detection work with single quoted - attributes as well. (timw) - - - Correctly handle the setting of primitive bean values via expression - language. (markt) - - - Don't swallow exceptions when processing TLD files and handle the - case when there is no web.xml file. (markt) - - - 50066: Fix building of recursive tag files when the file - depends on a JAR file. 
Patch provided by Sylvain Laurent. (markt) - - - 50078: Fix threading problem in EL caches. Patch provided by - Takayoshi Kimura. (markt) - - - Make EL cache sizes configurable. (markt) - - - - - - - Apply filters to default home page so copyright year is correctly - displayed. (markt) - - - - - - - 48716: Do not call reset if the default LogManager is in use. - (markt) - - - 50013: Correctly package classes from - org.apache.tomcat.util.file and add the tomcat-util.jar to - the class path for the Ant tasks. Based on a patch provided by - Sylvain Laurent. (markt) - - - -
-
- - - - 48644: Review all instances of catching Throwable and - re-throw where appropriate. (markt) - - - Allow glob patterns in the jarsToSkip configuration and add - some debug logging to the jar scanner. (rjung) - - - 48738: Workaround a couple of long standing JDK bugs to - enable GZIP compressed output streams to be flushed. Based on a patch - provided by Jiong Wang. (markt) - - - 48967: Replace strings "catalina.base" and "catalina.home" - by globally defined constants. Patch provided by Marc Guillemot. (rjung) - - - 49195: Don't report an error when shutting down a Windows - service for a Tomcat instance that has a disabled shutdown port. (markt) - - - 49209: Prevent possible AccessControlException during - undeployment when running with a security manager. Patch provided by - Sylvain Laurent. (markt) - - - 49657: Handle CGI executables with spaces in the path. - (markt) - - - 49667: Ensure that using the JDBC driver memory leak - prevention code does not cause a one of the memory leaks it is meant to - avoid. (markt) - - - 49670: Restore SSO functionality that was broken by Lifecycle - refactoring. (markt) - - - 49698: Allow a listener to complete an asynchronous request - if it times out. (markt) - - - 49714: The annotation process of Jar doesn't influence - distributable element of web.xml. (kfujino) - - - 49721: Alls JAR in a web application should be searched for - resources, not just those with a web-fragment.xml that is going to be - processed. (markt) - - - 49728: Improve PID file handling when another process is - managing the PID file and Tomcat does not have write access. (markt) - - - 49730: Fix a race condition in StandardThreadExector that can - cause requests to experience large delays. Patch provided by Sylvain - Laurent. (markt) - - - 49749: Single sign on cookies should have httpOnly flag set - using same rules as session cookies. 
(markt) - - - 49750: Align WebappClassLoader.validate() - implementation with Javadoc and ensure that javax.servlet.* - classes can not be loaded by a WebappClassLoader instance. - Patch provided by pid. (markt) - - - 49757: Correct some generics warnings. Based on a patch - provided by Gábor. (markt) - - - 49779: Improve handling of POST requests and FORM - authentication, particularly when the user agent responds to the 302 - response by repeating the POST request including a request body. Any - request body provided at this point is now swallowed. (markt) - - - CSRF prevention filter did not correctly handle URLs that used anchors. - (markt) - - - Fix memory leak on web application stopped caused by failed to - de-register the web application's Servlets with the MBean server. - (markt) - - - More tweaks to the Lifecycle refactoring to ensure that when a component - is being destroyed, the destroy method is only called once on each - child component. (markt) - - - Keep the MBean names for web applications consistent between Tomcat 6 - and Tomcat 7. (markt) - - - 49856: Add an executorName attribute to Connectors so it is - possible to trace ThreadPool to Connector to Executor via the JMX - interface. (markt) - - - 49865: Tomcat failed to start if catalina.properties was not - present. (markt) - - - 49876: Fix the generics warnings in the copied Apache Jakarta - BCEL code. Based on a patch by Gábor. (markt) - - - 49883: Ensure that the CombinedRealm and LockOutRealm return - a name for use in log messages rather than throwing an - UnsupportedOperationException. (markt) - - - 49884: Fix occassional NullPointerException on async - complete(). This resulted in a major refactoring of the async - implementation to address a number of threading issues. (markt) - - - Update the version numbers in ServerInfo defaults to Tomcat 7.0.x. - (markt) - - - 49892: Correct JNDI name for method resource injections. - Based on a patch by Gurkan Erdogdu. 
(markt) - - - Ensure that Context elements defined in server.xml use any configClass - setting specified in the parent Host element. (markt) - - - GSOC 2010. Enable the creation of Services, Engines, Connectors, Hosts - and Contexts via JMX from a minimal server.xml that contains only a - Server element. Based on a patch by Chamith Buddhika. (markt) - - - 49909: Fix a regression introduced with the fix for - 47950 that prevented JSTL classes being loaded. (markt) - - - 49915: Make error more obvious, particularly when accessed - via JConsole, if StandardServer.storeConfig() is called when there is - no StoreConfig implementation present. (markt) - - - 50018: Fix some minor Javadoc errors in Jasper source. - Based on a patch by sebb. (timw) - - - 50021: Correct a regression in the fix for 46844 - that may have caused additional problems during a failure at start up. - (markt) - - - 50026: Prevent serving of resources from WEB-INF and - META-INF directories when DefaultServlet or WebdavServlet is mapped - to a sub-path of the context. This changes DefaultServlet to always - serve resources with paths relative to the root of the context - regardless of where it is mapped, which is a breaking change for - current servlet-mappings that map the default servlet to a subpath. - (timw) - - - 50689: Provide 100 Continue responses at appropriate points - during FORM authentication if client indicates that they are expected. - (markt) - - - - - - - Wait for the connectors to exit before closing them down. (mturk) - - - Follow up to 48545. Make JSSE connectors more tolerant of a - incorrect trust store password. (markt) - - - Fix some edge cases in the NIO connector when handling requests that are - not received all at the same time and the socket needs to be returned to - the poller. (markt) - - - Further work to reduce the code duplication in the HTTP connectors. - (markt) - - - Make sure acceptor threads are stopped when the connector is stopped. 
- (markt) - - - Make sure async timeout thread is stopped when the connector is stopped. - (markt) - - - 49625: Ensure Vary header is set if response may be - compressed rather than only setting it if it is compressed. (markt) - - - 49802: Re-factor connector pause, stop and destroy methods so - that calling any of those methods has the expected results. (markt) - - - Various refactorings to reduce code duplication and unnecessary code in - the connectors. (markt) - - - 49860: Add partial support for trailing headers in chunked - HTTP requests. (markt) - - - - - - - 49665: Provide better information including JSP file name and - location when a missing file is detected during TLD handling. Patch - provided by Ted Leung. (markt) - - - 49726: Specifying a default content type via a JSP property - group should not prevent a page from setting some other content type. - (markt) - - - 49799: The new omit attribute for - jsp:attribute elements now supports the use of expressions - and expression language. (markt) - - - 49916: Switch to using an initialisation parameter to pass - JSP file information from Catalina to Jasper. This simplifies the - Catalina code as well as making it easier for Geronimo and others to - integrate Jasper. Patch provided by David Jencks. (markt) - - - 49985: Fix thread safety issue in EL parser. (markt) - - - - - - - Remove domainReplication attribute from ClusterManager. - If you send session to only same domain, use DomainFilterInterceptor. - (kfujino) - - - Add Null check when CHANGE_SESSION_ID message received. (kfujino) - - - Add support for LAST_ACCESS_AT_START system property to DeltaSession. - (kfujino) - - - Avoid a NPE in the DeltaManager when a parallel request invalidates the - session before the current request has a chance to send the replication - message. (markt) - - - 49905: Prevent memory leak when using asynchronous session - replication. 
(markt) - - - 49924: When non-primary node changes into a primary node, - make sure isPrimarySession is changed to true. (kfujino) - - - - - - - Correct the class name of the default JAR scanner in the documentation - web application. (rjung) - - - 49585: Update JSVC documentation to reflect new packaging - of Commons Daemon. (markt) - - - Update the Servlet, JSP and EL Javadoc links to link to the - specifications and the relevant part of the Java EE 6 Javadoc. (markt) - - - Update a few places in the docs where the Manager documentation referred - to the old role name of manager rather than than the new manager-script. - (markt) - - - - - - - 49861: Don't log RMI ports formatted with commas for the - JMX remote listener. (markt) - - - - - - - Correct the user names created by the Windows installer for the Manager - and Host Manager applications. (mturk) - - - Correct the Eclipse compiler dependency in the Jasper POM. (markt) - - - Extend Checkstyle validation checks to check import order. (markt) - - - 49758: Fix generics warnings exposed by a fix in Eclipse 3.6. - Patch provided by sebb. (markt) - - - Update commons pool to 1.5.5. (markt) - - - 49955: Improvement and correction of Building Tomcat guide. - Based on a patch from Wesley Acheson. (timw) - - - -
-
- - - - Fix regression that prevented running with a security manager enabled. - (markt) - - - - - - - Correct Javadoc errors. (markt) - - - Provide Javadoc for Servlet 3.0 API, JSP 2.2 API and EL 2.2 API. - (markt) - - - Remove second copy of RUNNING.txt from the full-docs distribution. Some - unpacking utilities can't handle multiple copies of a file with the same - name in a directory. (markt) - - - - - - - Extend Checkstyle validation checks to check for tabs in nearly all text - files. (markt) - - - Update Commons Daemon from 1.0.2 to 1.0.3.(markt) - - - Update Eclipse JDT Core Batch Compiler (ecj.jar) from 3.5.1 to 3.6. - (markt) - - - -
-
- - - - GSOC 2010. Continue work to align MBean descriptors with reality. Patch - provided by Chamith Buddhika. (markt) - - - When running under a security manager, enforce package access and - package definition restrictions defined in the catalina.properties file. - (markt) - - - When using a Loader configured with - searchExternalFirst="true" failure to find the - class in an external repository should not prevent searching of the - local repositories. (markt) - - - Add entryPoint support to the CSRF prevention filter. (markt) - - - 48297: Correctly initialise handler chain for web services - resources. (markt) - - - 48960: Add a new option to the SSI Servlet and SSI Filter to - allow the disabling of the exec command. This is now - disabled by default. Based on a patch by Yair Lenga. (markt) - - - 48998, 49617: Add the ExpiresFilter, a port of the - httpd mod_expires module. Patch provided by Cyrille Le Clerc. (markt) - - - 49030: When initializing/starting/stopping connectors and - one of them fails, do not ignore the others. (markt/kkolinko) - - - 49128: Don't swallow exceptions unnecessarily in - WebappClassLoader.start(). (markt) - - - 49182: Align comments in setclasspath.[sh|bat] with - behaviour. Based on a patch provided by sebb. (markt) - - - 49230: Enhance JRE leak prevention listener with protection - for the keep-alive thread started by - sun.net.www.http.HttpClient. Based on a patch provided by - Rob Kooper. (markt) - - - 49414: When reporting threads that may have triggered a - memory leak on web application stop, attempt to differentiate between - request processing threads and threads started by the application. - (markt) - - - 49428: Add a work-around for the known namespace issues for - some Microsoft WebDAV clients. Patch provided by Panagiotis Astithas. - (markt) - - - Add support for *.jar pattern in VirtualWebappLoader. 
- (kkolinko) - - - Use a LockOutRealm in the default configuration to prevent attempts to - guess user passwords by brute-force. (markt) - - - 49478: Add support for user specified character sets to the - AddDefaultCharsetFilter. Based on a patch by Felix - Schumacher. (markt) - - - 49503: Make sure connectors bind to their associated ports - sufficiently early to allow jsvc and the - org.apache.catalina.startup.EXIT_ON_INIT_FAILURE system property to - operate correctly. (markt) - - - 49525: Ensure cookies for the ROOT context have a path of / - rather than an empty string. (markt) - - - 49528, 49567: Ensure that - AsyncContext.isAsyncStarted() returns the correct value - after AsyncContext.start() and that if - AsyncContext.complete() is called on a separate thread that - it is handled correctly. (markt) - - - 49530: Contexts and Servlets not stopped when Tomcat is shut - down. (markt) - - - 49536: If no ROOT context is deployed, ensure a 404 rather - than a 200 is returned for requests that don't map to any other context. - (markt) - - - Additional debug logging in StandardContext to provide information on - Manager selection. (markt) - - - 49550: Supress deprecation warning where deprecated code is - required to be used. No functional change. Patch provided by Sebb. - (markt) - - - 49551: Allow default context.xml location to be specified - using an absolute path. (markt) - - - Improve logging of unhandled exceptions in servlets by including the - path of the context where the error occurred. (markt) - - - Include session ID in error message logged when trying to set an - attribute on an invalid session. (markt) - - - Improve the CSRF protection filter by using SecureRandom rather than - Random to generate nonces. Also make the implementation class used user - configurable. (markt) - - - Avoid NullPointerException, when copyXML=true and META-INF/context.xml - does not exist. 
(kfujino) - - - 49598: When session is changed and the session cookie is - replaced, ensure that the new Set-Cookie header overwrites the old - Set-Cookie header. (markt) - - - Create a thread to trigger asynchronous timeouts when using the BIO - connector, change the default timeout to 10s (was infinite) and make the - default timeout configurable using the asyncTimeout - attribute on the connector. (pero/markt) - - - 49600: Make exceptions returned by the - ProxyDirContext consistent for resources that weren't found - by checking the DirContext or the cache. Test case based on - a patch provided by Marc Guillemot. (markt) - - - 49613: Improve performance when using SSL for applications - that make multiple class to Request.getAttributeNames(). - Patch provided by Sampo Savolainen. (markt) - - - Handle the edge cases where resources packaged in JARs have names that - start with a single quote character or a double quote character. (markt) - - - Correct copy and paste typo in web.xml parsing rules that mixed up - local-ejb-ref and resource-env-ref. (markt) - - - Refactor session managers to remove unused code and to reduce code - duplication. Also, all session managers used for session replication now - extend org.apache.catalina.ha.session.ClusterManagerBase. - (markt) - - - - - - - Remove references to Jikes since it does not support Java 6. (markt) - - - Correct over zealous type checking for EL in attributes that broke the - use of JSF converters. (markt) - - - Correct algorithm used to identify correct method to use when a - MethodExpressions is used in EL. (markt) - - - 49217: Ensure that identifiers used in EL meet the - requirements of the Java Language Specification. (markt) - - - Improve logging of JSP exceptions by including JSP snippet (if enabled) - rather than just the root cause in the host log. (markt) - - - 49555: Correctly handled Tag Libraries where functions are - defined in static inner classes. 
(markt) - - - - - - - 49127: Don't swallow exceptions unnecessarily in - SimpleTcpReplicationManager.startInternal(). (markt) - - - 49407: Change the BackupManager so it is consistent with - DeltaManager and reports both primary and backup sessions when active - sessions are requested. (markt) - - - 49445: When session ID is changed after authentication, - ensure the DeltaManager replicates the change in ID to the other nodes - in the cluster. (kfujino) - - - - - - - 49112: Update the ROOT web application's index page. Patch - provided by pid. (markt) - - - 49213: Add the permissions necessary to enable the Manager - application to operate currently when running with a security manager. - (markt) - - - 49436: Correct documented default for readonly attribute of - the UserDatabase component. (markt) - - - 49475: Use new role name for manager application access on - the ROOT web application's index page. (markt) - - - 49476: CSRF protection was preventing access to the session - expiration features. Also switch the manager application to the generic - CSRF protection filter. (markt) - - - Better handle failure to create directories required for new hosts in - the Host Manager application. (markt) - - - Switch the Host Manager application to the generic CSRF protection for - the HTML interface and prevent started hosts from being started and - stopped hosts from being stopped. (markt) - - - 49518: Fix typo in extras documentation. (markt) - - - 49522: Fix regression due to change of name for MBeans for - naming resources that broke the complete server status page in the - manager application. Note these MBeans now have a new name. (markt) - - - 49570: When using the example compression filter, set the - Vary header on compressed responses. (markt) - - - Add redirects for the root of the manager and host-manager web - applications that redirect users to the html interface rather than - returning a 404. 
(markt) - - - Provide the HTML Manager application with the ability to differentiate - between primary, backup and proxy sessions. Note that proxy sessions are - only shown if enabled in web.xml. (markt) - - - - - - - 49130: Better describe the core package in the Windows - installer, making it clear that the service will be installed. Patch - provided by sebb. (markt) - - - Re-factor unit tests to enable them to be run once with each of the HTTP - connector implementations (BIO, NIO and APR/native). (markt) - - - 49268: Add the necessary plumbing to include CheckStyle in - the build process. Start with no checks. Additional checks will be - added as they are agreed. (markt) - - - Updated to Ant 1.8.1. The build now requires a minimum of Ant 1.8.x. - (markt) - - - Update the re-packaged version of commons-fileupload from 1.2.1 to - 1.2.2. The layout of re-packaged version was also restored to the - original commons-fileupload layout to make merging of future updates - easier. (markt) - - - Update the re-packaged version of Jakarta BCEL from trunk revision - 880760 to trunk revision 978831. (markt) - - - -
-
- - - - Update Servlet support to the Servlet 3.0 specification. (all) - - - Improve and document VirtualWebappLoader. (rjung) - - - 43642: Add prestartminSpareThreads attribute for Executor. - (jfclere) - - - Switch from AnnotationProcessor to InstanceManager. Patch provided by - David Jecks with modifications by Remy. (remm/fhanik) - - - 620845 and 669119. Make shutdown address - configurable. (jfclere) - - - 651977 Add some missing control checks to - ThreadWithAttributes. (markt) - - - 677640 Add a startup class that does not require any - configuration files. (costin) - - - 700532 Log if temporary file operations within the CGI - servlet fail. Make sure header Reader is closed on failure. (markt) - - - 708541 Delete references to DefaultContext which was removed - in 6.0.x. (markt) - - - 709018 Initial implementation of an asynchronous file handler - for JULI. (fhanik) - - - Give session thisAccessedTime and lastAccessedTime clear semantics. - (rjung) - - - Expose thisAccessedTime via Session interface. (rjung) - - - Provide a log format for JULI that provides the same information as the - default but on a single line. (markt) - - - 723889 Provide the ability to configure the Executor job - queue size and a timeout for adding jobs to the queue. (fhanik) - - - Add support for aliases to StandardContext. This allows content from - other directories and/or WAR files to be mapped to paths within the - context. (markt) - - - Provide clearer definition of Lifecycle interface, particularly start - and stop, and align components that implement Lifecycle with this - definition. (markt) - - - 48662: Provide a new option to control the copying of context - XML descriptors from web applications to the host's xmlBase. Copying of - XMl descriptors is now disabled by default. (markt) - - - Move comet classes from the org.apache.catalina package to the - org.apache.catalina.comet package to allow comet to work under a - security manager. 
(markt) - - - - - - - Port SSLInsecureRenegotiation from mod_ssl. This requires - to use tomcat-native 1.2.21 that have option to detect this - support from OpenSSL library. (mturk) - - - Allow bigger AJP packets also for request bodies and responses - using the packetSize attribute of the Connector. (rjung) - - 703017 Make Java socket options consistent between NIO - and JIO connector. Expose all the socket options available on - java.net.Socket (fhanik) - - - 46051: The writer returned by getWriter() now - conforms to the PrintWriter specification and uses platform - dependent line endings rather than always using \r\n. - (markt) - - - Use tc-native 1.2.x which is based on APR 1.3.3+ (mturk) - - - 724239 NIO connector now always uses an Executor. (fhanik) - - - 724393 Implement keepAliveCount for NIO connector in a thread - safe manner. (fhanik) - - - 724849 Implement keep alive timeout for NIO connector. - (fhanik) - - - - - - - Update JSP support to the JSP 2.2 specification. (markt) - - - Update EL support to the EL 2.2 specification. (markt) - - - 787978 Use "1.6" as the default value for compilerSourceVM - and compilerTargetVM options of Jasper. (kkolinko) - - - 48358: Add support for limiting the number of JSPs that are - loaded at any one time. Based on a patch by Isabel Drost. (markt) - - - 48689: Access TLD files through a new JarResource interface - to make extending Jasper simpler, particularly in OSGi environments. - Patch provided by Jarek Gawor. (markt) - - - - - - - Add support for UDP and secure communication to tribes. (fhanik) - - - Add versioning to the tribes communication protocol to support future - developments. (fhanik) - - - Add a demo on how to use the payload. (fhanik) - - - Started to add JMX support to the cluster implementation. (markt) - - - 609778 Minor fixes to the throughput interceptor and the - NIO receiver. (fhanik) - - - 630234 Additional checks for the NIO receiver. 
(fhanik) - - - 671650 Improve error message when multicast is not enabled. - (fhanik) - - - - - - - 631321 Update changelog to support the <rev> element - in the documentation. (fhanik) - - - A number of additional roles were added to the Manager and Host Manager - applications to separate out permissions for the HTML interface, the - text interface and the JMX proxy. (markt) - - - CSRF protection was added to the Manager and Host Manager applications. - (markt) - - - List array elements in the JMX proxy output of the Manager application. - (rjung) - - - - - - - A new JmxRemoteLifecycleListener that can be used to fix the ports used - for remote JMX connections, eg when using JConsole. (markt) - - - - - - - Numerous code clean-up changes including the use of generics and - removing unused imports, fields, parameters and methods. (markt) - - - All deprecated internal code has been removed. Warning: If you - have custom components for a previous Tomcat version that extend - internal Tomcat classes and override deprecated methods it is highly - likely that they will no longer work. (markt) - - - Parameterize version number throughout build scripts and source. (rjung) - - - +
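Review bot: The block removed by the second hunk contains security-relevant records, and the hunk leaves no pointer to where a reader of this file can find them afterwards. Examples are "CVE-2010-4172: Multiple XSS in the Manager application", the 50026 change that stops DefaultServlet and WebdavServlet serving resources from WEB-INF and META-INF, and 48960 disabling the SSI exec command by default. The comment added at the top of the hunk only says that changes not back-ported to 7.0.x should be listed here. Consider extending it with a sentence that says where the 7.0.x entries are kept, so that someone checking whether a given fix applies can still trace it from this file. The commit message "Prep the changelog" would also be easier to audit if it stated that the removal of the whole history is intentional.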