This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit 83f5c5c2162704d755e5e5bca66a36ba2d71e20d Author: juanpablo <[email protected]> AuthorDate: Sun Sep 30 01:46:04 2018 +0200 switch to servlet 3.1 - jsp 2.3 - updating portable build (I): update tomcat files to 8.5 --- .../src/overlay/tomcat/conf/catalina.properties | 123 +++++++++++++---- .../src/overlay/tomcat/conf/server.xml | 27 ++-- jspwiki-portable/src/overlay/tomcat/conf/web.xml | 150 ++++++++++++++++----- 3 files changed, 229 insertions(+), 71 deletions(-) diff --git a/jspwiki-portable/src/overlay/tomcat/conf/catalina.properties b/jspwiki-portable/src/overlay/tomcat/conf/catalina.properties index f8bff1d..d1ef1c2 100644 --- a/jspwiki-portable/src/overlay/tomcat/conf/catalina.properties +++ b/jspwiki-portable/src/overlay/tomcat/conf/catalina.properties @@ -19,7 +19,7 @@ # passed to checkPackageAccess unless the # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. -package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper. +package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,org.apache.tomcat. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when @@ -30,7 +30,8 @@ package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,o # by default, no packages are restricted for definition, and none of # the class loaders supplied with the JDK call checkPackageDefinition. # -package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper. +package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\ +org.apache.jasper.,org.apache.naming.,org.apache.tomcat. # # 
@@ -89,31 +90,105 @@ shared.loader= # - Tomcat JARs # - Common non-Tomcat JARs # - Test JARs (JUnit, Cobertura and dependencies) -tomcat.util.scan.DefaultJarScanner.jarsToSkip=\ -bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\ -annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\ -catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\ -jasper.jar,jasper-el.jar,ecj-*.jar,\ -tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\ -tomcat-jni.jar,tomcat-spdy.jar,\ -tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\ -tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\ +tomcat.util.scan.StandardJarScanFilter.jarsToSkip=\ +annotations-api.jar,\ +ant-junit*.jar,\ +ant-launcher.jar,\ +ant.jar,\ +asm-*.jar,\ +aspectj*.jar,\ +bootstrap.jar,\ +catalina-ant.jar,\ +catalina-ha.jar,\ +catalina-jmx-remote.jar,\ +catalina-storeconfig.jar,\ +catalina-tribes.jar,\ +catalina-ws.jar,\ +catalina.jar,\ +cglib-*.jar,\ +cobertura-*.jar,\ +commons-beanutils*.jar,\ +commons-codec*.jar,\ +commons-collections*.jar,\ +commons-daemon.jar,\ +commons-dbcp*.jar,\ +commons-digester*.jar,\ +commons-fileupload*.jar,\ +commons-httpclient*.jar,\ +commons-io*.jar,\ +commons-lang*.jar,\ +commons-logging*.jar,\ +commons-math*.jar,\ +commons-pool*.jar,\ +dom4j-*.jar,\ +easymock-*.jar,\ +ecj-*.jar,\ +el-api.jar,\ +geronimo-spec-jaxrpc*.jar,\ +h2*.jar,\ +hamcrest-*.jar,\ +hibernate*.jar,\ +httpclient*.jar,\ +icu4j-*.jar,\ +jasper-el.jar,\ +jasper.jar,\ +jaspic-api.jar,\ +jaxb-*.jar,\ +jaxen-*.jar,\ +jdom-*.jar,\ +jetty-*.jar,\ +jmx-tools.jar,\ +jmx.jar,\ +jsp-api.jar,\ +jstl.jar,\ +jta*.jar,\ +junit-*.jar,\ +junit.jar,\ +log4j*.jar,\ +mail*.jar,\ +objenesis-*.jar,\ +oraclepki.jar,\ +oro-*.jar,\ +servlet-api-*.jar,\ +servlet-api.jar,\ +slf4j*.jar,\ +taglibs-standard-spec-*.jar,\ +tagsoup-*.jar,\ +tomcat-api.jar,\ +tomcat-coyote.jar,\ +tomcat-dbcp.jar,\ +tomcat-i18n-en.jar,\ +tomcat-i18n-es.jar,\ 
+tomcat-i18n-fr.jar,\ +tomcat-i18n-ja.jar,\ +tomcat-i18n-ru.jar,\ tomcat-jdbc.jar,\ +tomcat-jni.jar,\ +tomcat-juli-adapters.jar,\ +tomcat-juli.jar,\ +tomcat-util-scan.jar,\ +tomcat-util.jar,\ +tomcat-websocket.jar,\ tools.jar,\ -commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\ -commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\ -commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\ -commons-math*.jar,commons-pool*.jar,\ -jstl.jar,\ -geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\ -ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\ -jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\ -xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\ -junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\ -cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\ -jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\ +websocket-api.jar,\ +wsdl4j*.jar,\ +xercesImpl.jar,\ +xml-apis.jar,\ +xmlParserAPIs-*.jar,\ +xmlParserAPIs.jar,\ xom-*.jar +# Default list of JAR files that should be scanned that overrides the default +# jarsToSkip list above. This is typically used to include a specific JAR that +# has been excluded by a broad file name pattern in the jarsToSkip list. +# The list of JARs to scan may be over-ridden at a Context level for individual +# scan types by configuring a JarScanner with a nested JarScanFilter. +tomcat.util.scan.StandardJarScanFilter.jarsToScan=\ +log4j-taglib*.jar,\ +log4j-web*.jar,\ +log4javascript*.jar,\ +slf4j-taglib*.jar + # Additional JARs (over and above the default JARs listed above) to skip when # scanning for Servlet 3.0 pluggability features. These features include web # fragments, annotations, SCIs and classes that match @HandlesTypes. The list 
@@ -122,7 +197,7 @@ org.apache.catalina.startup.ContextConfig.jarsToSkip= # Additional JARs (over and above the default JARs listed above) to skip when # scanning for TLDs. The list must be a comma separated list of JAR file names. -org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar +org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat-websocket.jar # # String cache configuration. diff --git a/jspwiki-portable/src/overlay/tomcat/conf/server.xml b/jspwiki-portable/src/overlay/tomcat/conf/server.xml index f52ee53..facd6ad 100644 --- a/jspwiki-portable/src/overlay/tomcat/conf/server.xml +++ b/jspwiki-portable/src/overlay/tomcat/conf/server.xml 
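Review bot: The renamed value in `org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat-websocket.jar` looks like dead configuration after this upgrade. As far as I know Tomcat 8.x no longer has a `TldConfig` class and does not read this key or the neighbouring `org.apache.catalina.startup.ContextConfig.jarsToSkip=`, so this should be confirmed against the 8.5 stock file. `tomcat-websocket.jar` is already listed in the new `tomcat.util.scan.StandardJarScanFilter.jarsToSkip` block, so nothing is lost by dropping both legacy keys and their comments. Leaving them in suggests there is a second skip list that a maintainer might edit with no effect.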
@@ -19,18 +19,17 @@ define subcomponents such as "Valves" at this level. Documentation at /docs/config/server.html --> -<Server port="8005" shutdown="SHUTDOWN"> +<Server port="8025" shutdown="SHUTDOWN"> + <Listener className="org.apache.catalina.startup.VersionLoggerListener"/> <!-- Security listener. Documentation at /docs/config/listeners.html <Listener className="org.apache.catalina.security.SecurityListener" /> --> <!--APR library loader. Documentation at /docs/apr.html --> - <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> - <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html --> - <Listener className="org.apache.catalina.core.JasperListener" /> + <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/> <!-- Prevent memory leaks due to use of particular java/javax APIs--> - <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> - <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> - <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> + <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> + <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/> + <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/> <!-- Global JNDI resources Documentation at /docs/jndi-resources-howto.html 
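Review bot: The shutdown listener moves to a new port but keeps the stock command, `<Server port="8025" shutdown="SHUTDOWN">`, so any local process that can reach that port can stop the instance with the documented default string. If the portable start/stop scripts do not rely on the shutdown port, `port="-1"` disables it. Otherwise, use a non-default `shutdown` value kept in sync with those scripts. A short comment such as `<!-- 8025: avoids clashing with a system Tomcat on 8005 -->` would also record why the port differs from upstream, if that is the reason.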
@@ -39,11 +38,11 @@ <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users --> - <Resource name="UserDatabase" auth="Container" - type="org.apache.catalina.UserDatabase" - description="User database that can be updated and saved" - factory="org.apache.catalina.users.MemoryUserDatabaseFactory" - pathname="conf/tomcat-users.xml" /> + <Resource name="UserDatabase" auth="Container" + description="User database that can be updated and saved" + factory="org.apache.catalina.users.MemoryUserDatabaseFactory" + pathname="conf/tomcat-users.xml" + type="org.apache.catalina.UserDatabase" /> </GlobalNamingResources> <!-- A "Service" is a collection of one or more "Connectors" that share @@ -54,7 +53,7 @@ <Service name="Catalina"> <!--The connectors can use a shared executor, you can define one or more named thread pools--> - <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="3" minSpareThreads="1"/> + <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150" minSpareThreads="4"/> <!-- A "Connector" represents an endpoint by which requests are received and responses are returned. Documentation at : @@ -83,7 +82,7 @@ --> <!-- Define an AJP 1.3 Connector on port 8009 --> - <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> --> + <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> <!-- An Engine represents the entry point (within Catalina) that processes diff --git a/jspwiki-portable/src/overlay/tomcat/conf/web.xml b/jspwiki-portable/src/overlay/tomcat/conf/web.xml index 4f7f83c..f6a32d2 100644 --- a/jspwiki-portable/src/overlay/tomcat/conf/web.xml +++ b/jspwiki-portable/src/overlay/tomcat/conf/web.xml @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> +<?xml version="1.0" encoding="UTF-8"?> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with 
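Review bot: The `@@ -83,7 +82,7 @@` hunk enables the AJP connector that the previous overlay shipped commented out: `<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />`. AJP is meant for a trusted reverse proxy and accepts request attributes from its peer as authoritative. With no `address` attribute the listener is, as far as I know, not restricted to loopback in Tomcat 8.5 releases of this period. Nothing in this overlay shows a front-end proxy for the portable build, so I would keep the element commented out as before. If AJP is needed, bind it with `address="127.0.0.1"` and add a comment naming the proxy that uses it.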
@@ -15,11 +15,11 @@ See the License for the specific language governing permissions and limitations under the License. --> -<web-app xmlns="http://java.sun.com/xml/ns/javaee" +<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://java.sun.com/xml/ns/javaee - http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" - version="3.0"> + xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee + http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" + version="3.1"> <!-- ======================== Introduction ============================== --> <!-- This document defines default values for *all* web applications --> @@ -42,7 +42,8 @@ <!-- parameters (default values are in square brackets): --> <!-- --> <!-- debug Debugging detail level for messages logged --> - <!-- by this servlet. [0] --> + <!-- by this servlet. Useful values are 0, 1, and --> + <!-- 11 where higher values mean more detail. [0] --> <!-- --> <!-- fileEncoding Encoding to be used to read static resources --> <!-- [platform default] --> @@ -88,10 +89,16 @@ <!-- globalXsltFile[null] --> <!-- --> <!-- globalXsltFile Site wide configuration version of --> - <!-- localXsltFile This argument is expected --> - <!-- to be a physical file. [null] --> - <!-- --> + <!-- localXsltFile. This argument must either be an --> + <!-- absolute or relative (to either --> + <!-- $CATALINA_BASE/conf or $CATALINA_HOME/conf) --> + <!-- path that points to a location below either --> + <!-- $CATALINA_BASE/conf (checked first) or --> + <!-- $CATALINA_HOME/conf (checked second).[null] --> <!-- --> + <!-- showServerInfo Should server information be presented in the --> + <!-- response sent to clients when directory --> + <!-- listings is enabled? [true] --> <servlet> <servlet-name>default</servlet-name> 
@@ -131,9 +138,9 @@ <!-- pages. See the jasper documentation for more --> <!-- information. --> <!-- --> - <!-- compilerSourceVM Compiler source VM. [1.6] --> + <!-- compilerSourceVM Compiler source VM. [1.7] --> <!-- --> - <!-- compilerTargetVM Compiler target VM. [1.6] --> + <!-- compilerTargetVM Compiler target VM. [1.7] --> <!-- --> <!-- development Is Jasper used in development mode? If true, --> <!-- the frequency at which JSPs are checked for --> @@ -156,6 +163,8 @@ <!-- engineOptionsClass Allows specifying the Options class used to --> <!-- configure Jasper. If not present, the default --> <!-- EmbeddedServletOptions will be used. --> + <!-- This option is ignored when running under a --> + <!-- SecurityManager. --> <!-- --> <!-- errorOnUseBeanInvalidClassAttribute --> <!-- Should Jasper issue an error when the value of --> 
@@ -217,29 +226,33 @@ <!-- scratchdir What scratch directory should we use when --> <!-- compiling JSP pages? [default work directory --> <!-- for the current web application] --> + <!-- This option is ignored when running under a --> + <!-- SecurityManager. --> <!-- --> <!-- suppressSmap Should the generation of SMAP info for JSR45 --> <!-- debugging be suppressed? [false] --> <!-- --> - <!-- trimSpaces Should white spaces in template text between --> - <!-- actions or directives be trimmed? [false] --> + <!-- trimSpaces Should template text that consists entirely of --> + <!-- whitespace be removed from the output? [false] --> <!-- --> <!-- xpoweredBy Determines whether X-Powered-By response --> <!-- header is added by generated servlet. [false] --> + <!-- --> + <!-- strictQuoteEscaping When scriptlet expressions are used for --> + <!-- attribute values, should the rules in JSP.1.6 --> + <!-- for the escaping of quote characters be --> + <!-- strictly applied? [true] --> + <!-- --> + <!-- quoteAttributeEL When EL is used in an attribute value on a --> + <!-- JSP page should the rules for quoting of --> + <!-- attributes described in JSP.1.6 be applied to --> + <!-- the expression? [true] --> <servlet> <servlet-name>jsp</servlet-name> <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class> <init-param> - <param-name>development</param-name> - <param-value>false</param-value> - </init-param> - <init-param> <param-name>fork</param-name> - <param-value>true</param-value> - </init-param> - <init-param> - <param-name>keepgenerated</param-name> <param-value>false</param-value> </init-param> <init-param> 
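Review bot: Dropping the `development` init-param from the `jsp` servlet puts Jasper back on its documented default of `true`, where the old overlay explicitly set `false`. In development mode JSPs are re-checked for modification on access, and compilation error pages can include source fragments, which is more than a distributed build should show to wiki users. `keepgenerated` is removed in the same way and also defaults to `true`. I would restore the `development` / `false` init-param next to the remaining `fork` entry, or add a comment saying the default is intended. The `<servlet>` element continues past the end of this hunk, so other init-params are not visible here.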
@@ -319,14 +332,35 @@ <!-- --> <!-- cgiPathPrefix The CGI search path will start at --> <!-- webAppRootDir + File.separator + this prefix. --> - <!-- [WEB-INF/cgi] --> + <!-- If not set, then webAppRootDir is used. --> + <!-- Recommended value: WEB-INF/cgi --> <!-- --> - <!-- debug Debugging detail level for messages logged --> - <!-- by this servlet. [0] --> + <!-- enableCmdLineArguments --> + <!-- Are command line parameters generated from --> + <!-- the query string as per section 4.4 of 3875 --> + <!-- RFC? [true] --> <!-- --> <!-- executable Name of the executable used to run the --> <!-- script. [perl] --> <!-- --> + <!-- envHttpHeaders A regular expression used to select the HTTP --> + <!-- headers passed to the CGI process as --> + <!-- environment variables. Note that headers are --> + <!-- converted to upper case before matching and --> + <!-- that the entire header name must match the --> + <!-- pattern. --> + <!-- [ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST| --> + <!-- IF-[-0-9A-Z]*|REFERER|USER-AGENT] --> + <!-- --> + <!-- environment-variable- An environment to be set for the execution --> + <!-- environment of the CGI script. The name of --> + <!-- variable is taken from the parameter name. --> + <!-- To configure an environment variable named --> + <!-- FOO, configure a parameter named --> + <!-- environment-variable-FOO. The parameter value --> + <!-- is used as the environment variable value. --> + <!-- The default is no environment variables. --> + <!-- --> <!-- parameterEncoding Name of parameter encoding to be used with --> <!-- CGI servlet. --> <!-- [System.getProperty("file.encoding","UTF-8")] --> 
@@ -343,14 +377,10 @@ <servlet-name>cgi</servlet-name> <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class> <init-param> - <param-name>debug</param-name> - <param-value>0</param-value> - </init-param> - <init-param> <param-name>cgiPathPrefix</param-name> <param-value>WEB-INF/cgi</param-value> </init-param> - <load-on-startup>5</load-on-startup> + <load-on-startup>5</load-on-startup> </servlet> --> 
@@ -396,6 +426,46 @@ <!-- ================== Built In Filter Definitions ===================== --> + <!-- A filter that sets various security related HTTP Response headers. --> + <!-- This filter supports the following initialization parameters --> + <!-- (default values are in square brackets): --> + <!-- --> + <!-- hstsEnabled Should the HTTP Strict Transport Security --> + <!-- (HSTS) header be added to the response? See --> + <!-- RFC 6797 for more information on HSTS. [true] --> + <!-- --> + <!-- hstsMaxAgeSeconds The max age value that should be used in the --> + <!-- HSTS header. Negative values will be treated --> + <!-- as zero. [0] --> + <!-- --> + <!-- hstsIncludeSubDomains --> + <!-- Should the includeSubDomains parameter be --> + <!-- included in the HSTS header. --> + <!-- --> + <!-- antiClickJackingEnabled --> + <!-- Should the anti click-jacking header --> + <!-- X-Frame-Options be added to every response? --> + <!-- [true] --> + <!-- --> + <!-- antiClickJackingOption --> + <!-- What value should be used for the header. Must --> + <!-- be one of DENY, SAMEORIGIN, ALLOW-FROM --> + <!-- (case-insensitive). [DENY] --> + <!-- --> + <!-- antiClickJackingUri IF ALLOW-FROM is used, what URI should be --> + <!-- allowed? [] --> + <!-- --> + <!-- blockContentTypeSniffingEnabled --> + <!-- Should the header that blocks content type --> + <!-- sniffing be added to every response? [true] --> +<!-- + <filter> + <filter-name>httpHeaderSecurity</filter-name> + <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> + <async-supported>true</async-supported> + </filter> +--> + <!-- A filter that sets character encoding that is used to decode --> <!-- parameters in a POST request --> <!-- 
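Review bot: The `httpHeaderSecurity` filter is added only inside a comment, both here and for its `<filter-mapping>` in the `@@ -484,6 +554,15 @@` hunk. The portable build therefore still sends neither `X-Frame-Options` nor the content-type-sniffing header that this block documents. For a wiki that serves user-authored pages and attachments, uncommenting both blocks would be a sensible default for the overlay. If JSPWiki frames its own pages (not visible in this diff), add an init-param setting `antiClickJackingOption` to `SAMEORIGIN` instead of the `DENY` default. If the filter is meant to stay off, a one-line comment saying so would make that a visible decision, not just an inherited upstream default.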
@@ -484,6 +554,15 @@ <!-- ==================== Built In Filter Mappings ====================== --> + <!-- The mapping for the HTTP header security Filter --> +<!-- + <filter-mapping> + <filter-name>httpHeaderSecurity</filter-name> + <url-pattern>/*</url-pattern> + <dispatcher>REQUEST</dispatcher> + </filter-mapping> +--> + <!-- The mapping for the Set Character Encoding Filter --> <!-- <filter-mapping> @@ -524,6 +603,7 @@ <!-- based on these mappings. Additional mappings can be added here (to --> <!-- apply to all web applications), or in your own application's web.xml --> <!-- deployment descriptor. --> + <!-- Note: Extensions are always matched in a case-insensitive manner. --> <mime-mapping> <extension>123</extension> @@ -2809,7 +2889,7 @@ </mime-mapping> <mime-mapping> <extension>otf</extension> - <mime-type>application/x-font-otf</mime-type> + <mime-type>font/otf</mime-type> </mime-mapping> <mime-mapping> <!-- OpenDocument Drawing Template --> @@ -3848,11 +3928,11 @@ </mime-mapping> <mime-mapping> <extension>ttc</extension> - <mime-type>application/x-font-ttf</mime-type> + <mime-type>font/collection</mime-type> </mime-mapping> <mime-mapping> <extension>ttf</extension> - <mime-type>application/x-font-ttf</mime-type> + <mime-type>font/ttf</mime-type> </mime-mapping> <mime-mapping> <extension>ttl</extension> @@ -4241,7 +4321,11 @@ </mime-mapping> <mime-mapping> <extension>woff</extension> - <mime-type>application/x-font-woff</mime-type> + <mime-type>font/woff</mime-type> + </mime-mapping> + <mime-mapping> + <extension>woff2</extension> + <mime-type>font/woff2</mime-type> </mime-mapping> <mime-mapping> <extension>wpd</extension>
